Jacques Mostert Solutions Consultant Chisa Technologies Session Code: MGT311.

Presentation transcript:

2 Jacques Mostert Solutions Consultant Chisa Technologies Session Code: MGT311

3 Agenda
  What is compliance?
  Audit Collection Services (ACS)
  Extending the functionality
  Non-Windows security monitoring
  Database model and reports
  ACS and WMI
  Tips and tricks from the field
  Lots of demos!

4 What is compliance?
  "Conforming to a specification or policy, standard or law that has been clearly defined"
  Prove instead of trust
  Government policies (HIPAA, SOX) versus internal policies
  Compliance: centrally collect, monitor, archive and report security events
  Auditing: maintain an audit trail of internal security-related activities
  Scalable and secure: the infrastructure must guarantee the collection and the integrity of huge volumes of security events

5 Infrastructure Optimization: Security Management, Security Auditing, Security Compliance

6 Introducing Audit Collection Services (ACS)
Where ACS sits among the Operations Manager 2007 capabilities:
  Proactive Platform Monitoring: centralized monitoring across Windows, Linux and Unix; configuration change monitoring; monitor and manage Microsoft and third-party virtualization platforms
  Application and Service Level Monitoring: application and service level monitoring; problem resolution knowledge base; track and report service levels; service level dashboards
  Interoperable and Extensible Platform: standards based; open and extensible platform for customized support; interoperability with third-party management systems and help desks
  Centralized Security Auditing (ACS): collection and consolidation of security events; reporting to meet audit requirements; default and custom reporting

7 ACS fundamentals
Key design principles:
  Near real-time export of all security events rather than batch copy
  Immutable collection policy: tamper resilient
  Network friendly, lightweight, compressed event forwarding
  Scalable (collection points and event volume)
  Schematized events for improved analysis and reporting
  Efficient online storage
  High performance, high scalability

8 ACS architecture
Monitored servers and monitored clients (forwarders) -> Audit Collector -> Audit DB -> Data archival
Events still on the monitored machines are subject to tampering; once they reach the collector and the audit database they are under the control of the auditors.

9 ACS Key Components
Forwarder
  Description: a separate service from Operations Manager that listens to the EventLog service and forwards Security events in near real time to a Collector. The local Security log is the forwarder's queue during failover and connectivity outages.
  Security: SLDC compression; 128-bit RC4 encryption; Kerberos if domain-joined, TLS/SSL with certificates otherwise; TCP port 51909 to the Collector; runs as the Network Service account by default.
  Requirements: Windows XP, Windows 2000 SP4, Windows Server 2003, Windows Vista, Windows Server 2008.
Collector
  Description: processes events from forwarders and manages the queue to the Audit Database. The Collector hosts the EventSchema and the filtering controls.
  Security: TLS/SSL between Collector and Audit Database; port 1433 inbound to the Audit Database.
  Requirements: Windows Server 2003 or 2008; Operations Manager 2007.
Audit Database
  Description: the central repository for a single Collector; handles data insertion and partition maintenance. The audit database has a 1:1 ratio with an active Collector.
  Security: SQL Security or Windows Integrated Security; end users require db_datareader rights only.
  Requirements: Windows Server 2003 or 2008; SQL Server 2005/2008 Standard with SP1 (SQL Enterprise with SP2 recommended).
Reporting Server
  Description: can reside locally on the audit database server, but running it on a separate server is recommended for performance. Reports are accessed via Operations Manager Reporting or the SSRS Report Server.
  Requirements: SCOM Reporting; SQL 2005/2008 SSRS.
Supported configurations: http://technet.microsoft.com/en-us/library/bb309428.aspx

10 Secure Communication
All connections are mutually authenticated: Kerberos if the forwarder is domain-joined, TLS/SSL if the forwarder is configured with a certificate.
All data is compressed and encrypted: SLDC compression, 128-bit RC4 encryption.
Forwarder to collector: TCP port 51909 (0xCAC5).
Ensure delivery of all audits; alert on availability and integrity:
  Event 4631 Forwarder Disconnected
  Event 4335 Event Gap Stream Detected
  Event 4336 Forwarder Rejected

11 Security Management
Responding to day-to-day threats
Provided by management packs: monitors, rules, views, notifications
Develop your own management pack elements by identifying key events, or look at third-party solutions
Free management pack for key Windows Server auditing scenarios: STAMP

12 Security Auditing
Reporting on historical facts; forensic analysis
Provided by reports: Microsoft provides reports out of the box; third-party reports are available
Develop your own reports by identifying key events and using Visual Studio
Report models for ACS are available as of R2 (on the CD image)

13 Filtering
Layers, from the policy that generates the events up to what reaches the database: Domain audit policies -> Directory Services and object-specific audit policies (SACLs) -> Noise filter (collector) -> DB
The number 1 factor that influences load is the number of events being collected.
Filtering is a bottom-up approach and must take the audit collection and reporting requirements into consideration.

14 Audit Plan
Developing a comprehensive audit policy is a multi-step process:
  Determine "what" should be audited
  Identify how the information is returned
  Implement the audit policy and SACLs (Windows Server 2003: 9 audit categories; Windows Server 2008: 50+ subcategories)
  Collection, triggers and analysis
Start planning this in advance!
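The "implement audit policy and SACLs" step on a Windows Server 2008 host, as an added example that is not part of the deck: it enables the subcategories a compliance scenario typically needs with auditpol.exe and puts an audit rule (SACL) on a folder so that the File System subcategory actually produces events. The folder path, the chosen subcategories and the use of Everyone as the audited identity are assumptions; run it elevated, because writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example: audit policy (subcategories) plus a folder SACL on Windows 2008+.
# Placeholders: $path and the subcategory list are assumptions for this demo.

# 1. Enable the subcategories the audit plan calls for (success and failure).
$subcategories = @(
    'Logon',                       # 4624/4625 (528/529 on Windows 2003)
    'Logoff',                      # 4634 (538 on Windows 2003)
    'User Account Management',     # account create/delete/password change
    'Security Group Management',   # group membership changes (4728/4732/4756)
    'Audit Policy Change',         # catch somebody switching auditing off
    'File System'                  # object access; only fires where a SACL exists
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Show the resulting policy for review (one line per subcategory).
auditpol.exe /get /category:*

# 3. SACL: audit writes, deletes and permission/ownership changes by anyone on
#    the folder that holds the compliance-relevant data, inherited downwards.
$path      = 'D:\Finance\Ledger'                  # placeholder path
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule      = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)

$acl = Get-Acl -Path $path -Audit        # -Audit is needed to read and later write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify the SACL took effect.
(Get-Acl -Path $path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

On Windows Server 2003 the subcategories do not exist; there the nine categories are set through Group Policy (Audit Policy) and only the SACL part of the script applies.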

15 Noise Filtering
How do I filter out events at the collector? The collector uses a WQL query as a filter to limit the events going into the DB.
Use AdtAdmin.exe, located in the collector's directory: %systemroot%\system32\security\adtserver
The /setquery parameter installs the new filter; matching events are dropped before they are inserted into the ACS database (/getquery shows the filter currently in force). The example keeps everything except events raised by the SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts and the high-volume logoff (538), object operation (566), Kerberos TGT request (672), NTLM credential validation (680) and IKE/IPsec (541-547) events:

```cmd
AdtAdmin /setquery /collector:[Collector Name] /query:"SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser='SYSTEM' OR HeaderUser='LOCAL SERVICE' OR HeaderUser='NETWORK SERVICE') OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680 OR (EventId>=541 AND EventId<=547)))"
```

16 Sizing and Planning
Log and database drives: [average number of disk I/Os per event for the transaction log or the database file] x [events per second for all computers] = required I/Os per second. A spindle delivers roughly [disk RPM] / 60 sec/minute random I/Os per second, so [required I/Os per second] / ([disk RPM] / 60) = [number of required drives], x 2 for RAID 1.
Online storage requirements: ((IncomingEventsSec x 400 bytes x 60 sec x 60 min x 24 hr) / 1073741824) x [RetentionPeriod in days] = total size of the database in GB.
Variable: Value
  Average number of logical disk I/Os per event for the transaction log: 1.384
  Average number of logical disk I/Os per event for the database file: 0.138
  Events per second for all computers: estimated with the script and the "To estimate the number of events per second for all computers" procedure in the Performance and Scalability Guide
  Disk RPM: varies, determined by the disk device
Worked example: at 1,000 events per second on 15,000 RPM disks (250 I/Os per second per spindle), the transaction log needs 1.384 x 1000 / 250 = 5.5, i.e. 6 drives (12 mirrored), the database file 0.138 x 1000 / 250 = 0.55, i.e. 1 drive (2 mirrored), and 1000 x 400 bytes x 86,400 seconds is about 32 GB per day, so 90 days of retention needs roughly 2.9 TB online.

17 ACS and Gateways
Common scenarios for gateways: untrusted forest or domain; secure DMZ; workgroups.
Diagram zones: Corporate Domain (trusted domain), Work Groups, Untrusted Domain, Secure DMZ.
Ports shown: 5723 (agent/gateway to management server), 51909 (forwarder to collector), 1433 (collector to audit database).

18 Deploying Forwarders with PowerShell
Two scripts on the CD; they can be used to enable or disable the ACS forwarder for multiple agents at once.
Example here: http://contoso.se/blog/?p=433

19 ACS Enhancements in R2
  Support for Windows Server 2008 and Windows Server 2008 R2
  New Windows Server 2008 and Windows Server 2008 R2 integrated ACS reports
  Improved report performance
  New multi-staged indexing design that further enhances robustness and performance
  Support for cross platform (announced at MMS 2009)

20 Out-of-the-box ACS functionality

21 Monitor non-Windows Security
One option: a partner solution, the Syslog Gateway
  Runs on any OpsMgr agent that has the ACS forwarder enabled
  Translates non-Windows security events into Windows-formatted security events
  Plugs into the existing ACS environment and event stream
Data flow in the diagram: non-Windows devices -> Syslog Gateway -> ACS (next to the forwarders on the Windows devices) -> offline storage. Data is controlled and trusted once ACS collects it from the gateway.

22 System Center Cross Platform ACS enablement
  Provide Audit Collection Services (ACS) for Unix and Linux systems
  Leverage the OpsMgr 2007 R2 Cross Platform infrastructure to enable Unix/Linux auditing
  Collect and aggregate audit events across enterprise systems for a single view
  Out-of-the-box support for base OS audit events
  Reporting: base OS auditing reports (access violations, account management, administrator activity)
  Provide the infrastructure to enable enterprise auditing (network devices, applications)
Delivery: out of band, dependent on OpsMgr 2007 R2, 2nd half of 2009

23 System Center Cross Platform ACS solution details
Reports:
  Access violations: unsuccessful logon attempts
  Account management: account creation/deletion/password change
  Administrator activity: su, sudo
  Forensic: all events for a computer/event ID
  User logons
Audit event collection:
  Logons, success/failure: ssh, telnet, rsh, tty, ftp
  Privilege use activity: su, sudo
  Account activity: create/delete/password change
Management packs: out-of-the-box MP for each platform; data sources: syslog, su log, audit, etc.
Platforms: Red Hat Enterprise 4, 5; Novell SLES 9, 10; Solaris 9, 10; HP-UX 11iv2, 11iv3; AIX 5.3, 6.1

24 Windows Security events
List of Windows event IDs: http://www.securevantage.com/Products/ACSResourceKit.aspx
Sample event (632, Security Enabled Global Group Member Added):
  Event Source: Security
  Event ID: 632
  User: INOVATIV\garyadams
  Computer: DC01
  Description:
    Member Name: CN=johndoe,CN=Users,DC=INOVATIV,DC=local
    Member ID: INOVATIV\johndoe
    Target Account Name: Domain Admins
    Target Account ID: INOVATIV\Domain Admins
    Caller User Name: garyadams

25 Non-Windows Security events
Security event mapping
Syslog data source:
  Facility = 4
  Severity = 2
  Priority = 34
  PriorityName = security.critical
  TimeStamp = Nov 27 04:49:50
  HostName = 192.168.3.81
  Message = "This is a test..."
Event translation:
  Facility -> Attribute1
  Severity -> lookup table
  Priority -> Attribute2
  PriorityName -> Attribute3
  TimeStamp -> Attribute4
  HostName -> MachineName
  Message -> Attribute5
Resulting Windows event:
  EventID = 3
  Severity = Failure
  MachineName = 192.168.3.81
  Attribute1 = 4
  Attribute2 = 34
  Attribute3 = security.critical
  Attribute4 = Nov 27 04:49:50
  Attribute5 = "This is a test..."
(Syslog Priority = Facility x 8 + Severity: 4 x 8 + 2 = 34.)
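The translation on this slide, written out as an added example (not the gateway product's code): a parser that takes a BSD syslog line, splits the PRI value into facility and severity, and emits the attribute layout the slide shows. The sample line is constructed to reproduce the slide's values. Assumptions: the severity-to-Success/Failure rule (the slide only says "lookup table"), the fixed EventID 3 copied from the slide, and the facility/severity names, with facility 4 labelled "security" and severity 2 "critical" as on the slide.

```powershell
# Added example: syslog PRI decoding and mapping to the ACS attribute layout.
$FacilityNames = @('kernel','user','mail','daemon','security','syslog','lpr','news',
                   'uucp','cron','authpriv','ftp','ntp','audit','alert','clock',
                   'local0','local1','local2','local3','local4','local5','local6','local7')
$SeverityNames = @('emergency','alert','critical','error','warning','notice','info','debug')

function ConvertFrom-SyslogLine {
    param([Parameter(Mandatory = $true)][string]$Line)

    # BSD (RFC 3164) shape: <PRI>MMM dd HH:mm:ss host message
    if ($Line -notmatch '^<(?<pri>\d{1,3})>(?<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?<host>\S+) (?<msg>.*)$') {
        throw "Not a BSD syslog line: $Line"
    }
    $pri = [int]$Matches['pri']
    if ($pri -gt 191) { throw "PRI $pri out of range (facility 0-23, severity 0-7)" }
    $facility = [int][math]::Floor($pri / 8)   # PRI = facility * 8 + severity
    $severity = $pri % 8

    # Severity lookup (assumption, the slide does not show its table):
    # emergency..error (0-3) become Failure, warning..debug (4-7) become Success.
    $sf = if ($severity -le 3) { 'Failure' } else { 'Success' }

    # Attribute positions follow the slide; EventID 3 is the gateway's fixed ID there.
    [pscustomobject]@{
        EventID     = 3
        Severity    = $sf
        MachineName = $Matches['host']
        Attribute1  = $facility
        Attribute2  = $pri
        Attribute3  = '{0}.{1}' -f $FacilityNames[$facility], $SeverityNames[$severity]
        Attribute4  = $Matches['ts']
        Attribute5  = $Matches['msg']
    }
}

# Constructed sample: PRI 34 = facility 4 (security) * 8 + severity 2 (critical),
# which yields exactly the Windows event shown on the slide.
$sample = '<34>Nov 27 04:49:50 192.168.3.81 This is a test...'
ConvertFrom-SyslogLine -Line $sample | Format-List
```

A line that does not match the BSD shape (for example an RFC 5424 message with a version field after the PRI) is rejected rather than mis-mapped, which is the behaviour you want in front of an audit store.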

26 Windows Management Instrumentation
Available on the ACS collector: the AdtsEvent WMI class (root\default namespace) exposes the key attributes of each collected security event: CreationTime, EventID, EventMachine, PrimaryUser, String01-String[..]
Use custom rules/monitors, or PowerShell/VBScript, to query it.

27 Using ACS to alert real-time

28 Sample script using WMI provider

```vbscript
' WMI notification query against the ACS collector: every AdtsEvent instance is
' a security event that just passed through the collector (near real time).
Option Explicit
Dim strCollector, strWQL, dateTime, objWMIProvider, objEvents, auditEvent

strCollector = "."   ' local collector; use a host name to watch a remote one
' 528 = successful logon (Windows 2003 ID). String01 carries the logon type and
' 10 = RemoteInteractive (RDP), which is what the alert text below assumes; the
' same filter is used in the reporting query later in the deck.
strWQL = "SELECT * FROM AdtsEvent WHERE EventId=528 AND String01='10'"

Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
Set objWMIProvider = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strCollector & "\root\default")
Set objEvents = objWMIProvider.ExecNotificationQuery(strWQL)

While True
    Set auditEvent = objEvents.NextEvent()         ' blocks until the next matching event
    dateTime.SetFileTime(auditEvent.CreationTime)  ' CreationTime is a FILETIME
    WScript.Echo "RDP logon to a server!"
    WScript.Echo
    WScript.Echo "Logon Time: " & dateTime.GetVarDate & " (UTC)"
    WScript.Echo "Server: " & auditEvent.String04
    WScript.Echo "User: " & auditEvent.PrimaryDomain & "\" & auditEvent.PrimaryUser
    WScript.Echo "IP Address: " & auditEvent.String02
    WScript.Echo
Wend
```

29 Audit Collection Reporting
Two reporting views: AdtServer.dvAll and AdtServer.dvAll5
Field: Description
  Id: The primary key of the dtEvent table.
  EventId: The event ID number.
  SequenceNo: The event sequence number from the event log.
  S/F: S = Success, F = Failure.
  Category: Category name for the event (Logon/Logoff, Object Access, ...).
  CreationTime: The time the event was generated.
  CollectionTime: The time the event was received by the collector.
  AgentMachine: The computer hosting the forwarder that sent the event.
  EventMachine: The name of the computer in the event header.
  Source: The source and log name for the event.
  PrimaryUser, PrimaryDomain: The primary user and domain for the event.
  PrimaryUserLogonId: The primary user logon ID for the event.
  ClientUser: The client (impersonated) user referred to in the event.
  ClientUserLogonId: The client user logon ID for the event.
  StringId01 - 22: The string in the appropriate position.

30 Authoring a custom ACS report

31 SQL Query Used in Reporting Demo

```sql
-- Pair each RDP logon (528 with logon type 10 in String01) with its logoff (538)
-- through the logon ID the two events share. The LEFT OUTER JOIN keeps logons
-- whose session is still open (LogOffTime comes back NULL).
SELECT 'RDP'               AS LogonType,
       Logon.CreationTime  AS LogOnTime,
       LogOff.CreationTime AS LogOffTime,
       Logon.String04      AS Computer,
       Logon.String02      AS IP,
       Logon.PrimaryDomain AS LogonDomain,
       Logon.PrimaryUser   AS LogonUser
FROM  (SELECT * FROM AdtServer.dvAll WHERE EventId = 528) AS Logon
LEFT OUTER JOIN
      (SELECT * FROM AdtServer.dvAll WHERE EventId = 538) AS LogOff
       ON Logon.PrimaryLogonId = LogOff.ClientLogonId
WHERE Logon.String01 = '10'
ORDER BY LogOnTime;
```

32 Extending the Functionality
Create dashboards using the extensibility of the platform:
  Service Level Dashboard v2
  Savision Live Maps
  OpsMgr solution accelerator for Visio (NEW)
Use the objects delivered by Microsoft management packs or third-party vendors to model your dashboard; this easily provides a "security overview at a glance".

33 Extending the Functionality

35 Creating a security dashboard

36 Providing Access to Auditors
Two parts to it:
  Database: lock down the database with SQL permissions; create an AD global group for the auditors (and the collector account).
  Reports: change the security permissions on the ACS-related folders/reports so that only the AD global group can access them.
A step-by-step guide is available.
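The database part of the two steps above, as an added example that is not the deck's step-by-step guide: it creates the auditors' AD global group and gives that group, and nothing else, a login plus db_datareader in the audit database, which is the minimum the component slide says end users need. The domain CONTOSO, the group name ACS Auditors, the instance ACSSQL01, the auditor account and the database name OperationsManagerAC (the ACS default) are placeholders; the collector's own service account keeps the rights ACS setup granted it and is not touched here.

```powershell
# Added example: AD group plus least-privilege SQL grants for ACS auditors.
# Needs the ActiveDirectory module (RSAT) and sqlcmd.exe; run by someone who
# can create groups in AD and logins on the SQL instance.
Import-Module ActiveDirectory

$domain = 'CONTOSO'              # placeholder
$group  = 'ACS Auditors'         # placeholder
$server = 'ACSSQL01'             # placeholder SQL instance hosting the audit DB
$acsDb  = 'OperationsManagerAC'  # default ACS database name

# Part 1: one AD global group carries the auditors. Access is granted to the
# group, never to individual accounts, so joiners and leavers are a group edit,
# which is itself audited (632/633 on Windows 2003, 4728/4729 on Windows 2008).
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
                -Description 'Read-only access to the ACS audit database and reports'
}
Add-ADGroupMember -Identity $group -Members 'jane.auditor'   # placeholder auditor

# Part 2: a Windows login for the group and db_datareader in the audit database
# only. The final SELECT lists everyone who can read (or write) audit data, so
# the result can be filed as evidence that nobody else has access.
$tsql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$domain\$group')
    CREATE LOGIN [$domain\$group] FROM WINDOWS;
USE [$acsDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$domain\$group')
    CREATE USER [$domain\$group] FOR LOGIN [$domain\$group];
EXEC sp_addrolemember N'db_datareader', N'$domain\$group';
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r  ON r.principal_id  = m.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = m.member_principal_id
WHERE r.name IN ('db_datareader', 'db_datawriter', 'db_owner')
ORDER BY role_name, principal_name;
"@

sqlcmd.exe -S $server -E -Q $tsql
```

The reports part is done in Report Manager on the ACS report folder: remove the inherited role assignments and add the same group with the Browser role, so the folder permissions and the database permissions name one and the same AD group.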

37 Tips and Tricks From the Field
Monitor the integrity of the security system:
  Plan SQL database rights
  Plan the ACS collector service account
  Create custom rules to report on:
    (interactive) logons with the ACS collector service account
    password changes of the ACS collector service account
    AD group membership changes of the Auditors group
    edits to SQL database rights
    disconnected or misconfigured ACS forwarders
Your compliance solution is only as strong as its weakest link.
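A collector-side watcher for the first three custom rules above, as an added example that is not part of the deck: it subscribes to the same AdtsEvent WMI notification channel as the VBScript sample earlier in the session and writes an alert line whenever a logon, password change or group membership event names the collector service account or the auditors group. Assumptions: the collector is the local machine, the service account is svc-acscollector, the group is ACS Auditors, and alerts go to C:\ACS\integrity-alerts.log; the event IDs are the Windows 2003 / Windows 2008 pairs for those scenarios. Because which String slot holds the account or group name differs per event and OS version, the action scans every string property of the event instead of hard-coding a position.

```powershell
# Added example: watch the ACS event stream for changes to the audit system itself.
$collector = '.'                                       # collector host ('.' = local)
$watched   = @('svc-acscollector', 'ACS Auditors')     # placeholders: service account, auditors group

# Windows 2003 / Windows 2008 event ID pairs for the three scenarios:
#   logon with the service account         528 / 4624
#   password change or reset on it         627, 628 / 4723, 4724
#   auditors group membership change       632, 633 / 4728, 4729
$ids = 528, 4624, 627, 628, 4723, 4724, 632, 633, 4728, 4729
$wql = 'SELECT * FROM AdtsEvent WHERE ' + (($ids | ForEach-Object { "EventId=$_" }) -join ' OR ')

Register-WmiEvent -ComputerName $collector -Namespace 'root\default' -Query $wql `
    -SourceIdentifier 'AcsIntegrityWatch' -MessageData $watched -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # PrimaryUser, TargetUser or one of String01..String22 may carry the name,
        # so check every string-typed property of the event against the watch list.
        $hit = $null
        foreach ($p in $e.Properties) {
            if ($p.Value -is [string] -and ($Event.MessageData -contains $p.Value)) {
                $hit = $p.Name
                break
            }
        }
        if ($hit) {
            $stamp = Get-Date -Format 'u'
            $line  = "$stamp EventId=$($e.EventId) machine=$($e.EventMachine) by=$($e.PrimaryDomain)\$($e.PrimaryUser) matched $hit=$($e.$hit)"
            Add-Content -Path 'C:\ACS\integrity-alerts.log' -Value $line
        }
    }

# Keep the session alive; stop with: Unregister-Event -SourceIdentifier AcsIntegrityWatch
while ($true) { Start-Sleep -Seconds 60 }
```

In production the same filter belongs in a management pack rule so the alert shows up in the Operations console, but the WQL and the property scan carry over unchanged; the standalone script is the quick way to confirm the events really arrive at the collector before the rule is authored.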

38 Tips and Tricks From the Field
  Document every aspect of your solution
  Collector load will decrease when using noise filters
  Separate SQL Reporting Services server or not?
  Server configuration: use 64-bit; use dedicated hardware / a dedicated management server; plan your disks for the ACS database; use SQL Enterprise edition (if SQL 2005)
  Use SCOM 2007 R2, or apply hotfixes 949969 and 954329 to SP1

40 More Information and Downloads
Audit Collection Services on TechNet: http://technet.microsoft.com/en-us/library/bb381258(TechNet.10).aspx
OpsMgr 2007 Performance and Scalability Guide: http://download.microsoft.com/download/d/3/6/d3633fa3-ce15-4071-be51-5e036a36f965/OM2007_PerfScal.doc
ACS Master Class Series: http://www.securevantage.com/ACSTraining.aspx
ACS Resource Kit: http://www.securevantage.com/Products/ACSResourceKit.aspx
ACS focused blogs: http://www.techlog.org | http://www.contoso.se | http://blogs.inovativ.nl | http://www.systemcentercentral.com | http://blogs.msdn.com/ericfitz/

41 Track Resources
Key Microsoft sites:
  System Center on Microsoft.com: http://www.microsoft.com/systemcenter
  System Center on TechNet: http://technet.microsoft.com/systemcenter/
  Virtualization on Microsoft.com: http://www.microsoft.com/virtualization
Community resources:
  System Center Team Blog: http://blogs.technet.com/systemcenter
  System Center Central: http://www.systemcentercentral.com
  System Center Community: http://www.myITforum.com
  System Center on TechNet Edge: http://edge.technet.com/systemcenter
  System Center on Twitter: http://twitter.com/system_center
  Virtualization Feed: http://www.virtualizationfeed.com
System Center Influencers Program: content, connections, and resources for influencers in the System Center community. For information, contact scnetsup@microsoft.com

42 Resources
  www.microsoft.com/teched: International Content & Community
  http://microsoft.com/technet: Resources for IT Professionals
  http://microsoft.com/msdn: Resources for Developers
  www.microsoft.com/learning: Microsoft Certification & Training Resources
Tech·Ed Africa 2009 sessions will be made available for download the week after the event from: www.tech-ed.co.za

44 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

