Security support from MOM

Learn how Microsoft Operations Manager supports security in this excerpt from "Hacking Exposed Windows Server 2003."

Hacking Exposed Windows Server 2003

By Joel Scambray and Stuart McClure, 628 pages, McGraw-Hill/Osborne

In this excerpt of Chapter 17 from Hacking Exposed Windows Server 2003, authors Joel Scambray and Stuart McClure explain the security benefits of Microsoft Operations Manager (MOM).

Our experiences in managing large Windows deployments have taught us that above all, information is king -- if you don't know what's going on out there in the data center, you might as well forget about security. The reason for our discussion of Microsoft Operations Manager (MOM) in this chapter on the future of Windows security is this: Although MOM is available today, we believe that it will provide the framework in the near future for all monitoring of Microsoft server environments, so it behooves us at least to give an overview of how it can support security.

We'll let readers follow the links in "References and Further Reading" to download the "marketecture"; we'll focus here on the security benefits of MOM. The primary benefit it provides is a secured, centralized database of events from across the environment. This is done primarily through MOM's security log aggregation feature, which sends collected events to a secured, central computer. This aggregation integrates many potential data sources, including Simple Network Management Protocol (SNMP) and Unix syslog. For those of you who have struggled to manage Event Logs across thousands of servers, here's your solution. MOM can also monitor security settings for systems grouped into organizational units (OUs), such as all IIS servers.

Of course, monitoring and collecting events is not enough; we know plenty of organizations that keep reams of log data that no one ever reviews or takes action on. You must also stay alert to critical events and proactively enforce selected policies that should never be violated. MOM can also respond to security events with scripts to alert administrators and/or enforce security policy proactively across the environment. For example, MOM can send a notification to a specified administrative account, disable an account showing aberrant behavior, or shut down a potentially compromised computer (also selectively enforceable by OU).

Last but not least, MOM has a reporting and trend analysis component that will keep those management types happily poring over graphs and pie charts until their eyes water. After all, you have to justify that security budget somehow, right?

Of course, MOM installs an agent that must run as Administrator, but most of us are used to that from Microsoft. (When are they ever going to develop a global read-only account?) MOM 2004, scheduled for release in the first half of 2004, and the new Extended Management Packs (XMP), available now, that extend MOM to manage AD, the .NET Framework, Exchange, BizTalk, ISA Server and SQL Server (just to name a few), are something any smart security administrator should look into.

This was last published in May 2005