Semperis Directory Services Protector for Active Directory

Keeping You in the Know and in Control
Business applications on-premises and in the cloud rely on Active Directory, making it a critical piece of your IT infrastructure. Directory changes must be scrutinized, and unwanted changes – whether accidental or malicious – immediately undone. Semperis Directory Services Protector (DSP) lets you find and fix problems fast to ensure systems remain available and secure.

Eliminate holes in the audit log

Isolate suspicious changes

Instantly roll back unwanted changes

Change tracking and remediation together in one console

Precise Protection

Respond quickly to security threats and operational errors, to minimize exposure and eliminate downtime
Semperis DSP gives you visibility of changes to Active Directory, as well as the ability to immediately roll back unwanted changes.
  • Instant Recovery: roll back unwanted changes immediately, without mounting or restoring a backup
  • Tamperproof Tracking: capture all changes even if agents are disabled or security logs are erased
  • Granular Restore: restore individual attributes, objects, and containers and restore to any point in time (not just to a previous backup)
  • Continuous Protection: capture all changes, including objects created and deleted between backups and attributes modified and then changed back
  • Who Dunnit: see who made each change, and quickly find all changes made by a particular user
  • Role-Based Access Control (RBAC): grant permission to view or undo changes to specific attributes, object types, OUs, etc.
  • Real-Time Alerts: send notifications when changes are made to sensitive security groups, privileged users, etc.
  • Group Policy Changes: track changes, compare versions, and undo changes as needed
  • DNS, Configuration, and Schema Changes: extend change tracking to additional components of Active Directory
  • Built-in Security Reports: see stale user accounts, computer accounts trusted for delegation, potential “Kerberoasting” targets, and more
  • Automation and Integration: automate with PowerShell, integrate with external SIEM

The Semperis Difference

Semperis DSP leverages multiple data sources to overcome the shortcomings of traditional agent-based tracking and backup-based restore.
Unlike tracking tools that rely on agents and security logs, Semperis DSP tracks changes even if native security logging is turned off, logs are deleted, agents are disabled, or agents stop working for whatever reason (memory overflow, software bug, compatibility issue, etc.).
Semperis DSP eliminates holes in your audit log and allows you to quickly identify and undo suspicious changes, so you can minimize disruption to users and damage from cyberattacks.
Unlike recovery tools that rely on backups, Semperis DSP provides instant recovery (no need to mount or restore a backup). So, while other tools might make it possible to restore individual objects and attributes, Semperis DSP makes it practical to actually do so.
In addition, Semperis DSP can restore to any point in time (not just to a previous backup).

“Semperis DNS zone and record restoration is a lifesaver.”

– Boris Bykov, Systems Manager, Metropolitan Transportation Authority (NY)

“The ability to search and compare changes in real time saves us critical downtime.”

– Rafi Dabush, IT Manager, EL AL Airlines

How can Semperis help me?

  • Hacker: A hacker gains privileged access and disables native security logging. You discover the breach within 15 minutes and disable the hijacked account. You can’t see what was changed or potentially compromised, so to be safe you restore Active Directory from backup. As a result, you lose several hours or even a day’s worth of legitimate changes, and users are locked out until those changes are redone.

    With Semperis DSP, you can see what was changed during those 15 minutes and immediately undo any suspicious changes – eliminating the downtime and rework associated with restore from backup.
  • Scripting error: A script adds the wrong users to 100+ groups. With Semperis DSP, you can quickly isolate the mistaken additions and immediately undo them all with just three mouse clicks.
  • Accidental OU deletion: You delete an OU with 1,000 users across 10 sub-OUs. With Semperis DSP, you can undelete an individual object or an entire hierarchy of 1,000+ objects with a single right-click operation.
  • Inadvertent DNS zone deletion: An administrator accidentally deletes a DNS zone, rendering an entire division non-functional. With Semperis DSP, you can undo changes to deleted or modified AD-integrated DNS zones as easily as user and computer objects.
  • Misconfigured Group Policy Object: A newly deployed Group Policy Object (GPO) breaks all production servers. With Semperis DSP, you can immediately roll back the GPO to the prior version.