This blog entry is the next in a series of Operations Manager-related items that review the steps performed to install, configure and tune management packs in real-world environments. Historically we have only discussed management packs from Microsoft, but beginning with this blog posting we digress a bit and look at the Secure Vantage Management Pack.
What is SecureVantage and why would people want to deploy it with Operations Manager 2007? SecureVantage has a variety of products that extend Operations Manager in the areas of security and Audit Collection Services (ACS). These products include solutions for archiving information from the ACS database, and management packs focused on security information that can provide reports for regulations such as HIPAA and SOX (among others).
General information about SecureVantage and its product line is available at http://www.securevantage.com/. SecureVantage also provides a free management pack for download that provides alerting for the top Windows security audit scenarios. You can download this management pack at http://www.securevantage.com/ProductsSTAMP.html.
For the purposes of this article, we are using the IT Auditors Express for reports and the following SecureVantage management packs:
- Security Base Library
- Security Top Alerts
- Group Policy Auditor
- Windows Security Auditor
The high-level steps we followed to get this running were:
- Identify the auditing requirements for your organization (understood, this is a really big high-level bullet, but you want a clear idea of the specific items you need to audit in your environment before you start).
- Install and configure Operations Manager 2007, including the reporting components.
- Deploy the OpsMgr agent to the systems that you plan to monitor with ACS and SecureVantage.
- Install and configure Audit Collection Services for Operations Manager 2007.
- Enable Auditing on the servers that you will be auditing.
- Validate the functionality of ACS by opening Performance Monitor (perfmon) on the collector and watching the Connected Clients counter of the ACS Collector performance object. If ACS is installed correctly and forwarders are reporting in to the collector, this counter should be greater than 0.
- Install the SecureVantage management packs on the Root Management Server (RMS).
- Install IT Auditors Express on the Operations Database Server (not on the RMS).
- Information on the SecureVantage management packs is available at http://www.securevantage.com/ComplianceSecuritySuite.html. High-level information on the management packs and the download links are available in the management pack catalog at http://www.microsoft.com/technet/prodtechnol/mom/catalog/catalog.aspx?kw=&vs=2007&ca=&co=Secure%20Vantage%20Technologies.
- Read the guides on the SecureVantage products, available at http://www.securevantage.com/ProductsDocuments2007.html
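Before installing the SecureVantage packs it is worth confirming the prerequisites above from a script rather than by clicking through perfmon and the Services console on each box. The following PowerShell is an added example written for this post (it is not SecureVantage or Microsoft code). It assumes it runs on the ACS collector with rights to read services and event logs on the audited servers, that the agent, collector and forwarder services are named HealthService, AdtServer and AdtAgent, and that the counter is exposed as the ACS Collector performance object; adjust the names if your installation differs.

```powershell
# Added example: pre-flight checks for ACS before installing the SecureVantage packs.
# Run on the ACS collector. Service names (HealthService, AdtServer, AdtAgent) and the
# performance object name ("ACS Collector") are assumptions; verify them on your system.
param(
    [string[]]$Forwarders = @()   # audited servers to check remotely (optional)
)

function Test-ServiceRunning {
    param([string]$Name, [string]$Computer = $env:COMPUTERNAME)
    $svc = Get-Service -Name $Name -ComputerName $Computer -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Warning "$Computer : service $Name is not installed"
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$Computer : service $Name is $($svc.Status)"
        return $false
    }
    Write-Host "$Computer : $Name is running"
    return $true
}

function Get-AcsConnectedClients {
    # Same value perfmon shows under ACS Collector \ Connected Clients.
    if (-not [System.Diagnostics.PerformanceCounterCategory]::Exists('ACS Collector')) {
        Write-Warning 'ACS Collector performance object not found; is the collector installed here?'
        return -1
    }
    $counter = New-Object System.Diagnostics.PerformanceCounter('ACS Collector', 'Connected Clients')
    return [int]$counter.NextValue()
}

# 1. Agent and collector services on this server
$collectorOk = (Test-ServiceRunning 'HealthService') -and (Test-ServiceRunning 'AdtServer')

# 2. Are any forwarders actually connected?
$clients = Get-AcsConnectedClients
if ($clients -gt 0) {
    Write-Host "ACS collector reports $clients connected forwarder(s)"
} else {
    Write-Warning "No forwarders connected (Connected Clients = $clients); fix ACS before installing the packs"
}

# 3. On each audited server: agent + forwarder running, and auditing producing events
foreach ($f in $Forwarders) {
    $fwdOk = (Test-ServiceRunning 'HealthService' $f) -and (Test-ServiceRunning 'AdtAgent' $f)
    $last = Get-EventLog -LogName Security -ComputerName $f -Newest 1 -ErrorAction SilentlyContinue
    if ($last -eq $null) {
        Write-Warning "$f : Security log is empty or unreadable; enable auditing"
    } elseif ($last.TimeGenerated -lt (Get-Date).AddHours(-1)) {
        Write-Warning "$f : newest Security event is from $($last.TimeGenerated); auditing may be off"
    } else {
        Write-Host "$f : auditing active (last Security event $($last.TimeGenerated))"
    }
}
```

Run it as `.\Check-Acs.ps1 -Forwarders DC01,DC02` (script name assumed). A collector with Connected Clients at 0 after the forwarders show AdtAgent running usually means the forwarder has not been accepted in the Operations Console (Monitoring -> Operations Manager -> Agent Details) or the collector port is blocked; a forwarder whose newest Security event is hours old means the audit policy never reached it, and SecureVantage will have nothing to alert on.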
We ran into a few interesting tidbits and caveats to be aware of with the SecureVantage functionality:
- The SecureVantage product uses both the Operations Manager functionality (event log gathering, etc) and the ACS functionality to provide the alerts and reports that are provided with the product.
- Currently the group membership rule actually fires on all changes made to group memberships, not just changes to high-security groups (such as Domain Admins). The Admin Group Membership view (Operations Console -> Monitoring -> Security Operations -> Windows Security Operations -> Server Security -> Account Management -> Admin Group Membership) also currently displays all group changes. This is scheduled to be resolved shortly.
- The SecureVantage management pack creates its alerts with Informational severity. The number of alerts will vary depending upon a variety of factors, including the number of servers you are auditing, what is being audited, and how active the monitored servers are. For our particular environment with approximately 30 domain controllers, approximately 1000 informational alerts were listed.
- When using the SecureVantage reports, if you choose the Expose Details option prior to running the report, the system will pause for several seconds before you can run the report.
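Until the group membership rule is narrowed to high-security groups, you can do the narrowing yourself against the same audit events. The PowerShell below is an added example for this post, not part of the SecureVantage pack. It assumes the member-added events are 632/636/660 on Windows Server 2003 and 4728/4732/4756 on Windows Server 2008 (security-enabled global, local and universal groups), and that in both formats the group name is the third replacement string and the member the first; check those indexes against one of your own events before relying on the filter. The sample events at the bottom are constructed so the filter can be exercised offline.

```powershell
# Added example: keep only group-membership changes that touch high-security groups.
# Event IDs and ReplacementStrings indexes are assumptions; verify against your own events.
$AdminGroups    = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
$MemberAddedIds = @(632, 636, 660, 4728, 4732, 4756)

function Select-AdminGroupChange {
    # Accepts EventLogEntry objects from Get-EventLog (or anything with the same properties).
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($MemberAddedIds -notcontains $Entry.InstanceId) { return }
        $group  = $Entry.ReplacementStrings[2]   # Target Account Name / TargetUserName
        $member = $Entry.ReplacementStrings[0]   # Member Name / MemberName
        if ($AdminGroups -contains $group) {
            New-Object PSObject -Property @{
                Time     = $Entry.TimeGenerated
                Computer = $Entry.MachineName
                EventId  = $Entry.InstanceId
                Group    = $group
                Member   = $member
            }
        }
    }
}

# Constructed sample events (not real log data): one Domain Admins add on a 2008 DC,
# one ordinary group add that should be dropped, one 2003-style Administrators add.
$sample = @(
    (New-Object PSObject -Property @{ InstanceId = 4728; TimeGenerated = Get-Date; MachineName = 'DC01'
        ReplacementStrings = @('CN=jdoe,OU=Users,DC=corp,DC=local', 'S-1-5-21-1-2-3-1105', 'Domain Admins', 'CORP', 'S-1-5-21-1-2-3-512') }),
    (New-Object PSObject -Property @{ InstanceId = 4728; TimeGenerated = Get-Date; MachineName = 'DC01'
        ReplacementStrings = @('CN=asmith,OU=Users,DC=corp,DC=local', 'S-1-5-21-1-2-3-1106', 'Sales Staff', 'CORP', 'S-1-5-21-1-2-3-2001') }),
    (New-Object PSObject -Property @{ InstanceId = 632; TimeGenerated = Get-Date; MachineName = 'DC02'
        ReplacementStrings = @('CN=svc-backup,OU=Service,DC=corp,DC=local', 'S-1-5-21-1-2-3-1200', 'Administrators', 'BUILTIN', 'S-1-5-32-544') })
)
$sample | Select-AdminGroupChange | Format-Table Time, Computer, EventId, Group, Member -AutoSize

# Against a live domain controller (needs rights to read its Security log):
# Get-EventLog -LogName Security -ComputerName DC01 -InstanceId $MemberAddedIds -After (Get-Date).AddDays(-1) |
#     Select-AdminGroupChange
```

On the constructed sample the Domain Admins and Administrators rows come through and the Sales Staff change is dropped, which is the behaviour the Admin Group Membership view is meant to have. The same list of group names is what you would want to plug into the rule's own filter once the fix ships, so it is worth agreeing on that list with your auditors now.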