Security Considerations

Applies To: Operations Manager 2007

This section describes how to run the Windows Server Internet Information Services 2000 and 2003 Management Packs for Operations Manager 2007 with a low-privilege agent action account, and how to use groups and user roles to delegate authority for monitoring IIS without granting more access than an operator needs.

Low-Privilege Environments

The Windows Server Internet Information Services 2000 and 2003 Management Packs use the agent action account to perform discovery and to run monitors, rules, and tasks. The agent action account can run as Local System or as a named account. When it runs as Local System, it already has every privilege needed for discovery, monitors, rules, and tasks; a named account has only the rights you grant it, which is what makes a low-privilege configuration possible.

A low-privilege account can be used to monitor Internet Information Services (IIS) 2003. If that account is a domain account, its password must be changed in step with your password expiration policy, and the corresponding Run As account in Operations Manager must be updated at the same time; an expired or mismatched password stops the agent from running workflows on that server.

Important

A low-privilege account cannot be used to monitor IIS 2000. On IIS 2000 servers the agent action account must run as Local System or another high-privilege account.

Using a Low-Privilege Account

A low-privilege agent action account must meet the following requirements to enable the Management Pack for IIS 2003 to monitor IIS 2003:

  • Be a member of the local Users group.

  • Be a member of the local Performance Monitor Users group (this grants read access to the performance counters the monitors and rules collect).

  • Be granted the Allow log on locally user right (SeInteractiveLogonRight).
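The following script is an added example for checking those three requirements on an IIS 2003 server before you assign the account as the agent action account; it is not part of the Management Pack and the account name CONTOSO\svc-omaction is an assumed placeholder. It uses net.exe for local group membership and secedit.exe to export the User Rights Assignment section of the local security policy.

```powershell
# Added example (not from the Management Pack guide): verify on the IIS 2003
# server that a candidate low-privilege agent action account meets the three
# requirements listed above. The account name is an assumed placeholder.
$Account = 'CONTOSO\svc-omaction'

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # net.exe prints the direct members of a local group one per line.
    # Nested membership is not expanded: an account that belongs via a
    # domain group shows up only as that group's name.
    $lines = & net.exe localgroup $Group 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }   # group does not exist
    return [bool]($lines | Where-Object { $_.Trim() -ieq $Member })
}

function Test-LogOnLocallyRight {
    param([string]$Member)
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    # Export only the USER_RIGHTS area of the local security policy.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -like 'SeInteractiveLogonRight*' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }            # right not granted to anyone
    # The right-hand side is a comma-separated list of *SIDs (occasionally names).
    $grantees = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
    $sid = (New-Object System.Security.Principal.NTAccount($Member)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # Direct grants only: a grant to a group the account belongs to
    # (for example Users) is not detected here.
    return [bool]($grantees | Where-Object { $_ -eq "*$sid" -or $_ -ieq $Member })
}

$checks = @(
    @{ Name = 'Member of local Users';                         Ok = Test-LocalGroupMember 'Users' $Account },
    @{ Name = 'Member of local Performance Monitor Users';     Ok = Test-LocalGroupMember 'Performance Monitor Users' $Account },
    @{ Name = 'Allow log on locally (SeInteractiveLogonRight)'; Ok = Test-LogOnLocallyRight $Account }
)
foreach ($c in $checks) {
    '{0,-4} {1}' -f $(if ($c.Ok) { 'OK' } else { 'FAIL' }), $c.Name
}
```

Run it in an elevated PowerShell session on the IIS server. A missing group membership is corrected with, for example, net localgroup "Performance Monitor Users" CONTOSO\svc-omaction /add; the Allow log on locally right is assigned through Local Security Policy (secpol.msc) or Group Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. Do not add the account to Administrators or Power Users to make the checks pass: the three rights listed are sufficient, and anything beyond them defeats the purpose of the low-privilege configuration.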

The following tasks in the Management Pack for IIS 2003 require a high-privilege account to run.

  • List Backups: Lists all of the backups of IIS by name, version, and date.

  • List Application Pools: Lists the process, process ID, and name for each application pool on the Web server.

  • Start Web Site Diagnostics: Checks whether the Web site, its dependent application pool, and the site configuration are in a healthy state.

When these tasks run, they do not use the agent action account or the low-privilege account you specified. Instead they use the Privileged Monitoring Account Run As profile, which defaults to Local System and does not need to be associated with a Run As account and target computer, so no user intervention is required. Note the consequence for delegation: a user role that is allowed to execute these tasks causes them to run as Local System on the target server, regardless of how little privilege the agent action account has. Grant task execution rights accordingly (see "Using Roles" below).

Using Groups

In Operations Manager 2007, groups are logical collections of objects, such as IIS 2003 Server Role instances, hard disks, or LAN connections. Management Packs usually provide one or more groups for the technology they monitor. Groups, together with user roles, make it possible to delegate authority over a defined set of servers. Groups also let you apply overrides to a specified set of objects rather than to every monitored computer.

You create groups with the Create Group Wizard. For example, you might run the wizard to create a group called IIS FTP and Web Server, with a dynamic membership rule that populates it with IIS 2000 and 2003 FTP and Web servers as they are discovered, so that newly deployed servers fall under the same delegation and overrides without manual changes.

Note

See the "Using Roles" section below to finish delegating authority.

The Management Packs for IIS 2000 and 2003 provide the groups described below, listed by the Management Pack that defines them.

Windows Server Internet Information Services 2000

  • IIS 2000 Computer Group: All Windows-based computers running a Windows 2000 Server version of an IIS component.

  • IIS 2000 Server Role Instance: All Windows 2000 Server instances of the IIS role.

Windows Server Internet Information Services 2003

  • IIS 2003 Computer Group: All Windows-based computers running a Windows Server 2003 version of an IIS component.

  • IIS 2003 Server Role Instance: All Windows Server 2003 instances of the IIS role.

Windows Server Internet Information Services Library

  • IIS Computer Group: All Windows-based computers running an IIS component.

  • IIS Instance Group: All Windows Server instances of the IIS role.

For more information about groups, see the "Groups in Operations Manager 2007" topic in the Operations Manager 2007 Help. For more information about overrides, see the "Overrides in Operations Manager 2007" topic in the Operations Manager 2007 Help.

Using Roles

You can delegate authority as needed by your organization using Operations Manager 2007 user roles in conjunction with Operations Manager 2007 groups. A user role is the combination of a profile (what kind of actions the role may perform, such as Operator or Read-Only Operator) and a scope (which groups, tasks, and views those actions apply to). For example, you would run the Create User Role Wizard to create an IIS FTP and Web Operator role. When you run the wizard, do the following:

  1. Add Windows-based user accounts or security groups to the role.

  2. Scope the user role to one or more groups, such as the IIS FTP and Web Server group created in the "Using Groups" section above.

  3. Specify which tasks the user role can execute. Grant only the tasks the role needs; the three IIS 2003 tasks listed in "Using a Low-Privilege Account" run as Local System on the target server.

  4. Assign the views the user role can see.

For more information about user roles, see "About User Roles in Operations Manager 2007" in the Operations Manager 2007 Help.