STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’

 

The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files.  The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022).  As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files.   My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.

 

 

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’.  Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480

 

Download files

Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

 

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is SCOM Default folder on non-system disk @

D:\Program Files\System Center\Operations Manager\Server

 

Update the registry on relevant servers

Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

 

STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key
Display of regedit for the FIPS enabled key

 

PowerShell Verification:

$RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

 

Example Output

PS C:\> $RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

PS C:\> $FIPSEnabled

0

PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

FIPS disabled

 

 

PowerShell to set the registry key:

Blog link

$registryPath = “HKCU:\Software\ScriptingGuys\Scripts”

$Name = “Version”

$value = “1”

New-ItemProperty -Path $registryPath -Name $name -Value $value ` 

    -PropertyType DWORD -Force | Out-Null

 

 

 

Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’

 

 

 

Relevant links and documentation of  ‘STIGs for SCOM FIPS compliance on Windows’

Download from blog here (Link  https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified server2016,2019 per learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/

 

 

 

 

Updating SQLserver packs to v7.2.0.0

HA HA HA, that's so funny. An error I didn't expect importing the SQL packs 'Updating SQLServer packs to v7.2.0.0'
HA HA HA, that’s so funny. An error I didn’t expect importing the latest SQL packs ‘Updating SQLServer packs to v7.2.0.0’

 

Quick public service announcement – remove the SQL Server Core Custom Monitoring pack before ‘updating SQLServer packs to v7.2.0.0’!  Read to save time and frustration, before importing the packs, as the previous 7.0.42.0 pack isn’t upgradable to v7.2.0.0.

 

 

Updating SQL server packs to v7.2.0.0

Download links for SQL Server with SSIS, Dashboards, SSAS, SSRS

Check Holman’s GitHub Repo for a newer SQL ‘runAs’ pack

Run the MSI’s and copy the files to your file repository on the MS.

If you created custom SQL monitors, backup (export) override pack(s).

Remove the SQL Server Core Custom Monitoring pack.

Import packs and enjoy!

Screenshot list of SQL v7.2.0.0 packs
Screenshot list of SQL v7.2.0.0 packs

This ends the ’emergency broadcasting system’ Updating SQL server packs to v7.2.0.0

V-237434 SCOM Web Console SSL Settings

No Soup for you! You have STIG findings :-(
No Soup for you! You have STIG findings 🙁

 

Much like the character from Seinfeld, finding out that the ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG Compliant (STIG’d), is just as tramatic as being hungry, and told ‘No soup for you!”  With all the many STIG findings, here’s a quick and dirty way to resolve the finding.

 

 

Vendor documentation

STIG V-237434

SCOM Web Console Authentication on learn.microsoft.com

Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022

 

V-237434 SCOM Web Console SSL Settings

STIG V-237434 requires trusted CA SSL certificates.  Previous July blog posts are related to the effort to secure the SCOM web console.  The redirect post forces HTTPS, complimenting this STIG finding.  As the STIG states, remediation verification that IIS web site binding is HTTPS, and remove HTTP.

 

Remediate SCOM servers with Web Console role

Assumption = SmartCards are used for authentication, this part is applicable, otherwise skip.

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

IIS Manager Default Web Site menu
IIS Manager Default Web Site menu

 

Click on SSL Settings

If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate.  Once complete, proceed below.

 

Click on SSL Settings > Check box to ‘Require SSL’

If menu is NOT greyed out, click radio button to ‘Accept’ client certificates

Click Apply

IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings
IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings

 

Click on Default Website on left hand pane

In the Actions Pane (right hand side), click on Restart to restart the IIS website

Restart IIS website from IIS manager actions pane
Restart IIS website from IIS manager actions pane

 

 

IIS Website bindings

Next pieces is to verify the SSL HTTPS binding is setup correctly.  In case you got disconnected, or rebooted the server

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

In the Actions pane on the top right, click on Bindings

IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS
IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS

 

Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)

Default website, Bindings selection showing HTTP if SCOM quick start followed
Default website, Bindings selection showing HTTP if following SCOM quick start

 

If HTTP ONLY, click the Add button

Change dropdown for Type to https

Enter Host Name

Click Select to choose the SSL cert

Click OK

Adding HTTPS Binding with server name, SSL cert drop down and selected
Adding HTTPS Binding with server name, SSL cert drop down and selected

 

Verify SSL certificate added

IIS HTTPS Bindings with SSL cert
IIS HTTPS Bindings with SSL cert

 

If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!

Have fun

SCOM Web Console Authentication settings

Authentication Authentication Authentication! SCOM Web Console authentication settings
Authentication Authentication Authentication! SCOM Web Console authentication settings

 

SCOM Web Console authentication settings discussion!  Let’s go through standard IIS authentication settings like disabling Anonymous Authentication, and enabling Windows Authentication, AD Client Certificate Authentication, and binding providers (Negotiate before NTLM).  Ready to begin?!  A shout out to Alden Hatten as we worked through this and resetting the Web Console run here recently, that brought up the urgency to document.

 

 

Vendor documentation

Learn.Microsoft.Com link, SCOM2019 link

SCOM TechCommunity post for context

Kevin Holman’s SCOM QuickStart guides for SCOM 2019, 2022 (Including WebConsole default setup steps)

 

 

SCOM Web Console Authentication settings defaults

RDP to server with SA or Local admin level account

Go into IISManager > Expand the tree to then click on ‘Default Web Site’

Click on Authentication

IIS Manager output for ‘Default Web Site’

IISManager Default Authentication settings
IISManager Default Authentication settings

 

 

SmartCard aka AD Client Certificate Authentication defaults

In IIS Manager for the server > Click on Authentication

Verify AD Client Certificate Authentication is added and enabled.

IIS Manager Authentication, with SmartCard or Client Certificate Authentication
IIS Manager Authentication, with SmartCard or Client Certificate Authentication

 

 

Windows Authentication

Set Authentication Providers order

From IIS Manager > Expand Default Web Site

Click on Authentication > Click on Providers at the top right

If Negotiate is not on top, highlight, and click Move Up button > Click OK to set.   Restart IIS to make setting take effect ( also use iisreset from command prompt or PowerShell )

NOTE: Anonymous Authentication should be disabled!

IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top
IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top

If screenshot is your setup, close the Providers window

 

After reviewing these authentication settings, you should be one step closer to encrypted authentication.

Enjoy!

SCOM WebConsole HTTP Redirect

Detour sign, redirect ahead
Detour sign, redirect ahead

 

Use this post when the SCOM WebConsole gets flagged for HTTP Redirect.  The IIS configuration is pretty easy to set up.  When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding.  Use the Microsoft learn site for more details.

 

 

Add HTTP Redirect role from Server Manager

Time to Configure ‘SCOM WebConsole HTTP Redirect’

RDP to server, open Server Manager

Click on Manage on top right

Click Next on the ‘before you begin popup’

Server Manager splash screen
Server Manager splash screen

 

Click Next

Server Manager Role Installation Type popup wizard
Server Manager Role Installation Type popup wizard

 

Click Next

Server Manager Destination Manager screen
Server Manager Destination Manager screen

 

Expand the ‘Web Server’ drop down menu

Server Manager Roles
Server Manager Roles

 

Expand Web Server drop down menu

Expand Common HTTP Features

Check box for HTTP Redirection

Server Manager Roles expanding Web Server for HTTP Redirect
Server Manager Roles expanding Web Server for HTTP Redirect

 

Click Next

Server Manager HTTP Redirection check box selected
Server Manager HTTP Redirection check box selected

 

Click Next at the Features tab

Server Manager Features window
Server Manager Features window

 

Click Install to install the feature

NOTE the checkbox to ‘Restart if required is NOT selected’

Most change processes don’t allow this on the fly (unplanned outage)

Server Manager Selections window
Server Manager Selections window

 

Wait while the feature(s) install

Click Close once complete

Server Manager feature install in progress
Server Manager feature install in progress

 

 

 

Setup Redirection in IIS Manager

Open IISManager

NOTE If IISManager was open before the feature was closed, exit and open IISManager again.   IISManager refresh does NOT make HTTP Redirect reappear (even if restarting IIS service).

 

Click on your webServer > Double click on HTTP Redirect

IIS Manager with HTTP Redirect
IIS Manager with HTTP Redirect

 

IISManager HTTP Redirect Default splash screen
IISManager HTTP Redirect Default splash screen

 

Check the ‘Redirect requests to this destination:’ check box

Enter the WebConsole URL for your installation.

NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager

Check the two (2) boxes for Redirect behaviors

IISManager HTTP Redirect configuration screen

IISManager HTTP Redirect configuration screen

Click Apply

 

Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.

 

 

Verify HTTP Redirect after reboot

After reboot, verify current settings (shown are default)

Click on ‘Default WebSite’ dropdown > Select HTTP Redirect

Verify HTTP Redirect is configured in IIS Manager
Verify HTTP Redirect is configured in IIS Manager

 

Contact Security team to re-scan server

Happy mitigating!

SCOM WebConsole settings for Kerberos AD Delegation

Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication
I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication

 

Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation.  I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication.  Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)

 

 

If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478

 

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

 

 

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

 

 

 

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

ADUC SCOM account examples
ADUC SCOM account examples

 

 

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter

“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

 

 

 

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action.  Use the steps below to configure relevant SCOM or PowerBI servers.

 

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

 

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName>  and  click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process

ADUC SCOM Lab server choosing process

 

 

Verification of delegation settings

ADUC Delegation flags with SCOM MS processes selected.
ADUC Delegation flags with SCOM MS processes selected.

 

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

 

 

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in.  NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>,  select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both as FQDN and the NetBIOS names are in the SPN

Select OK.

 

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

Select OK.

ADUC Delegation for PowerBI RS
ADUC Delegation for PowerBI RS

SCOM WebConsole settings for authentication

Auto Pilot for SCOM web console
Airplane movie – AutoPilot with SCOM Web Console settings

 

Makes me think of the scene from Airplane with the AutoPilot blow-up, similarly parallel to engineer experiences talking about the SCOM Web Console configuration.  I’m ready to dispel some myths to document securing the ‘SCOM Web Console for authentication’

 

 

Quick outline

Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’

Configuring SSL certs and Smart Cards (this post)

Configuring Kerberos and AD delegation (next post)

Verifying WebConsole functionality blog posts – ReDirect, Authentication, SSL and Bindings

Mitigating SCOM vulnerabilities – Java, HSTS, ODBC

 

 

Knowledge Articles

How to Install Web Console from learn.microsoft.com for SCOM 2019, 2022

Holman’s SCOM quick start install guides for SCOM 2019, 2022

IIS Manager Authentication from learn.microsoft.com

 

 

Configuring SSL Certs and Smart Cards

Setup ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods.  I’ve setup the web console role with defaults, then come back later.  Holman’s quick start lets you complete the role with default HTTP setup.  After that, we add an SSL cert for HTTPS.  Thirdly, employ aliases, or F5 load balancers to simplify user experience accessing the console.  Fourth, setup SmartCards to help secure, also Kerberos authentication/delegation. 

 

 

Part 1 – Start with the SSL certificate for https

Setup the ‘SCOM WebConsole settings for authentication’, beginning with a SSL certificate request for the server(s) in question.  Add any SAN names/aliases you want (if not load balanced).

 

NOTE:

Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization.  Generally, external certificates require manual effort executing the certreq script.

 

Sample SSL certificate

SCOM Web Console SSL Cert details
SCOM Web Console SSL Cert details

 

Less typing means less typos

Below SSL certificate example with any SAN names/aliases (if not load balanced).  Simplify the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager

 

IIS manager server certificates with SAN DNSName aliases included.
IIS manager server certificates with SAN DNSName aliases included.

 

 

Part 2 – Add authentication Smart Card in IIS

Next! – I will set up SmartCard role in ‘SCOM WebConsole settings for authentication’.  Additionally, review the Learn.microsoft.com site for IIS here.

Compatibility

VersionNotes
IIS 10.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.

 

 

Add the Client Certificate feature for the SCOM Web Console

Let’s add SmartCard authentication capability.

 

Open Server manager >

Open Server manager
Open Server manager

 

Click on Manage > Add roles/features (top right)

Scroll to the top right, and click on Manage, then 'Add Roles or features'
Scroll to the top right, and click on Manage, then ‘Add Roles or features’

 

Click Next twice to get to the Server Roles

 

Server Manager > Server Roles tab output

Server Manager > Server Roles
Server Manager > Server Roles

 

 

Expand Web Server drop down

SCOM Web Console Authentication installing Client Certificate Mapping role

Click the box to check ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice (2) [ two times ]

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Click Install (mine is greyed out as it’s enabled)

Server Manager Features Install
Server Manager Features Install

 

Allow install to complete, server will prompt if reboot required.

NOTE: Either way, reboot is required to apply new authentication method.

 

Validate IISManager after reboot

Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.

 

From IISManager > Server > Authentication > Verify method is there and enabled

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

Verify Default Web Site Authentication setup

Verify Default Web site has Windows Authentication enabled.

 

Navigation steps:

IIS Manager > Expand Sites > Default Web Site > Authentication

Windows Authentication should be enabled, others disabled

Default Web Site Authentication showing Windows Authentication ONLY enabled
Default Web Site Authentication showing Windows Authentication ONLY enabled

Security – ODBC Vuln 175441

Security – ODBC Vuln 175441

Time to make the donuts!
Time to make the donuts!

Time to make the doughnuts again, new Security ODBC Vuln 175441 that needs to be mitigated.  Not sure if you ever saw the commercials, but this is where my mind goes sarcastic humor and all.  Whether you’re using ACAS/Tenable/Nessus for security scans, this may show up with your SCOM servers (MS, DB), and PowerBI Report Servers.

 

 

Let’s get started to upgrade ODBC

Action:  Security scan shows a new ODBC Vuln 175441, that may impact SCOM or PowerBI Report Server talking with SQL servers.

Start with some documentation, to understand what and why…

Tenable/Nessus Link to vulnerability

Download ODBC v18 here, v17 here

Outline of mitigation steps

What servers are vulnerable

Mitigate vulnerability on affected servers

Verify server Control Panel shows update

Have Security run additional scan to verify resolved

 

 

What servers are vulnerable?

We’re focused on the ‘Security – ODBC Vuln 175441’

 

Begin by looking at your Security scanning tool output (PowerBI report pictured).  I am also showcasing the PowerBI report, as this streamlines what the Security Admin has to provide when System Administrators (sysAdmin) reach out for debug/details.

ACAS/Tenable/Nessus scan PowerBI Report
ACAS/Tenable/Nessus scan PowerBI Report

 

In my case, I wanted to see what servers are impacted.  The PowerBI Report has a built-in ‘Deep Dive’ tab to see the details from the scan/check.  Click on the Deep Dive Tab, enter the PlugIn ID (175441 for ODBC) and hit enter.  This breaks out what servers are vulnerable.   Assess what servers are yours (my output simplified to show what I own with SCOM and PowerBI 🙂  Looking at the ‘NetBIOS Name’ column.  Alternatively, the admin typically has the scan tool email XLS files.

Access your ACAS/Tenable/Nessus scan deep dive tab (or PowerBI Report) to see how many systems are vulnerable.
Access your ACAS/Tenable/Nessus scan deep dive tab (or PowerBI Report) to see how many systems are vulnerable.

 

 

Mitigate vulnerability on affected servers

Download ODBC v18 here, v17 here

Save to share or common path to put file on affected server(s).

Once moved, login to affected server(s), typically RDP with Local Administrator equivalent admin ID

Open Windows Explorer > Copy ODBC MSI to server

Open PowerShell (as Admin) window > Go to path > Run ODBCMSI

PowerShell as Administrator steps
PowerShell as Administrator steps

 

 

Now the ODBC popup window for install

Note the screenshots and progress prompts

 

Click ‘I accept’ radio button and then click ‘Next’

ODBC EULA splash screen
ODBC EULA splash screen

 

 

Click Next to move beyond the ODBC features screen

ODBC Features screen
ODBC Features screen

 

 

Click on Install

ODBC Install prompt
ODBC Install prompt

 

 

Watch progress bar  (maybe 1-2 minutes)

ODBC Install Progress bar
ODBC Install Progress bar

 

 

Click Finished

ODBC Install finished
ODBC Install finished

Once the MSI installer window closes, it’s time to verify server Control Panel.

 

Verify server Control Panel shows update

Click on Start > Control Panel > Programs > Programs and Features

In the top right search bar, type ‘ODBC’ and hit enter to filter results.

 

Snapshot of Control Panel before

Control Panel with ODBC as the search string
Control Panel with ODBC as the search string

 

Snapshot of Control Panel after

Hit F5 to refresh screen output

ODBC Control Panel after install
ODBC Control Panel after install

 

The one question is if version 17 has to be removed to clear vulnerability.  Ran into this scenario with Java, as the update left old versions.

I typically reboot the server to reinitialize server to assess any impacts, as well as boot on the new drivers.   For this instance, I coordinated my July server updates were installed to simplify my admin (as both require reboot!)

 

Have Security run additional scan to verify resolved

Typically SME has scheduled scans that run weekly, and can run scans on-demand.  Depending on urgency, you can decide whether or not waiting is relevant.

Enjoy!

 

Microsoft links

Learn article here

Download ODBC v18 here, v17 here

PowerBI May 2023 install

PowerBI time baby!

Time to update PowerBI Report Server to PowerBI May 2023 update/install for PowerBI Desktop and Report Server!

 

Do you use PowerBI to render monitoring insights from SCOM, SolarWinds, ACAS/Tenable, ForeScout or more?   In case you didn’t know, PowerBI Report Server is the on-premise solution where updates from the PowerBI Cloud Service make way to prem at least twice a year.  Time to update to ‘PowerBI May 2023’ when you’re air-gapped, or just NOT to the cloud.  This post is how to upgrade PowerBI Report Server and PowerBI Desktop to the latest version.  This has been a few iterations in progress, and I couldn’t find any blog showing how to update these components.  NOTE: MDE/Intune/MECM/EM tools can be used to package this easily enough, but it’s typically a very small subset of servers used.

 

Grab a snapshot of PowerBI Report Server and Desktop Before MSI update/install

Before we upgrade to ‘PowerBI May 2023 install’ MSI’s –

Open Control Panel > Programs and Features > Search for Report (and hit enter)

Windows Server, Control Panel, Programs and Features before install
Windows Server, Control Panel, Programs and Features before install

 

Check PowerBI Desktop (shows before and after!)

Open Control Panel > Programs and Features > Search for ‘power’ (and hit enter)

PowerBI Desktop Windows Server, Control Panel, Programs and Features before install
PowerBI Desktop Windows Server, Control Panel, Programs and Features before install

 

 

Begin PowerBI Desktop update

Assuming you’ve downloaded the PowerBI updates and saved to relevant servers.  Check PowerBI blog here, PowerBI May2023 details and MSI download

 

Open PowerShell (as Admin)

Type .\PBIDesktopSetupRS_X64.exe and hit enter

Note the Pop-up MSI installer

PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install
PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install

 

 

Confirm EULA

Click ‘I Accept’ check box and then Next to continue Desktop install

PowerBI Desktop EULA
PowerBI Desktop EULA

 

Confirm Desktop Path

I changed to secondary drive to NOT fill up C: boot disk

PowerBI Desktop May2023 update path
PowerBI Desktop May2023 update path

 

 

Click Next to begin install

Click Next to begin install

PowerBI Desktop May2023 Next

PowerBI Desktop May2023 Next

 

Click Finish

Click Finish to complete update

PowerBI Desktop May2023 Finish
PowerBI Desktop May2023 Finish

 

 

 

PowerBI Desktop Reboot required prompts

PowerBI desktop prompted twice for reboot required

Click OK

PowerBI Desktop required reboot prompt first time
PowerBI Desktop required reboot prompt first time

Prompted again for reboot

PowerBI Desktop required reboot prompt
PowerBI Desktop required reboot prompt

Click OK

 

 

PowerBI Report Server update

Begin PowerShell window for PowerBI Report Server exe update

 

Check Version prior to install

Click on Start > Control Panel > Programs > Programs and Features

Type Report (and hit enter)

Verify version

PowerBI Report Server before update
PowerBI Report Server before update

 

 

PowerBI Report Server update

Check what’s installed before update

Check Control Panel > Programs > Programs and Features > Report (hit enter)

PowerBI Report Server updated
PowerBI Report Server updated

 

 

Begin Report Server install/update

From PowerShell as Administrator window > Type .\PowerBIReportServer.exe

Hit enter

NOTE: Similar popup output to PowerBI desktop pictured below

PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install

PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install

Choose Upgrade/Install PowerBI Report Server

PowerBI Report Server Upgrade/Install prompt

PowerBI Report Server Upgrade/Install prompt

Accept EULA

Click on ‘I accept’ radio checkbox

PowerBI Report Server EULA prompt
PowerBI Report Server EULA prompt

 

Report Server update installing

Watch while PowerBI Report Server updates

PowerBI Report Server Install progress
PowerBI Report Server Install progress

 

 

PowerBI Report Server reboot required

PowerBI Report Server prompts for reboot – ‘Restart required’

Click Close to reboot server

NOTE:  Optionally click on Restart.   Validate PowerBI Report server service is running via services.msc, and then check the PowerBI Report Server URL specified is functional.  This may still require server reboot! 

PowerBI Report Server Restart Required
PowerBI Report Server Restart Required

 

 

Additional verification of PowerBI Report Server install

Verify PowerBI Report Server updated from Windows Control Panel

Click on Start > Control Panel > Programs > Programs and Features

Type Power (and hit enter)

Verify the version number matches (unfortunately, Report Server does NOT list the version in the title)

PowerBI Report Server update complete
PowerBI Report Server update complete