Tuesday, January 12, 2010

Catch-22: Securing ACS Reports AND scheduling them. Part II: What do we need?

--------------------------------------------------------------------------------- 
Postings in the same series:
Part   I: How Catch-22 was born…
Part III: Setting Security
Part IV: Setting the subscriptions on the ACS Reports
Part  V: Auditing Security
---------------------------------------------------------------------------------

In this posting I will describe the setup needed to secure the ACS Reports so that only a certain group of people can run them AND to have these reports scheduled as well.

There is a caveat to reckon with:
The security settings on the SQL Server Reporting Services (SSRS aka SRS) instance for ACS can be circumvented. So auditing and alerting on it are a requirement.
 

Setting up secured AND scheduled ACS Reports consists of these three major steps:

  1. Setting security
  2. Setting the subscriptions on the ACS Reports
  3. Auditing security

First, the security needs to be set on different objects. Certain groups and accounts, which will be used when setting the security, have to be created as well. Secondly, the reports have to be scheduled. However, even when all that is in place, the security can be circumvented. So a third step is needed: auditing has to be configured on the server hosting the SQL Server Reporting Services instance. But just having a security event logged when the security settings of the server have been changed (like adding/deleting a user from a group) won’t suffice. An Alert is needed as well, so an MP needs to be built which will raise that Alert. But then we have an Alert showing up in the Console which can be closed pretty fast. So a Notification is in order.

As you can see, there is much more to it than meets the eye…

Every major step consists of several other tasks:

1 - Setting Security:
A – Creating the needed accounts and groups
B - Securing the SQL instance
C - Securing the server hosting the SQL Server Reporting Services instance
D - Securing the SQL Server Reporting Services instance > Site Settings
E - Securing the SQL Server Reporting Services instance > Object Settings

2 – Setting the subscriptions on the ACS Reports:
A – Creating a file share and setting the security
B – Setting the subscriptions on the ACS Reports
C – Testing the subscriptions on one or more ACS Reports

3 – Auditing Security:
A – Enabling and configuring the Audit Policy on the SSRS server
B – Testing the Audit Policy
C – Creating a MP which Alerts when the security settings on the SSRS Server have been changed
D – Creating a Notification Model which sends out an e-mail/sms message when an Alert comes in from this MP
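
Steps 3A and 3B come down to making sure a group membership change on the SSRS server actually produces a Security log event that can be found again. The PowerShell below is an added example, not part of the original posting and not the MP built later in this series. It assumes Windows Server 2008 or later with an English-language OS, an elevated session on the SSRS server, and a hypothetical group name `ACS Report Users`.

```powershell
# Added example. Assumptions: Windows Server 2008 or later, English OS,
# elevated session on the SSRS server. Group names are hypothetical placeholders.
$WatchedGroups = @('ACS Report Users', 'Administrators')

# 3A: log successful and failed changes to group membership.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null

# 3B: look for the resulting events from the last 24 hours.
# 4732 = member added to a local group, 4733 = member removed from a local group.
$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = (Get-Date).AddDays(-1)
}

$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_

        # Read the event data fields by name from the XML form of the event.
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Action    = if ($evt.Id -eq 4732) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']      # the group that was changed
            MemberSid = $data['MemberSid']           # the account added or removed
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    Where-Object { $WatchedGroups -contains $_.Group }

$changes | Sort-Object Time | Format-Table -AutoSize

if ($changes) {
    Write-Warning "$(@($changes).Count) membership change(s) on watched groups in the last 24 hours."
}
```

To test the policy, add a test account to one of the watched groups, remove it again, and run the query part: both changes should be listed with the account that made them.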

It would go too far to write down every needed step in detail. Also – as stated before – some steps are described in detail in the book SCOM Unleashed, so I will certainly not describe those steps in detail. Just buy the book! :)

The next posting in this series will be about Step 1: Setting Security.
