System Center Forum

ACS

July 17, 2008

Tools: ACS Database and Disk Calculator for Operations Manager 2007

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007, Tips -n- Tricks, Tools & Utilities
  Comments: None

I posted a copy of the ACS Database and Disk Calculator tool we presented in the ACS Master Series from SecureVantage. It provides a utility to ease the process of estimating Audit database sizing and growth, as well as appropriately sizing the disk subsystem of your Audit Collection Services deployment. In keeping with MS best practices, the calculator is based on the procedural guidance contained in the Operations Manager Performance and Scalability Guide, making it unique among other similar aids posted in the past.

It goes a step beyond existing guides to provide a tool that helps administrators negotiate the sizing formulas of the Perf and Scalability Guide. Download the ACS Database and Disk Calculator Tool HERE.

Find links for past sessions and register for future sessions of the ACS Master Series by clicking HERE.


April 8, 2008

Windows 2008 Security and Audit Resources for Opsmgr 2007 Administrators

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007, Tools & Utilities, Uncategorized
  Comments: 1 Comment

I was doing some research and testing on Windows 2008 security and audit logging capabilities and wanted to share these resources for Opsmgr administrators who may need some of this information for use with Audit Collection Services.

Here are some great resources to get you familiar with Windows 2008 security events and granular audit policy configuration.

  • Windows 2008 Audit and Compliance - This TechNet Magazine article is a great introduction to the auditing capabilities of Windows 2008 and the configuration of Granular Audit Policies (GAP).
  • Security Audit Events for Win2008 and Vista - Here’s a great list of Windows 2008 Security Event IDs and descriptions. You’ll notice that Win2008 events are nearly identical to Windows Vista, and you’ll see these in the EventSchema.xml.
  • SVT Audit Reference List - If you are interested in matching Windows 2008 event IDs to their legacy counterparts, the Secure Vantage folks took some info from MS and ultimatewindowssecurity.com to list the legacy event IDs next to their Windows 2008 equivalents.

Update your MOM skills to Operations Manager 2007 at the Operations Manager 2007 Bootcamp! Register in December for training in 2008 at SystemCenterForum and receive a free copy of Operations Manager 2007 Unleashed!

Check the 2008 Bootcamp Schedule and request pricing and availability HERE.


March 25, 2008

Opsmgr: ACS Event Transformation Demystified

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

Here’s a post that is a must read for anyone looking to understand ACS internals.

I was doing some research and reading related to ACS and stumbled across a recent entry from Eric Fitzgerald (of the Windows Auditing team) on how the ACS Forwarder and Collector perform event transformation. He offers a breakdown of what the instructions in EventSchema.xml mean and how they are interpreted and used by the ACS roles.

Full article at the source


March 17, 2008

ACS Part 3: Configuring Redundant ACS Collectors in Opsmgr 2007 SP1

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

While only an active / passive configuration, the addition of the capability to configure a secondary / failover ACS collector for a single Audit database in Operations Manager 2007 Service Pack 1 takes us a step in the right direction. In part 3 of the ACS series, Anders and I offer a brief overview of the ACS architecture (for those not already familiar), as well as a step-by-step walkthrough of the configuration and testing process for redundant ACS collectors.

Download the tutorial at: http://systemcenterforum.org/wp-content/uploads/ACS_Part3_final.pdf

Read previous installments of the ACS Series:


March 13, 2008

Important Audit Collection Services (ACS) Change in Operations Manager 2007 SP1

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

There was an important change in Audit Collection Services that seems to have gone largely unnoticed in the SP1 release. More details as they become available. As a temporary aid, the details of the change and the basic configuration details we received are included below.

In SP1, Microsoft now allows 2 ACS collectors to point to the same ACS database, but with only one active at a time. One acts as the primary collector, the other acts as the failover/secondary collector, which can only be enabled when the primary one has failed or is disabled.

Setup Instructions:

The following are the general steps to configure this setup. These steps assume the Primary Collector, Secondary Collector and the database reside on 3 separate physical machines.

On the designated SQL server which will host the Audit database, create a SQL Login that will be used by the ACS Collectors to authenticate and access the Audit database.

  1. Open SQL Server Management Studio
    a. Expand Security and right click on Logins
    b. Click on New Login (the Login-New dialog will be displayed)
    c. Specify the Login name
    d. Select the SQL Authentication option and specify a password
    e. Select the default database to be OperationsManagerAC
    f. No additional permission/security setting is needed, because they will be applied automatically when this login is specified while running AdtSetup

  Note: Don’t use a login with SA privilege

  2. Setup the first collector (i.e. the Primary Collector)
    a. Under the screen: Database Authentication, choose the “SQL Authentication” option
    b. Under the screen: Database Credential, specify the SQL login created in step 1
  3. Once setup is completed successfully, shut down AdtServer (i.e. Operations Manager Audit Collection Service) on the Primary Collector
  4. Setup the Secondary Collector
    a. Under the screen: Database Installation Option, choose the “use an existing DB” option
    b. Under the screen: Database, specify the DB created in step one
    c. Under the screen: Database Authentication, choose the “SQL Authentication” option
    d. Under the screen: Database Credential, specify the SQL login created in step 1
  5. Shut down the AdtServer service (Operations Manager Audit Collection Service) on the Secondary Collector and restart AdtServer on the Primary Collector
  6. When enabling Audit Forwarding on the agent, override the Collector Server parameter and specify the Primary Collector FQDN, followed by the Secondary Collector FQDN, separating the 2 with a comma

To redirect audit traffic to the Secondary Collector (in the event that the Primary Collector is having a problem), one must first ensure AdtServer is NOT running on the Primary Collector, then turn on AdtServer on the Secondary Collector. The Secondary Collector will go under heavy load initially, as it determines the state of the incoming forwarders and builds up its cache. It will eventually stabilize.

Once the problem on the Primary Collector is fixed, shut down AdtServer on the Secondary Collector and turn on AdtServer on the Primary Collector. The forwarders will automatically redirect themselves back to the Primary Collector.

The reason behind the use of SQL Authentication is that, when Windows Authentication option is used in ACS, the Collector machine account is assigned as the login and given privileges to the ACS DB. This would not work with 2 Collectors, since there are 2 machine accounts and currently ACS setup only knows how to deal with one.
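The failover and fail-back procedure described above, as an added PowerShell example (not from the original post or from Microsoft): it refuses to start AdtServer on the incoming collector until the outgoing one is confirmed stopped, so two collectors are never active against the same Audit database. It assumes the service name AdtServer, two collector FQDNs passed as parameters, and Windows PowerShell run with rights to manage services on both machines.

```powershell
# Added example: switch ACS collection between the Primary and Secondary
# Collector in the order the post requires (stop one, confirm, then start
# the other). Assumes Windows PowerShell (Get-Service -ComputerName) and
# that the "Operations Manager Audit Collection Service" is named AdtServer.
param(
    [Parameter(Mandatory = $true)][string] $PrimaryCollector,    # FQDN
    [Parameter(Mandatory = $true)][string] $SecondaryCollector,  # FQDN
    [ValidateSet('ToSecondary', 'ToPrimary')]
    [string] $Direction = 'ToSecondary'
)

$serviceName = 'AdtServer'
$timeout     = New-TimeSpan -Seconds 120

function Get-Collector([string] $computer) {
    # Remote ServiceController handle; throws if the host or service is missing.
    return Get-Service -ComputerName $computer -Name $serviceName -ErrorAction Stop
}

function Stop-Collector([string] $computer) {
    $svc = Get-Collector $computer
    if ($svc.Status -ne 'Stopped') {
        Write-Host "Stopping $serviceName on $computer"
        $svc.Stop()
        $svc.WaitForStatus('Stopped', $timeout)   # throws if the timeout elapses
    }
    # Re-read the state and abort if it is anything but Stopped: starting the
    # other collector now would put two active collectors on one Audit DB.
    $svc.Refresh()
    if ($svc.Status -ne 'Stopped') {
        throw "$serviceName on $computer is $($svc.Status), not Stopped; aborting switch"
    }
}

function Start-Collector([string] $computer) {
    $svc = Get-Collector $computer
    if ($svc.Status -ne 'Running') {
        Write-Host "Starting $serviceName on $computer"
        $svc.Start()
        $svc.WaitForStatus('Running', $timeout)
    }
}

# Which collector goes offline and which comes online.
if ($Direction -eq 'ToSecondary') {
    $stopOn = $PrimaryCollector;   $startOn = $SecondaryCollector
} else {
    $stopOn = $SecondaryCollector; $startOn = $PrimaryCollector
}

Stop-Collector  $stopOn     # step 1: outgoing collector confirmed down
Start-Collector $startOn    # step 2: only then bring the incoming one up

Write-Host "Collection is now served by $startOn."
Write-Host "Expect heavy load on it while it re-establishes forwarder state and rebuilds its cache."
```

The forwarders redirect themselves because both FQDNs were listed in the Collector Server override (step 6); the script only controls the service order.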


January 24, 2008

Microsoft and Forrester Research Audit and Compliance Security Seminars

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

Microsoft and Forrester Research are holding a couple of security seminars in February to discuss industry trends in security and compliance, as well as proactive solutions available with Operations Manager Audit Collection Services. Registration link below.

  • San Jose, CA - Date: February 12, 2008 - Event ID: 1032361790
  • Bellevue, WA - Date: February 14, 2008 - Event ID: 1032361786

Register today! Go to http://msevents.microsoft.com and enter the Event ID listed with the city you would like to attend.




Enterprise Certified receives Gold Certified Partner Award

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

Enterprise Certified, an ISV offering OpsMgr ACS archiving, reporting and compliance solutions, announced they received their fourth Microsoft Gold Certified Partner award … this one for Security, Identity and Access.


January 9, 2008

ACS Part 2: Effective use of ACS and the information lifecycle

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: 1 Comment

Previous posts in the series:

Part 1: Audit Collection Services is installed, now what?

In part 1, we discussed the real function of ACS, differentiated between product and process, and touched on a couple of the necessary preparations and considerations. ACS is simple enough to configure - today I want to focus on effectively utilizing your security information data throughout its lifetime. This is commonly called the Information Lifecycle or, more specifically, the Security Information Lifecycle.

For purposes of our discussion, we will consider the Security Information Lifecycle in terms of the following phases:

  1. Collection - Acquisition and management of log data. This step is the foundation for the event analytics (the processes) that ultimately comprise any successful security and compliance initiative
  2. Examination - Examining the data for anomalies or patterns of interest.
  3. Analysis - When an anomaly is identified, this triggers data auditing (human analysis), ad-hoc auditing so to speak.
  4. Review - Periodic examination of data as part of the scheduled auditing process.

At the end of the day, ACS is a Security Information Management (SIM) solution, and like every SIM on the market, what it lacks out of the box is the human intelligence and skill in data analysis of a good security engineer.

Audit Collection Services represents the automation of phase 1. Phases 2 and 3 are where the auditor (or some automated form of audit logic) has to take some action. This is where data analysis comes into play. There is good out of the box reporting, but from a process perspective we need to act on this data. There is no automated process analyzing this data.

And this is especially important because the event data contained in the ACS database is a rolling data set. If you accepted the defaults during installation, the data is groomed by the nightly maintenance task at 14 days old. If your company has no externally legislated data retention requirements that prompted you to purchase a 3rd party ACS data archiving solution, 14 days is end-of-life for that data. If you don’t take action on this data, it’s gone forever and the opportunity lost. And even if you do have a 3rd party archiving solution, analysis is less expensive (in terms of human effort) and delivers more business value (in terms of problems uncovered) if we do it sooner rather than later, while the data is still fresh, online and accessible.

NOTE: The 3rd party add-ons from companies like Enterprise Certified and SecureVantage bring numerous benefits we will discuss in a future installment.

So the million dollar question is: How can we more aggressively and effectively analyze and utilize this data before it is groomed, and without watching a console all day?

So let’s consider a simple scenario. You work for a company with ACS deployed to support internally-defined security policies, with no 3rd party archiving add-on. There are really a couple of different ways we could go about this.

  1. We could simply schedule various ACS reports to run periodically and e-mail or publish them to a file share. There is definitely some value in this, and while it potentially results in an extensive set of reports to comb through, if we target these reports at the key events we care about, it’s a definite improvement over the alternative.
  2. Use scripts querying the ACS high-performance WMI provider. We could, but there is an easier way in my opinion. (Incidentally, I will touch on how this provider should be utilized in a later post.)
  3. Through the strategic use of ACS in conjunction with Event Rules to watch for changes and then raise alerts - Think MOM 2005 here. How did we audit for security events in MOM 2005? Through event rules matching the criteria we define! This is a simple 2-step strategy:
    a. As an engineer or auditor, I take the events I wish to watch for and create rules in Operations Manager to watch for these events and generate alerts. This could be login failures, auditing changes to my Active Directory, whatever.
    b. When an event is matched and an alert is raised, this is my prompt to run the appropriate ACS reports and do my analysis to establish the timeline and sequence of events.

In short, we use monitoring to fire an alert that prompts internal auditors or service owners to utilize Event Log data collected by ACS to analyze the event.

The trigger used in our 3rd method is something every MOM 2005 admin is familiar with, and it is very effective as it allows us to make use of data triggers outside the Security Event Log as well (e.g. SQL logon failures) with the tools we already have in place. We catch events of local significance, and then analyze their global significance and scope (across multiple systems) through ACS report data.

Why this makes sense:

This may seem a counter-intuitive strategy until you consider that the ACS interfaces for data analysis are the reports (not well-suited to automation) and the ACS WMI provider (which has no user-friendly interface for running process scripts). Technically, we could use the ACS WMI provider in OpsMgr rules, but this is not the easiest way to go about it. Using event rules in Operations Manager in this way leverages the existing rich data processing capabilities of OM 2007 and also separates this processing load.

Use case scenarios:

Let me elaborate through a few examples just to get your creativity jump-started on all the ways you could tap this strategy as part of a more effective audit strategy in your organization.

Network Administrator

If you’re the person responsible for host-based security in your company, you could watch for high failed login counts on servers using an event rule, which would then prompt analysis of Event Data collected by ACS to identify which systems the attempts came from.

Internal Auditor

If you’re an internal auditor with key data security initiatives, you could configure audit policies and use Event Rules in Operations Manager 2007 to trigger alerts on key security events that prompt analysis. If a malicious user accesses a file share on the ERP Server where spreadsheets containing payroll data are stored, you could catch this through an Event Rule targeting an event in the Security Event Log, and then go do your analysis to establish the undeniable sequence of events required for punitive action.

Active Directory Administrator

By enabling the right audit policies, we can use rules to watch for changes to any object class or instance in the Active Directory and catch who performed unplanned or unauthorized activities, and when: Trusts, group policies, OUs, sensitive security groups, topology changes (sites, site links, subnets). And then, if necessary, we can go to ACS to review a given user’s recent activities to see what else they’ve been up to ;)

There’s a much bigger picture to consider for the heterogeneous enterprise and the future of ACS. We will start this discussion in part 3.

Your thoughts and comments are welcome on this post or via the contact page.


January 7, 2008

Enabling the ACS Forwarder Role on a Management Server in Operations Manager 2007 RTM

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: 1 Comment

In the RTM release of Operations Manager 2007, you have likely noticed that the Enable Audit Collection task does not appear in the Actions pane when the RMS or a Management Server is selected. This task enables the Audit Collection Forwarder service (which is disabled on agent-managed computers by default) and sets the appropriate values in the registry.

In fact, the Audit Collection Forwarder service is not even installed on a Management Server.


Enabling the ACS Forwarder service on a Mgmt Server is a new feature in SP1, but it turns out, there is actually a way to do this in the RTM release. Credit Jeff Skelton for working through how to do this when MS Support told him it was not possible. While obviously unsupported, I did work through Jeff’s solution in the lab and it seems to work as expected.

Steps for Enabling the ACS Forwarder Role on a Management Server

  1. Copy adtagent.exe to C:\windows\system32
  2. Run adtagent -install
  3. Edit HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters
    • Ensure DWORD key EventlogLoggingLevel is set to 2
    • Add DWORD key LocalConfig and set to 2
    • Add DWORD key NoCache and set to 2
    • Add Multi-String Value key AdtServers and enter the name of the collector to forward to.
  4. In the Services control panel, set Operations Manager Audit Forwarding Service to Automatic and start it.
  5. Verify by running SELECT * FROM dbo.dtMachine on the OperationsManagerAC database and finding the management server name. You could also run SELECT * FROM dbo.dtMachine WHERE Description = 'DOMAINNAMEHERE\MACHINENAMEHERE$'

Nice work Jeff!
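The same steps as a script, added here as an example (not Jeff’s or the post’s own code): registry values and service start from the list above, then the dbo.dtMachine check run as a parameterized query instead of a hand-typed string. It assumes an elevated Windows PowerShell session on the Management Server, a staging path for adtagent.exe (placeholder), and that the Audit database is OperationsManagerAC on the SQL host you pass in.

```powershell
# Added example: enable the ACS Forwarder on an RTM Management Server using
# the workaround above. Assumes: run elevated on the Management Server;
# adtagent.exe already staged at $AdtAgentSource (placeholder path, adjust).
param(
    [string] $AdtAgentSource = 'C:\temp\adtagent.exe',  # assumption: where you staged it
    [Parameter(Mandatory = $true)][string] $Collector,   # ACS collector to forward to
    [Parameter(Mandatory = $true)][string] $SqlServer,   # host\instance hosting the Audit DB
    [string] $Database = 'OperationsManagerAC'
)

$sys32  = Join-Path $env:windir 'system32'
$regKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters'

# Steps 1-2: place adtagent.exe in system32 and register the service.
Copy-Item -Path $AdtAgentSource -Destination $sys32 -Force
& (Join-Path $sys32 'adtagent.exe') -install
if ($LASTEXITCODE -ne 0) { throw "adtagent -install failed with exit code $LASTEXITCODE" }

# Step 3: the registry values from the post. -Force overwrites existing
# values, so the script is safe to re-run.
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
New-ItemProperty -Path $regKey -Name EventlogLoggingLevel -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $regKey -Name LocalConfig          -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $regKey -Name NoCache              -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $regKey -Name AdtServers -PropertyType MultiString -Value @($Collector) -Force | Out-Null

# Step 4: set the forwarder to Automatic and start it. Matched by the display
# name the post gives, so the script does not depend on the short service name.
$svc = Get-Service -DisplayName 'Operations Manager Audit Forwarding Service' -ErrorAction Stop
Set-Service -Name $svc.Name -StartupType Automatic
Start-Service -Name $svc.Name
$svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))

# Step 5: confirm the collector registered this machine in dbo.dtMachine.
# DOMAIN\MACHINE$ is built from the environment; the value is bound as a
# parameter rather than concatenated into the SQL text.
$machine = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT * FROM dbo.dtMachine WHERE Description = @m'
$cmd.Parameters.AddWithValue('@m', $machine) | Out-Null
$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        Write-Host "Forwarder registered: $machine found in dbo.dtMachine"
    } else {
        Write-Warning "$machine not yet in dbo.dtMachine; give the forwarder a minute and re-check"
    }
} finally {
    $conn.Close()
}
```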


December 17, 2007

Good resources in updated Performance and Scalability Guide

  Posted by: Pete
  Categories: ACS, Documentation, News, Operations Manager 2007
  Comments: None

There are some good formulas and guidelines in here for ACS sizing, as well as a VBScript to gather event counts per second on a target machine.

The Operations Manager 2007 Performance and Scalability Guide has been updated to include Audit Collection Services sizing information. The updated guide is available on TechNet for browsing HERE and the Download Center for download HERE.




The other partner for ACS archival and compliance reporting

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: None

I was talking with a fellow OM 2007 enthusiast recently and was surprised to learn he had never heard of Enterprise Certified Corporation (ECC). When I noticed their name in the System Center Pack Catalog a couple of months ago, I picked up the phone and gave these folks a call. If this name is unfamiliar to you, let me take a moment introduce you to the other partner for Audit Collection archival and compliance reporting.

Solutions:

ECC just released an updated version of their Enterprise System Center Operations Portal (eSCOP) and Enterprise Compliance Auditing and Reporting (eCAR) solutions compatible with the SP1 Release Candidate for Operations Manager 2007, which I believe will be of interest to many enterprises with internally driven auditing needs or legislatively mandated compliance requirements related to SOX, HIPAA, PCI, FISMA, etc.

  • eSCOP - As the eSCOP name implies, this solution delivers an interface for slicing-and-dicing ACS events and archived events, as well as archiving configuration and archived partition retrieval, via an interface separate from the Operations Console. Incidentally, eSCOP goes a step further: events from the OpsMgr data warehouse are also accessible from the eSCOP interface. ECC also teamed up with eXc Software, leveraging their base framework for audit collection and reporting for non-Windows platforms.
  • eCAR - The eCAR product delivers more than 100 reports mapped to National Institute of Standards and Technology (NIST) recommendations integrated into the Reporting workspace in the Operations Console.

Where to get it:

You can request a trial copy or a live demonstration of eSCOP from the sales team at http://enterprisecertified.com/contact.htm.

Thoughts:

I don’t want to yet claim full knowledge of what appears to be a platform with broad reporting capabilities. In my limited experience with the platform, my initial impression is that the eSCOP console is intuitive and responsive. The web demonstration I attended featured very fast report delivery, attributed in part to string caching, an element of the “secret sauce” behind the console performance. My hands-on time with the eSCOP console likewise revealed a very responsive reporting experience (although my test lab database was much smaller).

The ECC Team

In talking with Bob Williams, I was intrigued to learn of his team’s education and professional background. The ECC team boasts two former Microsoft MVPs for Security in Bob Williams, PhD and Mark Walla. Both have impressive resumes. Bob was involved in crisis management in the Anthrax scare here in the States a few months back, as well as ongoing anti-terrorist activities. No doubt skill sets like this among product architects positively influence the end result.

I encourage anyone considering ACS as a component of an enterprise compliance auditing solution to add Enterprise Certified to their list of partners to contact.


December 5, 2007

Part 1: Audit Collection Services is installed…now what?

  Posted by: Pete
  Categories: ACS, News, Operations Manager 2007
  Comments: 3 Comments

In the next few weeks, I am going to drill down on the role of the Ops Mgr 2007 Audit Collection Services (ACS) in the Security Auditing process. I want to start by providing some context around the role of ACS in the overall process.

The Audit Trail created by ACS should not be confused with the activity of Auditing.

By the CISSP CBK description, these activities would be defined as follows:

  • Audit Trail (aka Audit Log) = A record of events, without regard to correctness or accuracy. It’s just the reporting of an event.

This is exactly what the ACS Collector does. It catches data from the ACS Forwarder (part of the OpsMgr agent) and inserts it into the database, creating a centralized audit trail for all systems. By forwarding events in near real-time, ACS protects the integrity of the audit trail by minimizing the opportunity for Security Event Log tampering, protecting us from the evil administrator (see law #6).

  • Auditing = The activity of examining the audit trail to verify the accuracy of a system, or reconstruct a complex event or series of events.

ACS reports are designed to assist in this activity, providing filtering of these events into more easily digestible chunks based on filtering of a specific activity. Complex events may involve multiple systems, bringing to bear the importance of time sync across all systems in your environment.

And then there is monitoring, an activity which goes beyond simple periodic review of ACS reports to actual identification of activities that violate corporate security policies, whether this is auditing of changes to the Active Directory, intrusion detection, and in some cases, identification of activities affecting regulatory compliance (e.g. HIPAA) with an output of near real-time alerts or responses. More on this later.

With this in mind, what are the first steps?

  1. Get time synchronization in order in your environment. If times are out of sync across systems, reconstruction of complex events will be difficult or impossible.
  2. Size event logs accordingly - Even though ACS forwards events in near real time, network connectivity or other circumstances may prevent this from happening. The queue for ACS is the Security Event Log itself. The ACS Collector keeps a watermark for each ACS Forwarder noting the last event collected, but if the Security Event Log fills and wraps on the Forwarder before connectivity is re-established, you lose events. You may want to bump the log size to 50-100 MB on domain controllers or other critical servers, but base these decisions on your needs and environment.
  3. Enable local and domain audit policies to support your auditing objectives. Audit policies control what information is logged to the Security Event Log. Let’s start simple. These settings can be set through group policy. Below are recommended audit policies for Windows systems by role (view source HERE).

This is just a starting point. There is no one-size-fits-all answer. In future posts, we’ll drill down the specific events covered in the policy categories, and scenarios where exceptions to these rules will be necessary and additional configuration will be required.

Recommended Audit Policy Settings by Machine Role

| Audit Policy                   | Domain Controllers | Member Servers   | Workstations     |
|--------------------------------|--------------------|------------------|------------------|
| Audit account logon events     | Success, Failure   | Success, Failure | Success, Failure |
| Audit account management       | Success, Failure   | Success, Failure | Success, Failure |
| Audit directory service access | Success, Failure   | N/A              | N/A              |
| Audit logon events             | Success, Failure   | Success, Failure | Success, Failure |
| Audit object access            | Success, Failure   | Success, Failure | Success, Failure |
| Audit policy change            | Success, Failure   | Success, Failure | Success, Failure |
| Audit privilege use            | Not configured     | Not configured   | Not configured   |
| Audit process tracking         | Not configured     | Not configured   | Not configured   |
| Audit system events            | Success, Failure   | Success, Failure | Success, Failure |
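The table above turned into a security template per machine role, as an added PowerShell example (not from the original post): it writes a secedit .inf whose [Event Audit] section encodes "Success, Failure" as 3 and omits the "Not configured" and "N/A" categories, so the template does not touch them, and can optionally apply it locally. It assumes an elevated session; the key names and value encoding are the standard security-template format, and the per-role values are exactly the table’s.

```powershell
# Added example: generate (and optionally apply) a secedit security template
# from the "Recommended Audit Policy Settings by Machine Role" table.
# Assumes: run elevated. For a domain-wide rollout, import the resulting .inf
# into a GPO instead of applying it locally.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('DomainController', 'MemberServer', 'Workstation')]
    [string] $Role,
    [string] $TemplatePath = "$env:TEMP\acs-audit.inf",
    [switch] $Apply
)

$SF = 3      # "Success, Failure": template encoding is 1 = success, 2 = failure, 3 = both
$NC = $null  # "Not configured" / "N/A": key omitted, so the template leaves that category alone

# One entry per table row: the [Event Audit] key, then the DC / MS / WS columns.
$policies = @(
    @{ Key = 'AuditAccountLogon';    Name = 'Audit account logon events';     DC = $SF; MS = $SF; WS = $SF },
    @{ Key = 'AuditAccountManage';   Name = 'Audit account management';       DC = $SF; MS = $SF; WS = $SF },
    @{ Key = 'AuditDSAccess';        Name = 'Audit directory service access'; DC = $SF; MS = $NC; WS = $NC },
    @{ Key = 'AuditLogonEvents';     Name = 'Audit logon events';             DC = $SF; MS = $SF; WS = $SF },
    @{ Key = 'AuditObjectAccess';    Name = 'Audit object access';            DC = $SF; MS = $SF; WS = $SF },
    @{ Key = 'AuditPolicyChange';    Name = 'Audit policy change';            DC = $SF; MS = $SF; WS = $SF },
    @{ Key = 'AuditPrivilegeUse';    Name = 'Audit privilege use';            DC = $NC; MS = $NC; WS = $NC },
    @{ Key = 'AuditProcessTracking'; Name = 'Audit process tracking';         DC = $NC; MS = $NC; WS = $NC },
    @{ Key = 'AuditSystemEvents';    Name = 'Audit system events';            DC = $SF; MS = $SF; WS = $SF }
)
$columns = @{ DomainController = 'DC'; MemberServer = 'MS'; Workstation = 'WS' }
$column  = $columns[$Role]

# Standard template header, then one key per configured category.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
foreach ($p in $policies) {
    $value = $p[$column]
    if ($null -eq $value) { continue }     # not configured for this role
    $lines += "; $($p.Name)"
    $lines += "$($p.Key)=$value"
}
# Unicode=yes in the header, so the file itself is written as UTF-16.
$lines | Set-Content -Path $TemplatePath -Encoding Unicode
Write-Host "Wrote $Role audit template to $TemplatePath"

if ($Apply) {
    $db = [System.IO.Path]::ChangeExtension($TemplatePath, '.sdb')
    & secedit.exe /configure /db $db /cfg $TemplatePath /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    Write-Host 'Applied. On Vista/2008 and later, confirm with: auditpol /get /category:*'
}
```

On Windows 2008 these nine categories are the coarse settings; the granular audit policies (GAP) from the April 2008 post above are set with auditpol rather than a template.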

That’s all for now. Look for more in our Audit Collection series later in the month, and our new Security and Compliance Resources section coming online in a few weeks.


November 1, 2007

State Views for ACS State on Agents

  Posted by: Neale
  Categories: ACS, Articles, HOW-TO Guides, News, Operations Manager 2007
  Comments: None

Graham Davies has created a great Step-by-Step guide on how to create state views to show the status (enabled/disabled) of ACS on an agent server. Any OpsMgr administrator working with ACS should have a look at this document.

You can download the document from here.


October 19, 2007

Enable ACS in bulk through Powershell

  Posted by: Neale
  Categories: ACS, News, Operations Manager 2007, Powershell, Scripts
  Comments: None

This script was provided during the Operations Manager 2007 Beta by Joseph Chan @ Microsoft. The original script enabled ACS on all agents to the provided ACS collector. I have copied this script and modified it to take the Display Name of the group as a parameter so you can control which agents are enabled.

You can download the All Agents Bulk Enable here.

Parameters:
  • rmsServerName: The FQDN of the root management server (RMS)
  • collectorServerName: The FQDN of the ACS Collector

You can download the Display Name Bulk Enable here.

Parameters:
  • rmsServerName: The FQDN of the root management server (RMS)
  • collectorServerName: The FQDN of the ACS Collector
  • displayName: The display name of the group. Ex: ‘Sample group’


© 2005-2007 Pete Zerger