1. Operations Manager 2007 R2
& Audit Collection services to monitor and audit
your AD-based security policies
Olivier MICHOT Nicolas LOUVIOT
Managing Director Operations Technical Manager
2. Agenda
Monitoring and Core IO
Operations Manager 2007
New features in SCOM 2007 R2
AD and Security monitoring
Audit Collection Services (ACS)
Recommendations & guidelines
3. Monitoring and Core IO
Business value to your organization?
Microsoft Core IO initiative: from Basic to Dynamic
System Center Operations Manager provides key features for end-to-end service monitoring and real-time system health checks.
4. Operations Manager 2007
Enterprise monitoring solution for AD environments
State, health and performance information
Alerts raised when availability, performance, configuration or security conditions are detected
Management Packs provide best-practice knowledge to discover, monitor, troubleshoot and report
Role-based security model
5. Operations Manager added-value
Deliver value right away
Easy installation & quick results
Support for complex environments & prescriptive guidance
Run operations more productively
Proactive monitoring based upon pre-defined rule sets
Notification of issues within the environment
Allows creation of customized self-healing processes
Decrease overall workload
Reduction of manual tasks & alerts consolidation
Centralized management tool across the organization
6. Management packs
Microsoft Applications
BizTalk Server
Exchange Server
Host Integration Server
Identity Integration Server
Internet Security and Acceleration Server
Microsoft Operations Manager
Project Server
Proxy Server
SharePoint Server
SQL Server
Systems Management Server 2003 / 2.0
…
3rd Party Platforms
eXc Software: IBM AS400, IBM z/OS, Unix, Linux
Metilinx: Linux/Unix
3rd Party Devices
JalaSOFT: Cisco Routers and Switches
3rd Party Hardware
Dell OpenManage
HP Insight Manager
IBM Director
Windows
Windows Operating Systems
Active Directory
DNS service
IIS versions
Server clusters
Component Services (formerly MTS 2.0)
Message Queuing (MSMQ)
Distributed Transaction Coordinator (MS DTC)
.NET Framework
Windows Internet Name Service (WINS)
Windows SharePoint Services
Network Load Balancing
Routing and Remote Access service
Terminal Services
File Replication Services
Advanced Deployment Services
Group Policy
7. Knowledge Base
Knowledge is a key feature
Facilitates rapid issue resolution
Empowers front line operators
Less escalation
Faster resolution
8. OpsMgr Reporting & Analysis
Microsoft SQL Server Reporting Services
More than 100 predefined reports
System monitoring and operations
Capacity planning
Performance analysis
Application-specific monitoring
9. Reports
Reports are interactive
Easy navigation through views
Interface can launch tasks
Reports are run from the Console
Support for scheduling reports
Favorite reports
10. New features in SCOM 2007 R2
User interface, performance and scalability
Cross-platform monitoring
Service Level Tracking
11. Cross-Platform Monitoring
Extend end-to-end monitoring to distributed applications deployed across heterogeneous platforms and operating systems
Monitor Windows Server, Linux and Unix – all from a single console
Set up non-Windows agents
[Diagram: ERP Application made up of Database Servers (Order DB, App1) and Web Servers (OTW-IIS-01, OTW-IIS-02)]
12. Service Level Tracking
Define SLOs against state and performance data
Extended service level reporting capabilities
SharePoint integration for displaying service level performance within the organization
“I need to track the availability of my Exchange service against my agreed service level goal of 99.99% during regular business hours”
15. Why Monitor AD and Security?
Active Directory is at the heart of a Windows-based environment's security
Regulatory compliance impacts the whole organization
AD problems can be extremely disruptive if left undetected:
Slow login/login failures/password issues
Group Policy & resource access problems
Security issues
Exchange Issues
AD problems are trivial to fix when detected early, but rapidly become complex when ignored
Replication issues can lead to security holes
Business applications critically depend on AD
16. Active Directory Management Pack
Active Directory MP Provides
Core Active Directory monitoring rules
Client side monitoring capabilities
Replication and trust monitoring
Active Directory health and state monitoring
What it’s lacking: security monitoring
Changes to membership of key groups
Enterprise Admins, Domain Admins, Schema Admins
User accounts and Groups created / deleted / modified
Password changes by non account owner
Access to sensitive files/folders
Changes to OU Permissions
17. Security Event Log
The security event log is important:
Security privilege changes are logged
Security threats are identified, e.g. hacking and viruses
Unauthorized use of resources is tracked
Auditors and security officers can monitor for misuse for regulatory compliance
Administrators can track activity, e.g. account lockouts
Applications can create events when security fails within their scope
18. Limitations
But:
It only keeps a limited amount of historical information
The security event log is only as trustworthy as the administrators
Analysis of distributed logs is difficult and time-consuming
Delegation to auditors or security officers is not possible
19. The solution is ACS
A means of collecting the records generated by an audit policy
Delegation of auditing to non-IT staff
Centrally stores Windows security event log
Consolidation of logs provides normalized overview
Dedicated (secured) database – Immutable collection policy
Enables forensic (legal) analysis using reports
Solution for regulatory compliance such as SOX or CSSF
23. Recommendations
Auditing is based upon user accounts
Do not use local administrator accounts (disable them or use random passwords)
Never use the built-in domain admin account (enforce this with a two-person strategy)
Provide IT staff with two accounts:
Standard account
Admin account
Delegate administration privileges
24. Deployment guidelines
Define the range of events to audit
Simulate the scenario activity in a lab to identify the events and Event IDs generated, e.g. by modifying Domain Admins group membership
Create rules / monitors based on these events
Verify that rules / monitors are working correctly
Verify that your reports return relevant information
Deploy your rules / monitors in production but limit distribution to mitigate risk
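As an added illustration of the lab-to-rule procedure above, and of the key-group membership gap listed on slide 16, the following Python is not part of the deck or of Operations Manager: it encodes one detection rule over constructed Security log records. Assumptions: the lab step identified the Windows Server 2008+ Event IDs 4728/4729 (global group) and 4756/4757 (universal group) for membership changes, and the record fields are named as in the dataclass below.

```python
"""Detection rule for membership changes of key AD groups (added example, constructed data)."""
from dataclasses import dataclass

# Groups whose membership changes the deck wants alerted on (slide 16).
KEY_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins"}

# Security log Event IDs for membership changes of security-enabled groups
# (assumption: this is the ID set identified in the lab simulation step).
MEMBERSHIP_EVENTS = {
    4728: "member added to global group",
    4729: "member removed from global group",
    4756: "member added to universal group",
    4757: "member removed from universal group",
}

@dataclass
class SecurityEvent:
    event_id: int
    computer: str       # domain controller that logged the event
    subject: str        # account that made the change
    member: str         # account added to / removed from the group
    target_group: str   # group whose membership changed

def evaluate_rule(event):
    """Return an alert line if the event matches the rule, otherwise None."""
    description = MEMBERSHIP_EVENTS.get(event.event_id)
    if description is None or event.target_group not in KEY_GROUPS:
        return None
    return (f"ALERT on {event.computer}: {description} - '{event.member}' "
            f"in '{event.target_group}' by '{event.subject}'")

def run_rule(events):
    """Evaluate every collected event; alerts keep the order events were seen in."""
    return [alert for alert in (evaluate_rule(e) for e in events) if alert]

# Constructed sample records standing in for Security log events collected by ACS.
SAMPLE_EVENTS = [
    SecurityEvent(4728, "DC01", "CORP\\jdoe", "CORP\\svc-backup", "Domain Admins"),
    SecurityEvent(4728, "DC01", "CORP\\jdoe", "CORP\\asmith", "Sales"),   # not a key group
    SecurityEvent(4624, "DC01", "CORP\\asmith", "", ""),                  # logon, out of scope
    SecurityEvent(4757, "DC02", "CORP\\admin-ops", "CORP\\jdoe", "Schema Admins"),
]

if __name__ == "__main__":
    for line in run_rule(SAMPLE_EVENTS):
        print(line)
```

Running the rule against the lab-generated events before production deployment is the "verify that rules / monitors are working correctly" step: only the two key-group changes produce alerts.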