DC Security bundle pack is much like the various universe/multiverse sci fi storylines.
Proactive Security bundle to help with three (3) various DC authentication event sets encompassing Kerberos, NetLogon, and DCOM. These events were enabled as part of the server cumulative patches. The management packs run workflows on the servers, then combine into a daily alert report of the unique event description details.
Save the files from GitHub to your local SCOM MS and import.
Proactive Security bundle components
Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event ID’s 10036,7,8 in Security EventLog. Pull from DC and run SCOM alert report, as well as on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Trellix bought McAfee, and rebranded, but the service, application, registry keys, etc. have not yet changed. Many times, the pack fills in the gaps that the admin misses. Examples when Application services crash or become non-responsive, or just adding the capability to summarize issues seen in a daily alert report.
System Event ID 7031 is logged for each application/service when the process has issues?
Trellix agent services have a monitor alert when System Event Log, EventID 7031 events have the agent services in the event description.
Second, my own spin for Application monitoring starts with the mantra ‘smarter vs. harder. Besides dynamic discovery based on registry key, adding the Service MonitorType gives additional monitorign flexibility adding Samples and Intervals to decrease false positive alerts. Simply put – count logic – x failures in y time before alerting.
Service MonitorType adds Samples and Intervals to decrease false positive alerts.
Third, the pack adds Trellix Agent rules, monitors, on-demand report task, and recovery scripts build out the manual intervention required alert action mantra.
Trellix Agent rules, monitors, on-demand report task, and recovery scripts build out the manual intervention required alert action mantra.
The PKI addendum pack monitors PKI certificate hierarchy. Certificates can be a challenge, where we want to change focus to WHEN manual intervention is required.
The ‘PKI Addendum pack’ is a tricky pack, due to certificate hierarchy. The decisions included are part of the three pillars – health, Security, Compliance, as well as alerting WHEN manual intervention required.
The PKI pack provides discoveries of the server certificate stores to then analyze certificates for validity, chain, and expiration. The v1.4.3.0 release adds some task logic and script changes that helps discover more stores, trusted root, etc.
WHAT CAPABILITIES DOES THE ‘PKI ADDENDUM PACK’ PROVIDE?
Set timeframe for certificate per organizational standards.
Break out different expiration alerts based on internal/external certificate, or by AD Client Certificate enrollment templates (to build out the manual intervention required scenario when alerts are generated).
Create groups breaking out application self-signed, PKI certificates.
Separate RDP Auth, Domain Controller, Computer, and OCSP certificates.
If this sounds interesting, and you want to dabble in XML authoring…
Download the pack from GitHub to improve PKI monitoring on Windows Servers.
Additional screenshots of addendum components
Addendum pack creates multiple groups to break out various types of certificates that have different decisions/behaviors requiring unique timing
Groups
Addendum pack created groups to help admins get to the ‘manual intervention’ required alerting goal.
Discoveries
Leverage dynamic groups based on server name and EnhancedKeyUsageList (EKU) list
PKI dynamic group discoveries
Overrides
Change PKI pack default discoveries, lifetime threshold expirations and more
Override PKI pack defaults
DOCUMENTATION AND LINKS
Addendum requires the PKI Certificate MP release v1.4.3.0 download
Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built.
Shout out to Neal Smith, for his help simplifying the ‘SCOM agent application’ install per ConfigMgr/MECM best practice! Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built. Need a MECM package (Application) for the SCOM agent. Leverage a best practice, be more secure, include in task sequence, and automate manual install.
Easy button wrapper
Why? Helpdesk and server admin teams don’t have access to Tier0 devices. After no access, the Manual process (instruction steps get missed), then server is not monitored, becoming an outage resolution task/follow-up.
Use the below thread = ‘easy button’ to package SCOM agent when MECM administrator has availability to add SCOM agent to SCCM task sequence.
MECM/SCCM Application/package script :
Using Powershell.exe:
###############Startscript
“SCOM Super Installer”
start-transcript -path “c:\windows\ccm\logs\SCOMSUPERINSTALLER.log”
##ONLY THIS SECTION NEEDS TO BE EDITED, replace different domain FQDNS and the gateway/management server(s), management groups
# Leverage find/replace for the ##something## variables
# Provide SCOM Gateway or SCOM management server MS for $SCOMGATEWAYFQDN variable.
# Include SCOM Mgmt Group Name for ##SCOMMGMTGroupName##
Switch ($domain) {
“##DomainFQDN1##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
“##DomainFQDN2##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
}
########ONLY THIS SECTION NEEDS TO BE EDITED
Lastly, after SCOM agent added to Endpoint Manager, monitoring new servers should be a no-brainer. One less manual step having ‘SCOM agent application’ as part of the task sequence.
One more admin process and workflow is to ‘update SCAP tools’ on servers. Many times overlooked, this can save many headaches with the newest version installed on servers.
Check DOD Cyber Exchange
Check the website here, to search for Win in SCAP tools, then download & Install
SCAP tool download from DOD Cyber Exchange public website.
Navigation steps:
Control Panel > Programs > Programs and Features
In the search bar (top right) enter scap (and hit enter)
SCAP Control panel output showing multiple versions installed. Need to install latest application, then remove the old versions (in this case, all three!)
SCAP Control panel output showing multiple versions installed.
Install SCAP application
Extract files from ZIP
Copy folder to repository (my path example below)
Save SCAP zip and files to folder repository and on server to install SCAP on.
Save SCAP zip and files to folder repository and on server to install SCAP on.
Run SCAP application
Take the defaults (unless you want the checker icon on desktop). Run SCAP application from PowerShell (as admin) window.
Open PowerShell as admin window
Example:
cd “D:\MonAdmin\STIGS\scc-5.7.2_Windows”; gci; .\SCC_5.7.2_Windows_Setup.exe
Hit enter to begin install
Run SCAP install from PowerShell (as admin) window.
On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.
SCAP EULA radio button application install screen.
Select Destination location (preferably on non-system disk), and click Next
Click on Start > start typing SCAP > Click on SCAP Compliance Checker
From the SCAP checker UAC prompt, click Yes to continue
SCAP checker UAC prompt, click Yes to continue
Click OK to end the install
SCAN new features popup after install
Run Local Scan
Run local scan to prove functionality.
Select STIG(s) in the middle pane > Click Start Scan
Run SCAP scan against server, choose your STIGs and Start Scan
Verify SCAP tool modified files after installation
Recheck Windows Explorer for OpenSSL; look at file properties for version details. Interesting, NONE of these files have versions (openssl, x509 searches show nothing file version wise)
Verify SCAP tool modified files after installation
Extra Extra read all about it, VMwareTools OpenSSL vulnerabilities!
Update VMwareTools to solve OpenSSL vulnerabilities CVE-2023-3446, CVE-2023-2975. The ‘VMwareTools OpenSSL vulnerabilities’ showed up two (2) weeks ago, but it took about a week for the update to post. Latest Tenable scan article shows OpenSSL update to v3.0.10 required for VMware Tools.
Update VMwareTools
Start with the Security scan and the plugin ID to mitigate ‘Tenable Scan output of OpenSSL PlugIn ID documenting problems’
Tenable Scan output of OpenSSL PlugIn ID documenting problems
Talk with your security team to identify the offending path for guidance on which application might be the culprit. The diagnostic/debug details can be a lifesaver!
Snippet of Tenable OpenSSL path from scan diagnostic of OpenSSL vulnerabilities
Newer version of VMwareTools required to fix OpenSSL vulnerabilities.
Originally, no VMwareTools update posted
VmWare tools v12.6 resolves CVE-2023-3446, CVE-2023-2975. Hopefully your virtualization team uses an Endpoint Manager to manage server configurations, and they have an application/package wrapper to install VMwareTools without this being a manual process
Either way, you’ll have to download the update download link
VmWare tools v12.6 has OpenSSL update to resolve CVE-2023-3446, CVE-2023-2975
I think of My Big Fat Greek wedding to ‘Compare SolarWinds and SCOM’. The wedding reception, where the father says the root of his daughter, and son-in-law’s last names, are from the greek word for Orange, and Apple. “so in the end, we’re all fruits” We are the same but different, where diversity and inclusion is key. Everyone’s got a voice. Contribute, don’t consume 🙂
First, I’ve been lucky to administer both tools for Fortune 100 companies (and more tools). Second, I hope this blog provides some clarification of the strengths, weaknesses, and costs associated with both tools. Here’s hoping wordpress readers identify with my background – saving money, cutting coupons, looking for on-sale, buy one get one deals. Thirdly, while everyone’s past experiences may not be the same, cost is still a big factor. Lastly, proprietary tools, Security, and other requirements can make or break an implementation.
Here’s a link to a PPT built to ‘Compare SolarWinds and SCOM’ feature wise, that goes along with ‘My Big Fat Greek Wedding’ and the fruit. PPT title ‘better together’, is loaded with links and breaking out key capabilities.
Some items NOT covered in the PPT comparison
Example context – SAW/PAW/Red Forest
Both tools can store credentials within the application, obfuscated.
SCOM allows gMSA’s (managed service accounts) for key services including run as accounts. View the Monitoring Guys blog plug here for CJ, Scott, and Tyson’s contributions 😛
COST
SolarWinds small enterprise example
Windows Server, SQL licenses (no cost given)
Monitors Windows, Non-Windows, Microsoft products
Community of custom application monitoring
Renewal cost per year in 2020 $48K/year
Add HA for SQL Enterprise licenses is same, where SW HA/High availability is the SolarWinds cost, not compute licenses for Windows Server, SQL
***500 license SAM, VOIP, IPAM, NPM/NCM.
Redesigning licensing to unlimited (site license) was $344K
Wow! Site licenses cost considerably more.
Though for clarification, 500 licenses equates to 500 monitors targeted at 500 servers.
SolarWinds costs broken out by feature
Add unlimited VMAN, DPA, SCM, VNQM adds $256K
Migrate functionality to site license ($48K > $344K)
Adding SolarWinds features with site unlimited licenses
SCOM small enterprise example
Windows Server, SQL licenses (no cost given)
No license limitation for products/features used, community built solutions
Monitors Windows, Non-Windows, Microsoft products
Large community of custom application monitoring
No yearly support costs (included with Microsoft support agreement)
SQL Enterprise licenses is same, where SW HA/High availability is the SolarWinds cost, not compute licenses for Windows Server, SQL
ESX monitoring via NiCE VMWare 3rd party pay pack is $10K/year
OpsLogix Teams integration helps with NOC/NOSC/SOC integration
Including NiCE Oracle monitoring $10k/year
I’ll leave the cost comparisons to you.
Securing the Applications and web consoles
SolarWinds (SW)
Secure SW website search, Smart Cards post, 2FA/MFA/RSA post
NO DISA STIG for SolarWinds, so IIS, Windows Server, SQL, WebServer ALL apply
NOTE: I’ve NOT supported SolarWinds recently to see Security scans for other vulnerabilities and STIG settings (Windows Server, SQL, IIS, Network blog. STIG dashboard ‘how to’
Licensing
Licensing is a big differentiator cost wise
SolarWinds needs an EA for Windows Server, SQL licenses.
SCOM has been part of the EA (Enterprise agreement) for at least 15+ years (since SCOM2007, if not MOM2005). Windows Server license (now CPU based), SQL license, however NOT enterprise comes standard. One reason the System Center suite is successful might be this built-in licensing, as well as the feature depth and cost the tools provide.
Hardware requirements
In my experience interacting with customers, SolarWinds support recommends hardware configuration well above vendor recommendations. Support recommendations requesting high compute to provide memory level SQL speed and responsive web console. However, the compute is basically ESX host level compute in the realm of 128GB of memory per server, in High Availability (HA), meaning x4 – 2 servers for 2 sites.
Monitoring tools are rarely Tier1 Applications with respective Service Level Availability (SLA). Expectation alone presents a disparity, and false impression. People just see a tool and base on personal experience.
Ferrari vs. GMC Cyclone – fooled you eh
Is it really surprising if one is faster than the other?
VulnID 178852 – Vulnerable to hackers – SQL OLE DB Driver update required
Got another vulnerability pop up on the last scan. ‘Vuln 178852 OLE DB driver’ has vulnerabilities and needs updated. My experience links this NOT to ODBC vuln 175441, thereby related to added capabilities and drivers installed with SSMS v19. NOTE: OLE has a pre-req of the new Visual C++ Redistributable x86 and x64 bits. Let’s mitigate Vuln 178852 OLE DB driver update!
Quick outline of steps with Vuln 178852 OLE DB driver
Download the bits (and copy to repository and servers for install)
Once downloaded, copy the OLE DB Driver and VC Redistributable EXE’s for x64 and x86 to the affected servers. Search for OLE first, to assess OLE and Redistributable versions currently installed.
Assess ‘Vuln 178852 OLE DB driver’ updates on affected servers
Log into the server(s)
From Control Panel > Programs > Programs and Features > Search for ‘ole’ to see Redistributable versions
Check Control Panel for OLE DB Version
Check Redistributable version
From Control Panel > Programs > Programs and Features > Search for ‘Red’ to see Redistributable versions
From Control Panel > Programs > Programs and Features > Search for ‘Red’ to see Redistributable versions
If you don’t upgrade Visual C++ Redistributable first, you’ll get this setup error
Executing OLE DB Driver update pre-requisite error for Visual C++ Redistrubutable update
First, we have to install the Visual C++ updates to the server before we can update the driver.
From PowerShell (as admin) on affected servers
Go to saved directory for EXE and MSI files
PowerShell as admin > go to directory > run the EXE
Click the Check box to EULA ‘I agree’
At the Visual C++ Redistributable EULA splash screen
Check agree checkbox, then click Install button lower right
Visual C++ Redistributable EULA splash screen to check agree checkbox, then click on Install
Update installing
VC_Redistributable installing screenshot
Click Restart button (when in approved change window)
Click Restart when in change window to reboot server for Visual C++ update to apply
Restart server
Update VC_Redist.x86.exe
Second part, if applicable x86 library is installed, is to update.
Install next pre-req, if server contained both x86 and x64 bits for the ‘Vuln 178852 OLE DB driver’
From PowerShell (as admin) on affected servers:
Go to saved directory for EXE and MSI files
.\VC_redist.x86.exe
Powershell as admin window initiating the Visual C++ Redistributable x86 exe
Click the Check box to EULA ‘I agree’
At the Visual C++ Redistributable EULA splash screen
Check agree checkbox, then click Install button lower right
Click on ‘I agree’ checkbox, and click Install button to begin the x86 Visual C++ Redistributable update
Update installing
Screenshot installing the x86 Visual C++ Redistributable update
Update complete
Screenshot showing successful install of the x86 Visual C++ Redistributable update
Update MSOLEDB drivers
Third, assess first if you need x64 AND x86 drivers (my example is only x64)
Start by checking the Control Panel > Programs > Programs and Features > search for ole (and hit enter)
Control Panel > Programs > Programs and Features > searching for ole, showing old v18
From PowerShell (as admin) on affected servers
Go to saved directory for EXE and MSI files
Open MSI to begin install
PowerShell as Admin running the ole MSI install
Click Next if you get the ‘User Account Control’ (UAC) prompt to initiate MSI install
OLE MSI Install – User Account Control (UAC) prompt to initiate MSI install
Click Next
OLE MSI install, click Next
Click ‘I agree’ radio button and Click Next
OLE MSI Install, EULA splash screen to check ‘I Agree’ radio button and click Next
Next, on the OLE MSI install, click next to accept default features (just the driver install)
OLE MSI install, click next to accept default features (just the driver install)
Click Install to begin driver install
OLE MSI install, click install
OLE driver install completed, click Finish
OLE driver install completed, click Finish
Verify Control Panel for OLE driver install and version
Lastly, assess server and application requirements to verify if the old OLE driver is okay to remove from system to clear vulnerability. The old OLE driver on my system was installed the day I installed SSMS v19.x
Back to your Control Panel > Programs > Programs and Features window
Change search to OLE in the top right > hit enter
Click Delete on old version
On the Warning popup window, click continue
Control Panel view showing two OLE drivers, reflecting the newly installed, and the old version
At the UAC prompt, click Yes
OLE MSI Install – User Account Control (UAC) prompt to initiate MSI install
Once complete, verify Control Panel window
Control Panel > Programs > Programs and Features > searching for ole, showing old v18
Other documentation
Security Updates for Microsoft SQL Server OLE DB Driver (June … | Tenable®
What does your mind link to with the FIPS acronym? FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’
The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files. The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022). As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files. My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.
Install DLL for STIGs for SCOM FIPS compliance on Windows
Time to mitigate!
Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’. Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480
Download files
Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
If you downloaded from my.visualstudio.com, extract from ISO.
Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.
Download the DLL to the SCOM default folder –
Best practice is SCOM Default folder on non-system disk @
Much like the character from Seinfeld, finding out that the ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG Compliant (STIG’d), is just as tramatic as being hungry, and told ‘No soup for you!” With all the many STIG findings, here’s a quick and dirty way to resolve the finding.
Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022
V-237434 SCOM Web Console SSL Settings
STIG V-237434 requires trusted CA SSL certificates. Previous July blog posts are related to the effort to secure the SCOM web console. The redirect post forces HTTPS, complimenting this STIG finding. As the STIG states, remediation verification that IIS web site binding is HTTPS, and remove HTTP.
Remediate SCOM servers with Web Console role
Assumption = SmartCards are used for authentication, this part is applicable, otherwise skip.
RDP to server, connect to IISManager
Expand IIS Server > Expand Sites > Expand Default Web Site
IIS Manager Default Web Site menu
Click on SSL Settings
If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate. Once complete, proceed below.
Click on SSL Settings > Check box to ‘Require SSL’
If menu is NOT greyed out, click radio button to ‘Accept’ client certificates
Click Apply
IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings
Click on Default Website on left hand pane
In the Actions Pane (right hand side), click on Restart to restart the IIS website
Restart IIS website from IIS manager actions pane
IIS Website bindings
Next pieces is to verify the SSL HTTPS binding is setup correctly. In case you got disconnected, or rebooted the server
RDP to server, connect to IISManager
Expand IIS Server > Expand Sites > Expand Default Web Site
In the Actions pane on the top right, click on Bindings
IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS
Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)
Default website, Bindings selection showing HTTP if following SCOM quick start
If HTTP ONLY, click the Add button
Change dropdown for Type to https
Enter Host Name
Click Select to choose the SSL cert
Click OK
Adding HTTPS Binding with server name, SSL cert drop down and selected
Verify SSL certificate added
IIS HTTPS Bindings with SSL cert
If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!
Have fun
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
