Securing the collection server

Applies To: Forefront Client Security

The collection server runs the following applications:

  • MOM 2005 server

  • MOM Operator console

  • MOM Administrator console

  • Microsoft Forefront Client Security Management Pack for MOM

It is recommended that you follow best practices for securing MOM. For more information about MOM security, see Security Best Practices (https://go.microsoft.com/fwlink/?LinkId=87262).

Flood protection

The Client Security Management Pack for MOM includes a server event rule that helps defend the collection server against denial of service (DoS) attacks. The rule checks for MOM agents that send more events within a configurable time period than is allowed. When a MOM agent exceeds the allowed number of events, the rule automatically disconnects the flooding client from the collection server.

Similarly, the rule checks for MOM agents that send events with too many parameters.

For more information about flood protection, see Configuring "Flooding Detected" alert parameters (https://go.microsoft.com/fwlink/?LinkId=87104).
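The following added example models the two checks described above (event count per agent within a time window, and parameter count per event) so the behavior can be reasoned about when choosing thresholds. It is not code from the management pack; the class name, the limits, and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed limits for illustration; the real values are set through the
# "Flooding Detected" alert parameters of the management pack.
MAX_EVENTS = 5        # events allowed per agent per window
WINDOW_SECONDS = 10   # length of the sliding window
MAX_PARAMS = 4        # parameters allowed per event


class FloodDetector:
    """Hypothetical model of the flood protection rule."""

    def __init__(self, max_events=MAX_EVENTS, window=WINDOW_SECONDS,
                 max_params=MAX_PARAMS):
        self.max_events = max_events
        self.window = window
        self.max_params = max_params
        self.recent = defaultdict(deque)   # agent -> timestamps in window
        self.disconnected = {}             # agent -> reason

    def accept(self, agent, timestamp, params):
        """Return True if the event is accepted, False if it is dropped."""
        if agent in self.disconnected:
            return False                   # agent was already cut off
        if len(params) > self.max_params:
            self.disconnected[agent] = "too many parameters"
            return False
        times = self.recent[agent]
        # Expire timestamps that have fallen out of the window.
        while times and timestamp - times[0] >= self.window:
            times.popleft()
        times.append(timestamp)
        if len(times) > self.max_events:
            self.disconnected[agent] = "event rate exceeded"
            del self.recent[agent]
            return False
        return True


def run_sample():
    # Constructed sample events: (agent, time in seconds, parameters).
    events = [("CLIENT-A", t, ["scan", "ok"]) for t in range(0, 60, 12)]
    events += [("CLIENT-B", t, ["x"]) for t in range(20, 28)]  # 8 events in 8 s
    events += [("CLIENT-C", 30, ["p"] * 9)]                    # 9 parameters
    events.sort(key=lambda e: e[1])
    det = FloodDetector()
    accepted = defaultdict(int)
    for agent, ts, params in events:
        if det.accept(agent, ts, params):
            accepted[agent] += 1
    return dict(accepted), det.disconnected
```

In this model a disconnected agent stays disconnected, so events it sends afterward are never collected; a limit set too low therefore drops events from a busy but legitimate client.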

Security for connections to the collection server

It is recommended that you secure connections to the collection server. The following connections may exist.

Component                      Connection to          Topologies

Collection server              Collection database    Five-server and six-server

Management server              Collection server      Four-server, five-server, and six-server

Client computer (MOM agent)    Collection server      All

Server-to-server connection security

The server-to-server connections involving the collection server are related to the MOM server and MOM consoles. You can use Internet Protocol security (IPsec) to secure these connections. For more information about using IPsec with MOM, see the following topics:

MOM agent-to-server connection security

By default, connections between MOM agents and the collection server are mutually authenticated, encrypted, and digitally signed; however, you can use IPsec to secure these connections if mutual authentication is unavailable.

Note

Client Security supports alerting and reporting only for client computers that are mutually authenticated.

For more information, see "IPSec and MOM" in IP Security (IPSec) (https://go.microsoft.com/fwlink/?LinkId=87064).