Tag Archives: OMS

Active Directory Health Monitoring with OMS (Operations Management Suite)

System Center Operations Manager (SCOM) is Microsoft's solution for monitoring application and system health in detail, and that includes Active Directory. Using the relevant management packs, it can monitor the health of Active Directory services and their activity. Microsoft introduced Operations Management Suite (OMS) to take monitoring to the next level with advanced analytics. SCOM focused on monitoring applications, services and devices running on-premises, whereas OMS works with on-premises, cloud-only or hybrid environments.

OMS Benefits 

Minimal Configuration and Maintenance – If you have worked with SCOM before, you know how many components need to be configured: management servers, SQL servers, gateway servers, a certificate authority and so on. With OMS all we need is a subscription and the initial configuration of the monitoring agents or a gateway. There are no complex maintenance routines either.

Scalable – The latest figures from Microsoft show OMS is already used by more than 50,000 customers, with more than 20 PB of data collected and more than 188 million queries run in a single week. With a cloud-based solution we no longer need to worry about resources when we expand. The subscription is priced on the features used and the amount of data uploaded; you do not pay for the compute power. I am sure Microsoft is nowhere near running out of resources!

Integration with SCOM – OMS is fully supported for integration with SCOM. It allows engineers to specify which systems and data should be analyzed by OMS, and it makes a staged migration from SCOM to OMS possible. In an integrated environment SCOM acts like a gateway and OMS runs its queries through SCOM. OMS and SCOM both use the same monitoring agent (Microsoft Monitoring Agent), so client-side configuration is minimal.

Note – Some OMS solutions, such as Network Performance Monitor, Wire Data 2.0 and Service Map, require additional agent files, system changes and a direct connection to OMS.

Frequent Feature Updates – Microsoft releases a new System Center version roughly every four years, but OMS updates and new services arrive far more often, which lets Microsoft address industry requirements quickly.

OMS in Hybrid Environment 

In a hybrid environment, we can integrate on-premises systems with OMS using three methods.

Microsoft Monitoring Agent – The agent is installed on each system and connects directly to OMS to upload data and run queries. Every system needs an outbound connection to OMS over TCP port 443.

SCOM – If you already have SCOM installed and configured in your infrastructure, OMS can integrate with it. Data is uploaded to OMS from the SCOM management servers, and OMS runs its queries against the systems via SCOM. However, some OMS features still need a direct connection to the system to collect specific data.

OMS Gateway – OMS now supports collecting data and running queries via its own gateway, which works similarly to a SCOM gateway. The monitored systems do not need a direct connection to OMS: their agents send data to the OMS gateway, and only the gateway needs the outbound connection to upload it.

What is in there for AD Monitoring? 

In a SCOM environment we can monitor Active Directory components and services using the relevant management packs, and it collects a great amount of insight. However, to identify potential issues, engineers still need to analyze the collected data themselves. OMS provides two solutions which collect data from the Active Directory environment and analyze it for you, then visualize the results in a user-friendly way. They also provide guidance on how to fix the detected problems, along with recommendations to improve the environment's performance, security and high availability.

AD Assessment – This solution analyzes the risk and health of your AD environment at a regular interval and provides a list of recommendations to improve your existing AD infrastructure.

AD Replication Status – This solution analyzes the replication status of your Active Directory environment.

In this section I am going to demonstrate how we can monitor an AD environment using OMS. Before we start we need:

1) A valid OMS subscription – OMS has different subscription levels, depending on the OMS services you use and the amount of data uploaded daily. There is a free tier which provides 500 MB of daily upload and 7-day data retention.

2) A direct connection to OMS – In this demo I am going to use direct OMS integration via the Microsoft Monitoring Agent.

3) A Domain Administrator account – in order to install the agent on the domain controllers we need Domain Administrator privileges.

Enable OMS AD Solutions 

1) Log in to OMS (https://login.mms.microsoft.com/signin.aspx?ref=ms_mms) as an OMS administrator.

2) Click on Solution Gallery.

oms1

3) By default, the AD Assessment solution is enabled. To enable the AD Replication Status solution, click on its tile in the solution list and then click Add.

oms2

Install OMS Agents 
 
The next step is to install the monitoring agent on the domain controllers and connect them to OMS.
 
1) Log in to the domain controller as a domain administrator.
2) Log in to the OMS portal.
3) Go to Settings > Connected Sources > Windows Servers and click Download Windows Agent (64bit). This downloads the monitoring agent to the system.
 
oms3
 
4) Once it is downloaded, double-click the setup file to start the installation.
5) On the first page of the wizard, click Next to begin the installation.
6) On the next page, read and accept the license terms.
7) On the next page, we can select where the agent should be installed. If there are no changes, click Next to continue.
8) The next page asks where the agent will connect to. In our scenario, it will connect to OMS directly.
 
oms4
 
9) The next page asks for the OMS Workspace ID and Key, which can be found in the OMS portal under Settings > Connected Sources > Windows Servers. The workspace key authorizes any host that holds it to send data into your workspace, so treat it like a password and do not leave it in scripts or shared documents. If this server is behind a proxy server, we can also specify the proxy settings on this page. Once the relevant information is provided, click Next to continue.
 
oms5
 
10) The next page asks how the agent should check for updates. It is recommended to use the Windows Update option. Once the selection is made, click Next.
11) On the confirmation page, click Install to begin the installation.
12) Follow the same steps on the other domain controllers.
13) After a few minutes, we can see the newly added servers connected as data sources under Settings > Connected Sources > Windows Servers.
 
oms6
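The wizard above has to be repeated on every domain controller. Below is an added PowerShell example, not code from the original post, that performs the same install unattended on one domain controller and also runs the outbound TCP/443 check that the direct-connection method described earlier depends on. It assumes the installer downloaded in step 3 sits at C:\Temp\MMASetup-AMD64.exe (a placeholder path), uses the silent-install properties from Microsoft's documented command line for the agent, and expects you to replace the placeholder Workspace ID with the one from Settings > Connected Sources > Windows Servers. The endpoint host names are the workspace-specific ones Microsoft documents for the agent.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the domain controller after downloading the agent (step 3).
# Assumptions: installer path below, Workspace ID/key copied from the OMS portal.

$WorkspaceId = '00000000-0000-0000-0000-000000000000'     # placeholder, replace
$Installer   = 'C:\Temp\MMASetup-AMD64.exe'               # placeholder path
$ExtractDir  = 'C:\Temp\MMA'

# The workspace key authorizes data ingestion into your workspace: treat it like a
# password. Prompt for it rather than storing it in the script.
$secureKey = Read-Host -Prompt 'OMS workspace primary key' -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
$plainKey  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1) Direct connection: the agent needs outbound TCP/443 to the workspace-specific
#    endpoints documented for the agent. Fail early if a firewall or proxy blocks them.
$endpoints = @("$WorkspaceId.ods.opinsights.azure.com", "$WorkspaceId.oms.opinsights.azure.com")
foreach ($ep in $endpoints) {
    $test = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    if (-not $test.TcpTestSucceeded) { throw "No outbound TCP/443 path to $ep; fix firewall/proxy first." }
}

# 2) Extract the self-extracting package, then run the MSI wrapper silently with the
#    documented workspace properties (equivalent to steps 4-11 in the wizard).
Start-Process -FilePath $Installer -ArgumentList "/c /t:$ExtractDir" -Wait
$setupArgs = '/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 ' +
             "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$plainKey " +
             'AcceptEndUserLicenseAgreement=1'
$proc = Start-Process -FilePath (Join-Path $ExtractDir 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Agent setup failed with exit code $($proc.ExitCode)" }
$plainKey = $null

# 3) Verify (step 13 equivalent) through the agent's COM configuration object and
#    the HealthService state instead of waiting for the portal to refresh.
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = $cfg.GetCloudWorkspace($WorkspaceId)
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    WorkspaceId   = $ws.workspaceId
    Connection    = $ws.ConnectionStatusText
    HealthService = (Get-Service HealthService).Status
}
```

One trade-off to be aware of: while setup.exe runs, the workspace key is visible on its command line to anyone who can list processes on the domain controller, which is why the script only holds the key for the duration of the install and clears the variable afterwards. If the 443 check fails, the OMS Gateway or SCOM integration methods described earlier are the alternatives to opening the firewall for every domain controller.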

View Analyzed Data
 
1) After a few minutes, OMS will start to collect data and visualize its findings.
2) To view the data, log in to the OMS portal and click the relevant solution tile on the home page.
 
oms7
 
3) Clicking the tile brings you to a page with more details about the findings.
 
oms8
 
4) As I explained before, it does not only display errors. It also gives recommendations on how to fix the existing issues.
 
oms9
 
Collect Windows Logs for Analysis
 
Using OMS, we can also collect Windows event logs and use the OMS analysis capabilities on them. When this is enabled, OMS storage usage and bandwidth usage on the organization's end will be higher. To collect logs:
 
1) Log in to the OMS portal.
2) Go to Settings > Data > Windows Event Log.
3) In the box, search for the relevant log name and add it to the list. We can also select which event types (Error, Warning, Information) to collect. Once the selection is made, click Save.
 
oms10
 
4) After a few minutes, you can start to see the events under the Log Search option. There we can filter the data using queries, and we can also set up email alerts based on the events.
 
oms11
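Before enabling a log, a practitioner usually wants a number for the extra volume, especially against the 500 MB per day free-tier limit mentioned earlier. The following added PowerShell example (not from the original post) estimates each log's daily size on the local domain controller from the log file's current size and the time span its records cover. Assumptions: the log names are the defaults present on a domain controller, and the figure is a rough proxy because OMS stores events as structured records rather than raw .evtx bytes.

```powershell
# Added example, not code from the original post. Run as administrator on the DC.
# Estimates the per-day volume of each event log as (file size / days of records),
# which approximates what enabling that log under Settings > Data > Windows Event
# Log would upload. Assumption: real ingested size differs, treat as an estimate.

function Get-EventLogDailyVolume {
    param(
        # Default set covers the logs most relevant to a domain controller.
        [string[]]$LogName = @('Security', 'System', 'Application', 'Directory Service', 'DNS Server')
    )

    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log -or $log.RecordCount -eq 0) { continue }

        # Oldest and newest records bound the time span the current file covers.
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1
        $newest = Get-WinEvent -LogName $name -MaxEvents 1
        $days   = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
        if ($days -lt 0.01) { $days = 0.01 }   # freshly cleared log: avoid dividing by ~0

        [pscustomobject]@{
            Log          = $name
            Records      = $log.RecordCount
            SpanDays     = [math]::Round($days, 2)
            EventsPerDay = [math]::Round($log.RecordCount / $days)
            EstMBPerDay  = [math]::Round(($log.FileSize / $days) / 1MB, 1)
        }
    }
}

$report  = Get-EventLogDailyVolume
$report | Format-Table -AutoSize
$totalMB = ($report | Measure-Object -Property EstMBPerDay -Sum).Sum
"Estimated total for $env:COMPUTERNAME : $totalMB MB/day (free tier allows 500 MB/day across all hosts)"
```

On a domain controller the Security log normally dominates; multiply the per-host total by the number of domain controllers you are onboarding to see whether collection fits the tier you are on, and consider restricting the event types in step 3 to Error and Warning for the noisier logs.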
 
I believe you now have a basic understanding of how to use OMS to monitor an AD environment. There is a lot more we can do with OMS, and I will cover it in future posts.
 
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com and also follow me on Twitter @rebeladm to get updates about new blog posts.

Update Management for Azure VM

Keeping your operating systems up to date is critical, as it is the first step towards protecting your systems from emerging threats; it also helps to improve efficiency and user experience. The simplest way to update a Windows operating system is the Windows Update feature that comes with every version. But this is not enough for corporates, where it is important to manage Windows updates in a controlled manner. Microsoft has tools such as WSUS and SCCM to manage Windows updates in an infrastructure, and in a hybrid or cloud-only environment it is just as important to update the virtual machines running in the cloud. Microsoft Operations Management Suite (OMS) Update Management is a great way to manage updates in any environment (on-premises, cloud-only or hybrid). It detects and reports missing updates in your environment, and it also allows you to deploy them using Azure Automation.

update1

However, if you are running an Azure environment, Microsoft now has another solution to help manage updates for Azure VMs. It is NOT a replacement for OMS Update Management, even though it works in a similar way; it helps to manage updates at the individual VM level or as a group. This Update Management feature is still in preview, but it is not too early to try out its capabilities.

There are a few things I like about this feature.

1. No agents or additional configuration – This feature can be enabled on a VM with a few clicks and does not require any additional configuration inside the VM: no agent to install or configure by hand, and no other changes such as firewall rules. It is simple and efficient.

2. No need to log in to the VM – This is ideal for MSPs as well. To manage updates you do not need to log in to the VM at all, nor define credentials to install the updates.

3. Reporting – It lists missing updates, categorized by type, and reports failed deployments, so everything is logged and visualized in an easy-to-understand way.

Let’s see how we can get this setup.

1. To enable this feature, log in to the Azure portal as an administrator of the subscription.

2. Then click on Virtual Machines to list the VMs.

update2

3. Then click on the VM you have chosen.

4. From the left-hand panel, click on Update Management (Preview).

update3

5. In the next window, click on the purple bar (as in the following image) to enable the feature.

update4

6. It will then load the page for enabling the feature. As we can see, it also creates a Log Analytics workspace and an Automation account. Click Enable to proceed.

update5

7. Once enabled, it takes 15-20 minutes to gather information about updates. When it has finished, we can see new data under the Update Management (Preview) panel.

update6

8. In the Missing Updates section, it shows the update name, classification, published date and a link to more details about each update.

update7

9. If we click on one of the missing updates, it brings us to the Log Search window, where we can see more details about the update.

update8

10. In the Update Management (Preview) panel, click the Manage Multiple Computers option.

update9

11. In that window, we can see all the computers which have this feature enabled and their compliance status.

update10

12. By clicking on each computer in the list, we can see more detail about it in the Log Search window.

update11

13. We can also add further Azure VMs to Update Management. To do that, click on the Add Azure VM option in the Manage Multiple Computers panel.

update12

14. It lists the VMs in the subscription; click on the VM you would like to add, and then enable the feature for it.

update13

15. Now that we have the list of missing updates, the next step is to schedule their deployment. To do that, go back to the Update Management (Preview) panel and click on the Schedule update deployments option.

update14

16. In the new window, the first thing is to define a name for the job. Under Update classification we can select which update classifications the schedule should consider.

update15

17. If we need to exclude any updates, we can do that using the Updates to exclude option, where we enter the relevant KB numbers.

update16

18. Under the schedule settings we define when the updates are applied. It can be either a one-time or a recurring job.

update17

19. Using the Maintenance window option we set how long the deployment may run; updates that cannot complete inside the window are left for the next run.

update18

20. Once that is done, click Create to create the schedule.

update19

21. If you use the same Schedule update deployments option from the Manage Multiple Computers window, we can create a schedule for multiple computers at once.

update20

22. Once the schedule is created, we can see it under the Scheduled update deployments tab.

update21

23. This completes the configuration. Once the schedule has run, we can verify the result in the Update Management (Preview) panel.
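The deployment schedule built in steps 15 to 22 is also scriptable, which matters once more than a handful of VMs need the same window. Below is an added PowerShell example, not code from the original post, that creates the same kind of schedule with the Az.Automation cmdlets (these post-date the preview shown in the screenshots, which is why the post uses the portal). Assumptions: the resource group, Automation account (the one created in step 6) and VM names are placeholders, the excluded KB number is a made-up example value, and you have already run Connect-AzAccount.

```powershell
# Added example, not code from the original post. Requires the Az module and an
# existing Connect-AzAccount session with rights on the resource group.
# All resource names below are placeholders; replace them with your own.

$rg      = 'rg-updates'          # placeholder resource group
$account = 'aa-updates'          # placeholder: Automation account created in step 6
$vmNames = @('dc01', 'app01')    # placeholder Azure VM names in $rg

# Steps 13-14: resolve the VMs that should receive the deployment to resource IDs.
$vmIds = foreach ($vm in $vmNames) { (Get-AzVM -ResourceGroupName $rg -Name $vm).Id }

# Step 18: recurring schedule, every Saturday at 02:00. The start time must be in
# the future; the first run lands on the first Saturday at or after it.
# -ForUpdateConfiguration marks the schedule for use by Update Management.
$start    = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Weekly-Critical-Security' -StartTime $start -WeekInterval 1 `
    -DaysOfWeek Saturday -ForUpdateConfiguration

# Steps 16, 17 and 19: classifications to include, KBs to exclude (placeholder
# value) and a two-hour maintenance window. -Windows selects the Windows update
# configuration; Linux machines would use -Linux instead.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $vmIds `
    -IncludedUpdateClassification Critical, Security `
    -ExcludedKbNumber '1234567' `
    -Duration (New-TimeSpan -Hours 2)

# Step 22 equivalent: list the scheduled deployments in the account.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account |
    Select-Object Name, ProvisioningState
```

Keeping the schedule definition in source control gives you a reviewable record of which classifications are applied to which machines, something the portal's per-VM clicks do not leave behind.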

This marks the end of the blog post, and I hope it was useful. If you have any questions feel free to contact me on rebeladm@live.com and also follow me on Twitter @rebeladm to get updates about new blog posts.

Microsoft Advanced Threat Analytics (ATA) – Part 01

There are many ways to monitor Active Directory activity in an infrastructure. Some tools only monitor the AD services, while others monitor the services as well as the activity. Service-level monitoring is the easy part: any monitoring tool that supports Windows service monitoring can track the status of the AD services. Tools like SCOM allow monitoring at a more granular level; they do not just check the status of the service but also monitor the AD components and their activity. The Windows event log also gives visibility over Active Directory service status and activity. In a previous blog post I explained how to enable advanced Active Directory auditing, which helps to understand what is going on.

When it comes to security-related events, only a tool with auditing capabilities can give some insight. However, most of these tools do not give any advice or guidance based on the events they capture; it all depends on the engineers who analyze them. As an example, an event I see as security-related may not be seen as a threat by a second-line support engineer. This is quite an issue, as a recent report from Microsoft shows it takes an average of 146 days to identify an identity infrastructure breach. We are fighting against human adversaries, so it is obvious we cannot close all the doors. We need to assume breach, and when there is a breach or an attempt there must be a way to identify it as quickly as possible and stop it.

Microsoft has maintained Active Directory for close to two decades, and now also runs Azure Active Directory. Every day they collect a massive amount of Active Directory security events from many different sources, and that data was used to build Microsoft Advanced Threat Analytics. It is a simple tool which can identify Active Directory infrastructure security threats at an early stage and notify engineers about them.

OMS or ATA ?

Microsoft Operations Management Suite also has solutions such as AD Assessment and Security and Audit, which use the Microsoft Security Graph to identify Active Directory infrastructure threats. OMS not only audits AD activity, it also evaluates the existing Active Directory setup and provides guidelines to improve it; all of these recommendations are based on Microsoft security and deployment best practices. OMS can also integrate with Azure Automation to automate operational tasks, allowing engineers to attach a runbook to an alert. ATA only detects and reports a problem; it does not take any action on it. I am not saying either one can replace the other. Both have different capabilities, and it is up to you to choose the best fit for your environment.

What can ATA detect?

ATA detections fall into three categories.

Malicious attacks

  • Pass-the-Ticket (PtT)
  • Pass-the-Hash (PtH)
  • Overpass-the-Hash
  • Forged PAC (MS14-068)
  • Golden Ticket
  • Malicious replications
  • Reconnaissance
  • Brute Force
  • Remote execution
  • Malicious DPAPI

Abnormal behavior

  • Anomalous logins
  • Unknown threats
  • Password sharing
  • Lateral movement

Security issues and risks

  • Broken trust
  • Weak protocols
  • Known protocol vulnerabilities

ATA Components

ATA Center – The ATA Center is the operations center. It receives information from the ATA gateways and displays detected events in its web interface. Using the ATA Center we can also set up administrators, configure email alert settings and check the status of the connection to the gateways. It also manages the update settings for the gateways.

ATA Gateway – The ATA Gateway monitors the network traffic going to the Active Directory domain controllers, using port mirroring to receive a copy of it. The captured data is passed to the ATA Center for evaluation.

ATA Lightweight Gateway – This is the easiest way to deploy an ATA gateway: the component is installed directly on a domain controller. However, it increases the resource usage of that domain controller.

ATA Deployment

There are three ways to deploy ATA.

Using only ATA Gateways – In this deployment mode, separate ATA gateway servers are used. The domain controllers' network ports need to be mirrored to the ATA gateway servers so they can capture the traffic. This is the most reliable method, as it has no impact on domain controller performance.

Using only ATA Lightweight Gateways – This is the most cost-effective deployment method. It does not require a separate server; the component is installed directly on the domain controllers, and no network-layer changes are required. The only requirement is to increase the RAM and CPU of the domain controllers.

Using both ATA Gateways and ATA Lightweight Gateways – In this method both gateway types are used. This is the ideal deployment mode for branch office environments, where we can use ATA Lightweight Gateways on the branch domain controllers since they handle relatively little traffic.

ata-architecture-topology (1)

Image source : https://docs.microsoft.com/en-gb/advanced-threat-analytics/plan-design/media/ata-architecture-topology.jpg

ATA Prerequisites

  1. The ATA Center needs a minimum of Windows Server 2012 R2 with the latest updates. Recommended: at least 4 GB of RAM and 2 CPUs.
  2. The ATA Center needs two IP addresses.
  3. The ATA Lightweight Gateway needs a minimum of Windows Server 2012 R2 with the latest updates. Recommended: at least 6 GB of RAM and 2 CPUs.
  4. An SSL certificate for the ATA Center and the gateways. If there is no valid certificate (such as a wildcard or a certificate from an internal CA), we can still use a self-signed certificate. That is fine for a lab, but in production the gateways have to trust the Center's certificate, so a certificate from an internal CA is the better choice.
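The four prerequisites above are easy to check before the installer tells you something is missing. The following added PowerShell example, not code from the original post, runs that readiness check on the prospective ATA Center or on a domain controller that will host a Lightweight Gateway. Thresholds are the post's figures (4 GB / 2 CPUs for the Center, 6 GB / 2 CPUs for the Lightweight Gateway); Windows Server 2012 R2 reports kernel version 6.3. The certificate check is an assumption about where the certificate will be kept: it looks in the computer's personal store for a server-authentication certificate with a private key that matches the host name, which is what a certificate from an internal CA or a self-signed one would look like once installed.

```powershell
# Added example, not code from the original post. Run as administrator on the
# server being checked. Thresholds follow the prerequisites listed in the post.

function Test-AtaPrerequisites {
    param(
        [ValidateSet('Center', 'LightweightGateway')]
        [string]$Role = 'Center'
    )
    $minGB = if ($Role -eq 'Center') { 4 } else { 6 }

    $os    = Get-CimInstance Win32_OperatingSystem
    $cs    = Get-CimInstance Win32_ComputerSystem
    $osVer = [version]$os.Version
    $ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports KB

    # Addresses assigned statically or by DHCP; excludes link-local/loopback.
    $ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object { $_.PrefixOrigin -in 'Manual', 'Dhcp' })

    # Server-authentication certificate (EKU 1.3.6.1.5.5.7.3.1) with a private key,
    # not expired, whose SAN or subject names this host. Assumption: it lives in
    # Cert:\LocalMachine\My, the usual place for a service certificate.
    $fqdn  = [System.Net.Dns]::GetHostEntry('').HostName
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
                  $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                  ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
                  ($_.DnsNameList.Unicode -contains $fqdn -or $_.Subject -like "*$fqdn*")
              })

    $checks = [ordered]@{
        'OS is Windows Server 2012 R2 or later (>= 6.3)'                  = $osVer -ge [version]'6.3'
        "RAM >= $minGB GB (have $ramGB GB)"                               = $ramGB -ge $minGB
        "Logical CPUs >= 2 (have $($cs.NumberOfLogicalProcessors))"       = $cs.NumberOfLogicalProcessors -ge 2
        'Server-auth certificate with private key for this host present'  = $certs.Count -gt 0
    }
    if ($Role -eq 'Center') {
        $checks["Two IPv4 addresses for the Center (have $($ipv4.Count))"] = $ipv4.Count -ge 2
    }

    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Role = $Role; Check = $c.Key; Pass = $c.Value }
    }
}

Test-AtaPrerequisites -Role Center | Format-Table -AutoSize
# On a domain controller that will run the Lightweight Gateway:
# Test-AtaPrerequisites -Role LightweightGateway | Format-Table -AutoSize
```

A failed certificate check on a lab box is not a blocker, since the post notes a self-signed certificate is acceptable there; a failed RAM check on a domain controller destined for a Lightweight Gateway is the one to act on before installing, because the gateway's capture and parsing load comes on top of the DC's own work.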

Now we have everything ready for the ATA deployment. In the next part of this post, I will walk you through the deployment steps.

Hope this was helpful, and if you have any questions feel free to contact me on rebeladm@live.com.