SCOM 2007 & Audit Collection Services



  1. Operations Manager 2007 R2 & Audit Collection Services to monitor and audit your AD-based security policies
     Olivier MICHOT, Managing Director; Nicolas LOUVIOT, Operations Technical Manager
  2. Agenda
     - Monitoring and Core IO
     - Operations Manager 2007
     - New features in SCOM 2007 R2
     - AD and Security monitoring
     - Audit Collection Services (ACS)
     - Recommendations & guidelines
  3. Monitoring and Core IO
     - Business value to your organization?
     - Microsoft Core IO initiative: from Basic to Dynamic
     - System Center Operations Manager provides the key features for end-to-end service monitoring and real-time system health checks.
  4. Operations Manager 2007
     - Enterprise monitoring solution for AD environments
     - State, health and performance information
     - Alerts when availability, performance, configuration or security conditions are identified
     - Management Packs provide best-practice knowledge to discover, monitor, troubleshoot and report
     - Role-based security model
  5. Operations Manager added value
     - Deliver value right away
       - Easy installation & quick results
       - Support for complex environments & prescriptive guidance
     - Run operations more productively
       - Proactive monitoring based upon pre-defined rule sets
       - Notification of issues within the environment
       - Allows creation of customized self-healing processes
     - Decrease overall workload
       - Reduction of manual tasks & alert consolidation
       - Centralized management tool across the organization
  6. Management packs
     - Microsoft Applications: BizTalk Server, Exchange Server, Host Integration Server, Identity Integration Server, Internet Security and Acceleration Server, Microsoft Operations Manager, Project Server, Proxy Server, SharePoint Server, SQL Server, Systems Management Server 2003 / 2.0, ...
     - Windows Operating Systems: Active Directory, DNS service, IIS versions, Server clusters, Component Services (formerly MTS 2.0), Message Queuing (MSMQ), Distributed Transaction Coordinator (MS DTC), .NET Framework, Windows Internet Name Service (WINS), Windows SharePoint Services, Network Load Balancing, Routing and Remote Access service, Terminal Services, File Replication Services, Advanced Deployment Services, Group Policy
     - 3rd Party Platforms: eXc Software (IBM AS400, IBM z/OS, Unix, Linux); Metilinx (Linux/Unix)
     - 3rd Party Devices: JalaSOFT (Cisco Routers and Switches)
     - 3rd Party Hardware: Dell OpenManage, HP Insight Manager, IBM Director
  7. Knowledge Base
     - Knowledge is a key feature
     - Facilitates rapid issue resolution
     - Empowers front-line operators
     - Less escalation
     - Faster resolution
  8. OpsMgr Reporting & Analysis
     - Microsoft SQL Server Reporting Services
     - More than 100 predefined reports
     - System monitoring and operations
     - Capacity planning
     - Performance analysis
     - Application-specific monitoring
  9. Reports
     - Reports are interactive
     - Easy navigation through views
     - Interface can launch tasks
     - Reports are run from the Console
     - Support for scheduling reports
     - Favorite reports
  10. New features in SCOM 2007 R2
     - User interface, performance and scalability
     - Cross-platform monitoring
     - Service Level Tracking
  11. Cross-Platform Monitoring
     - Extend end-to-end monitoring to distributed applications deployed across heterogeneous platforms and operating systems
     - Monitor Windows Server, Linux and Unix, all from a single console
     - Set up non-Windows agents
     (Diagram: an ERP application spanning database servers and web servers)
  12. Service Level Tracking
     - Define SLOs against state and performance data
     - Extended service level reporting capabilities
     - SharePoint integration for displaying service level performance within the organization
     "I need to track the availability of my Exchange service against my agreed service level goal of 99.99% during regular business hours"
  13. Service Level Tracking Demo
  14. Audit Collection Services and how it can help you monitor and audit your AD-based security policies
  15. Why Monitor AD and Security?
     - Active Directory is at the heart of Windows-based environment security
     - Regulatory compliance impacts the whole organization
     - AD problems can be extremely disruptive if left undetected:
       - Slow logins / login failures / password issues
       - Group Policy & resource access problems
       - Security issues
       - Exchange issues
     - AD problems are trivial to fix when detected early, but rapidly become complex when ignored
     - Replication issues can lead to security holes
     - Business applications critically depend on AD
  16. Active Directory Management Pack
     - The Active Directory MP provides:
       - Core Active Directory monitoring rules
       - Client-side monitoring capabilities
       - Replication and trust monitoring
       - Active Directory health and state monitoring
     - What it is lacking: security monitoring
       - Changes to membership of key groups (Enterprise Admins, Domain Admins, Schema Admins)
       - User accounts and groups created / deleted / modified
       - Password changes by someone other than the account owner
       - Access to sensitive files/folders
       - Changes to OU permissions
  17. Security Event Log
     The security event log is important:
     - Security privilege changes are logged
     - Security threats are identified, e.g. hacking and viruses
     - Unauthorized use of resources is tracked
     - Auditors and security officers can monitor for misuse for regulatory compliance
     - Administrators can track activity, e.g. account lockouts
     - Applications can create events when security fails within their scope
  18. Limitations
     But:
     - It only keeps a certain amount of historical information
     - The security event log is only as trustworthy as the administrators
     - Analysis of distributed logs is difficult and time consuming
     - Delegation to auditors or security officers is not possible
  19. The solution is ACS
     - A means to collect the records generated by an audit policy
     - Delegation of auditing to non-IT staff
     - Centrally stores the Windows security event log
     - Consolidation of logs provides a normalized overview
     - Dedicated (secured) database with an immutable collection policy
     - Enables forensic (legal) analysis using reports
     - Solution for regulatory compliance such as SOX or CSSF
  20. ACS Infrastructure Design
  21. ACS & Ops Manager
     - Fully integrated in the SCOM infrastructure (free add-on)
     - Out-of-the-box but customizable reports from Microsoft
     - High performance
       - up to 2,500 events/sec (continuous load)
       - up to 100,000 events/sec (short burst)
     - High scalability
       - 3,000 non-DC servers
       - 150 Domain Controllers
       - 20,000 workstations
  22. Audit Collection Services Demo
  23. Recommendations
     - Auditing is based upon user accounts
     - Do not use local administrator accounts (disable them or use random passwords)
     - Never use the built-in domain admin account (enforce this with a two-person strategy)
     - Provide IT staff with 2 accounts:
       - Standard account
       - Admin account
     - Delegate administration privileges
  24. Deployment guidelines
     - Define the range of events to audit
     - Simulate the scenario activity in a lab to identify the events and Event IDs generated, e.g. modify Domain Admins group membership
     - Create rules / monitors based on these events
     - Verify that rules / monitors are working correctly
     - Verify that your reports return relevant information
     - Deploy your rules / monitors in production, but limit distribution to mitigate risk
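An added example, not part of the slide deck: the lab step above carried through for the key-group case on slide 16. The Python below parses security events exported as XML (the shape `wevtutil qe Security /f:xml` produces) and flags membership changes to Enterprise Admins, Domain Admins and Schema Admins. The event IDs are the documented Windows Server 2008+ values for member added/removed on global, local and universal groups; the sample records, host name and account names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the XML shape `wevtutil qe Security /f:xml` emits;
# hosts and accounts are made up, and a root element wraps the records.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4728</EventID><Computer>DC01.lab.example</Computer>
  <TimeCreated SystemTime="2009-11-05T09:12:33.000Z"/></System>
 <EventData>
  <Data Name="MemberName">CN=J. Doe,OU=Staff,DC=lab,DC=example</Data>
  <Data Name="TargetUserName">Domain Admins</Data>
  <Data Name="SubjectUserName">svc-helpdesk</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4728</EventID><Computer>DC01.lab.example</Computer>
  <TimeCreated SystemTime="2009-11-05T09:15:01.000Z"/></System>
 <EventData>
  <Data Name="MemberName">CN=P. Ops,OU=Staff,DC=lab,DC=example</Data>
  <Data Name="TargetUserName">Print Operators</Data>
  <Data Name="SubjectUserName">adm-nl</Data>
 </EventData></Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Documented Windows event IDs: member added/removed for a security-enabled
# global (4728/4729), local (4732/4733) or universal (4756/4757) group.
MEMBERSHIP_EVENTS = {4728: "added", 4729: "removed", 4732: "added",
                     4733: "removed", 4756: "added", 4757: "removed"}
# Key groups named on slide 16; matched case-insensitively.
KEY_GROUPS = {"enterprise admins", "domain admins", "schema admins"}


def key_group_changes(xml_text):
    """One (time, actor, action, member, group, host) per key-group change."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in MEMBERSHIP_EVENTS:
            continue  # not a group-membership event
        data = {d.get("Name"): d.text
                for d in ev.findall("e:EventData/e:Data", NS)}
        group = data.get("TargetUserName", "")
        if group.lower() not in KEY_GROUPS:
            continue  # membership change, but not to a key group
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        host = ev.findtext("e:System/e:Computer", namespaces=NS)
        hits.append((when, data.get("SubjectUserName"), MEMBERSHIP_EVENTS[eid],
                     data.get("MemberName"), group, host))
    return hits
```

Calling `key_group_changes(SAMPLE_EVENTS)` returns only the Domain Admins addition; the Print Operators change is read but ignored, which is the filter an ACS rule or SCOM monitor for this scenario would need to reproduce.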
  25. Resources
     - Microsoft: SCOM 2007 Home
     - SCOM TechNet library Home
     - Management Packs Catalog
     - Community