MOM Database and Reporting Database Security

The two databases used by MOM are installed with sufficiently secure permissions; however, you can increase security by using either IPSec policy or OLE DB encryption to encrypt the data being transmitted to or from the databases.

Data Access Service (DAS)

MOM uses the DAS account to perform the following actions:

  • Query the OnePoint database for information to display in the Administrator console, Operations console, or Web Console.

  • Insert data into the OnePoint database, such as operations data (alerts, events, performance data) and configuration data.

  • Execute stored procedures (that ship with MOM 2005) on the OnePoint database.

  • Run the MMPC service, if it is installed.

Beyond membership in the "db_owner" role for the OnePoint database and a SQL Server security login with "Permit" server access, the DAS account requires no additional privileges to perform these actions. If MCF is installed, the DAS account must also be a member of the SCDW DTS security groups on the MOM Reporting Server and the MOM Database Server.
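The following Transact-SQL is an added example, not taken from this guide, showing how to grant the DAS account exactly the rights named above and nothing more, and how to confirm afterwards that it holds no server-wide role. It assumes a placeholder Windows account, CONTOSO\MOMDAS, and the default database name OnePoint; it uses the SQL Server 2000 system stored procedures, which SQL Server 2005 also accepts.

```sql
-- Added example (not part of the MOM 2005 Security Guide).
-- CONTOSO\MOMDAS is a placeholder for the account the DAS runs under.

-- 1. SQL Server security login with "Permit" server access.
--    (sp_denylogin would set the login to "Deny"; sp_grantlogin sets "Permit".)
EXEC sp_grantlogin 'CONTOSO\MOMDAS';

-- 2. Map the login into OnePoint and add it to db_owner, the only database
--    role the DAS needs. No other roles or direct grants are required.
USE OnePoint;
EXEC sp_grantdbaccess 'CONTOSO\MOMDAS';
EXEC sp_addrolemember 'db_owner', 'CONTOSO\MOMDAS';

-- 3. Check: the DAS account must not hold any fixed server role.
--    Every is_member value returned here should be 0.
SELECT 'sysadmin'      AS server_role, IS_SRVROLEMEMBER('sysadmin',      'CONTOSO\MOMDAS') AS is_member
UNION ALL
SELECT 'securityadmin',               IS_SRVROLEMEMBER('securityadmin', 'CONTOSO\MOMDAS')
UNION ALL
SELECT 'serveradmin',                 IS_SRVROLEMEMBER('serveradmin',   'CONTOSO\MOMDAS');

-- 4. Check: in OnePoint the account should be listed under db_owner only.
--    Compare the output against the other fixed roles (e.g. db_securityadmin)
--    to make sure nothing extra was granted during installation.
EXEC sp_helprolemember 'db_owner';
```

If the first check returns 1 for sysadmin, the DAS is running with far more privilege than it needs; remove it with sp_dropsrvrolemember and rerun the check rather than leaving the broader role in place.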

Using the Network Service Account for DAS

Windows Server 2003 supports the Network Service account, which is a predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources.

You can use this account, rather than a local or domain user account, for the DAS security context to lower the privileges under which the DAS functions and to avoid policy-driven password expirations. To use the Network Service account for the DAS, follow the "To use Network Service for DAS" procedure in this guide.

Important

    You can only do this if the Management Server is running on Windows Server 2003. Windows 2000 does not support the Network Service account.

MOM Operations Database

The MOM Database (OnePoint) holds the operations data for MOM; the Management Servers communicate with it over TCP/UDP port 1433 using OLE DB. MOM does not encrypt this data, but you can use either IPSec or OLE DB Encryption to secure it. For more information about using these technologies, see the "IP Security (IPSec)" or "OLEDB Encryption" section in this guide.

SQL Jobs On The MOM Database

MOM uses several SQL Server Jobs to maintain the MOM Database. These jobs run under the credentials of the logon that installed the MOM Database, which is a member of the Administrators group on the MOM Database Server. The following table lists the jobs and the permissions each job requires:

Table 4 MOM 2005 SQL Server Jobs

Job Name                                            Permissions
One Point - Update Statistics                       DBO or sysadmin
One Point - Check Integrity                         execute privilege on master..xp_sqlmaint
One Point - Reindex                                 execute privilege on master..xp_sqlmaint
MOMX Partitioning and grooming                      db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
One Point - Computer Maintenance                    db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
One Point - TodayStatisticsUpdateComputersAndAlerts db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
One Point - TodayStatisticsUpdateEvents             db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
One Point - TodayStatisticsUpdatePerfmonRulesKB     db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
One Point - Update Database                         db_datareader, db_datawriter, db_ddladmin, execute over all OnePoint stored procedures
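Because these jobs run as the installing logon, which is a local administrator, it is worth checking periodically who actually owns them and whether that owner is a sysadmin. The following query is an added example, not part of this guide; it reads the SQL Server Agent catalog in msdb (present in SQL Server 2000 and 2005) and matches jobs on the name prefixes shown in Table 4, which you would adjust if your installation renamed them.

```sql
-- Added example (not part of the MOM 2005 Security Guide).
-- Lists the MOM maintenance jobs from Table 4 with their owner, whether the
-- owner holds sysadmin, and the database and subsystem of each job step.
USE msdb;
SELECT
    j.name                                                  AS job_name,
    j.enabled                                               AS job_enabled,
    SUSER_SNAME(j.owner_sid)                                AS job_owner,
    IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid))  AS owner_is_sysadmin,
    s.step_id,
    s.step_name,
    s.database_name,
    s.subsystem
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE j.name LIKE 'One Point - %'
   OR j.name LIKE 'MOMX%'
ORDER BY j.name, s.step_id;
```

A row with owner_is_sysadmin = 1 on any job other than "One Point - Update Statistics" means that job is running with more privilege than Table 4 calls for. A NULL in job_owner means the owning login no longer exists (for example, the installer's account was removed), which is a separate problem: the job will fail until it is reassigned with sp_update_job.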

Reporting Database

The Reporting Database holds the archived operations data for MOM and supplies this information for the SQL Server Reporting Service. The data is archived using Data Transformation Services (DTS) in SQL Server and the data is transmitted over TCP/UDP port 1433. The data is not encrypted, but you can use either IPSec or OLEDB Encryption to secure this data. For more information about using these technologies, see the "IP Security (IPSec)" or "OLEDB Encryption" section in this guide.
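Both the operations and reporting traffic described above cross port 1433 in the clear unless you apply IPSec or OLE DB encryption from the sections referenced. When you choose OLE DB encryption, the following query is an added example, not part of this guide, for confirming on the SQL Server side that the sessions from the MOM accounts are in fact encrypted. It assumes SQL Server 2005, whose sys.dm_exec_connections view exposes the encryption state (SQL Server 2000 has no equivalent view), and it filters on placeholder login names CONTOSO\MOMDAS and CONTOSO\MOMDTS for the DAS and the DTS archive account.

```sql
-- Added example (not part of the MOM 2005 Security Guide). Requires SQL Server 2005.
-- CONTOSO\MOMDAS and CONTOSO\MOMDTS are placeholder login names; substitute the
-- accounts your DAS and DTS archive task actually use.
SELECT
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option          -- 'TRUE' when the session is encrypted, 'FALSE' otherwise
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.login_name IN ('CONTOSO\MOMDAS', 'CONTOSO\MOMDTS')
   -- restrict to network sessions; local shared-memory sessions never cross the wire
   AND c.net_transport <> 'Shared memory'
ORDER BY s.login_name, c.client_net_address;
```

Any row showing encrypt_option = 'FALSE' on a TCP transport is a Management Server or Reporting Server still talking to the database in the clear, so the OLE DB encryption (or IPSec policy, which this view will not reflect because it works below the SQL Server layer) has not taken effect on that host.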

Changing Passwords

If you change the passwords for any accounts that are members of the SCDW DTS security group on the MOM Reporting Server, you must also replicate these changes to the DTS scheduled task and the SCDW Data Source. To change the password, use the "To change the password in the MOM Reporting Scheduled Task" and "To change the password in the SCDW Data Source" procedures in this guide.

Reporting Console

The Reporting console components are installed on the MOM Reporting Database Server and communicate with Web clients over HTTP port 80. You can use the console to view, create, and save reports on the Reporting Database. The console is part of the Microsoft SQL Server Reporting Services installation. The Reporting console can be used through a firewall.

MOM does not provide encryption for the Reporting console to client connection; however, you can use Secure Sockets Layer (SSL) encryption for this purpose.

Reporting Through ISA 2004

MOM 2005 supports running reporting through an Internet Security and Acceleration Server (ISA) 2004 firewall. If you access the Reporting Console through an ISA 2004 firewall, HTTP port 80 (or HTTPS port 443 if you are using SSL encryption) must be open, and you must configure the ISA 2004 firewall for Web Publishing. For more information about Web Publishing, see the ISA 2004 documentation.