V-237434 SCOM Web Console SSL Settings

No Soup for you! You have STIG findings :-(
No Soup for you! You have STIG findings 🙁

 

Much like the character from Seinfeld, finding out that the ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG Compliant (STIG’d), is just as tramatic as being hungry, and told ‘No soup for you!”  With all the many STIG findings, here’s a quick and dirty way to resolve the finding.

 

 

Vendor documentation

STIG V-237434

SCOM Web Console Authentication on learn.microsoft.com

Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022

 

V-237434 SCOM Web Console SSL Settings

STIG V-237434 requires trusted CA SSL certificates.  Previous July blog posts are related to the effort to secure the SCOM web console.  The redirect post forces HTTPS, complimenting this STIG finding.  As the STIG states, remediation verification that IIS web site binding is HTTPS, and remove HTTP.

 

Remediate SCOM servers with Web Console role

Assumption = SmartCards are used for authentication, this part is applicable, otherwise skip.

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

IIS Manager Default Web Site menu
IIS Manager Default Web Site menu

 

Click on SSL Settings

If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate.  Once complete, proceed below.

 

Click on SSL Settings > Check box to ‘Require SSL’

If menu is NOT greyed out, click radio button to ‘Accept’ client certificates

Click Apply

IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings
IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings

 

Click on Default Website on left hand pane

In the Actions Pane (right hand side), click on Restart to restart the IIS website

Restart IIS website from IIS manager actions pane
Restart IIS website from IIS manager actions pane

 

 

IIS Website bindings

Next pieces is to verify the SSL HTTPS binding is setup correctly.  In case you got disconnected, or rebooted the server

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

In the Actions pane on the top right, click on Bindings

IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS
IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS

 

Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)

Default website, Bindings selection showing HTTP if SCOM quick start followed
Default website, Bindings selection showing HTTP if following SCOM quick start

 

If HTTP ONLY, click the Add button

Change dropdown for Type to https

Enter Host Name

Click Select to choose the SSL cert

Click OK

Adding HTTPS Binding with server name, SSL cert drop down and selected
Adding HTTPS Binding with server name, SSL cert drop down and selected

 

Verify SSL certificate added

IIS HTTPS Bindings with SSL cert
IIS HTTPS Bindings with SSL cert

 

If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!

Have fun

Leave a Reply

Your email address will not be published. Required fields are marked *