The array of available network and system monitoring tools can be bewildering. Most are expensive and work for a limited number of products and controls. Others require monitored products and controls to support a protocol such as SNMP. Some are dedicated solely to security event management and others focus on both security and broader operations.

Microsoft has its own monitoring product called Microsoft Operations Manager (MOM) 2005, which fits into the latter category. MOM is designed for large enterprises. It’s open and extensible, meaning that it can be used to monitor not just Microsoft products but those from third parties, and it reports security-related events and other information.

MOM 2005 is too expensive for smaller networks, so Microsoft released MOM 2005 Workgroup Edition, which retails for $499 and is designed for use in networks with as many as 10 servers. MOM Workgroup Edition is also a great tool for larger environments that want to monitor only a small number of servers or several groups of servers. (You can deploy more than one copy of MOM Workgroup Edition in an enterprise.)

Let’s look at how to use MOM 2005 Workgroup Edition to monitor systems and networks for potential security events and how to plan for deployment and configuration issues. In a future article, I’ll discuss Management Packs, which are used to expand the functionality and reporting features of MOM, including how to customize and create your own packs.

Preparing for MOM
Before installing MOM 2005 Workgroup Edition, you need to ensure that your environment and installation server are prepared for it. The first requirement is that you have and use Active Directory (AD). MOM 2005 Workgroup Edition, like the full version of the product, requires AD for authentication and service discovery. The second requirement is that the installation server be running a 32-bit version of Windows Server 2003. (Any edition will do.)

The Workgroup Edition version of MOM 2005 also requires that a database be installed on the same server as MOM. The good news is that you don’t need to install a full version of Microsoft SQL Server 2000. (SQL Server 2005 isn’t supported.) You can download Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) for free at http://download.microsoft.com and install it instead. The instance of SQL Server 2000 or MSDE and the SQL Server Agent used by MOM must both be configured to start automatically.

Last, MOM 2005 Workgroup Edition requires that the server it’s installed on be running Microsoft IIS, have version 1.1 of the Microsoft .NET Framework installed, and have Background Intelligent Transfer Service (BITS) 2.0. Like the database and database agent software, BITS must be configured to start automatically. You can change the startup type by using the Microsoft Management Console (MMC) Services snap-in, which you can launch from the command line by running services.msc.

Although not recommended, you can install MOM 2005 Workgroup Edition on a server that’s running other applications, such as Windows Server Update Services (WSUS), and which already has one or more databases. You might want to install MOM on a server used for other applications if you would otherwise exceed the 10-server licensing limitation. If the server already has a database installed on it and you prefer to use a dedicated database for MOM, you can install a new instance of SQL Server or MSDE and select that when you install MOM.
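The following pre-flight script checks the requirements listed above on the server you plan to use for MOM. It is an added example, not part of the original article or of the MOM setup tools; it assumes Windows PowerShell, administrative rights, and the default SQL Server 2000/MSDE instance (service names MSSQLSERVER and SQLSERVERAGENT).

```powershell
# Added example: pre-flight check for a planned MOM 2005 Workgroup Edition server.
# Assumes the default SQL Server 2000 / MSDE instance; for a named instance the
# services are MSSQL$<name> and SQLAgent$<name>. Set $fix to $true to switch
# non-automatic services to Automatic, as the article requires.
$fix = $false
$problems = @()

# 1. Active Directory membership
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $problems += "Server is not joined to an AD domain" }

# 2. 32-bit Windows Server 2003 (NT version 5.2; ProductType 3 = server)
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -notlike "5.2.*" -or $os.ProductType -ne 3) {
    $problems += "OS is '$($os.Caption)' $($os.Version); Windows Server 2003 is required"
}
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
if ($cpu.AddressWidth -ne 32) {
    $problems += "OS is $($cpu.AddressWidth)-bit; a 32-bit edition is required"
}

# 3. .NET Framework 1.1 (Install=1 under its NDP registry key)
$net11 = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322"
if (-not (Test-Path $net11) -or (Get-ItemProperty $net11).Install -ne 1) {
    $problems += ".NET Framework 1.1 is not installed"
}

# 4. Required services: IIS must be present; the database, SQL Server Agent
#    and BITS must also start automatically. (The BITS 2.0 version is not checked.)
$services = @(
    @{ Name = "W3SVC";          Label = "IIS (World Wide Web Publishing)"; Auto = $false },
    @{ Name = "MSSQLSERVER";    Label = "SQL Server 2000 / MSDE";          Auto = $true  },
    @{ Name = "SQLSERVERAGENT"; Label = "SQL Server Agent";                Auto = $true  },
    @{ Name = "BITS";           Label = "Background Intelligent Transfer";  Auto = $true  }
)
foreach ($s in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($s.Name)'"
    if ($svc -eq $null) {
        $problems += "$($s.Label) service '$($s.Name)' is not installed"
    } elseif ($s.Auto -and $svc.StartMode -ne "Auto") {
        $problems += "$($s.Name) start mode is '$($svc.StartMode)', must be Automatic"
        if ($fix) { Set-Service -Name $s.Name -StartupType Automatic }
    }
}

if ($problems.Count -eq 0) {
    "All MOM 2005 Workgroup Edition prerequisites look satisfied."
} else {
    "Problems found:"
    $problems | ForEach-Object { " - $_" }
}
```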

Installing the MOM Server
Installing MOM 2005 Workgroup Edition itself is easy. Loading the installation CD-ROM in the drive launches the Microsoft Operations Manager 2005 Setup Resources wizard, which has several tabs. On the Setup Tasks tab (the default) are three steps:

  1. Check Prerequisites
  2. Install MOM 2005 Workgroup Edition
  3. Configure MOM 2005 Workgroup Edition

Click step 1, Check Prerequisites, to ensure that your system meets the minimum requirements listed above for MOM 2005 Workgroup Edition to install. There are two options when checking prerequisites. The default is to check requirements for a complete install on the server. The second option is to check requirements for the console only, which you would use if you were installing the MOM console on a workstation. Click Check to begin the requirements check; the results are displayed on a Web page. If any requirements haven’t been satisfied, you’ll see details about why and what you can do to correct the problem.

Click step 2 to launch the MOM 2005 Workgroup Edition setup wizard. The wizard prompts you for your name, the name of your organization, and the 25-digit product key. After you enter this information, you’ll be prompted to specify an installation folder, or you can use the default.

Next, the setup wizard ensures that the prerequisites are satisfied. If any prerequisites aren’t satisfied, the wizard won’t proceed. Then, if you have more than one database instance, you’re asked which instance MOM should use. The default instance is shown as the name of the server on which you’re installing MOM. Alternate instances are displayed as SERVER\INSTANCE. Select the instance you want to use.

The next step in the setup wizard asks you for the username, password, and domain of the account that MOM 2005 Workgroup Edition will use. This account is used to deploy MOM agents and should be a member of the Domain Admins group. Finally, the setup wizard asks whether you want MOM to report errors in its operation to Microsoft or to a reporting server in your organization. If you choose to have MOM gather operation errors, you can have them sent to Microsoft directly or queued for you to determine which should be sent. After you specify your error reporting preferences, the wizard prompts you to begin the installation by clicking Install.

Installing MOM Agents
After MOM 2005 Workgroup Edition has been installed, the MOM 2005 Administrator Console opens automatically and instructs you to install MOM agents on the servers you want MOM to monitor. You can install them centrally from the MOM server by clicking Install Agents in the MOM 2005 Administrator Console to launch the Install/Uninstall Agents Wizard, or you can install them from the MOM installation CD-ROM on each server. The manual approach gives you more configuration options, as you’ll see below.

Installing agents from the MOM server. When you use the Install/Uninstall Agents Wizard, the first step is to select the server or servers you want MOM 2005 Workgroup Edition to monitor. You can enter server names individually, one per line, or use the wizard’s Browse button to select servers from AD. Don’t enter the MOM server’s name—an agent for it is installed automatically. If you enter its name or the name of any other servers that can’t be managed, you’ll be prompted to remove them from the list of servers before proceeding.

The last step in the wizard displays the actions the wizard will take when you click Finish. Installation of agents is scheduled, and the actual installation is done by using the MOM service account you specified earlier. If you checked the Show task progress option in the final step of the Install/Uninstall Wizard, you’ll see the agents being deployed during installation.

You can launch the Install/Uninstall Agents Wizard to install the agents on computers discovered in AD by expanding the Microsoft Operations Manager\Administration\Computers\Unmanaged Computers node in the MOM 2005 Administrator Console. Select one or more computers that don’t have the MOM agents installed in the right pane of the console, right-click, and select Install. The wizard steps are slightly different from those described above, and typically you can just click Next at each step, accepting the default. Once computers have the MOM agents installed, they appear in the Computers\Agent-managed Computers node in the MOM 2005 Administrator Console.

If you want to manually install agents, you must first configure the MOM 2005 Workgroup Edition server to permit manual installation. The simplest means is to expand the Microsoft Operations Manager\Administration\Global Settings node in the MOM 2005 Administrator Console, right-click Management Servers, and select Properties to launch the Management Servers Properties dialog box. Then, select the Agent Install tab and clear the Reject new manual agent installations option, as Figure 1 shows.

You need to commit configuration changes to MOM 2005 Workgroup Edition and restart the service for them to take effect. In the MOM 2005 Administrator Console, expand the Microsoft Operations Manager node, right-click Management Packs, then click Commit Configuration Change. Restart MOM by running services.msc from the command line, right-clicking the MOM service, and selecting Restart.

Installing agents locally from CD-ROM. To install the agents from the MOM 2005 Workgroup Edition CD-ROM, insert the disc into the server to be managed. When the MOM Setup Resources installation tool starts, go to the Custom Installs tab, and click the Install Microsoft Operations Manager 2005 Agent option to launch the Microsoft Operations Manager 2005 Agent Setup wizard. Specify a destination folder for the agent or accept the default location.

On the next wizard screen, enter the Management Group Name and Management Server, as Figure 2 shows. You can find the Management Group Name at the top of the MOM 2005 Administrator Console’s Home page. The Management Server is the server name. The default ports used by MOM 2005 Workgroup Edition agents to communicate with the MOM server are TCP port 1270 and UDP port 1270. If your MOM server is behind a firewall or has a host-based firewall turned on, make sure that port 1270 is open for both TCP and UDP. (You might also need to follow additional instructions in the Microsoft article “How to install and manage Microsoft Operations Manager 2005 agent computers that are behind a firewall or in an untrusted domain” at http://support.microsoft.com/kb/904866/en-us.)

On the same screen, choose the Agent Control Level. The default is None. If you select Full, the MOM 2005 Workgroup Edition server will be able to remotely manage the agent, including configuring and upgrading it.

The next step in the wizard lets you specify the MOM Agent Action Account. The default is for the agent to run under the Local System account, which is the recommended configuration. You can select a Domain or Local account instead.

Next, you’re asked whether you’re using AD. Select Yes if you use AD and No if you don’t. (There are other reasons for selecting No, but they’re not applicable in most organizations.) The wizard will display a summary of your configuration options; click Install to begin installation of the agent.
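Before starting the agent setup wizard on a server, it is worth confirming that the management server actually answers on the agent port. The block below is an added example (not from the article or from Microsoft): a function for the MOM server that opens TCP and UDP 1270 in the Windows Server 2003 SP1 firewall with netsh, and a PowerShell check to run on the server about to be managed; MOMSERVER01 is a placeholder name.

```powershell
# Added example. Part 1: run on the MOM 2005 Workgroup Edition server as an
# administrator (Windows Server 2003 SP1 or later firewall syntax).
function Open-MomAgentPorts {
    netsh firewall add portopening protocol=TCP port=1270 name="MOM 2005 agent (TCP)" mode=ENABLE
    netsh firewall add portopening protocol=UDP port=1270 name="MOM 2005 agent (UDP)" mode=ENABLE
}

# Part 2: run on the server to be managed before installing the agent manually.
# Only TCP can be verified with a connect; UDP 1270 has no handshake to test.
function Test-MomServerPort {
    param(
        [string]$ManagementServer,
        [int]$Port = 1270,        # default MOM agent-to-server port
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "TIMEOUT: no answer from $ManagementServer on TCP $Port (firewall in the way?)"
        }
        $client.EndConnect($async)    # throws if the connection was refused
        return "OK: $ManagementServer is listening on TCP $Port"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Placeholder management server name; replace with your own MOM server.
Test-MomServerPort -ManagementServer "MOMSERVER01"
```

A TIMEOUT result usually means a firewall between the two servers is dropping the traffic, whereas FAILED with a refused connection means the host is reachable but the MOM service is not listening.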

If you want to deploy an agent to monitor an Internet Security and Acceleration Server (ISA Server) system, you’ll need to modify ISA Server’s System Policy to permit MOM 2005 Workgroup Edition servers to connect to ISA Server. You’ll also need to manually install the MOM agent.

Agentless computers. MOM 2005 Workgroup Edition can also manage agentless computers (i.e., computers that don’t have the MOM agent installed). (Agentless computers still count toward the 10-server limit.) MOM will have less information about these systems, but agentless monitoring can be a useful option for systems for which you don’t require full reporting and monitoring functionality.

To manage a computer as an agentless computer, expand the Unmanaged Computers node, select the computer(s) you want to monitor without an agent, right-click, and select Start Agentless Management. Agentless computers are displayed in the Computers\Agentless Managed Computers node and can be converted to agent-managed status at a later date if desired.

Using the MOM 2005 Operator Console
After you’ve installed MOM 2005 Workgroup Edition on your server and deployed your agents, you can begin to monitor your systems and network for security-related events through the MOM 2005 Operator Console. You can launch the MOM 2005 Operator Console from the MOM 2005 Administrator Console or from the Microsoft Operations Manager 2005 program group in the Windows Start menu.

When launched, the MOM 2005 Operator Console’s default view is the Alerts view, which Figure 3 shows. In this view, you can see in the top center pane all the alerts that MOM 2005 Workgroup Edition has collected or generated from the monitored systems and agents. Alerts are categorized by severity level: Service Unavailable, Security Issue, Critical Error, Error, Warning, Information, or Success.

Selecting an alert in the top center pane displays details about the alert in the bottom center pane, including properties, associated events, product knowledge from Microsoft that might help resolve the problem, a company knowledge section that you can populate to build up your own knowledge base, and history.

The Alerts view is useful to see all problems reported by MOM 2005 Workgroup Edition. You should investigate alerts and update their resolution state, as Figure 4 shows. When an alert is marked as Resolved, MOM removes it from the console.

Other views can be just as useful as the Alerts view, if not more so. Select Computers and Groups from the list of views in the lower left pane, and MOM 2005 Workgroup Edition lists all your computers in the top center pane. For each, MOM displays its state using the same list of categories as for alerts, the last time the MOM server was in communication with it and received a heartbeat, the number of new alerts for the computer, and the number of unavailable services. (A computer can have more than one unavailable service, depending on how it’s configured, what software it’s running, and so on.)

Selecting the State view in the lower left pane provides an at-a-glance view of the state of each of your monitored systems and crucial aspects such as their disk space and OS. MOM 2005 Workgroup Edition will determine whether any of your monitored systems are running services such as AD on a domain controller (DC), DNS, Microsoft Exchange Server, Microsoft SQL Server, or Microsoft IIS and display their state too. Because MOM is extensible, you can add Management Packs to look for other services such as ISA Server and third-party services.

The Diagram view gives you a picture of your network that you can query for services and their state; the Performance view lets you select which counters MOM 2005 Workgroup Edition should collect from monitored systems so that you can query the systems and determine their health; and the Events view allows you to see each of the events collected by MOM and the alerts generated as a result of each.

You can control which systems are displayed in each view by selecting a predefined group in the Group drop-down box on the MOM 2005 Operator Console toolbar. Selecting MOM Administrator Scope causes MOM to display all systems, but you can select from many other groups including Exchange Servers, SQL Servers, and Domain Controllers.

The MOM 2005 Operator Console lets you perform many common maintenance and security-related tasks on your managed computers. For example, you can query the IP configuration of any managed computer by selecting IP Configuration in the Tasks pane at the right of the console and following the wizard. If the Tasks pane isn’t visible, you can make it appear by clicking Tasks on the toolbar.

The Tasks pane is context sensitive, and by default, MOM 2005 Workgroup Edition will run any task you select against the currently highlighted computer(s) in the State view or the Computers and Groups view. For some tasks, such as IP Configuration, the data collected will be returned as generated events and can be seen in the Events view. For other tasks, such as Computer Management or Remote Desktop, MOM will open an MMC snap-in or Terminal Services session to the selected computer.

You can also launch the Microsoft Baseline Security Analyzer (MBSA) from the MOM 2005 Operator Console’s Task pane. MOM Workgroup Edition ships with MBSA 1.2. You can update to the latest supported version by downloading the MBSA Management Pack for MOM 2005 at http://www.microsoft.com/downloads.

When you select Run MBSA Scan from the MOM 2005 Operator Console, a package containing the MBSA executable is created and downloaded to the target managed computer. Alternatively, you can tell the managed computer to obtain the mssecure.cab file from Microsoft or from a virtual directory (vDir) on the MOM server. (Look for more details in the MBSA Management Pack Guide, available at http://www.microsoft.com/downloads.)

Once downloaded, MBSA scans the local machine and returns the results to the MOM 2005 Operator Console as a series of events. Alerts are generated from the events if there are any security-related items of interest, and the state of the managed computer is updated accordingly. You can view the alerts and corresponding events by clicking Alerts and Events in the lower left pane of the console. Where appropriate, the Product Knowledge tab of an Alert is populated with information about how to correct the security issue found by MBSA.

I’ve introduced you to the power of MOM 2005 Workgroup Edition, but the real benefit lies in MOM Management Packs, which I’ll cover in detail in a future article. I also recommend that you visit the Microsoft Web site dedicated to MOM, http://www.microsoft.com/mom, to learn more about its features.

The compelling features of MOM 2005 Workgroup Edition, coupled with the low price, make this version ideal for small and midsized networks. Larger networks can use the enterprise version of MOM, which has a wealth of additional features, including the ability to create hierarchies of MOM servers and powerful reporting capabilities.