Agent Deployment Security

Agent installation, or deployment, involves a few security requirements and some security implications. You can choose the security context that the agent runs under. You can deploy agents automatically by creating computer discovery rules, or manually by using the Agent Installation Wizard on the remote computer.

Installing Agents Using the Install/Uninstall Agents Wizard

When you use the Install/Uninstall Agents Wizard, MOM 2005 searches for, and installs agents on, computers on your network. The MOM Management Server performs a computer discovery based on the criteria that you specify in the wizard and always installs (or uninstalls) the agents regardless of the setting on the Automatic Management tab of the Management Server properties.

Installing Agents Using Computer Discovery

When the Management Server discovers new computers, it either installs agents or puts the computers in the Pending Actions folder, depending upon the setting on the Automatic Management tab of the Management Server properties. For more information about this setting and agent deployment in general, see the Microsoft Operations Manager 2005 Deployment Guide.

Account Used for Deployment

If you are using discovery-based agent deployment, you can either provide credentials for an account, or you can use the Management Server's action account. The account you use must be a local administrator on all of the computers to which you are deploying agents. The credential information that is used to install agents is encrypted before being communicated, and then discarded after use.

Using the Management Server’s Action Account

The Management Server’s action account can be used for installing or uninstalling agents on remote computers and updating settings on agents. If you choose to use the account for this purpose, the account must be a domain account with administrator privileges on all target computers to which it is to install agents.

An alternative to using this highly privileged account is to configure the Management Server’s action account to be a low-privileged account and to either specify credentials for installing agents when you use the Install/Uninstall Agents Wizard, or manually install agents. For more information, see "Security While Deploying Agents." When you want to update agent settings, you can specify the proper credentials in the Update Agent Settings dialog box in the MOM 2005 Administrator console.

Using a domain account

The domain account must have administrator rights on the target computer. The credentials for this account are securely stored and disposed of after use.

Deployment Requirements

The Management Server uses the following to deliver the files needed for agent installation on remote computers and for updating agent settings after installation:

If these ports are disabled on the Management Server or any of the target computers, or the target computer and Management Server are separated by a firewall, you cannot use discovery-based deployment to install agents. You must either enable these ports or install the agents manually. Manual installation does not require these ports. If you disable the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services, the SMB ports are disabled as well.

Deployment Limitations

MOM 2005 agents must be manually installed or updated under the following circumstances:

For more information about these limitations, see the Microsoft Operations Manager 2005 Supported Configurations Guide.

Agent Action Account

The agent’s action account is used to gather information about, and run responses on, the managed computer. The MOMHost.exe processes run under the action account, as well as specific threads within the MOMService.exe. Because more than one data provider or response can be running at one time, MOM runs them as separate processes to protect other MOMHost.exe processes, in the event that one of them fails. Therefore, more than one MOMHost.exe process can be running at any given time on the agent.

Local System Account

You can run the agent action account as Local System. Doing this will ensure that all management packs run with the correct user rights; however, the Local System account is an administrator-level account and using it might present a security issue. If an attacker is able to compromise the MOM processes, they can perform any action on the managed computer as Local System and even mount attacks against the Management Server under certain circumstances. Because of this, you can also use a lower-privileged account.

Lower-Privileged Account

You can use a domain or local account (preferred) to run the agent’s action account. Using a lower-privileged context ensures that the managed computer is more secure; however, management packs that require higher-level user rights might not work correctly. For more information, see the “Agent Security” section of the Microsoft Operations Manager 2005 Security Guide.
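The two preceding sections describe the trade-off between running the agent's action account as Local System and running it under a lower-privileged local or domain account. The following PowerShell function is an added example, not part of the MOM 2005 documentation: it reports the account that each MOMHost.exe process (the process name the page gives) runs under on a managed computer and flags the Local System case. It assumes only standard WMI classes and the local Administrators group; the process name MOMHost.exe comes from the page.

```powershell
# Added example (not from the MOM 2005 documentation): report the action-account
# context of every MOMHost.exe process on a managed computer.
# Assumption: the agent host process is named MOMHost.exe, as the page states.

function Get-MomActionAccountReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.'   # '.' = the local computer
    )

    # Members of the local Administrators group, resolved through the ADSI WinNT provider.
    $adminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $admins = @($adminGroup.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }

    $procs = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "Name='MOMHost.exe'"
    if (-not $procs) {
        Write-Warning 'No MOMHost.exe process found; the agent may be idle or not installed.'
        return
    }

    foreach ($p in $procs) {
        $owner = $p.GetOwner()
        if ($owner.ReturnValue -eq 0) {
            $account = "$($owner.Domain)\$($owner.User)"
        } else {
            $account = '<unknown>'
        }

        # Local System appears as NT AUTHORITY\SYSTEM. An account whose domain equals
        # the computer name (Win32_Process.CSName) is a local account, which the page
        # prefers for a lower-privileged context.
        $isLocalSystem  = ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM')
        $isLocalAccount = (-not $isLocalSystem) -and ($owner.Domain -eq $p.CSName)
        $isLocalAdmin   = $admins -contains $owner.User

        if ($isLocalSystem) {
            $context = 'LocalSystem (administrator-level)'
            $finding = 'Runs as Local System: a compromised MOM process gets full control of this computer.'
        } elseif ($isLocalAdmin) {
            $context = if ($isLocalAccount) { 'Local account' } else { 'Domain account' }
            $finding = 'Lower-privileged account, but it is a member of the local Administrators group.'
        } else {
            $context = if ($isLocalAccount) { 'Local account' } else { 'Domain account' }
            $finding = 'Lower-privileged context; confirm that the management packs you rely on still run correctly.'
        }

        [pscustomobject]@{
            ProcessId     = $p.ProcessId
            ActionAccount = $account
            Context       = $context
            LocalAdmin    = ($isLocalSystem -or $isLocalAdmin)
            Finding       = $finding
        }
    }
}

# Usage (run on or against the managed computer):
Get-MomActionAccountReport | Format-Table -AutoSize
```

Because several MOMHost.exe processes can run at once, one row is emitted per process; a report in which every row shows a non-administrator local account is the posture the "Lower-Privileged Account" section recommends.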

Agents Outside a Firewall

You can have normal communications between managed computers that are beyond a firewall from the Management Server if you open the TCP/UDP port 1270. However, you must manually install and update these agents. Mutual authentication and the signed and encrypted communications are still available, if a full Active Directory® trust relationship exists between the Management Server domain and the agent domain. Otherwise only signed and encrypted communications are available.

Agents in a Non-Trusted Domain or Workgroup

You can have agents in non-trusted domains or workgroups; however, mutual authentication is not available because, by definition, no two-way trust relationship exists between the Management Server domain and the agent domain. The secure channel is still available, however. You must install and update the agents manually. If the Management Server is configured to require mutual authentication, these agents will not be able to communicate with it.

Security While Deploying Agents

By default, MOM does not secure the files and other data that are used to deploy agents. The deployment process uses both the SMB ports and the RPC/DCOM port range. You can use either SMB packet signing or IPSec to secure the agent deployment.

Note

For added security, when you manually install an agent on a remote computer, you must approve the computer before the server allows the computer to connect to it. When the computer tries to connect, the server adds it to the pending actions list. To complete the connection, you must right-click the computer on the pending actions list, and then click Approve.

For more information, see the Using SMB Packet Signing and IP Security (IPSec) sections in the Microsoft Operations Manager 2005 Security Guide.
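The "Deployment Requirements" and "Security While Deploying Agents" sections state that discovery-based deployment travels over SMB (which disappears when File and Printer Sharing or the Client for Microsoft Networks service is disabled) and is unprotected unless SMB packet signing or IPSec is in place, and the "Agents Outside a Firewall" section names TCP/UDP 1270 as the agent port. The following PowerShell function is an added example, not part of the MOM 2005 documentation: it checks those three conditions on a computer. It assumes the standard LanmanServer/LanmanWorkstation RequireSecuritySignature and EnableSecuritySignature registry values for SMB signing and parses netstat output for the port 1270 listener.

```powershell
# Added example (not from the MOM 2005 documentation): check whether the SMB
# channel used for agent deployment is available and signed, and whether the
# agent port 1270 has a listener.
# Assumptions: SMB signing is read from the standard LanmanServer /
# LanmanWorkstation Parameters registry values; the listener check parses netstat.

function Test-MomDeploymentChannel {
    [CmdletBinding()]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # Missing value is treated as 0 (not set), which is the weak state.
    function Get-DwordOrZero([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    }

    $serverRequire = Get-DwordOrZero $serverKey 'RequireSecuritySignature'
    $serverEnable  = Get-DwordOrZero $serverKey 'EnableSecuritySignature'
    $clientRequire = Get-DwordOrZero $clientKey 'RequireSecuritySignature'
    $clientEnable  = Get-DwordOrZero $clientKey 'EnableSecuritySignature'

    # Server = File and Printer Sharing, Workstation = Client for Microsoft Networks.
    # If either is stopped the SMB ports are down and discovery-based deployment cannot work.
    $smbServices = @(Get-Service -Name LanmanServer, LanmanWorkstation -ErrorAction SilentlyContinue |
                     Where-Object { $_.Status -eq 'Running' })
    $smbAvailable = ($smbServices.Count -eq 2)

    # Agent port listener (TCP/UDP 1270) from netstat output; matches IPv4 and [::] forms.
    $netstat = netstat -ano
    $tcp1270 = [bool]($netstat | Select-String -Pattern '^\s*TCP\s+\S+:1270\s+\S+\s+LISTENING')
    $udp1270 = [bool]($netstat | Select-String -Pattern '^\s*UDP\s+\S+:1270\s')

    # Deployment traffic is only protected by signing when both sides require it.
    $smbSigned = ($serverRequire -eq 1) -and ($clientRequire -eq 1)

    if (-not $smbAvailable) {
        $advice = 'SMB services are not running: discovery-based deployment is unavailable; install agents manually.'
    } elseif ($smbSigned) {
        $advice = 'SMB signing is required on both sides; deployment traffic is signed.'
    } else {
        $advice = 'Deployment traffic is unsigned: require SMB packet signing on server and client, or protect the traffic with IPSec.'
    }

    [pscustomobject]@{
        SmbServicesRunning    = $smbAvailable
        ServerSigningEnabled  = ($serverEnable -eq 1)
        ServerSigningRequired = ($serverRequire -eq 1)
        ClientSigningEnabled  = ($clientEnable -eq 1)
        ClientSigningRequired = ($clientRequire -eq 1)
        DeploymentSmbSigned   = $smbSigned
        AgentPort1270Tcp      = $tcp1270
        AgentPort1270Udp      = $udp1270
        Recommendation        = $advice
    }
}

# Usage:
Test-MomDeploymentChannel | Format-List
```

Run it on the Management Server before a discovery-based deployment and on a candidate agent computer afterwards; the "Enabled" values show whether signing is merely offered, while only the "Required" values on both ends guarantee that the agent installation files cross the network signed.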

See Also

MOM Account Overview