Compare SolarWinds and SCOM

My Big Fat Greek Wedding - we're all just fruits! — My Big Fat Greek Wedding – we’re all just fruits!

I think of My Big Fat Greek wedding to ‘Compare SolarWinds and SCOM’. The wedding reception, where the father says the root of his daughter, and son-in-law’s last names, are from the greek word for Orange, and Apple. “so in the end, we’re all fruits” We are the same but different, where diversity and inclusion is key. Everyone’s got a voice. Contribute, don’t consume 🙂

First, I’ve been lucky to administer both tools for Fortune 100 companies (and more tools). Second, I hope this blog provides some clarification of the strengths, weaknesses, and costs associated with both tools. Here’s hoping wordpress readers identify with my background – saving money, cutting coupons, looking for on-sale, buy one get one deals. Thirdly, while everyone’s past experiences may not be the same, cost is still a big factor. Lastly, proprietary tools, Security, and other requirements can make or break an implementation.

Here’s a link to a PPT built to ‘Compare SolarWinds and SCOM’ feature wise, that goes along with ‘My Big Fat Greek Wedding’ and the fruit. PPT title ‘better together’, is loaded with links and breaking out key capabilities.

Some items NOT covered in the PPT comparison

Example context – SAW/PAW/Red Forest

Both tools can store credentials within the application, obfuscated.

SCOM allows gMSA’s (managed service accounts) for key services including run as accounts. View the Monitoring Guys blog plug here for CJ, Scott, and Tyson’s contributions 😛

COST

SolarWinds small enterprise example

Windows Server, SQL licenses (no cost given)

Monitors Windows, Non-Windows, Microsoft products

Community of custom application monitoring

Renewal cost per year in 2020 $48K/year

Add HA for SQL Enterprise licenses is same, where SW HA/High availability is the SolarWinds cost, not compute licenses for Windows Server, SQL

***500 license SAM, VOIP, IPAM, NPM/NCM.

Redesigning licensing to unlimited (site license) was $344K

Wow! Site licenses cost considerably more.

Though for clarification, 500 licenses equates to 500 monitors targeted at 500 servers.

Add unlimited VMAN, DPA, SCM, VNQM adds $256K

Migrate functionality to site license ($48K > $344K)

Adding SolarWinds features with site unlimited licenses

SCOM small enterprise example

Windows Server, SQL licenses (no cost given)
No license limitation for products/features used, community built solutions

Monitors Windows, Non-Windows, Microsoft products

Large community of custom application monitoring

No yearly support costs (included with Microsoft support agreement)

SQL Enterprise licenses is same, where SW HA/High availability is the SolarWinds cost, not compute licenses for Windows Server, SQL

ESX monitoring via NiCE VMWare 3rd party pay pack is $10K/year
OpsLogix Teams integration helps with NOC/NOSC/SOC integration
Including NiCE Oracle monitoring $10k/year

I’ll leave the cost comparisons to you.

Securing the Applications and web consoles

SolarWinds (SW)

Secure SW website search, Smart Cards post, 2FA/MFA/RSA post

NPM (now N-Able RMM – Remote Management & Monitoring)

NCM Thwack forum

SCOM web console

Did you know – gMSA’s (managed service accounts) can be used with SCOM, Windows, AD, etc? Monitoring Guys blog plug here for CJ, Scott, and Tyson 😛

Configuring AD Delegation, Smart cards and SSL certs (Client Certificate Mapping Authentication, IIS configuration, FIPS

Knowledge sources: Learn.Microsoft.Com, TechNet, blogs, STIG Library and more

Vulnerability mitigation

SCOM vulnerability mitigations Blog vuln search, SCOM STIGs plus IIS, Windows Server, SQL, WebServer ALL apply

Solarwinds vulnerability – Trust Center – CVE2023-23836, CVE2021-35211, CVE-2023-33231, all from searches.

NO DISA STIG for SolarWinds, so IIS, Windows Server, SQL, WebServer ALL apply

NOTE: I’ve NOT supported SolarWinds recently to see Security scans for other vulnerabilities and STIG settings (Windows Server, SQL, IIS, Network blog. STIG dashboard ‘how to’

Licensing

Licensing is a big differentiator cost wise

SolarWinds needs an EA for Windows Server, SQL licenses.

SCOM has been part of the EA (Enterprise agreement) for at least 15+ years (since SCOM2007, if not MOM2005). Windows Server license (now CPU based), SQL license, however NOT enterprise comes standard. One reason the System Center suite is successful might be this built-in licensing, as well as the feature depth and cost the tools provide.

Hardware requirements

In my experience interacting with customers, SolarWinds support recommends hardware configuration well above vendor recommendations. Support recommendations requesting high compute to provide memory level SQL speed and responsive web console. However, the compute is basically ESX host level compute in the realm of 128GB of memory per server, in High Availability (HA), meaning x4 – 2 servers for 2 sites.

Monitoring tools are rarely Tier1 Applications with respective Service Level Availability (SLA). Expectation alone presents a disparity, and false impression. People just see a tool and base on personal experience.

Ferrari vs. GMC Cyclone - fooled you eh — Ferrari vs. GMC Cyclone – fooled you eh

Is it really surprising if one is faster than the other?

SQL query Plan howto

SQL Query Plan - can't you do anything right? — SQL Query Plan – can’t you do anything right?

Ever need to build out a capability and the SQL query is your blocker? Use a SQL query Plan ‘howTo’ to figure out what’s taking query so long. My thanks to Dennis Zwahlen (a Data and AI CSA – LinkedIn ) helping me figure out what was causing a SCOM DW SQL query to render data VERY slowly!

Don’t get me wrong, the sheer volume of events is definitely part of the problem. Event rules are using expressions to further restrict collected event data.

SCOM DW Events ingested for DC Security Events when SIEM is a limit, and NOT using ACS feature. Will discuss the SCOM DW Event ingestion and additional XML authoring options to turn down the pressure.

Time to use the ‘SQL query Plan howto’ blog for SQL execution plan, to help to figure out why the DW Query takes so long. Using the execution plan, similar to SQL profiler, will provide insight to possibly speed up query, allowing PowerBI app/report rendering of data.

From SSMS > View > Add Display Estimated Execution Plan

SQL execution plan starting from the left documenting SQL query

SQL query plan starting from the left documenting SQL query

Sort is taking 4.5 minutes in this example of the SQL execution plan visual. You can see moving right from the Join lines documents how SQL behaves, and how each piece affects overall execution.

SQL query plan starting moving right from the left documenting SQL query

Hope this helps for another diagnostic SQL step in your tool box!

Vuln 178852 OLE DB driver

VulnID 178852 - Vulnerable to hackers - SQL OLE DB Driver update required — VulnID 178852 – Vulnerable to hackers – SQL OLE DB Driver update required

Got another vulnerability pop up on the last scan. ‘Vuln 178852 OLE DB driver’ has vulnerabilities and needs updated. My experience links this NOT to ODBC vuln 175441, thereby related to added capabilities and drivers installed with SSMS v19. NOTE: OLE has a pre-req of the new Visual C++ Redistributable x86 and x64 bits. Let’s mitigate Vuln 178852 OLE DB driver update!

Quick outline of steps with Vuln 178852 OLE DB driver

Download the bits (and copy to repository and servers for install)

Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe)

Update MSOLEDB drivers (x64 and possibly x86)

Re-scan to validate remediated!

Download the bits

Download Microsoft OLE DB Driver for SQL Server – OLE DB Driver for SQL Server | Microsoft Learn

https://learn.microsoft.com/en-us/sql/connect/oledb/download-oledb-driver-for-sql-server?view=sql-server-ver16

Latest supported Visual C++ Redistributable downloads | Microsoft Learn

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170

Latest supported Visual C++ Redistributable downloads | Microsoft Learn

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#visual-studio-2015-2017-2019-and-2022

Once downloaded, copy the OLE DB Driver and VC Redistributable EXE’s for x64 and x86 to the affected servers. Search for OLE first, to assess OLE and Redistributable versions currently installed.

Assess ‘Vuln 178852 OLE DB driver’ updates on affected servers

Log into the server(s)

From Control Panel > Programs > Programs and Features > Search for ‘ole’ to see Redistributable versions

Check Control Panel for OLE DB Version

Check Redistributable version

From Control Panel > Programs > Programs and Features > Search for ‘Red’ to see Redistributable versions

If you don’t upgrade Visual C++ Redistributable first, you’ll get this setup error

Executing OLE DB Driver update pre-requisite error for Visual C++ Redistrubutable update

Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe

First, we have to install the Visual C++ updates to the server before we can update the driver.

From PowerShell (as admin) on affected servers

Go to saved directory for EXE and MSI files

PowerShell as admin > go to directory > run the EXE

Click the Check box to EULA ‘I agree’

At the Visual C++ Redistributable EULA splash screen

Check agree checkbox, then click Install button lower right

Visual C++ Redistributable EULA splash screen to check agree checkbox, then click on Install

Update installing

VC_Redistributable installing screenshot

Click Restart button (when in approved change window)

Click Restart when in change window to reboot server for Visual C++ update to apply

Restart server

Update VC_Redist.x86.exe

Second part, if applicable x86 library is installed, is to update.

Install next pre-req, if server contained both x86 and x64 bits for the ‘Vuln 178852 OLE DB driver’

From PowerShell (as admin) on affected servers:

Go to saved directory for EXE and MSI files

.\VC_redist.x86.exe

Powershell as admin window initiating the Visual C++ Redistributable x86 exe

Click the Check box to EULA ‘I agree’

At the Visual C++ Redistributable EULA splash screen

Check agree checkbox, then click Install button lower right

Click on 'I agree' checkbox, and click Install button to begin the x86 Visual C++ Redistributable update — Click on ‘I agree’ checkbox, and click Install button to begin the x86 Visual C++ Redistributable update

Update installing

Screenshot installing the x86 Visual C++ Redistributable update

Update complete

Screenshot showing successful install of the x86 Visual C++ Redistributable update

Update MSOLEDB drivers

Third, assess first if you need x64 AND x86 drivers (my example is only x64)

Start by checking the Control Panel > Programs > Programs and Features > search for ole (and hit enter)

Control Panel > Programs > Programs and Features > searching for ole, showing old v18

From PowerShell (as admin) on affected servers

Go to saved directory for EXE and MSI files

Open MSI to begin install

PowerShell as Admin running the ole MSI install

Click Next if you get the ‘User Account Control’ (UAC) prompt to initiate MSI install

OLE MSI Install - User Account Control (UAC) prompt to initiate MSI install — OLE MSI Install – User Account Control (UAC) prompt to initiate MSI install

Click Next

Click ‘I agree’ radio button and Click Next

OLE MSI Install, EULA splash screen to check 'I Agree' radio button and click Next — OLE MSI Install, EULA splash screen to check ‘I Agree’ radio button and click Next

Next, on the OLE MSI install, click next to accept default features (just the driver install)

Click Install to begin driver install

OLE driver install completed, click Finish

Verify Control Panel for OLE driver install and version

Lastly, assess server and application requirements to verify if the old OLE driver is okay to remove from system to clear vulnerability. The old OLE driver on my system was installed the day I installed SSMS v19.x

Back to your Control Panel > Programs > Programs and Features window

Change search to OLE in the top right > hit enter

Click Delete on old version

On the Warning popup window, click continue

Control Panel view showing two OLE drivers, reflecting the newly installed, and the old version

At the UAC prompt, click Yes

Once complete, verify Control Panel window

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym? FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’

The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files. The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022). As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files. My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’. Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480

Download files

Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is SCOM Default folder on non-system disk @

D:\Program Files\System Center\Operations Manager\Server

Update the registry on relevant servers

Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key

PowerShell Verification:

$RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

Example Output

PS C:\> $RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

PS C:\> $FIPSEnabled

PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

FIPS disabled

PowerShell to set the registry key:

Blog link

$registryPath = “HKCU:\Software\ScriptingGuys\Scripts”

$Name = “Version”

$value = “1”

New-ItemProperty -Path $registryPath -Name $name -Value $value `

-PropertyType DWORD -Force | Out-Null

Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’

Relevant links and documentation of ‘STIGs for SCOM FIPS compliance on Windows’

Download from blog here (Link https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified server2016,2019 per learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/

Updating SQLserver packs to v7.2.0.0

Quick public service announcement – remove the SQL Server Core Custom Monitoring pack before ‘updating SQLServer packs to v7.2.0.0’! Read to save time and frustration, before importing the packs, as the previous 7.0.42.0 pack isn’t upgradable to v7.2.0.0.

Updating SQL server packs to v7.2.0.0

Download links for SQL Server with SSIS, Dashboards, SSAS, SSRS

Check Holman’s GitHub Repo for a newer SQL ‘runAs’ pack

Run the MSI’s and copy the files to your file repository on the MS.

If you created custom SQL monitors, backup (export) override pack(s).

Remove the SQL Server Core Custom Monitoring pack.

Import packs and enjoy!

This ends the ’emergency broadcasting system’ Updating SQL server packs to v7.2.0.0

V-237434 SCOM Web Console SSL Settings

No Soup for you! You have STIG findings :-( — No Soup for you! You have STIG findings 🙁

Much like the character from Seinfeld, finding out that the ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG Compliant (STIG’d), is just as tramatic as being hungry, and told ‘No soup for you!” With all the many STIG findings, here’s a quick and dirty way to resolve the finding.

Vendor documentation

STIG V-237434

SCOM Web Console Authentication on learn.microsoft.com

Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022

V-237434 SCOM Web Console SSL Settings

STIG V-237434 requires trusted CA SSL certificates. Previous July blog posts are related to the effort to secure the SCOM web console. The redirect post forces HTTPS, complimenting this STIG finding. As the STIG states, remediation verification that IIS web site binding is HTTPS, and remove HTTP.

Remediate SCOM servers with Web Console role

Assumption = SmartCards are used for authentication, this part is applicable, otherwise skip.

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

Click on SSL Settings

If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate. Once complete, proceed below.

Click on SSL Settings > Check box to ‘Require SSL’

If menu is NOT greyed out, click radio button to ‘Accept’ client certificates

Click Apply

IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings

Click on Default Website on left hand pane

In the Actions Pane (right hand side), click on Restart to restart the IIS website

Restart IIS website from IIS manager actions pane

IIS Website bindings

Next pieces is to verify the SSL HTTPS binding is setup correctly. In case you got disconnected, or rebooted the server

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

In the Actions pane on the top right, click on Bindings

IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS

Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)

Default website, Bindings selection showing HTTP if SCOM quick start followed — Default website, Bindings selection showing HTTP if following SCOM quick start

If HTTP ONLY, click the Add button

Change dropdown for Type to https

Enter Host Name

Click Select to choose the SSL cert

Click OK

Adding HTTPS Binding with server name, SSL cert drop down and selected

Verify SSL certificate added

If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!

Have fun

SCOM Web Console Authentication settings

SCOM Web Console authentication settings discussion! Let’s go through standard IIS authentication settings like disabling Anonymous Authentication, and enabling Windows Authentication, AD Client Certificate Authentication, and binding providers (Negotiate before NTLM). Ready to begin?! A shout out to Alden Hatten as we worked through this and resetting the Web Console run here recently, that brought up the urgency to document.

Vendor documentation

Learn.Microsoft.Com link, SCOM2019 link

SCOM TechCommunity post for context

Kevin Holman’s SCOM QuickStart guides for SCOM 2019, 2022 (Including WebConsole default setup steps)

SCOM Web Console Authentication settings defaults

RDP to server with SA or Local admin level account

Go into IISManager > Expand the tree to then click on ‘Default Web Site’

Click on Authentication

IIS Manager output for ‘Default Web Site’

IISManager Default Authentication settings

SmartCard aka AD Client Certificate Authentication defaults

In IIS Manager for the server > Click on Authentication

Verify AD Client Certificate Authentication is added and enabled.

IIS Manager Authentication, with SmartCard or Client Certificate Authentication

Windows Authentication

Set Authentication Providers order

From IIS Manager > Expand Default Web Site

Click on Authentication > Click on Providers at the top right

If Negotiate is not on top, highlight, and click Move Up button > Click OK to set. Restart IIS to make setting take effect ( also use iisreset from command prompt or PowerShell )

NOTE: Anonymous Authentication should be disabled!

IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top

If screenshot is your setup, close the Providers window

After reviewing these authentication settings, you should be one step closer to encrypted authentication.

Enjoy!

SCOM WebConsole HTTP Redirect

Use this post when the SCOM WebConsole gets flagged for HTTP Redirect. The IIS configuration is pretty easy to set up. When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding. Use the Microsoft learn site for more details.

Add HTTP Redirect role from Server Manager

Time to Configure ‘SCOM WebConsole HTTP Redirect’

RDP to server, open Server Manager

Click on Manage on top right

Click Next on the ‘before you begin popup’

Click Next

Click Next

Server Manager Destination Manager screen

Expand the ‘Web Server’ drop down menu

Expand Web Server drop down menu

Expand Common HTTP Features

Check box for HTTP Redirection

Server Manager Roles expanding Web Server for HTTP Redirect

Click Next

Server Manager HTTP Redirection check box selected

Click Next at the Features tab

Click Install to install the feature

NOTE the checkbox to ‘Restart if required is NOT selected’

Most change processes don’t allow this on the fly (unplanned outage)

Wait while the feature(s) install

Click Close once complete

Server Manager feature install in progress

Setup Redirection in IIS Manager

Open IISManager

NOTE If IISManager was open before the feature was closed, exit and open IISManager again. IISManager refresh does NOT make HTTP Redirect reappear (even if restarting IIS service).

Click on your webServer > Double click on HTTP Redirect

IISManager HTTP Redirect Default splash screen

Check the ‘Redirect requests to this destination:’ check box

Enter the WebConsole URL for your installation.

NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager

Check the two (2) boxes for Redirect behaviors

IISManager HTTP Redirect configuration screen

Click Apply

Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.

Verify HTTP Redirect after reboot

After reboot, verify current settings (shown are default)

Click on ‘Default WebSite’ dropdown > Select HTTP Redirect

Verify HTTP Redirect is configured in IIS Manager

Contact Security team to re-scan server

Happy mitigating!

SCOM WebConsole settings for Kerberos AD Delegation

I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication

Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation. I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication. Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)

If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter

“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action. Use the steps below to configure relevant SCOM or PowerBI servers.

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName> and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process

Verification of delegation settings

ADUC Delegation flags with SCOM MS processes selected.

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in. NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>, select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both as FQDN and the NetBIOS names are in the SPN

Select OK.

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

ADUC Delegation Add Services > HTTP, WWW

Select OK.

ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)

SCOM WebConsole settings for authentication

Auto Pilot for SCOM web console — Airplane movie – AutoPilot with SCOM Web Console settings

Makes me think of the scene from Airplane with the AutoPilot blow-up, similarly parallel to engineer experiences talking about the SCOM Web Console configuration. I’m ready to dispel some myths to document securing the ‘SCOM Web Console for authentication’

Quick outline

Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’

Configuring SSL certs and Smart Cards (this post)

Configuring Kerberos and AD delegation (next post)

Verifying WebConsole functionality blog posts – ReDirect, Authentication, SSL and Bindings

Mitigating SCOM vulnerabilities – Java, HSTS, ODBC

Knowledge Articles

How to Install Web Console from learn.microsoft.com for SCOM 2019, 2022

Holman’s SCOM quick start install guides for SCOM 2019, 2022

IIS Manager Authentication from learn.microsoft.com

Configuring SSL Certs and Smart Cards

Setup ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods. I’ve setup the web console role with defaults, then come back later. Holman’s quick start lets you complete the role with default HTTP setup. After that, we add an SSL cert for HTTPS. Thirdly, employ aliases, or F5 load balancers to simplify user experience accessing the console. Fourth, setup SmartCards to help secure, also Kerberos authentication/delegation.

Part 1 – Start with the SSL certificate for https

Setup the ‘SCOM WebConsole settings for authentication’, beginning with a SSL certificate request for the server(s) in question. Add any SAN names/aliases you want (if not load balanced).

NOTE:

Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization. Generally, external certificates require manual effort executing the certreq script.

Sample SSL certificate

Less typing means less typos

Below SSL certificate example with any SAN names/aliases (if not load balanced). Simplify the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager

IIS manager server certificates with SAN DNSName aliases included.

Part 2 – Add authentication Smart Card in IIS

Next! – I will set up SmartCard role in ‘SCOM WebConsole settings for authentication’. Additionally, review the Learn.microsoft.com site for IIS here.

Compatibility

Version	Notes
IIS 10.0	The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5	The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0	The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5	The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0	The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0	The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.

Add the Client Certificate feature for the SCOM Web Console

Let’s add SmartCard authentication capability.

Open Server manager >

Click on Manage > Add roles/features (top right)

Scroll to the top right, and click on Manage, then 'Add Roles or features' — Scroll to the top right, and click on Manage, then ‘Add Roles or features’

Click Next twice to get to the Server Roles

Server Manager > Server Roles tab output

Expand Web Server drop down

SCOM Web Console Authentication installing Client Certificate Mapping role

Click the box to check ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice (2) [ two times ]

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Click Install (mine is greyed out as it’s enabled)

Allow install to complete, server will prompt if reboot required.

NOTE: Either way, reboot is required to apply new authentication method.

Validate IISManager after reboot

Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.

IIS Authentication with Client Certificate Authentication (after role installed)

After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.

From IISManager > Server > Authentication > Verify method is there and enabled

Verify Default Web Site Authentication setup

Verify Default Web site has Windows Authentication enabled.

Navigation steps:

IIS Manager > Expand Sites > Default Web Site > Authentication

Windows Authentication should be enabled, others disabled

Default Web Site Authentication showing Windows Authentication ONLY enabled

Some items NOT covered in the PPT comparison

COST

Securing the Applications and web consoles

Vulnerability mitigation

Licensing

Hardware requirements

Quick outline of steps with Vuln 178852 OLE DB driver

Download the bits

Assess ‘Vuln 178852 OLE DB driver’ updates on affected servers

Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe

Update VC_Redist.x86.exe

Update MSOLEDB drivers

Verify Control Panel for OLE driver install and version

Other documentation

Install DLL for STIGs for SCOM FIPS compliance on Windows

Update the registry on relevant servers

Relevant links and documentation of ‘STIGs for SCOM FIPS compliance on Windows’

Updating SQL server packs to v7.2.0.0

V-237434 SCOM Web Console SSL Settings

Remediate SCOM servers with Web Console role

IIS Website bindings

Vendor documentation

SCOM Web Console Authentication settings defaults

SmartCard aka AD Client Certificate Authentication defaults

Windows Authentication

Add HTTP Redirect role from Server Manager

Setup Redirection in IIS Manager

Verify HTTP Redirect after reboot

Documentation

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

Verification of delegation settings

PowerBI Report Server

Quick outline

Knowledge Articles

Configuring SSL Certs and Smart Cards

Part 1 – Start with the SSL certificate for https

Less typing means less typos

Part 2 – Add authentication Smart Card in IIS

Compatibility

Add the Client Certificate feature for the SCOM Web Console

Verify Default Web Site Authentication setup