Proactive Security bundle to help with three (3) various DC authentication event sets encompassing Kerberos, NetLogon, and DCOM. These events were enabled as part of the server cumulative patches. The management packs run workflows on the servers, then combine into a daily alert report of the unique event description details.
Save the files from GitHub to your local SCOM MS and import.
Proactive Security bundle components
Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event ID’s 10036,7,8 in Security EventLog. Pull from DC and run SCOM alert report, as well as on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation. I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication. Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)
If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478
Configure delegation on SCOM and/or PowerBI servers
Take the list of affected servers, to take action. Use the steps below to configure relevant SCOM or PowerBI servers.
Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.
From ADUC > change ‘Find’ drop-down to Computers
In the Computer name text box, enter <SCOMWebConsoleServerName> and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <SCOMWebConsoleServerName>, and then select OK.
Click the Add button to add services
Select the w3svc and www processes
Select OK.
ADUC SCOM Lab server choosing process
Verification of delegation settings
Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.
PowerBI Report Server
With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in. NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)
In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search
Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>, select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter the service account for the data source, and then select OK.
Select the SPN that you created for <PowerBI Report Server Name>
Select both as FQDN and the NetBIOS names are in the SPN
Select OK.
Back to ADUC (AD Users and Computers), change Find drop-down to Computers
Enter <PowerBI Report Server Name>, and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <Example can be SCOMDataAccessReader Account>, and then select OK.
Makes me think of the scene from Airplane with the AutoPilot blow-up, similarly parallel to engineer experiences talking about the SCOM Web Console configuration. I’m ready to dispel some myths to document securing the ‘SCOM Web Console for authentication’
Quick outline
Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’
Setup ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods. I’ve setup the web console role with defaults, then come back later. Holman’s quick start lets you complete the role with default HTTP setup. After that, we add an SSL cert for HTTPS. Thirdly, employ aliases, or F5 load balancers to simplify user experience accessing the console. Fourth, setup SmartCards to help secure, also Kerberos authentication/delegation.
Part 1 – Start with the SSL certificate for https
Setup the ‘SCOM WebConsole settings for authentication’, beginning with a SSL certificate request for the server(s) in question. Add any SAN names/aliases you want (if not load balanced).
NOTE:
Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization. Generally, external certificates require manual effort executing the certreq script.
Sample SSL certificate
Less typing means less typos
Below SSL certificate example with any SAN names/aliases (if not load balanced). Simplify the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager
Part 2 – Add authentication Smart Card in IIS
Next! – I will set up SmartCard role in ‘SCOM WebConsole settings for authentication’. Additionally, review the Learn.microsoft.com site for IIS here.
Compatibility
Version
Notes
IIS 10.0
The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5
The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0
The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5
The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0
The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0
The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.
Add the Client Certificate feature for the SCOM Web Console
Let’s add SmartCard authentication capability.
Open Server manager >
Click on Manage > Add roles/features (top right)
Click Next twice to get to the Server Roles
Server Manager > Server Roles tab output
Expand Web Server drop down
SCOM Web Console Authentication installing Client Certificate Mapping role
Click the box to check ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice (2) [ two times ]
Expand Server Manager > Web Server > Client Certificate Mapping Authentication
Click Install (mine is greyed out as it’s enabled)
Allow install to complete, server will prompt if reboot required.
NOTE: Either way, reboot is required to apply new authentication method.
Validate IISManager after reboot
Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.
After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.
From IISManager > Server > Authentication > Verify method is there and enabled
Verify Default Web Site Authentication setup
Verify Default Web site has Windows Authentication enabled.
Navigation steps:
IIS Manager > Expand Sites > Default Web Site > Authentication
Windows Authentication should be enabled, others disabled
Sometimes as the monitoring admin, you may be responsible to secure your servers, being told from Security/Cyber Teams about new vulnerabilities. The vulnerabilities may be from Tanium, ACAS, Tenable or other security tools. This article is how to help you secure related SCOM web console, and SSRS reporting sites against Unconstrained Delegation vulnerabilities CVE-2020-17049, also AD STIG V-36435.
First we need to identify IF this is a true finding.
Typically this comes from Server/SystemsAdmin with domain admin access:
After identifying SCOM servers with unconstrained delegation (scope of blog post is focused on SCOM in a hybrid scenario (prem/cloud), we need to resolve.
With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.
In ADUC, change Find drop-down to Computers
In the Computer name text box, enter <SCOMServer> and click search
Right click the server in the results box > Select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only > Use any authentication protocol.
Under Services to which this account can present delegated credentials, select Add.
In the new dialog box, select Users or Computers.
Enter <SCOMServer>, and then select OK.
Click the Add button to add services
Select the w3svc and www processes
Select OK.
Once set in AD, reboot server. Running ‘gpupdate /force’ may not apply AD changes to the server object.
After reboot, reach out to SCOM Admins to test webconsole authentication
From edge browser, go to SCOM web console, typically @ https://<SCOMServer>/OperationsManager
On the Monitoring tab, click on Active Directory dashboard on left
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.