Microsoft Operations Manager (MOM)
Our experience in managing large Windows deployments has taught us that, above all, information is king: if you don't know what's going on out there in the data center, you might as well forget about security. The reason for our discussion of MOM in this chapter on the future of Windows security is this: although MOM is available today, we believe that in the near future it will provide the framework for all monitoring of Microsoft server environments, so it behooves us at least to give an overview of how it can support security.
We'll let readers follow the links in "References and Further Reading" to download the "marketecture"; we'll focus here on the security benefits of MOM. The primary benefit it provides is a secured, centralized database of events from across the environment. This is done through MOM's security log aggregation feature, which forwards collected events to a secured, central computer. The aggregation integrates many potential data sources beyond the Windows Event Log, including Simple Network Management Protocol (SNMP) traps and UNIX syslog. For those of you who have struggled to manage Event Logs across thousands of servers, here's your solution. Keep in mind that the collection channel and the central store become high-value targets in their own right and need to be protected accordingly. MOM can also monitor security settings for systems grouped into organizational units (OUs), such as all IIS servers.
Of course, monitoring and collecting events is not enough; we know plenty of organizations that keep reams of log data that no one ever reviews or acts on. You must also alert on critical events and proactively enforce selected policies that should never be violated. MOM can respond to security events with scripts that alert administrators and/or enforce security policy across the environment. For example, MOM can send a notification to a specified administrative account, disable an account showing aberrant behavior, or shut down a potentially compromised computer (also selectively enforceable by OU). Scope such automated responses carefully: an attacker who can trigger the triggering condition (a burst of failed logons against the built-in Administrator account, say) can also trigger the response, so the accounts and systems you would least like to lose should get a notification rather than an automatic lockout or shutdown.
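To make the two preceding points concrete, here is an added example (our own illustrative code, not part of MOM or of its management packs) of the correlate-then-respond logic a central event store makes possible. It normalizes failed-logon records from two sources, Windows Security Event Log entries (event ID 529, "Logon Failure: Unknown user name or bad password", exported here in a simple tab-separated layout we made up for the example) and UNIX syslog lines from sshd, then counts failures per account across all hosts inside a sliding time window and decides on a response. The threshold, the window, and the list of protected accounts that are only ever alerted on, never auto-disabled, are assumptions for the example; all hosts, users, and addresses in the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The Windows records use a tab-separated export
# layout invented for this example (not MOM's storage format):
# timestamp, host, event ID, description, user field, source address field.
WINDOWS_EVENTS = """\
2003-12-03 10:00:12\tiis01\t529\tLogon Failure: Unknown user name or bad password\tUser Name: svc_backup\tSource Network Address: 10.0.0.5
2003-12-03 10:00:40\tiis02\t529\tLogon Failure: Unknown user name or bad password\tUser Name: svc_backup\tSource Network Address: 10.0.0.5
2003-12-03 10:02:03\tiis01\t529\tLogon Failure: Unknown user name or bad password\tUser Name: Administrator\tSource Network Address: 10.0.0.5
2003-12-03 10:02:20\tiis02\t529\tLogon Failure: Unknown user name or bad password\tUser Name: Administrator\tSource Network Address: 10.0.0.5
2003-12-03 10:02:44\tsql01\t529\tLogon Failure: Unknown user name or bad password\tUser Name: Administrator\tSource Network Address: 10.0.0.5
2003-12-03 10:30:00\tsql01\t529\tLogon Failure: Unknown user name or bad password\tUser Name: jsmith\tSource Network Address: 10.0.0.77
"""

# Constructed syslog lines in the standard sshd "Failed password" format.
SYSLOG_LINES = """\
Dec  3 10:01:05 unix01 sshd[4321]: Failed password for svc_backup from 10.0.0.5 port 50022 ssh2
Dec  3 10:03:00 unix01 sshd[4322]: Failed password for invalid user test from 10.0.0.9 port 50023 ssh2
"""

WINDOW = timedelta(minutes=5)      # assumed correlation window
THRESHOLD = 3                      # assumed number of failures that trips a finding
# Assumed policy: accounts we never disable automatically. Auto-disabling them
# would hand anyone who can generate failed logons a denial-of-service lever.
PROTECTED_ACCOUNTS = {"administrator"}


def parse_windows(text):
    """Normalize 529 events from the constructed export into a common record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, _desc, user_field, src_field = line.split("\t")
        if event_id != "529":
            continue
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "source": "eventlog",
            "user": user_field.split(": ", 1)[1].lower(),
            "src": src_field.split(": ", 1)[1],
        })
    return events


SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def parse_syslog(text, year=2003):
    """Normalize sshd failures; syslog carries no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, user, src = m.groups()
        events.append({
            "ts": datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"),
            "host": host, "source": "syslog", "user": user.lower(), "src": src,
        })
    return events


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Per account, find the first sliding window holding >= threshold failures,
    regardless of which host or log source reported them."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            run = evs[start:end + 1]
            if len(run) >= threshold:
                findings[user] = {
                    "count": len(run),
                    "hosts": sorted({e["host"] for e in run}),
                    "sources": sorted({e["src"] for e in run}),
                    "first": run[0]["ts"], "last": run[-1]["ts"],
                }
                break
    return findings


def decide_response(user, finding):
    """Notify only for protected accounts; disable everything else that trips."""
    return "alert" if user in PROTECTED_ACCOUNTS else "disable"


def run(windows_text=WINDOWS_EVENTS, syslog_text=SYSLOG_LINES):
    events = parse_windows(windows_text) + parse_syslog(syslog_text)
    findings = correlate(events)
    return {u: dict(f, action=decide_response(u, f)) for u, f in sorted(findings.items())}


if __name__ == "__main__":
    for user, f in run().items():
        print(f"{user}: {f['count']} failures on {', '.join(f['hosts'])} "
              f"from {', '.join(f['sources'])} -> {f['action'].upper()}")
```

Run as-is, the service account svc_backup trips the threshold only because events from two IIS servers and a UNIX host are viewed together, which is the whole argument for central aggregation; the Administrator account trips it as well but is routed to an alert rather than an automatic disable, so the attacker at 10.0.0.5 cannot lock your own staff out by hammering that account.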
Last but not least, MOM has a reporting and trend analysis component that will keep those management types happily poring over graphs and pie charts until their eyes water. After all, you have to justify that security budget somehow, right?
Of course, MOM installs an agent that must run as Administrator, but most of us are used to that from Microsoft. (When are they ever going to develop a global read-only account?) MOM 2004, scheduled for release in the first half of 2004, is something any smart security administrator should look into, as are the new Extended Management Packs (XMP), available now, that extend MOM to manage AD, the .NET Framework, Exchange, BizTalk, ISA Server, and SQL Server, to name a few.
This was first published in December 2003