MOM 2005 Security Accounts

MOM 2005 Accounts: What are they, what they do, and what permissions do they need?

We’ve seen and run into quite a bit of confusion about the different security accounts that exist in MOM 2005: specifically, which accounts exist for MOM, what they do, and what permissions they need to do it. The following is an attempt to summarize this information based upon our own experiences. For Microsoft’s best practices you can refer to the Microsoft MOM security guide, which is available at: http://go.microsoft.com/fwlink/?linkid=33035.

Most of the debate revolves around the Action accounts that are used within MOM. The recommended approach is to use a built-in account, Local System or (on Windows 2003, where it is preferred over Local System) Network Service, to provide the required functionality. The MOM Agent Action accounts should run as Network Service unless that account cannot effectively be given the permissions it requires for the management packs deployed to that system. As an example, the SQL Server management pack requires access to various databases, which will not be available unless the Local System/Network Service account is granted permission to those databases. We can think of more than one organization that was not comfortable with a system account having that level of permission into their databases.

The following is a summary of the security accounts in MOM, what they do, and the recommended permissions. Basically you need one account with permissions to deploy the agents (the Management Server Action account is recommended) and one with access rights to the MOM databases (the MOM DAS account). For more detailed information on these, our upcoming MOM 2005 Unleashed book provides quite a bit more than what is listed below.

Management Server Service account (the MOM Service account)

    What does it do? Communicates with the agents, runs the local agent on the management server
    What type of account should I use? Local System/Network Service

Management Server Action account

    What does it do? Installs/uninstalls agents, runs server-side responses on the management server, computer discovery, agentless operational data gathering, runtime tasks from the MOM console
    What type of account should I use? Domain admin, or local admin on each server an agent is to be installed on

MOM DAS account

    What does it do? Controls access to data in the OnePoint database
    What type of account should I use? Domain account with permissions to the OnePoint database (permissions are configured by the MOM setup program)

MOM Reporting account

    What does it do? Data transfer between the Operations and Reporting databases
    What type of account should I use? Use the “MOM DAS” account

MOM Agent Action account(s)

    What does it do? Runs responses (scripts, managed code responses) on the managed system, collects performance data and events
    What type of account should I use? Local System/Network Service, or a domain user that is a local admin*
    Note: these can exist on a per-managed-server basis
    Note: in some cases a specific account is preferable in order to provide the permissions required by the management pack(s), such as the SQL Server Management Pack (for organizations not wanting to give SQL rights to Local System) or the Active Directory Management Pack

MOM Agent Service account(s)

    What does it do? Used when communicating with the management server and running the agent
    What type of account should I use? Local System/Network Service, or local admin

*On Windows 2000 Server, the Action account must be a member of the local Administrators group. On Windows Server 2003, you can use a low-privileged account for the agent’s Action account under certain circumstances (see Microsoft’s MOM 2005 Security Guide for more information). 
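To make the guidance above checkable on a real server, here is an added audit script (our own example, not part of the original post and not a Microsoft or MOM tool). It lists the identity each MOM-related Windows service runs as and labels it according to the recommendations: built-in accounts (Local System/Network Service) are fine, a domain account in the local Administrators group is expected on Windows 2000 but worth reviewing on Windows 2003, and any other domain account should be checked against the rights the deployed management packs need. The service display-name pattern, the function name and the parameter names are assumptions; confirm the actual MOM service names with Get-Service on your own management server. The Action account is not a Windows service, so it does not show up in this report and has to be verified separately.

```powershell
# Added example: audit the accounts MOM-related services run as on one computer.
# ASSUMPTION: MOM services are matched by display name with the pattern below;
# verify the real names with: Get-Service | Where-Object { $_.DisplayName -like '*MOM*' }
function Get-MomServiceAccountReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$DisplayNamePattern = '*MOM*'   # assumption, adjust to your service names
    )

    # Identities the post recommends for service accounts
    $builtin = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

    # Members of the local Administrators group, as DOMAIN\Name strings
    $admins = Get-WmiObject -ComputerName $ComputerName -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object {
            if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                '{0}\{1}' -f $matches[1], $matches[2]
            }
        }

    # Windows 2000 requires the agent account to be a local admin; 2003 allows lower privilege
    $os = (Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem).Caption

    $services = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern }

    foreach ($svc in $services) {
        $acct = $svc.StartName
        $verdict = if ($builtin -contains $acct) {
            'OK: built-in account (Local System / Network Service)'
        } elseif ($admins -contains $acct) {
            if ($os -like '*2000*') {
                'OK: domain account in local Administrators (required on Windows 2000)'
            } else {
                'REVIEW: domain account with local admin rights; prefer Network Service or a low-privileged account on Windows 2003'
            }
        } else {
            'REVIEW: domain account without local admin rights; verify it has the rights the deployed management packs need'
        }

        New-Object PSObject -Property @{
            Computer = $ComputerName
            Service  = $svc.Name
            Display  = $svc.DisplayName
            Account  = $acct
            Verdict  = $verdict
        }
    }
}

# Usage: run against the local machine (or pass -ComputerName for a remote managed server)
Get-MomServiceAccountReport | Format-Table Computer, Service, Account, Verdict -AutoSize
```

The script only reads WMI, so it can be run from a low-privileged monitoring workstation that has WMI access to the target; running it across the managed servers gives a quick inventory of where a domain account, rather than Network Service, is still carrying agent traffic.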

This entry was posted in MOM 2005.