Audit Collection Services (ACS) Security in Operations Manager 2007
Updated: May 22, 2009
Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1
In Operations Manager 2007, Audit Collection Services (ACS) requires mutual authentication between the ACS collector and each ACS forwarder. By default, Windows authentication, which uses the Kerberos protocol, is used for this authentication. After authentication is complete, all transmissions between ACS forwarders and the ACS collector are encrypted. You do not need to enable additional encryption between ACS forwarders and the ACS collector unless they belong to different Active Directory forests that have no established trusts.
By default, data is not encrypted between the ACS collector and the ACS database. If your organization requires a higher level of security, you can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt all communication between these components. To enable SSL encryption between the ACS database and the ACS collector, you need to install a certificate on both the database server and the computer hosting the ACS Collector service. After these certificates are installed, configure the SQL client on the ACS collector to force encryption.
For more information about installing certificates and enabling SSL or TLS, see "SSL and TLS" in the Windows Server 2003 documentation at http://go.microsoft.com/fwlink/?LinkId=76134 and "Obtaining and installing server certificates" at http://go.microsoft.com/fwlink/?LinkId=76135. For the steps to force encryption on a SQL client, see http://go.microsoft.com/fwlink/?LinkId=76136.
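Forcing encryption on the collector's SQL client is only effective if the collector's sessions actually negotiate SSL/TLS, so a check on the database side is worthwhile. The following query is an added verification example, not part of this article; it assumes SQL Server 2005 or later (which exposes the sys.dm_exec_connections view) and uses the placeholder computer name ACS-COLLECTOR for the computer hosting the ACS Collector service.

```sql
-- Added verification query (not from the original article).
-- Assumes SQL Server 2005 or later and that the ACS collector's
-- computer name is ACS-COLLECTOR (placeholder). Run it on the instance
-- hosting the ACS database after the ACS Collector service has been
-- restarted with "Force protocol encryption" enabled on its SQL client.
SELECT
    s.session_id,
    s.host_name,
    s.program_name,
    s.login_name,
    c.net_transport,
    c.auth_scheme,      -- KERBEROS or NTLM for Windows authentication
    c.encrypt_option    -- 'TRUE' only when the session is SSL/TLS encrypted
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.host_name = N'ACS-COLLECTOR'
  -- exclude local shared-memory sessions, which are not network traffic
  AND c.net_transport <> N'Shared memory'
ORDER BY s.session_id;

-- Any collector session with encrypt_option = 'FALSE' means audit data is
-- still crossing the network to the ACS database in clear text.
SELECT COUNT(*) AS unencrypted_collector_sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.host_name = N'ACS-COLLECTOR'
  AND c.net_transport <> N'Shared memory'
  AND c.encrypt_option = N'FALSE';
```

A non-zero count from the second query indicates the client-side encryption setting has not taken effect on the collector (for example, the service was not restarted or the setting was applied to a different client library than the one the collector uses).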
Limited Access to Audit Events
Audit events that are written to a local Security log can be accessed by the local administrator, but, by default, ACS does not allow users (even users with administrative rights) to access the audit events it stores in the ACS database. If you need to separate the role of an administrator from the role of a user who views and queries the ACS database, you can create a group for database auditors and then assign that group the necessary permissions to access the audit database. For step-by-step instructions, see How to Deploy Audit Collection Services (ACS).
Limited Communication for ACS Forwarders
Configuration changes to the ACS forwarder are not allowed locally, even from user accounts that have the rights of an administrator. All configuration changes to an ACS forwarder must come from the ACS collector. For additional security, after the ACS forwarder authenticates with the ACS collector, it closes the inbound TCP port used by ACS so that only outgoing communication is allowed. The ACS collector must terminate and then reestablish a communication channel to make any configuration changes to an ACS forwarder.
ACS Forwarders Separated from the ACS Collector by a Firewall
Because of the limited communication between an ACS forwarder and an ACS collector, you only need to open inbound TCP port 51909 on the firewall to enable an ACS forwarder that is separated from your network by a firewall to reach the ACS collector.