Using RunAs accounts and profiles is an often poorly understood area of OpsMgr. As I began to investigate setting this up for the SQL MP, I quickly realized how little I understood it. Chatting with my PFE peers, I found that while everyone felt they had a “big picture” idea of how to configure it, nobody I talked to really understood all the options and impact.
This post will be a primer on the basics of using RunAs accounts and profiles, and an in depth example of applying them to the SQL Management pack under different typical scenarios.
Why do we have RunAs accounts?
We use RunAs accounts when we need a Management Pack workflow to run under the credentials of a different account than the default agent action account.
Generally, the situation is that the default agent action account does not have enough rights and privileges to perform the action that must be taken in the management pack. This is typical under two scenarios:
In SOME cases, the application being monitored does not allow Local System (or a local admin/domain user account) to have any, or enough rights to the application. When this happens, we need to use a RunAs account and profile.
The SQL Example
When SQL 2005 is installed by default, it places some default security to the SQL instance. BUILTIN\Administrators (Local Administrators Group from the OS) and NT AUTHORITY\SYSTEM (Local System) are automatically added to the SQL Security access list, and provided with SA (SysAdmin) server role access to the instance.
When SQL 2008 is installed by default, it no longer places BUILTIN\Administrators in the SQL security access list. The install of SQL 2008 now prompts the installer to give SQL a user account, or Group, to grant SA (SysAdmin) rights to. If installing on a standalone instance, NT AUTHORITY\SYSTEM (Local System) is still granted SA rights. If installing on a clustered instance, NT AUTHORITY\SYSTEM (Local System) is granted public rights, but not SA.
Most savvy SQL customers would always remove the BUILTIN\Administrators login to SQL to harden the SQL security access. Some will additionally restrict NT AUTHORITY\SYSTEM (Local System) to have public server role only, removing the SA rights. There are pros and cons to restricting Local System from SA, that isn't the purpose of this blog post.
I did a previous article, explaining the latest SQL MP version 6.1.314.36, and some of the changes in this MP. I briefly touched on setting up security for the MP – and I will pick up where I left off there.
Following are the most common scenarios I run into, in the field:
Scenario #1. You use Local System as the default agent action account.
So – in summary – the most common scenarios are:
Moving forward… in this example, we have decided we want to keep using Local System for the default agent action account, and set up a RunAs account for access to SQL. At a very high level, this will involve the following:
Step 1: Create a Run As Account
1. Open the console and browse to Administration pane > Run As Configuration > Accounts.
2. Create a Run As Account of type = Windows
3. Give it a good display name, such a “SQL MP Monitoring Account”
4. Type in the credentials for username, password, and domain.
5. On the next pane – you are asked about a distribution security option. You need to choose “Less Secure” or “More Secure”. This REALLY warrants a good discussion.
Now the fun begins! Run As Profiles are objects that are shipped within Management Packs. You don’t create them in the UI – they will come delivered with the MP that needs them. Each workflow or module in an MP can *optionally* attempt to load a Run As Profile (if it is associated with a Run As Account for that system). If the Run As Profile is not associated with anything (default) then the workflow will run under the Default Agent Action Account credentials, like any other workflow.
RunAs="SQL!Microsoft.SQLServer.SQLProbeAccount">
Note the highlighted part in yellow. This instructs the workflow to try and run this workflow as the “SQLProbeAccount” profile if it is associated for this HealthService.
So… Workflow tries to load a profile > Profile is associated with a Run As account > Run As account contains a credential for execution.
What you will see – if a new MonitoringHost.exe process will spin up, and execute any workflows that need to run under this credential.
Make sense?
The SQL MP includes 3 Run As profiles. These are:
Let’s start with the “SQL Server Discovery Account” Profile. (Oh how I WISH people would name a PROFILE with the WORD “Profile” instead of “Account”…. but I digress)
1. Open the Properties of this profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”. This warrants yet another deep dive discussion.
Next – let’s examine the SQL Server Monitoring Account profile.
1. Open the Properties of the SQL Server Monitoring Account profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”.
Last – let’s examine the SQL Server Default Action Account profile.
This is a new Run As profile that showed up with Version 6.1.314.36 of the SQL MP. A deeper analysis shows that this profile is primarily used for:
1. Open the Properties of the SQL Server Default Action Account profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”.
Review:
Let’s take a break and review.
Close – but no cigar?
So – the example above will work really well for customers, where all their SQL servers are tightly secured, and where all their SQL servers are managed by the same SQL team, in the same trusted domain, and can use the same SQL Run As Account. This covers success for a large number of environments.
But – what if the corporate SQL team only “owns” or supports half of the SQL servers in the management group, while the other SQL servers are owned and supported by various application teams?
What if we want to monitor ALL SQL servers in the management group, but need to use different Run As accounts depending on their domain, or support team? Maybe for some SQL servers, we don’t want to use any Run As accounts at all, and just use the default action account?
Scenario #5 You use Local System as the default action account.
To configure the SQL MP and Run As – we will use a very similar plan to what we did above. However, we will need to be more precise in two areas:
Now – the steps will go something like this.
1. Create the three RunAs accounts just like we did above. Ensure each account will have Local Administrator and SQL SysAdmin rights over the correct OS and instance.
2. Distribute the correct Run As accounts to the appropriate Health Services. For Non-Corp IT SQL instance, we will attempt to use the Default Agent action account to monitor SQL. If Local System does not have enough rights to SQL, we will then distribute and associate our RunAs account, and tell the application owner to make our special Run As account a local admins and SQL admin if they want their SQL server monitored.
3. On the Run As Profile Associations – choose “Group” instead of “Class” this time. Select the group from the object picker.
Here is how it will look when complete:
Now – we simply can make sure the right computers/engines are members of the appropriate group. If you want a Non-Corp SQL instance to try and use the default agent action account for SQL monitoring – just don’t distribute the Run As account, and don’t add them to the “Non-Corp IT SQL Computers” group. Then they will have NO association, no credential, and will try local system. If this fails to work – you can simply have a standard document for the application owner for how to configure their SQL server for proper monitoring. This takes the burden off the OpsMgr administrator.
The thing to keep in mind here – is the profile association works just like overrides. More specific wins. So you could have the group associations just like above, but if you had a special one-off instance that needed its OWN run as account – you can associate that specific DB Engine to a very specific Run As account, and it would take priority over the conflicting group association.
Conclusion
I hope this helps provide more answers than it does questions. This is just one example of how to use the Run As in OpsMgr 2007 R2. Other strategies could be formed. Keep in mind – usually the simplest solution is best, so don’t over-complicate things. Make a strategy that is the easiest to maintain, while providing good security separation.
Additionally – this example above is not the “most secure” configuration…. because we assumed our Run As account would have SA rights to SQL. That is not technically required. The SQL MP guide does a good job of documenting the minimum instance and database rights needed to grant a Run As account so it can fully monitor SQL. That said – the Run As account and profile configuration (the focus of this article) will not be any different if you further restrict SQL rights – Run As will work exactly the same way.
Finally – the SQL product group has provided a spreadsheet (attached) which outlines EVERY Rule, Monitor, Discovery, and Task workflow in the SQL 2005 and 2008 MP’s, and which (if any) Run As accounts they are associated with. This will help if you ever need to better understand or troubleshoot which account/profile is being used for a given workflow.
This post will be a primer on the basics of using RunAs accounts and profiles, and an in depth example of applying them to the SQL Management pack under different typical scenarios.
Why do we have RunAs accounts?
We use RunAs accounts when we need a Management Pack workflow to run under the credentials of a different account than the default agent action account.
Generally, the situation is that the default agent action account does not have enough rights and privileges to perform the action that must be taken in the management pack. This is typical under two scenarios:
- The application being monitored has its own security model and access list, and does not necessarily share the rights of the Operating System (e.g. SQL Server)
- The default agent action account is running under a low-priv domain user account, and does not have enough rights for typical management pack operations (rare)
In SOME cases, the application being monitored does not allow Local System (or a local admin/domain user account) to have any, or enough rights to the application. When this happens, we need to use a RunAs account and profile.
The SQL Example
When SQL 2005 is installed by default, it places some default security to the SQL instance. BUILTIN\Administrators (Local Administrators Group from the OS) and NT AUTHORITY\SYSTEM (Local System) are automatically added to the SQL Security access list, and provided with SA (SysAdmin) server role access to the instance.
When SQL 2008 is installed by default, it no longer places BUILTIN\Administrators in the SQL security access list. The install of SQL 2008 now prompts the installer to give SQL a user account, or Group, to grant SA (SysAdmin) rights to. If installing on a standalone instance, NT AUTHORITY\SYSTEM (Local System) is still granted SA rights. If installing on a clustered instance, NT AUTHORITY\SYSTEM (Local System) is granted public rights, but not SA.
Most savvy SQL customers would always remove the BUILTIN\Administrators login to SQL to harden the SQL security access. Some will additionally restrict NT AUTHORITY\SYSTEM (Local System) to have public server role only, removing the SA rights. There are pros and cons to restricting Local System from SA, that isn't the purpose of this blog post.
I did a previous article, explaining the latest SQL MP version 6.1.314.36, and some of the changes in this MP. I briefly touched on setting up security for the MP – and I will pick up where I left off there.
Following are the most common scenarios I run into, in the field:
Scenario #1. You use Local System as the default agent action account.
You accept the default SQL permissions, or modify them to ensure that Local System has the “SA” role to the SQL instance. In this case – the default agent action account has full rights to the Operating System and to SQL. No other configuration or use of Run-As accounts is necessary. The SQL MP will discover and monitor the SQL instances. This is not the most secure scenario, but likely the simplest to manage.Scenario #2. You use a Domain User account as the default action account.
This account is a member of the Local Administrators group on the server OS. This domain user account has been delegated “SA” rights in SQL explicitly, or via group membership. In this case – the default agent action account has full rights to the Operating System and to SQL. No other configuration or use of Run-As accounts is necessary. The SQL MP will discover and monitor the SQL instances. (Hint – you might consider just using this special account as the default agent action account ONLY for your SQL servers). This is more secure than scenario #1 above, but is more difficult to manage in some cases.Scenario #3. You use Local System as the default action account.
However, the SQL team has restricted the NT AUTHORITY\SYSTEM (Local System) SQL login, and removed the “SA” right. In this case, the Local System account has full rights to monitor the server OS, however, does not have enough rights to discover and monitor the SQL application. In this case – we would use a Run-As account(s) to manage access for the SQL workflows only, to execute under this Run-As account. This account(s) can be created and fully managed by the SQL team. This is a VERY common scenario.Scenario #4. You use a Domain User account as the default action account.
This account is a member of the Local Administrators group on the OS. It is used by the OpsMgr team as their agent account. However, the SQL team has restricted or deleted the BUILTIN\Administrators SQL login, thereby removing the “SA” right from local admins. The SQL team will not allow this account, which they do not control, to have any access to SQL. In this case, the default agent action domain user account has full rights to monitor the server OS, however, does not have enough rights to discover and monitor the SQL application. In this scenario – we would use a Run-As account(s) to manage access for the SQL workflows only, to execute under this Run-As account. This account(s) can be created and fully managed by the SQL team.
So – in summary – the most common scenarios are:
- Use a default agent action account that has Local Admin rights to the OS and SA rights to SQL
- Use a default agent action account that has no rights to SQL and therefore configure RunAs accounts and profiles to gain access to SQL.
Moving forward… in this example, we have decided we want to keep using Local System for the default agent action account, and set up a RunAs account for access to SQL. At a very high level, this will involve the following:
- Create a Run As account using a Domain User credential.
- Associate this Run As account with one or more Run as profiles.
Step 1: Create a Run As Account
1. Open the console and browse to Administration pane > Run As Configuration > Accounts.
2. Create a Run As Account of type = Windows
3. Give it a good display name, such a “SQL MP Monitoring Account”
4. Type in the credentials for username, password, and domain.
5. On the next pane – you are asked about a distribution security option. You need to choose “Less Secure” or “More Secure”. This REALLY warrants a good discussion.
“Less Secure” just means distribute this credentials to ALL Health Services in the management group.Step 2: Associate the Run As Account to a Run As profile.
“More Secure” just means distribute this credential ONLY to Health Services that I EXPLICITLY define.
I really don’t like the terminology we chose of “Less Secure”. I think they were trying to stress that using “more secure” is a better way to ensure that the tightest security model is upheld. Theoretically, someone could take an agent management machine they had access to, and hack the credential presented until they got the password. This model has completely changed from SP1, where were distributed the credential anywhere that needed it, automatically. This presented a risk, because a server admin who didn’t get access to the credential, could theoretically “fake” that he had an application which needed the credential by placing a dummy registry entry, having this class discovered, get the credential distributed, and start trying to hack the credential. "The new “more secure” absolutely controls the distribution of the Run As credential, and only OpsMgr admins have access to this.
Less Secure really isn't a valid option. The reason for this, is that the R2 agent, as soon as it receives a Run As credential, performs a series of tests to make sure that we can use the Run As credential. This includes testing for the “Log On Locally”. If you create a Run As account, and choose “Less Secure” you will immediately get a flood of alerts from all your Domain Controllers, Exchange servers, and any other servers that restrict the Log on Locally right. In enterprise server environments, this is very typical to remove “Domain Users” or the local “Users” group from this user right via group policy – or to deny “Log on Locally” for service accounts. This essentially makes “Less Secure” unusable for any practical purpose.
Therefore we WILL be using “More Secure”.
Now that we have that settled, this means we need to choose the Health Services to distribute the Run As credential to. Go ahead and finish creating the Run As Account using more secure, then open the properties of the newly created account. There is a distribution tab:
Click “Add” and now we can add the Health Service objects we want to send this account to. In this example – I am sending this credential to all my SQL servers. Our only option here is to search by name. If you have a good naming standard – this is fine. If you don’t… this will be a bit painful initially. Luckily, I have the term “SQL” in almost all my SQL server names, so this is easy enough for me – I type in “sql” and his search, and add all my SQL servers, one by one.
Click “OK” and you are done.
Behind the scenes – all of these Health Services are notified of a config update – they download their new config and get the new credential.
Now the fun begins! Run As Profiles are objects that are shipped within Management Packs. You don’t create them in the UI – they will come delivered with the MP that needs them. Each workflow or module in an MP can *optionally* attempt to load a Run As Profile (if it is associated with a Run As Account for that system). If the Run As Profile is not associated with anything (default) then the workflow will run under the Default Agent Action Account credentials, like any other workflow.
Here is an XML example from the SQL MP:The monitor which inspects SQL Service pack version is below:
Note the highlighted part in yellow. This instructs the workflow to try and run this workflow as the “SQLProbeAccount” profile if it is associated for this HealthService.
So… Workflow tries to load a profile > Profile is associated with a Run As account > Run As account contains a credential for execution.
What you will see – if a new MonitoringHost.exe process will spin up, and execute any workflows that need to run under this credential.
Make sense?
Ok – let’s associate!
The SQL MP includes 3 Run As profiles. These are:
- SQL Server Discovery Account
- Used for discoveries and discovery based datasources
- In the XML – referenced as: “SQLDiscoveryAccount”
- SQL Server Monitoring Account
- Use for monitoring workflows and monitoring based datasources
- In the XML – referenced as: “SQLProbeAccount”
- SQL Server Default Action Account
- New in this MP version
- Used for Monitoring tasks
- Used for when the default agent action account is extremely low priv (rare)
- In the XML – referenced as: “SQLDefaultAccount”
Let’s start with the “SQL Server Discovery Account” Profile. (Oh how I WISH people would name a PROFILE with the WORD “Profile” instead of “Account”…. but I digress)
1. Open the Properties of this profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”. This warrants yet another deep dive discussion.
4. Choose “A selected class, group, or object” and click “Select”. Now – which do we pick?
Normally – the MP Author should let you pick “All targeted objects” and you can be on your way. Choosing “All Targeted Objects” means that anywhere the profile is associated with a workflow – load and use the defined account (SQL MP Monitoring Account) on all systems.
HOWEVER – in the SQL Discovery MP – there is a challenge, which will prohibit us from using “All targeted objects”.
It is a best practice for all management packs with a discovered class to use a “seed” discovery. This discovery targets ALL agents (or servers, or operating systems) and runs a lightweight registry discovery. Then, from the instances discovered in the “seed” discovery, you can target that new class, with your more in-depth role/application based discoveries. Then – a secondary best practice – is to NEVER load a RunAs Profile against your seed discovery. This is covered here: http://social.technet.microsoft.com/wiki/contents/articles/worst-practice-adding-a-run-as-profile-to-your-seed-discovery.aspx
We have two challenges with this SQL MP. First – there is no lightweight seed discovery. Instead – there are 4 discoveries that run against all Windows Server objects in the management group, and the DBEngine discovery is a VBScript. This isn't really a big deal, just not always a best practice to run a VBscript against all servers looking for existence of an application. Secondly (and more to the point of this article), the initial discovery for DBEngine uses a RunAs profile. This is not a best practice, because this means if we associated that profile to an account, EVERY agent would need the RunAs account credential distributed, and that RunAs account would need logon rights to all agents in the management group. If we didn’t distribute the credential to ALL agents,AND the credential doesn’t have local logon rights to ALL agents – we will immediately get spammed with alerts from ALL agents which aren't SQL servers. If we were using a “seed” discovery with no profile – then we could simply choose “All targeted objects” and let the default agent action account run the seed discovery, then let the RunAs account run the remainder of the discoveries, which would only occur on SQL servers. Because of this situation – we cannot use “All Targeted Objects” for the SQL Server Discovery Account profile.
So – this means we MUST choose “A selected class, group, or object” for the SQL Server Discovery Account profile. Not a big deal…. just need to understand that.
This choice, while confusing at first, gives us a LOT of flexibility. These choices work very much like overrides, so you should already be familiar with that process, where most specific wins. In this example – I am going to keep it to the most simple scenario – then demonstrate more advanced scenarios later.
We will choose “Class”. Then – which class?
Our goal is to make the initial discoveries – which target the “Windows Server” class, run under the default agent action account. THEN – ALL subsequent discoveries should run under the SQL Discovery Profile/Run As account. Therefore – we should add the “SQL DB Engine” class.
Since “SQL DB Engine” class Hosts or Contains ALL other classes in the SQL Discovery MP (other than those listed above), this will ensure that all discovery workflows will use the Profile and Run As Account configured.
That covers the SQL Server Discovery Account profile.
Next – let’s examine the SQL Server Monitoring Account profile.
1. Open the Properties of the SQL Server Monitoring Account profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”.
This choice is much simpler than the discovery profile. Since ALL workflows that leverage the SQL Server Monitoring Account profile are targeting a class that is a SQL specific discovered class, we can use “All Targeted Objects”.4. Done!
Last – let’s examine the SQL Server Default Action Account profile.
This is a new Run As profile that showed up with Version 6.1.314.36 of the SQL MP. A deeper analysis shows that this profile is primarily used for:
- Tasks
- Monitoring workflows that don’t need any special rights for the datasource used (event log, perfmon, scripts that don’t access SQL)
- Write actions
1. Open the Properties of the SQL Server Default Action Account profile. On the Run As Accounts page, click “Add”.
2. Select your “SQL MP Monitoring Account”.
3. Now we have to choose “All targeted objects” or “A selected class, group, or object”.
This choice is much simpler than the discovery profile. Since ALL workflows that leverage the SQL Server Default Action Account profile are targeting a class that is a SQL specific discovered class, we can use “All Targeted Objects”.4. Done!
Review:
Let’s take a break and review.
- We need to use a Run As account whenever we need a Management Pack workflow to run under the credentials of a different account than the default agent action account.
- The Run As account is the credential (username and password)
- The Run As account needs to be distributed to Health Services (More Secure and a Less Secure)
- Discoveries, Rules, Monitors (and their associated data sources) can be configured to use a Run As Profile.
- For a Run As profile to work, it must be associated correctly with a Run As account.
- There is a lot of flexibility in how we can associate the account to the profile.
Close – but no cigar?
So – the example above will work really well for customers, where all their SQL servers are tightly secured, and where all their SQL servers are managed by the same SQL team, in the same trusted domain, and can use the same SQL Run As Account. This covers success for a large number of environments.
But – what if the corporate SQL team only “owns” or supports half of the SQL servers in the management group, while the other SQL servers are owned and supported by various application teams?
What if we want to monitor ALL SQL servers in the management group, but need to use different Run As accounts depending on their domain, or support team? Maybe for some SQL servers, we don’t want to use any Run As accounts at all, and just use the default action account?
Scenario #5 You use Local System as the default action account.
Contoso.com is a global IT services firm. Their OpsMgr Management Group has about 500 SQL servers discovered, a mix of SQL 2005 and SQL 2008, with a handful of SQL 2008R2 instances. Their corporate IT SQL team manages 400 of these SQL instances. The remaining 100 SQL servers are not supported by the corporate SQL team, they are one-off SQL instances which are specific to applications, and managed by the application owners.
Of the 400 SQL servers supported by the corporate IT SQL team, 20 of these are in a highly secured domain disconnected from the corporate IT domain.
The goal is to develop a Run As strategy which will accommodate all SQL servers to be monitored.
All agents will be deployed as Local System for the default agent action account, as that is the standard for the Enterprise Monitoring Team.
All SQL security settings on the 400 corporate IT SQL team servers has been hardened and standardized. The SQL security settings for the 100 application owners SQL instance is largely unknown. Some could be hardened, but it is assumed most will be left to default settings performed at the installation.
To configure the SQL MP and Run As – we will use a very similar plan to what we did above. However, we will need to be more precise in two areas:
- Run As account distribution
- Use Groups for Run As profile association.
- Corp IT SQL Run As account
- Corp IT SQL Run As account for the high security domain
- Non-Corp IT SQL team (Application owners) Run As account
- Corp IT SQL Computers
- Corp IT SQL Computers High Security
- Non Corp IT SQL Computers
Now – the steps will go something like this.
1. Create the three RunAs accounts just like we did above. Ensure each account will have Local Administrator and SQL SysAdmin rights over the correct OS and instance.
2. Distribute the correct Run As accounts to the appropriate Health Services. For Non-Corp IT SQL instance, we will attempt to use the Default Agent action account to monitor SQL. If Local System does not have enough rights to SQL, we will then distribute and associate our RunAs account, and tell the application owner to make our special Run As account a local admins and SQL admin if they want their SQL server monitored.
3. On the Run As Profile Associations – choose “Group” instead of “Class” this time. Select the group from the object picker.
Here is how it will look when complete:
Now – we simply can make sure the right computers/engines are members of the appropriate group. If you want a Non-Corp SQL instance to try and use the default agent action account for SQL monitoring – just don’t distribute the Run As account, and don’t add them to the “Non-Corp IT SQL Computers” group. Then they will have NO association, no credential, and will try local system. If this fails to work – you can simply have a standard document for the application owner for how to configure their SQL server for proper monitoring. This takes the burden off the OpsMgr administrator.
The thing to keep in mind here – is the profile association works just like overrides. More specific wins. So you could have the group associations just like above, but if you had a special one-off instance that needed its OWN run as account – you can associate that specific DB Engine to a very specific Run As account, and it would take priority over the conflicting group association.
Conclusion
I hope this helps provide more answers than it does questions. This is just one example of how to use the Run As in OpsMgr 2007 R2. Other strategies could be formed. Keep in mind – usually the simplest solution is best, so don’t over-complicate things. Make a strategy that is the easiest to maintain, while providing good security separation.
Additionally – this example above is not the “most secure” configuration…. because we assumed our Run As account would have SA rights to SQL. That is not technically required. The SQL MP guide does a good job of documenting the minimum instance and database rights needed to grant a Run As account so it can fully monitor SQL. That said – the Run As account and profile configuration (the focus of this article) will not be any different if you further restrict SQL rights – Run As will work exactly the same way.
Finally – the SQL product group has provided a spreadsheet (attached) which outlines EVERY Rule, Monitor, Discovery, and Task workflow in the SQL 2005 and 2008 MP’s, and which (if any) Run As accounts they are associated with. This will help if you ever need to better understand or troubleshoot which account/profile is being used for a given workflow.
Hiç yorum yok:
Yorum Gönder