
Orchestration Database Security

Updated: November 1, 2013

Applies To: System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator, System Center 2012 SP1 - Orchestrator

The following sections provide information about securing the orchestration database in Orchestrator:

Database roles

Access to the orchestration database is controlled through database roles in the supported versions of Microsoft SQL Server. The tables below list the roles that are created in the orchestration database, the accounts placed in each role, and the permissions granted to each role. These roles are created and populated with the required members during installation, so there is normally no need to work with them directly. The information is provided so that an administrator understands the security model behind the default configuration, can verify that a deployment still matches it, and can plan for custom scenarios.

Account                                               Database role
----------------------------------------------------  ---------------------------------------------
Management Service Account                            Microsoft.SystemCenter.Orchestrator.Admins
Member of Orchestrator Admins Group                   Microsoft.SystemCenter.Orchestrator.Admins
Orchestrator Runbook Service Account                  Microsoft.SystemCenter.Orchestrator.Runtime
Orchestrator Runbook Server Monitor Service Account   Microsoft.SystemCenter.Orchestrator.Runtime
Orchestrator Web Service User Account                 Microsoft.SystemCenter.Orchestrator.Operators

Permissions granted to each role (Role / Permission / Object):

Role: Microsoft.SystemCenter.Orchestrator.Operators

  SELECT
    [Microsoft.SystemCenter.Orchestrator.Runtime].[Jobs],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookInstances],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookInstanceParameters],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookServers],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[ActivityInstances],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[ActivityInstanceData],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[Events],
    [Microsoft.SystemCenter.Orchestrator.Statistics].[Statistics]

  EXECUTE
    [Microsoft.SystemCenter.Orchestrator].[GetSecurityToken],
    [Microsoft.SystemCenter.Orchestrator].[AccessCheck],
    [Microsoft.SystemCenter.Orchestrator].[ComputeAuthorizationCache],
    [Microsoft.SystemCenter.Orchestrator.Statistics.Internal].[GetStatisticsSummary],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[CreateJob],
    [Microsoft.SystemCenter.Orchestrator.Runtime].[CancelJob]

Role: Microsoft.SystemCenter.Orchestrator.Runtime

  SELECT
    All tables,
    dbo.[POLICIES_VIEW],
    dbo.[POLICY_REQUEST_HISTORY]

  INSERT
    dbo.[OBJECT_AUDIT]

  INSERT, UPDATE
    dbo.[OBJECTS],
    dbo.[ACTIONSERVERS],
    dbo.[POLICYINSTANCES],
    dbo.[OBJECTINSTANCES],
    dbo.[OBJECTINSTANCEDATA]

  INSERT, DELETE
    dbo.[COUNTERINSTANCES],
    dbo.[POLICYRETURNDATA]

  UPDATE
    dbo.[POLICY_PUBLISH_QUEUE]

  CONTROL
    [ORCHESTRATOR_ASYM_KEY],
    [ORCHESTRATOR_SYM_KEY]

  EXECUTE
    dbo.sp_insertevent,
    dbo.sp_PublishPolicy,
    dbo.sp_UnpublishPolicy,
    dbo.sp_UnpublishPolicyRequest,
    dbo.fn_GetPolicyInstanceStatus,
    dbo.fn_NumFailedInstancesPerServer,
    dbo.fn_NumInstancesPerServer,
    dbo.fn_NumRunningInstancesPerServer,
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[Encrypt],
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[Decrypt],
    [Microsoft.SystemCenter.Orchestrator.Internal].[RethrowError]

Role: Microsoft.SystemCenter.Orchestrator.Admins

  SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE TABLE
    SCHEMA::dbo

  REFERENCES
    dbo.[OBJECTS]

  SELECT
    dbo.[POLICIES_VIEW],
    dbo.[POLICY_REQUEST_HISTORY]

  CONTROL
    [ORCHESTRATOR_ASYM_KEY],
    [ORCHESTRATOR_SYM_KEY]

  EXECUTE
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[CreateOrchestratorKeys],
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[DropOrchestratorKeys],
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[Encrypt],
    [Microsoft.SystemCenter.Orchestrator.Cryptography].[Decrypt],
    [Microsoft.SystemCenter.Orchestrator.Internal].[RethrowError],
    dbo.sp_CustomLogCleanup,
    dbo.sp_GetLogEntriesForDelete_FilterByDays,
    dbo.sp_GetLogEntriesForDelete_FilterByEntries,
    dbo.sp_GetLogEntriesForDelete_FilterByEntriesAndDays,
    dbo.sp_insertevent,
    dbo.sp_PublishPolicy,
    dbo.sp_UnpublishPolicy,
    dbo.sp_UnpublishPolicyRequest,
    dbo.fn_GetPolicyInstanceStatus,
    dbo.fn_NumFailedInstancesPerServer,
    dbo.fn_NumInstancesPerServer,
    dbo.fn_NumRunningInstancesPerServer,
    [Microsoft.SystemCenter.Orchestrator.Internal].AddUserToRole,
    [Microsoft.SystemCenter.Orchestrator].[SetPermissions],
    [Microsoft.SystemCenter.Orchestrator.Internal].[SetProductInfo]
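The installer creates the grants above, but custom scenarios, hand edits and later administrators can make a deployment drift from them. The following T-SQL is an added audit query, not part of the Orchestrator product or of this documentation. It assumes the orchestration database is named Orchestrator (the installer default; change the USE line otherwise) and that the caller can read the database catalog views. It lists who is in the three Orchestrator roles, what each role is actually granted (resolved to the securable's name, including the two encryption keys), and any permission granted directly to a user or group instead of through a role.

```sql
-- Added audit example (not from the Orchestrator documentation).
-- Assumes the orchestration database is named "Orchestrator".
USE [Orchestrator];
GO

-- 1. Role membership. Anything beyond the installer-populated accounts
--    (management service account, Orchestrator Admins group, runbook service
--    account, runbook server monitor service account, web service account)
--    deserves a question.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type,
       m.create_date
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name LIKE 'Microsoft.SystemCenter.Orchestrator.%'
ORDER BY r.name, m.name;

-- 2. Permissions held by each role, resolved to the securable. Compare with
--    the table above: Operators should show only SELECT/EXECUTE on the
--    Runtime and Statistics schema objects; CONTROL on the two keys should
--    appear only for Runtime and Admins.
SELECT pr.name AS role_name,
       p.permission_name,
       p.state_desc,
       p.class_desc,
       CASE p.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id)) + '.' + QUOTENAME(OBJECT_NAME(p.major_id))
            WHEN 'SCHEMA'           THEN 'SCHEMA::' + SCHEMA_NAME(p.major_id)
            WHEN 'SYMMETRIC_KEYS'   THEN (SELECT name FROM sys.symmetric_keys  WHERE symmetric_key_id  = p.major_id)
            WHEN 'ASYMMETRIC_KEY'   THEN (SELECT name FROM sys.asymmetric_keys WHERE asymmetric_key_id = p.major_id)
            WHEN 'DATABASE'         THEN DB_NAME()
            ELSE CONVERT(varchar(10), p.major_id)
       END AS securable
FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name LIKE 'Microsoft.SystemCenter.Orchestrator.%'
ORDER BY pr.name, p.class_desc, securable, p.permission_name;

-- 3. Grants that bypass the roles: a SQL user, Windows user or Windows group
--    holding anything other than CONNECT directly is a deviation from the
--    installer's role-based model and should be explained or revoked.
SELECT pr.name AS grantee,
       pr.type_desc,
       p.permission_name,
       p.state_desc,
       p.class_desc
FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.type IN ('S', 'U', 'G')
  AND pr.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND p.permission_name <> 'CONNECT'
ORDER BY pr.name;
```

Run the three queries after installation and keep the output as a baseline; a later diff against that baseline is the quickest way to spot an account that was added to the Admins role or a grant that was made outside the roles.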

The Database Configuration Utility (DBSetup.exe) must be run by a user on the computer where the management server is installed who is a member of either the local Administrators group or the Orchestrator Users Group; that membership is what grants access to the settings.dat file. Custom tools that connect to the database directly through DBDataStore.dll require the same permissions.

Security Note
When installing Orchestrator, make sure that the account used to connect to SQL Server holds only the minimum privileges it needs on the SQL Server instance. An over-privileged installation account (for example, a sysadmin login) gives anyone who obtains that account's credentials, or who can run code as the Orchestrator services, a path to elevate privileges on the SQL Server.

Securing SQL server connections

The SQL Server connections in a default deployment of Orchestrator are not encrypted. The exception is when Orchestrator stores or retrieves sensitive data: in that case Orchestrator requests an encrypted connection to SQL Server, but the connection is protected only by the SQL Server instance's self-signed certificate. Because the client does not validate that certificate against a trusted issuer, this provides confidentiality against passive eavesdropping only and is susceptible to man-in-the-middle attacks. To close that gap, install a certificate issued by a CA that the Orchestrator servers trust on the SQL Server instance and require encryption for all connections, not only those Orchestrator classifies as sensitive.

For information about encrypting connections to SQL Server, go to Encrypting Connections to SQL Server (configuring SSL). For information on how to enable connections to the database engine, go to How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
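After enabling encryption by the procedures linked above, confirm from the SQL Server side that the Orchestrator components are actually connecting over TLS rather than trusting the configuration. The following T-SQL is an added check, not part of the Orchestrator product or of this documentation. It assumes SQL Server 2012 or later (sys.dm_exec_sessions.database_id is not present in earlier versions), the default database name Orchestrator, and a login holding VIEW SERVER STATE.

```sql
-- Added verification example (not from the Orchestrator documentation).
-- Assumes SQL Server 2012+, a database named "Orchestrator", and a login
-- with VIEW SERVER STATE.

-- 1. Every session open against the orchestration database, with its
--    encryption state. encrypt_option is 'TRUE' only when the connection is
--    TLS-protected; host_name identifies the management, runbook or web
--    server that opened it.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.encrypt_option,
       c.auth_scheme,          -- expect KERBEROS or NTLM for the service accounts
       c.client_net_address
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID('Orchestrator')
ORDER BY c.encrypt_option, s.host_name;

-- 2. A one-row summary: how many Orchestrator sessions are unencrypted.
--    Zero is the target once "Force Encryption" is in effect and the
--    services have been restarted so they reconnect.
SELECT COUNT(*) AS unencrypted_sessions
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID('Orchestrator')
  AND c.encrypt_option = 'FALSE';

-- 3. The session you are running this from, as a sanity check of the client
--    you are using to audit.
SELECT encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Existing connections are not renegotiated when encryption is enforced, so the first query is only meaningful after the Orchestrator services (and any Runbook Designer sessions) have reconnected.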

Encryption keys

As part of your security planning, you should plan to rotate your encryption keys at a regular interval. The National Institute of Standards and Technology (NIST) recommends that keys be rotated at least once every two years. For more information about NIST security standards, go to the NIST Computer Security Division Computer Security Resource Center.

To rotate encryption keys

  1. From the Runbook Designer, export all of your runbooks, global settings, variables, schedules, and so on. 

    Provide a password for the export.

    During export, all encrypted data is decrypted and re-encrypted with a key derived from that password. The export file is therefore only as safe as the password; treat it as a secret and delete the file once the re-import has been verified.

  2. Optionally, change the SQL Server service master key. 

    Orchestrator protects its data through the SQL Server key hierarchy: the service master key held in the master database protects the database master key of the orchestration database, which in turn protects the Orchestrator keys. Changing the service master key therefore rotates the root of that chain; changing only the Orchestrator keys (step 3) leaves the root unchanged. 

    For information on how to change the service master key, go to SQL Server and Database Encryption Keys (Database Engine).

  3. Re-install the management server and create a new database. 

    For information on how to install the management server, see the topic How to Install a Management Server for System Center 2012 - Orchestrator.

    Do not connect to the existing database. A new cryptographic key is generated only when a new database is created; reconnecting to the old database keeps the old key.

  4. From the Runbook Designer, re-import the runbooks and any other data you exported. 

    Provide the password used for the export. The data in the export file is decrypted using the password and encrypted with the new Orchestrator key as it is imported into the new database.
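The procedure above is performed through the Runbook Designer and the installer; the SQL Server side of it is shown below as an added example that is not part of the Orchestrator product or of this documentation. Part A fingerprints the two Orchestrator keys named in the permissions table so you can prove, after step 4, that the new database holds new keys. Part B is the optional step 2, backing up and then regenerating the service master key. It assumes the orchestration database is named Orchestrator; the backup path and password are placeholders to replace with your own.

```sql
-- Added example (not from the Orchestrator documentation): SQL Server side
-- of the key rotation procedure. Assumes a database named "Orchestrator";
-- the file path and password below are placeholders.

-- A. Fingerprint the Orchestrator keys. Run once before step 1, and again
--    in the new database after step 4: a different id for each key proves
--    that step 3 generated new keys rather than reusing the old database.
USE [Orchestrator];
GO
SELECT 'symmetric'  AS kind, name, CONVERT(varchar(64), key_guid) AS id,
       algorithm_desc, key_length, create_date
FROM sys.symmetric_keys
WHERE name = 'ORCHESTRATOR_SYM_KEY'
UNION ALL
SELECT 'asymmetric', name, CONVERT(varchar(64), thumbprint, 2),
       algorithm_desc, key_length, NULL
FROM sys.asymmetric_keys
WHERE name = 'ORCHESTRATOR_ASYM_KEY';

-- The protection chain: what encrypts the symmetric key (expected: the
-- asymmetric key above) and whether the database master key is protected by
-- the service master key (expected: 1, which is why step 2 matters).
SELECT sk.name,
       ke.crypt_type_desc,
       CONVERT(varchar(64), ke.thumbprint, 2) AS protector_thumbprint
FROM sys.symmetric_keys sk
JOIN sys.key_encryptions ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = 'ORCHESTRATOR_SYM_KEY';

SELECT name, is_master_key_encrypted_by_server
FROM sys.databases
WHERE name = DB_NAME();

-- B. Optional step 2: rotate the service master key of the instance.
--    Back it up first. REGENERATE re-encrypts every database master key and
--    credential the old key protected and stops if any of them cannot be
--    decrypted; adding FORCE would continue and silently lose whatever could
--    not be re-encrypted, so do not use it for a routine rotation.
USE master;
GO
BACKUP SERVICE MASTER KEY TO FILE = 'D:\keybackup\smk_before_rotation.bak'  -- placeholder path
    ENCRYPTION BY PASSWORD = '<backup password>';                            -- placeholder
ALTER SERVICE MASTER KEY REGENERATE;
```

Store the service master key backup and its password separately from the database backups; a database backup restored to another instance cannot open the Orchestrator keys without the service master key, or a database master key password, from the original instance.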

© 2014 Microsoft. All rights reserved.