
Using SCOM to Monitor AD and Local Accounts and Groups

For those who have deployed SCOM without ACS or another monitoring service and don't have a full-blown IDS/IPS: with a little effort it is possible to at least monitor and alert when critical groups and accounts are changed.


As free alternatives, consider ELK (Elasticsearch) or Security Onion.


The following example shows SCOM being configured to alert when the Domain Admins group is updated.


On the Authoring tab, under Management Pack Objects, Rules, select 'NT Event Log (Alert)'.


Create a new Management Pack if required; never use the default MP.

The 'Rule Name' should include an element that is unique to this and all subsequent rules, to assist searching later on. For this example, all rules that monitor groups or accounts are prefixed with 'GpMon'.


The 'Rule Target' in this case is 'Windows Domain Controllers', as it is a domain group.

Change the 'Log Name' to 'Security'.

Add Event ID 4728 (A member was added to a security-enabled global group).

Update the Event Source to 'Contains' with a value of 'Domain Admins'.

Set the alert priority to High and the severity to Critical.

Sit back, grab a coffee (or two) and wait while the rule is distributed to the Domain Controllers; this can take a while.


Test the rule by adding a group or account to Domain Admins; in the SCOM Monitoring tab an alert will appear almost immediately with full details.

Now for the laborious bit: create further rules for the following groups:

  • Server Operators

  • Account Operators

  • Print Operators

  • Schema and Enterprise Admins

  • Any delegation or roll-up groups

  • SCCM Administrative groups

  • CA Administrative groups
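As an added example (not part of the original post), here is a PowerShell check that reads the same member-added events directly from a Domain Controller's Security log, so SCOM's GpMon alerts can be cross-checked against the source. It also shows a caveat for the groups listed above: the event ID depends on group scope (4728 global, 4732 domain local, 4756 universal), so Enterprise Admins and Schema Admins need a rule on 4756 rather than 4728. The watched-group list and the sample events are constructed assumptions.

```powershell
# Added example, not from the original post: read the same member-added events the
# GpMon rules alert on straight from the Security log, to cross-check SCOM's alerts.
# The watched-group list and the sample values below are assumptions.
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Server Operators', 'Account Operators', 'Print Operators'

# The event ID depends on group scope: 4728 global (Domain Admins), 4732 domain
# local (Server/Account/Print Operators), 4756 universal (Enterprise and Schema
# Admins). A rule that only watches 4728 misses changes to the last two.
$MemberAddedIds = 4728, 4732, 4756

function Get-WatchedGroupChange {
    # Summarise one Security event (as XML) and emit it only if the group
    # touched is on the watched list.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $data = $EventXml.Event.EventData.Data
        $change = [pscustomobject]@{
            Time    = $EventXml.Event.System.TimeCreated.SystemTime
            EventId = [int]$EventXml.SelectSingleNode('//*[local-name()="EventID"]').InnerText
            Group   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Member  = ($data | Where-Object Name -eq 'MemberName').'#text'
            Actor   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
        if ($WatchedGroups -contains $change.Group) { $change }
    }
}

function Get-LiveWatchedGroupChange {
    # Live query; run on a Domain Controller with rights to read the Security log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $MemberAddedIds
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { [xml]$_.ToXml() } | Get-WatchedGroupChange
}

# Constructed sample events (one per scope) so the parsing runs offline; the third
# touches an unwatched group and is filtered out.
$SampleEvents = @(
    '<Event><System><EventID>4728</EventID><TimeCreated SystemTime="2024-01-01T09:00:00Z"/></System><EventData><Data Name="MemberName">CN=jdoe,CN=Users,DC=corp,DC=example</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>',
    '<Event><System><EventID>4756</EventID><TimeCreated SystemTime="2024-01-01T09:05:00Z"/></System><EventData><Data Name="MemberName">CN=svc-backup,CN=Users,DC=corp,DC=example</Data><Data Name="TargetUserName">Enterprise Admins</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>',
    '<Event><System><EventID>4732</EventID><TimeCreated SystemTime="2024-01-01T09:10:00Z"/></System><EventData><Data Name="MemberName">CN=asmith,CN=Users,DC=corp,DC=example</Data><Data Name="TargetUserName">Remote Desktop Users</Data><Data Name="SubjectUserName">helpdesk2</Data></EventData></Event>'
)
$SampleEvents | ForEach-Object { [xml]$_ } | Get-WatchedGroupChange | Format-Table -AutoSize
```

Comparing the output of Get-LiveWatchedGroupChange with the GpMon alerts in the SCOM console shows whether every watched group actually has a rule on the right event ID.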

That covers the obvious groups; now target all Windows Servers and Clients (if SCOM has been deployed to the clients):

  • Local accounts: creation, addition to local groups and password resets.

  • AppLocker, to alert on any unauthorised software being installed or accessed.

  • Finally, here is what Microsoft recommends.

A few hours of effort and you'll have better visibility of the system and of any changes to those critical groups.



