You are browsing the archive for 2008 August.


by alkin

ACS noise filter

2:55 pm in Uncategorized by alkin

When you install ACS you will get a ton of events, and not all of them are relevant for your environment. Secure Vantage has written a nice noise filter guide. The guide introduces noise filters for Windows Server 2000 and 2003 security events.

Also interesting is the Secure Vantage Security Auditing Reference List: over 1300 Windows security events and settings, with interactive links to Randy Franklin Smith's online security wiki.

The Service Account Authentication Success filter shows how to filter specific user accounts, or patterns within a user account name such as admin or sys, on logon. Filters like this are commonly used for service accounts that log on to all systems frequently, such as antivirus or backup programs. Note that this applies to 'Success' activity only; all logon failure activity should still be collected.

Run AdtAdmin.exe on the collector to display the current query:

AdtAdmin.exe /getquery

Result: Current query: 'select * from AdtsEvent' (the default, which collects everything)

Next, set the query to drop the successful logons (event IDs 528, 540 and 680) of accounts matching the 'ADM_' and 'SYS_' patterns:

AdtAdmin.exe /setquery /query:"Select * from AdtsEvent where NOT ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680))"

Check your query by running AdtAdmin.exe /getquery again. The result should be:

Current query: "Select * from AdtsEvent where NOT ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680))"

Now all these events are dropped at the collector, before they enter the ACS database. They are not stored anywhere and cannot be recovered later, so keep the filter as narrow as you can. Two things to check before you commit a filter like this one. First, in WQL (as in SQL) the underscore in a LIKE pattern is a single-character wildcard, so '%ADM_%' also matches any name that merely contains "ADM" followed by one more character, Administrator included; write '%ADM[_]%' if you mean a literal underscore. Second, the filter only names success event IDs (528, 540, 680); do not add the failure IDs to it, for the reason given above.
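Because a dropped event is gone for good, it pays to see exactly what a filter matches before committing it with /setquery. The script below is an added example, not code from the original post or from AdtAdmin.exe: it re-implements only the WQL LIKE/AND/OR/NOT logic of the query above and runs it over a handful of constructed sample events (the account names and event IDs are made up). The literal-underscore variant of the patterns, '%ADM[_]%', is my assumption about what the filter is meant to match, not something the Secure Vantage guide states.

```powershell
# Added example: evaluate the collector-side ACS noise filter from this post
# against constructed sample events. Not part of AdtAdmin.exe; it only mimics
# WQL LIKE semantics: % = any run of characters, _ = exactly one character,
# [...] = a character set, and comparison is case-insensitive.

function ConvertTo-LikeRegex {
    param([string]$Pattern)
    $regex = '^'
    $i = 0
    while ($i -lt $Pattern.Length) {
        $c = [string]($Pattern[$i])
        switch ($c) {
            '%' { $regex += '.*' }
            '_' { $regex += '.' }
            '[' {
                # Pass a WQL set or range such as [_] or [a-f] through unchanged.
                $j = $Pattern.IndexOf(']', $i)
                $regex += $Pattern.Substring($i, $j - $i + 1)
                $i = $j
            }
            default { $regex += [regex]::Escape($c) }
        }
        $i++
    }
    return $regex + '$'
}

function Test-Like {
    param([string]$Value, [string]$Pattern)
    return [bool]($Value -imatch (ConvertTo-LikeRegex $Pattern))
}

function Test-EventKept {
    # NOT ((HEADERUSER LIKE p1 OR HEADERUSER LIKE p2 ...) AND (EventID = a OR EventID = b ...))
    # Returns $true when the collector would keep the event.
    param($Event, [string[]]$UserPatterns, [int[]]$EventIds)
    $userHit = $false
    foreach ($p in $UserPatterns) {
        if (Test-Like -Value $Event.HeaderUser -Pattern $p) { $userHit = $true }
    }
    $idHit = $EventIds -contains $Event.EventId
    return -not ($userHit -and $idHit)
}

# Constructed sample events, not real audit data.
$events = @(
    New-Object PSObject -Property @{ HeaderUser = 'SYS_backup';    EventId = 540 }  # service account, success
    New-Object PSObject -Property @{ HeaderUser = 'ADM_avscan';    EventId = 528 }  # service account, success
    New-Object PSObject -Property @{ HeaderUser = 'SYS_backup';    EventId = 529 }  # logon FAILURE, must be kept
    New-Object PSObject -Property @{ HeaderUser = 'Administrator'; EventId = 528 }  # built-in admin, success
    New-Object PSObject -Property @{ HeaderUser = 'jdoe';          EventId = 528 }  # ordinary user, success
)
$successIds = 528, 540, 680   # the success event IDs named in the filter

$filters = @(
    @{ Name = 'filter from the post'; Patterns = @('%ADM_%',   '%SYS_%')   },
    @{ Name = 'literal underscore';   Patterns = @('%ADM[_]%', '%SYS[_]%') }
)
foreach ($f in $filters) {
    Write-Host "== $($f.Name) =="
    foreach ($e in $events) {
        $verdict = if (Test-EventKept -Event $e -UserPatterns $f.Patterns -EventIds $successIds) { 'keep' } else { 'DROP' }
        Write-Host ('{0,-4} {1,-14} {2}' -f $verdict, $e.HeaderUser, $e.EventId)
    }
}
```

With the post's patterns the two service-account success logons and the Administrator 528 are dropped (the "_" in '%ADM_%' matches the "i" in Administrator), while the 529 failure and the ordinary user are kept. With the '[_]' variant only the two accounts that really contain an underscore are dropped. Run it before every change to the collector query and keep the output with your change record.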

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


by alkin

enable audit collection on opsmgr agents

2:44 pm in Uncategorized by alkin

Depending on your auditing needs, you might have several hundred to thousands of computers from which you want to collect audit events. By default, the service needed for an agent to be an Audit Collection Services (ACS) forwarder is installed but not enabled when the Operations Manager agent is installed. After you install the ACS collector and database you can then remotely enable this service on multiple agents through the Operations Manager console by running the Enable Audit Collection task.

This procedure should be run after the ACS collector and database are installed and can only be run against computers that already have the Operations Manager agent installed. In addition, the user account that runs this task must belong to the local Administrators group on each agent computer.

To enable audit collection on Operations Manager 2007 agents

1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for your Operations Manager 2007 Management Group. This account must also have the rights of a local administrator on each agent computer that you want to enable as an ACS forwarder.

2. In the Operations Console, click the Monitoring button.

Note

When you run the Operations Console on a computer that is not a Management Server, the Connect To Server dialog box displays. In the Server name text box, type the name of the Operations Manager 2007 Management Server that you want the Operations Console to connect to.

3. In the Monitoring pane, expand Operations Manager, expand Agent, and then click Agent Health State. This view has two panes, and the actions in this procedure are performed in the right pane.

4. In the details pane, click all agents that you want to enable as ACS forwarders. You can make multiple selections by pressing CTRL or SHIFT.

5. In the Actions pane, under Health Service Tasks, click Enable Audit Collection. The Run Task – Enable Audit Collection dialog box displays.


6. In the Task Parameters section, click Override. The Override Task Parameters dialog box displays.

7. In the Override the task parameters with the new values section, click the CollectorServer parameter; in the New Value column, type the FQDN of the ACS collector; and then click Override.


8. In the Task credentials section, click Other. In the User Name box, type the name of a user account that belongs to the local Administrators group on the agent computers. In the Password box, type the password for this user account. Click to expand the Domain drop-down list to view the available domains, and then click the domain of the user account.

9. Click Run Task. The Task Status dialog box displays tracking the progress of the task.


10. When the task completes successfully, click Close.

Watch the event log on the forwarder for the event in which the forwarder service (AdtAgent) reports that it has connected to the collector.

Wait a few minutes and you're ready to collect your audit events!
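The task runs per agent and can fail silently on one of a few hundred machines (wrong credentials, RPC blocked, agent not installed), so it is worth verifying the end state instead of trusting the task dialog. The script below is an added example, not part of the original post or of Operations Manager: it checks on each listed agent that the forwarder service AdtAgent is running and set to start automatically. It assumes you are a local administrator on the agents and that WMI/RPC is reachable; the computer names are placeholders.

```powershell
# Added example (not from the original post or Operations Manager): after the
# Enable Audit Collection task has run, confirm on each agent that the ACS
# forwarder service (AdtAgent) is running and starts automatically.
# Assumes local admin rights on the agents and WMI reachable over RPC.
$agents = 'agent01.corp.example', 'agent02.corp.example'   # placeholder names

function Test-AcsForwarder {
    param([string]$Computer)
    # Win32_Service exposes both the live State and the configured StartMode.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='AdtAgent'" -ErrorAction Stop
    if ($null -eq $svc) {
        Write-Warning "$Computer : AdtAgent service not found (is the Operations Manager agent installed?)"
        return $false
    }
    $ok = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
    $status = if ($ok) { 'OK' } else { 'NEEDS ATTENTION' }
    Write-Host ('{0,-26} State={1,-9} StartMode={2,-9} {3}' -f $Computer, $svc.State, $svc.StartMode, $status)
    return $ok
}

$notReady = @()
foreach ($computer in $agents) {
    try {
        if (-not (Test-AcsForwarder -Computer $computer)) { $notReady += $computer }
    } catch {
        # Unreachable host, access denied, etc.: report it rather than skipping it.
        Write-Warning "$computer : $($_.Exception.Message)"
        $notReady += $computer
    }
}
if ($notReady.Count -gt 0) {
    Write-Host "Re-run Enable Audit Collection for: $($notReady -join ', ')"
}
```

Feed the same list of agents you selected in step 4; any machine that comes back as NEEDS ATTENTION, or that throws, is one where no security events are being forwarded yet.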

 

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


by alkin

How to Deploy Operations Manager 2007 ACS Reporting

7:11 pm in Uncategorized by alkin

Audit Collection Services (ACS) reporting can be installed in two configurations.

  • A Microsoft SQL Server 2005 Reporting Services (SRS) SP1 or SP2 instance with Operations Manager Reporting already installed. A benefit of this is the ability to view ACS Reports in the Operations Console.
  • A SRS instance without Operations Manager Reporting installed.

The installation procedures for ACS Reporting do not differ, but the application of access control is different. By deploying ACS Reporting on the same SQL Server 2005 Reporting Services instance as your Operations Manager 2007 Reporting, the same role-based security applies to all reports. This means that ACS Reporting users need to be assigned to the Operations Manager Report Operator Role to access the ACS reports.

In addition to membership in the Operations Manager Report Operator role, ACS report users must also be assigned the db_datareader role on the ACS database (OperationsManagerAC) in order to run ACS reports. This requirement is independent of the presence of Operations Manager Reporting.

If you choose to install ACS Reporting independently of Operations Manager Reporting, you can also use SRS security to secure the reports. See the SQL Server 2005 Books Online Reporting Services Tutorials, Setting Permissions in Reporting Services for more information.
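The db_datareader requirement is the least-privilege way to give report users what they need: read access to the ACS database and nothing else. The script below is an added example, not from the original post or from Operations Manager, that creates a login for an Active Directory group of report users, maps it into OperationsManagerAC, adds it only to db_datareader and reads the group's role memberships back as a check. It assumes Windows authentication and that you are a sysadmin on the instance; the instance name and the group name are placeholders.

```powershell
# Added example (not from the original post or Operations Manager): grant an AD
# group read-only access to the ACS database so its members can run ACS reports.
# Assumes Windows authentication and sysadmin rights on the SQL instance.
# The instance and group names are placeholders; the database name is the default.
$sqlInstance = 'sqlsrv01\Instance1'
$acsDatabase = 'OperationsManagerAC'
$reportGroup = 'CORP\ACS Report Readers'   # AD group holding the Report Operator users

# The group name is embedded in T-SQL below, so only accept what an AD name can contain.
if ($reportGroup -notmatch '^[A-Za-z0-9_\-\. \\]+$') {
    throw "Unexpected characters in group name: $reportGroup"
}

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$reportGroup')
    CREATE LOGIN [$reportGroup] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$reportGroup')
    CREATE USER [$reportGroup] FOR LOGIN [$reportGroup];
EXEC sp_addrolemember N'db_datareader', N'$reportGroup';
"@

# Which database roles does the group hold now? It should be db_datareader only.
$verify = @"
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$reportGroup';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Database=$acsDatabase;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $grant
    [void]$cmd.ExecuteNonQuery()

    $cmd.CommandText = $verify
    $reader = $cmd.ExecuteReader()
    $roles = @()
    while ($reader.Read()) { $roles += $reader.GetString(0) }
    $reader.Close()

    Write-Host "$reportGroup holds database roles: $($roles -join ', ')"
    $extra = @($roles | Where-Object { $_ -ne 'db_datareader' })
    if ($extra.Count -gt 0) {
        Write-Warning "Group holds more than db_datareader ($($extra -join ', ')); review before handing out report access."
    }
} finally {
    $conn.Close()
}
```

Because the Db Audit data source is set to Windows Integrated Security later in this procedure, a report runs against the ACS database as the person viewing it, which is exactly why that person (here via the group) needs db_datareader and nothing more. Use a group rather than individual logins so that report access follows the Report Operator role membership instead of drifting on its own.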

 

I installed my ACS Reporting on the same instance as my SCOM reports.

Before You Start

Deploy ACS as described in my previous post before setting up ACS reporting.

1. The Root Management Server for your management group must be installed and ACS must be configured, on either the RMS or a management server. For more information, see About Audit Collection Services (ACS) in Operations Manager 2007.

2. An instance of Microsoft SQL Server 2005 Reporting Services must be installed on the target computer.

3. During this procedure, you need to be logged on as a member of the Operations Manager Report Operator user role.

4. IIS must be installed on the hosting system. IIS will have already been installed if you are co-locating with a Reporting Server.

5. You need to have access to the ACS database.

6. You need the Operations Manager 2007 installation media.

Deploying ACS Reporting

1. Log on to the server that will host ACS Reporting as a user who is an administrator of the SRS instance.

2. Create a temporary folder, such as C:\acs.

3. On your installation media, go to \ReportModels\acs and copy the directory contents to the temporary installation folder.

There are two folders (Models and Reports) and a file named UploadAuditReports.cmd.

4. On your installation media, go to \SupportTools and copy the file ReportingConfig.exe into the temporary acs folder.

5. Launch a Command Prompt window and change directory to the temporary acs folder.

6. Run the following command.
UploadAuditReports "<AuditDBServer\Instance>" "<Reporting Server URL>" "<path of the copied acs folder>"
For example: UploadAuditReports "myAuditDbServer\Instance1" "http://myReportServer/ReportServer$instance1" "C:\acs"

This example creates a new data source called Db Audit, uploads the reporting models Audit.smdl and Audit5.smdl, and uploads all reports in the acs\reports directory.

Note

The reporting server URL needs the report server virtual directory (ReportServer$<InstanceName>), not the Report Manager directory (Reports$<InstanceName>); the example above uses the former.


7. Open Internet Explorer and enter the following address to view the SQL Reporting Services Home page. http://<yourReportingServerName>/Reports$<InstanceName>


8. Click Audit Reports in the body of the page and then click Show Details in the upper right part of the page.

9. Click the Db Audit data source.

10. In the Connect Using section, select Windows Integrated Security and click Apply.

That’s it!

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


by alkin

Installing Audit Collection Services ( ACS )

7:05 pm in Uncategorized by alkin

I’m going to write up some procedures for ACS. First I’m going to install Audit Collection Services, after that I’m going to deploy ACS Reporting, and last but not least I’m going to enable ACS forwarding on the agents. I’m using the information on the TechNet site as a basis.

The ACS database runs on Microsoft SQL Server 2005. The Audit Collection Services Collector Setup wizard creates the ACS database on an existing installation of Microsoft SQL Server 2005. To complete the installation procedure, you must be a member of the local Administrators group on both the ACS collector and the ACS database computers as well as a database administrator on the ACS database. As a best practice for security, consider using Run As to perform this procedure.

To install an ACS collector and an ACS database

1. Insert the Operations Manager 2007 CD in the Management Server that you selected to be the ACS collector.

2. On the root of the CD, double-click SetupOM.exe. In the Install section, click Install Audit Collection Server. The Audit Collection Services Collector Setup wizard starts.

3. On the Welcome page, click Next.


4. On the License Agreement page, read the licensing terms and then click I accept the agreement. Click Next.

5. On the Database Installation Options page, click Create a new database and then click Next.

6. On the Data Source page, type a name that you want to use as the Open Database Connectivity (ODBC) data source name for your ACS database in the Data Source Name box. By default, this name is OpsMgrAC. Click Next.


7. On the Database page, if the database is on a separate server than the ACS collector, click Remote Database Server and then type the computer name of the database server that will host the database for this installation of ACS. Otherwise, click Database server running locally.


8. In the Database server instance name field, type the name of the SQL Server instance that will host the ACS database. If you leave this field blank, the default instance is used. In the Database name field, the default database name OperationsManagerAC is entered automatically. You can select the text and type a different name, or keep the default. Click Next.

Note

To display a list of SQL Server instances, click Start, point to Programs and Microsoft SQL Server 2005, and then click SQL Server Management Studio on the database computer. Under Server name, click Browse for more and then expand Database Engine. Named instances are listed as server name\instance name.

9. On the Database Authentication page, click to select one authentication method. If the ACS collector and the ACS database are members of the same domain, you can select Windows authentication; otherwise, select SQL authentication and then click Next.

Note

If you select SQL authentication and click Next, the Database Credentials page displays. Enter the name of the user account that has access to the SQL Server in the SQL login name box and the password for that account in the SQL password box, and then click Next.


10. On the Database Creation Options page, click Use SQL Server’s default data and log file directories to use SQL Server’s default folders. Otherwise, click Specify directories and enter the full path, including drive letter, to the location you want for the ACS database and log file, for example C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data. Click Next.

11. On the Event Retention Schedule page, under Local hour of day to perform daily database maintenance, choose a time when the expected volume of security events is low; database performance is affected during the maintenance window. In Number of days to retain events, type the number of days ACS should keep events in the ACS database before they are removed by database grooming. The default is 14 days. Click Next.


12. On the ACS Stored Timestamp Format page, choose Local or Coordinated Universal Time (UTC), and then click Next. UTC is the safer choice when forwarders or analysts span time zones, since it keeps the ordering of events unambiguous.


13. The Summary page displays a list of actions that the installation program will perform to install ACS. Review the list, and then click Next to begin the installation.

Note

If a SQL server login dialog box displays and the database authentication is set to Windows authentication, click the correct database and verify that the Use Trusted Connection check box is checked. Otherwise click to remove the check and enter the SQL login name and password. Click OK.


14. When the installation is complete, click Finish.


Check in the OpsMgr console that your collector is healthy.

That’s it!

Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


by alkin

Microsoft.interop.security.azroles.dll error when installing opsmgr

2:20 pm in Uncategorized by alkin

Yesterday I wanted to install my second management server on a Windows 2003 R2 SP2 machine. I installed all the requirements and ran the prerequisite checker.

I was really astonished! It was the first time I saw this error and I didn’t understand it!

http://support.microsoft.com/default.aspx?scid=KB;[LN];937292


This problem occurs if the primary interoperability assembly (Microsoft.interop.security.azroles.dll) is no longer registered in the global assembly cache after you install Microsoft Windows Server 2003 with Service Pack 1 or Windows Server 2003 with Service Pack 2.

To resolve this problem in Windows Server 2003 with Service Pack 2, re-register the primary interoperability assembly in the global assembly cache.
To do this, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following commands. Press ENTER after you type each command.
    • cd %windir%\Microsoft.NET\AuthMan\1.2
    • azrlreg register Microsoft.interop.security.azroles.dll
  3. Run the prerequisite checker again; everything is green now!


Greetz,

Alexandre Verkinderen

http://scug.be/blogs/scom


by alkin

Join us for Security Auditing & ACS Optimization

9:16 am in Uncategorized by alkin


Join us for

Security Auditing & ACS Optimization

Learn how your organization can maximize their investment in System Center to support security and regulatory compliance auditing requirements using Operations Manager and the Audit Collection Service (ACS). This is a great opportunity to learn about the latest in partner solutions that extend ACS to provide centralized security event management featuring ACS administration, security alerting, data archiving, multi-collector reporting, syslog event collection and better support for regulatory compliance needs including EUDPD, ISO27000, SOX, PCI and many others.

Event Agenda:

  • 17h30: Registrations
  • 18h00: Pizzas !
  • 18h30: SCUG.be (Alexandre Verkinderen)
    • Welcome & Introductions
  • 18h45: SecureVantage (Jeremiah Beckett)
    • Audit Collection Service Overview
    • Security Management & Auditing with Secure Vantage Compliance Security Suite for System Center
    • Case Study Review – Information Services Firm Enhances Compliance & Optimizes Data Center
    • Open Q&A
    • Attendee Raffle
  • 20h30: Drink/networking @ The Pole

WHEN – September 16 2008

Time: 3hr

WHERE – Dolmen, Huizingen: map

Registration: Registration Link (places are limited)

PDF


So if YOU are involved with security, compliance or systems management in your organization, come hear the latest information about the solutions available to help you mitigate your IT risks while improving your audit and reporting capabilities to support regulatory compliance efforts with Microsoft System Center technologies.

About Secure Vantage Technologies
Move to the next generation of enterprise security management with the Secure Vantage Compliance Security Suite for Microsoft System Center.  Take advantage of hundreds of audit scenarios, advanced forensics and unmatched offline archiving capabilities for Windows security events, group policy, service and application configurations — even your Unix/Linux syslogs. Fully customizable, Secure Vantage solutions include extensive context-sensitive expertise & guidance providing System Center support for CoBITs, ISO, FISMA, HIPAA, PCI, SOX, and other regulations, natively.  www.securevantage.com



by alkin

Opsmgr agent grayed out on domain controller

1:41 pm in Uncategorized by alkin

Last week I deployed my SCOM agents on my domain controllers. The installation was successful and of course I checked the agent proxying checkbox in the administration console.

After 30 minutes I checked the status of my agent and it was grayed out!! So I looked at the event log of my DC and saw this error:

Event Type: Error

Event Source: HealthService

Event Category: Health Service

Event ID: 7017

Date: 4/07/2008

Time: 11:49:36

User: N/A

Computer:

Description:

The health service blocked access to the windows credential NT AUTHORITY\SYSTEM because it is not authorized on management group dgz. You can run the HSLockdown tool to change which credentials are authorized.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

http://technet.microsoft.com/en-us/library/bb309542(TechNet.10).aspx

On computers requiring high security, for example a domain controller, you may need to deny certain identities access to rules, tasks, and monitors that might jeopardize the security of your server

So you have to run the HSLockdown tool to change which credentials are authorized. HSLockdown.exe is in the agent’s installation folder (by default under %ProgramFiles%\System Center Operations Manager 2007).

When you run HSLockdown [ManagementGroupName] /L (list accounts/groups) you can see that the SYSTEM account is denied. That’s why my agents are greyed out!

Next, remove the deny entry for the SYSTEM account:

HSLockdown [ManagementGroupName] /R "NT AUTHORITY\SYSTEM"

Run /L again to confirm that NT AUTHORITY\SYSTEM no longer appears as denied, then restart the Health Service and you’re done!! Keep in mind that the deny was a deliberate lockdown for a high-security machine, so record the change.

Greetz,

Alexandre Verkinderen

http://scug.be/blogs


by alkin

ACS training by SecureVantage

5:30 pm in Uncategorized by alkin

SecureVantage is organizing some free online training around ACS.

Download Flyer.

The next online training is on August 7 about troubleshooting access issues, events codes and performance.

After that they will give sessions about disaster and recovery, gateways, administration, report planning, etc!

They really cover everything about ACS!


Grtz,

Alkin


Alexandre Verkinderen

http://scug.be/blogs/scom
