Orchestrator Web Service and Orchestration Console Security


Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

If you plan to install the Orchestrator web service and the Orchestration console, choose a secure protocol such as HTTPS to protect communication and to prevent malformed requests introduced through a man-in-the-middle attack. For more information on securing the Orchestrator web service and the Orchestration console, go to How to Configure the Orchestrator Web Service to use HTTPS.

In the default configuration of an Orchestrator deployment, web service calls are not logged. This applies to requests made with the Orchestration console as well as the Orchestration Integration Toolkit (OIT). The result is that a user can start a job and pass parameters into a runbook with no record of who started the job.

To record all requests to your Orchestrator web service, you should enable audit trail logging with atlc.exe. For more information about logging using atlc.exe, go to Audit Trail.