Jacques Mostert Solutions Consultant Chisa Technologies Session Code: MGT311


  • Slide 3
  • Agenda
    - What is compliancy?
    - Audit Collection Services (ACS)
    - Extending the functionality
    - Non-Windows security monitoring
    - Database model and reports
    - ACS and WMI
    - Tips and tricks from the field
    - Lots of DEMOs!
  • Slide 4
  • What is compliancy?
    - Conforming to a clearly defined specification, policy, standard or law
    - Prove instead of trust
    - Government policies (HIPAA, SOX) versus internal policies
    - Compliance: centrally collect, monitor, archive and report security events
    - Auditing: maintain an audit trail of internal security-related activities
    - Scalable and secure: the infrastructure must guarantee the collection and integrity of huge volumes of security events
  • Slide 5
  • Infrastructure Optimization (diagram): Security Management, Security Auditing, Security Compliance
  • Slide 6
  • Introducing Audit Collection Services (ACS)
    Proactive Platform Monitoring
      - Centralized monitoring across Windows, Linux and Unix
      - Configuration change monitoring
      - Monitor and manage Microsoft and third-party virtualization platforms
    Application and Service Level Monitoring
      - Application and service level monitoring
      - Problem resolution knowledge base
      - Track and report service levels
      - Service level dashboards
    Interoperable and Extensible Platform
      - Standards based
      - Open and extensible platform for customized support
      - Interoperability with 3rd party management systems and help desks
    Centralized Security Auditing
      - Collection and consolidation of security events
      - Reporting to meet audit requirements
      - Default and custom reporting
  • Slide 7
  • ACS fundamentals: key design principles
    - Near real-time export of all security events, rather than batch copy
    - Immutable, tamper-resilient collection policy
    - Network friendly: lightweight, compressed event forwarding
    - Scalable in both collection points and event volume
    - Schematized events for improved analysis and reporting
    - Efficient on-line storage
    - High performance
    - High scalability
  • Slide 8
  • ACS architecture (diagram): Monitored Servers and Monitored Clients forward to the Audit Collector, which writes to the Audit DB, which feeds Data Archival. Events on the monitored machines are labelled "subject to tampering"; once collected they are labelled "under control of auditors".
  • Slide 9
  • ACS Key Components
    Forwarder
      - Description: a separate service from Operations Manager that listens to the EventLog service and forwards Security events in near real time to a Collector. The local Security log acts as the forwarder queue during failover and connectivity outages.
      - Security: SLDC compression; 128-bit RC4 encryption; Kerberos if domain-joined; TLS/SSL with certificates; port 51909 to the Collector; runs as the Network Service account by default
      - Requirements: Windows XP, Windows 2000 with SP4, Windows Server 2003, Vista, Windows Server 2008
    Collector
      - Description: processes events from forwarders and manages the queue to the Audit Database; hosts the EventSchema and the filtering controls
      - Security: TLS/SSL between Collector and Audit Database; port 1433 inbound to the Audit Database
      - Requirements: Windows Server 2003 or 2008; Operations Manager 2007
    Audit Database
      - Description: the central repository for a single Collector; handles data insertion and partition maintenance; 1:1 ratio with an active Collector
      - Security: SQL Security or Windows Integrated Security; end users require db_datareader rights only
      - Requirements: Windows Server 2003 or 2008; SQL Server 2005/2008 Standard with SP1; SQL Enterprise with SP2 recommended
    Reporting
      - Description: the Reporting Server can reside locally on the audit database, but running it remotely on a separate server is recommended for performance. Reports are accessed via Operations Manager Reporting or the SSRS Report Server.
      - Requirements: SCOM Reporting; SQL 2005/2008 SSRS
    Supported configurations: http://technet.microsoft.com/en-us/library/bb309428.aspx
  • Slide 10
  • Secure Communication
    - All connections are mutually authenticated: Kerberos if the forwarder is domain-joined; TLS/SSL if the forwarder is configured with a certificate
    - All data is compressed and encrypted: SLDC compression; 128-bit RC4 encryption
    - Ensure delivery of all audits: alert on availability and integrity
      - Event 4631: Forwarder Disconnected
      - Event 4335: Event Gap in Stream Detected
      - Event 4336: Forwarder Rejected
    - Diagram labels: Certificates, Kerberos, 51909 (CAC5)
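The slide names three collector events that signal lost or refused audit streams. As an added example (not code from the presentation or from ACS), the following monitor flags those event IDs in a constructed sample feed and picks out forwarders that disconnect repeatedly; the record layout and hostnames are assumptions for the example, only the event IDs come from the slide.

```python
"""Added example: flag ACS collector availability/integrity events.
Event IDs 4631, 4335 and 4336 are taken from the slide; the record
layout below is constructed for this example, not the real ACS format."""
from collections import defaultdict

# Event IDs from the slide and the alert text to raise for each one.
ACS_ALERT_EVENTS = {
    4631: "Forwarder disconnected",
    4335: "Event gap in stream detected",
    4336: "Forwarder rejected",
}

# Constructed sample records: (timestamp, event id, forwarder name).
SAMPLE_EVENTS = [
    ("2009-05-01T08:00:00", 4624, "srv-dc01"),    # ordinary logon, not an ACS alert
    ("2009-05-01T08:02:10", 4631, "srv-dc01"),    # forwarder dropped off
    ("2009-05-01T08:05:42", 4335, "srv-file02"),  # sequence gap: audits may be missing
    ("2009-05-01T08:06:00", 4336, "ws-unknown"),  # collector refused an unknown forwarder
    ("2009-05-01T08:09:30", 4631, "srv-dc01"),    # same forwarder disconnects again
]

def collector_alerts(events):
    """Return (timestamp, forwarder, alert text) for every availability or
    integrity event, preserving input order."""
    alerts = []
    for ts, event_id, forwarder in events:
        if event_id in ACS_ALERT_EVENTS:
            alerts.append((ts, forwarder, ACS_ALERT_EVENTS[event_id]))
    return alerts

def flapping_forwarders(events, threshold=2):
    """Forwarders with at least `threshold` disconnects (event 4631).
    Repeated disconnects are where gaps in audit coverage accumulate."""
    counts = defaultdict(int)
    for _, event_id, forwarder in events:
        if event_id == 4631:
            counts[forwarder] += 1
    return sorted(f for f, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ts, fwd, text in collector_alerts(SAMPLE_EVENTS):
        print(f"{ts} {fwd}: {text}")
    print("repeat disconnects:", flapping_forwarders(SAMPLE_EVENTS))
```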
  • Slide 11
  • Security Management: responding to day-to-day threats
    - Provided by Management Packs: monitors, rules, views, notifications
    - Develop your own management pack elements by identifying key events, or look at third-party solutions
    - Free management pack for key Windows Server auditing scenarios: STAMP
  • Slide 12
  • Security Auditing: reporting on historical facts, forensic analysis
    - Provided by reports: Microsoft provides reports out of the box; third-party reports are available
    - Develop your own reports by identifying key events and using Visual Studio
    - Report models for ACS are available as of R2 (on the CD image)
  • Slide 13
  • Filtering (diagram layers: DB Noise Filter; Directory Services and Object-Specific Audit Policies; Domain Audit Policies)
    - The number one factor that influences load is the number of events being collected
    - Filtering is a bottom-up approach and must take into consideration audit collection and reporting requirements
  • Slide 14
  • Audit Plan: developing a comprehensive audit policy is a multi-step process
    - Determine what should be audited
    - Identify how the information is returned
    - Implement audit policy and SACLs (Windows Server 2003: 9 audit categories; Windows Server 2008: 50+ subcategories)
    - Collection, triggers and analysis
    - Start planning this in advance!
  • Slide 15
    =541 AND EventId=541 AND EventId