Security for New Installations

This section discusses the security implications of a new installation of the MOM 2005 Management Server and MOM Database. You must create and configure two security accounts before installing the MOM Database and the Management Server: the DAS account and the Management Server Action Account. Security requirements for deploying agents are in the "Security For Agent Deployment" section in this guide.

Installation Account

When you install MOM, you must be logged on as an administrator on all the computers you are installing components on.

DAS account

By default, MOM will assign the account you specify during setup to the correct security group and SQL Server role for the DAS.

To change which account is used for the DAS, you must make the following changes:

  1. Make the account a member of the MOM Users group on the Management Server.

  2. Make sure the account has the "Log on as a batch job" right.

    Note

        If the MOM Connector Framework or a Product Connector is installed and the DAS account is being used (this is the default setting), the DAS account also requires the "Log on as a service" right.

  3. Add the account to the SQL Server "db_owner" role in the OnePoint database on the MOM Database Server.

  4. Change the Identity of the Microsoft Operations Manager Data Access Server COM+ application on every Management Server in the Management Group.

  5. Make the account a SQL Server Security Login with "Permit" server access.
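The five changes above can be scripted. The following is an added example, not a procedure or script from the MOM 2005 Security Guide. It assumes PowerShell is installed on the Management Server (Windows Server 2003 supports it as an add-on), that the new DAS account is the hypothetical CONTOSO\MOMDAS, that the MOM Database Server is the hypothetical MOMDB01, and that ntrights.exe (from the Windows Server 2003 Resource Kit) and osql.exe are on the PATH. The application name "Microsoft Operations Manager Data Access Server" is the one given in step 4.

```powershell
# Added example, not from the MOM 2005 Security Guide: perform the five DAS account
# changes with a script. Assumptions: PowerShell is installed on the Management
# Server, the new DAS account is the hypothetical CONTOSO\MOMDAS, the MOM Database
# Server is the hypothetical MOMDB01, and ntrights.exe (Windows Server 2003 Resource
# Kit) and osql.exe are on the PATH. Run on each Management Server in the Management
# Group as a local administrator who is also a sysadmin on the MOM Database Server.
$Cred        = Get-Credential 'CONTOSO\MOMDAS'   # prompts for the account's password
$DasAccount  = $Cred.UserName                     # DOMAIN\user form
$MomDbServer = 'MOMDB01'
$DasAppName  = 'Microsoft Operations Manager Data Access Server'

# Step 1: member of the local MOM Users group on the Management Server.
net localgroup 'MOM Users' $DasAccount /add

# Step 2: "Log on as a batch job". Uncomment the second line only if the MOM
# Connector Framework or a Product Connector also runs as the DAS account.
ntrights.exe +r SeBatchLogonRight -u $DasAccount
# ntrights.exe +r SeServiceLogonRight -u $DasAccount

# Steps 3 and 5: a SQL Server login with Permit access, then db_owner in OnePoint.
# sp_grantlogin, sp_grantdbaccess and sp_addrolemember exist on both SQL Server
# 2000 and 2005. The login must exist before the database user, so the script
# does step 5 before step 3.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = N'$DasAccount')
    EXEC sp_grantlogin N'$DasAccount'
GO
USE OnePoint
GO
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = N'$DasAccount')
    EXEC sp_grantdbaccess N'$DasAccount'
EXEC sp_addrolemember N'db_owner', N'$DasAccount'
GO
"@
$sqlFile = Join-Path $env:TEMP 'das-account.sql'
Set-Content -Path $sqlFile -Value $sql -Encoding ASCII
osql.exe -E -S $MomDbServer -i $sqlFile -b          # -E: Windows auth, -b: exit non-zero on error
if ($LASTEXITCODE -ne 0) { throw "SQL Server changes failed on $MomDbServer" }
Remove-Item $sqlFile

# Step 4: identity of the DAS COM+ application, set through the COM+ admin catalog.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Name -eq $DasAppName) {
        $app.Value('Identity') = $DasAccount
        $app.Value('Password') = $Cred.GetNetworkCredential().Password
    }
}
[void]$apps.SaveChanges()
$catalog.ShutdownApplication($DasAppName)   # the new identity takes effect on next activation

# Checks: local group membership and db_owner membership in OnePoint.
net localgroup 'MOM Users'
osql.exe -E -S $MomDbServer -d OnePoint -Q "EXEC sp_helprolemember 'db_owner'"
```

The script grants rights to the new account but does not revoke anything from the account previously used for the DAS; remove that account's MOM Users membership, batch logon right, SQL login and db_owner role once the new identity is verified, so the old credentials cannot still reach the OnePoint database. To use Network Service instead (see the next section), set the COM+ Identity to NT AUTHORITY\NetworkService with no password, and grant the SQL Server login and db_owner role to the Management Server's computer account (DOMAIN\COMPUTERNAME$), which is the identity Network Service presents on the network.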

For more information about the DAS account, see the "MOM Database and Reporting Database Security" section in this guide.

Using the Network Service Account for DAS

Windows Server 2003 supports the Network Service account, which is a predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources.

Note

The Local System account is also available on Windows Server 2003.

Workgroup Edition - The DAS account on the MOM 2005 Workgroup Edition can be run as Local Service.

You can use this account, rather than a local or domain user account, for the DAS security context to lower the privileges under which the DAS functions and to avoid policy-driven password expirations. To use the Network Service account for the DAS, follow the "To use Network Service for DAS" procedure in this guide.

Important

    You can only do this if the Management Server is running on Windows Server 2003. Windows 2000 does not support the Network Service account.

Management Server Action Account

On the Management Server, the Action Account can have two roles: monitoring the Management Server itself, and deploying agents to discovered computers, running discovery tasks, and updating the agent settings on those computers. For more detailed information about the Management Server Action Account, see the "Management Server Security - Action Account" section in this guide.

Monitoring the Management Server - The Management Server also has an agent, installed by default, that collects information about, and runs responses on, the Management Server using the Management Server Action Account. To perform these actions on a default installation, the Action Account must have at least the following privileges:

  • Member of the local Users group

  • Member of the local "Performance Monitor Users" group

  • "Manage auditing and security log" permission (SeSecurityPrivilege)

  • "Allow log on locally" permission (SeInteractiveLogonRight)

Important

    The minimum privileges above are the lowest privileges that MOM 2005 supports. The actual privileges required for the Action Account will depend upon which Management Packs are running on the computer and how they are configured. For more information about what specific privileges are required, see the appropriate Management Pack Guide.

Note

A low-privileged account can be used only on Windows Server 2003. On Windows 2000, the Action Account must be a member of the local Administrators group.
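The following added example (not a script from the MOM 2005 Security Guide) grants a low-privileged Action Account the four minimum rights listed above and then verifies them from the effective local security policy. It assumes Windows Server 2003, PowerShell installed on the Management Server, a hypothetical domain account CONTOSO\MOMAction, and ntrights.exe from the Windows Server 2003 Resource Kit on the PATH.

```powershell
# Added example, not from the MOM 2005 Security Guide: give a low-privileged
# Action Account the four minimum rights listed above and verify them afterwards.
# Assumptions: Windows Server 2003 (Windows 2000 needs a local administrator),
# PowerShell installed, a hypothetical domain account CONTOSO\MOMAction, and
# ntrights.exe from the Windows Server 2003 Resource Kit on the PATH. Run on the
# Management Server as a local administrator.
$ActionAccount = 'CONTOSO\MOMAction'

# Group memberships.
net localgroup 'Users' $ActionAccount /add
net localgroup 'Performance Monitor Users' $ActionAccount /add

# User rights: "Manage auditing and security log" and "Allow log on locally".
ntrights.exe +r SeSecurityPrivilege -u $ActionAccount
ntrights.exe +r SeInteractiveLogonRight -u $ActionAccount

# Verification: export the effective local policy and read the [Privilege Rights]
# section. secedit writes holders either as account names or as SIDs prefixed
# with '*', so resolve the account's SID and accept either form.
$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$wanted = 'SeSecurityPrivilege', 'SeInteractiveLogonRight'
$lines  = Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' }
foreach ($right in $wanted) {
    $line    = $lines | Where-Object { $_ -match "^$right\s*=" }
    $holders = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    $ok      = ($holders -contains "*$sid") -or ($holders -contains $ActionAccount)
    '{0,-24} {1}' -f $right, $(if ($ok) { 'granted' } else { 'MISSING' })
}
Remove-Item $cfg

# The account should hold these rights directly, not through Administrators:
# Administrators membership is the Windows 2000 fallback, not the supported minimum.
if ((net localgroup Administrators) -match [regex]::Escape($ActionAccount)) {
    Write-Warning "$ActionAccount is a member of the local Administrators group"
}
```

These are only the rights the default installation needs. As the Important note above says, Management Packs may require more; add those rights in the same way rather than falling back to Administrators membership, and re-run the verification part after each change.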

Deploy and Update Agents Using the Management Server Action Account - You can also configure the Management Server to deploy agents to discovered computers and to update agent settings automatically, using the Management Server Action Account. If you choose to have the Management Server deploy agents to discovered computers or update agent settings, the Action Account on the Management Server must be a domain account that has administrator rights on those computers. You can use a domain user account that is a member of the local Administrators group on those computers. Using a highly privileged account, such as the domain administrator account, is not advised.

Deploy and Update Agents By Providing Credentials - Another option for deploying agents from the Management Server is to provide credentials at the time you install the agents from the Management Server. The credentials you supply for installing the agents must be those of an administrator on the discovered computers. This option means the Management Server Action Account does not need high privileges on other computers; you can use it and configure the Management Server Action Account as a local user account with low privileges (only on Windows Server 2003). The credentials you supply are stored securely and disposed of when the installation process is finished.