Audit Collection Services Security
Updated: January 15, 2013
Applies To: System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
In System Center 2012 – Operations Manager, Audit Collection Services (ACS) requires mutual authentication between the ACS collector and each ACS forwarder. By default, Windows authentication, which uses the Kerberos protocol, is used for this authentication. After authentication is complete, all transmissions between ACS forwarders and the ACS collector are encrypted. You do not need to enable additional encryption between ACS forwarders and the ACS collector unless they belong to different Active Directory forests that have no established trusts.
By default, data is not encrypted between the ACS collector and the ACS database. If your organization requires a higher level of security, you can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt all communication between these components. To enable SSL encryption between the ACS database and the ACS collector, you need to install a certificate on both the database server and the computer hosting the ACS Collector service. After these certificates are installed, configure the SQL client on the ACS collector to force encryption.
For more information about installing certificates and enabling SSL or TLS, see SSL and TLS in Windows Server 2003 and Obtaining and installing server certificates. For a list of the steps to force encryption on a SQL client, see How to enable SSL encryption for SQL Server 2000 if you have a valid Certificate Server.
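To confirm that the forced encryption described above is actually in effect, the following query can be run on the SQL Server instance that hosts the ACS database. It is an added example, not part of the original documentation. The collector host name `ACS-COLLECTOR01` is a constructed placeholder, and the login that runs the query is assumed to have the VIEW SERVER STATE permission.

```sql
-- Added example: check whether connections from the ACS collector to the
-- ACS database server are encrypted after the SQL client is set to force encryption.
-- Assumption: the collector host name below is a constructed placeholder;
-- replace it with the computer that hosts the ACS Collector service.
DECLARE @CollectorHost sysname = N'ACS-COLLECTOR01';

-- One row per connection from the collector, with its transport,
-- authentication scheme and encryption state.
SELECT
    s.session_id,
    s.host_name,
    s.program_name,
    s.login_name,
    c.client_net_address,
    c.net_transport,          -- 'Shared memory' means a local connection, not a network one
    c.auth_scheme,            -- KERBEROS, NTLM or SQL
    c.encrypt_option,         -- 'TRUE' when the connection is encrypted
    CASE
        WHEN c.encrypt_option = 'TRUE'        THEN 'encrypted'
        WHEN c.net_transport = 'Shared memory' THEN 'local, not on the network'
        ELSE 'NOT ENCRYPTED'
    END AS channel_status,
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.host_name = @CollectorHost
ORDER BY c.connect_time;

-- Summary: any non-zero count here means audit data from the collector
-- is still crossing the network in clear text.
SELECT COUNT(*) AS unencrypted_network_connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.host_name = @CollectorHost
  AND c.encrypt_option <> 'TRUE'
  AND c.net_transport <> 'Shared memory';
```

Run the check while the ACS Collector service is connected to the database; connections opened before the client setting was changed stay unencrypted until the service reconnects.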
Limited Access to Audit Events
Audit events that are written to a local Security log can be accessed by the local administrator. By default, however, audit events that are handled by ACS cannot be accessed in the ACS database by users, even users with administrative rights. If you need to separate the role of an administrator from the role of a user who views and queries the ACS database, you can create a group for database auditors and then assign that group the necessary permissions to access the audit database. For step-by-step instructions, see How to Install Audit Collection Services (ACS).
Limited Communication for ACS Forwarders
Configuration changes to the ACS forwarder are not allowed locally, even from user accounts that have the rights of an administrator. All configuration changes to an ACS forwarder must come from the ACS collector. For additional security, after the ACS forwarder authenticates with the ACS collector, it closes the inbound TCP port used by ACS so that only outgoing communication is allowed. The ACS collector must terminate and then reestablish a communication channel to make any configuration changes to an ACS forwarder.
ACS Forwarders Separated from the ACS Collector by a Firewall
Because communication between an ACS forwarder and an ACS collector is limited, you only need to open inbound TCP port 51909 on a firewall to enable an ACS forwarder that is separated from your network by a firewall to reach the ACS collector.
Tasks
How to Configure Certificates for ACS Collector and Forwarder
How to Enable Audit Collection Services (ACS) Forwarders
How to Enable Event Logging and ACS Rules on Solaris and AIX Computers
How to Filter ACS Events for UNIX and Linux Computers
How to Remove Audit Collection Services (ACS)
Concepts
Collecting Security Events Using Audit Collection Services in Operations Manager
Audit Collection Services Capacity Planning
Audit Collection Services Performance Counters
Monitoring Audit Collection Services Performance
Audit Collection Services Administration (AdtAdmin.exe)