Proactive Security bundle

DC Security bundle pack is much like the various universe/multiverse sci fi storylines.
DC Security bundle pack is much like the various universe/multiverse sci fi storylines.

Proactive Security bundle to help with three (3) various DC authentication event sets encompassing Kerberos, NetLogon, and DCOM.  These events were enabled as part of the server cumulative patches.  The management packs run workflows on the servers, then combine into a daily alert report of the unique event description details.

 

 

Quick Download HTTPS://GITHUB.COM/THEKEVINJUSTIN/DCAUTHALERTS

 

Save the files from GitHub to your local SCOM MS and import.

 

Proactive Security bundle components

Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No

Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No

Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event ID’s 10036,7,8 in Security EventLog. Pull from DC and run SCOM alert report, as well as on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No

SCOM WebConsole settings for Kerberos AD Delegation

Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication
I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication

 

Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation.  I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication.  Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)

 

 

If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478

 

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

 

 

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

 

 

 

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

ADUC SCOM account examples
ADUC SCOM account examples

 

 

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter

“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

 

 

 

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action.  Use the steps below to configure relevant SCOM or PowerBI servers.

 

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

 

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName>  and  click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process

ADUC SCOM Lab server choosing process

 

 

Verification of delegation settings

ADUC Delegation flags with SCOM MS processes selected.
ADUC Delegation flags with SCOM MS processes selected.

 

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

 

 

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in.  NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>,  select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both as FQDN and the NetBIOS names are in the SPN

Select OK.

 

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

ADUC Delegation Add Services > HTTP, WWW

Select OK.

ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)
ADUC Delegation Settings for http for PowerBI Report Server (PBIRS)

SCOM WebConsole settings for authentication

Auto Pilot for SCOM web console
Airplane movie – AutoPilot with SCOM Web Console settings

 

Makes me think of the scene from Airplane with the AutoPilot blow-up, similarly parallel to engineer experiences talking about the SCOM Web Console configuration.  I’m ready to dispel some myths to document securing the ‘SCOM Web Console for authentication’

 

 

Quick outline

Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’

Configuring SSL certs and Smart Cards (this post)

Configuring Kerberos and AD delegation (next post)

Verifying WebConsole functionality blog posts – ReDirect, Authentication, SSL and Bindings

Mitigating SCOM vulnerabilities – Java, HSTS, ODBC

 

 

Knowledge Articles

How to Install Web Console from learn.microsoft.com for SCOM 2019, 2022

Holman’s SCOM quick start install guides for SCOM 2019, 2022

IIS Manager Authentication from learn.microsoft.com

 

 

Configuring SSL Certs and Smart Cards

Setup ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods.  I’ve setup the web console role with defaults, then come back later.  Holman’s quick start lets you complete the role with default HTTP setup.  After that, we add an SSL cert for HTTPS.  Thirdly, employ aliases, or F5 load balancers to simplify user experience accessing the console.  Fourth, setup SmartCards to help secure, also Kerberos authentication/delegation. 

 

 

Part 1 – Start with the SSL certificate for https

Setup the ‘SCOM WebConsole settings for authentication’, beginning with a SSL certificate request for the server(s) in question.  Add any SAN names/aliases you want (if not load balanced).

 

NOTE:

Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization.  Generally, external certificates require manual effort executing the certreq script.

 

Sample SSL certificate

SCOM Web Console SSL Cert details
SCOM Web Console SSL Cert details

 

Less typing means less typos

Below SSL certificate example with any SAN names/aliases (if not load balanced).  Simplify the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager

 

IIS manager server certificates with SAN DNSName aliases included.
IIS manager server certificates with SAN DNSName aliases included.

 

 

Part 2 – Add authentication Smart Card in IIS

Next! – I will set up SmartCard role in ‘SCOM WebConsole settings for authentication’.  Additionally, review the Learn.microsoft.com site for IIS here.

Compatibility

VersionNotes
IIS 10.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.

 

 

Add the Client Certificate feature for the SCOM Web Console

Let’s add SmartCard authentication capability.

 

Open Server manager >

Open Server manager
Open Server manager

 

Click on Manage > Add roles/features (top right)

Scroll to the top right, and click on Manage, then 'Add Roles or features'
Scroll to the top right, and click on Manage, then ‘Add Roles or features’

 

Click Next twice to get to the Server Roles

 

Server Manager > Server Roles tab output

Server Manager > Server Roles
Server Manager > Server Roles

 

 

Expand Web Server drop down

SCOM Web Console Authentication installing Client Certificate Mapping role

Click the box to check ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice (2) [ two times ]

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Click Install (mine is greyed out as it’s enabled)

Server Manager Features Install
Server Manager Features Install

 

Allow install to complete, server will prompt if reboot required.

NOTE: Either way, reboot is required to apply new authentication method.

 

Validate IISManager after reboot

Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.

 

From IISManager > Server > Authentication > Verify method is there and enabled

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

Verify Default Web Site Authentication setup

Verify Default Web site has Windows Authentication enabled.

 

Navigation steps:

IIS Manager > Expand Sites > Default Web Site > Authentication

Windows Authentication should be enabled, others disabled

Default Web Site Authentication showing Windows Authentication ONLY enabled
Default Web Site Authentication showing Windows Authentication ONLY enabled

Check your delegation settings

 

Sometimes as the monitoring admin, you may be responsible to secure your servers, being told from Security/Cyber Teams about new vulnerabilities.  The vulnerabilities may be from Tanium, ACAS, Tenable or other security tools.   This article is how to help you secure related SCOM web console, and SSRS reporting sites against Unconstrained Delegation vulnerabilities CVE-2020-17049, also AD STIG V-36435.

 

First we need to identify IF this is a true finding.

Typically this comes from Server/SystemsAdmin with domain admin access:

From PowerShell run:

Get-ADComputer -LDAPFilter
“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

After identifying SCOM servers with unconstrained delegation (scope of blog post is focused on SCOM in a hybrid scenario (prem/cloud), we need to resolve.

With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.

In ADUC, change Find drop-down to Computers
In the Computer name text box, enter <SCOMServer>  and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

ADUC view of lab server delegation setting

 

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMServer>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC GUI adding services for delegation on SCOM server

Once set in AD, reboot server.  Running ‘gpupdate /force’ may not apply AD changes to the server object.

After reboot, reach out to SCOM Admins to test webconsole authentication

From edge browser, go to SCOM web console, typically @ https://<SCOMServer>/OperationsManager

On the Monitoring tab, click on Active Directory dashboard on left

Verify authentication works

 

Documentation

Pentestlab – Detecting Unconstrained Delegation Exposures in AD Environment

Petri.com find and block unconstrained delegation

Learn.Microsoft.com unconstrained kerberos article

Explanatory documents on what/why

Remove Unconstrained Kerberos Delegation