Operations Manager 2007
Audit Collection Services
Jeff LeBlanc, MCSE, CISSP
Senior Solutions Specialist
LegendCorp
Agenda
What is Operations Manager 2007
Why Monitor AD and Security
Security Monitoring Fundamentals
Windows Security Events
Security Reports
Resources
Operations Manager 2007
Next Generation Enterprise monitoring
solution for Active Directory environments
Manage your Windows servers, workstations
or even non-Windows systems more
effectively with pro-active monitoring based
on Best Practices
Management Packs provide Best Practice
configuration monitoring, Knowledge and
Reports
Operations Manager Can Help…
Help me deliver value right away
Help me run operations more productively
Help me decrease my workload
Installs easily, gets results quickly
Support for complex environments
Prescriptive guidance
Proactive monitoring based upon pre-defined rule sets
Automated alert resolution
Notification of issues within the environment
Allows creation of customized self healing processes
Reduction of manual tasks, e.g. reading event logs
Consolidation of alerts – one issue to one alert
Centralized management tool across the organization
Operations Manager
Helps IT to…
Stay aware of issues that arise.
Effectively respond to hardware and software issues
quickly and accurately.
Access built in application knowledge and
prescriptive guidance from Operations Manager
Management Packs.
Retain resolution information in the corporate
knowledge base.
Demonstrate accountability to stakeholders.
Microsoft Applications
Application Center 2000
BizTalk Server 2002 Enterprise Edition
Commerce Server 2000
Exchange Server 2003 / 2000 / 5.5
Host Integration Server 2000
Identity Integration Server 2003
Internet Security and Acceleration Server
Live Communications Server 2003 (LCS)
Microsoft Operations Manager 200x
Project Server 2003
Proxy Server 2.0
SharePoint Portal Server 2003
Site Server 3.0
SNA Server 4.0
SQL Server 2005/2000/7.0
Systems Management Server 2003 / 2.0
3rd Party Platforms
eXc Software: IBM AS400, IBM z/OS, Unix, Linux
Metilinx: Linux/Unix
3rd Party Devices
JalaSOFT: Cisco Routers and Switches
3rd Party Hardware
Dell OpenManage
HP Insight Manager
IBM Director
Windows
Management Packs
Windows Operating Systems
Active Directory
DNS service
IIS versions 4.0 / 5.0 / 6.0
Windows System Resource Manager
Server clusters
Component Services (formerly MTS 2.0)
Message Queuing (MSMQ)
Distributed Transaction Coordinator (MS DTC)
.NET Framework
Windows Internet Name Service (WINS)
Windows SharePoint Services
Network Load Balancing
Routing and Remote Access service
Terminal Services
File Replication Services
Advanced Deployment Services
Group Policy
OpsMgr Knowledge
Knowledge is a key feature
Facilitates rapid issue
resolution
Empowers front line
operators
Less escalation
Faster resolution
OpsMgr Reporting & Analysis
Uses SQL reporting services
Over 130 predefined reports
General system monitoring and operations
Capacity planning and performance analysis
Application specific monitoring
Reports
• Reports are interactive
• can launch other reports
• can launch console views
• can launch tasks
• Reports are run from the Console,
not the SQL Reporting Services
Webpage
• Knowledge for reports will
help in understanding reports
• Support for scheduling reports
• Support for saving parameter
definitions to a favorite report
Audit Collection Services
Audit Collection Services (ACS)
New in Operations Manager 2007
Auditing
Maintain Audit Trail of internal security
related events
Scalable and Secure
Infrastructure must guarantee collection of
large volumes of security events
Audit Collection Service con’t…
Key Design Principles:
Near real time exporting of all Security events vs
batch copy
Immutable collection policy – tamper resilient
Network friendly, lightweight, compressed event
forwarding
Scalable (collection points and event volume)
Schematized events for improved analysis and
reporting
Efficient on-line storage
Customer Value-Add
Integrated with Operations Manager 2007
infrastructure
Out-of-the-box, customizable reports from
Microsoft
ACS extensions provided by Secure Vantage,
including
Advanced security alerting and reporting
libraries (free downloads)
Data consolidation and archiving
Regulatory compliance knowledge guidance
and mapping
ACS Infrastructure Design
Monitored
Clients
Monitored Servers
Events subject to tampering
Audit Collector
Audit DB
Security
Alerts
Events under control of auditors
Data Archival
ACS Collector: Design
Requirements
High Performance
Each collector must support up to 2,500 events*/sec
(continuous load)
Peak load support per collector: up to 100,000 events*/sec
(short burst only – non sustainable)
High Scalability
With default audit policy, a single collector can support:
3,000 non-DC servers, or
150 Domain Controllers, or
20,000 workstations
*Average bytes per event over the wire <= 100 bytes
Why Monitor AD and Security
AD problems can be extremely disruptive if left undetected:
Slow login/login failures/password issues
Group Policy problems
Resource access problems
Exchange 2003/2007 Issues
AD problems are trivial to fix when detected early, but
rapidly become complex when ignored
Replication issues can lead to security holes
More and more applications critically depend on Active
Directory everyday
Active Directory
Management Pack
Active Directory MP Provides
Core Active Directory monitoring rules
Client side monitoring capabilities
Replication and trust monitoring
Active Directory health and state monitoring
What it’s lacking…. security monitoring
Who’s been added to the Enterprise Admins group or
other highly sensitive groups?
Who created an Organizational Unit (OU) in my domain?
Who changed the permissions on an OU?
Who enabled ‘Block Inheritance’ or ‘No Override’?
Who’s logging on through Remote Desktop with a service
account?
Security Monitoring
Fundamentals
Identify what you want to monitor
Enable Windows Auditing to collect events
Enable OpsMgr Audit Collection for the systems
Simulate the scenario activity in a lab (e.g. modify
Domain Admins group membership) to identify
the Events and Event IDs generated
Create a Rule to Alert based on those events
Security Monitoring con’t…
Test your rule in your lab
Verify that the rule / monitor is working
correctly
Verify your Reports return relevant
information
Deploy your rule / monitor in production but
limit distribution to mitigate risk
Proceed with full production deployment
when comfortable
Monitoring Security Events
Things to monitor:
Changes to membership of key groups
Enterprise Admins, Domain Admins,
Schema Admins
User accounts and Groups created / deleted /
modified
Password changes by non account owner
Access to sensitive files/folders
Changes to OU Permissions
Group Membership Changes
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 632 (633 for Removal – these are for Domain Global Security Groups)
Date: 6/7/2007
Time: 10:10:07 AM
User: LGNDDEMO\JeffLe
Computer: TORDC01
Description:
Security Enabled Global Group Member Added:
Member Name: CN=OpsMgr.Admin,OU=Service Accounts,DC=LGNDDEMO,DC=COM
Member ID: LGNDDEMO\OpsMgr.Admin
Target Account Name: Domain Admins
Target Domain: LGNDDEMO
Target Account ID: LGNDDEMO\Domain Admins
Caller User Name: JeffLe
Caller Domain: LGNDDEMO
Caller Logon ID: (0x0,0x48E98C)
Privileges: -
Group Member Changes Tips
Check the group type in AD before creating the rule
Membership changes to Global groups use event ids 632 / 633
Membership changes to Universal groups use event ids 660 / 661
Membership changes to Domain Local groups use event ids 650 / 651
Membership changes to Local groups use event ids 636 / 637
See Microsoft Knowledge Base articles KB299475 and KB301677 for
Security Events Descriptions
Test your rules in a lab
If you flood your Operations Manager Management Server – stop the
Health Service on the Ops Mgr Agent(s) or disable Auditing
Group Member Changes
Demo
Groups Created / Deleted
Monitoring Group Creation and Deletion
Global groups use event ids 631 / 634
Universal groups use event ids 658 / 662
Local groups use event ids 635 / 638
Groups Created / Deleted
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 631 (634 for Deleted – these are for Domain Global Security Groups)
Date: 6/7/2007
Time: 12:59:53 PM
User: LGNDDEMO\JeffLe
Computer: TORDC01
Description:
Security Enabled Global Group Created:
New Account Name: MyTestGroup
New Domain: LGNDDEMO
New Account ID: LGNDDEMO\MyTestGroup
Caller User Name: JeffLe
Caller Domain: LGNDDEMO
Caller Logon ID: (0x0,0x7B7A9A)
Privileges: -
Groups Created / Deleted Tips
Check the group type in AD before creating the rule
Global groups use event ids 631 / 634
Universal groups use event ids 658 / 662
Local groups use event ids 635 / 638
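The two event-id tables (membership changes under "Group Member Changes Tips" and creation/deletion here) are what a rule author keys on, and the "Things to monitor" slide names the groups that matter most. The following is an added example, not code from the deck or from Operations Manager: it parses the "Label: value" description text of a Windows 2000/2003 Account Management event, maps the event id to an operation and group scope using the slides' tables, and assigns a severity. The severity scheme and the two sample descriptions (modelled on the slides' 632 and 631 events) are constructed for this example; the assumption that deletion events name the group under "Target Account Name" is the author's, since the deck shows no 634 event.

```python
"""Classify Windows 2000/2003 Account Management audit events for group changes.

Added example, not code from the original deck. The event-id tables are the
ones the slides list; the two sample descriptions are constructed to mirror
the 632 and 631 events shown on the slides.
"""
from dataclasses import dataclass
from typing import Optional

# Event ID -> (operation, group scope), exactly as tabulated on the slides.
GROUP_EVENTS = {
    632: ("member added", "global"),        633: ("member removed", "global"),
    660: ("member added", "universal"),     661: ("member removed", "universal"),
    650: ("member added", "domain local"),  651: ("member removed", "domain local"),
    636: ("member added", "local"),         637: ("member removed", "local"),
    631: ("group created", "global"),       634: ("group deleted", "global"),
    658: ("group created", "universal"),    662: ("group deleted", "universal"),
    635: ("group created", "local"),        638: ("group deleted", "local"),
}

# Groups whose membership changes always warrant an alert (from the slides).
SENSITIVE_GROUPS = {"enterprise admins", "domain admins", "schema admins"}


def parse_description(text: str) -> dict:
    """Split the 'Label: value' lines of an event description into a dict.

    The first line (e.g. 'Security Enabled Global Group Member Added:') has no
    value and is kept under the key 'summary'.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {"summary": lines[0].rstrip(":")}
    for line in lines[1:]:
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


@dataclass
class Finding:
    event_id: int
    operation: str
    scope: str
    group: str
    member: str
    caller: str
    severity: str


def evaluate(event_id: int, description: str) -> Optional[Finding]:
    """Return a Finding for a tracked group event, or None for any other id."""
    if event_id not in GROUP_EVENTS:
        return None
    operation, scope = GROUP_EVENTS[event_id]
    f = parse_description(description)
    # Creation events name the group under 'New Account Name' (slide's 631 event);
    # membership events use 'Target Account Name' (slide's 632 event). Deletion
    # events are assumed here to use 'Target Account Name' as well.
    group = f.get("Target Account Name") or f.get("New Account Name", "")
    member = f.get("Member ID", "-")
    caller = f"{f.get('Caller Domain', '')}\\{f.get('Caller User Name', '')}"
    if "member" in operation and group.lower() in SENSITIVE_GROUPS:
        severity = "critical"        # e.g. someone added to Domain Admins
    elif "member" in operation:
        severity = "informational"   # ordinary group housekeeping
    else:
        severity = "warning"         # group created/deleted: review, not page
    return Finding(event_id, operation, scope, group, member, caller, severity)


# Constructed sample descriptions, modelled on the slides' 632 and 631 events.
SAMPLE_632 = """Security Enabled Global Group Member Added:
Member Name: CN=OpsMgr.Admin,OU=Service Accounts,DC=LGNDDEMO,DC=COM
Member ID: LGNDDEMO\\OpsMgr.Admin
Target Account Name: Domain Admins
Target Domain: LGNDDEMO
Target Account ID: LGNDDEMO\\Domain Admins
Caller User Name: JeffLe
Caller Domain: LGNDDEMO
Caller Logon ID: (0x0,0x48E98C)
Privileges: -"""

SAMPLE_631 = """Security Enabled Global Group Created:
New Account Name: MyTestGroup
New Domain: LGNDDEMO
New Account ID: LGNDDEMO\\MyTestGroup
Caller User Name: JeffLe
Caller Domain: LGNDDEMO
Caller Logon ID: (0x0,0x7B7A9A)
Privileges: -"""

if __name__ == "__main__":
    for event_id, desc in ((632, SAMPLE_632), (631, SAMPLE_631), (528, "")):
        print(event_id, evaluate(event_id, desc))
```

Keying the rule on the event id first, and only then on the group name in the description, is what lets it tell a Domain Admins change (critical) from a MyTestGroup creation (review) without a separate rule per group scope; the scope still ends up in the finding so an operator can see which table entry fired.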
Groups Created / Deleted
Demo
OU Permission Changes
Monitor for OU Permission changes
Remember to enable Auditing first
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 2/22/2006
Time: 5:44:29 PM
User: LGNDDEMO\Administrator
Computer: TORDC01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Marketing,DC=DEMOMOM,DC=com
Handle ID:
Primary User Name: TORDC01$
Primary Domain: LGNDDEMO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: LGNDDEMO
Client Logon ID: (0x0,0x16E743)
Accesses: WRITE_DAC
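Event 566 fires for many kinds of directory object access, so a rule for OU permission changes has to look at the object type and the access tokens, not just the id. The block below is an added example, not the deck's or Operations Manager's code: it takes events already broken out into fields (as a collector would schematize them), keeps only 566 events on organizationalUnit objects whose Accesses include a permission-changing right, and reports the Client user rather than the Primary user, which on the slide is the domain controller's own machine account. WRITE_OWNER is included alongside the slide's WRITE_DAC as an assumption about what an auditor would also want; the three sample events are constructed.

```python
"""Flag OU permission changes from Directory Service Access audit events (ID 566).

Added example, not code from the original deck. Each event is a dict whose keys
are the 'Description' labels shown on the slide; 'Accesses' holds the access
tokens Windows lists one per line. The three sample events are constructed.
"""
from typing import Optional

# Access rights that alter who controls the object. WRITE_DAC is the one on the
# slide; WRITE_OWNER (take ownership) is a standard Windows right and is
# included on the assumption that an auditor wants to see it as well.
PERMISSION_RIGHTS = {"WRITE_DAC", "WRITE_OWNER"}


def ou_permission_change(event: dict) -> Optional[dict]:
    """Return an alert record if the event is an OU ACL change, else None."""
    if event.get("Event ID") != 566:
        return None
    if event.get("Object Type") != "organizationalUnit":
        return None                       # other DS objects: out of scope here
    rights = set(event.get("Accesses", [])) & PERMISSION_RIGHTS
    if not rights:
        return None                       # 566 also fires for reads; not a change
    # 'Primary User Name' is the domain controller's own machine account
    # (TORDC01$ on the slide); the account that made the change is the client.
    actor = f"{event['Client Domain']}\\{event['Client User Name']}"
    return {
        "ou": event["Object Name"],
        "actor": actor,
        "rights": sorted(rights),
        "computer": event["Computer"],
    }


def scan(events) -> list:
    """Run the rule over a batch of events and return the alerts."""
    return [a for a in map(ou_permission_change, events) if a]


# Constructed sample batch: the slide's event, a read-only 566, and a user object.
SAMPLE_EVENTS = [
    {"Event ID": 566, "Computer": "TORDC01", "Object Server": "DS",
     "Object Type": "organizationalUnit",
     "Object Name": "OU=Marketing,DC=DEMOMOM,DC=com",
     "Primary User Name": "TORDC01$", "Primary Domain": "LGNDDEMO",
     "Client User Name": "Administrator", "Client Domain": "LGNDDEMO",
     "Accesses": ["WRITE_DAC"]},
    {"Event ID": 566, "Computer": "TORDC01", "Object Server": "DS",
     "Object Type": "organizationalUnit",
     "Object Name": "OU=Marketing,DC=DEMOMOM,DC=com",
     "Primary User Name": "TORDC01$", "Primary Domain": "LGNDDEMO",
     "Client User Name": "JeffLe", "Client Domain": "LGNDDEMO",
     "Accesses": ["READ_CONTROL"]},
    {"Event ID": 566, "Computer": "TORDC01", "Object Server": "DS",
     "Object Type": "user",
     "Object Name": "CN=JeffLe,OU=Marketing,DC=DEMOMOM,DC=com",
     "Primary User Name": "TORDC01$", "Primary Domain": "LGNDDEMO",
     "Client User Name": "JeffLe", "Client Domain": "LGNDDEMO",
     "Accesses": ["WRITE_DAC"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert; the read-only access and the change on a user object are dropped, which is the filtering the slide's "Remember to enable Auditing first" step makes necessary, since auditing Directory Service Access generates far more 566 events than the few that matter.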
Remote Desktop Logons
Monitor logons for specific accounts (service accounts)
e.g. logons via Remote Desktop as OpsMgr.Admin (Logon Type 10)
Note: Win2k doesn't differentiate an interactive logon from a
TS/RD logon; W2k3 does!! Win2k sees them both as logon type 2.
Remote Desktop Logons con’t…
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 6/10/2007
Time: 2:41:06 PM
User: LGNDDEMO\OpsMgr.Admin
Computer: TORDC01
Description:
User Logoff:
User Name: OpsMgr.Admin
Domain: LGNDDEMO
Logon ID: (0x0,0x1773D2)
Logon Type: 10
Audit Collection Services
Demo
Logon Types
Logon Type 2: Interactive
Logon Type 3: Network
Logon Type 4: Batch
Logon Type 5: Service
Logon Type 7: Unlock
Logon Type 8: NetworkCleartext
Logon Type 9: NewCredentials
Logon Type 10: RemoteInteractive (Windows XP and newer OS’s only)
Logon Type 11: CachedInteractive
BE CAUTIOUS: Monitoring without the correct filters can result in event
and/or alert storms! Test your rules against a SINGLE production server
before a production deployment.
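The logon-type table, the Win2k caveat from the Remote Desktop slide, and the warning about alert storms all bear on one rule. The block below is an added example, not code from the deck or from Operations Manager: it flags Remote Desktop (type 10) or console (type 2) logons only for accounts on a watch-list, and when the source host is Windows 2000 it says in the alert that type 2 could be either a console or a TS/RD session. The "os" field is an assumed per-host attribute a collector could stamp on events; the watch-list, the host names other than TORDC01, and the sample events are constructed.

```python
"""Alert on interactive/Remote Desktop logons by watched service accounts.

Added example, not code from the original deck. Events are dicts carrying the
fields shown on the slides' Logon/Logoff event; the extra 'os' field is an
assumed per-host attribute a collector could stamp on events so the rule knows
whether the source can distinguish Remote Desktop (type 10) from console (type 2)
logons. The watch-list and the sample events are constructed.
"""

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Accounts that should never log on at a desktop. This filter is what keeps the
# rule from turning every RD session in the estate into an alert.
WATCHED_ACCOUNTS = {"opsmgr.admin", "svc_sql"}   # constructed watch-list


def classify(event: dict) -> tuple:
    """Return (alert, reason) for one logon/logoff event."""
    user = event["User Name"].lower()
    ltype = event["Logon Type"]
    name = LOGON_TYPES.get(ltype, f"unknown({ltype})")
    if user not in WATCHED_ACCOUNTS:
        return False, f"{name} logon by unwatched account"
    if ltype == 10:
        return True, "Remote Desktop logon by watched account"
    if ltype == 2 and event.get("os", "").lower().startswith("windows 2000"):
        # Win2k logs console and TS/RD sessions alike as type 2: flag, but say so.
        return True, "Interactive logon by watched account (console or RD; Win2k cannot tell)"
    if ltype == 2:
        return True, "Console logon by watched account"
    return False, f"{name} logon by watched account (expected for a service)"


def run_rule(events) -> list:
    """Apply the rule to a batch and return (user, computer, reason) per alert."""
    alerts = []
    for e in events:
        hit, reason = classify(e)
        if hit:
            alerts.append((e["User Name"], e["Computer"], reason))
    return alerts


def unfiltered_hits(events) -> int:
    """How many alerts the same rule would raise with no account filter at all."""
    return sum(1 for e in events if e["Logon Type"] in (2, 10))


# Constructed sample batch. The first entry mirrors the slide's event.
SAMPLE_EVENTS = [
    {"Event ID": 538, "Computer": "TORDC01", "User Name": "OpsMgr.Admin",
     "Domain": "LGNDDEMO", "Logon Type": 10, "os": "Windows Server 2003"},
    {"Event ID": 538, "Computer": "TORDC01", "User Name": "OpsMgr.Admin",
     "Domain": "LGNDDEMO", "Logon Type": 5, "os": "Windows Server 2003"},
    {"Event ID": 538, "Computer": "TORFS01", "User Name": "JeffLe",
     "Domain": "LGNDDEMO", "Logon Type": 10, "os": "Windows Server 2003"},
    {"Event ID": 538, "Computer": "TORSQL01", "User Name": "svc_sql",
     "Domain": "LGNDDEMO", "Logon Type": 2, "os": "Windows 2000 Server"},
    {"Event ID": 538, "Computer": "TORWS07", "User Name": "JeffLe",
     "Domain": "LGNDDEMO", "Logon Type": 2, "os": "Windows XP"},
]

if __name__ == "__main__":
    print("without account filter:", unfiltered_hits(SAMPLE_EVENTS), "alerts")
    for user, computer, reason in run_rule(SAMPLE_EVENTS):
        print(f"{user}@{computer}: {reason}")
```

On the five sample events the unfiltered rule would raise four alerts (every type 2 and type 10 logon) while the watch-listed rule raises two, and the service-type logon by OpsMgr.Admin is left alone because that is the account's expected logon type. That difference is what the "BE CAUTIOUS" note is about: a rule on logon type alone scales with the number of desktop sessions in the estate, a rule on logon type plus account scales with the number of accounts you actually care about.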
Audit Alerts
Audit Reports
Audit Reports
Resources
Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx
Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites
http://www.microsoft.com/communities/default.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as
of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.