Operations Manager 2007 R2 & Audit Collection Services to monitor and audit your AD-based security policies

Olivier MICHOT, Managing Director Operations
Nicolas LOUVIOT, Technical Manager
Agenda


   Monitoring and Core IO
   Operations Manager 2007
   New features in SCOM 2007 R2
   AD and Security monitoring
   Audit Collection Services (ACS)
   Recommendations & guidelines
Monitoring and Core IO


Business value to your organization?
 Microsoft Core IO initiative: from Basic to Dynamic
 System Center Operations Manager provides key
   features for end-to-end service monitoring and
   real-time system health checks.
Operations Manager 2007


 Enterprise monitoring solution for AD environments
 State, health and performance information
 Alerts when availability, performance,
  configuration or security conditions are identified
 Management Packs provide
  best practice knowledge to discover,
  monitor, troubleshoot and report
 Role-based security model
Operations Manager added-value

  Deliver value right away
        Easy installation & quick results
        Support for complex environments & prescriptive guidance
  Run operations more productively
        Proactive monitoring based upon pre-defined rule sets
        Notification of issues within the environment
        Allows creation of customized self healing processes
  Decrease overall workload
        Reduction of manual tasks & alerts consolidation
        Centralized management tool across the organization
Management packs

Microsoft Applications
    BizTalk Server
    Exchange Server
    Host Integration Server
    Identity Integration Server
    Internet Security and Acceleration Server
    Microsoft Operations Manager
    Project Server
    Proxy Server
    SharePoint Server
    SQL Server
    Systems Management Server 2003 / 2.0
    …

Windows
    Windows Operating Systems
    Active Directory
    DNS service
    IIS versions
    Server clusters
    Component Services (formerly MTS 2.0)
    Message Queuing (MSMQ)
    Distributed Transaction Coordinator (MS DTC)
    .NET Framework
    Windows Internet Name Service (WINS)
    Windows SharePoint Services
    Network Load Balancing
    Routing and Remote Access service
    Terminal Services
    File Replication Services
    Advanced Deployment Services
    Group Policy

3rd Party Platforms
    eXc Software: IBM AS400, IBM z/OS, Unix, Linux
    Metilinx: Linux/Unix

3rd Party Devices
    JalaSOFT: Cisco Routers and Switches

3rd Party Hardware
    Dell OpenManage
    HP Insight Manager
    IBM Director
Knowledge Base



   Knowledge is a key feature
   Facilitates rapid issue resolution
   Empowers front line operators
   Less escalation
   Faster resolution
OpsMgr Reporting & Analysis


   Microsoft SQL Server Reporting Services
   More than 100 predefined reports
   System monitoring and operations
   Capacity planning
   Performance analysis
   Application-specific monitoring
Reports


   Reports are interactive
   Easy navigation through views
   Interface can launch tasks
   Reports are run from the Console
   Support for scheduling reports
   Favorite reports
New features in SCOM 2007 R2

 User interface, performance and scalability
 Cross-platform monitoring
 Service Level Tracking
Cross-Platform Monitoring


 Extend end-to-end monitoring to distributed applications
  deployed across heterogeneous platforms and operating
  systems
 Monitor Windows Server, Linux and
  Unix – all from a single console
 Set up non-Windows agents

[Diagram: ERP Application made up of Databases (Order DB), Servers (App1) and Web Servers (OTW-IIS-01, OTW-IIS-02)]
Service Level Tracking


 Define SLOs against state and
  performance data
 Extended service level reporting
  capabilities
 SharePoint integration for
  displaying service level
  performance within the
  organization
“I need to track the availability of my Exchange service against my agreed service level goal of 99.99% during regular business hours”
Service Level Tracking




Demo
Audit Collection Services
and how it can help you monitor and audit your
AD-based security policies
Why Monitor AD and Security?

 Active Directory is at the heart of Windows-based
  environment security
 Regulatory compliance impacts the whole organization
 AD problems can be extremely disruptive if left
  undetected:
        Slow login/login failures/password issues
        Group Policy & resource access problems
        Security issues
        Exchange Issues
 AD problems are trivial to fix when detected early, but
  rapidly become complex when ignored
 Replication issues can lead to security holes
 Business applications critically depend on AD
Active Directory Management Pack

 Active Directory MP Provides
   Core Active Directory monitoring rules
   Client side monitoring capabilities
   Replication and trust monitoring
   Active Directory health and state monitoring
 What it’s lacking: security monitoring
   Changes to membership of key groups
   Enterprise Admins, Domain Admins, Schema Admins
   User accounts and Groups created / deleted / modified
   Password changes by someone other than the account owner
   Access to sensitive files/folders
   Changes to OU Permissions
Security Event Log


The security event log is important:
 Security privilege changes are logged
 Security threats are identified, e.g. hacking and viruses
 Unauthorized use of resources is tracked
 Auditors and security officers can monitor for misuse
  for regulatory compliance
 Administrators can track activity, e.g. account lockouts
 Applications can create events when
  security fails within their scope
Limitations


But:
 It only keeps a certain amount of historical
  information
 Security event log is only as trustworthy as the
  administrators
 Analysis of distributed logs is difficult and
  time consuming
 Delegation to auditors or security officers is
  not possible
The solution is ACS


   A means to collect records generated by an audit policy
   Delegation of auditing to non-IT staff
   Centrally stores Windows security event log
   Consolidation of logs provides normalized overview
   Dedicated (secured) database – Immutable collection policy
   Enables forensic (legal) analysis using reports
   Solution for regulatory compliance such as SOX or CSSF
ACS Infrastructure Design
ACS & Ops Manager


 Fully integrated in SCOM infrastructure (free add-on)
 Out-of-the-box but customizable reports from Microsoft
 High Performance
      up to 2,500 events/sec (continuous load)
      up to 100,000 events/sec (short burst)
 High Scalability
      3,000 non-DC servers
      150 Domain Controllers
      20,000 workstations
Audit Collection Services


Demo
Recommendations


 Auditing is based upon user accounts

 Do not use local administrator accounts (disable them or use
  random passwords)
 Never use the built-in domain admin account (enforce
  using a two-person strategy)
 Provide IT staff with 2 accounts:
      Standard account
      Admin account
 Delegate administration privileges
Deployment guidelines


 Define the range of events to audit
 Simulate the scenario activity in a lab to identify the
  Events and Event IDs generated, e.g. modify Domain
  Admins group membership
 Create rules / monitors based on these events
 Verify that rules / monitors are working correctly
 Verify that your reports return relevant information
 Deploy your rules / monitors in production but limit
  distribution to mitigate risk
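
The rule-building and verification steps above, as an added example that is not part of the original slides: Python that parses events in the Windows event XML schema and flags changes to the key groups and passwords set by someone other than the account owner. The event IDs (Windows Server 2008 and later) and the well-known group RIDs are not from the slides; every SID, account and host name is constructed lab data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security event IDs on Windows Server 2008 and later (not listed on the slides):
# member added to / removed from a security-enabled global, local or universal group.
MEMBERSHIP = {4728: "added", 4729: "removed", 4732: "added",
              4733: "removed", 4756: "added", 4757: "removed"}
PASSWORD = {4723: "change", 4724: "reset"}  # password change / reset attempts

# Well-known relative IDs (RIDs) of the key groups named on the slides. Matching
# on the RID still works when a group has been renamed or has a localized name.
KEY_GROUP_RIDS = {"512": "Domain Admins", "518": "Schema Admins",
                  "519": "Enterprise Admins"}


def parse_event(xml_text):
    """Flatten one event in the Windows event XML schema into a dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): d.text or ""
          for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    ev["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return ev


def evaluate(ev):
    """Return a finding for events the rule set covers, otherwise None."""
    eid = ev["EventID"]
    finding = {
        "time": ev["Time"], "computer": ev["Computer"], "event_id": eid,
        "actor": ev.get("SubjectDomainName", "?") + "\\" + ev.get("SubjectUserName", "?"),
    }
    if eid in MEMBERSHIP:
        sid = ev.get("TargetSid", "")
        group = KEY_GROUP_RIDS.get(sid.rsplit("-", 1)[-1])
        if group and sid.startswith("S-1-5-21-"):  # domain SIDs only
            finding.update(rule="key-group-membership", action=MEMBERSHIP[eid],
                           target=group, member=ev.get("MemberName", ""))
            return finding
    elif eid in PASSWORD and ev.get("SubjectUserSid") != ev.get("TargetSid"):
        # The account whose password was set is not the account that set it.
        finding.update(rule="password-set-by-non-owner", action=PASSWORD[eid],
                       target=ev.get("TargetUserName", ""))
        return finding
    return None


def run_rules(xml_events):
    """Apply the rules to an iterable of event XML strings."""
    return [f for f in (evaluate(parse_event(x)) for x in xml_events) if f]


# --- Constructed lab data: every SID, account and host name below is made up ---
DOM = "S-1-5-21-1111111111-2222222222-3333333333"


def sample(event_id, **data):
    """Build one constructed event as XML."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<TimeCreated SystemTime="2010-03-01T09:15:00Z"/>'
            '<Computer>dc01.lab.example</Computer></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, body))


ADMIN = dict(SubjectUserSid=DOM + "-1104", SubjectUserName="adm-jdoe",
             SubjectDomainName="LAB")
MEMBER = dict(MemberName="CN=Test User,OU=Staff,DC=lab,DC=example",
              MemberSid=DOM + "-1110")
SAMPLE_EVENTS = [
    # Lab scenario from the slides: modify Domain Admins membership.
    sample(4728, TargetUserName="Domain Admins", TargetSid=DOM + "-512",
           **MEMBER, **ADMIN),
    # Same event ID on an ordinary group: must not raise a finding.
    sample(4728, TargetUserName="Helpdesk", TargetSid=DOM + "-1105",
           **MEMBER, **ADMIN),
    # Administrator resets another user's password.
    sample(4724, TargetUserName="tuser", TargetSid=DOM + "-1110", **ADMIN),
    # User changes their own password: must not raise a finding.
    sample(4723, TargetUserName="tuser", TargetSid=DOM + "-1110",
           SubjectUserSid=DOM + "-1110", SubjectUserName="tuser",
           SubjectDomainName="LAB"),
    sample(4757, TargetUserName="Enterprise Admins", TargetSid=DOM + "-519",
           **MEMBER, **ADMIN),
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The two events that must stay silent are the verification step: a rule that also fires on them would flood the report with routine activity.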
Resources

Microsoft:
SCOM 2007 Home:
http://www.microsoft.com/systemcenter/opsmgr/
SCOM Technet library Home:
http://technet.microsoft.com/en-us/library/bb310604.aspx
Management Packs Catalog:
http://pinpoint.microsoft.com/en-US/systemcenter/managementpackcatalog

Community:
http://www.systemcentercentral.com
http://scug.be
http://opsmgr.fr