Government gets proactive with auditing product

Although the department of Indian and Northern Affairs Canada (INAC) had long ago migrated from Microsoft Corp.’s Windows NT 4 to Active Directory and Windows 2000, it was only recently that the federal agency got a handle on troubleshooting its decentralized directory.

The Gatineau, Que.-based federal department is responsible for meeting the Canadian government’s constitutional, treaty, political and legal responsibilities to First Nations, Inuit and Northerners.

Heath Beechey, access control officer for INAC, presided over the Windows migration in 2001. After that, INAC wanted to optimize its Active Directory implementation, which was built from the ground up; Beechey designed a single forest with 22 sites and 35 domain controllers distributed among 14 regional offices, located in every territory and province. Currently, 5,400 users are on the system, Beechey said. But while Active Directory service is useful, it lacks the ability to audit and track changes to the system, he said.

Beechey had to first build a business case for the solution, because INAC has been operating under a tight budget for the past few years and the organization didn’t really need any admin tools for decentralizing the administration of an infrastructure that was relatively stable.

But over the last few years INAC has had replication issues and accidental system changes. It is critical for INAC to know about modifications such as removing or adding domain controllers or first-level changes to Global Catalogs, sites, subnets and other components as they happen, Beechey said.

To solve the audit and tracking trouble, INAC turned to Phoenix, Ariz.-based NetPro Corp. and its ChangeAuditor, an auditing and configuration-management product designed to maintain control of Active Directory. NetPro CTO Gil Kirkpatrick said the recently updated ChangeAuditor 2.0 features custom user and group attribute tracking. The product integrates with Microsoft Operations Manager to support multiple repositories and multiple-agent configurations.

INAC implemented the solution in late fall of 2004. Installing the solution was relatively simple, Beechey said. “I set up a server with SQL on it and ran the install for the repository…and it was a done deal for that.”

ChangeAuditor tracks all key Active Directory configuration changes in real time, Beechey said. The product captures user changes to the directory including what, where and why original data was altered. In the past, it was extremely difficult to troubleshoot the problem to determine exactly who made a particular change, Beechey said.

The solution also enables the IT department to be more proactive and accountable, he noted. Previously, the only way to track change activity was to check Active Directory every once in a while for recent changes.

He said the system now tracks changes to organizational units (OU) from the directory, domain controllers, subnets and other components, all in real time. Users now dial in through a virtual private network to gain access to the system. They provide credentials ChangeAuditor matches to an Active Directory user profile.

According to Beechey, using the NetPro tools reduces change-related network downtime and troubleshooting pains. The solution is like an insurance policy; INAC can see in real time when changes are happening and take proactive measures, he added.