Operations Manager 2007 Audit Collection Services
Jeff LeBlanc, MCSE, CISSP
Senior Solutions Specialist, LegendCorp

Agenda
• What is Operations Manager 2007
• Why Monitor AD and Security
• Security Monitoring Fundamentals
• Windows Security Events
• Security Reports
• Resources

Operations Manager 2007
• Next Generation Enterprise monitoring solution for Active Directory environments
• Manage your Windows servers, workstations or even non-Windows systems more effectively with pro-active monitoring based on Best Practices
• Management Packs provide Best Practice configuration monitoring, Knowledge and Reports

Operations Manager Can Help…
Help me deliver value right away
• Installs easily, gets results quickly
• Support for complex environments
• Prescriptive guidance
• Proactive monitoring based upon pre-defined rule sets
Help me run operations more productively / Help me decrease my workload
• Automated alert resolution
• Notification of issues within the environment
• Allows creation of customized self-healing processes
• Reduction of manual tasks, e.g. reading event logs
• Consolidation of alerts – one issue to one alert
• Centralized management tool across the organization

Operations Manager Helps IT to…
• Stay aware of issues that arise.
• Effectively respond to hardware and software issues quickly and accurately.
• Access built-in application knowledge and prescriptive guidance from Operations Manager Management Packs.
• Retain resolution information in the corporate knowledge base.
• Demonstrate accountability to stakeholders.
Management Packs
Microsoft Applications
• Application Center 2000
• BizTalk Server 2002 Enterprise Edition
• Commerce Server 2000
• Exchange Server 2003 / 2000 / 5.5
• Host Integration Server 2000
• Identity Integration Server 2003
• Internet Security and Acceleration Server
• Live Communications Server 2003 (LCS)
• Microsoft Operations Manager 200x
• Project Server 2003
• Proxy Server 2.0
• SharePoint Portal Server 2003
• Site Server 3.0
• SNA Server 4.0
• SQL Server 2005/2000/7.0
• Systems Management Server 2003 / 2.0
3rd Party Platforms
• eXc Software: IBM AS400, IBM z/OS, Unix, Linux
• Metilinx: Linux/Unix
3rd Party Devices
• JalaSOFT: Cisco Routers and Switches
3rd Party Hardware
• Dell OpenManage
• HP Insight Manager
• IBM Director
Windows Management Packs
• Windows Operating Systems
• Active Directory
• DNS service
• IIS versions 4.0 / 5.0 / 6.0
• Windows System Resource Manager
• Server clusters
• Component Services (formerly MTS 2.0)
• Message Queuing (MSMQ)
• Distributed Transaction Coordinator (MS DTC)
• .NET Framework
• Windows Internet Name Service (WINS)
• Windows SharePoint Services
• Network Load Balancing
• Routing and Remote Access service
• Terminal Services
• File Replication Services
• Advanced Deployment Services
• Group Policy

OpsMgr Knowledge
• Knowledge is a key feature
• Facilitates rapid issue resolution
• Empowers front-line operators
• Less escalation
• Faster resolution

OpsMgr Reporting & Analysis
• Uses SQL Reporting Services
• Over 130 predefined reports
• General system monitoring and operations
• Capacity planning and performance analysis
• Application-specific monitoring

Reports
• Reports are interactive: they can launch other reports, console views and tasks
• Reports are run from the Console, not the SQL Reporting Services web page
• Knowledge for reports will help in understanding reports
• Support for scheduling reports
• Support for saving parameter definitions to a favorite report

Audit Collection Services
• Audit Collection Services (ACS) is new in Operations Manager 2007
• Auditing: maintain an audit trail of internal security-related events
• Scalable and Secure: the infrastructure must guarantee collection of large volumes of security events

Audit Collection Service con't…
Key Design Principles:
• Near real-time exporting of all Security events vs. batch copy
• Immutable collection policy – tamper resilient
• Network friendly, lightweight, compressed event forwarding
• Scalable (collection points and event volume)
• Schematized events for improved analysis and reporting
• Efficient on-line storage

Customer Value-Add
• Integrated with Operations Manager 2007 infrastructure
• Out-of-the-box, customizable reports from Microsoft
• ACS extensions provided by Secure Vantage, including:
  • Advanced security alerting and reporting libraries (free downloads)
  • Data consolidation and archiving
  • Regulatory compliance knowledge guidance and mapping

ACS Infrastructure Design (diagram)
• Monitored Clients and Monitored Servers → Audit Collector → Audit DB → Security Alerts and Data Archival
• Events on the monitored clients and servers: subject to tampering
• Events from the Audit Collector onward: under control of auditors

ACS Collector: Design Requirements
High Performance
• Each collector must support up to 2,500 events*/sec (continuous load)
• Peak load support per collector: up to 100,000 events*/sec (short burst only – not sustainable)
High Scalability
• With the default audit policy, a single collector can support: 3,000 non-DC servers, or 150 Domain Controllers, or 20,000 workstations
*Average bytes per event over the wire <= 100 bytes

Why Monitor AD and Security
• AD problems can be extremely disruptive if left undetected:
  • Slow login / login failures / password issues
  • Group Policy problems
  • Resource access problems
  • Exchange 2003/2007 issues
• AD problems are trivial to fix when detected early, but rapidly become complex when ignored
• Replication issues can lead to security holes
• More and more applications critically depend on Active Directory every day

Active Directory Management Pack
Active Directory MP provides:
• Core Active Directory monitoring rules
• Client-side monitoring capabilities
• Replication and trust monitoring
• Active Directory health and state monitoring
What it's lacking…. security monitoring
• Who's been added to the Enterprise Admins group or other highly sensitive groups?
• Who created an Organizational Unit (OU) in my domain?
• Who changed the permissions on an OU?
• Who enabled 'Block Inheritance' or 'No Override'?
• Who's logging on through Remote Desktop with a service account?

Security Monitoring Fundamentals
• Identify what you want to monitor
• Enable Windows Auditing to collect events
• Enable OpsMgr Audit Collection for the systems
• Simulate the scenario activity in a lab (e.g. modify Domain Admins group membership) to identify the Events and Event IDs generated
• Create a Rule to Alert based on those events

Security Monitoring con't…
• Test your rule in your lab
• Verify that the rule / monitor is working correctly
• Verify your Reports return relevant information
• Deploy your rule / monitor in production but limit distribution to mitigate risk
• Proceed with full production deployment when comfortable

Monitoring Security Events
Things to monitor:
• Changes to membership of key groups: Enterprise Admins, Domain Admins, Schema Admins
• User accounts and Groups created / deleted / modified
• Password changes by non-account owner
• Access to sensitive files/folders
• Changes to OU Permissions

Group Membership Changes
  Event Type: Success Audit
  Event Source: Security
  Event Category: Account Management
  Event ID: 632 (633 for Removal – these are for Domain Global Security Groups)
  Date: 6/7/2007
  Time: 10:10:07 AM
  User: LGNDDEMO\JeffLe
  Computer: TORDC01
  Description:
  Security Enabled Global Group Member Added:
    Member Name: CN=OpsMgr.Admin,OU=Service Accounts,DC=LGNDDEMO,DC=COM
    Member ID: LGNDDEMO\OpsMgr.Admin
    Target Account Name: Domain Admins
    Target Domain: LGNDDEMO
    Target Account ID: LGNDDEMO\Domain Admins
    Caller User Name: JeffLe
    Caller Domain: LGNDDEMO
    Caller Logon ID: (0x0,0x48E98C)
    Privileges: -

Group Member Changes Tips
• Check the group type in AD before creating the rule:
  • Membership changes to Global groups use event IDs 632 / 633
  • Membership changes to Universal groups use event IDs 660 / 661
  • Membership changes to Domain Local groups use event IDs 650 / 651
  • Membership changes to Local groups use event IDs 636 / 637
• See Microsoft Knowledge Base articles KB299475 and KB301677 for Security Events descriptions
• Test your rules in a lab
• If you flood your Operations Manager Management Server – stop the Health Service on the Ops Mgr Agent(s) or disable Auditing

Group Member Changes Demo

Groups Created / Deleted
Monitoring Group Creation and Deletion
• Global groups use event IDs 631 / 634
• Universal groups use event IDs 658 / 662
• Local groups use event IDs 635 / 638

Groups Created / Deleted
  Event Type: Success Audit
  Event Source: Security
  Event Category: Account Management
  Event ID: 631 (634 for Deleted – these are for Domain Global Security Groups)
  Date: 6/7/2007
  Time: 12:59:53 PM
  User: LGNDDEMO\JeffLe
  Computer: TORDC01
  Description:
  Security Enabled Global Group Created:
    New Account Name: MyTestGroup
    New Domain: LGNDDEMO
    New Account ID: LGNDDEMO\MyTestGroup
    Caller User Name: JeffLe
    Caller Domain: LGNDDEMO
    Caller Logon ID: (0x0,0x7B7A9A)
    Privileges: -

Groups Created / Deleted Tips
• Check the group type in AD before creating the rule:
  • Global groups use event IDs 631 / 634
  • Universal groups use event IDs 658 / 662
  • Local groups use event IDs 635 / 638

Groups Created / Deleted Demo

OU Permission Changes
• Monitor for OU Permission changes
• Remember to enable Auditing first
  Event Type: Success Audit
  Event Source: Security
  Event Category: Directory Service Access
  Event ID: 566
  Date: 2/22/2006
  Time: 5:44:29 PM
  User: LGNDDEMO\Administrator
  Computer: TORDC01
  Description:
  Object Operation:
    Object Server: DS
    Operation Type: Object Access
    Object Type: organizationalUnit
    Object Name: OU=Marketing,DC=DEMOMOM,DC=com
    Handle ID:
    Primary User Name: TORDC01$
    Primary Domain: LGNDDEMO
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: Administrator
    Client Domain: LGNDDEMO
    Client Logon ID: (0x0,0x16E743)
    Accesses: WRITE_DAC

Remote Desktop Logons
• Monitor logons for specific accounts (service accounts), e.g. logons via Remote Desktop as OpsMgr.Admin (Logon Type 10)
• Note: Win2k doesn't differentiate an interactive logon from a TS/RD logon, W2k3 does!! Win2k sees them both as logon type 2.

Remote Desktop Logons con't…
  Event Type: Success Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 538
  Date: 6/10/2007
  Time: 2:41:06 PM
  User: LGNDDEMO\OpsMgr.Admin
  Computer: TORDC01
  Description:
  User Logoff:
    User Name: OpsMgr.Admin
    Domain: LGNDDEMO
    Logon ID: (0x0,0x1773D2)
    Logon Type: 10

Audit Collection Services Demo

Logon Types
• Logon Type 2: Interactive
• Logon Type 3: Network
• Logon Type 4: Batch
• Logon Type 5: Service
• Logon Type 7: Unlock
• Logon Type 8: NetworkCleartext
• Logon Type 9: NewCredentials
• Logon Type 10: RemoteInteractive (Windows XP and newer OS's only)
• Logon Type 11: CachedInteractive
BE CAUTIOUS: Monitoring without the correct filters can result in event and/or alert storms! Test your rules against a SINGLE production server before a production deployment.

Audit Alerts (screenshot)

Audit Reports (screenshots)

Resources
• Technical Chats and Webcasts
  http://www.microsoft.com/communities/chats/default.mspx
  http://www.microsoft.com/usa/webcasts/default.asp
• Microsoft Learning and Certification
  http://www.microsoft.com/learning/default.mspx
• Virtual Labs
  http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
• Newsgroups
  http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
• Technical Community Sites
  http://www.microsoft.com/communities/default.mspx

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
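A sizing check derived from the figures on the ACS Collector: Design Requirements slide, added here as an example that is not part of the presentation. It assumes (my assumption, not the slide's) that a mixed estate consumes collector capacity as the sum of each host class's fraction of its per-collector limit.

```python
# Added sizing helper (not from the deck), using the "ACS Collector: Design Requirements"
# figures: 2,500 events/s sustained per collector, <= 100 bytes per event, and per-collector
# limits of 3,000 non-DC servers, 150 DCs or 20,000 workstations under the default audit policy.
# Assumption (mine): a mixed estate uses capacity as the sum of each class's fraction.
import math

SUSTAINED_EPS = 2500          # continuous load per collector (events/s)
BYTES_PER_EVENT = 100         # average bytes per event over the wire (upper bound on the slide)
HOSTS_PER_COLLECTOR = {"servers": 3000, "dcs": 150, "workstations": 20000}


def collectors_needed(servers: int, dcs: int, workstations: int, headroom: float = 0.0) -> int:
    """Collectors for a mixed estate; headroom=0.25 keeps a quarter of each collector free."""
    load = sum(n / HOSTS_PER_COLLECTOR[k] for k, n in
               (("servers", servers), ("dcs", dcs), ("workstations", workstations)))
    return max(1, math.ceil(load / (1 - headroom)))


def implied_eps_per_host(kind: str) -> float:
    """Average events/s per host implied by the sizing (a DC is ~17 eps, a workstation ~0.13)."""
    return SUSTAINED_EPS / HOSTS_PER_COLLECTOR[kind]


def sustained_bandwidth_kbps(collectors: int = 1) -> float:
    """Forwarding bandwidth at the sustained rate, in kbit/s, using the 100-byte bound."""
    return collectors * SUSTAINED_EPS * BYTES_PER_EVENT * 8 / 1000
```

The peak figure of 100,000 events/s is a short burst only, so it is deliberately left out of the sustained sizing.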
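The rule logic behind the Group Membership Changes, Groups Created / Deleted, OU Permission Changes and Remote Desktop Logons slides, with the filters the Logon Types slide warns are needed, as an added example that is not from the deck. Python stands in for an OpsMgr rule so the logic can be run offline; the watch lists, the 528 logon event paired with the slide's 538 logoff, and the sample records are my assumptions and constructed data.

```python
# Added example (not from the deck): alert logic behind the slides' rules, with the filters that
# keep them from flooding the Management Server. Watch lists and sample records are constructed.
from typing import Dict, List, Optional
# Event IDs per group type, as listed on the "Tips" slides (Windows 2000/2003 Security log)
MEMBER_ADDED = {632: "Global", 660: "Universal", 650: "Domain Local", 636: "Local"}
MEMBER_REMOVED = {633: "Global", 661: "Universal", 651: "Domain Local", 637: "Local"}
GROUP_CREATED = {631: "Global", 658: "Universal", 635: "Local"}
GROUP_DELETED = {634: "Global", 662: "Universal", 638: "Local"}
SENSITIVE_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins"}  # constructed filter
SERVICE_ACCOUNTS = {"OpsMgr.Admin"}  # constructed filter: only these accounts' RDP logons alert
LOGON_EVENTS = {528: "logon", 538: "logoff"}  # 538 is on the slide; 528 = successful logon (assumed)
REMOTE_INTERACTIVE = "10"  # logon type 10 = Remote Desktop / Terminal Services (W2k3 and later)

def parse_event(text: str) -> Dict[str, str]:
    """Split the 'Field: value' lines of a Security event record into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")  # first ':' only, so times and DNs survive
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def evaluate(text: str) -> Optional[str]:
    """Return an alert message when the event matches a monitored scenario, else None."""
    ev = parse_event(text)
    eid = int(ev["Event ID"])
    caller = f"{ev.get('Caller Domain', '')}\\{ev.get('Caller User Name', '')}"
    if eid in MEMBER_ADDED or eid in MEMBER_REMOVED:
        if ev["Target Account Name"] in SENSITIVE_GROUPS:  # filter: key groups only
            verb, kind = ("added to", MEMBER_ADDED[eid]) if eid in MEMBER_ADDED else ("removed from", MEMBER_REMOVED[eid])
            return f"{ev['Member ID']} {verb} {kind} group {ev['Target Account Name']} by {caller}"
    elif eid in GROUP_CREATED or eid in GROUP_DELETED:
        verb, kind = ("created", GROUP_CREATED[eid]) if eid in GROUP_CREATED else ("deleted", GROUP_DELETED[eid])
        return f"{kind} group {ev['New Account ID']} {verb} by {caller}"
    elif eid == 566 and ev.get("Object Type") == "organizationalUnit" and "WRITE_DAC" in ev.get("Accesses", ""):
        return f"Permissions changed on {ev['Object Name']} by {ev['Client Domain']}\\{ev['Client User Name']}"
    elif eid in LOGON_EVENTS and ev.get("Logon Type") == REMOTE_INTERACTIVE and ev.get("User Name") in SERVICE_ACCOUNTS:
        return f"Remote Desktop {LOGON_EVENTS[eid]} by service account {ev['Domain']}\\{ev['User Name']}"
    return None

# Constructed records in the layout the slides show (only the fields the rules read)
SAMPLES = [
    "Event ID: 632\nMember ID: LGNDDEMO\\OpsMgr.Admin\nTarget Account Name: Domain Admins\nCaller User Name: JeffLe\nCaller Domain: LGNDDEMO",
    "Event ID: 632\nMember ID: LGNDDEMO\\Alice\nTarget Account Name: Sales\nCaller User Name: JeffLe\nCaller Domain: LGNDDEMO",  # noise: ordinary group
    "Event ID: 566\nObject Type: organizationalUnit\nObject Name: OU=Marketing,DC=LGNDDEMO,DC=com\nClient User Name: Administrator\nClient Domain: LGNDDEMO\nAccesses: WRITE_DAC",
    "Event ID: 538\nUser Name: OpsMgr.Admin\nDomain: LGNDDEMO\nLogon Type: 10",
    "Event ID: 538\nUser Name: OpsMgr.Admin\nDomain: LGNDDEMO\nLogon Type: 2",  # noise: console logon, not RDP
]

def run(events: List[str] = SAMPLES) -> List[str]:
    """Apply the rules to a batch of records and return only the alerts that fire."""
    return [alert for alert in map(evaluate, events) if alert]
```

Of the five constructed records only three alert: the two noise records show the group watch list and the logon-type filter doing the work that stops the alert storm the deck warns about.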
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.