Audit Collection Services

Information related to Audit Collection Services, part of System Center Operations Manager 2007.

Overview


Introducing Audit Collection Services

  • Free add-on component to System Center Operations Manager 2007
  • Not for purchase separately
  • Based on the previous stand-alone solution MACS (private beta)

Overview

  • Solution for regulatory compliance, e.g. Sarbanes-Oxley
  • Internal or external auditing
  • Targeted at medium and large organisations
  • Centrally stores the Windows security event log
  • Consolidation of logs provides a normalised overview
  • Dedicated (secured) database
  • Enables forensic analysis using reports
  • Based on Microsoft SQL Server 2005

Why audit?

The security eventlog is important for many reasons:

  • Changes and privilege use are monitored
  • Security threats can be identified, e.g. hacking and viral activity
  • Misuse of resources can be tracked
  • Auditors and security officers can monitor for misuse for regulatory compliance
  • Administrators can track activity, e.g. account lockouts

There are problems with security logs:

  • Only a certain amount of historical information is kept locally
  • The security event log is only as trustworthy as the administrators
  • Analysis of distributed logs is difficult and time consuming
  • Delegation to auditors or security officers is not possible
  • No centralised “as it happens” live monitoring is possible

Unique administrative accounts

It is pointless to enable auditing if everyone uses the built-in Administrator accounts: it is then impossible to tell which person actually used the account. For this reason it is suggested that you:

  • Do not use local Administrator accounts (disable them or set random passwords)
  • Never use the built-in domain Administrator account (enforce a two-person rule for it)
  • Give IT staff a normal account for general office duties and a separate admin account
  • Delegate administrative privileges

Windows Vista includes User Account Control (UAC), which prompts for consent (administrators) or for administrator credentials (standard users) whenever a user tries to do something their current privileges do not allow, so nobody needs to work as an administrator all day.
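The first recommendation above, rotating the built-in local Administrator account to a password nobody knows and then disabling it, as an added example written for this page (it is not Microsoft's code and not part of ACS). It uses the ADSI WinNT provider so that it also works on the Windows XP and 2003 hosts the forwarder supports. The account name "Administrator" and the 24-byte password length are assumptions; the computer name is taken from the environment.

```powershell
# Added example (not from the page): give the built-in local Administrator
# account a random password that is never recorded, then disable it, so that
# privileged actions in the security log are attributable to named admin accounts.
# Assumptions: the account is still called "Administrator" (change $accountName
# if it was renamed) and 24 random bytes (32 base64 characters) is acceptable.

$accountName = 'Administrator'
$computer    = $env:COMPUTERNAME

# Cryptographically random password; it is used once and never stored anywhere.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$randomPassword = [Convert]::ToBase64String($bytes)

# Bind to the local account through the WinNT provider (no LocalAccounts module needed).
$account = [ADSI]"WinNT://$computer/$accountName,user"
$account.SetPassword($randomPassword)
$account.SetInfo()

# ADS_UF_ACCOUNTDISABLE (0x2): set only that bit and leave the other flags alone.
$ADS_UF_ACCOUNTDISABLE = 0x2
$account.UserFlags = [int]$account.UserFlags.Value -bor $ADS_UF_ACCOUNTDISABLE
$account.SetInfo()

# Verify before trusting the result: re-read the flags from the SAM.
$account.RefreshCache()
if (([int]$account.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) -eq 0) {
    throw "$computer\$accountName is still enabled"
}
"$computer\$accountName: password rotated (not retained) and account disabled."
```

Run it once per host from an account that is itself a named administrator; after this the only way to use the built-in account is a deliberate password reset, which is itself an audited event.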

ACS Forwarder

The agent is currently supported on:

  • Windows XP Professional
  • Windows 2000 Server
  • Windows Server 2003
  • Support will be added for Windows Vista
  • Support will be added for Windows “Longhorn” Server

ACS can be enabled on selected agents as required. The SCOM agent already contains the components needed for ACS; once enabled, it forwards events from the security log shortly after they are written. The ACS component of the agent is referred to as the forwarder.

Microsoft's approach to security auditing is that the local administrator is not trusted; only data that has reached the collector is trusted. The forwarder sends security events to the collector in as close to real time as possible. Auditors can then rely on the collected copy, and the local log, which is under the control of the local administrator (and can be wiped by them), is no longer needed as the record.

Microsoft will remind you that the audited machine is considered untrusted from an auditing point of view. Everything that happens on that machine is under the control of the local administrator, who is in a position to break the forwarder. This is true of any solution that relies on the local machine to audit itself. What the forwarder does is capture the information as quickly as possible so that the collector can archive it securely; the window between an event being written and its arrival at the collector is the only time in which a local administrator can still suppress it.

Network efficiency

  • Not every event is forwarded, to prevent noise
  • “Which events” is stored in the OS schema (updated with service packs and OS releases)
  • Only minimal information is forwarded, e.g. date, time, event ID, unique text, etc.
  • The collector rebuilds the event by combining event ID, unique text and the description template
  • Events are centrally stored in the database in normalised form
  • The average event is 140 bytes (smaller than a “normal” SCOM message)
  • How much traffic is generated depends on machine type, what is audited and activity

Security

  • In-transit protection using encryption
  • However, data is stored in clear text in the database
  • Use database security for protection: grant access only to auditors (!)
  • Mutual authentication between collector and forwarder using Kerberos
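The "grant access only to auditors" point in practice, as an added example written for this page (not Microsoft's or SecureVantage's code): a Windows group of auditors gets read-only access to the AdtServer.dvAll view through a dedicated database role and nothing else, applied through sqlcmd from PowerShell. The server name ACSDB01, the database name OperationsManagerAC and the group name CORP\ACS Auditors are assumptions. This does not change the fact that the rows are stored in clear text, so file-system and backup access to the database files needs the same restriction.

```powershell
# Added example: least-privilege read access for auditors on the ACS database.
# Assumptions: the ACS database is OperationsManagerAC on ACSDB01; auditors are
# the Windows group CORP\ACS Auditors; sqlcmd (SQL Server 2005 client tools) is on PATH.
$sqlServer = 'ACSDB01'
$database  = 'OperationsManagerAC'
$auditors  = 'CORP\ACS Auditors'

$tsql = @"
-- Server-level login for the Windows group
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$auditors')
    CREATE LOGIN [$auditors] FROM WINDOWS;
GO
-- Database user mapped to that login
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$auditors')
    CREATE USER [$auditors] FOR LOGIN [$auditors];
-- A role that can only read the event-log view: no db_datareader, no writes
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'AcsAuditors' AND type = 'R')
    CREATE ROLE AcsAuditors;
GRANT SELECT ON AdtServer.dvAll TO AcsAuditors;
EXEC sp_addrolemember N'AcsAuditors', N'$auditors';
GO
-- Verify: the role must hold exactly one permission, SELECT on the view
SELECT p.permission_name, s.name + '.' + o.name AS securable
FROM   sys.database_permissions p
JOIN   sys.database_principals r ON r.principal_id = p.grantee_principal_id
JOIN   sys.objects  o ON o.object_id = p.major_id
JOIN   sys.schemas  s ON s.schema_id = o.schema_id
WHERE  r.name = N'AcsAuditors';
GO
"@

$scriptFile = Join-Path $env:TEMP 'acs-auditors.sql'
Set-Content -Path $scriptFile -Value $tsql -Encoding ASCII
# -E: integrated authentication; -b: abort the batch and return non-zero on any error
& sqlcmd -E -S $sqlServer -d $database -b -i $scriptFile
if ($LASTEXITCODE -ne 0) {
    throw "sqlcmd failed (exit code $LASTEXITCODE); nothing was granted beyond the point of failure"
}
Remove-Item $scriptFile
```

The final SELECT is the check an auditor of the auditors would want: if it returns more than the one SELECT row, somebody has widened the role.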

ACS Collector

  • Can be installed on any Management Server
  • Requires SQL Server 2005 for the database
  • In this SCOM beta release: one-to-one relationship between collector and database
  • ACS database (transaction) limits depend on environment and hardware
  • Use more than one collector when the limits are exceeded
  • A Management Group supports multiple collectors
  • No aggregation solution for multiple collectors / databases (yet)
  • The collector caches SIDs from events (limiting the impact on Active Directory)
  • An agent can be configured to fall back to an alternate collector

Current collector support limitations:

  • 100 Domain Controllers
  • 1,000 Member Servers
  • 10,000 Workstations

WMI Subscriber

  • There is a built-in WMI subscriber on the collector
  • It can be used to intercept events as they occur
  • Microsoft has no plans to write any security analysis management pack (third parties will)
  • However, you can write your own customised management pack
  • Essentially this makes ACS an IDS for your Windows network
  • However, ACS is primarily an auditing solution

ACS Database

  • Can grow quite big depending on network size and activity
  • Microsoft monitored 5,000 servers & 10,000 workstations: 8 TB of data in 30 days
  • The database is partitioned daily by default (optimising reporting performance)
  • There will be an archival process (not in this beta release yet)
  • Microsoft recommends a separate server and a dedicated database
  • A DB view called “AdtServer.dvAll” provides a simple “event log” view of the records

ACS Reporting

  • A number of reports are available out of the box
  • Set of reports not finalised in this beta release yet
  • At the moment, ACS reporting is separate from MOM reporting
  • Microsoft may attempt to integrate reporting in the final release
  • Based on SQL Server 2005 Reporting Services

Sample reports that have been mentioned for the final release:

  • identifying password change attempts by someone other than the account owner
  • identifying who cleared audit logs
  • identifying who has changed local audit policies

It is also possible to create your own reports, in the same way as custom MOM reports.
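The three sample reports above as custom queries against the AdtServer.dvAll view, run from PowerShell, as an added example written for this page (not Microsoft's report definitions). It assumes the database OperationsManagerAC on server ACSDB01; that dvAll exposes the columns EventId, CreationTime, EventMachine, ClientDomain/ClientUser (the caller) and TargetDomain/TargetUser (the account acted upon), of which only the first five appear on this page; and the pre-Vista event IDs 627 (change password attempt), 517 (audit log cleared, also used in the page's script) and 612 (audit policy change).

```powershell
# Added example: the three sample reports as parameterised T-SQL against the
# AdtServer.dvAll view, run with integrated authentication.
# Assumptions: database OperationsManagerAC on ACSDB01; dvAll columns EventId,
# CreationTime, EventMachine, ClientDomain/ClientUser (caller) and
# TargetDomain/TargetUser (target account); pre-Vista event IDs 627/517/612
# (on Vista forwarders the equivalents are 4723/1102/4719).

$sqlServer = 'ACSDB01'
$database  = 'OperationsManagerAC'
$days      = 7

$reports = @{
  'Password change attempts by someone other than the owner' = @"
SELECT CreationTime, EventMachine,
       ClientDomain + '\' + ClientUser AS Caller,
       TargetDomain + '\' + TargetUser AS Account
FROM   AdtServer.dvAll
WHERE  EventId = 627 AND CreationTime >= @since
  AND  (ClientUser <> TargetUser OR ClientDomain <> TargetDomain)
ORDER  BY CreationTime
"@
  'Security log cleared' = @"
SELECT CreationTime, EventMachine, ClientDomain + '\' + ClientUser AS ClearedBy
FROM   AdtServer.dvAll
WHERE  EventId = 517 AND CreationTime >= @since
ORDER  BY CreationTime
"@
  'Local audit policy changed' = @"
SELECT CreationTime, EventMachine, ClientDomain + '\' + ClientUser AS ChangedBy
FROM   AdtServer.dvAll
WHERE  EventId = 612 AND CreationTime >= @since
ORDER  BY CreationTime
"@
}

function Invoke-AcsReport {
    param([string]$Query, [datetime]$Since)
    $connString = "Server=$sqlServer;Database=$database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    # The time window is bound as a parameter; never splice values into the query text.
    [void]$cmd.Parameters.AddWithValue('@since', $Since)
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try     { $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }
    return ,$table   # the comma keeps the DataTable from being unrolled into rows
}

$since = (Get-Date).AddDays(-$days)
foreach ($title in $reports.Keys) {
    $rows = Invoke-AcsReport -Query $reports[$title] -Since $since
    "== $title (last $days days): $($rows.Rows.Count) row(s) =="
    $rows | Format-Table -AutoSize | Out-String
}
```

Run it as a member of the auditors' group rather than as the collector's service account; the queries only need SELECT on the view. Because dvAll spans the daily partitions, a wide time window can be slow on a large database; narrow $days before widening it.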

Alternate forwarder deployment

  • Deploy the forwarder by installing ADTAGENT_X86.MSI
  • Configure a DNS SRV record called _adtserver on port 51909
  • Point the record at the FQDN of the host with the collector installed on it
  • Use the group policy template Adtagent.adm to manage forwarders
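The first three steps scripted, as an added example written for this page (not Microsoft's deployment script): one function publishes the collector in DNS and is run where DNS is administered, the other installs and verifies the forwarder on each host. It assumes the SRV record is named _adtserver._tcp under the zone (the page gives only _adtserver; the _tcp label is an assumption), that the forwarder service is registered as AdtAgent, and placeholder server, zone and collector names. The Adtagent.adm group policy step is done in the Group Policy editor and is not scripted here.

```powershell
# Added example: alternate forwarder deployment (MSI + DNS SRV record).
# Assumptions: SRV record name _adtserver._tcp.<zone>; forwarder service name
# "AdtAgent"; dc1.corp.example, corp.example and acscollector.corp.example are
# placeholders; collector port 51909 is the one given on the page.

function Publish-AcsCollectorSrv {
    param(
        [string]$DnsServer = 'dc1.corp.example',
        [string]$Zone      = 'corp.example',
        [string]$Collector = 'acscollector.corp.example',   # FQDN of the collector host
        [int]$Port         = 51909
    )
    # Priority 0, weight 0 for a single collector; a fallback collector gets a
    # second record with a higher priority value.
    & dnscmd $DnsServer /RecordAdd $Zone '_adtserver._tcp' SRV 0 0 $Port $Collector
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
}

function Install-AcsForwarder {
    param(
        [string]$MsiPath   = 'C:\Deploy\ADTAGENT_X86.MSI',
        [string]$Zone      = 'corp.example',
        [string]$Collector = 'acscollector.corp.example'
    )
    # Unattended install with a verbose log for troubleshooting.
    $log     = Join-Path $env:TEMP 'adtagent-install.log'
    $msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if (0, 3010 -notcontains $proc.ExitCode) {   # 3010 = success, reboot required
        throw "msiexec returned $($proc.ExitCode); see $log"
    }

    # The forwarder locates its collector through DNS: check the record from this host.
    $lookup = & nslookup -type=SRV "_adtserver._tcp.$Zone" 2>&1
    if (-not ($lookup -match [regex]::Escape($Collector))) {
        throw "SRV record _adtserver._tcp.$Zone does not point at $Collector"
    }

    # Make sure the forwarder service is up; it should then connect to the collector.
    $svc = Get-Service -Name AdtAgent -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Start-Service -InputObject $svc
        $svc.WaitForStatus('Running', '00:00:30')
    }
    "Forwarder on $env:COMPUTERNAME is running; collector advertised as ${Collector}"
}
```

After deployment, confirm the new forwarder appears as an instance under the ACS Collector Client performance counters on the collector; a forwarder that installed but never connected is exactly the gap an untrusted local administrator would leave open.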

Note that ACS is a component of SCOM 2007 and requires a SCOM purchase and licensing. It is not planned to be sold as a separate product.

ACS Administration

  • Administration tool is called ADTADMIN.EXE
  • Can be found on the install media in \ACS
  • Support for i386 and AMD64 platforms

Collector tuning

Four registry entries tune the performance of the ACS collector. They live under HKLM\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters:

  • MaximumQueueLength (maximum number of events queued in memory while waiting on the database)
  • BackOffThreshold (how full, in %, the DB queue may become before new forwarder connections are refused)
  • DisconnectThreshold (how full, in %, the DB queue may become before connected forwarders are disconnected)
  • MaxPurgingQueue (do not purge while the DB queue length is greater than this)

Microsoft has given the following advice:

  • The queue should normally never exceed 80% of MaximumQueueLength
  • When BackOffThreshold is reached, increase I/O capacity or reduce the number of forwarders
  • MaximumQueueLength and MaxPurgingQueue should be managed as one
  • BackOffThreshold and DisconnectThreshold should be managed as one

Performance Monitoring

You can monitor the performance of the collector and its forwarders with Performance Monitor on the collector. There are two sets of counters:

ACS Collector

This set of counters will monitor the collector.

ACS Collector Client

These performance counters monitor the performance of the forwarders. Each forwarder is listed as an instance of each counter. If more than 100 forwarders are connected to this collector, only the highest-valued instances are listed.
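The tuning advice and the performance counters put together, as an added example written for this page (not Microsoft's tooling) that serves both the "Collector tuning" and the "Performance Monitoring" sections: it reads the four registry values, flags settings that contradict the "managed as one" advice, and judges the live database queue against the 80% guidance and the two thresholds. It assumes the values are stored as DWORDs under the Parameters key (an absent value means the collector default applies and is reported as unknown) and that the queue depth is available as the "Database Queue Length" counter of the "ACS Collector" performance object; that counter name is an assumption, so confirm it with Get-Counter -ListSet 'ACS Collector' first.

```powershell
# Added example: collector tuning check.
# Assumptions: registry values are DWORDs under the Parameters key; the queue
# depth counter is '\ACS Collector\Database Queue Length' (name assumed).

$paramsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'
$tuningNames = 'MaximumQueueLength', 'BackOffThreshold', 'DisconnectThreshold', 'MaxPurgingQueue'

function Get-AcsCollectorTuning {
    $p = Get-ItemProperty -Path $paramsKey -ErrorAction Stop
    $t = @{}
    foreach ($name in $tuningNames) {
        # $null = not set explicitly, i.e. the collector's built-in default applies
        $t[$name] = if ($p.$name -ne $null) { [int]$p.$name } else { $null }
    }
    # The two pairs that "should be managed as one": flag contradictory settings.
    $warnings = @()
    if ($t.BackOffThreshold -ne $null -and $t.DisconnectThreshold -ne $null -and $t.BackOffThreshold -ge $t.DisconnectThreshold) {
        $warnings += 'BackOffThreshold is not below DisconnectThreshold: forwarders would be dropped before new ones are refused'
    }
    if ($t.MaximumQueueLength -ne $null -and $t.MaxPurgingQueue -ne $null -and $t.MaxPurgingQueue -ge $t.MaximumQueueLength) {
        $warnings += 'MaxPurgingQueue is not below MaximumQueueLength: purging would never be suspended'
    }
    $t.Warnings = $warnings
    New-Object PSObject -Property $t
}

function Test-AcsQueueHealth {
    param([int]$QueueLength, $Tuning = (Get-AcsCollectorTuning))
    if ($Tuning.MaximumQueueLength -eq $null) { throw 'MaximumQueueLength is not set; cannot compute queue usage' }
    $pctFull = [math]::Round(100 * $QueueLength / $Tuning.MaximumQueueLength, 1)
    $state = 'ok'
    if     ($Tuning.DisconnectThreshold -ne $null -and $pctFull -ge $Tuning.DisconnectThreshold) { $state = 'disconnecting forwarders' }
    elseif ($Tuning.BackOffThreshold    -ne $null -and $pctFull -ge $Tuning.BackOffThreshold)    { $state = 'refusing new forwarders: add I/O capacity or move forwarders to another collector' }
    elseif ($pctFull -ge 80) { $state = 'above the 80% guidance' }
    New-Object PSObject -Property @{
        QueueLength      = $QueueLength
        PercentFull      = $pctFull
        State            = $state
        PurgingSuspended = ($Tuning.MaxPurgingQueue -ne $null -and $QueueLength -gt $Tuning.MaxPurgingQueue)
    }
}

# Live check on the collector.
$tuning = Get-AcsCollectorTuning
$tuning.Warnings | ForEach-Object { Write-Warning $_ }
$sample = Get-Counter -Counter '\ACS Collector\Database Queue Length'
$queue  = [int]$sample.CounterSamples[0].CookedValue
Test-AcsQueueHealth -QueueLength $queue -Tuning $tuning | Format-List
```

A queue that sits above 80% while the collector is otherwise healthy means the database cannot keep up with the forwarders; the advice above is to fix the I/O path or split the forwarders over a second collector, not to raise the thresholds.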

Sample ACS VBscript

Option Explicit
Dim dateTime, objWMIProvider, objEvents, auditEvent, strCollector, strWQL

'Parameters
strCollector = "Computer1"   'host name of the ACS collector
'560 = object access (Windows 2003 and earlier event IDs), 517 = audit log cleared
strWQL = "SELECT * FROM AdtsEvent WHERE EventId=560 OR EventId=517"

'Set up date/time conversion (CreationTime is delivered as a FILETIME)
Set dateTime = CreateObject("WbemScripting.SWbemDateTime")

'Set up the subscription against the collector's built-in WMI subscriber
'(namespace root\default); the account running the script needs remote WMI
'rights on the collector
Set objWMIProvider = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & strCollector & "\root\default")
Set objEvents = objWMIProvider.ExecNotificationQuery(strWQL)

'Polling loop: NextEvent blocks until the next matching event is delivered
While True
  Set auditEvent = objEvents.NextEvent()
  dateTime.SetFileTime auditEvent.CreationTime
  Wscript.Echo "Event ID:    " & auditEvent.EventID
  'GetVarDate returns local time by default; pass False to get UTC
  Wscript.Echo "Local Time:  " & dateTime.GetVarDate
  Wscript.Echo "Computer:    " & auditEvent.EventMachine
  Wscript.Echo "PrimaryUser: " & auditEvent.PrimaryUser
  Wscript.Echo "User:        " & auditEvent.ClientDomain & "\" & _
               auditEvent.ClientUser

  If auditEvent.EventID = 560 Then
    Wscript.Echo "Object Type: " & auditEvent.String02
    Wscript.Echo "Object Name: " & auditEvent.String03
  Else
    Wscript.Echo "WARNING: Security log has been cleared!"
  End If

  Wscript.Echo
Wend

Summary

Many organisations need a solution that intelligently collects security logs for secure, centralised storage and auditing. System Center Operations Manager 2007 provides this in the form of Audit Collection Services.

A dedicated SQL database enables extra security and delegation of auditing to non IT staff. A set of reports will provide basic information and a simple to use database view will enable simple custom querying.

It will be possible to use SCOM 2007 and ACS as an intrusion detection system using ACS fed management packs that will likely be developed by third party vendors. It will be possible for organisations to engineer their own management packs for this purpose.

ACS will be the logical choice for security auditing for any organisation that intends to deploy System Center Operations Manager 2007.

SecureVantage


SecureVantage is working on a reporting solution for ACS. Their solution optimises the entire architecture and introduces audit scenario reports provided by MS Security MVP Randy Franklin Smith, with prescriptive use guidance and regulation mapping (ISO included). They are also building more solutions for ACS, including MPs and a data warehouse.

Their first release will result in the following additional features:

• Improved performance tuning
• Event Load Analysis Reporting
• Report Accountability Tracking
• Regulatory Compliance Mapping (US regulations: COBIT, FISMA, GLBA, etc.)
• Usage guidance
• Collation Support (RC0 only supports US Latin1 Case Insensitive collation).

Please check their website regularly for updates!

page_revision: 7, last_edited: 2 Nov 2007, 07:11 UTC
Unless stated otherwise Content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.