System Center Ops Mgr Access

  • Question

  • Hi 

    I am investigating a System Center Ops Mgr deployment and its access within an AD environment.
    We are considering outsourcing the service, but I am concerned about the level of access that will be given to the 3rd party that will manage this. 

    Is this a valid concern? We are trying to avoid domain admin access and will possibly have to look at local admin on the specific servers that will be monitored. Is this viable? What is the best way to approach this?

    Regards,


    VeeCT

    Wednesday, August 6, 2014 9:19 PM

All replies

  • You don't need to give anyone domain admin rights to access or manage OpsMgr. In fact, the service accounts don't even require that level of permissions. If the users already have access into your environment, you can simply grant their user accounts rights into OpsMgr, either as an Operator, Read-only, or whatever. You can even create custom views and dashboards so that said users can only see the items you want them to see. Check this link out:

    http://technet.microsoft.com/en-us/library/hh230728.aspx

    If you want to give them rights to manage the environment, you will need Run As accounts configured with specific permissions so they can access the monitored servers. But their accounts in no way, shape or form require that level of permissions.


    Wednesday, August 6, 2014 11:41 PM
  • SCOM uses role-based security to assign user rights for accessing monitored groups, tasks, views and administrative functions. You can delegate a user account with low domain privilege to access SCOM.
    Besides, several service accounts are required for SCOM monitoring, and they use a low-privilege domain account or the Local System account.

    Account name: Management server Action Account
      Requested when: management server setup
      Used for: collecting data from providers, running responses
      Low maintenance: Local System
      High security: low-privilege domain account

    Account name: Data Access Service and Configuration Service Account
      Requested when: management server setup
      Used for: writing to the operational database, running services
      Low maintenance: Local System
      High security: low-privilege domain account

    Account name: Local Administrator Account for target devices
      Requested when: discovery and push agent install
      Used for: installing agents
      Low maintenance: domain or local administrator account
      High security: domain or local administrator account

    Account name: Agent Action Account
      Requested when: discovery and push agent install
      Used for: gathering information and running responses on managed computers
      Low maintenance: Local System
      High security: low-privilege domain account

    Account name: Data Warehouse Write Action Account
      Requested when: Reporting Server setup
      Used for: writing to the Reporting Data Warehouse database
      Low maintenance: low-privilege domain account
      High security: low-privilege domain account

    Account name: Data Reader Account
      Requested when: Reporting Server setup
      Used for: querying the SQL Reporting Services database
      Low maintenance: low-privilege domain account
      High security: low-privilege domain account

    For details, please refer to
    http://technet.microsoft.com/en-us/library/hh487288.aspx

    Roger

    Thursday, August 7, 2014 2:33 AM
  • There are a couple of security items to keep in mind; they may or may not impact your deployment.

    If the agent runs as Local System on critical boxes, including the domain controllers, it could grant them near UNLIMITED access to the domain.

    Check out this link:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/652e82f1-fdb6-46b7-b90e-c62fb37d583a/system-account-in-domain-controller?forum=winserverDS

    Thursday, August 7, 2014 3:22 AM
  • There are a couple of security items to keep in mind; they may or may not impact your deployment.

    If the agent runs as Local System on critical boxes, including the domain controllers, it could grant them near UNLIMITED access to the domain.

    Check out this link:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/652e82f1-fdb6-46b7-b90e-c62fb37d583a/system-account-in-domain-controller?forum=winserverDS


    I ran a quick post on my blog for this too; hopefully it helps someone down the road.  http://practice2perfect.com/2014/08/a-security-warning-on-domain-controllers/
    • Marked as answer by Yan Li_ Friday, September 5, 2014 8:03 AM
    Thursday, August 7, 2014 3:34 AM
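As an added example that is not part of the thread or of Microsoft's documentation: a PowerShell audit, run from a management server, covering the two things Roger's account table and Nathan's warning are about. It reports which account the agent's HealthService runs under on each domain controller (Local System is the case Nathan flags), and how each Run As account is distributed to agents. It assumes the OperationsManager and ActiveDirectory modules are available, that the caller can query CIM on the domain controllers, and that Get-SCOMRunAsAccount, Get-SCOMRunAsDistribution and the Security/SecureDistribution properties behave as in the SCOM 2012 module; none of those names come from the thread.

```powershell
# Added example, not from the thread. Assumed: OperationsManager and ActiveDirectory modules
# are present, and this runs on a management server with rights to query CIM on the DCs.
Import-Module OperationsManager
Import-Module ActiveDirectory

# 1. Agent identity on each domain controller.
#    Local System on a DC is the case Nathan raises: whatever the agent executes there
#    (MP scripts, tasks started by an operator) runs in that context.
$dcs = (Get-ADDomainController -Filter *).HostName
$agentIdentity = foreach ($dc in $dcs) {
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc -Filter "Name='HealthService'"
    [pscustomobject]@{
        Computer      = $dc
        AgentLogon    = $svc.StartName                 # 'LocalSystem' is the value to flag
        IsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
}
$agentIdentity | Format-Table -AutoSize

# 2. Run As accounts and their distribution. 'LessSecure' means the credential is handed
#    to every agent that requests it; 'MoreSecure' means only to the listed health services.
#    A credential meant for DCs should never be distributed to provider-managed boxes.
$runAsReport = foreach ($acct in Get-SCOMRunAsAccount) {
    $dist = Get-SCOMRunAsDistribution -RunAsAccount $acct
    [pscustomobject]@{
        RunAsAccount = $acct.Name
        Type         = $acct.GetType().Name          # e.g. WindowsCredentialSecureData, ActionAccountSecureData
        Security     = $dist.Security                # 'MoreSecure' or 'LessSecure' (assumed property values)
        Targets      = @($dist.SecureDistribution).Count
    }
}
$runAsReport | Sort-Object Security, RunAsAccount | Format-Table -AutoSize

# 3. Flag anything that is either distributed everywhere or targeted at a DC.
#    Assumption: SecureDistribution entries are HealthService objects whose DisplayName is the host FQDN.
foreach ($acct in Get-SCOMRunAsAccount) {
    $dist = Get-SCOMRunAsDistribution -RunAsAccount $acct
    $onDc = @($dist.SecureDistribution | Where-Object { $_.DisplayName -in $dcs })
    if ($dist.Security -eq 'LessSecure' -or $onDc.Count -gt 0) {
        Write-Output ("Review: '{0}' is {1}; DC targets: {2}" -f $acct.Name, $dist.Security, ($onDc.DisplayName -join ', '))
    }
}
```

Run it before handing the environment over and again after the provider has been working for a while; a Run As account that has drifted from MoreSecure to LessSecure, or an agent on a DC that has been switched back to Local System, is the change you want to catch.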
  • To add to what Chris Jones said, you can control the level of access by implementing user roles. I would not recommend giving the outsourced service provider the Operations Manager Administrator role, because then they have the ability to install management packs that could include nefarious code. As long as you control the packs that are implemented, and lock down the user role scoping for the service provider, there really isn't much to be concerned about.

    The articles Nathan referenced are valid, but they don't really apply to SCOM if you are controlling the environment via user role scoping.


    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)


    Saturday, August 9, 2014 2:41 AM
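To make the role-scoping advice in Chris Jones's and Jonathan's replies concrete, an added example that is not from the thread: a PowerShell script that creates a scoped Operator role for the provider, checks that the provider's principal has not turned up in any other role (the built-in Administrator role in particular), and lists unsealed management packs so an unexpected import or edit is visible. It assumes the SCOM 2012 OperationsManager module with Add-SCOMUserRole and Get-SCOMUserRole taking the parameter names shown; the SCOM group, the AD security group, the task names and the role name are placeholders.

```powershell
# Added example, not from the thread. Assumed: OperationsManager module on a management
# server; 'MSP Managed Servers' is an existing SCOM group containing only the provider's
# servers; 'CONTOSO\MSP-SCOM-Operators' is the provider's AD security group. All placeholders.
Import-Module OperationsManager

$providerPrincipal = 'CONTOSO\MSP-SCOM-Operators'
$scopeGroup        = Get-SCOMGroup -DisplayName 'MSP Managed Servers'
if (-not $scopeGroup) { throw "Scope group not found; create it first so the role is never created unscoped." }

# Tasks outside the role's TaskScope cannot be run by its members; start with the few they need.
$allowedTasks = Get-SCOMTask | Where-Object { $_.DisplayName -in @('Ping Computer', 'Display Network Shares') }

# Operator: view, acknowledge and close alerts, run scoped tasks. Not Author (no MP authoring)
# and not Administrator (no MP import, no Run As changes), which is the line Jonathan draws.
if (-not (Get-SCOMUserRole | Where-Object { $_.Name -eq 'MSP Operators' })) {
    Add-SCOMUserRole -Name 'MSP Operators' `
                     -DisplayName 'MSP Operators (scoped)' `
                     -Description 'Outsourced provider: operator rights on MSP-managed servers only' `
                     -Operator `
                     -GroupScope $scopeGroup `
                     -TaskScope  $allowedTasks `
                     -Users      $providerPrincipal
}

# Check 1: the provider principal is in no role other than the scoped one.
$leaks = Get-SCOMUserRole |
    Where-Object { $_.Name -ne 'MSP Operators' -and ($_.Users -contains $providerPrincipal) }
if ($leaks) { Write-Warning ("Provider is also a member of: " + ($leaks.DisplayName -join ', ')) }

# Check 2: who holds the built-in Administrator role at all. Review this list on a schedule;
# the display name is the built-in role's default and is assumed here.
Get-SCOMUserRole |
    Where-Object { $_.DisplayName -eq 'Operations Manager Administrators' } |
    Select-Object DisplayName, @{ n = 'Members'; e = { $_.Users -join '; ' } }

# Check 3: unsealed management packs are the ones that can be edited in place and are where
# overrides land; listing them by last modification surfaces an import or change you did not make.
Get-SCOMManagementPack |
    Where-Object { -not $_.Sealed } |
    Sort-Object LastModified -Descending |
    Select-Object Name, Version, LastModified
```

The role creation is guarded so the script can be re-run as a check without creating duplicates; the three checks at the end are the part worth scheduling, since a scoped role only keeps the provider out of the Administrator role for as long as nobody adds them to it.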