What’s Involved in the Deployment Process

Most of the planning in this chapter has focused on designing the audit and monitoring service infrastructure and deciding where to install components. The following illustration provides a visual summary of the complete deployment process and highlights the keys to success. The sections after the flowchart provide additional details about what’s involved in each phase or the decisions you will need to make, such as who should be part of the deployment team, where to install the software, and who has permission to do what.

Plan

During the first phase of the deployment, you collect and analyze details about your organization’s requirements and goals. You can then also make preliminary decisions about sizing, network communication, where to install components, and what your zone structure should look like.

Here are the key steps involved:

  • Identify the goals of the deployment.

    • Is identity and privilege management or audit and monitoring service a primary goal?

    • Are identity and privilege management and audit and monitoring service equally important to the organization?

    • Is audit and monitoring service important for specific computers?

    • Is audit and monitoring service important for computers used to perform administrative tasks?

    • Is audit and monitoring service important for computers that host specific applications or sensitive information?

    • Should audit and monitoring service be required for users in specific groups or with specific roles?

      For example, if audit and monitoring service is important, are you primarily interested in auditing Windows servers, such as SQL Server, Exchange, and IIS, administrative workstations, or computers that host specific applications or sensitive information?

  • Assemble a deployment team with Active Directory and other expertise.

    • People with specific knowledge, such as Exchange, IIS, or SharePoint administrators.
    • If auditing, at least one Microsoft SQL Server database administrator.
  • Provide basic training on Delinea software architecture, concepts, and terminology.

  • Study the existing environment to identify target computers where you plan to install Delinea software components.

    • Plan for permissions and the appropriate separation of duties for your organization.

    • Review network connections, port requirements, and firewall configuration.

      For more information about network communication and the ports used, see Plan for network traffic and data storage.

    • Identify computers for administration.

      • Basic deployment — Access Manager
      • Auditing — Audit Manager and Audit Analyzer consoles
    • Identify computers to be used as collectors, audit stores, and the management database.

      • Verify that you have reliable, high-speed network connections between components that collect and transfer audit data.
      • Verify you have sufficient disk storage for the first audit store database.
    • Identify the initial target group of computers to be managed and audited.

  • Design a basic zone structure that suits your organization.

    • Single or multiple top-level parents.
    • Initial child zones, for example, separate zones for different functional departments or administrative groups.

Prepare

After you have analyzed the environment, you should prepare the Active Directory organizational units and groups to use. You can then install administrative consoles and the audit and monitoring service infrastructure, and prepare initial zones.

Here are the key steps involved:

  • (Optional) Create organizational units or containers to define a scope of authority.

    The deployment team should consult with the Active Directory enterprise administrator to determine whether any additional containers or organizational units would be useful, who should be responsible for creating Licenses and Zones container objects, and who will manage the objects in those containers.

  • (Optional) Create the additional Active Directory security groups for your organization.

    Groups can simplify permission management and the separation of duties.

  • Install Access Manager on at least one administrative Windows computer.

  • Open Access Manager for the first time to run the Setup Wizard for the Active Directory domain.

  • Create a parent zone and the appropriate child zones as identified in your basic zone design.

    The hierarchical zone structure you use depends primarily on how you want to use inheritance and roles.

  • Prepare Windows computer accounts in the appropriate zones and assign the default Windows Login role to the appropriate Active Directory users and groups.

  • Install Audit Manager and Audit Analyzer together or separately.

  • Create an installation and a management database on one computer.

  • Create an audit store and audit store database on at least one computer.

  • Install a collector on at least two computers.

Deploy

After you have prepared Active Directory, installed administrative consoles on at least one computer, created at least one zone, and prepared the audit and monitoring service infrastructure, you are ready to deploy on the computers to be managed.

Here are the key steps involved:

  • Create Desktop, Application, and Network Access rights.
  • Add Desktop, Application, and Network Access rights to custom role definitions.
  • Assign custom roles to the appropriate Active Directory users and groups.
  • Install the Agent for Windows on a target set of computers.
  • Join the appropriate zones.
  • Prepare a Group Policy Object for deploying agents remotely using a group policy.
  • Assign the appropriate permissions to the users and groups who should have access to audit data.

Validate

After you have deployed agents on target computers, you should test and verify operations before deploying on additional computers.

Here are the key steps involved:

  • Log on locally to a target computer using an Active Directory user account and password to verify Active Directory authentication and Windows Login role assignment.
  • Open a Remote Desktop Connection to a target computer to verify Active Directory authentication and Windows Login role assignment on a remote computer.
  • Create a new desktop that gives you administrative rights and verify that you can start and stop Windows services or perform other administrative tasks.
  • Right-click an application, select Run using selected roles, then select an available role for running the application.
  • Open Audit Analyzer and query for your user session if audit and monitoring service is enabled.

Manage

After you have tested and verified identity management, privilege management, and audit and monitoring service operations, you are ready to begin managing the installation and refining ongoing operations.

Here are the key steps involved if you are deploying identity management, privilege management, and auditing for Windows computers:

  • Secure the installation.
  • Add roles and assign roles and permissions to the appropriate users, groups, and computers.
  • Delegate administrative tasks to the appropriate users and groups for each zone.
  • Deploy additional group policies on the appropriate organizational units.
  • Create new databases and rotate the active database.
  • Archive and delete old audit data.
  • Automate key administrative tasks using Delinea-defined PowerShell-based cmdlets and scripts.