Contributed By: Andy Dominey [MVP MOM]
Today, IT security is a big challenge. Security as a whole encompasses a wide variety of items from building access to network security. One of the biggest problem facing security administrators today is tracking user’s access to servers and shared corporate data. This data is notoriously difficult to manage as many people use it and therefore there is a much greater risk of unauthorized access attempts.

The first step to securing an IT infrastructure is to actually decide who should have access and who shouldn’t. Then you can put in place the necessary restrictions. But how do we then ensure these restrictions are not only in place but that they are also efficient? Utilizing an existing Microsoft System Center Operations Manager 2007 management group, you can install and configure Audit Collection which is used to securely collect and store audit information from key Active Directory Domain Controllers and servers and even client machines should this be required.  Not only that, but utilizing SQL 2005 Reporting Services, the data can be viewed in a number of reports to make interpreting it much easier and more intuitive. In addition, the out of the box functionality can be enhanced with the addition of some excellent add-on software by SecureVantage.

The process for installing Audit Collection is a fairly simple one. Firstly you must ensure you have an active OpsMgr management group in place with the OpsMgr agent deployed to all machines on which you want to collect security data. Then you must install and configure the Audit Collection database server. The database can be located on the same database server as the OperationsManager database to reduce the amount of hardware required but at the very least, it is recommended to host it on a separate SQL Instance so that you can secure the instance separately from the OpsMgr database instance. The reason for this is that the collection of auditing and security data is undermined if too many people have access to the data. Usually, the security administrator will be the only person who will need to access this data and therefore access should be restricted to everyone else. Also, the added overhead of collecting security data in addition to regular monitoring data may be too much for your SQL Server.

Once the database is installed, you then need to configure the Audit Collector server. This is the machine that will collect the information from the client agents, filter it and write it to the database. The placement of this machine will depend on your environment but you can only have a single Audit Collector server per Audit Collection database so placement is important. Finally, you need to activate the Audit Collection service on the client machines. Doing this is very easy. The service is preinstalled with the OpsMgr agent but is disabled. Enabling and starting the service is really simple. There is a pre-existing task in OpsMgr that you can simply run on the machines you want to enable for Audit Collection.

Now that we are collecting data, we should consider how the data is actually collected. The audit forwarding agent, located on the agent machine, assumes that the machine it is installed onto is insecure; therefore it is necessary to collect and send all security events immediately. The events are processed extremely fast and are stripped of all excess data reducing the size of each event considerably. The events are then heavily compressed and sent to the Audit Collector. At this point, the Audit Collector filters the events, compresses them further and forwards them to the database where they are archived for auditing and reporting purposes. This whole process takes no more than a few seconds and the most critical part; collecting the data from the client security event log, happens almost in real-time to prevent the log being cleared before data has been collected.

There are some limitations with Audit Collection however. Firstly, you can only have a single Collector server per database. This won’t suit most medium to large organisations. Also, by default, data is only maintained for 14 days so unless you export the reports and save them, you will lose legacy data. This can be modified but it should be noted that the more days you retain, the larger the database will become. The product is also not designed to adhere to regulatory compliance. In order fulfil these requirements; you will need to invest in some additional software by SecureVantage. SecureVantage have long been the market leaders in security monitoring enhancements for MOM and Operations Manager and their additions to Audit Collection are no exception. The currently provide a number of tools but the most notable are the Archiver tool, the Forensic Analyzer tool and IT Compliance Reporting.

The Archiver tool allows the collection and archiving of data from multiple Collectors which provides a workaround for the single collector per database issue. The Forensic Analyzer is a set of reports which enhance the out of the box reports making them more intuitive and assisting navigation through large amounts of security related data. The IT Compliance Reporting pack adds the regulatory compliance knowledge and guidance to the product.

So basically, the new Audit Collection component of OpsMgr is an excellent tool for collecting security information in any environment but to really gain the most from the product, consider augmenting the default functionality with the additions provided by SecureVantage, you won’t be disappointed.

SecureVantage site (www.securevantage.com)