Security Considerations

Applies to: Operations Manager 2007

The Forefront Endpoint Protection (FEP) Management Pack works out of the box for most configurations and usually does not require additional changes in accounts or permissions. The management pack monitor runs under the standard SCOM agent account, and requires that this account have access rights to query the state of both the FEP service and the FEP SSIS jobs. The default permissions are set up as follows:

  • FEP service health—The SCOM agent runs under the Local System account by default, which is sufficient to monitor the FEP service health. If the SCOM agent runs under a different account, check that the account has the user rights to query the state of the FEP service, and add or modify the rights as required.

  • FEP SSIS jobs health—By default, the Forefront Endpoint Protection installation:

    1. If the FEP service runs on the same machine as the database, adds the Network Service and Local System accounts to the db_HealthPermissions role.

    2. Adds the machine account of the computer that runs the FEP service to the db_HealthPermissions role on the database server where the FEP Data Warehouse is stored.

If the administrator implements a different security model for the SCOM agent or deviates from the default Forefront Endpoint Protection installation, additional configuration may be required. In particular, if the FEP Data Warehouse database runs on a different SQL Server than your System Center Configuration Manager 2007 R2 database, then you have to perform additional configuration steps manually.

Modifying security permissions

If the administrator implements a different security model and the SCOM agent on the computer that runs the FEP monitoring service runs as a domain user account, modify the security permissions.

To modify security permissions

  1. For the user mapped to the FEP DWH database, ensure that membership in the AN_ReaderRole and db_HealthPermissions database roles is enabled.

    Note

    Adding an account to the db_HealthPermissions role on the database server where the FEP Data Warehouse runs enables the account to query the status of any SSIS job, not just the FEP SSIS job. This requires careful consideration, and the administrator may decide to grant the role membership to a different account.

  2. Similarly, on the msdb database (on the SQL Server hosting the FEP DWH database), ensure that membership in the SQLAgentReaderRole and SQLAgentUserRole database roles is enabled for the user.

Modifying security permissions when running two SQL Servers

When the System Center Configuration Manager 2007 R2 database and the FEP Data Warehouse database run on two different SQL Server computers, you have to perform the following additional configuration steps manually.

To modify security permissions when running two SQL Servers

  1. On the server that has the FEP Data Warehouse:

    1. In SQL Server Management Studio, expand Security > Logins.

    2. If the SCOM agent runs under the Local System account, add the SCOM agent machine account to the db_HealthPermissions, AN_ReaderRole, SQLAgentReaderRole and SQLAgentUserRole database roles.

    3. If the SCOM agent runs under a domain user account, see the previous section.

  2. To execute discovery immediately, in the Health Explorer, click Recalculate Health.
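The role grants that the two procedures above describe (a domain user account for the SCOM agent, or the machine account when the agent runs as Local System), as an added T-SQL example that is not from the original page. FEP_DWH stands in for the FEP Data Warehouse database name and CONTOSO\scomagent for the SCOM agent identity; both are assumed placeholders.

```sql
-- Added example, not from the original page: grants the role memberships the
-- procedures above describe, then verifies them.
-- Placeholders (assumed, not from the page):
--   FEP_DWH           = the FEP Data Warehouse database
--   CONTOSO\scomagent = the SCOM agent identity. When the agent runs as Local
--                       System, use the machine account instead, e.g. CONTOSO\SCOMHOST$.
-- Run on the SQL Server hosting the FEP Data Warehouse, as a sysadmin.
-- sp_addrolemember is used because it exists on SQL Server 2005/2008 (the
-- era of SCCM 2007 R2); ALTER ROLE ... ADD MEMBER replaces it from 2012 on.

-- 1. Server-level login for the agent identity (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\scomagent')
    CREATE LOGIN [CONTOSO\scomagent] FROM WINDOWS;
GO

-- 2. FEP Data Warehouse: reader role plus the SSIS health-query role.
USE FEP_DWH;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\scomagent')
    CREATE USER [CONTOSO\scomagent] FOR LOGIN [CONTOSO\scomagent];
EXEC sp_addrolemember N'AN_ReaderRole',        N'CONTOSO\scomagent';
EXEC sp_addrolemember N'db_HealthPermissions', N'CONTOSO\scomagent';
GO

-- 3. msdb: the two SQL Agent roles needed to read job state.
--    db_HealthPermissions exposes the status of every SSIS job on the server,
--    so prefer a dedicated monitoring identity over a broadly shared account.
USE msdb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\scomagent')
    CREATE USER [CONTOSO\scomagent] FOR LOGIN [CONTOSO\scomagent];
EXEC sp_addrolemember N'SQLAgentReaderRole', N'CONTOSO\scomagent';
EXEC sp_addrolemember N'SQLAgentUserRole',   N'CONTOSO\scomagent';
GO

-- 4. Verification: role memberships the agent now holds in both databases.
--    Expected rows: FEP_DWH/AN_ReaderRole, FEP_DWH/db_HealthPermissions,
--    msdb/SQLAgentReaderRole, msdb/SQLAgentUserRole.
SELECT N'FEP_DWH' AS database_name, r.name AS role_name
FROM FEP_DWH.sys.database_role_members rm
JOIN FEP_DWH.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN FEP_DWH.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\scomagent'
UNION ALL
SELECT N'msdb', r.name
FROM msdb.sys.database_role_members rm
JOIN msdb.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\scomagent'
ORDER BY database_name, role_name;
GO
```

Re-run step 4 on its own after the FEP monitoring discovery to confirm nothing removed the memberships.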