Wednesday, January 19, 2005

MOM 2005 Security Without Active Directory

You Can Use MOM 2005 Without Active Directory
    The MOM 2005 documentation does not make this clear, but you can deploy and successfully use MOM 2005 without Active Directory. MOM 2005 installs and, for the most part, functions without AD, but a few features are not available. I will concentrate on the security features here; other features, such as Discovery, are also either unavailable or affected in some way without AD.

The Security Features Not Available without AD:

  • Mutual authentication - Without AD, agents and Management Servers cannot positively authenticate each other (MOM 2005 mutual authentication relies on Kerberos, which is why a domain is required). This feature was offered to help mitigate man-in-the-middle and spoofing attacks.
  • Reject manually installed agents - Even when this option is selected, manually installed agents are not rejected; they all appear in the Pending Actions folder instead. This feature was offered to help mitigate rogue administrators installing agents without, or even against, IT policy.
  • Prevent agent proxying - Agents will not be blocked from sending data on behalf of other computers or network devices. This feature was offered to help mitigate spoofing attacks and certain DoS attacks.

The Security Features Still Available without AD:

  • Block Legacy Agents - You can still block pre-MOM 2005 agents from communicating with the Management Server.
  • Secure Communications Channel - The encrypted channel between the agents and the Management Server does not require AD.

What does this mean? Basically, MOM 2005 will be less secure in these respects, and I know of no way to substitute other means for these intended mitigations. In today's security-conscious world, I thought all should be aware of this.

Note - The MOM Management Server does not have to be a member of a domain. For more information, see the MOM 2005 Supported Configurations document, either on the product CD (root/RelDocs/SuppConfg.htm) or online.

Note about the above note - OK, to be precise, none of the MOM servers (Management Server, Database Server, and Reporting Server) have to be in an AD domain.

For more information about these features and MOM security in general, see the MOM 2005 Security Guide (available for download or on TechNet).

Moral of the story - Use Active Directory

Via James Morey
