DISA DOD SQL STIG vulnerabilities V-213902, V-213935
SCOM SECURITY Documentation
SCOM2019 https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/
Operational monitoring tools including System Center, Azure Monitor

Rebranding central: MEM, EM, MECM, SCCM, Configuration Manager; whichever synonym you use, we’re referring to the same product. Tune the most common critical alerts per the health model to warning.
Background
Read Holman’s blog for more details.
Did you know – MCM discoveries are based on registry keys added with various role installs on windows servers. These registry keys are typically under this path: HKLM\SOFTWARE\Microsoft\SMS\Operations Management\Components
What capabilities does the ‘MCM addendum pack’ provide?
Quite simply, the pack provides warning severity overrides for common alerts and disables event collection rules.

Includes warning severity changes for the following rules and monitors:
BackupStatus.StatusMessage.Monitor
ReportingPoint.RoleAvailability.Monitor
SoftwareUpdatePoint.RoleAvailability.Monitor
SoftwareUpdatePointSync.AlertState.Monitor
ComponentServer.ComponentStoppedUnexpectedly.Event.Rule
SiteComponentManager – CanNotFindObjectInAD.Event.Rule, CouldNotAccessSiteSystem.Event.Rule
StateSystem.FailedToExecuteSummaryTask.Event.Rule
WsusConfigurationManager.FailedToConfigProxy.Event.Rule
Download Kevin Holman’s MCM pack from GitHub.
Download the Addendum here, to get alerts where manual intervention is required.
Save packs
Enjoy some acronym humor and ‘who moved my cheese fun!’

Import into SCOM & Enjoy!
If you need more capabilities, reach out on the blog or GitHub.
Github repository here
SCCM management pack
Holman blog for MEM, EM, MCM, MECM, CM, ConfigMgr, Configuration Manager

One more admin process and workflow is to ‘update SCAP tools’ on servers. Many times overlooked, this can save many headaches with the newest version installed on servers.
Check the website here, to search for Win in SCAP tools, then download & Install

Navigation steps:
Control Panel > Programs > Programs and Features
In the search bar (top right) enter scap (and hit enter)
SCAP Control panel output showing multiple versions installed. Need to install latest application, then remove the old versions (in this case, all three!)

Extract files from ZIP
Copy folder to repository (my path example below)
Save the SCAP zip and extracted files to the folder repository and to the server where SCAP will be installed.

Take the defaults (unless you want the checker icon on desktop). Run SCAP application from PowerShell (as admin) window.
Open PowerShell as admin window
Example:
cd "D:\MonAdmin\STIGS\scc-5.7.2_Windows"; gci; .\SCC_5.7.2_Windows_Setup.exe
Hit enter to begin install

On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.

Select Destination location (preferably on non-system disk), and click Next
Change path to non-system disk (like d:)

From the ‘Select Components’ window, click Next

Click Next on the Setup Start Menu folder window

On the SCAP select additional tasks install window, click Next

Click Install on ‘Ready to install’ popup screen

With the new SCAP tool Install window, click Finish to complete.

Remove old versions
Click Continue and go through removal prompts

With the Uninstall screen, click Yes to uninstall.

Click OK on uninstall

Verify control panel only has latest version installed. Close out Programs and Features window


Click on Start > start typing SCAP > Click on SCAP Compliance Checker
From the SCAP checker UAC prompt, click Yes to continue

Click OK to end the install

Run local scan to prove functionality.
Select STIG(s) in the middle pane > Click Start Scan

Recheck Windows Explorer for OpenSSL; look at file properties for version details. Interestingly, NONE of these files have versions (openssl and x509 searches show nothing version-wise).

Ask the Security Admin to re-scan!
DOD Cyber Exchange https://public.cyber.mil/stigs/scap/

The ‘MSSQL Addendum pack’ wouldn’t be possible without Brandon Pires contributions. Brandon dealt with my many questions to better alert! If you need more background, check the ‘why addendum pack’ post.
The pack is based on the SQL engineering blog and program team making multiple updates per year for SQL monitoring. The addendum creates two groups for dev/test and notification/subscription modeling. Second, the overrides (and there are a bunch!) aid consumption of real issues. Lastly, most environments should be SQL 2016+, as the 2012 R2 EOL/EOSL is quickly approaching in October!

MSSQL group discoveries require updates to be applicable to your environment.
First, the Addendum pack requires the MSSQL packs to be installed. The addendum is built on the version-agnostic MSSQL 2016+ pack, which is currently supported, as the 2012/2012 R2 products are near end of support.
Find/Replace the variables as needed:
Example ##TESTSERVER##|##DEVSERVER##
Save file
Addendum pack contains discovery, monitor, and rule overrides to tune MSSQL to CSA (old PFE/CE/CSAe Microsoft Field engineer recommendations), to match the health model reducing critical ‘wake me up in the middle of the night’ alerts.
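As an added example (not code from the original post or from the addendum pack itself), the following PowerShell does the find/replace above, then fails if any ##TOKEN## was left behind and confirms the file still parses as XML before you import it. A leftover token ends up as a literal server name in the group discovery, and the group silently stays empty. The file path and server names are constructed placeholders.

```powershell
# Added example, not from the original post: replace the addendum's ##TOKEN##
# placeholders, refuse to continue if any remain, and check the XML still parses.
function Update-AddendumPlaceholders {
    param(
        [Parameter(Mandatory)] [string]    $Path,   # unsealed .xml addendum
        [Parameter(Mandatory)] [hashtable] $Map     # token -> value, see usage below
    )
    $text = Get-Content -Path $Path -Raw

    foreach ($token in $Map.Keys) {
        # String.Replace is literal (no regex), so server names with odd characters are safe
        $text = $text.Replace($token, [string] $Map[$token])
    }

    # Any ##SOMETHING## still present was not in $Map
    $leftover = [regex]::Matches($text, '##[A-Z0-9_]+##') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($leftover) {
        throw "Unreplaced placeholders in ${Path}: $($leftover -join ', ')"
    }

    # Confirm the edited file is still well-formed XML before SCOM sees it
    [xml] $mp = $text
    Set-Content -Path $Path -Value $text -Encoding UTF8

    [pscustomobject]@{
        ManagementPackId = $mp.ManagementPack.Manifest.Identity.ID       # MP schema: Manifest/Identity/ID
        Version          = $mp.ManagementPack.Manifest.Identity.Version
        Replaced         = @($Map.Keys)
    }
}

# Usage (constructed values): the tokens are the ones named in the post; the servers are made up.
Update-AddendumPlaceholders -Path 'D:\MonAdmin\MSSQL.Addendum.xml' -Map @{
    '##TESTSERVER##' = 'SQLTST01'
    '##DEVSERVER##'  = 'SQLDEV01'
}
```

If the addendum uses the tokens as a regex alternation (the ##TESTSERVER##|##DEVSERVER## form above), keep the values plain host names; anything with regex metacharacters would change the discovery expression.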

Download pack, and save to your environment
Import into SCOM
Enjoy!
MSSQL Engineering blog and old post here
SQL Releases TechCommunity here
Engineering team latest management pack, TechCommunity release v7.2.0.0
Import ‘gotcha’ importing new custom functionality blog

‘Why addendum packs’? What value can they bring to my customer? Kevin Holman started the Addendum thought process quite a while back. Added functionality to a core application/program/product. The first example of this pack naming convention is his SQL RunAs Addendum to simplify SQL monitoring. Let’s break down a number of examples how the SCOM community has built packs to better monitoring, and how I believe the addendum packs bring IT Ninja lessons from Microsoft experts monitoring to your environment.
Better monitoring from the experts, including customer examples for other ‘blind spots’ in monitoring. Blind spots consist of ‘not monitored’ pieces of infrastructure, from simply an event, ping, service, tcp port check, process, web site, scripted workflow, with the purpose to identify a problem.
The goal of monitoring is to:
Identify, self-heal, automatically run recovery or diagnostic workflows, and alert when manual intervention is required. It doesn’t matter what tool you use; they all do some portion of these steps.
The addendum packs do these things, adding a few differentiators.
Auto closure daily scripts (close rules/monitors)
Auto reports of problems (M-F 0600-0700 local, reflecting last 24-72 hours of open/closed alerts)
Employ count logic (x in y time)
Self-heal monitors with no new events
Adjust alert severities to health model
where critical (red) = outage, warning (yellow) = issue, informational reports or FYI’s
Capable of updating alerts (status, owner, ticketID+)
Tasks to run workflows on-demand
Recovery tasks – (i.e. service restart automation or TopProcess, Logical disk cleanup, MECM Client cache clean )
Integrate additional monitoring (like DFS replication queue script/alerts)
Synthetic checks for DNS and web applications
Web Availability and Transactional monitoring, ADFS, CRL, PowerShell Invoke-WebRequest, and more
Security and Compliance checks
Imagine I forgot something capability wise.
Stay tuned, as this builds into an even better outcome, quality data into ‘a single pane of glass’ of multiple tools within PowerBI.

Ever need to build out a capability and the SQL query is your blocker? Use a SQL query Plan ‘howTo’ to figure out what’s taking query so long. My thanks to Dennis Zwahlen (a Data and AI CSA – LinkedIn ) helping me figure out what was causing a SCOM DW SQL query to render data VERY slowly!
Don’t get me wrong, the sheer volume of events is definitely part of the problem. Event rules are using expressions to further restrict collected event data.
SCOM DW Events ingested for DC Security Events when SIEM is a limit, and NOT using ACS feature. Will discuss the SCOM DW Event ingestion and additional XML authoring options to turn down the pressure.
Time to use the ‘SQL query Plan howto’ blog for SQL execution plan, to help to figure out why the DW Query takes so long. Using the execution plan, similar to SQL profiler, will provide insight to possibly speed up query, allowing PowerBI app/report rendering of data.
From SSMS > View > Add Display Estimated Execution Plan

SQL execution plan starting from the left documenting SQL query

SQL query plan starting from the left documenting SQL query
Sort is taking 4.5 minutes in this example of the SQL execution plan visual. Moving right from the Join, the lines document how SQL behaves and how each piece affects overall execution.

Hope this helps for another diagnostic SQL step in your tool box!
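Added example, not from the original post: the same diagnosis done without the SSMS graphic. Get-EstimatedPlanXml asks SQL Server for the estimated plan as XML (the data SSMS draws), and Get-PlanOperatorCost walks the RelOp tree and charges each operator only its own cost, so a Sort sitting on top of an expensive Join still lands at the top of the list on its own merit. The plan XML embedded below is constructed to mirror the Sort-over-Join shape in the screenshot; the connection string in the commented live call is a placeholder.

```powershell
# Added example, not from the original post.
# Assumes Windows PowerShell with System.Data.SqlClient (ships with .NET Framework).
function Get-EstimatedPlanXml {
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,
        [Parameter(Mandatory)] [string] $Query
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # SET SHOWPLAN_XML must be a batch of its own; after it, the next statement
        # returns its estimated plan as one XML row instead of running.
        $cmd.CommandText = 'SET SHOWPLAN_XML ON'
        [void] $cmd.ExecuteNonQuery()
        $cmd.CommandText = $Query
        [string] $cmd.ExecuteScalar()
    }
    finally { $conn.Close() }
}

# Walk every RelOp, charge each operator only its own cost (subtree cost minus the
# subtree costs of its direct children), and sort. The per-operator percentages in
# the SSMS graphic come from the same arithmetic.
function Get-PlanOperatorCost {
    param([Parameter(Mandatory)] [string] $PlanXml)
    [xml] $doc = $PlanXml
    $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('sp', 'http://schemas.microsoft.com/sqlserver/2004/07/showplan')

    $ops = foreach ($op in $doc.SelectNodes('//sp:RelOp', $ns)) {
        $childCost = 0.0
        # child operators sit one level down, inside the operator element (Sort, Hash, ...)
        foreach ($child in $op.SelectNodes('./*/sp:RelOp', $ns)) {
            $childCost += [double] $child.GetAttribute('EstimatedTotalSubtreeCost')
        }
        $subtree = [double] $op.GetAttribute('EstimatedTotalSubtreeCost')
        [pscustomobject]@{
            NodeId       = [int] $op.GetAttribute('NodeId')
            PhysicalOp   = $op.GetAttribute('PhysicalOp')
            LogicalOp    = $op.GetAttribute('LogicalOp')
            EstimateRows = [double] $op.GetAttribute('EstimateRows')
            SubtreeCost  = $subtree
            SelfCost     = [math]::Round($subtree - $childCost, 3)
        }
    }
    $ops | Sort-Object SelfCost -Descending
}

# Constructed plan with the same Sort-over-Join shape as the screenshot; the numbers are made up.
$SamplePlanXml = @'
<ShowPlanXML xmlns="http://schemas.microsoft.com/sqlserver/2004/07/showplan" Version="1.5" Build="15.0.2000.5">
  <BatchSequence><Batch><Statements>
    <StmtSimple StatementText="SELECT ... ORDER BY DateTime" StatementType="SELECT">
      <QueryPlan>
        <RelOp NodeId="0" PhysicalOp="Sort" LogicalOp="Sort" EstimateRows="2500000" EstimatedTotalSubtreeCost="412.7">
          <Sort Distinct="false">
            <RelOp NodeId="1" PhysicalOp="Hash Match" LogicalOp="Inner Join" EstimateRows="2500000" EstimatedTotalSubtreeCost="102.5">
              <Hash>
                <RelOp NodeId="2" PhysicalOp="Clustered Index Scan" LogicalOp="Clustered Index Scan" EstimateRows="2500000" EstimatedTotalSubtreeCost="33.0"/>
                <RelOp NodeId="3" PhysicalOp="Index Seek" LogicalOp="Index Seek" EstimateRows="1200" EstimatedTotalSubtreeCost="0.004"/>
              </Hash>
            </RelOp>
          </Sort>
        </RelOp>
      </QueryPlan>
    </StmtSimple>
  </Statements></Batch></BatchSequence>
</ShowPlanXML>
'@

Get-PlanOperatorCost -PlanXml $SamplePlanXml | Format-Table -AutoSize

# Live use (placeholder connection string); put the slow DW query in $Query:
# $plan = Get-EstimatedPlanXml -ConnectionString 'Server=SQL01;Database=OperationsManagerDW;Integrated Security=True' -Query $Query
# Get-PlanOperatorCost -PlanXml $plan | Select-Object -First 5
```

On the constructed plan the Sort carries 310.2 of the 412.7 total on its own, the Hash Match about 69.5, and the scan 33, which is the same story the screenshot tells: fix the sort (or the row count feeding it) before touching the join.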

Got another vulnerability pop up on the last scan. ‘Vuln 178852 OLE DB driver’ has vulnerabilities and needs to be updated. My experience links this NOT to ODBC vuln 175441, but to added capabilities and drivers installed with SSMS v19. NOTE: OLE has a pre-req of the new Visual C++ Redistributable x86 and x64 bits. Let’s mitigate Vuln 178852 OLE DB driver update!
Download the bits (and copy to repository and servers for install)
Update VC_Redist.x64.exe (and subsequent VC_Redist.x86.exe)
Update MSOLEDB drivers (x64 and possibly x86)
Re-scan to validate remediated!
Download Microsoft OLE DB Driver for SQL Server – OLE DB Driver for SQL Server | Microsoft Learn
Latest supported Visual C++ Redistributable downloads | Microsoft Learn
https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
Once downloaded, copy the OLE DB Driver and VC Redistributable EXE’s for x64 and x86 to the affected servers. Search for OLE first, to assess OLE and Redistributable versions currently installed.
Log into the server(s)
From Control Panel > Programs > Programs and Features > Search for ‘ole’ to see OLE DB driver versions
Check Control Panel for OLE DB Version
Check Redistributable version
From Control Panel > Programs > Programs and Features > Search for ‘Red’ to see Redistributable versions

If you don’t upgrade Visual C++ Redistributable first, you’ll get this setup error

First, we have to install the Visual C++ updates to the server before we can update the driver.
From PowerShell (as admin) on affected servers
Go to saved directory for EXE and MSI files
PowerShell as admin > go to directory > run the EXE
Click the Check box to EULA ‘I agree’
At the Visual C++ Redistributable EULA splash screen
Check agree checkbox, then click Install button lower right

Update installing

Click Restart button (when in approved change window)

Restart server
Second part, if the x86 library is installed, is to update it as well.
Install next pre-req, if server contained both x86 and x64 bits for the ‘Vuln 178852 OLE DB driver’
From PowerShell (as admin) on affected servers:
Go to saved directory for EXE and MSI files
.\VC_redist.x86.exe

Click the Check box to EULA ‘I agree’
At the Visual C++ Redistributable EULA splash screen
Check agree checkbox, then click Install button lower right

Update installing

Update complete

Third, assess first if you need x64 AND x86 drivers (my example is only x64)
Start by checking the Control Panel > Programs > Programs and Features > search for ole (and hit enter)

From PowerShell (as admin) on affected servers
Go to saved directory for EXE and MSI files
Open MSI to begin install

Click Next if you get the ‘User Account Control’ (UAC) prompt to initiate MSI install

Click Next

Click ‘I agree’ radio button and Click Next

Next, on the OLE MSI install, click next to accept default features (just the driver install)

Click Install to begin driver install

OLE driver install completed, click Finish

Lastly, assess server and application requirements to verify if the old OLE driver is okay to remove from system to clear vulnerability. The old OLE driver on my system was installed the day I installed SSMS v19.x
Back to your Control Panel > Programs > Programs and Features window
Change search to OLE in the top right > hit enter
Click Delete on old version
On the Warning popup window, click continue

At the UAC prompt, click Yes

Once complete, verify Control Panel window
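Added example, not code from the original post, covering both Control Panel walks on this page: the SCAP version cleanup earlier (find the old SCC builds that still need removing) and the OLE DB driver update here (confirm the VC++ runtime is present before the driver MSI, then run both installers unattended). It reads the two Uninstall registry keys that Programs and Features is built from. The product display-name patterns, the minimum redistributable version and the D:\MonAdmin\Drivers path are assumptions; take the real minimum version from the driver download page.

```powershell
# Added example, not from the original post. Reads the same list "Programs and Features"
# shows, straight from the two Uninstall registry keys (64-bit and WOW6432Node).
function Get-InstalledProgram {
    param([Parameter(Mandatory)] [string] $NamePattern)   # wildcard matched against DisplayName
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            $v = $null
            if ($_.DisplayVersion) { [void] [version]::TryParse($_.DisplayVersion, [ref] $v) }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $v
                InstallDate     = $_.InstallDate
                UninstallString = $_.UninstallString
            }
        }
}

# SCAP: everything older than the newest SCC build is an old version to remove.
# Assumption: the entry is named like "SCAP Compliance Checker <version>".
function Get-StaleScapVersions {
    $scc = @(Get-InstalledProgram -NamePattern '*SCAP Compliance Checker*' | Where-Object Version)
    if ($scc.Count -eq 0) { return @() }
    $newest = ($scc | Sort-Object Version -Descending)[0].Version
    $scc | Where-Object { $_.Version -lt $newest }
}

# OLE DB: the driver MSI errors out without the VC++ runtime (the "setup error" above),
# so report both products before touching anything. $MinimumRedist is a constructed
# threshold, not a value from the post.
function Test-OleDbPrereq {
    param([version] $MinimumRedist = '14.0.0.0')
    $redist = @(Get-InstalledProgram -NamePattern 'Microsoft Visual C++ 20*Redistributable*(x64)*' | Where-Object Version)
    $ole    = @(Get-InstalledProgram -NamePattern 'Microsoft OLE DB Driver*SQL Server*')
    $redistVersion = $null
    if ($redist.Count -gt 0) { $redistVersion = ($redist | Sort-Object Version -Descending)[0].Version }
    [pscustomobject]@{
        RedistVersion = $redistVersion
        RedistOk      = [bool] ($redist | Where-Object { $_.Version -ge $MinimumRedist })
        OleDbDrivers  = @($ole | ForEach-Object { "$($_.DisplayName) $($_.Version)" })
    }
}

# Unattended equivalents of the click-through steps. VC_redist accepts
# /install /quiet /norestart; msoledbsql.msi needs IACCEPTMSOLEDBSQLLICENSETERMS=YES
# for a silent install. The reboot after the redistributable is still yours to schedule.
function Install-OleDbStack {
    param([string] $Folder = 'D:\MonAdmin\Drivers')   # constructed path
    if (-not (Test-OleDbPrereq).RedistOk) {
        Start-Process -FilePath (Join-Path $Folder 'VC_redist.x64.exe') `
            -ArgumentList '/install', '/quiet', '/norestart' -Wait
    }
    $msi = Join-Path $Folder 'msoledbsql.msi'
    Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList '/i', "`"$msi`"", '/qn', 'IACCEPTMSOLEDBSQLLICENSETERMS=YES' -Wait
    Test-OleDbPrereq
}

# Usage
Get-StaleScapVersions | Format-Table DisplayName, Version, UninstallString -AutoSize
Test-OleDbPrereq
```

Run Get-InstalledProgram before and after the driver install and keep the two outputs with the change record; that is the evidence the re-scan is checking against, and it is what shows whether an older OLE DB entry is still present for the last step above.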

Security Updates for Microsoft SQL Server OLE DB Driver (June … | Tenable®

Updated 4 Apr 2023 with Tyson’s feedback!
First, some background – the Snapshot Synchronization alert just tells you there was a SQL issue running the workflow.
Second, the Snapshot Synchronization alert from a health model perspective, is NOT a critical issue (outage). Create override severity to 1 (warning) to prevent false wake-up calls. I’ll get this to my GitHub repo shortly!
Start with Tyson’s SCOM Maintenance pack, and run the tasks

Alternative long steps
Login to server with SSMS installed
Open SSMS > Connect to the SCOM OpsMgr DB > Click on New Query
***NOTE verify database dropdown shows Operations Manager!
Paste SQL query into the query textbox
Select WorkItemName, b.WorkItemStateName, ServerName, StartedDateTimeUtc, CompletedDateTimeUtc, DurationSeconds, ERRORMESSAGE
from cs.WorkItem a , cs.WorkItemState b
where a.WorkItemStateId= b.WorkItemStateId
and WorkItemName = 'SnapshotSynchronization'
Screenshot

Example SQL Output

WorkItemName             WorkItemStateName  ServerName  StartedDateTimeUtc       CompletedDateTimeUtc     DurationSeconds  ERRORMESSAGE
SnapshotSynchronization  Succeeded          SCOMV01     2023-01-24 00:26:23.427  2023-01-24 00:27:46.100  83               NULL
SnapshotSynchronization  Failed             SCOMV02     2023-01-25 00:27:52.363  2023-01-25 00:28:07.520  15
SnapshotSynchronization  Succeeded          SCOMV00     2023-01-25 21:43:36.540  2023-01-25 21:45:07.947  91               NULL
SnapshotSynchronization  Running            SCOMV00     2023-01-25 21:45:32.227  NULL                     NULL             NULL
Solution:
The jobs may show Succeeded by the time you login to SQL, which is EOJ (end of job).
If Failed is latest date/timestamp, re-run the task “Request Snapshot Synchronization” which can be found when we select “Management Configuration Service Group” in the below mentioned view.
View:
From Monitoring Tab > Click on Operations Manager folder > Click on Management Group Health widget > Highlight unhealthy state from Management Group Functions.
Click on the ‘Request Snapshot Synchronization’ task to execute the Stored Procedure “SnapshotSynchronizationForce” on the OpsMgr DB.
NOTE: There are two tasks with same name but with different targets i.e. ‘Management Configuration Service Group’ and ‘Management Configuration Services’
The other task can be found on below view after selecting the Management Server you want the Task to be executed on
View:
From Monitoring Tab > Expand Operations Manager folder > Expand Management Configuration Service folder > Click on Services State view
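Added example, not from the original post: the query above and the "latest run per server" decision from the Solution, scripted. $SnapshotQuery is the post's query verbatim; the verdict logic runs offline on rows constructed from the example output, and Request-SnapshotSync wires it to Invoke-Sqlcmd (SqlServer module) and the SCOM cmdlets. The task and class display names are the ones in the post; that Get-SCOMTask and Start-SCOMTask resolve them this way is an assumption to confirm in your console first, and the SQL instance name is a placeholder.

```powershell
# Added example, not from the original post. $SnapshotQuery is the post's query verbatim.
$SnapshotQuery = @"
Select WorkItemName, b.WorkItemStateName, ServerName, StartedDateTimeUtc, CompletedDateTimeUtc, DurationSeconds, ERRORMESSAGE
from cs.WorkItem a , cs.WorkItemState b
where a.WorkItemStateId= b.WorkItemStateId
and WorkItemName = 'SnapshotSynchronization'
"@

# The newest run per management server decides the action, as in the Solution text:
# Failed -> re-run the task, Running -> wait, Succeeded -> EOJ, nothing to do.
function Get-SnapshotSyncVerdict {
    param([Parameter(Mandatory)] [object[]] $Rows)   # rows with ServerName, WorkItemStateName, StartedDateTimeUtc
    foreach ($group in ($Rows | Group-Object ServerName)) {
        $latest = $group.Group |
            Sort-Object { [datetime] $_.StartedDateTimeUtc } -Descending |
            Select-Object -First 1
        switch ($latest.WorkItemStateName) {
            'Failed'  { $action = 'Re-run "Request Snapshot Synchronization"' }
            'Running' { $action = 'Wait, a run is in progress' }
            default   { $action = 'None (EOJ)' }
        }
        [pscustomobject]@{
            ServerName  = $group.Name
            LatestState = $latest.WorkItemStateName
            StartedUtc  = $latest.StartedDateTimeUtc
            Error       = $latest.ERRORMESSAGE
            Action      = $action
        }
    }
}

# Constructed rows copied from the example output above, so the logic runs offline
$SampleRows = @(
    [pscustomobject]@{ ServerName = 'SCOMV01'; WorkItemStateName = 'Succeeded'; StartedDateTimeUtc = '2023-01-24 00:26:23'; ERRORMESSAGE = $null }
    [pscustomobject]@{ ServerName = 'SCOMV02'; WorkItemStateName = 'Failed';    StartedDateTimeUtc = '2023-01-25 00:27:52'; ERRORMESSAGE = '' }
    [pscustomobject]@{ ServerName = 'SCOMV00'; WorkItemStateName = 'Succeeded'; StartedDateTimeUtc = '2023-01-25 21:43:36'; ERRORMESSAGE = $null }
    [pscustomobject]@{ ServerName = 'SCOMV00'; WorkItemStateName = 'Running';   StartedDateTimeUtc = '2023-01-25 21:45:32'; ERRORMESSAGE = $null }
)
Get-SnapshotSyncVerdict -Rows $SampleRows | Format-Table -AutoSize

# Live: query the OpsMgr DB, and only if the newest run somewhere is Failed, fire the
# task targeted at 'Management Configuration Service Group' (the first of the two
# same-named tasks the NOTE above describes). Cmdlet resolution is an assumption.
function Request-SnapshotSync {
    param([Parameter(Mandatory)] [string] $SqlInstance)   # e.g. 'SQL01\OPSMGR' (placeholder)
    $rows     = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database OperationsManager -Query $SnapshotQuery
    $verdicts = Get-SnapshotSyncVerdict -Rows $rows
    $failed   = @($verdicts | Where-Object { $_.LatestState -eq 'Failed' })
    if ($failed.Count -eq 0) { return $verdicts }
    $class    = Get-SCOMClass -DisplayName 'Management Configuration Service Group'
    $instance = Get-SCOMClassInstance -Class $class
    $task     = Get-SCOMTask -DisplayName 'Request Snapshot Synchronization' |
                Where-Object { $_.Target.Id -eq $class.Id }
    Start-SCOMTask -Task $task -Instance $instance
}
```

On the constructed rows SCOMV02 is the only server whose newest run is Failed; SCOMV00's Failed-looking history is followed by a Running entry, so the script waits rather than stacking a second request on top of it.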
Create Override for the alert
To change snapshot monitor to warning
From SCOM Console > Authoring Tab
Expand ‘Management Pack Objects’ > Click on Monitors
In the ‘Look for:’ bar type Snapshot synchronization state and hit enter
Monitor name = Snapshot synchronization state
Right click on monitor > Overrides > Override the monitor > For all objects of class
Click checkbox for Severity > change Critical to Warning
Click Edit – add comment – i.e. date/time changing to warning
Select your override pack > Click OK
Click OK to execute change

Resources
Tyson’s MonitoringGuys blog for SCOM Maintenance pack – download here

This post is courtesy of Andres Naranjo
Fix SQL2017+ .NET assembly errors after moving DB’s to new SQL servers.
Scenario: Moved the SCOM 2019 databases from a SQL 2014 database engine to a SQL 2019 database engine. The following error occurred when opening the SCOM admin console:
Operations Manager Event Log, Event ID 26317
Date: 10/22/2021 11:17:27 AM
Application: Operations Manager
Application Version: 10.19.10505.0
Severity: Error
Message:
An error occurred in the Microsoft .NET Framework while trying to load assembly id 65537. The server may be running out of resources, or the assembly may not be trusted. Run the query again, or check documentation to see how to solve the assembly trust issues. For more information about this error:
System.IO.FileLoadException: Could not load file or assembly ‘microsoft.enterprisemanagement.sql.userdefineddatatype, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null’ or one of its dependencies. An error relating to security occurred. (Exception from HRESULT: 0x8013150A)
System.IO.FileLoadException:
at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.Load(String assemblyString)
Fix SQL2017+ .NET assembly
In addition, Operations Manager event ID 26317 events document the error (also check the SQL Application log; see Holman’s blog). Here is an example from the Operations Manager event log:

Cause:
Starting with SQL 2017, SQL Server restricts which managed (CLR) assemblies it will load; assemblies must be marked as trusted.
See more details in Microsoft TechNet article here
First, ensure that SQL CLR execution is enabled with the following SQL query:
sp_configure @configname=clr_enabled, @configvalue=1
GO
RECONFIGURE
GO
NOTE: It is important to make sure the SQL Server Service is re-started after the query above.
Second, execute ‘add trusted’ stored procedure queries to mark both as trusted:
EXEC sp_add_trusted_assembly 0xFAC2A8ECA2BE6AD46FBB6EDFB53321240F4D98D199A5A28B4EB3BAD412BEC849B99018D9207CEA045D186CF67B8D06507EA33BFBF9A7A132DC0BB1D756F4F491
EXEC sp_add_trusted_assembly 0xEC312664052DE020D0F9631110AFB4DCDF14F477293E1C5DE8C42D3265F543C92FCF8BC1648FC28E9A0731B3E491BCF1D4A8EB838ED9F0B24AE19057BDDBF6EC
Verify assemblies are successfully registered as trusted run:
Select * from sys.trusted_assemblies
The output should look like this:
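Added example, not from the original post: a check to run before (and again after) the two EXEC lines. The hash sp_add_trusted_assembly takes is SHA2_512 over the assembly bytes, and those bytes are stored in sys.assembly_files, so the OpsMgr DB itself can tell you which hashes to trust and whether each user assembly already appears in sys.trusted_assemblies. Assumes the SqlServer module (Invoke-Sqlcmd) and sysadmin on the instance; the instance name in the usage line is a placeholder.

```powershell
# Added example, not from the original post.
$AssemblyTrustQuery = @"
SELECT a.name AS AssemblyName,
       a.permission_set_desc AS PermissionSet,
       CONVERT(varchar(130), HASHBYTES('SHA2_512', af.content), 1) AS Sha512,
       CASE WHEN ta.hash IS NULL THEN 0 ELSE 1 END AS IsTrusted
FROM sys.assemblies a
JOIN sys.assembly_files af
  ON af.assembly_id = a.assembly_id AND af.file_id = 1
LEFT JOIN sys.trusted_assemblies ta
  ON ta.hash = HASHBYTES('SHA2_512', af.content)
WHERE a.is_user_defined = 1
"@

function Test-OpsMgrClrTrust {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [string] $Database = 'OperationsManager'
    )
    # 'clr enabled' (what the sp_configure call above sets) must show 1 in value_in_use
    $clr = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
        -Query "SELECT value_in_use FROM sys.configurations WHERE name = 'clr enabled'"
    $rows      = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $AssemblyTrustQuery)
    $untrusted = @($rows | Where-Object { $_.IsTrusted -eq 0 })

    [pscustomobject]@{
        ClrEnabled = ([int] $clr.value_in_use -eq 1)
        Assemblies = $rows | Select-Object AssemblyName, PermissionSet, IsTrusted
        Untrusted  = @($untrusted | ForEach-Object { $_.AssemblyName })
        # Same shape as the two EXEC lines above, but with hashes computed from the
        # assemblies actually stored in this OpsMgr DB rather than copied from a post
        AddTrusted = @($untrusted | ForEach-Object {
            "EXEC sp_add_trusted_assembly $($_.Sha512), N'$($_.AssemblyName)';"
        })
    }
}

# Usage: review the output, run the generated EXEC lines in SSMS, run this again and
# expect Untrusted to be empty before restarting the SCOM services.
Test-OpsMgrClrTrust -ServerInstance 'SQL01\OPSMGR'
```

If the hash the query computes for microsoft.enterprisemanagement.sql.userdefineddatatype does not match the one you were about to paste, trust the computed one: it is the assembly the Data Access service will actually ask SQL to load.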
At this point, re-start the SCOM services System Center Data Access, and System Center Management Configuration, on all management servers, and re-launch the SCOM admin console to make sure everything is working properly.
From PowerShell (as Admin)
restart-service healthservice; restart-service omsdk; restart-service cshost
Leverage Invoke-Command
# Invoke-Command syntax if PowerShell remoting is enabled
#
# Run on multiple servers
# From PowerShell on SCOM Mgmt server, where you have same credential/access
# Example 1
# Restart all three SCOM services on management servers, then show their state
"server1","server2" | % { invoke-command $_ -scriptblock { $env:ComputerName; restart-service healthservice; restart-service omsdk; restart-service cshost; get-service healthservice; get-service omsdk; get-service cshost } }
# Example 2
# Restart healthservice on MS/Agent (agents only run healthservice, so omsdk and cshost are left out)
"server1","server2" | % { invoke-command $_ -scriptblock { $env:ComputerName; restart-service healthservice; get-service healthservice } }

Updated 25 Feb 2023
Ever wish alerts were like a wad of cash?
The more you solve, the more you make!
How about performance counter data?
The SQL management packs are awesome for visualizations, and provide a bunch of data.
Tim McFadden pointed out SQL Performance counters https://www.scom2k7.com/crazy-db-performance-collection-rules-in-the-sql-mps/
His blog brings up SQL MP Disk Latency performance counters.
His blog got me thinking about SQL DB and DB file design: where multiple DB files are on the same drive, it causes duplicate performance counters (SCOM workflows) on the agent, which will typically be one of the culprits for HealthService restarts.
SQL MP creates performance counters (per DB file, group, instance, engine)
Start in the SCOM console
Click on the Reporting Tab
Click on the ‘System Center Core Monitoring Reports’ folder
Double click on the Data Volume by Management Pack

Select the timeframe (from, to)
Click Run

Reporting Data
I have 2 2016 DB’s and 1 2014 (SCVMM) database server monitored, and it’s 50% of my data volume!

Another example – had the DW shutdown for days

Did you know there are 60+ perf counter rules in 2012 alone, and nearly 200 in 2016?
How about an OFF pack, a management pack that turns off all the performance counter rules?
The monitors still exist for health, just no pretty performance graph, should you look.
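Added example, not from the original post or the OFF pack: count the performance collection rules in the imported SQL Server management packs (the 60+ and nearly 200 figures above) and list which are enabled by default, so you can size the OFF pack against the Data Volume report before building it. Assumes the OperationsManager PowerShell module on a console or management server; the Microsoft.SQLServer.* name prefix and the CSV path are assumptions.

```powershell
# Added example, not from the original post.
function Get-SqlPerfCollectionRules {
    param([string] $MpNameLike = 'Microsoft.SQLServer.*')   # assumption on MP naming
    $classCache = @{}
    $mps = Get-SCOMManagementPack | Where-Object { $_.Name -like $MpNameLike }
    foreach ($mp in $mps) {
        $rules = Get-SCOMRule -ManagementPack $mp | Where-Object { $_.Category -eq 'PerformanceCollection' }
        foreach ($rule in $rules) {
            $targetId = $rule.Target.Id
            if (-not $classCache.ContainsKey($targetId)) {
                $classCache[$targetId] = (Get-SCOMClass -Id $targetId).DisplayName
            }
            [pscustomobject]@{
                ManagementPack   = $mp.Name
                Rule             = $rule.Name
                DisplayName      = $rule.DisplayName
                Target           = $classCache[$targetId]
                # MP Enabled values are true / false / onEssentialMonitoring ...; anything but false collects
                EnabledByDefault = ($rule.Enabled -ne 'false')
            }
        }
    }
}

# Per-pack counts to set beside the "60+ / nearly 200" figures and the Data Volume report
function Get-SqlPerfRuleSummary {
    $all = @(Get-SqlPerfCollectionRules)
    $all | Group-Object ManagementPack | ForEach-Object {
        [pscustomobject]@{
            ManagementPack = $_.Name
            PerfRules      = $_.Count
            EnabledRules   = @($_.Group | Where-Object { $_.EnabledByDefault }).Count
        }
    } | Sort-Object PerfRules -Descending
}

# Usage: the CSV is the candidate list for the OFF pack, one override per rule name
Get-SqlPerfRuleSummary | Format-Table -AutoSize
Get-SqlPerfCollectionRules | Where-Object { $_.EnabledByDefault } |
    Export-Csv -Path 'D:\MonAdmin\SQLPerfRules.csv' -NoTypeInformation   # constructed path
```

The Target column is the part worth reading before disabling anything: a rule targeted at the DB file class is the one that multiplies per file on the same drive, which is where the duplicate-workflow HealthService restarts above come from.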
Github repo link
Check out the Gallery post for download
Zip file contains