Access Rights Manager

Format: 75 multiple-choice questions
Time allotment: 90 minutes

Study Resources
The intention of the resources provided is to supplement your experience with Access Rights Manager (ARM). The included resources are not all-inclusive and should only aid as a starting place for your studies.

Use the available documentation to learn more about ARM:

• ARM Installation Guide
• ARM Getting Started Guide
• ARM Administrator Guide

For additional study resources, visit THWACK.

Identify access rights on a resource
ARM quickly shows you all access rights on file server directories.

Create groups and add users
ARM allows you to create standardized groups quickly and easily. Each process is automatically documented.

Flexible reports (web client)
With Analyze & Act in the web client, you create flexible reports via the web client. Design the report with groupings, filters, sorts and the desired columns exactly as you need it.

Organizational help for administrators
Besides automated documentation and reports ARM also includes a number of additional documentation features. These allow you to add post-its to objects manually or give AD groups aliases with the “purpose groups” feature.

Delegation of tasks
ARM includes functionality that can benefit users who are not administrators, depending on the size of your organization, sensitivity of your data, and your existing processes.

The simple authorization process - approving and rejecting actions as an administrator
Enable the “request mode” to require approval of certain access rights changes.

Execute scripts for directories in bulk (web client)
Use self-created scripts on directories.

Create a protected file server directory
Create a protected directory that only select users have access to.

Change mailbox permissions
You can manage “Full access”, “Send as”, “Receive as” mailbox permissions.

Select access categories available in ARM
ARM bundles the Microsoft permission combinations into access categories. This allows for a simplification of access rights assignment.

ARM service account permissions
Use service accounts (dedicated user accounts) for ARM.

How to view all attributes in ARM applicable to an AD object
Enable and view the Attribute Editor in AD Users and Computer Snap in to view all attributes in ARM that apply to an AD object.

FS Logga requirements (monitor file server)
Review and know the hardware and software system requirements for FS Logga (monitor file server).

Set alerts for groups
Employees receive their access rights through group memberships. Especially sensitive groups grant access to secret folders and other important resources. The AD Logga allows you to actively monitor specific AD groups so that an alert is received if new members are added.

Run the ARM Configuration Wizard
The Configuration Wizard collects required information for the base configuration and for the first Active Directory scan and the first file server scan.

1. How can you restrict access to a directory that contains information about an upcoming company merge?
1. Disable inheritances
2. Assign one resource owner
3. Configure SAP properties
4. Disable the automatic list rights management
2. What supported file types can you see to configure scripts? Select all that apply.
1. .bat
2. .pyo
3. .cmd
4. .js (nodejs.exe)
5. sh

Maximum number of ARM queue messages exceeded
Troubleshoot an ARM alarm message queue system warning.

Remove corrupted inheritance
Broken ACLs (Access Control Lists) interfere with NTFS inheritances on file servers. As a consequence, the sub-directory will not inherit the correct permissions, despite this feature being activated.

Identify errors in inheritance in Analyze & Act and fix them in bulk
Identify corrupted inheritance in a few clicks and eliminate them in one go.

Enable alerts for suspected data theft (file server)
To efficiently capture security incidents, ARM focuses on user-initiated file server events. If these occur in unusually high numbers and additionally in a short period of time, ARM proactively informs all those responsible.

Report on ARM Access Rights Management activities (Logbook report)
Capture events by person or event type within any desired time period to ensure transparent processes and documentation.

Enable alerts for file server directories
Monitor targeted safety-critical directories by defining directory-specific alerts. Should an access be made to a security-relevant directory, ARM sends an alert to the data controller.

Identify over-privileged users based on Kerberos token size
The size of a Kerberos token is a good indicator for identifying users with excessive access rights. The more group memberships a user has, the bigger their Kerberos token. Even if a group membership does not automatically grant privileges, it is worthwhile analyzing the listed users.

Identify recursive groups
Groups can be members of other groups. Active Directory allows “children” to become “parents” within their own family tree.

ARM port and firewall requirements
Review and know port and firewall requirements for ARM.

SQL Server database maintenance
Every morning at 5 am the ARM server completes scheduled maintenance by removing and archiving old scans from the ARM data base.

Identify access rights on a resource
ARM quickly shows users all access rights on file server directories.

Determine server thresholds
Define how many events within a period trigger the alert.

Advanced Exchange scan settings in the configuration files
Advanced settings must be adjusted in the configuration files.

Configure audit policies for the domain controllers (DC)
To access AD Logga functionality you must activate specific audit policies. If you want to make changes to audit policy you must be a member of the appropriate domain admin or organization admin group.

Add AD scans
The scan comparison compares AD scans at two different points in time and shows you how your access rights situation has changed.

Start FS scans
The scan comparison compares AD scans at two different points in time and shows you how your access rights situation has changed.

Complete a FS Logga configuration
Use FS Logga to monitor all administrative actions made within a given time period to access rights on file servers.

Exchange Logga
The Exchange Logga logs activities of mailbox owners, their deputies, and administrators.

1. A user has been losing access rights for several months, but does not know which rights are lost. The user has been running ARM for one year. How can you troubleshoot this issue? Select all that apply.
1. You compare the Where has a user/group access report against a current scan and a 6 months old scan
2. Run a scan comparison report for the user and another user who has no issues and compare them to search for issues
3. Review the logbook and search for issues
4. Run AD Logga report with the member removed event type, and set the report start date to the previous year and filter the report for the user
2. You configured ARM to send file server reports to Data Owners every quarter. What are possible reasons why you did not receive a report this quarter? Select all that apply.
1. The administrator deleted the Exchange Online mailbox
2. The SMTP server sending options changed
3. The 25 without SSL port was opened on the SMTP server
4. The SMTP server was offline when ARM attempted to run the report

ARM 9.2 System requirements for SolarWinds Access Rights Manager
Review and know the hardware and software system requirements for your ARM installation.

Web components and web interface requirements
Review and know hardware and software system requirements for your web components and web interface.

The components that make up the Access Rights Manager architecture
The ARM component architecture allows you to run installations across a variety of remote resources.

Identify corrupted inheritance
Broken ACLs (Access Control Lists) interfere with the NTFS inheritance on the fileserver.

Perform an update installation
Know the requirements for updating an installation.

Install additional collectors
If there is no trust between the ARM server (domain) and a resource (domain), use this method of installing a collector.

Download and install Access Rights Manager
The ARM installer is an all-in-one installation package that you can use to install ARM's components: The ARM Server, Collector, GUI applications, and Web interface components.

Advanced Exchange scan settings in the configuration files
Advanced settings must be adjusted in the configuration files.

1. After installation, the Basic Configuration page launches automatically and asks you to do which two steps before anything else can be configured?
1. Define the credentials for the ARM Server to run Active Directory requests
2. Install missing components listed in the install Report
3. Activate your license
4. Define the SQL Server database
2. Where can you run web components/WebAPI? Select all that apply.
1. ARM server with IIS installed
2. Apache server
3. Standalone Microsoft IIS server
4. GWS server

ARM Log Files
This article provides information about all the logs files in ARM and which one to use for type of issues.

Basic settings
Determine the basic settings for group wizard, comfort feature, and sandbox.

ARM jobs overview
The job overview contains a variety of information including scan speed and the amount of collected data.

Identify recursive groups (web client)
Groups can be members of other groups. Active Directory allows “children” to become “parents” within their own family tree.

Create a user account
With ARM you can quickly create standardized user accounts. You can specify this process by creating templates for different roles and then delegate it to your help desk.

Integrate Easy Connect resources
Add an Easy Connect resource.

Report on local accounts
The local account report displays local administrative rights on end points so users can see which administrators and users have access to which end point.

Report on changes in Active Directory
The AD Logga allows you to monitor current processes in your Active Directory. ARM even captures all changes made with native tools including temporary changes.

Execute scripts for directories in bulk (web client)
Use self-created scripts on directories.

1. What is required when you configure FS Logga for a Windows failover cluster? Select all that apply.
1. Install and run the collector service on all nodes
2. Restart the file server after you install FS Logga
3. Install .net in all cases manually
4. Install the FS Logga filter driver on all nodes
2. What helps automate the process of disabling a user in ARM? Select all that apply.
1. Scripts
2. Reports
3. GrantMa
4. Templates

Identify multiple access paths
Multiple access paths are often a consequence of confusing group structures and direct access rights. Access to resources should only be granted using group memberships.

Compare two different access rights situations (Scan Comparison)
The scan comparison shows the actual states of two authorization situations in the AD and on file servers and compares them with each other. This enables you to determine how the authorization situation has changed.

Identify nesting depth of groups
The ARM dashboard shows nested groups up to level 10.

Determine permissions deviating from the department profile (compliance check) (web client)
With the introduction of department profiles, department heads, together with the management and the compliance officer, users can define the scope of action of employees in the company.

Report on ARM Access Rights Management activities (Logbook report)
All changes made with ARM are automatically recorded in the log book.

Where do users and groups have access?
The “Where has the user/group access?” report lists all access rights of users and groups across all selected resources (user in focus).

Identify access rights on mailboxes
The “Who has access to which mailbox” report for Exchange shows you all access rights in the resources view.

Enable alerts for file server directories
Monitor targeted safety-critical directories by defining directory-specific alerts. Should an access be made to a security-relevant directory, ARM sends an alert to the data controller.

Apply an ARM account to a specific security role or data owner
Define which reports are relevant and ARM will send them to the user automatically in the desired frequency.

Request file server access rights
Employees can request access rights to file server directories from Data Owners by using the GrantMA self-service portal.

Create a new department profile
With the introduction of departmental profiles, department heads, together with the management and the compliance officer, users can define the scope of action of employees in the company.

Delete empty groups
Over time, empty groups accumulate in your Active Directory. These reduce performance and diminish transparency. You can delete these groups.

Remove unresolved SIDs in bulk (web client)
ARM clearly identifies unresolved SIDs in your system. Delete unresolved SIDs in bulk using the web client.

Remove multiple access paths to file server directories
ARM allows you to remove multiple access paths quickly and easily.

Change the manager of distribution groups
ARM allows you to quickly change managers for distribution groups. The process is automatically documented.

"Soft" delete a user
When deleting a user with “soft delete” all of their access rights remain intact. The account is moved to a  “Recycle-OU” and deactivated. This account can no longer be used since the “Recycle-OU” is part of a strictly limited group policy.

Analyze historical access rights situations
After the occurrence of data breaches and other security incidents it is often useful to review historical access rights. In this way, you can see who had access at a particular time and who did not. ARM allows you to access historical scans to understand the security implications of access rights at the time of the incident.

Edit and name templates
ARM provides sample templates in a directory.

Import or export Data Owner configurations
You can export an existing Data Owner configuration in order to be able to perform bulk operations or a transfer to and from other systems.

Configure scripts
The ARM server is a service that runs on local permissions.

The simple authorization process - approving and rejecting actions as an administrator
Enable the “request mode” to require approval of certain access rights changes.

Report on unresolved SIDs
SIDs become unresolved when users or groups with direct access rights are deleted in AD.

Manage group memberships
Easily manage group memberships and analyze group nesting.

Execute scripts on user accounts in bulk (web client)
Use self-created scripts on directories.

1. How can you improve filer server scan performance?
1. Configure $-Shares to see all shares
2. Increase scan depth and remove all shares
3. Configure Storage of Scans to store unnecessary data
4. Use the correct file server type
2. What can you do to balance the load on your ARM server?
1. Install additional collector
2. Use NTFS
3. Defrag hard disks
4. Use a dedicated drive for pagefile

Installation

1. A, D
2. A, C

Configuration

1. A
2. A, B, D

Administration

1. D
2. A

Troubleshooting

1. A, C, D
2. B, D

Architecture

1. A, D
2. A, C