SCOM SSRS permissions

Microsoft SQL Server SSRS icon

Let’s discuss SCOM SSRS permissions.  The SCOM Reporting role install really comes down to three (3) things – permissions, latest SSRS EXE downloaded (for install 2019, 2022), and ReportExtensions configuration.  I’ve hit some permission issues that need more ‘how to’ details.

 

Set SCOM Admins group permissions

Whether the permissions are set up as part of a group policy (GPO) or not, if these steps are missing, expect problems.

Verify that your SCOM Admins domain group is a local administrator on the SCOM servers (SSRS server in this case)

Right click on Start > Computer Management

Expand System Tools

Expand Local Users and Groups

Click on Groups

Double click on Administrators

Verify SCOM Admins group, or specific service/MSA accounts are listed

Computer Management with Administrators group properties documenting relevant members which include the SCOM Admins group, and any other SQL related service accounts.

Click OK

 

 

Set SQL Instance permissions for SCOM Admins group

Reference Holman’s QuickStart > Install SCOM Reporting Role…

  • Log on using your domain user account that is a member of the OMAdmins group, and has “sysadmin” role level rights over the SQL instance.

RDP to server with SSMS that connects to SQL server

Connect to Database Engine

Expand the instance, then expand the Security folder, then expand the Logins folder

Right click on the SCOM Admins group and select properties

In the pop-up, click on SQL Server Role

Verify that sysAdmin

View of SSMS Database Engine showing SCOM Admins group SQL Server Role has sysAdmin

Follow similar steps if using a domain connected SVC/MSA account when configuration differs from Holman’s QuickStart template.
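The two GUI checks above (local Administrators membership and the sysadmin server role) can also be scripted. This is an added example, not code from the original post or from Holman's guide; the group name CONTOSO\SCOM Admins and the instance name SQL01 are placeholder assumptions.

```powershell
# Added example: scripted version of the GUI checks above (Windows PowerShell 5.1).
# ASSUMPTIONS: 'CONTOSO\SCOM Admins' and 'SQL01' are placeholders for your
# SCOM Admins group and SQL instance; run as an account that can read both.

function Test-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Principal)
    # Direct members of the local Administrators group (same list as Computer Management).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    [bool]($members | Where-Object { $_.Name -eq $Principal })
}

function Test-SqlSysadmin {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$Login
    )
    # Same membership SSMS shows on the login's server role page.
    $query = @'
SELECT COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND m.name = @login;
'@
    $connectionString = "Server=$Instance;Database=master;Integrated Security=True"
    $conn = [System.Data.SqlClient.SqlConnection]::new($connectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        # Parameterized so the login name is never concatenated into the SQL text.
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        [int]$cmd.ExecuteScalar() -gt 0
    }
    finally { $conn.Dispose() }
}

$group = 'CONTOSO\SCOM Admins'    # placeholder group name
[pscustomobject]@{
    Principal   = $group
    LocalAdmin  = Test-LocalAdminMember -Principal $group
    SqlSysadmin = Test-SqlSysadmin -Instance 'SQL01' -Login $group    # placeholder instance
}
```

Run it on the SSRS server for the local check; the SQL check only needs network access to the instance and an account allowed to read server role membership.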

 

Additional troubleshooting from the SCOM install can be found in the user’s directory – C:\Users\<accountHere>\AppData\Local\SCOM\LOGS

 

Find additional details in the SQL install logs

C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\LogFiles

NOTE that the Instance and version 'MSRS13.MSSQLSERVER' can change

 

 

Additional documentation and relevant links

The go-to reference is Holman’s QuickStart deployment guides for SCOM 2019 forward, which list the how-to starting point.

Holman Quick Start links:

https://kevinholman.com/2022/05/01/scom-2022-quickstart-deployment-guide/

https://kevinholman.com/2019/03/14/scom-2019-quickstart-deployment-guide/

 

SSRS learn.microsoft.com site article https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/cannot-deploy-operations-manager-reports

SSRS Error occurred when invoking the authorization extension https://learn.microsoft.com/en-us/answers/questions/266488/installing-scom-2019-reporting-ssrs-2019-error-an

Update SCAP tools

DISA Security Content Automation Protocol

 

One more admin process and workflow is to ‘update SCAP tools’ on servers.  Often overlooked, keeping the newest version installed on servers can save many headaches.

 

 

Check DOD Cyber Exchange

Check the website here, search for Win in SCAP tools, then download and install

SCAP tool download from DOD Cyber Exchange public website.

 

Navigation steps:

Control Panel > Programs > Programs and Features

In the search bar (top right) enter scap (and hit enter)

 

SCAP Control panel output showing multiple versions installed.  Need to install latest application, then remove the old versions (in this case, all three!)

SCAP Control panel output showing multiple versions installed.

 

 

Install SCAP application

Extract files from ZIP

Copy folder to repository (my path example below)

Save SCAP zip and files to folder repository and on server to install SCAP on.


 

 

Run SCAP application

Take the defaults (unless you want the checker icon on desktop).  Run SCAP application from PowerShell (as admin) window.

Open PowerShell as admin window

 Example:

cd "D:\MonAdmin\STIGS\scc-5.7.2_Windows"; gci; .\SCC_5.7.2_Windows_Setup.exe

Hit enter to begin install

Run SCAP install from PowerShell (as admin) window.

 

On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.

SCAP EULA radio button application install screen.

 

Select Destination location (preferably on non-system disk), and click Next

Change path to non-system disk (like d:)

SCAP Destination Location Application install window.

 

From the ‘Select Components’ window, click Next

SCAP Select Components application install window.

 

Click Next on the Setup Start Menu folder window

SCAP Start Menu folder install window

 

On the SCAP select additional tasks install window, click Next 

SCAP select additional tasks install window

 

Click Install on ‘Ready to install’ popup screen

SCAP Ready to Install popup screen.

 

 

With the new SCAP tool Install window, click Finish to complete.

SCAP tool install finished splash screen.

 

 

Refresh Control Panel SCAP search

Remove old versions

Click Continue and go through removal prompts

SCAP control panel remove old version with prompt to continue.

 

With the Uninstall screen, click Yes to uninstall.

SCAP uninstall yes/no screen

 

Click OK on uninstall

Old SCAP uninstall completed.

 

 

Check Control Panel for SCAP installs

Verify control panel only has latest version installed.  Close out Programs and Features window

Windows Control Panel, Programs and Features, SCAP search for new version install
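The Control Panel check for leftover versions can be repeated from PowerShell. This is an added example, not part of the original post; it assumes SCC registers under the machine-wide Uninstall registry keys with "SCAP" in its DisplayName, and the sample rows are constructed.

```powershell
# Added example: find every installed SCAP Compliance Checker (SCC) entry and
# mark all but the newest as stale, the same cleanup done by hand above.
# ASSUMPTION: SCC registers under the machine-wide Uninstall keys with 'SCAP'
# in DisplayName, matching the 'scap' search in Programs and Features.

function Get-InstalledScap {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SCAP*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function ConvertTo-SafeVersion {
    param([string]$Text)
    $parsed = $null
    # Missing or unparseable versions sort lowest, so they are flagged rather than kept.
    if ([version]::TryParse($Text, [ref]$parsed)) { $parsed } else { [version]'0.0' }
}

function Get-ScapCleanupPlan {
    param([object[]]$Installed)
    # Compare as [version], not as text, so 5.10 would rank above 5.9.
    $sorted = @($Installed | Sort-Object { ConvertTo-SafeVersion $_.DisplayVersion } -Descending)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $action = 'Remove'
        if ($i -eq 0) { $action = 'Keep (newest)' }
        [pscustomobject]@{
            DisplayName    = $sorted[$i].DisplayName
            DisplayVersion = $sorted[$i].DisplayVersion
            Action         = $action
        }
    }
}

# Constructed sample rows (not real inventory) so the logic can be tried anywhere.
$sample = @(
    [pscustomobject]@{ DisplayName = 'SCAP Compliance Checker 5.4';   DisplayVersion = '5.4' }
    [pscustomobject]@{ DisplayName = 'SCAP Compliance Checker 5.7.2'; DisplayVersion = '5.7.2' }
    [pscustomobject]@{ DisplayName = 'SCAP Compliance Checker 5.6';   DisplayVersion = '5.6' }
    [pscustomobject]@{ DisplayName = 'SCAP Compliance Checker (old)'; DisplayVersion = '' }
)
Get-ScapCleanupPlan -Installed $sample | Format-Table -AutoSize

# On a server, feed it the real registry data instead:
# Get-ScapCleanupPlan -Installed (Get-InstalledScap) | Format-Table -AutoSize
```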

 

 

Review SCC (SCAP Compliance Checker) Release Notes

SCAP release Notes details

 

Verify SCAP application functionality

Click on Start > start typing SCAP > Click on SCAP Compliance Checker

SCAP Compliance Checker

 

From the SCAP checker UAC prompt, click Yes to continue

SCAP checker UAC prompt, click Yes to continue

 

Click OK to end the install

SCAN new features popup after install

 

 

Run Local Scan

Run local scan to prove functionality.

Select STIG(s) in the middle pane > Click Start Scan

Run SCAP scan against server, choose your STIGs and Start Scan

 

Verify SCAP tool modified files after installation

Recheck Windows Explorer for OpenSSL; look at file properties for version details.  Interesting, NONE of these files have versions (openssl, x509 searches show nothing file version wise)

Verify SCAP tool modified files after installation

 

Ask the Security Admin to re-scan!

 

 

Documentation/Links

DOD Cyber Exchange https://public.cyber.mil/stigs/scap/

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound, where Tom Hanks says LT Flipper instead of Fippler.  All that said, it has ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’.

 

The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’ is obtaining the files.  The bundled SCOM ISOs since 2012 SP1 do NOT contain the gacutil and cryptography DLL files needed to resolve STIG V-220942 (Win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022).  As much as we want to resolve ‘STIGs for SCOM FIPS compliance for Windows Server’, we have to start with finding the relevant files.  My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj for their involvement and clarification.

 

 

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’.  Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480

 

Download files

Download the files from the blog download link, from the old ISOs (to obtain the DLL) and the server ISO (for gacutil), or from the my.visualstudio.com link

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

 

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is SCOM Default folder on non-system disk @

D:\Program Files\System Center\Operations Manager\Server

 

Update the registry on relevant servers

Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

 

STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key

 

PowerShell Verification:

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"

[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

if ( $FIPSEnabled -eq 0 ) { Write-Host "FIPS disabled" }

 

Example Output

PS C:\> $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"

PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

PS C:\> $FIPSEnabled

0

PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host "FIPS disabled" }

FIPS disabled

 

 

PowerShell to set the registry key:

Blog link

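# Path, name and value are the ones the STIG text above calls for (Enabled = 1)
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"

$Name = "Enabled"

$value = 1

New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType DWORD -Force | Out-Null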

 

 

 

Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’

 

 

 

Relevant links and documentation of  ‘STIGs for SCOM FIPS compliance on Windows’

Download from blog here (Link  https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified server2016,2019 per learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/

 

 

 

 

SCOM Web Console Authentication settings

Authentication Authentication Authentication! SCOM Web Console authentication settings

 

SCOM Web Console authentication settings discussion!  Let’s go through standard IIS authentication settings like disabling Anonymous Authentication, and enabling Windows Authentication, AD Client Certificate Authentication, and binding providers (Negotiate before NTLM).  Ready to begin?!  A shout out to Alden Hatten as we worked through this and resetting the Web Console run here recently, that brought up the urgency to document.

 

 

Vendor documentation

Learn.Microsoft.Com link, SCOM2019 link

SCOM TechCommunity post for context

Kevin Holman’s SCOM QuickStart guides for SCOM 2019, 2022 (Including WebConsole default setup steps)

 

 

SCOM Web Console Authentication settings defaults

RDP to server with SA or Local admin level account

Go into IISManager > Expand the tree to then click on ‘Default Web Site’

Click on Authentication

IIS Manager output for ‘Default Web Site’

IISManager Default Authentication settings

 

 

SmartCard aka AD Client Certificate Authentication defaults

In IIS Manager for the server > Click on Authentication

Verify AD Client Certificate Authentication is added and enabled.

IIS Manager Authentication, with SmartCard or Client Certificate Authentication

 

 

Windows Authentication

Set Authentication Providers order

From IIS Manager > Expand Default Web Site

Click on Authentication > Click on Providers at the top right

If Negotiate is not on top, highlight it and click the Move Up button > Click OK to set.  Restart IIS to make the setting take effect (iisreset from a command prompt or PowerShell also works)

NOTE: Anonymous Authentication should be disabled!

IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top

If screenshot is your setup, close the Providers window
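The same settings can be audited without clicking through IIS Manager. This is an added example, not from the original post; it assumes the site is named Default Web Site and that the WebAdministration module is available, and the sample values at the end are constructed.

```powershell
# Added example: audit the IIS authentication settings described above.
# ASSUMPTIONS: site name 'Default Web Site'; WebAdministration module (IIS role) present.

function Get-AuthAttribute {
    param([string]$Section, [string]$Name, [string]$Location)
    $p = @{
        PSPath = 'MACHINE/WEBROOT/APPHOST'
        Filter = "system.webServer/security/authentication/$Section"
        Name   = $Name
    }
    if ($Location) { $p.Location = $Location }    # omit for server-level settings
    (Get-WebConfigurationProperty @p).Value
}

function Get-WebConsoleAuthSettings {
    param([string]$Site = 'Default Web Site')
    Import-Module WebAdministration -ErrorAction Stop
    $q = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = $Site
        Filter   = 'system.webServer/security/authentication/windowsAuthentication/providers'
    }
    $providers = (Get-WebConfiguration @q).Collection
    @{
        AnonymousEnabled  = [bool](Get-AuthAttribute anonymousAuthentication enabled $Site)
        WindowsEnabled    = [bool](Get-AuthAttribute windowsAuthentication enabled $Site)
        # AD Client Certificate Authentication is checked at server level, as in the steps above.
        ClientCertEnabled = [bool](Get-AuthAttribute clientCertificateMappingAuthentication enabled)
        Providers         = @($providers | ForEach-Object { $_.Value })
    }
}

function Test-WebConsoleAuth {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    if ($Settings.AnonymousEnabled)      { $findings += 'Anonymous Authentication is enabled' }
    if (-not $Settings.WindowsEnabled)   { $findings += 'Windows Authentication is disabled' }
    if (-not $Settings.ClientCertEnabled) { $findings += 'AD Client Certificate Authentication is disabled' }
    $first = @($Settings.Providers)[0]
    if ($first -ne 'Negotiate') { $findings += "Negotiate is not the first provider (found: '$first')" }
    if ($findings.Count -eq 0) { 'OK: settings match the steps above' } else { $findings }
}

# Constructed sample (not read from a server): NTLM listed ahead of Negotiate.
$sample = @{
    AnonymousEnabled  = $true
    WindowsEnabled    = $true
    ClientCertEnabled = $false
    Providers         = @('NTLM', 'Negotiate')
}
Test-WebConsoleAuth -Settings $sample

# On the web console server:
# Test-WebConsoleAuth -Settings (Get-WebConsoleAuthSettings -Site 'Default Web Site')
```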

 

After reviewing these authentication settings, you should be one step closer to encrypted authentication.

Enjoy!

SCOM WebConsole HTTP Redirect

Detour sign, redirect ahead

 

Use this post when the SCOM WebConsole gets flagged for HTTP Redirect.  The IIS configuration is pretty easy to set up.  When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding.  Use the Microsoft learn site for more details.

 

 

Add HTTP Redirect role from Server Manager

Time to Configure ‘SCOM WebConsole HTTP Redirect’

RDP to server, open Server Manager

Click on Manage on top right

Click Next on the ‘before you begin popup’

Server Manager splash screen

 

Click Next

Server Manager Role Installation Type popup wizard

 

Click Next

Server Manager Destination Manager screen

 

Expand the ‘Web Server’ drop down menu

Server Manager Roles

 

Expand Web Server drop down menu

Expand Common HTTP Features

Check box for HTTP Redirection

Server Manager Roles expanding Web Server for HTTP Redirect

 

Click Next

Server Manager HTTP Redirection check box selected

 

Click Next at the Features tab

Server Manager Features window

 

Click Install to install the feature

NOTE the ‘Restart if required’ checkbox is NOT selected

Most change processes don’t allow this on the fly (unplanned outage)

Server Manager Selections window

 

Wait while the feature(s) install

Click Close once complete

Server Manager feature install in progress

 

 

 

Setup Redirection in IIS Manager

Open IISManager

NOTE If IISManager was open before the feature was closed, exit and open IISManager again.   IISManager refresh does NOT make HTTP Redirect reappear (even if restarting IIS service).

 

Click on your webServer > Double click on HTTP Redirect

IIS Manager with HTTP Redirect

 

IISManager HTTP Redirect Default splash screen

 

Check the ‘Redirect requests to this destination:’ check box

Enter the WebConsole URL for your installation.

NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager

Check the two (2) boxes for Redirect behaviors

IISManager HTTP Redirect configuration screen


Click Apply

 

Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.
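The Server Manager and IIS Manager steps above can be scripted for repeatable change records. This is an added example, not from the original post; it assumes the redirect is set on Default Web Site and that the two "Redirect behavior" boxes correspond to the exactDestination and childOnly attributes, and <webserverName> is the page's own placeholder.

```powershell
# Added example: scripted equivalent of the Server Manager and IIS Manager steps above.
# ASSUMPTIONS: redirect is configured on 'Default Web Site'; the two 'Redirect
# behavior' boxes map to exactDestination and childOnly; <webserverName> is the
# page's own placeholder and must be replaced before running.

function Set-WebConsoleRedirect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string]$Site = 'Default Web Site'
    )

    # 1. Add the role service (Web Server > Common HTTP Features > HTTP Redirection).
    if (-not (Get-WindowsFeature -Name Web-Http-Redirect).Installed) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Install Web-Http-Redirect')) {
            # No -Restart switch: same as leaving 'Restart if required' unchecked.
            $result = Install-WindowsFeature -Name Web-Http-Redirect
            if ($result.RestartNeeded -ne 'No') {
                Write-Warning 'Restart pending; schedule it off hours.'
            }
        }
    }

    # 2. Configure the redirect on the site.
    Import-Module WebAdministration -ErrorAction Stop
    $psPath   = "IIS:\Sites\$Site"
    $filter   = 'system.webServer/httpRedirect'
    $settings = @{
        enabled          = $true
        destination      = $Destination
        exactDestination = $true    # redirect to the exact destination
        childOnly        = $true    # only this directory, not subdirectories
    }
    if ($PSCmdlet.ShouldProcess($psPath, "Redirect to $Destination")) {
        Set-WebConfiguration -PSPath $psPath -Filter $filter -Value $settings
    }

    # 3. Return what IIS now reports, for the change record and the re-scan request.
    Get-WebConfiguration -PSPath $psPath -Filter $filter |
        Select-Object enabled, destination, exactDestination, childOnly, httpResponseStatus
}

# Dry run first, then apply:
# Set-WebConsoleRedirect -Destination 'http://<webserverName>/OperationsManager' -WhatIf
# Set-WebConsoleRedirect -Destination 'http://<webserverName>/OperationsManager'
```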

 

 

Verify HTTP Redirect after reboot

After reboot, verify current settings (shown are default)

Click on ‘Default WebSite’ dropdown > Select HTTP Redirect

Verify HTTP Redirect is configured in IIS Manager

 

Contact Security team to re-scan server

Happy mitigating!

SCOM WebConsole settings for Kerberos AD Delegation

Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication

 

Next on the list is to set up SCOM WebConsole settings for Kerberos AD Delegation.  I liken Kerberos AD delegation to how the Navajo and Comanche helped the Allies in WW2: encrypted and encoded communication.  Time to make the donuts! (to set up SCOM WebConsole settings for Kerberos AD Delegation)

 

 

If you’re improperly set up – you’ll flag on STIG configs V-243470, V-243478

 

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

 

 

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

 

 

 

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

ADUC SCOM account examples

 

 

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
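To narrow that wide list, the delegation type can be derived from each account's userAccountControl flags so that domain controllers are separated from member servers that need fixing. This is an added example, not from the original post; the host names and SPNs in the sample are constructed, and the live query needs the ActiveDirectory module.

```powershell
# Added example: classify Kerberos delegation on computer accounts so unconstrained
# delegation on member servers stands out. Flag values are the documented
# userAccountControl bits; host names and SPNs in the sample are constructed.

function Get-DelegationType {
    param([int]$UserAccountControl, [object[]]$AllowedToDelegateTo)
    $ServerTrust   = 0x2000       # domain controller account
    $Unconstrained = 0x80000      # 524288, the bit the LDAP filter above matches
    $AnyProtocol   = 0x1000000    # set by 'Use any authentication protocol'
    $spns = @($AllowedToDelegateTo | Where-Object { $_ })

    if ($UserAccountControl -band $Unconstrained) {
        # Domain controllers carry this flag by design; anything else is the finding.
        if ($UserAccountControl -band $ServerTrust) { return 'Unconstrained (domain controller)' }
        return 'Unconstrained (review)'
    }
    if ($spns.Count -gt 0) {
        if ($UserAccountControl -band $AnyProtocol) { return 'Constrained, any protocol' }
        return 'Constrained, Kerberos only'
    }
    'None'
}

function Get-DelegationReport {
    # Read-only query; requires the ActiveDirectory module (RSAT).
    Import-Module ActiveDirectory -ErrorAction Stop
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'
    Get-ADComputer -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $services = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
            [pscustomobject]@{
                Name       = $_.Name
                Delegation = Get-DelegationType $_.userAccountControl $services
                Services   = $services -join '; '
            }
        }
}

# Constructed sample rows (not from a real directory):
#   DC01      = domain controller, SCOMWEB01 = before the fix, SCOMWEB02 = after the fix
$sample = @(
    @{ Name = 'DC01';      UAC = 532480;   SPNs = @() }
    @{ Name = 'SCOMWEB01'; UAC = 528384;   SPNs = @() }
    @{ Name = 'SCOMWEB02'; UAC = 16781312; SPNs = @('www/SCOMWEB02.contoso.lab', 'w3svc/SCOMWEB02.contoso.lab') }
)
foreach ($row in $sample) {
    '{0,-10} {1}' -f $row.Name, (Get-DelegationType $row.UAC $row.SPNs)
}

# Against the domain:
# Get-DelegationReport | Where-Object Delegation -eq 'Unconstrained (review)'
```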

 

 

 

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action.  Use the steps below to configure relevant SCOM or PowerBI servers.

 

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

 

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName>  and  click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process


 

 

Verification of delegation settings

ADUC Delegation flags with SCOM MS processes selected.

 

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

 

 

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in.  NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>,  select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both, as the FQDN and the NetBIOS names are in the SPN

Select OK.

 

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

ADUC Delegation Add Services > HTTP, WWW

Select OK.

ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)