Auditing the Microsoft Private Cloud with ACS Autopilot - Part 1

Prereqs: This is part 1 of a 3-post mini-series describing how to audit Windows servers in a private cloud enterprise automatically.

To collect security events automatically from Windows servers, whether they are provisioned dynamically into a private cloud, sit in branch offices, or run anywhere else in the enterprise, Microsoft recommends Audit Collection Services (ACS), which is included in System Center 2012 - Operations Manager. However, ACS does not natively provide a way to enable its forwarders automatically on Windows servers that come and go in an "elastic" manner, and for good reason: if forwarders were enabled prematurely or without careful planning (for example, by the "autopilot" management pack this series describes), the resulting event volume could overwhelm the ACS backend (the collector and its database).
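Before any automation touches forwarder state, a practitioner wants to know how many ACS forwarders are already running against the collector. The following PowerShell is an added example, not code from the original post; it assumes the OperationsManager module is installed and that the management server is named OM01.contoso.com (a hypothetical name). It enumerates the agents in the management group and queries each for the ACS forwarder service (service name AdtAgent).

```powershell
# Added example (not from the original post): inventory which OpsMgr agents
# currently run the ACS forwarder service, so the forwarder count is known
# before any automatic enablement is turned on.
# Assumptions: OperationsManager module present; management server
# OM01.contoso.com is hypothetical; remote service queries are permitted.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'OM01.contoso.com'

$report = foreach ($agent in Get-SCOMAgent) {
    $name = $agent.DisplayName
    try {
        # AdtAgent is the ACS forwarder service installed with the agent.
        $svc = Get-Service -ComputerName $name -Name 'AdtAgent' -ErrorAction Stop
        [pscustomobject]@{ Computer = $name; ForwarderStatus = [string]$svc.Status }
    } catch {
        # Unreachable hosts or hosts without the service are reported, not skipped,
        # so the totals reflect every agent in the management group.
        [pscustomobject]@{ Computer = $name; ForwarderStatus = 'Unreachable/NotInstalled' }
    }
}

$running = @($report | Where-Object { $_.ForwarderStatus -eq 'Running' }).Count
"ACS forwarders running: $running of $($report.Count) agents"
$report | Sort-Object ForwarderStatus, Computer | Format-Table -AutoSize
```

Run this from an account that holds an Operations Manager operator role and local administrator rights on the agents; compare the running count against the capacity the ACS collector and database were sized for before enabling more forwarders.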

So how do you audit Windows servers in an automated manner when one of the key attributes of a private cloud is “rapid elasticity”?

"Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time." - The NIST Definition of Cloud Computing, Special Publication 800-145

This mini-series seeks to answer that need with ACS “autopilot”. Before we get to that capability, let’s “set the table” with a common auditing scenario in customer enterprises:

  • CONTOSO is a large, multi-national company with a private cloud, a datacenter, and many branch offices around the world. It is having to "do more with less" in a challenging economy and has sought to cut operational costs through economies of scale and by consolidating its IT staff into a single org and hierarchy. This has greatly simplified its OM 2012 management group design: a single MG monitors all Windows servers in the enterprise.
  • CONTOSO has also implemented a SIEM solution that enables it to address governance controls for SOX compliance. Internal auditors routinely run reports in the ACS and SIEM solutions to ensure compliance.
  • OM 2012 and ACS have been "scaled up and out" to handle current and anticipated load. CONTOSO engaged Microsoft Consulting Services, who followed best practices in scaling the solutions correctly. :-)
  • OM 2012 and ACS have been designed and implemented with role separation (auditors vs. admins) specifically in mind.

The following conceptual diagram depicts the single management group scenario which will be referenced throughout this mini-series (and possibly others in the future):

Now that the OM 2012 and ACS infrastructures have been fully implemented to address the monitoring and audit requirements, we can move on to part 2, where the OM 2012 agents are deployed automatically.