
Blog


    August 31

    Monitoring AD Security with MOM 2005

    Are you in or around Toronto on September 26th? If so, check out the presentation on Monitoring AD Security with MOM 2005 at Microsoft Canada.

     

    If you haven’t already heard, Microsoft is putting on a presentation at Microsoft Canada on September 26th on using MOM 2005 to Monitor AD Security.

     

    This session walks through multiple demonstrations to show how Microsoft Operations Manager (MOM) 2005 can be used to monitor Active Directory security. Learn how to create custom security rules that monitor for changes to the local Administrators group on all monitored servers in your environment, as well as changes in membership to key groups such as Schema Admins, Enterprise Admins and Domain Admins. You'll leave this session with a better understanding of how advanced criteria can be used in your MOM 2005 rules to filter out unwanted information and throttle the information collected by MOM 2005 so that only the most relevant information is collected. This presentation also explores Secure Vantage Technologies Management Packs, demonstrating the rules and reports included that allow you to quickly begin monitoring security within your environment.  

     

    For more information and to register, go to http://www.microsoft.com/canada/events/event_details.aspx?event_id=1032306855

     

    Have fun, learn MOM!!

    NYC MOM Bootcamp

    Last week, we held the 4-day MOM 2005 bootcamp in NYC and it was a huge success!! Thanks to everyone for their participation in the event, it was great to meet you all and we really appreciate your feedback on the event. Thanks to Gordon McKenna for flying in from the UK with his personal items in a clear zip lock bag :) and doing a great job co-delivering the bootcamp. It was a lot of fun and both Gordon and I were really pleased that we could share our knowledge of MOM 2005 with everyone.
     
    If you missed NYC but are interested in attending another bootcamp, we have a few more planned for the remainder of the year. Check out the schedule at www.infrontconsulting.com/events.htm. The session for Atlanta is sold out and Denver is filling up quickly so send an email to info@infrontconsulting.com to inquire about registering.
     
    See you at a MOM Bootcamp!!

    Availability of the Availability MP

    It's kind of ironic really that the Availability MP has had such sporadic availability but it's now been officially re-released!! Make sure you grab it while it's still available!! :) Sorry, I couldn't help myself!
     
     
    Check it out, there is a MP config guide and release notes. Please read them!!
     
    Have fun and learn MOM!!
    August 28

    Monitoring Files with MOM 2005

    To monitor changes to files within a specific directory, enable Auditing of Object Access via group policy and enable auditing on the folder or file you wish to monitor.

     

    Confirm that the audit events are being written to the Security Event log.

     

    Create a rule within MOM. Normally, I would create a new Rule group and possibly a new child rule group to logically organize my rules. For example, if I wanted to monitor the files in the directory C:\DTS_out and this directory existed on all SQL servers, I would create a parent rule group called Security and not bind any Computer groups to this rule group. I would then create a child rule group named File Auditing and then another child rule group named SQL Server Security so that my rule group hierarchy looked like this:

    Security (PRG)

                File Auditing (PRG)

                            SQL Server Security (PRG)

     

    I would then bind the SQL Server Computer group to the SQL Server Security processing rule group so that all SQL Servers that are a member of the SQL Server computer group receive the rules.

     

    Now I would create a new Event Rule with the following properties to monitor for file deletions:

    -         Alert on or respond to Event

    -         Data Provider: Security

    -         Criteria:

    o       Event ID = 560

    o       Source = Security

    o       Description contains substring DELETE

    o       Parameter 2 = File

    o       Parameter 3 matches regular expression C:.DTS_out.

    Note: The ‘.’ after the ‘:’ in the above regular expression represents ‘any character’ and must be used instead of \, as the backslash will not be recognized.

     

    To monitor for file creation, create a new Event rule with the following properties:

    -         Alert on or respond to Event

    -         Data Provider: Security

    -         Criteria:

    o       Event ID = 560

    o       Source = Security

    o       Description contains substring WriteData

    o       Parameter 2 = File

    o       Parameter 3 matches regular expression C:.DTS_out.

     

    To monitor for file changes to existing files, create a new Event rule with the following properties:

    -         Alert on or respond to Event

    -         Data Provider: Security

    -         Criteria:

    o       Event ID = 560

    o       Source = Security

    o       Description matches regular expression (AppendData|WriteAttributes|WriteEA)

    o       Parameter 2 = File

    o       Parameter 3 matches regular expression C:.DTS_out.

     

    The most difficult part of monitoring files with MOM is making sure that you filter out all of the events that you don’t want to receive. Doing this properly involves knowing what information you are looking for and then testing it for all of the scenarios that you are trying to monitor. Testing is critical, as one rule with alert suppression enabled could have a very large repeat count in the Alert properties if not configured properly.
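One way to test the three rule criteria above against the scenarios you care about before enabling alerts. This is an added example, not part of the original post and not MOM code: the event record layout, the function names and the sample events are constructed, and Python's unanchored regex search stands in for MOM's "matches regular expression" as an assumption.

```python
import re

# The three rule criteria from the post. "contains substring" is expressed
# as an escaped regex so all three rules share one evaluator.
PATH_RE = re.compile(r"C:.DTS_out.")   # Parameter 3 pattern, as given in the post
RULES = {
    "file deleted": re.compile(re.escape("DELETE")),
    "file created": re.compile(re.escape("WriteData")),
    "file changed": re.compile(r"(AppendData|WriteAttributes|WriteEA)"),
}


def matching_rules(event):
    """Return the names of the rules whose criteria this event satisfies."""
    if event["event_id"] != 560 or event["source"] != "Security":
        return []
    params = event["params"]           # params[0] is Parameter 1
    if len(params) < 3 or params[1] != "File":
        return []
    # Assumption: unanchored search, which the post's pattern implies
    # (it has no wildcard for the file name that follows the directory).
    if not PATH_RE.search(params[2]):
        return []
    return [name for name, rx in RULES.items() if rx.search(event["description"])]


def make_event(obj_type, obj_name, accesses, event_id=560):
    """Build a constructed event 560 record (not captured from a real log)."""
    desc = ("Object Open: Object Server: Security Object Type: %s "
            "Object Name: %s Accesses: %s" % (obj_type, obj_name, accesses))
    return {"event_id": event_id, "source": "Security",
            "params": ["Security", obj_type, obj_name], "description": desc}


# Constructed test scenarios, one per case worth checking before enabling alerts.
SAMPLES = {
    "delete": make_event("File", r"C:\DTS_out\jan.csv", "DELETE ReadAttributes"),
    "create": make_event("File", r"C:\DTS_out\feb.csv", "WriteData (or AddFile)"),
    "change": make_event("File", r"C:\DTS_out\jan.csv", "AppendData WriteEA"),
    "read_only": make_event("File", r"C:\DTS_out\jan.csv", "ReadData (or ListDirectory)"),
    "other_dir": make_event("File", r"C:\Temp\jan.csv", "DELETE"),
    "registry": make_event("Key", r"\REGISTRY\MACHINE\SOFTWARE\X", "DELETE"),
    "sibling_dir": make_event("File", r"C:\DTS_out2\jan.csv", "DELETE"),
    "folder_itself": make_event("File", r"C:\DTS_out", "DELETE"),
}

if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print("%-14s -> %s" % (label, matching_rules(ev) or "no alert"))
```

Under these assumptions the `sibling_dir` sample raises the deletion alert because the trailing `.` accepts any character after `DTS_out`, while an event naming the folder itself does not match. An event whose access list names several operations satisfies more than one rule.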

    August 24

    Reporting differences in the latest release of the DHCP MP

    Have you noticed the reporting differences in the latest release of the DHCP MP? The previous release was 05.0.3000 and the latest is 05.0.3001. The only file that's changed is the reporting XML. 

    This minor update was a direct result of 919598 and impacts other MP reports as well, specifically:

    Microsoft Application Center Management Pack for Microsoft Operations Manager 2005

    Print Service Management Pack for Microsoft Operations Manager 2005

    Microsoft Web Sites and Services Management Pack for Microsoft Operations Manager 2005

    Microsoft Windows Distributed File System Service Management Pack for Microsoft Operations Manager 2005

    Microsoft Windows DHCP Service Management Pack Management Pack

    Microsoft Windows File Replication Service Management Pack for MOM 2005

    Microsoft Windows Terminal Server Management Pack for Microsoft Operations Manager 2005

    Microsoft Exchange Server 2003 Management Pack for Microsoft Operations Manager 2000 SP1

    Microsoft Virtual Server 2005 R2 Management Pack

     This change is a minor one from a code perspective.

    August 23

    IBM MP - Where to find it

    Well, it's by no means the greatest management pack on earth but people who run IBM hardware (poor folks) do often ask where they can find it and after searching high and low today, voila! You can find it here... http://www-1.ibm.com/support/docview.wss?uid=psg1MIGR-61783
     
    Have fun!!
    August 18

    MOM 2005 Agents not appearing in Ops Console?

    Boy, my apologies. I just realized that it's been a whole month since I have posted to this blog. On the flip side, my family is starting to recognize me again and it's been a great summer!! I hope the same is true for you!! Anyway, on to all things MOM related...

     

    Microsoft Operations Manager 2005 Service Pack 1 agents do not appear in the MOM Operator console and cannot communicate with the MOM Management Server

     

    Computers that have the Microsoft Operations Manager (MOM) 2005 Service Pack 1 (SP1) agent installed do not appear in the MOM Operator console. However, the computers do appear in the MOM Administrator console. Additionally, the computers do not send alert or event information to the MOM Management Server.

     

    If you are experiencing this issue, check out KB 921288.