In this excerpt of Chapter 17 from Hacking Exposed Windows Server 2003, authors Joel Scambray and Stuart McClure explain the security benefits of Microsoft Operations Manager (MOM).
Our experiences in managing large Windows deployments has taught us that above all, information is king -- if you don't know what's going on out there in the data center, you might as well forget about security. The reason for our discussion of Microsoft Operations Manager (MOM) in this chapter on the future of Windows security is this: Although MOM is available today, we believe that it will provide the framework in the near future for all monitoring of Microsoft server environments, so it behooves us at least to give an overview of how it can support security.
We'll let readers follow the links in "References and Further Reading" to download the "marketecture"; we'll focus here on the security benefits of MOM. The primary benefit it provides is a secured, centralized database of
Of course, monitoring and collecting events is not enough; we know plenty of organizations that keep reams of log data that no one ever reviews or takes action on. You must also keep alert on critical events and proactively enforce selected policies that should never be violated. MOM can also respond to security events with scripts to alert administrators and/or enforce security policy proactively across the environment. For example, MOM can send a notification to a specified administrative account, disable an account showing aberrant behavior or shut down a potentially compromised computer (also selectively enforceable by OU).
Last but not least, MOM has a reporting and trend analysis component that will keep those management types happily pouring over graphs and pie charts until their eyes water. After all, you have to justify that security budget somehow, right?
Of course, MOM installs an agent that must run as Administrator, but most of us are used to that from Microsoft. (When are they ever going to develop a global read-only account?) MOM 2004, scheduled for release in the first half of 2004, and the new Extended Management Packs (XMP) that extend MOM to manage AD, .NET Framework, Exchange, Biztalk, ISA Server and SQL Server (just to name a few) that are available now, are something any smart security administrator should look into.Download Chapter 17, The Future of Windows Security