First impression of Security Top Alerts MP (STAMP) from Secure Vantage

Secure Vantage is offering a free download of their Security Top Alerts Management Pack (STAMP).

STAMP is designed to provide key alerting for Windows Server security events, leveraging System Center Operations Manager 2007. It is intended to provide security alerting and operations views for key Windows Security events in the following areas:

  • Auditing Integrity
  • Domain Changes
  • Policy Changes
  • User Rights Changes

The Security Top Alerts MP provides base Alerting of key Windows Server security events with predefined views and knowledge content. The primary intent of this Free Management Pack is to provide Auditing on key Windows Security events. This MP only provides a subset (10%) of the Windows Security Auditor MP.

To get the MP you need to fill in the Online Request Form; after that you receive an email with the download location of the MP.

So here is my first impression of this MP from Secure Vantage.

  1. MP content
    Looking at the MP with MPViewer you can see that there are 12 Rules in this MP, so the full version will probably have about 120 rules (10% of 120 = 12 rules). For more info on the MP just import it in the MPViewer and look for yourself. See here for the Rules in the STAMP.
  2. Installation
    After downloading the MP and reading the User Guide the installation was pretty easy.
    First you need to configure Auditing to test this MP. See the User Guide and the WinSec Wiki for more info on configuring auditing.
    After that you just need to import the MP in the Operations Console as you would any other MP you want to install.
    The only thing I had to do was give the OpsMgr Management Server Action Account the Manage Auditing and Security Log user right (for reading events from the Security Event log). You can do this with either a Local or a Global policy.
  3. Management Pack Knowledge.
    The MP has Knowledge available from the Online Encyclopedia for Windows Security Events published at www.UltimateWindowsSecurity.com. You can also look at some Online Resources from within the Operations Console (if the machine on which the Operations Console is running has an internet connection).
  4. Result
    After following some of the scenarios documented in the Guide I was getting Security Alerts in my Operations Manager console. So it worked!

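To check the prerequisite from step 2 (the Action Account needs the "Manage auditing and security log" user right, internally SeSecurityPrivilege, to read the Security log), here is an added PowerShell example; it is not part of the post or of Secure Vantage's MP. It exports the machine's security policy with secedit.exe, resolves the SIDs listed for SeSecurityPrivilege to account names and reports whether the given account is among them. The account name `DOMAIN\opsmgr-action` is a constructed placeholder, and the script assumes it is run as a local administrator on the Management Server.

```powershell
# Added example (not from the post or Secure Vantage): verify that the OpsMgr
# Management Server Action Account holds the "Manage auditing and security log"
# user right (SeSecurityPrivilege) on this machine. Assumes secedit.exe is
# available and that the script runs with local administrator rights.
param(
    # Account to check; "DOMAIN\opsmgr-action" is a constructed placeholder.
    [string]$AccountName = "DOMAIN\opsmgr-action"
)

function Get-SecurityLogRightHolders {
    # Export the security policy to a temporary .inf and read the
    # SeSecurityPrivilege line from its [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP "secpol-export.inf"
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody in this policy

    # Right-hand side is a comma-separated list; "*S-1-5-..." entries are SIDs.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry   # unresolvable SID (e.g. a deleted account): keep it raw
            }
        } else {
            $entry       # already an account name
        }
    }
}

$holders = @(Get-SecurityLogRightHolders)
"Accounts holding SeSecurityPrivilege on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { "  $_" }

# Direct membership only: if the right is granted to a group (e.g. BUILTIN\Administrators)
# that contains the account, this check reports MISSING even though access works.
if ($holders -contains $AccountName) {
    "OK: $AccountName is granted the right directly and can read the Security event log."
} else {
    "MISSING: $AccountName is not listed directly. Check group membership, or grant " +
    "'Manage auditing and security log' via Local Security Policy or a GPO and run gpupdate /force."
}
```

The script only looks at direct grants, so an account that gets the right through a group shows as MISSING; for the Action Account that is usually the case when it is a local administrator, so read the printed holder list before acting on the verdict.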

The only thing I don’t know is why they fill Custom Field 10 with “WinSec.Policy”?

Conclusion:

This is a good MP to start getting experience with Security Alerting in OpsMgr. The installation is straightforward if you have configured the Audit Policy correctly, and there is enough extra Product Knowledge available inside the MP and through hyperlinks to online knowledge on the Ultimate Windows Security website. And if that is not enough there is a link to Infront Consulting (SystemCenterTraining.com) where you can get OpsMgr training ;-)

I would suggest taking a look at the Audit Policy section of the WinSec Wiki for some basic knowledge about configuring Auditing:

  • Audit account logon events
  • Audit account management
  • Audit directory service access
  • Audit logon events
  • Audit object access
  • Audit policy change
  • Audit privilege use
  • Audit process tracking
  • Audit system events
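As an added example (not from the post or Secure Vantage), the PowerShell below reports what the machine actually audits for each of the nine classic settings above, so you can see before importing the MP whether the events it alerts on can be generated at all. It assumes Windows Server 2008 / Vista or later (where auditpol.exe exposes the subcategories under each category), PowerShell 3.0 or later, administrator rights and English-language auditpol output; the mapping from classic setting to auditpol category is my assumption. On Windows Server 2003 the classic settings are configured directly in Local Security Policy and auditpol is not available.

```powershell
# Added example, not from the post or Secure Vantage. Reports the effective
# audit policy for the nine classic audit settings by parsing auditpol.exe
# output. Assumes Windows Server 2008 / Vista or later, PowerShell 3.0+,
# administrator rights and English-language auditpol output.

# Classic Local Security Policy setting -> auditpol category (assumed mapping).
$ClassicToCategory = [ordered]@{
    'Audit account logon events'     = 'Account Logon'
    'Audit account management'       = 'Account Management'
    'Audit directory service access' = 'DS Access'
    'Audit logon events'             = 'Logon/Logoff'
    'Audit object access'            = 'Object Access'
    'Audit policy change'            = 'Policy Change'
    'Audit privilege use'            = 'Privilege Use'
    'Audit process tracking'         = 'Detailed Tracking'
    'Audit system events'            = 'System'
}

function Get-AuditPolicyByCategory {
    # Parse "auditpol /get /category:*" into a hashtable:
    # category name -> (subcategory name -> setting string).
    $policy = @{}
    $current = $null
    foreach ($line in (auditpol.exe /get /category:*)) {
        if ($line -match '^\s+(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            # Indented line: one subcategory and its setting.
            if ($current) { $policy[$current][$matches[1]] = $matches[2] }
        } elseif ($line -match '^\S' -and $line -notmatch 'audit policy|Category/Subcategory') {
            # Unindented line that is not a header: a category name.
            $current = $line.Trim()
            $policy[$current] = @{}
        }
    }
    return $policy
}

function Get-ClassicAuditState {
    # Collapse a category's subcategory settings into the classic on/off view:
    # the classic setting counts as auditing Success (or Failure) if any of
    # its subcategories does.
    param([hashtable]$Subcategories)
    $success = @($Subcategories.Values | Where-Object { $_ -match 'Success' }).Count -gt 0
    $failure = @($Subcategories.Values | Where-Object { $_ -match 'Failure' }).Count -gt 0
    if ($success -and $failure) { return 'Success and Failure' }
    if ($success) { return 'Success only' }
    if ($failure) { return 'Failure only' }
    return 'NOT AUDITED'
}

$policy = Get-AuditPolicyByCategory
foreach ($classic in $ClassicToCategory.Keys) {
    $subs = $policy[$ClassicToCategory[$classic]]
    if (-not $subs) {
        $state = 'UNKNOWN (category not found in auditpol output)'
    } else {
        $state = Get-ClassicAuditState -Subcategories $subs
    }
    '{0,-32} {1}' -f $classic, $state
}
```

Lines marked NOT AUDITED point at classic settings the MP's rules (Policy Change, Account Management, Privilege Use and so on) depend on but that currently produce no events; enable them in the Audit Policy, as the User Guide describes, and re-run the script to confirm the change took effect. Because auditpol exposes subcategories, a category can show "Success only" while the specific subcategory an alert relies on is still off, so the per-subcategory output of `auditpol /get /category:*` itself remains the authoritative view.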