AD Application monitoring

Data from StarTrek the next generation - Mr. Tricorder makes me laugh!

‘AD Application monitoring’ > web synthetics > artificial users > android: what image comes to mind?  Is it a person, or a thing from a Sci-Fi movie?  Perhaps Bishop from Aliens, or Data from Star Trek.  What does ‘AD Application monitoring’ consist of?  Currently that means a CRL validity check and an ADFS web synthetic (proving that ADFS is responding).  My thanks to Jason Windisch, CSA, for the supplied PowerShell!

Quick Download https://github.com/theKevinJustin/ADApplications/

Tailoring the pack to your environment

The purpose of the pack is to add scheduled workflows that act like a user and identify whether the CRLs are about to expire.  Most times, monitoring stops at ICMP ping.  Most times there’s still an outage, even though the network and servers are responding.  The next layer is IIS, Apache, etc.  Sometimes the network team gets involved, checking that a base IIS URL is configured.  Most outages aren’t the network, nor IIS not running.  This is why we focus on the web application responding.  Does the multi-prong tactical attack make sense?

This pack delivers on-demand tasks, daily reports, and rules/monitors to reflect health.  Customize the watcher node and some URLs, save, and import into SCOM!  The purpose

Assign watcher node(s)

Assign a watcher node by creating a registry key.

What does that mean?  Watcher nodes are needed to provide the user perspective.

Multiple site example

Issue:  Users from sites 1, 2, and 3 are having problems accessing web pages.  To understand a user in site 2, leverage a server in site 2 to initiate the web request (Invoke-WebRequest in PowerShell).

Why:  Differentiate user experience (per site).  Answer the ‘did you know’ – is the application responding from this site/perspective.

Unfortunately, the watcher node concept eludes most administrators.  Mastering ‘user perspective’ makes for an invaluable aid in moving from reactive ‘fire fighting’ to proactively being told before users are.  Hopefully this explains the power of monitoring that imitates user interactions for key web applications.

How:  Create the registry key on whichever servers you want to initiate the web monitor

From PowerShell (as Admin) or Command Prompt (as admin):

reg add "HKLM\SOFTWARE\ADApplications\WatcherNode"

AD Applications regedit registry key validation

Example of XML snippet from AD Applications management pack

AD Applications Watcher Node - create specific registry key

Set up CRL Validity check and ADFS synthetic

Next, configure the URLs for the customer environment in the ‘AD Application monitoring’ management pack.

Update AD Applications module types for monitor/rules for CRL and ADFS synthetics

Configure the CRL validity check array

From your favorite XML editor (notepad++ pictured)

Find/Replace ##FQDN##, ##CRLstring##, and the numbers to match the customer environment

CRL Validity check: create your array with the length needed for the customer environment

Configure the ADFS synthetic request(s)

From your favorite XML editor (notepad++ pictured)

Find/Replace $server and ##FederationFQDN##; if necessary, update the ADFS URL string if it differs (the /adfs/ls/idpinitiatedsignon.aspx portion) to match the customer environment

Update ADFS URL for Invoke-WebRequest, ADFS default URL in specified example

Save pack

Import and enjoy!
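As an added example (not the pack’s own PowerShell, which the post credits to Jason Windisch), here is what the watcher-node gate, the CRL validity check and the ADFS synthetic look like when scripted together; the CRL URLs, the federation FQDN and the 7-day warning threshold are constructed placeholders.

```powershell
# Added example, not the AD Applications pack's own script: the watcher-node gate,
# a CRL validity check and an ADFS synthetic, written the way a SCOM scripted
# monitor would run them. Constructed/assumed values are marked below.

$WatcherKey = 'HKLM:\SOFTWARE\ADApplications\WatcherNode'   # key from the post

# Constructed sample array; substitute the ##FQDN##/##CRLstring## values per environment.
$CrlUrls = @(
    'http://pki.contoso.example/CertEnroll/Contoso-Issuing-CA.crl',
    'http://pki.contoso.example/CertEnroll/Contoso-Root-CA.crl'
)
$FederationFqdn = 'adfs.contoso.example'   # placeholder for ##FederationFQDN##
$WarnDays       = 7                         # assumption: warn this many days before NextUpdate

function Test-WatcherNode {
    # Only servers carrying the registry key initiate the web requests (user perspective per site).
    return (Test-Path -Path $WatcherKey)
}

function Test-CrlValidity {
    param([string]$Url, [int]$WarningDays = 7)
    $tmp = Join-Path $env:TEMP ("crl_{0}.crl" -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        # certutil -dump prints the CRL's ThisUpdate/NextUpdate lines; we read NextUpdate.
        $dump = (& certutil.exe -dump $tmp 2>&1) | Out-String
        $m = [regex]::Match($dump, 'NextUpdate:\s*(.+)')
        if (-not $m.Success) { throw "NextUpdate not found in certutil output" }
        $nextUpdate = [datetime]::Parse($m.Groups[1].Value.Trim())
        $daysLeft   = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)
        $state = if ($daysLeft -lt 0)                { 'Expired' }
                 elseif ($daysLeft -le $WarningDays) { 'Warning' }
                 else                                { 'Healthy' }
        [pscustomobject]@{ Url = $Url; NextUpdate = $nextUpdate; DaysLeft = $daysLeft; State = $state }
    }
    catch {
        # A download or parse failure is itself a finding: clients cannot refresh the CRL either.
        [pscustomobject]@{ Url = $Url; NextUpdate = $null; DaysLeft = $null; State = "Error: $($_.Exception.Message)" }
    }
    finally { Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue }
}

function Test-AdfsSynthetic {
    param([string]$Fqdn)
    # Default ADFS IdP-initiated sign-on page, the URL string the post says to adjust if different.
    $url = "https://$Fqdn/adfs/ls/idpinitiatedsignon.aspx"
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        $sw.Stop()
        # A 200 with a non-empty body proves the ADFS web front end answered; TLS/HTTP errors land in catch.
        $ok = ($resp.StatusCode -eq 200) -and ($resp.Content.Length -gt 0)
        [pscustomobject]@{ Url = $url; StatusCode = $resp.StatusCode; Ms = $sw.ElapsedMilliseconds
                           State = $(if ($ok) { 'Healthy' } else { 'Unhealthy' }) }
    }
    catch {
        $sw.Stop()
        [pscustomobject]@{ Url = $url; StatusCode = $null; Ms = $sw.ElapsedMilliseconds
                           State = "Error: $($_.Exception.Message)" }
    }
}

if (-not (Test-WatcherNode)) {
    Write-Output "Not a watcher node ($WatcherKey absent); nothing to do."
    return
}
$results  = @($CrlUrls | ForEach-Object { Test-CrlValidity -Url $_ -WarningDays $WarnDays })
$results += Test-AdfsSynthetic -Fqdn $FederationFqdn
$results | Format-Table -AutoSize
# Overall state for a monitor: any non-Healthy row flips this watcher's view of the application.
$overall = if ($results | Where-Object { $_.State -ne 'Healthy' }) { 'Unhealthy' } else { 'Healthy' }
Write-Output "Overall: $overall"
```

The per-row State column is what a scripted monitor would feed back as a property bag; the error rows matter as much as the expired ones, since a CRL the watcher cannot fetch is one the clients cannot fetch either.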

Documentation

URLGenie for advanced website monitoring

PowerShell invoke-webRequest

Addendum logic blog

Proactive Daily Reports

Proactive Analyst Reports as a new way to ingest key insights from SCOM

As a SME or team lead, ever need to know a key insight for the enclave?  Let’s talk about the ‘Proactive Daily Reports’ pack.  This provides you some built-in reports on what transpired in an enclave.  Building again on the Health pillar, we can simplify what owners need to see.  Creating a PowerShell script was a simpler alternative to a complex SSRS report that often broke due to patching and not following best practices.  The pack shows a simpler way to bring key insights to owners for Pending Reboots, Expiring PKI certificates, Logical Disk alerts, a System Admin summary, and SCOM admin reports including long-running scripts, script errors, SCOM errors, and an alert updates report.

Quick Download: https://github.com/theKevinJustin/ProactiveNOSCDailyTasks

Testing the Proactive Daily reports

Let’s start with some example reports – examples for expiring certificates, Logical Disk, Pending Reboot, System Admin summary, and SCOM admin reports including long-running scripts, script errors, SCOM errors, and alert updates report.

Expiring Certs –

About to expire certificates

Expiring PKI certificates reports

Logical disk alerts –

Shows Server, drive, and % full data

Logical disk alerts report, showing zero for the past 72 hours (over a weekend)

Pending Reboots

Alerts of servers pending restart, not patched, not rebooted

Pending reboot report lists servers pending restart, not patched, not rebooted alerts

System Admin summary

This is really a consolidation of multiple insights:

Server performance issues
Open ITSM/Remedy tickets
Unhealthy Agents
Pending Reboot, Not Rebooted, Not patched
Disabled/Unhealthy/MaintenanceMode, Repeatedly down Agents
Logical Disk free space alerts
Expiring certificates
AD DC (ADDS) critical alerts
DNS alerts
Group Policy issues

SysAdmin daily summary report example alert

SCOM admin reports

Admin reports have a few separate alert reports, including long-running scripts, script errors, SCOM errors, and alert updates report.

SCOM Admin alerts report example of common SCOM problems

Long running scripts

SCOM Admin long running scripts alerts report example of long-running report workflows to help tune run-time

ScriptErrors showing key SCOM connectivity issues

SCOM Admin script errors to help diagnose report script syntax errors

Useful links

Other blog posts for addendum management packs and capabilities –

https://kevinjustin.com/blog/2023/08/15/proactive-patching-alerts/
https://kevinjustin.com/blog/2023/08/14/top-process-powershell-script/
https://kevinjustin.com/blog/2023/08/15/proactive-daily-reports/

https://kevinjustin.com/blog/2023/08/08/create-closed-alerts-view/

Proactive Patching alerts

proactive scrabble tiles

As a SME or team lead, ever need to know ‘Proactive Patching alerts’?  i.e., what servers need patches applied, aren’t patching, or were missed?  This pack builds on three (3) pillars – Health/Security/Compliance, enabling Cyber teams and more.  This became an alternate option to a complex pack, with an SSRS report, used by a customer to identify systems.  The report was long and had many blank lines/pages, which required a re-write.  This pack started with the pending restart monitor taken directly from the AquilaWeb reboot pack logic.  The logic helps SysAdmin/Domain Admin/NOC/NOSC/SOC teams know when servers need reboots.  This need is driven further by the multiple reboots (sometimes) required by Windows monthly updates and application updates.  Used across multiple customers, this is the first pack enabling a proactive stance to answer the ‘Am I compliant’ question.

Quick Download: https://github.com/theKevinJustin/ProactivePatchUptimeReboot/

Testing the Proactive Patch alerts

David Allen built the ‘Aquilaweb.Support.PendingReboot.Monitor.PendingReboot’ PowerShell monitor to tell system owners when the pending restart flag was present.  Some builds, though, make system changes which repeatedly flip the registry key, causing many alerts.  Also, downloading the Aquila pack is tricky now that TechNet was retired.

David provided a great idea, which was built upon.  This gave rise to the question of, what if the server was not patched, or not rebooted in a period of time?   With my Cyber hat on, this became the next piece of content to create.  That gave rise to another question – do these scenarios need to reflect in health (monitor), or not (rule)?   We’re all about choices, free will, so the pack is built with those options (rules disabled out of the box).

Pending restart monitor XML showing options

The pack is setup to alert with CBS application updates, SCCM/MECM/Config Mgr Endpoint Management updates, and Windows Updates.  This has been my experience for the most accurate reflections of alerts on secure builds where Application/System Owner needs to take action.

The Last Patch and Last Reboot monitor/rules in the download are set to 45 days.  Tune this value down if patching occurs at the 30 day mark; increase it if you need more time before alerts.

Last Patch Monitor reflecting number of days

Otherwise, download and import into your environment.  Regarding your subscription/notification settings: the Proactive set of alerts is built upon the Windows Operating System class, so if subscriptions include that class, notifications to System/Application owners are automatic.

Useful links

David Allen blog

Addendum, what does it mean blog

Top Process PowerShell script

Task Manager output for 'Top Process PowerShell script management pack'

Ever wish you had task manager output when you had a monitor go unhealthy?  Following Kevin Holman’s lead to ‘Monitor Processes‘, the idea landed to build out the ‘Top Process PowerShell script’.  This morphed into a management pack with Knowledge entries to better explain what is being done.  Integrating Top Process into Health Explorer output as a recovery task helped provide another step before alerting.  The idea started from the need to prove which Security tool(s) were causing the over-utilized compute spikes, causing non-responsive server(s).  Thinking back to my UNIX days, we simply used top, vmstat, iostat, and other commands to identify problematic processes.  Integrating PowerShell scripts into SCOM is part of the fun, then linking the obfuscated Security processes for the final output.  From there, extrapolate into Azure Functions or Azure Logic Apps for additional functionality for cloud native monitoring.

Quick Download: https://github.com/theKevinJustin/TopProcess

Tier1 separated monitoring (no AD) https://github.com/theKevinJustin/TopProcessTier1

Building out the ‘Top Process PowerShell script’

Kevin Holman built a ‘Monitor.Performance.ConsecSamples.ThenScript.TwoState.mpx’ fragment, beginning the logical journey.  His fragment helped me start with a working model, taking processes and cores into consideration for true CPU usage on multi-core servers.

Kevin Holman Monitor performance then script fragment for PowerShell get-counter syntax

We need to see the processes and their corresponding values, then build an output table (custom object).  After gathering the processes, feed the TopProcesses array, lastly sorting the array by CPUValue.

Top Process memory usage snippet

Next, we’ll want to see what applications/tools might be involved, including Active Client, IIS, monitoring, and EndPoint Management tools (keep things honest!).

Added the Security Processes into the mix

Then we build an output of the data so we can take the datasource (DS) or WriteAction (WA) into a scripted monitor/rule, or into recovery tasks linked to various monitors.  I even built a forked version for the SAW/Red Forest case, separating Tier0 monitoring from Tier1 (the snippet below is NOT that pack).
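An added example, not the Top Process pack or Kevin Holman’s fragment: the per-core CPU normalization, the sorted TopProcesses table and the Security/IIS/monitoring/endpoint-management tagging described above, in one runnable script. The process-name-to-category map is constructed; the counter paths are standard Windows PerfMon counters.

```powershell
# Added example, not the Top Process pack's own code: per-process CPU% normalized across
# cores (so 100 means the whole box is busy), private working set, and a category tag so
# Security/IIS/monitoring/endpoint-management tools stand out in the output table.
$Cores = [int]$env:NUMBER_OF_PROCESSORS

# Constructed name-to-category map (PerfMon instance names are lower-case, no .exe);
# extend it with the tools actually deployed in your enclave.
$Categories = @{
    msmpeng        = 'Security'       # Defender AV engine
    mssense        = 'Security'       # Defender for Endpoint sensor
    w3wp           = 'IIS'
    healthservice  = 'Monitoring'     # SCOM agent
    monitoringhost = 'Monitoring'     # SCOM workflow host
    ccmexec        = 'EndpointMgmt'   # SCCM/MECM client
}

function Get-TopProcess {
    param([int]$Top = 10)
    $paths = '\Process(*)\% Processor Time', '\Process(*)\ID Process', '\Process(*)\Working Set - Private'
    # Two samples one second apart: % Processor Time needs a delta, and the last set is the one read.
    $set = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 2 -ErrorAction Stop)[-1].CounterSamples
    $rows = foreach ($g in ($set | Group-Object InstanceName)) {
        if ($g.Name -in '_total', 'idle') { continue }
        $cpu    = ($g.Group | Where-Object Path -like '*% processor time').CookedValue
        $procId = ($g.Group | Where-Object Path -like '*id process').CookedValue
        $ws     = ($g.Group | Where-Object Path -like '*working set - private').CookedValue
        $base   = $g.Name -replace '#\d+$', ''     # strip PerfMon's #n suffix on duplicate names
        [pscustomobject]@{
            Process   = $g.Name
            PID       = [int]$procId
            Category  = $(if ($Categories.ContainsKey($base)) { $Categories[$base] } else { 'Other' })
            CPUValue  = [math]::Round($cpu / $Cores, 2)   # raw counter sums all cores
            PrivateMB = [math]::Round($ws / 1MB, 1)
        }
    }
    # The TopProcesses array, sorted by CPUValue as the post describes
    $rows | Sort-Object CPUValue -Descending | Select-Object -First $Top
}

function Get-CategorySummary {
    param([object[]]$Rows)
    # Roll-up so "Security tools are 35% of the box" is one line an owner can act on.
    $Rows | Group-Object Category | ForEach-Object {
        [pscustomobject]@{
            Category = $_.Name
            CPUValue = [math]::Round(($_.Group | Measure-Object CPUValue -Sum).Sum, 2)
        }
    } | Sort-Object CPUValue -Descending
}

$all = Get-TopProcess -Top 500
$all | Select-Object -First 10 | Format-Table -AutoSize
Get-CategorySummary -Rows $all | Format-Table -AutoSize
```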

snippet of manual tasks and recoveries that link to multiple monitors

Useful links

Kevin Holman MP fragments blog and GitHub Fragment library/repository

Create Closed Alerts view

Create Closed SCOM alert view

Time to ‘create a Closed Alerts view’ for all users (versus an individual user workspace).  Sometimes, we just need a different view.  My thanks to Joe Kelly for his help documenting this!

Create Closed Alerts view

How to ‘create a Closed SCOM Alert’ view.  Follow these steps:

Open the Operations Console and navigate to the Monitoring workspace.

Click on the “New” button in the toolbar and select “Alert View” from the dropdown menu.

In the “Create Alert View” wizard, give your view a name and select “Closed Alerts” as the criteria.

Click “Next” and select the columns you want to display in your view.

Click “Next” again and choose any grouping or sorting options you want to apply.

Click “Finish” to create your view.

SCOM Closed alert view

Once you have created your closed alert view, access the new view from the Monitoring tab.   Customize the view further by right-clicking on it and selecting “Properties”. From there, you can add or remove columns, change the grouping or sorting, and apply filters to further refine the view.

Learn article here to help personalize views like ‘Create Closed Alerts view’

Integrate SCOM and SolarWinds

Steve Irwin quote - what a beauty!

I’m ISO (in search of) the mythical single pane of glass.  In my best Steve Irwin voice…  Integrate SCOM and SolarWinds – We are strong together.  To me, integration occurs everywhere: at home, in your job, with anyone you work with.  Contribute, don’t consume 🙂  Everyone is unique, including preferences and past experiences.  In my career, I’ve been lucky to administer both tools (and more) for Fortune 100 companies.  I hope this blog provides a way to use both tools to get the full value for the least cost!

Integration typewriter picture - stronger together - integrate SCOM and SolarWinds

Integration

The real meat of this is how to get the most for the least cost!

Let’s ‘Integrate SCOM and SolarWinds’ into our unicorn.  To date, getting data from SolarWinds into SCOM allows for the easiest PowerBI Apps/reports.

In my experience, the MSI requires a SolarWinds Support login to download the SolarWinds Management Pack for SCOM.msi.  Download and configure article here.

SCOM view of SolarWinds data

3rd party options (free)

Cookdown vendor method to grab SolarWinds data into SCOM

Webhooks SolarWinds – Cookdown details

SolarWinds Thwack entries – you can find my Thwack submissions there as well 😊

https://thwack.solarwinds.com/resources/thwack-command-center/f/forum/39833/scom-connector

https://thwack.solarwinds.com/product-forums/network-performance-monitor-npm/f/forum/70676/scom-integration

One possible PowerBI report

PowerBI App with multiple reports, dashboards

ITSM integrations

Remedy

Most times the Remedy application is old, deprecated, outside its service life, and rarely integrated with monitoring.  One customer’s PowerBI report shows the utility at a glance (see picture below).

PowerBI report referencing ITSM insights for teams, totals, volume

ITSM integration for ServiceNow (SNow)

Free – https://powerbi.microsoft.com/en-us/blog/explore-your-servicenow-data-with-power-bi/

SNOW PowerBI Connector (pay – requires support contract login)

https://store.servicenow.com/sn_appstore_store.do?#!/store/application/87a42573879e0110fb5033773cbb354f/

Documentation

2021 Blog https://www.upguard.com/blog/solarwinds-vs-scom

Blog https://www.trustradius.com/compare-products/microsoft-system-center-operations-manager-scom-vs-solarwinds-server-application-monitor

Compare SolarWinds and SCOM

My Big Fat Greek Wedding - we're all just fruits!

I think of My Big Fat Greek Wedding to ‘Compare SolarWinds and SCOM’.  The wedding reception, where the father says the roots of his daughter’s and son-in-law’s last names are the Greek words for Orange and Apple: “so in the end, we’re all fruits”.  We are the same but different, where diversity and inclusion is key.  Everyone’s got a voice.  Contribute, don’t consume 🙂

First, I’ve been lucky to administer both tools for Fortune 100 companies (and more tools).  Second, I hope this blog provides some clarification of the strengths, weaknesses, and costs associated with both tools.  Here’s hoping WordPress readers identify with my background – saving money, cutting coupons, looking for on-sale, buy-one-get-one deals.  Thirdly, while everyone’s past experiences may not be the same, cost is still a big factor.  Lastly, proprietary tools, Security, and other requirements can make or break an implementation.

Here’s a link to a PPT built to ‘Compare SolarWinds and SCOM’ feature-wise, that goes along with ‘My Big Fat Greek Wedding’ and the fruit.  The PPT, titled ‘better together’, is loaded with links and breaks out key capabilities.

Some items NOT covered in the PPT comparison

Example context – SAW/PAW/Red Forest

Both tools can store credentials within the application, obfuscated.

SCOM allows gMSAs (group managed service accounts) for key services, including Run As accounts.  View the Monitoring Guys blog plug here for CJ, Scott, and Tyson’s contributions 😛

COST

SolarWinds small enterprise example
Windows Server, SQL licenses (no cost given)

Monitors Windows, Non-Windows, Microsoft products

Community of custom application monitoring

Renewal cost per year in 2020: $48K/year
Adding HA: the SQL Enterprise licenses are the same either way; SW HA/High Availability is the SolarWinds cost, not the compute licenses for Windows Server and SQL
***500 license SAM, VOIP, IPAM, NPM/NCM.
Redesigning licensing to unlimited (site license) was $344K
Wow! Site licenses cost considerably more.
Though for clarification, 500 licenses equates to 500 monitors targeted at 500 servers.
SolarWinds costs broken out by feature

Add unlimited VMAN, DPA, SCM, VNQM adds $256K

Add new SolarWinds features

Migrate functionality to site license ($48K > $344K)

Adding SolarWinds features with site unlimited licenses

SCOM small enterprise example

Windows Server, SQL licenses (no cost given)
No license limitation for products/features used, community built solutions

Monitors Windows, Non-Windows, Microsoft products

Large community of custom application monitoring

No yearly support costs (included with Microsoft support agreement)

SQL Enterprise licenses are the same either way; SW HA/High Availability is the SolarWinds cost, not the compute licenses for Windows Server and SQL

ESX monitoring via NiCE VMWare 3rd party pay pack is $10K/year
OpsLogix Teams integration helps with NOC/NOSC/SOC integration
Including NiCE Oracle monitoring $10k/year

I’ll leave the cost comparisons to you.

Securing the Applications and web consoles

SolarWinds (SW)

Secure SW website search, Smart Cards post, 2FA/MFA/RSA post

NPM (now N-Able RMM – Remote Management & Monitoring)

NCM Thwack forum

SCOM web console

Did you know – gMSAs (group managed service accounts) can be used with SCOM, Windows, AD, etc.?  Monitoring Guys blog plug here for CJ, Scott, and Tyson 😛

Configuring AD Delegation, Smart cards and SSL certs (Client Certificate Mapping Authentication, IIS configuration, FIPS)

Knowledge sources: Learn.Microsoft.Com, TechNet, blogs, STIG Library and more

Vulnerability mitigation

SCOM vulnerability mitigations Blog vuln search, SCOM STIGs plus IIS, Windows Server, SQL, WebServer ALL apply

SolarWinds vulnerability – Trust Center – CVE-2023-23836, CVE-2021-35211, CVE-2023-33231, all from searches.

NO DISA STIG for SolarWinds, so IIS, Windows Server, SQL, WebServer ALL apply

NOTE: I’ve NOT supported SolarWinds recently to see Security scans for other vulnerabilities and STIG settings (Windows Server, SQL, IIS, Network blog).  STIG dashboard ‘how to’

Licensing

Licensing is a big differentiator cost-wise.

SolarWinds needs an EA for Windows Server, SQL licenses.

SCOM has been part of the EA (Enterprise Agreement) for at least 15+ years (since SCOM 2007, if not MOM 2005).  The Windows Server license (now CPU based) and the SQL license come standard, though NOT SQL Enterprise.  One reason the System Center suite is successful might be this built-in licensing, as well as the feature depth and cost the tools provide.

Hardware requirements

In my experience interacting with customers, SolarWinds support recommends hardware configurations well above vendor recommendations.  Support recommendations request high compute to provide memory-level SQL speed and a responsive web console.  However, that compute is basically ESX host level, in the realm of 128GB of memory per server, and in High Availability (HA) that means x4 – 2 servers for each of 2 sites.

Monitoring tools are rarely Tier1 Applications with a corresponding Service Level Availability (SLA).  Expectation alone presents a disparity and a false impression.  People just see a tool and base expectations on personal experience.

Ferrari vs. GMC Cyclone - fooled you eh

Is it really surprising if one is faster than the other?

SQL query Plan howto

SQL Query Plan - can't you do anything right?

Ever need to build out a capability and the SQL query is your blocker?  Use a SQL query Plan ‘howTo’ to figure out what’s taking the query so long.  My thanks to Dennis Zwahlen (a Data and AI CSA – LinkedIn) for helping me figure out what was causing a SCOM DW SQL query to render data VERY slowly!

Don’t get me wrong, the sheer volume of events is definitely part of the problem.   Event rules are using expressions to further restrict collected event data.

SCOM DW Events ingested for DC Security Events when SIEM is a limit, and NOT using ACS feature

I will discuss the SCOM DW Event ingestion and additional XML authoring options to turn down the pressure.

Time to use the ‘SQL query Plan howto’ blog for the SQL execution plan, to help figure out why the DW query takes so long.  Using the execution plan, similar to SQL Profiler, will provide insight to possibly speed up the query, allowing PowerBI app/report rendering of data.

From SSMS > View > Add Display Estimated Execution Plan

SQL execution plan starting from the left documenting SQL query

Sort is taking 4.5 minutes in this example of the SQL execution plan visual.  Moving right from the Join lines documents how SQL behaves, and how each piece affects overall execution.

SQL query plan starting moving right from the left documenting SQL query

Hope this helps for another diagnostic SQL step in your tool box!

Vuln 178852 OLE DB driver

VulnID 178852 - Vulnerable to hackers - SQL OLE DB Driver update required

Got another vulnerability pop up on the last scan.  ‘Vuln 178852 OLE DB driver’ has vulnerabilities and needs updating.  My experience links this NOT to ODBC vuln 175441, but rather to the added capabilities and drivers installed with SSMS v19.  NOTE: OLE has a pre-req of the new Visual C++ Redistributable x86 and x64 bits.  Let’s mitigate with the Vuln 178852 OLE DB driver update!

Quick outline of steps with Vuln 178852 OLE DB driver

Download the bits (and copy to repository and servers for install)

Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe)

Update MSOLEDB drivers (x64 and possibly x86)

Re-scan to validate remediated!
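The four outlined steps as one added PowerShell script (not from the post): the Control Panel searches become registry queries, and the installers run silently in the same order. The staging path and installer file names are assumptions; IACCEPTMSOLEDBSQLLICENSETERMS is the driver MSI’s documented silent-install EULA property.

```powershell
# Added example, not from the post: assess the installed OLE DB driver and Visual C++
# Redistributable versions, then apply the updates in the post's order (VC++ first).
# Assumed: installers staged in $Stage (constructed path) under the names Microsoft
# ships for VC++ (VC_redist.x64.exe / VC_redist.x86.exe) and msoledbsql.msi; the x86
# MSI file name below is an assumption.
$Stage = 'C:\Temp\OLEDB'

function Get-InstalledProduct {
    param([string]$Pattern)
    # The same data Programs and Features shows; WOW6432Node holds the 32-bit installs.
    $hives = @{
        x64 = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        x86 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    foreach ($arch in $hives.Keys) {
        Get-ItemProperty -Path $hives[$arch] -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{ Arch = $arch; DisplayName = $_.DisplayName; DisplayVersion = $_.DisplayVersion }
            }
    }
}

function Install-Quiet {
    param([string]$FilePath, [string[]]$ArgumentList)
    if (-not (Test-Path $FilePath)) { throw "Installer not staged: $FilePath" }
    $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Wait -PassThru
    # 0 = success, 3010 = success but reboot required (the Restart button in the post)
    if ($p.ExitCode -notin 0, 3010) { throw "$FilePath exited with $($p.ExitCode)" }
    return $p.ExitCode
}

# Assess: what the 'ole' and 'Red' searches in Control Panel would show
$oleBefore    = @(Get-InstalledProduct -Pattern 'OLE DB Driver')
$redistBefore = @(Get-InstalledProduct -Pattern 'Visual C\+\+ .*Redistributable')
$oleBefore + $redistBefore | Format-Table -AutoSize

# Step 1: Visual C++ redistributables first, or the OLE DB setup stops at its prerequisite check.
# The x86 package is only needed when an x86 redistributable is already present.
$needReboot = $false
$exes = @('VC_redist.x64.exe')
if ($redistBefore | Where-Object { $_.Arch -eq 'x86' -or $_.DisplayName -match 'x86' }) { $exes += 'VC_redist.x86.exe' }
foreach ($exe in $exes) {
    $code = Install-Quiet -FilePath (Join-Path $Stage $exe) -ArgumentList '/install', '/quiet', '/norestart'
    if ($code -eq 3010) { $needReboot = $true }
}

# Step 2: OLE DB driver; the x86 MSI only if a 32-bit driver is installed today
$msis = @('msoledbsql.msi')
if ($oleBefore | Where-Object Arch -eq 'x86') { $msis += 'msoledbsql_x86.msi' }   # file name assumed
foreach ($msi in $msis) {
    $path = Join-Path $Stage $msi
    if (-not (Test-Path $path)) { throw "Installer not staged: $path" }
    $code = Install-Quiet -FilePath 'msiexec.exe' -ArgumentList '/i', "`"$path`"", '/qn', '/norestart', 'IACCEPTMSOLEDBSQLLICENSETERMS=YES'
    if ($code -eq 3010) { $needReboot = $true }
}

# Step 3: re-assess. An older driver still listed is the copy SSMS installed; review app
# dependencies before removing it, as the post says, then re-run the vulnerability scan.
Get-InstalledProduct -Pattern 'OLE DB Driver' | Sort-Object Arch, DisplayVersion | Format-Table -AutoSize
if ($needReboot) { Write-Warning 'Exit code 3010: reboot in the approved change window, then re-scan.' }
```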

Download the bits

Download Microsoft OLE DB Driver for SQL Server – OLE DB Driver for SQL Server | Microsoft Learn

https://learn.microsoft.com/en-us/sql/connect/oledb/download-oledb-driver-for-sql-server?view=sql-server-ver16

Latest supported Visual C++ Redistributable downloads | Microsoft Learn

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170

Latest supported Visual C++ Redistributable downloads | Microsoft Learn

https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#visual-studio-2015-2017-2019-and-2022

Once downloaded, copy the OLE DB Driver and VC Redistributable EXEs for x64 and x86 to the affected servers.  Search for OLE first, to assess the OLE and Redistributable versions currently installed.

Assess ‘Vuln 178852 OLE DB driver’ updates on affected servers

Log into the server(s)

From Control Panel > Programs > Programs and Features > Search for ‘ole’ to see OLE DB driver versions

Check Control Panel for OLE DB Version

Check Redistributable version

From Control Panel > Programs > Programs and Features > Search for ‘Red’ to see Redistributable versions

If you don’t upgrade Visual C++ Redistributable first, you’ll get this setup error

Executing OLE DB Driver update: pre-requisite error for Visual C++ Redistributable update

Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe)

First, we have to install the Visual C++ updates on the server before we can update the driver.

From PowerShell (as admin) on affected servers

Go to saved directory for EXE and MSI files

PowerShell as admin > go to directory > run the EXE

Click the check box for the EULA ‘I agree’

At the Visual C++ Redistributable EULA splash screen

Check agree checkbox, then click Install button lower right

Visual C++ Redistributable EULA splash screen to check agree checkbox, then click on Install

Update installing

VC_Redistributable installing screenshot


Click Restart button (when in approved change window)

Click Restart when in change window to reboot server for Visual C++ update to apply

Restart server

Update VC_Redist.x86.exe

Second part, if the x86 library is installed, is to update it.

Install the next pre-req if the server contained both x86 and x64 bits for the ‘Vuln 178852 OLE DB driver’

From PowerShell (as admin) on affected servers:

Go to saved directory for EXE and MSI files

.\VC_redist.x86.exe

Powershell as admin window initiating the Visual C++ Redistributable x86 exe

Click the check box for the EULA ‘I agree’

At the Visual C++ Redistributable EULA splash screen

Check agree checkbox, then click Install button lower right

Click on 'I agree' checkbox, and click Install button to begin the x86 Visual C++ Redistributable update

Update installing

Screenshot installing the x86 Visual C++ Redistributable update

Update complete

Screenshot showing successful install of the x86 Visual C++ Redistributable update

Update MSOLEDB drivers

Third, assess first whether you need x64 AND x86 drivers (my example is only x64)

Start by checking the Control Panel > Programs > Programs and Features > search for ole (and hit enter)

Control Panel > Programs > Programs and Features > searching for ole, showing old v18

From PowerShell (as admin) on affected servers

Go to saved directory for EXE and MSI files

Open MSI to begin install

PowerShell as Admin running the ole MSI install

Click Next if you get the ‘User Account Control’ (UAC) prompt to initiate MSI install

OLE MSI Install - User Account Control (UAC) prompt to initiate MSI install

Click Next

OLE MSI install, click Next

Click the ‘I agree’ radio button and click Next

OLE MSI Install, EULA splash screen to check 'I Agree' radio button and click Next

Next, on the OLE MSI install, click next to accept default features (just the driver install)

OLE MSI install, click next to accept default features (just the driver install)

Click Install to begin driver install

OLE MSI install, click install

OLE driver install completed, click Finish

Verify Control Panel for OLE driver install and version

Lastly, assess server and application requirements to verify whether the old OLE driver is okay to remove from the system to clear the vulnerability.  The old OLE driver on my system was installed the day I installed SSMS v19.x.

Back to your Control Panel > Programs > Programs and Features window

Change the search to OLE in the top right > hit enter

Click Delete on the old version

On the Warning popup window, click Continue

Control Panel view showing two OLE drivers, reflecting the newly installed, and the old version

At the UAC prompt, click Yes

OLE MSI Install - User Account Control (UAC) prompt to initiate MSI install

Once complete, verify in the Control Panel window

Control Panel > Programs > Programs and Features > searching for ole, showing old v18

Other documentation

Security Updates for Microsoft SQL Server OLE DB Driver (June … | Tenable®

https://www.tenable.com/plugins/nessus/178852

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper instead of Fippler, all of which has ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’.

The biggest hurdle to 'STIGs for SCOM FIPS compliance on Windows' is obtaining the files.  The SCOM ISOs bundled since 2012 SP1 do NOT contain the gacutil and cryptography DLL files needed to resolve STIG V-220942 (Windows 10), V-226335 (Server 2012/2012 R2), V-73701 (Server 2016), V-93511 (Server 2019), and V-254480 (Server 2022).  As much as we want to resolve 'STIGs for SCOM FIPS compliance for Windows Server', you have to start by finding the relevant files.   My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj for their involvement and clarification.

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let's begin by fixing the SCOM Web Console role servers (possibly SQL SSRS and Power BI Report Server as well) to resolve multiple 'STIGs for SCOM FIPS compliance for Windows Server'.  This blog post applies to multiple STIGs, including V-220942, V-226335, V-73701, V-93511, and V-254480.

Download files

Get the files from the blog download link below, from the old SCOM ISOs (for the DLL) plus a server ISO (for gacutil), or from the my.visualstudio.com link.

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

If you downloaded from my.visualstudio.com, extract the files from the ISO.

Copy the files to the IIS role servers (SCOM web console, SSRS, or Power BI Report Server) to stage them for FIPS compliance.

Download the DLL to the SCOM default folder.  Best practice is the SCOM default folder on a non-system disk, e.g.:

D:\Program Files\System Center\Operations Manager\Server

Update the registry on relevant servers

A registry key update is required to mitigate 'STIGs for SCOM FIPS compliance on Windows'.

The STIG check requires a REG_DWORD value named Enabled, set to 1, under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy.  Note that this setting is machine-wide: once it is on (after a reboot), .NET Framework code on that server that uses a non-FIPS-validated algorithm class throws an exception, which is why the SCOM web console needs the cryptography DLL staged in the previous step before you flip the value.

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key

PowerShell Verification:

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
# [int] so a missing value reads as 0 instead of an empty string
[int]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ( $FIPSEnabled -eq 1 ) { Write-Host "FIPS enabled" } else { Write-Host "FIPS disabled" }

Example Output

PS C:\> $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
PS C:\> [int]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
PS C:\> $FIPSEnabled
0
PS C:\> if ( $FIPSEnabled -eq 1 ) { Write-Host "FIPS enabled" } else { Write-Host "FIPS disabled" }
FIPS disabled

PowerShell to set the registry key (run elevated):

Blog link

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
$Name = "Enabled"
$value = 1
# -Force overwrites an existing Enabled value; DWORD is the type the STIG check expects
New-ItemProperty -Path $registryPath -Name $Name -Value $value `
    -PropertyType DWORD -Force | Out-Null

Reboot the web console servers (the FIPS policy takes effect at boot), then verify web console functionality!
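
Putting the verification and the registry change together, and showing why the reboot-and-verify step matters: the following is an added PowerShell example (not code from the original post, nor from Nathan Gau or Microsoft) that audits the Enabled value the STIGs check, can set it, and then probes what the policy does to .NET Framework cryptography classes, which is the mechanism behind a .NET web app breaking once FIPS mode is on. It assumes Windows PowerShell 5.1 (the .NET Framework classes the web console also runs on) and an elevated session for the Set function, which is left commented out so the audit alone is read-only.

```powershell
# Added example, not code from the original post: audit the FIPS policy value
# the STIGs above check, set it on request, and show what the policy does to
# .NET Framework crypto classes (the SCOM web console runs on .NET Framework).
# Assumptions: Windows PowerShell 5.1, run elevated for Set-FipsPolicy.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicy {
    # Returns the Enabled DWORD as 0 or 1; a missing value counts as 0.
    $item = Get-ItemProperty -Path $RegPath -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Enabled
}

function Set-FipsPolicy {
    param([ValidateSet(0, 1)][int]$Enabled)
    # The STIG check wants REG_DWORD Enabled = 1 under FipsAlgorithmPolicy.
    New-ItemProperty -Path $RegPath -Name Enabled -Value $Enabled -PropertyType DWORD -Force | Out-Null
    return Get-FipsPolicy
}

function Test-FipsCryptoBehavior {
    # CryptoConfig reads the policy when the process starts, so a value changed
    # in this session only shows up in a new process (the servers get rebooted anyway).
    $result = [ordered]@{
        ProcessSeesFipsPolicy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
    # Under the policy, constructors of non-validated classes (managed
    # implementations, and MD5 in any form) throw InvalidOperationException;
    # the CSP/CNG-backed SHA-2 classes keep working.
    $classes = @(
        'System.Security.Cryptography.MD5CryptoServiceProvider',
        'System.Security.Cryptography.SHA256Managed',
        'System.Security.Cryptography.SHA256CryptoServiceProvider',
        'System.Security.Cryptography.SHA256Cng'
    )
    foreach ($class in $classes) {
        $short = $class.Split('.')[-1]
        try {
            $null = New-Object -TypeName $class
            $result[$short] = 'allowed'
        } catch {
            $result[$short] = 'blocked: ' + $_.Exception.GetBaseException().Message
        }
    }
    return [pscustomobject]$result
}

$current = Get-FipsPolicy
if ($current -eq 1) {
    Write-Host "FIPS policy Enabled = 1 (FIPS enabled)"
} else {
    Write-Host "FIPS policy Enabled = $current (FIPS disabled)"
    # Uncomment to apply the STIG setting, then reboot:
    # Set-FipsPolicy -Enabled 1
}
Test-FipsCryptoBehavior | Format-List
```

Run it once before the change and once after the reboot. Before, every class reports allowed; after, ProcessSeesFipsPolicy is True and MD5CryptoServiceProvider and SHA256Managed report blocked while the CSP and Cng classes still work. That blocked result is the exact failure a .NET web application hits under the policy if it still uses a non-validated class, so if the web console comes back healthy after the reboot, the DLL step did its job.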

This concludes resolving 'STIGs for SCOM FIPS compliance for Windows Server'.

Relevant links and documentation for 'STIGs for SCOM FIPS compliance on Windows'

Download from the blog: https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip

Nathan Gau's blog here

Visual Studio download for SCOM ISOs here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST security policy for Windows Server 2019: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9: https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft has certified Server 2016 and 2019 per the Learn articles:

Server 2016: https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019: https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

A counterpoint to the STIG: https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/