Update SCAP tools

DISA Security Content Automation Protocol
DISA Security Content Automation Protocol

 

One more admin process and workflow is to ‘update SCAP tools’ on servers.  Many times overlooked, this can save many headaches with the newest version installed on servers.

 

 

Check DOD Cyber Exchange

Check the website  here, to search for Win in SCAP tools, then download & Install

SCAP tool download from DOD Cyber Exchange public website.
SCAP tool download from DOD Cyber Exchange public website.

 

Navigation steps:

Control Panel > Programs > Programs and Features

In the search bar (top right) enter scap (and hit enter)

 

SCAP Control panel output showing multiple versions installed.  Need to install latest application, then remove the old versions (in this case, all three!)

SCAP Control panel output showing multiple versions installed.
SCAP Control panel output showing multiple versions installed.

 

 

Install SCAP application

Extract files from ZIP

Copy folder to repository (my path example below)

Save SCAP zip and files to folder repository and on server to install SCAP on.

Save SCAP zip and files to folder repository and on server to install SCAP on.
Save SCAP zip and files to folder repository and on server to install SCAP on.

 

 

Run SCAP application

Take the defaults (unless you want the checker icon on desktop).  Run SCAP application from PowerShell (as admin) window.

Open PowerShell as admin window

 Example:

cd “D:\MonAdmin\STIGS\scc-5.7.2_Windows”; gci; .\SCC_5.7.2_Windows_Setup.exe

Hit enter to begin install

Run SCAP install from PowerShell (as admin) window.
Run SCAP install from PowerShell (as admin) window.

 

On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.

SCAP EULA radio button application install screen.
SCAP EULA radio button application install screen.

 

Select Destination location (preferably on non-system disk), and click Next

Change path to non-system disk (like d:)

SCAP Destination Location Application install window.
SCAP Destination Location Application install window.

 

From the ‘Select Components’ window, click Next

SCAP Select Components application install window.
SCAP Select Components application install window.

 

Click Next on the Setup Start Menu folder window

SCAP Start Menu folder install window
SCAP Start Menu folder install window

 

On the SCAP select additional tasks install window, click Next 

SCAP select additional tasks install window
SCAP select additional tasks install window

 

Click Install on ‘Ready to install’ popup screen

SCAP Ready to Install popup screen.
SCAP Ready to Install popup screen.

 

 

With the new SCAP tool Install window, click Finish to complete.

SCAP tool install finished splash screen.
SCAP tool install finished splash screen.

 

 

Refresh Control Panel SCAP search

Remove old versions

Click Continue and go through removal prompts

SCAP control panel remove old version with prompt to continue.
SCAP control panel remove old version with prompt to continue.

 

With the Uninstall screen, click Yes to uninstall.

SCAP uninstall yes/no screen
SCAP uninstall yes/no screen

 

Click OK on uninstall

Old SCAP unistall completed.
Old SCAP unistall completed.

 

 

Check Control Panel for SCAP installs

Verify control panel only has latest version installed.  Close out Programs and Features window

Windows Control Panel, Programs and Features, SCAP search for new version install
Windows Control Panel, Programs and Features, SCAP search for new version install

 

 

Review SCC (SCAP Compliance Checker) Release Notes

SCAP release Notes details
SCAP release Notes details

 

Verify SCAP application functionality

Click on Start > start typing SCAP > Click on SCAP Compliance Checker

SCAP Compliance Checker

 

From the SCAP checker UAC prompt, click Yes to continue

SCAP checker UAC prompt, click Yes to continue
SCAP checker UAC prompt, click Yes to continue

 

Click OK to end the install

SCAN new features popup after install
SCAN new features popup after install

 

 

Run Local Scan

Run local scan to prove functionality.

Select STIG(s) in the middle pane > Click Start Scan

Run SCAP scan against server, choose your STIGs and Start Scan
Run SCAP scan against server, choose your STIGs and Start Scan

 

Verify SCAP tool modified files after installation

Recheck Windows Explorer for OpenSSL; look at file properties for version details.  Interesting, NONE of these files have versions (openssl, x509 searches show nothing file version wise)

Verify SCAP tool modified files after installation
Verify SCAP tool modified files after installation

 

Ask the Security Admin to re-scan!

 

 

Documentation/Links

DOD Cyber Exchange https://public.cyber.mil/stigs/scap/

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’

 

The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files.  The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022).  As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files.   My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.

 

 

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’.  Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480

 

Download files

Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

 

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is SCOM Default folder on non-system disk @

D:\Program Files\System Center\Operations Manager\Server

 

Update the registry on relevant servers

Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

 

STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key
Display of regedit for the FIPS enabled key

 

PowerShell Verification:

$RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

 

Example Output

PS C:\> $RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

PS C:\> $FIPSEnabled

0

PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

FIPS disabled

 

 

PowerShell to set the registry key:

Blog link

$registryPath = “HKCU:\Software\ScriptingGuys\Scripts”

$Name = “Version”

$value = “1”

New-ItemProperty -Path $registryPath -Name $name -Value $value ` 

    -PropertyType DWORD -Force | Out-Null

 

 

 

Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’

 

 

 

Relevant links and documentation of  ‘STIGs for SCOM FIPS compliance on Windows’

Download from blog here (Link  https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified server2016,2019 per learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/

 

 

 

 

SCOM Web Console Authentication settings

Authentication Authentication Authentication! SCOM Web Console authentication settings
Authentication Authentication Authentication! SCOM Web Console authentication settings

 

SCOM Web Console authentication settings discussion!  Let’s go through standard IIS authentication settings like disabling Anonymous Authentication, and enabling Windows Authentication, AD Client Certificate Authentication, and binding providers (Negotiate before NTLM).  Ready to begin?!  A shout out to Alden Hatten as we worked through this and resetting the Web Console run here recently, that brought up the urgency to document.

 

 

Vendor documentation

Learn.Microsoft.Com link, SCOM2019 link

SCOM TechCommunity post for context

Kevin Holman’s SCOM QuickStart guides for SCOM 2019, 2022 (Including WebConsole default setup steps)

 

 

SCOM Web Console Authentication settings defaults

RDP to server with SA or Local admin level account

Go into IISManager > Expand the tree to then click on ‘Default Web Site’

Click on Authentication

IIS Manager output for ‘Default Web Site’

IISManager Default Authentication settings
IISManager Default Authentication settings

 

 

SmartCard aka AD Client Certificate Authentication defaults

In IIS Manager for the server > Click on Authentication

Verify AD Client Certificate Authentication is added and enabled.

IIS Manager Authentication, with SmartCard or Client Certificate Authentication
IIS Manager Authentication, with SmartCard or Client Certificate Authentication

 

 

Windows Authentication

Set Authentication Providers order

From IIS Manager > Expand Default Web Site

Click on Authentication > Click on Providers at the top right

If Negotiate is not on top, highlight, and click Move Up button > Click OK to set.   Restart IIS to make setting take effect ( also use iisreset from command prompt or PowerShell )

NOTE: Anonymous Authentication should be disabled!

IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top
IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top

If screenshot is your setup, close the Providers window

 

After reviewing these authentication settings, you should be one step closer to encrypted authentication.

Enjoy!

SCOM WebConsole HTTP Redirect

Detour sign, redirect ahead
Detour sign, redirect ahead

 

Use this post when the SCOM WebConsole gets flagged for HTTP Redirect.  The IIS configuration is pretty easy to set up.  When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding.  Use the Microsoft learn site for more details.

 

 

Add HTTP Redirect role from Server Manager

Time to Configure ‘SCOM WebConsole HTTP Redirect’

RDP to server, open Server Manager

Click on Manage on top right

Click Next on the ‘before you begin popup’

Server Manager splash screen
Server Manager splash screen

 

Click Next

Server Manager Role Installation Type popup wizard
Server Manager Role Installation Type popup wizard

 

Click Next

Server Manager Destination Manager screen
Server Manager Destination Manager screen

 

Expand the ‘Web Server’ drop down menu

Server Manager Roles
Server Manager Roles

 

Expand Web Server drop down menu

Expand Common HTTP Features

Check box for HTTP Redirection

Server Manager Roles expanding Web Server for HTTP Redirect
Server Manager Roles expanding Web Server for HTTP Redirect

 

Click Next

Server Manager HTTP Redirection check box selected
Server Manager HTTP Redirection check box selected

 

Click Next at the Features tab

Server Manager Features window
Server Manager Features window

 

Click Install to install the feature

NOTE the checkbox to ‘Restart if required is NOT selected’

Most change processes don’t allow this on the fly (unplanned outage)

Server Manager Selections window
Server Manager Selections window

 

Wait while the feature(s) install

Click Close once complete

Server Manager feature install in progress
Server Manager feature install in progress

 

 

 

Setup Redirection in IIS Manager

Open IISManager

NOTE If IISManager was open before the feature was closed, exit and open IISManager again.   IISManager refresh does NOT make HTTP Redirect reappear (even if restarting IIS service).

 

Click on your webServer > Double click on HTTP Redirect

IIS Manager with HTTP Redirect
IIS Manager with HTTP Redirect

 

IISManager HTTP Redirect Default splash screen
IISManager HTTP Redirect Default splash screen

 

Check the ‘Redirect requests to this destination:’ check box

Enter the WebConsole URL for your installation.

NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager

Check the two (2) boxes for Redirect behaviors

IISManager HTTP Redirect configuration screen

IISManager HTTP Redirect configuration screen

Click Apply

 

Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.

 

 

Verify HTTP Redirect after reboot

After reboot, verify current settings (shown are default)

Click on ‘Default WebSite’ dropdown > Select HTTP Redirect

Verify HTTP Redirect is configured in IIS Manager
Verify HTTP Redirect is configured in IIS Manager

 

Contact Security team to re-scan server

Happy mitigating!

SCOM WebConsole settings for Kerberos AD Delegation

Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication
I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication

 

Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation.  I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication.  Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)

 

 

If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478

 

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

 

 

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

 

 

 

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

ADUC SCOM account examples
ADUC SCOM account examples

 

 

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter

“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

 

 

 

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action.  Use the steps below to configure relevant SCOM or PowerBI servers.

 

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

 

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName>  and  click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process

ADUC SCOM Lab server choosing process

 

 

Verification of delegation settings

ADUC Delegation flags with SCOM MS processes selected.
ADUC Delegation flags with SCOM MS processes selected.

 

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

 

 

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in.  NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>,  select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both as FQDN and the NetBIOS names are in the SPN

Select OK.

 

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

Select OK.

ADUC Delegation for PowerBI RS
ADUC Delegation for PowerBI RS