Orchestration Database Security
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator
The following sections provide information about securing the orchestration database in Orchestrator:
Database roles
Securing SQL Server connections
Encryption keys
Database roles
Security to the orchestration database is implemented through database roles in the supported versions of Microsoft SQL Server. The table below lists the roles that are created in the orchestration database and the permissions granted to each. These roles are configured and populated with the required members during the installation process, so there is typically no requirement to work directly with them. The information provided here is to help the administrator better understand the security behind the configuration and prepare for possible custom scenarios.
Account | Database role |
---|---|
Management Service Account | Microsoft.SystemCenter.Orchestrator.Admins |
Member of Orchestrator Admins Group | Microsoft.SystemCenter.Orchestrator.Admins |
Orchestrator Runbook Service Account | Microsoft.SystemCenter.Orchestrator.Runtime |
Orchestrator Runbook Server Monitor Service Account | Microsoft.SystemCenter.Orchestrator.Runtime |
Orchestrator Web Service User Account | Microsoft.SystemCenter.Orchestrator.Operators |
Role | Permission | Object |
---|---|---|
Microsoft.SystemCenter.Orchestrator.Operators | SELECT | [Microsoft.SystemCenter.Orchestrator.Runtime].[Jobs], [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookInstances], [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookInstanceParameters], [Microsoft.SystemCenter.Orchestrator.Runtime].[RunbookServers], [Microsoft.SystemCenter.Orchestrator.Runtime].[ActivityInstances], [Microsoft.SystemCenter.Orchestrator.Runtime].[ActivityInstanceData], [Microsoft.SystemCenter.Orchestrator.Runtime].[Events], [Microsoft.SystemCenter.Orchestrator.Statistics].[Statistics] |
Microsoft.SystemCenter.Orchestrator.Operators | EXECUTE | [Microsoft.SystemCenter.Orchestrator].[GetSecurityToken], [Microsoft.SystemCenter.Orchestrator].[AccessCheck], [Microsoft.SystemCenter.Orchestrator].[ComputeAuthorizationCache], [Microsoft.SystemCenter.Orchestrator.Statistics.Internal].[GetStatisticsSummary], [Microsoft.SystemCenter.Orchestrator.Runtime].[CreateJob], [Microsoft.SystemCenter.Orchestrator.Runtime].[CancelJob] |
Microsoft.SystemCenter.Orchestrator.Runtime | SELECT | All tables, dbo.[POLICIES_VIEW], dbo.[POLICY_REQUEST_HISTORY] |
Microsoft.SystemCenter.Orchestrator.Runtime | INSERT | dbo.[OBJECT_AUDIT] |
Microsoft.SystemCenter.Orchestrator.Runtime | INSERT, UPDATE | dbo.[OBJECTS], dbo.[ACTIONSERVERS], dbo.[POLICYINSTANCES], dbo.[OBJECTINSTANCES], dbo.[OBJECTINSTANCEDATA] |
Microsoft.SystemCenter.Orchestrator.Runtime | INSERT, DELETE | dbo.[COUNTERINSTANCES], dbo.[POLICYRETURNDATA] |
Microsoft.SystemCenter.Orchestrator.Runtime | UPDATE | dbo.[POLICY_PUBLISH_QUEUE] |
Microsoft.SystemCenter.Orchestrator.Runtime | CONTROL | [ORCHESTRATOR_ASYM_KEY], [ORCHESTRATOR_SYM_KEY] |
Microsoft.SystemCenter.Orchestrator.Runtime | EXECUTE | dbo.sp_insertevent, dbo.sp_PublishPolicy, dbo.sp_UnpublishPolicy, dbo.sp_UnpublishPolicyRequest, dbo.fn_GetPolicyInstanceStatus, dbo.fn_NumFailedInstancesPerServer, dbo.fn_NumInstancesPerServer, dbo.fn_NumRunningInstancesPerServer, [Microsoft.SystemCenter.Orchestrator.Cryptography].[Encrypt], [Microsoft.SystemCenter.Orchestrator.Cryptography].[Decrypt], [Microsoft.SystemCenter.Orchestrator.Internal].[RethrowError] |
Microsoft.SystemCenter.Orchestrator.Admins | SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE TABLE | SCHEMA::dbo |
Microsoft.SystemCenter.Orchestrator.Admins | REFERENCES | dbo.[OBJECTS] |
Microsoft.SystemCenter.Orchestrator.Admins | SELECT | dbo.[POLICIES_VIEW], dbo.[POLICY_REQUEST_HISTORY] |
Microsoft.SystemCenter.Orchestrator.Admins | CONTROL | [ORCHESTRATOR_ASYM_KEY], [ORCHESTRATOR_SYM_KEY] |
Microsoft.SystemCenter.Orchestrator.Admins | EXECUTE | [Microsoft.SystemCenter.Orchestrator.Cryptography].[CreateOrchestratorKeys], [Microsoft.SystemCenter.Orchestrator.Cryptography].[DropOrchestratorKeys], [Microsoft.SystemCenter.Orchestrator.Cryptography].[Encrypt], [Microsoft.SystemCenter.Orchestrator.Cryptography].[Decrypt], [Microsoft.SystemCenter.Orchestrator.Internal].[RethrowError], dbo.sp_CustomLogCleanup, dbo.sp_GetLogEntriesForDelete_FilterByDays, dbo.sp_GetLogEntriesForDelete_FilterByEntries, dbo.sp_GetLogEntriesForDelete_FilterByEntriesAndDays, dbo.sp_insertevent, dbo.sp_PublishPolicy, dbo.sp_UnpublishPolicy, dbo.sp_UnpublishPolicyRequest, dbo.fn_GetPolicyInstanceStatus, dbo.fn_NumFailedInstancesPerServer, dbo.fn_NumInstancesPerServer, dbo.fn_NumRunningInstancesPerServer, [Microsoft.SystemCenter.Orchestrator.Internal].AddUserToRole, [Microsoft.SystemCenter.Orchestrator].[SetPermissions], [Microsoft.SystemCenter.Orchestrator.Internal].[SetProductInfo] |
To access the settings.dat file, the Database Configuration Utility (DBSetup.exe) must be run by a user on the computer where the management server is installed who is a member of either the Administrators or Orchestrator Users Group. Custom tools that connect to the database directly through DBDataStore.dll require the same permissions.
Important
When installing Orchestrator, ensure that the account used to connect to SQL Server has only the minimum privileges it needs on the SQL Server, to avoid a potential elevation of privileges.
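To compare a live deployment against the two tables above, the following T-SQL is an added example (not part of the original documentation or of Orchestrator itself). It assumes it is run in the orchestration database by a principal that can see database metadata; the role and key names are the ones listed in the tables.

```sql
-- Added example. Run in the orchestration database.

-- 1. Role membership, to compare with the Account / Database role table.
SELECT r.name AS database_role, m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name LIKE N'Microsoft.SystemCenter.Orchestrator.%'
ORDER BY r.name, m.name;

-- 2. Grants held by each role, to compare with the Role / Permission / Object table.
--    class 1 = object or column, 3 = schema, 24 = symmetric key, 26 = asymmetric key.
SELECT r.name AS database_role, p.state_desc, p.permission_name, p.class_desc,
       CASE p.class
            WHEN 1  THEN QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id)) + N'.'
                         + QUOTENAME(OBJECT_NAME(p.major_id))
            WHEN 3  THEN N'SCHEMA::' + QUOTENAME(SCHEMA_NAME(p.major_id))
            WHEN 24 THEN (SELECT sk.name FROM sys.symmetric_keys AS sk
                          WHERE sk.symmetric_key_id = p.major_id)
            WHEN 26 THEN (SELECT ak.name FROM sys.asymmetric_keys AS ak
                          WHERE ak.asymmetric_key_id = p.major_id)
            ELSE CONVERT(nvarchar(20), p.major_id)
       END AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
WHERE r.type = 'R'
  AND r.name LIKE N'Microsoft.SystemCenter.Orchestrator.%'
ORDER BY r.name, p.permission_name, securable;

-- 3. Any grantee on the two Orchestrator keys other than the Runtime and Admins
--    roles, which are the only roles the table lists with CONTROL on them.
SELECT g.name AS grantee, g.type_desc, p.state_desc, p.permission_name, k.key_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS g ON g.principal_id = p.grantee_principal_id
JOIN (SELECT 24 AS key_class, symmetric_key_id AS key_id, name AS key_name
      FROM sys.symmetric_keys
      UNION ALL
      SELECT 26, asymmetric_key_id, name
      FROM sys.asymmetric_keys) AS k
  ON k.key_class = p.class AND k.key_id = p.major_id
WHERE k.key_name IN (N'ORCHESTRATOR_SYM_KEY', N'ORCHESTRATOR_ASYM_KEY')
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND g.name NOT IN (N'Microsoft.SystemCenter.Orchestrator.Runtime',
                     N'Microsoft.SystemCenter.Orchestrator.Admins');
```

Rows returned by the third query, or members in the first query that do not correspond to an account in the first table, are the items to review.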
Securing SQL Server connections
The SQL Server connections in a default deployment of Orchestrator are not secure. The exception to this is when Orchestrator stores or retrieves sensitive data. In this case, Orchestrator creates a secure connection to SQL Server with a self-signed certificate. This certificate does not provide strong security and is susceptible to man-in-the-middle attacks.
For information about encrypting connections to SQL Server, go to Encrypting Connections to SQL Server (configuring SSL). For information on how to enable connections to the database engine, go to How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
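To see which current connections to the orchestration database are actually encrypted, the following T-SQL is an added example (not part of the original documentation). It assumes SQL Server 2012 or later, because it filters on `sys.dm_exec_sessions.database_id`, and a login with VIEW SERVER STATE.

```sql
-- Added example. Run in the orchestration database; requires VIEW SERVER STATE.
-- Summarises current connections to this database by client and shows how many
-- are encrypted on the wire. Rows whose net_transport is shared memory are
-- local to the SQL Server host and do not cross the network.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       SUM(CASE WHEN c.encrypt_option = 'TRUE'  THEN 1 ELSE 0 END) AS encrypted_connections,
       SUM(CASE WHEN c.encrypt_option = 'FALSE' THEN 1 ELSE 0 END) AS cleartext_connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE s.database_id = DB_ID()
GROUP BY s.login_name, s.host_name, s.program_name, c.net_transport, c.auth_scheme
ORDER BY cleartext_connections DESC, s.login_name;
```

A value of TRUE in `encrypt_option` only shows that the session is encrypted; it does not show that the client validated the server certificate, so a connection protected by the self-signed certificate described above still appears as encrypted.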
Encryption keys
As part of your security planning, you should plan for rotating your encryption keys at a regular interval. The National Institute of Standards and Technology (NIST) recommends that keys be rotated at least once every two years. For more information about NIST security standards, go to NIST Computer Security Division Computer Security Resource Center.
To rotate encryption keys

1. From the Runbook Designer, export all of your runbooks, global settings, variables, schedules, and so on.
   You should provide a password for the export.
   During export, all encrypted data is decrypted and re-encrypted with a new key created by the password.
2. If you want, change the SQL Server Master Database key.
   Orchestrator encrypts data using both the SQL Server Master Database key and the master database key for the orchestration database.
   For information on how to change the SQL Server Master Database key, go to SQL Server and Database Encryption Keys (Database Engine).
3. Re-install the management server and create a new database.
   For information on how to install the management server, see the topic How to Install a Management Server.
   Do not connect to the existing database. A new cryptographic key is generated when a new database is created.
4. From the Runbook Designer, re-import the runbooks and any other data you exported.
   Provide the password used for the export. The data in the export file is decrypted using the password, and encrypted as it is imported to the database using the new Orchestrator master database key.