‘IIS addendum packs’ to tune IIS from 2012 forward. The GitHub repository has two packs: 2012 and 2016+ (a version-agnostic pack). These include an IIS enabled group, a daily report and cleanup DataSource and WriteAction (tasks), and a regular expression to set up the IIS enabled group. The IIS enabled group turns on IIS monitoring only for the servers where IIS monitoring is needed.
Customize for environment
Update the addendums to the server naming conventions for which IIS monitoring should be enabled. Read below to better understand the addendum functionality.
First, the addendums include a class/group, datasource and write action alert reports and automated alert closure workflows, as well as event count logic/reset monitorType.
Second, for the group discovery, find/replace the pattern with your application/web server naming conventions where IIS monitoring IS wanted.
Third, the version-agnostic pack has overrides to disable most perf and rule alerts. OFF packs can be provided to turn off performance counter collection rules, keeping both the OperationsManager and OperationsManagerDW databases cleaner, and therefore faster with less data.
IIS2012 overrides
Lastly, once the addendum is updated, save the file, move it to the SCOM MS, and import.
Enjoy the ‘IIS addendum packs’ for how few alerts, perhaps life changing?! (sarcasm)
What does your mind link to with the FIPS acronym? FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler; all of that has ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’.
The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’ is obtaining the files. The bundled SCOM ISOs since 2012 SP1 do NOT contain the gacutil and cryptography DLL files needed to resolve STIG V-220942 (Win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022). As much as we want to resolve ‘STIGs for SCOM FIPS compliance for Windows Server’, we gotta start by finding the relevant files. My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj for their involvement and clarification.
Install DLL for STIGs for SCOM FIPS compliance on Windows
Time to mitigate!
Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) to resolve multiple ‘STIGs for SCOM FIPS compliance for Windows Server’. This blog post applies to multiple STIGs, including V-220942, V-226335, V-73701, V-93511 and V-254480.
Download files
Get the files either from the blog download link, from the old ISOs (for the DLL) plus the server ISO (for gacutil), or from the my.visualstudio.com link.
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
If you downloaded from my.visualstudio.com, extract from ISO.
Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.
Download the DLL to the SCOM default folder –
Best practice is SCOM Default folder on non-system disk @
Much like the character from Seinfeld, finding out that ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG compliant (STIG’d) is just as traumatic as being hungry and told ‘No soup for you!’ With all the many STIG findings, here’s a quick and dirty way to resolve this one.
Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022
V-237434 SCOM Web Console SSL Settings
STIG V-237434 requires trusted CA SSL certificates. The previous July blog posts are related to the effort to secure the SCOM web console; the redirect post forces HTTPS, complementing this STIG finding. As the STIG states, remediation is verifying that the IIS web site binding is HTTPS and removing HTTP.
Remediate SCOM servers with Web Console role
Assumption: SmartCards are used for authentication. If so, this part applies; otherwise skip it.
RDP to server, connect to IISManager
Expand IIS Server > Expand Sites > Expand Default Web Site
IIS Manager Default Web Site menu
Click on SSL Settings
If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate. Once complete, proceed below.
Click on SSL Settings > Check box to ‘Require SSL’
If menu is NOT greyed out, click radio button to ‘Accept’ client certificates
Click Apply
IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings
Click on Default Website on left hand pane
In the Actions Pane (right hand side), click on Restart to restart the IIS website
Restart IIS website from IIS manager actions pane
IIS Website bindings
The next piece is to verify the SSL HTTPS binding is set up correctly, in case you got disconnected or rebooted the server.
RDP to server, connect to IISManager
Expand IIS Server > Expand Sites > Expand Default Web Site
In the Actions pane on the top right, click on Bindings
IISManager, Default Web Site, Actions Pane, Bindings to set up HTTPS and remove HTTP
Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)
Default website, Bindings selection showing HTTP if following SCOM quick start
If HTTP ONLY, click the Add button
Change dropdown for Type to https
Enter Host Name
Click Select to choose the SSL cert
Click OK
Adding HTTPS Binding with server name, SSL cert drop down and selected
Verify SSL certificate added
IIS HTTPS Bindings with SSL cert
If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!
Authentication Authentication Authentication! SCOM Web Console authentication settings
SCOM Web Console authentication settings discussion! Let’s go through standard IIS authentication settings like disabling Anonymous Authentication, enabling Windows Authentication and AD Client Certificate Authentication, and ordering the binding providers (Negotiate before NTLM). Ready to begin?! A shout out to Alden Hatten: working through this while resetting the Web Console recently brought up the urgency to document it.
Kevin Holman’s SCOM QuickStart guides for SCOM 2019, 2022 (Including WebConsole default setup steps)
SCOM Web Console Authentication settings defaults
RDP to server with SA or Local admin level account
Go into IISManager > Expand the tree to then click on ‘Default Web Site’
Click on Authentication
IIS Manager output for ‘Default Web Site’
IISManager Default Authentication settings
SmartCard aka AD Client Certificate Authentication defaults
In IIS Manager for the server > Click on Authentication
Verify AD Client Certificate Authentication is added and enabled.
IIS Manager Authentication, with SmartCard or Client Certificate Authentication
Windows Authentication
Set Authentication Providers order
From IIS Manager > Expand Default Web Site
Click on Authentication > Click on Providers at the top right
If Negotiate is not on top, highlight it and click the Move Up button > Click OK to set. Restart IIS to make the setting take effect (or use iisreset from a command prompt or PowerShell).
NOTE: Anonymous Authentication should be disabled!
IIS Manager Authentication, Windows Authentication, Providers, Negotiate on top
If screenshot is your setup, close the Providers window
After reviewing these authentication settings, you should be one step closer to encrypted authentication.
Use this post when the SCOM WebConsole gets flagged for HTTP Redirect. The IIS configuration is pretty easy to set up. When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding. Use the Microsoft learn site for more details.
Add HTTP Redirect role from Server Manager
Time to Configure ‘SCOM WebConsole HTTP Redirect’
RDP to server, open Server Manager
Click on Manage on top right
Click Next on the ‘before you begin popup’
Server Manager splash screen
Click Next
Server Manager Role Installation Type popup wizard
Click Next
Server Manager Destination Manager screen
Expand the ‘Web Server’ drop down menu
Server Manager Roles
Expand Web Server drop down menu
Expand Common HTTP Features
Check box for HTTP Redirection
Server Manager Roles expanding Web Server for HTTP Redirect
Click Next
Server Manager HTTP Redirection check box selected
Click Next at the Features tab
Server Manager Features window
Click Install to install the feature
NOTE the checkbox ‘Restart if required’ is NOT selected
Most change processes don’t allow this on the fly (unplanned outage)
Server Manager Selections window
Wait while the feature(s) install
Click Close once complete
Server Manager feature install in progress
Setup Redirection in IIS Manager
Open IISManager
NOTE: If IISManager was open before the feature install was closed, exit and open IISManager again. Refreshing IISManager does NOT make HTTP Redirect reappear (even after restarting the IIS service).
Click on your webServer > Double click on HTTP Redirect
IIS Manager with HTTP Redirect
IISManager HTTP Redirect Default splash screen
Check the ‘Redirect requests to this destination:’ check box
Enter the WebConsole URL for your installation.
NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager
Check the two (2) boxes for Redirect behaviors
IISManager HTTP Redirect configuration screen
Click Apply
Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.
Verify HTTP Redirect after reboot
After reboot, verify current settings (shown are default)
Click on ‘Default WebSite’ dropdown > Select HTTP Redirect
I liken Kerberos AD delegation to how the Navajo and Comanche helped the Allies in WW2: encrypted and encoded communication
Next on the list is to set up SCOM WebConsole settings for Kerberos AD Delegation. I liken Kerberos AD delegation to how the Navajo and Comanche helped the Allies in WW2: encrypted and encoded communication. Time to make the donuts! (i.e. set up SCOM WebConsole settings for Kerberos AD Delegation)
If delegation is set up improperly, you’ll flag on STIG findings V-243470 and V-243478.
Configure delegation on SCOM and/or PowerBI servers
Take the list of affected servers and act on it. Use the steps below to configure the relevant SCOM or PowerBI servers.
Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.
From ADUC > change ‘Find’ drop-down to Computers
In the Computer name text box, enter <SCOMWebConsoleServerName> and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <SCOMWebConsoleServerName>, and then select OK.
Click the Add button to add services
Select the w3svc and www processes
Select OK.
ADUC SCOM Lab server choosing process
Verification of delegation settings
ADUC Delegation flags with SCOM MS processes selected.
Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.
PowerBI Report Server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers (ADUC) MMC snap-in. NOTE: RSAT tools are recommended on the SCOM Management Server(s).
In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search
Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>, select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter the service account for the data source, and then select OK.
Select the SPN that you created for <PowerBI Report Server Name>
Select both entries, since both the FQDN and the NetBIOS names are in the SPN.
Select OK.
Back to ADUC (AD Users and Computers), change Find drop-down to Computers
Enter <PowerBI Report Server Name>, and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <Example can be SCOMDataAccessReader Account>, and then select OK.
Click the Add button to add services
Select the HTTP process
ADUC Delegation Add Services > HTTP, WWW
Select OK.
ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)
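The ADUC steps above set attributes on the computer or service account object; as an added example (not the blog’s own script) the PowerShell below reads those attributes back and reports the delegation mode and targets, flagging unconstrained delegation, which the STIGs above do not permit. The account names are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the blog): report the AD delegation settings configured in the steps above.
# Requires the RSAT ActiveDirectory module. Identity names below are assumptions; pass your own.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)][string]$Identity,                       # computer name or service account
        [ValidateSet('Computer','User')][string]$Type = 'Computer'
    )
    $props = 'TrustedForDelegation','TrustedToAuthForDelegation','msDS-AllowedToDelegateTo','servicePrincipalName'
    $obj = if ($Type -eq 'Computer') { Get-ADComputer -Identity $Identity -Properties $props }
           else                      { Get-ADUser     -Identity $Identity -Properties $props }

    # Target SPNs from 'Services to which this account can present delegated credentials'
    $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Map the flags back to the ADUC Delegation tab radio buttons:
    #   TrustedForDelegation       -> 'Trust this computer for delegation to any service' (unconstrained)
    #   TrustedToAuthForDelegation -> 'specified services only' + 'Use any authentication protocol'
    #   targets only               -> 'specified services only' + 'Use Kerberos only'
    $mode = if ($obj.TrustedForDelegation)          { 'Unconstrained' }
            elseif ($obj.TrustedToAuthForDelegation) { 'Constrained (any protocol)' }
            elseif ($targets.Count -gt 0)            { 'Constrained (Kerberos only)' }
            else                                     { 'None' }

    [pscustomobject]@{
        Identity          = $obj.SamAccountName
        DelegationMode    = $mode
        DelegatesTo       = $targets
        # The steps above add only w3svc/www (web console) or HTTP (PBIRS) targets; flag anything broader
        OnlyExpectedSPNs  = ($targets.Count -gt 0) -and -not [bool]($targets | Where-Object { $_ -notmatch '^(w3svc|www|HTTP)/' })
        UnconstrainedRisk = [bool]$obj.TrustedForDelegation
    }
}

# Usage with assumed names: the web console server and the PowerBI data source service account
Get-DelegationReport -Identity 'SCOMWEB01' -Type Computer
Get-DelegationReport -Identity 'SCOMDataAccessReader' -Type User
```

A result of DelegationMode ‘Unconstrained’ or OnlyExpectedSPNs False is what a STIG reviewer will flag; the ADUC steps above are the fix.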
Airplane movie – AutoPilot with SCOM Web Console settings
Makes me think of the scene from Airplane with the AutoPilot blow-up, which parallels engineers’ experiences talking about the SCOM Web Console configuration. I’m ready to dispel some myths and document securing the ‘SCOM Web Console for authentication’.
Quick outline
Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’
Set up ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods. I’ve set up the web console role with defaults, then come back later. Holman’s quick start lets you complete the role with the default HTTP setup. After that, we add an SSL cert for HTTPS. Third, employ aliases or F5 load balancers to simplify the user experience accessing the console. Fourth, set up SmartCards to help secure it, along with Kerberos authentication/delegation.
Part 1 – Start with the SSL certificate for https
Set up the ‘SCOM WebConsole settings for authentication’, beginning with an SSL certificate request for the server(s) in question. Add any SAN names/aliases you want (if not load balanced).
NOTE:
Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization. Generally, external certificates require manual effort executing the certreq script.
Sample SSL certificate
SCOM Web Console SSL Cert details
Less typing means less typos
Below is an SSL certificate example with SAN names/aliases (if not load balanced). This simplifies the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager
IIS manager server certificates with SAN DNSName aliases included.
Part 2 – Add authentication Smart Card in IIS
Next! I will set up the SmartCard role in ‘SCOM WebConsole settings for authentication’. Additionally, review the learn.microsoft.com site for IIS here.
Compatibility (Version: Notes)
IIS 10.0: The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5: The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0: The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5: The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0: The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0: The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.
Add the Client Certificate feature for the SCOM Web Console
Let’s add SmartCard authentication capability.
Open Server manager >
Open Server manager
Click on Manage > Add roles/features (top right)
Scroll to the top right, and click on Manage, then ‘Add Roles or features’
Click Next twice to get to the Server Roles
Server Manager > Server Roles tab output
Server Manager > Server Roles
Expand Web Server drop down
SCOM Web Console Authentication installing Client Certificate Mapping role
Click the box to check ‘Client Certificate Mapping Authentication’ (it shows ‘Installed’ if already present) and click Next twice.
Expand Server Manager > Web Server > Client Certificate Mapping Authentication
Click Install (mine is greyed out as it’s enabled)
Server Manager Features Install
Allow install to complete, server will prompt if reboot required.
NOTE: Either way, reboot is required to apply new authentication method.
Validate IISManager after reboot
Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.
IIS Authentication with Client Certificate Authentication (after role installed)
After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.
From IISManager > Server > Authentication > Verify method is there and enabled
Verify Default Web Site Authentication setup
Verify Default Web site has Windows Authentication enabled.
Navigation steps:
IIS Manager > Expand Sites > Default Web Site > Authentication
Windows Authentication should be enabled, others disabled
Default Web Site Authentication showing Windows Authentication ONLY enabled
IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console
This article will help resolve HSTS vulnerability CVEs on IIS 10. The steps apply to Windows Server 2016+ and help resolve multiple vulnerabilities, including CVE-2023-23915, CVE-2023-23914 and CVE-2017-7789. There are a few ways to configure IIS; this blog post shows how to set up the HTTP response header and HTTP redirect for the SCOM web console role servers.
Setting HSTS on IIS10 to resolve with Server2016 1609
Open a PowerShell window as Admin:
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name
Example aim for latest directory
NOTE bottom entry based on software versioning
Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name
Name
----
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1
# AppCMD lines (straight quotes; run from the directory found above)
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.enabled:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.max-age:31536000" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.includeSubDomains:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.redirectHttpToHttps:True" /commit:apphost
For Server2016 1709 and greater
To add the HSTS Header, follow the steps below:
Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or directly in web.config as below under system.webServer:
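The IIS Manager steps on this page (HTTPS binding and Require SSL for V-237434, the authentication and provider settings, the HTTP Redirect for VulnID 121040, and the HSTS header above) can be verified in one pass. This is an added example, not the blog’s or Microsoft’s code; the site name ‘Default Web Site’ and the /OperationsManager path are assumptions.

```powershell
# Added example (not from the blog): read-only check of the SCOM web console IIS settings this
# page configures by hand. Run in an elevated PowerShell on the web console server; the
# WebAdministration module ships with the IIS role. Site name and URL path are assumptions.
Import-Module WebAdministration

$Site     = 'Default Web Site'            # assumed: the blog uses the default site
$SitePath = "IIS:\Sites\$Site"
$Results  = [ordered]@{}

function Get-SiteProp([string]$Filter, [string]$Name) {
    # Read one effective IIS configuration attribute for the site
    (Get-WebConfigurationProperty -Filter $Filter -Name $Name -PSPath $SitePath).Value
}

# V-237434: HTTPS binding present, HTTP binding removed, 'Require SSL' on, client certs accepted
$bindings = Get-WebBinding -Name $Site
$Results['HTTPS binding present']   = [bool]($bindings | Where-Object protocol -eq 'https')
$Results['HTTP binding removed']    = -not [bool]($bindings | Where-Object protocol -eq 'http')
$sslFlags = [string](Get-SiteProp 'system.webServer/security/access' 'sslFlags')
$Results['Require SSL']             = ($sslFlags -match '\bSsl\b')
$Results['Accept client certs']     = ($sslFlags -match 'SslNegotiateCert')

# Authentication: Anonymous off, Windows on, AD Client Certificate (smart card) on
$auth = 'system.webServer/security/authentication'
$Results['Anonymous auth disabled'] = -not [bool](Get-SiteProp "$auth/anonymousAuthentication" 'enabled')
$Results['Windows auth enabled']    = [bool](Get-SiteProp "$auth/windowsAuthentication" 'enabled')
$Results['AD client cert auth on']  = [bool](Get-SiteProp "$auth/clientCertificateMappingAuthentication" 'enabled')

# Providers: Negotiate (Kerberos) must be first so NTLM is only a fallback
$providers = @((Get-WebConfiguration -Filter "$auth/windowsAuthentication/providers/add" -PSPath $SitePath).value)
$Results['Negotiate before NTLM']   = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')

# VulnID 121040: HTTP Redirect, set at the server level as in the post, pointing at the web console
$redirect = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath 'IIS:\'
$Results['HTTP redirect enabled']   = [bool]$redirect.enabled
$Results['Redirect to web console'] = ([string]$redirect.destination -like '*/OperationsManager*')

# HSTS: Strict-Transport-Security response header with a max-age of at least one year
$hsts = Get-WebConfiguration -Filter 'system.webServer/httpProtocol/customHeaders/add' -PSPath $SitePath |
        Where-Object name -eq 'Strict-Transport-Security'
$Results['HSTS header present']     = [bool]$hsts
$Results['HSTS max-age >= 1 year']  = [bool]($hsts -and ([string]$hsts.value -match 'max-age=(\d+)') -and ([int]$Matches[1] -ge 31536000))

# Print a PASS/FAIL line per check; each FAIL maps back to a step on this page
foreach ($check in $Results.GetEnumerator()) {
    '{0,-28} {1}' -f $check.Key, $(if ($check.Value) { 'PASS' } else { 'FAIL' })
}
```

If HSTS was set with the native appcmd lines above rather than a custom header, the last two checks will report FAIL even though the header is sent; confirm with a browser or Invoke-WebRequest against the HTTPS URL in that case.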