Security for Discovery-Based Deployment in Operations Manager 2007

Discovery-based agent deployment is accomplished by using the Discovery Wizard from the Operations Manager Administration pane to search for devices and install agents on discovered devices on your network. The Management Server will perform a discovery based upon the criteria you specify in the wizard, and, once discovered, agents can be deployed to the computers or devices you select. For more information about discovery-based deployment, see How to Deploy the Operations Manager 2007 Agent to Windows-Based Computers from the Operations Console.

Security Considerations for Agent Deployment

When agents are pushed out to computers, Operations Manager 2007 sends the local administrator credentials required to install the agent. In such circumstances, the user who owns the computer that the agent will be deployed to can attempt to acquire these credentials. You should be careful in your choice of accounts used for agent deployment. Where possible, avoid using highly privileged accounts, such as Domain Administrator, when deploying agents.

If pushing an agent out to a computer is a concern in your environment, you should consider manual deployment of agents.

Deployment Requirements

The Management Server uses the Server Message Block (SMB) port (TCP/UDP 445) and the RPC port (TCP 135) to deliver the files needed for agent installation on remote computers and for updating agent settings after installation. If you block these outgoing ports on the Management Server or block the incoming ports on any of the target computers, or if the target computer and Management Server are separated by a firewall, you cannot use discovery-based deployment to install agents. You must either open these ports or install these agents manually.

Disabling the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services disables the SMB ports.

Deployment Limitations

Operations Manager 2007 agents cannot be installed or updated by using the Discovery Wizard and must be manually installed or updated under the following circumstances:

  • The agent and Management Server are separated by a firewall and the required ports cannot be opened.
  • The target computer is in an IPSec-enabled domain and the Management Server is in a non-IPSec-enabled domain.
  • The agent cannot be installed on a computer running Windows NT 4.0.
  • The agent cannot be installed on a Microsoft Cluster Services virtual server. However, you can install an agent on a node of a cluster.

Agent Deployment File Transfer While Deploying Agents

The files and other data that are used to deploy agents are not encrypted by Operations Manager 2007. The deployment process uses the SMB ports, the RPC port (TCP 135), and the DCOM port range. You can use either SMB packet signing or IPSec to help secure the agent deployment process.
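As an added example (not part of the Operations Manager documentation), the following PowerShell script, run on the Management Server, checks the port requirements described under Deployment Requirements (TCP 135 and TCP 445 against each target) and reports the local SMB client signing setting that relates to the unencrypted file transfer noted above. The target names are placeholders; UDP 445 and the DCOM dynamic port range are not tested.

```powershell
# Added pre-flight check (not from the original documentation): run on the
# Management Server before using the Discovery Wizard to find targets that
# will need manual agent installation because TCP 135 or TCP 445 is blocked.

$Targets = @('TARGET1.corp.example', 'TARGET2.corp.example')   # placeholders
$RequiredPorts = @{ 135 = 'RPC endpoint mapper'; 445 = 'SMB' }
$TimeoutMs = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    # Uses System.Net.Sockets.TcpClient so the check also runs on PowerShell 2.0
    # hosts (Windows Server 2003/2008 era) where Test-NetConnection is unavailable.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SmbSigningRequirement {
    # Reads the local SMB client signing policy. A value of 1 means this
    # Management Server insists on signed SMB sessions, one of the two
    # mitigations the documentation offers for the unencrypted file transfer.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RequireSecuritySignature
    if ($value -eq 1) { 'required' } else { 'not required' }
}

Write-Host ("SMB client signing on this Management Server: {0}" -f (Get-SmbSigningRequirement))

foreach ($target in $Targets) {
    $closed = @()
    foreach ($port in $RequiredPorts.Keys) {
        if (-not (Test-TcpPort -ComputerName $target -Port $port -Timeout $TimeoutMs)) {
            $closed += ('{0} ({1})' -f $port, $RequiredPorts[$port])
        }
    }
    if ($closed.Count -eq 0) {
        Write-Host ("{0}: TCP 135 and 445 reachable; discovery-based deployment possible" -f $target)
    } else {
        Write-Host ("{0}: blocked {1}; open the ports or install the agent manually" -f $target, ($closed -join ', '))
    }
}
```

A host reported as reachable may still fail deployment if its DCOM dynamic range is filtered or it falls under one of the Deployment Limitations above.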

Account Used for Deployment

When implementing discovery-based agent deployment, you can provide either credentials for an account or use the Management Server's action account. The account you use must be a local administrator on all of the computers you are deploying agents to. The credential information used to install agents is encrypted before being communicated and discarded after use.

See Also

Tasks

How to Deploy the Operations Manager 2007 Agent to Windows-Based Computers from the Operations Console
How to Use Active Directory Domain Services to Assign Computers to Operations Manager 2007 Management Servers
How to Use the Health Service Lockdown Tool in Operations Manager 2007

Concepts

Configuring Objects to Be Managed by Operations Manager 2007
Operations Manager 2007 Accounts
Using Operations Manager 2007 with Firewalls

Other Resources

About Security in Operations Manager 2007
Security Considerations in Operations Manager 2007