Security Changes in MOM 2005

This section provides information about the differences between MOM 2000 SP1 and MOM 2005 directly or indirectly relating to security and introduces new security-related features in MOM 2005.

In MOM 2000 SP1, the OnePoint (MOM) service consisted of two parts, the Consolidator and the Agent Manager, and ran under the CAM account (or under the DAS account if a combined account was used). This account was a domain account with administrative privileges on all the agent computers and the MOM DCAM. In MOM 2005, these parts are separated into two distinct processes, the MOM Service and MOM Host, each of which runs under its own credentials. The table below provides the equivalent terms for each release of MOM.

Table 1 MOM 2005 Terms Equivalent to MOM 2000 Terms

MOM 2000 Term          MOM 2005 Equivalent Term
DCAM                   Management Server
Agent                  Agent
Configuration group    Management group
DAS                    DAS
DCAM account           Split into: Management Server Action Account and MOM Service Account

MOM Service

In MOM 2005 the MOM Service runs as Local System (on Windows 2000 or Windows Server 2003) or Network Service (only on Windows Server 2003) and is not used for agent management or for the Data Access Service (DAS) functionality. The MOM Service is responsible primarily for communication between the agent and the MOM Management Server and for running the agent on the managed computer.

Important

Changing the credentials under which the MOM Service runs is not supported and can result in communication failures with agents and other problems in your MOM environment. The MOM Service will not start unless it is running as either Local System or Network Service.

DAS Service

The function of the DAS Account has not changed significantly, except that it now requires fewer privileges. For upgrades from MOM 2000 SP1, the settings for the DAS account are left unchanged. This leaves the permissions and privilege level for the DAS account higher than is necessary for its operation. For more information about these settings and steps to lower the privilege level for the DAS account after upgrade, see the "Configuring Security After Upgrade" section later in this guide.

The MOM to MOM Product Connector (MMPC) also uses the DAS account.

Action Account

The Action Account is new in MOM 2005 and is used to gather operations data from, and to run responses and scripts on, the managed computers, including the agent on the Management Server. This is a separate account in MOM 2005, which lets you keep the MOM Service context and the response context separate on managed computers, including the agent on the Management Server.

The Action Account on the Management Server can also be used to install, uninstall, or update settings on agents on remote computers. For more information about the agent's Action Account, see the "Agent Security - Action Account" section in this guide. For more information about the Management Server's Action Account, see the "Management Server Security - Action Account" section in this guide.

Note

The Action Account must be a member of the Administrators group or Local System for MOM to monitor the Internet Information Services (IIS) logs.

Security Groups

The MOM setup creates the following groups during a new installation, or renames the MOM 2000 SP1 groups during an upgrade to MOM 2005. During an upgrade the memberships are retained from MOM 2000 SP1. The following are the MOM 2005 groups and the nearest equivalent MOM 2000 SP1 group in parentheses:

  • MOM Service (OnePointOp System). This group is used for the internal functions of MOM 2005 and individual accounts should not be made a member of this group. This group is created only on the Management Server and has no members by default (for new installations). When you install the MOM-to-MOM Product Connector (MMPC), the DAS account is automatically added to this group.

    Note

    The account used for the MOM-to-MOM Product Connector (MMPC) is added to this group by setup to grant the account the necessary access. Do not remove this account from this group. This account, the DAS account, should be the only member of this group.

  • MOM Administrators (OnePointOp ConfgAdms). The members of this group can perform any task in MOM 2005 in either console, except reporting functions. To perform reporting functions they must also be a member of the SC DW Reader group. The MOM Administrators group is created only on the MOM Management Server and has no members by default (for new installations).

    Note

    Members of the local Administrators group of the Management Server can also perform all MOM operations as if they were members of the MOM Administrators group.

  • MOM Authors (OnePointOp Operators). The members of this group can import, export, create, and modify Management Packs in the MOM Administrator console. They can also use the Operator console and perform any task in it. They cannot change which computers are managed or the type of management used. This group is created only on the MOM Management Server and has no members by default (for new installations).

  • MOM Users (OnePointOp Users). The members of this group can use any Operator console functionality on any computer that belongs to the scope associated with the MOM Users group. They cannot, however, perform runtime tasks. They are limited to using the Operator console and do not have access to the Administrator console, except to use it to open the Operator console. This group is created only on the MOM Management Server and has only the DAS account as a member by default (for new installations).

  • SC DW DTS (No corresponding MOM 2000 SP1 group). The members of this group can perform data archiving functions from the MOM 2005 Database Server to the MOM 2005 Reporting Database. This group is created on the MOM Database Server and has no members by default (for new installations).

  • SC DW Reader (OnePointOp Reporting). The members of this group have access to the SQL Server Reporting Services on the MOM Reporting Server and can perform reporting functions, such as creating, viewing, and saving reports. Members of this group are given permission to perform the archiving (DTS) operation. This group is created on the MOM Reporting Database Server and has no members by default (for new installations).

    You can lower administration overhead by creating domain-wide or universal groups and adding these groups to the appropriate MOM group. This way you can manage the members of these groups universally.

    Note

    This model might not be appropriate for high-security environments or for environments where the membership of the MOM groups is assigned per management group.
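The following audit script is an added example, not part of the MOM 2005 documentation. It enumerates the members of the MOM 2005 security groups listed above on a given server and flags membership that departs from the defaults the guide describes (an account other than the DAS account in MOM Service, or a direct user account in MOM Administrators). It assumes PowerShell with the ADSI WinNT provider; the DAS account name is a placeholder parameter.

```powershell
# Added audit script (not from the MOM 2005 guide). Lists members of the MOM 2005
# local security groups and flags deviations from the documented defaults.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Placeholder: replace with the DAS account name used in your environment.
    [string]$DasAccount   = 'MOMDAS'
)

# Groups created on the Management Server (first four) and on the database /
# reporting servers (last two). Groups that do not exist on this computer are skipped.
$momGroups = 'MOM Service', 'MOM Administrators', 'MOM Authors', 'MOM Users',
             'SC DW DTS', 'SC DW Reader'

function Get-MomGroupMembers {
    param([string]$Computer, [string]$Group)
    $adsi = [ADSI]"WinNT://$Computer/$Group,group"
    # Binding is lazy; invoking Members fails if the group is absent, so skip it then.
    try { $members = @($adsi.Invoke('Members')) } catch { return }
    foreach ($m in $members) {
        New-Object PSObject -Property @{
            Group  = $Group
            Member = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
            Class  = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null) # User or Group
        }
    }
}

$findings = @()
foreach ($g in $momGroups) {
    foreach ($member in Get-MomGroupMembers -Computer $ComputerName -Group $g) {
        "{0,-20} {1,-30} {2}" -f $member.Group, $member.Member, $member.Class
        # MOM Service is internal to MOM: only the DAS account (added by MMPC setup)
        # should be a member; individual accounts should never be added.
        if ($g -eq 'MOM Service' -and $member.Member -ne $DasAccount) {
            $findings += "MOM Service contains unexpected member '$($member.Member)'"
        }
        # Direct user accounts in MOM Administrators indicate the recommended
        # domain-group model is not in use; nested groups are easier to review.
        if ($g -eq 'MOM Administrators' -and $member.Class -eq 'User') {
            $findings += "MOM Administrators contains a direct user account '$($member.Member)'"
        }
    }
}
if ($findings) { "`nFindings:"; $findings | ForEach-Object { " - $_" } }
else          { "`nNo deviations from the documented group membership found." }
```

Run it on the Management Server for the first four groups and on the Database and Reporting Database servers for the SC DW groups.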

Mutual Authentication

Using mutual authentication, the Management Server and agent authenticate each other using the Kerberos v5 protocol before transmitting operational or configuration data. This is new in MOM 2005 and is designed to mitigate man-in-the-middle attacks. If mutual authentication is enabled, none of the MOM 2000 SP1 agents in the management group will be able to communicate with the Management Server. The mutual authentication setting is management-group wide and cannot be overridden.

Block Legacy Agents

You can use this setting to allow or block communications from MOM 2000 SP1 agents. This setting tells the Management Server to ignore communications from MOM 2000 and MOM 2000 SP1 agents. This setting is automatically enabled if you enable mutual authentication, but it can be used even if mutual authentication is disabled. This setting is management group-wide and cannot be overridden.

Agent Proxying

This setting either allows or blocks agents from relaying information from other computers or network devices to the Management Server. This setting is management group-wide, but can be overridden on individual agents.

Secure Communications Channel

Communication between a MOM 2005 agent and the Management Server is always encrypted and digitally signed by default, and is also authenticated if mutual authentication is enabled. Communication between a MOM 2000 SP1 agent and the Management Server is encrypted by default, as it was in MOM 2000, if mutual authentication is disabled. (If mutual authentication is enabled, MOM 2000 SP1 agents cannot communicate with the Management Server.) Only mutual authentication requires an Active Directory trust.

Secure Credential Storage

MOM 2005 stores account credentials securely. Some of these accounts, especially the Management Server's Action Account, might have high levels of privilege on the domain, so MOM 2005 safeguards how it stores their credentials.

Tasks

Tasks are new in MOM 2005 and are management operations that can be easily run from the Operator console. Tasks run in one of three possible locations: the computer on which the Operator console is running, the MOM Management Server, or the agent-managed computer. Tasks that run on the Management Server or the agent-managed computer do so in the context of the Management Server's Action Account or the agent's Action Account respectively. Console tasks run under the logged-on user's credentials.

Task Auditing

Task auditing automatically records information about tasks being run in your MOM environment and on MOM 2005 agents. This information can be used to audit when a task was run and who ran it. You can also see this information in the Task Status view in the Operator console. Task auditing is an important security measure; it is on by default and cannot be disabled.

Responses

Responses are actions that MOM takes automatically when rule criteria are met, such as when specific operations data is received from managed computers. These responses are defined by rules and can take place in one of two places: on the managed computer or on the Management Server (called server-side responses). Responses running on the managed computer run in the context of the agent's Action Account, and responses running on the Management Server run in the context of the Management Server's Action Account.

Responses are different from Tasks in that they are initiated by MOM itself and not by a person using the Operator console.

File Transfer Responses

In MOM 2005, you can configure MOM to transfer files from a file-transfer server to a MOM 2005 agent, or from a MOM 2005 agent to a file-transfer server, when rule criteria are met. Unlike other responses, which run in the context of the agent's Action Account, file transfer responses run as Local System (on Windows 2000 or Windows Server 2003) or Network Service (only on Windows Server 2003). For more information, see File Transfer Responses in the "Management Server Security" section of this guide.

Agentless Management

New in MOM 2005 is the ability to monitor computers without installing a MOM agent on them. This is called "agentless management." You can use agentless management for computers in special environments where an agent cannot be installed, or where you do not need the rich management provided by a MOM agent.

The Management Server communicates with the agentless-managed computer over the RPC port (TCP 135) and the DCOM port range, so using agentless management for computers outside a firewall is not supported. The Management Server's Action Account must also be a local administrator on the remote computer if you want to use agentless management, so the Management Server and the remote computer must either be in the same domain or have a trust relationship between their domains.

Reporting Database

The Reporting Database is new in MOM 2005 and is a separate database that houses archived operational data and that generates and provides reports for the Reporting console. By separating the reporting features from the MOM Database (OnePoint) a significant increase in performance and security is gained for both databases.

Consoles

There are four consoles in MOM 2005: the Administrator console, the Operator console (new to MOM 2005), the Web console, and the Reporting console (new to MOM 2005). You can use the Administrator console (an MMC snap-in) to import and export management packs, change computer group settings, configure global settings, and make other configuration changes. You use the Operator console to monitor computers, resolve alerts, view events, perform tasks, and carry out other operations-related functions. You can use the Reporting console to view and generate Web-based reports using SQL Server Reporting Services.

Both the Administrator and Operator consoles communicate with the Management Server over the RPC port (TCP 135) and the DCOM port range, so installing the consoles beyond a firewall is not supported.

Note

Scripts built using the MOM SDK have the same permissions that the corresponding user would have in the Administrator or Operator console. The SDK does not grant a script any access beyond what a user performing the same action in the console would have.

The Web console communicates over TCP port 1272 (by default) and the Reporting console over HTTP port 80 (by default). This means that either can be used through a firewall or even over a WAN, and that Secure Sockets Layer (SSL) encryption can be used to encrypt the data being transmitted. SSL uses port 443 by default (the port is user-configurable and might not be 443).

Note

The Web Console uses Windows Integrated authentication and is intended for intranets only. It might not function properly over the Internet.

MOM Connector Framework

The MOM Connector Framework (MCF) provides a framework to create a Product Connection from MOM 2005 to other management applications. The Product Connectors send, receive, and coordinate operation data between MOM and these applications. Product Connectors must be developed for each management product. For more information about these Connectors, see the Microsoft Operations Manager Partners Web site at https://go.microsoft.com/fwlink/?linkid=32736.

The connectors use a .NET Web Service that communicates over TCP port 1271. This means that MOM and the other management applications can be separated by a firewall or even a WAN and that Secure Sockets Layer (SSL) encryption can be used to encrypt the data being transmitted between them.

MOM to MOM Product Connector

The MOM-to-MOM Product Connector (MMPC) provides a framework to create connections between MOM 2005 management groups, or between MOM 2000 SP1 configuration groups and MOM 2005 management groups, for the purpose of alert forwarding. The connectors send, receive and coordinate alerts and discovery data between these MOM environments. By default the MMPC service uses the DAS account.

Using MOM 2005 with a Disjointed DNS Namespace

To discover and push agents using MOM 2005 in a Disjointed DNS Namespace:

  • Using the MOM Agent Install/Uninstall wizard, provide the computer name in Domain\ComputerName or NetBIOS name format.

  • Using the Create Computer Discovery Rule dialog, provide only the NetBIOS computer name, or the domain name and the NetBIOS computer name, for the Domain name and Computer name fields respectively.

If you attempt to use MOM 2005 over a disjointed DNS namespace, the following features are not available:

  • Mutual Authentication (Mutual authentication is supported if the Management Server is in a non-disjointed namespace and agents are in the disjointed namespace)

  • Push install when using the "Browse" functionality to choose a target computer

  • Push install when using the DNS FQDN computer name

A "disjointed DNS namespace" is a DNS infrastructure that includes two or more top-level DNS domain names. For more information about this, see "Configuring Name Resolution for Disjointed Namespaces" in the Windows Server 2003 documentation, under Deploying Network Services.