Microsoft Operations Manager, or MOM for short, is one of the most powerful tools you can use to see at a glance how all of your servers are doing. Aside from analyzing performance and handling certain administrative functions, MOM handles some security-related functions as well. What often goes unexamined, though, is not the security settings of each system MOM analyzes, but the security of MOM itself and of its connections to the servers you manage with it.
There are several things you can do to enhance MOM's security:
Run the service in a less privileged user context. MOM can run under the Local System account (the default for services) or under the Network Service account, which has lower privileges. Running it as Network Service limits what an attacker gains if the service is exploited.
Use MOM's scopes of operation to control which administrators can manage which computers. This reduces the chance of admins accidentally making changes on a machine they don't have responsibility or authority over -- which can be just as destructive as a malicious change.
Examine MOM's task auditing logs. MOM has task auditing enabled by default, so every task that runs on MOM is recorded. Read those records back whenever you need to confirm what actions actually took place, or to spot activity that hasn't otherwise come to your attention.
Decide whether or not you need to use MOM agents. Agents in MOM -- the software installed on the servers themselves to monitor them and report back to MOM -- are optional, not mandatory. If you choose not to use agents, you get far fewer management features, and the amount of network traffic to and from each server goes up a bit. But if you can't deploy agents to each server, or are worried about the possibility of agents being compromised (unlikely as it is), you can work without them. That said, agents are quite secure -- they're designed only to talk to MOM and to encrypt all the information they send.
Turn off agent proxying. Agent proxying is a feature in MOM that lets an agent forward information on behalf of another computer, but that same path could let malicious software send false data to the MOM server under another computer's name. If you disable agent proxying, you must enable mutual authentication for agents. That's something you'll probably want to do anyway.
Don't harden the server with third-party tools. Using a third-party tool to harden the MOM server can have unexpected consequences. If you run the IIS Lockdown Wizard, for instance, it will disable components MOM depends on (such as ASP.NET), leaving MOM's Web-based admin console unusable. It's fine to audit the server's security settings, but apply any advice you get only after making sure it won't break MOM.
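As an added example that is not part of the original article, the PowerShell function below checks the first item above: it reports which logon account the MOM service uses on each server you name, flagging Local System so you can spot servers that have not been moved to Network Service. It assumes the MOM 2005 service is registered under the service name 'MOM' and the computer names in the usage line are placeholders.

```powershell
# Added example, not from the article: report the logon account of the MOM service
# on each server, so Local System installs stand out. Assumes the MOM 2005 service is
# registered under the service name 'MOM' (an assumption; adjust for your install).
function Get-MomServiceContext {
    param(
        [string[]]$ComputerName = @('.'),
        [string]$ServiceName = 'MOM'
    )
    foreach ($computer in $ComputerName) {
        $svc = $null
        try {
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                                 -Filter "Name='$ServiceName'" -ErrorAction Stop
        } catch {
            # Remote WMI/RPC failures are reported per server rather than aborting the run
            [pscustomobject]@{ Computer = $computer; Account = $null; Assessment = "query failed: $($_.Exception.Message)" }
            continue
        }
        if (-not $svc) {
            [pscustomobject]@{ Computer = $computer; Account = $null; Assessment = 'service not found' }
            continue
        }
        # Classify the logon account: Local System carries the most privilege, Network Service
        # the least of the built-in service identities with a network identity; a custom
        # account needs its own review of group memberships and user rights.
        $assessment = switch -Regex ($svc.StartName) {
            '^LocalSystem$'                  { 'LocalSystem: full local privilege; consider Network Service' }
            '^NT AUTHORITY\\NetworkService$' { 'Network Service: reduced privileges' }
            '^NT AUTHORITY\\LocalService$'   { 'Local Service: reduced privileges, no network identity' }
            default                          { 'custom account: review its group memberships and rights' }
        }
        [pscustomobject]@{ Computer = $computer; Account = $svc.StartName; Assessment = $assessment }
    }
}

# Usage (placeholder computer names): run from an account with remote WMI rights on each server
Get-MomServiceContext -ComputerName 'MOMSERVER01', 'WEB01' | Format-Table -AutoSize
```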
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in December 2005