Large US City Public School System

Active Directory Chaos

“I have an active account that hasn’t been used in 10 years…and it still has the same password.” That’s how the data center security manager for a public school system in a major US city answers when asked why cleaning up his Active Directory is a priority. He adds, “We have 8,000 faculty and staff, including contractors, and yet we have over 30,000 Active Directory user accounts, and that number does not include our student AD accounts.”

StealthAUDIT = Compliance + Security

Compliance requirements under CIPA (Children’s Internet Protection Act) and FERPA (Family Educational Rights and Privacy Act) are partly driving the AD clean-up effort, but improved security and best practices are also key considerations. “We understand that stale user accounts are a serious security vulnerability, especially when you’re carrying over 20,000 of them.”

ManageEngine Unhelpful

When searching for a tool to help the AD clean-up effort, the security manager leveraged skills from a previous professional life: “I spent several years evaluating security and network software for a trade publication, so I know a good product when I see it.” He first downloaded the ManageEngine AD Audit Plus free trial. “It’s a great tool from a fun graphics perspective, but it provides no means to act on the information presented in the nice graphics. It couldn’t remediate anything.”

StealthAUDIT Works

He then turned to STEALTHbits, and the StealthAUDIT for Active Directory Action Modules were just what the doctor ordered. “STEALTHbits set up a demo of the product’s Action Modules, and that sold me immediately,” described the security manager. “I also loved the flexibility of the tool, and that we’d have access to the SQL database directly, if necessary.” Almost immediately, he was able to clean up the stale and disabled accounts in the faculty OU (Organizational Unit).

AD Just the Beginning

Well on his way to optimizing the school system’s AD with StealthAUDIT for Active Directory, he’s now turning his attention to other STEALTHbits products, starting with StealthAUDIT for Data Access Governance (DAG). They would eventually like to use StealthAUDIT for DAG to enable more efficient and intelligent de-provisioning, effectively preventing their Active Directory from returning to the state of chaos that greeted the data security manager when he started. They anticipate, however, many uses for the StealthAUDIT Management Platform: “I haven’t found a situation that StealthAUDIT can’t handle.”

STEALTHbits Triple Play

Eventually, the data security manager would like to deploy StealthINTERCEPT as well. “We are learning that a lot of people have access to our Active Directory that shouldn’t,” he noted. “We’d like to use StealthINTERCEPT to get a handle on that.” He also adds that “compliance is a dirty word around here,” and believes that StealthAUDIT and StealthINTERCEPT can help augment and improve their auditing process and reduce that burden on the IT staff. “I’m convinced the STEALTHbits products are something that we can get a lot of benefit out of.”


In Brief:

  • City Public School System

  • Approximately 50,000 students

  • 8,000 faculty and staff, including contractors

  • Active Directory completely neglected

  • Best practices/security and compliance driving clean-up effort

Quotes:

  • “I haven’t found a situation that StealthAUDIT can’t handle.”

  • “ManageEngine’s a great tool from a fun graphics perspective...but it couldn’t remediate anything.”

  • “STEALTHbits set up a demo of the Action Modules, and that sold me immediately.”

  • “I love the flexibility of STEALTHbits, and that we’d have access to the SQL database directly if necessary.”

  • “I’m convinced the STEALTHbits products are something that we can get a lot of benefit out of.”