V-237434 SCOM Web Console SSL Settings

No Soup for you! You have STIG findings :-( — No Soup for you! You have STIG findings 🙁

Much like the character from Seinfeld, finding out that the ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG Compliant (STIG’d), is just as tramatic as being hungry, and told ‘No soup for you!” With all the many STIG findings, here’s a quick and dirty way to resolve the finding.

Vendor documentation

STIG V-237434

SCOM Web Console Authentication on learn.microsoft.com

Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022

V-237434 SCOM Web Console SSL Settings

STIG V-237434 requires trusted CA SSL certificates. Previous July blog posts are related to the effort to secure the SCOM web console. The redirect post forces HTTPS, complimenting this STIG finding. As the STIG states, remediation verification that IIS web site binding is HTTPS, and remove HTTP.

Remediate SCOM servers with Web Console role

Assumption = SmartCards are used for authentication, this part is applicable, otherwise skip.

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

Click on SSL Settings

If the menu is greyed out, follow the SCOM WebConsole settings blog to setup the SSL certificate. Once complete, proceed below.

Click on SSL Settings > Check box to ‘Require SSL’

If menu is NOT greyed out, click radio button to ‘Accept’ client certificates

Click Apply

IIS Manager, Default Web Site, SSL Settings default when NOT running SSL certificate and bindings

Click on Default Website on left hand pane

In the Actions Pane (right hand side), click on Restart to restart the IIS website

Restart IIS website from IIS manager actions pane

IIS Website bindings

Next pieces is to verify the SSL HTTPS binding is setup correctly. In case you got disconnected, or rebooted the server

RDP to server, connect to IISManager

Expand IIS Server > Expand Sites > Expand Default Web Site

In the Actions pane on the top right, click on Bindings

IISManager, Default Web Site, Actions Pane, Bindings to setup HTTPS and remove HTTPS

Kevin Holman’s QuickStart blog(s) for SCOM 2019, SCOM2022 setup default HTTP binding (i.e. NO SSL cert configured)

Default website, Bindings selection showing HTTP if SCOM quick start followed — Default website, Bindings selection showing HTTP if following SCOM quick start

If HTTP ONLY, click the Add button

Change dropdown for Type to https

Enter Host Name

Click Select to choose the SSL cert

Click OK

Adding HTTPS Binding with server name, SSL cert drop down and selected

Verify SSL certificate added

If you have the binding above, change your STIG CKL finding and document as NOT a finding, for V-237434 SCOM Web Console SSL Settings!

Have fun

Resolve HSTS vulnerability CVEs on IIS10

IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console

This article will help resolve security HSTS vulnerability CVEs on IIS10. The steps apply to Windows Server 2016+, to help resolve multiple vulnerabilities, including CVE-2023-23915 CVE-2023-23914 CVE-2017-7789. There are a few ways to configure IIS, and the blog post will show how to set up HTTP response, and HTTP redirect for the SCOM web console role’d server(s).

Setting HSTS on IIS10 to resolve with Server2016 1609

Open PowerShell window as Admin
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name

Example aim for latest directory
NOTE bottom entry based on software versioning

Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name

Name
—-
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1

# AppCMD lines
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.enabled:True” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.max-age:31536000” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.includeSubDomains:True” /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites “/[name=’Default Web Site’].hsts.redirectHttpToHttps:True” /commit:apphost

For Server2016 1709 and greater

To add the HSTS Header, follow the steps below:

Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or directly in web.config as below under system.webServer:

NOTE iisreset may be required to restart IIS and apply settings

Verify HTTP Response Headers

From IIS10 (IIS Manager) > click on ‘Default Web Site’ > HTTP Response Headers

Verify Strict-Transport-Security blurb matches

HSTS IIS10 HTTP Response Headers screenshot verifying settings applied

Set HTTP Redirect

Now to set the HTTP redirect, to prevent denial of service (DoS) attacks.

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > HTTP Redirect

Screenshot

Default Web Site HTTP Redirect to SCOM web console URL

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > go through each Application to set HTTP redirect

Screenshot

Set HSTS HTTP Redirect on other web applications

Test your web console URL to verify components

References

NIST CVE-2023-23915 CVE-2023-23914

Mitre CVE-2017-7789

Blog link https://inthetechpit.com/2019/07/17/add-strict-transport-security-hsts-response-header-to-iis-hosted-site/

SCOM 2016 web console hot fix released

Burglar stealing a monitor — Security hotfix for SCOM 2016 web console released before your information is stolen

SCOM 2016 web console hot fix

Security teams may be contacting you for CVE-2020-1331 vulnerability on the 2016 web console. In my example, the Tenable scanner listed ALL SCOM management group servers – under SCOM2016/2019).

NOTE KB does not install on server, so does not show up under ‘Installed Updates’

Background

HotFix DLL comes with a readme to replace the DLL for the SCOM 2016 WebConsole role

If you don’t already know this, the roles each get their own directory on your SCOM server

Security scanners run scripts to help validate if system is vulnerable. It is possible that the scanner is just looking for some string for the install of SCOM, NOT the actual role that is vulnerable.

SCOM 2016 typically installs @ (‘\Program Files\Microsoft System Center 2016’)

SCOM 2019 typically installs @ (‘\Program Files\Microsoft System Center’)

Identify SCOM roles

Open PowerShell window to identify roles

cd “D:\Program Files\Microsoft System Center 2016\Operations Manager”

Resolve Web Console vulnerability

High level steps

Download the KB here

Execute KB

Copy dll and readme file

Backup DLL and replace

Reboot server

Contact Security Team to re-scan server

Mitigate vulnerability

Download the KB here

Extract downloaded the KB

Click Run to extract, and list extraction path

Copy Windows Explorer Path you want to extract to, and paste in the path

Example

S:\MonAdmin\MSDN images\SCOM\2016\WebConsole HotFix

Enter path to extract Hot Fix — Extract Hot Fix

Copy current DLL & replace with hotfix DLL

Open PowerShell window (as admin)

# Backup DLL

# Change Drive letter if you hopefully installed SCOM on D: drive (non-system drive)

copy “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView\bin\Microsoft.EnterpriseManagement.OperationsManager.MonitoringViews.dll” “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView\bin\Microsoft.EnterpriseManagement.OperationsManager.MonitoringViews-old.dll”

# Replace DLL

copy “C:\MonAdmin\Microsoft*.dll” “C:\Program Files\Microsoft System Center 2016\Operations Mana
ger\WebConsole\MonitoringView\bin”

# Verify

cd “D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView \bin”

gci Microsoft.EnterpriseManagement.Operations*.dll

Sample screenshot from Windows Explorer view of Bin directory for replaced DLL – Same size, only timestamp changes July Page 4

Windows Explorer window showing DLL's — Windows Explorer window showing DLL’s

Reboot server

Test WebConsole functionality

Verify from SCOM Console > Administration Tab > Settings > Web

Example

http://16ms01/OperationsManager

Contact Security Team to re-scan SCOM asset(s)

References

CVE-2020-1331 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1331

Microsoft Support article

https://support.microsoft.com/en-us/help/4566040/prevent-javascript-injection-in-operations-manager-2016-web-console

Tenable forum post https://community.tenable.com/s/question/0D53a000074LGapCAG/plugin-137369-security-updatesfor-microsoft-system-center-operations-manager

UNIX Logical Disk classes

Time to talk about SCOM2019 UNIX classes!

Just came across an example where the UNIX Logical disk class was targeted.

Did you know: This class in the UNIX library is not like the Windows library, where Logical Disk has a matched discovery.

Logical Disk is broke out to the various UNIX flavors, where the version of UNIX has it’s own class and discovery, but the class refers to the base class of UNIX Library.

Let’s go through an example from the SCOM Console

Monitoring Tab > Discovered Inventory > Change Target Type

This lab example is for an Ubuntu (Universal Linux Library)

The Logical Disk target for the UNIX/Linux Core Library has the same output in SCOM for the flavor (i.e. Logical Disk for the Universal Linux Operating System)

How’s that possible… ?

Let’s look at the examples for the various Logical Disk Classes.

Example

AIX 7 pack – AIX Logical disk discovery/class

Universal Linux Monitoring Library

Linux Operating System Library

This makes sense, as Linux operating systems are SUSE, RHEL, Universal Debian and RPM. Solaris and AIX are their own operating systems. This helps describe the class hierarchy.

UNIX

Flavor of Unix (Linux, Solaris, or AIX)

Version or flavor of Linux, Solaris, or AIX

How did I get to this conclusion?

MPViewer will help view the classes and discoveries.

What does this mean to me: Create a single view to view ALL UNIX ‘Logical Disk’ entries discovered. As the UNIX flavors all use UNIX Logical Disk class for their base class, ALL the inherited classes are displayed.

AIX Logical Disk Discovery

Univeral Linux Discovery

Universal Linux Classes

Windows Server packs are very similar

Windows Logical Disk class

SYSTEM CENTER 2016/2019 Operations Manager – Anti-Virus Exclusions

Updated 30 June, 7 July 2020 and includes docs.microsoft.com article updates

NOTE: Process name exclusion wildcards could potentially prevent some dangerous programs from being detected.

Hopefully this table is helpful (my thanks to Matt Goedtel for the docs site updates, and Matt’s efforts to keep docs the ‘go-to’ site)

Previously the blog left the SCOM Admin and Security teams with questions where blogs did NOT match vendor site documentation. The blog merged the PFE UK team blog & Kevin Holman blog into an easier tabular view per component)

Original Blog introduction

As we are all aware, antivirus exclusions can affect monitoring data generated, and affect system performance.

Best practice is to implement specific exclusions.

Exclusions\Role	MS	DB	GW	RS	Web	Agent
Folder
Management Server installation folder Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\”	*
Agent installation folder Default: “C:\Program Files\Microsoft Monitoring Agent”				*		*
Gateway installation folder Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Gateway\”			*
Reporting installation folder Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Reporting”				*
WebConsole installation folder Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole”					*
SQL Data installation folder Default: “C:\Program Files\Microsoft SQL Server\MSSQL.1x<INSTANCENAME>\MSSQL\Data”		*
SQL Log installation folder Default: “C:\Program Files\Microsoft SQL Server\MSSQL.1x<INSTANCENAME>\MSSQL\Log”		*
SQL Reporting installation folder Default: “C:\Program Files\Microsoft SQL Server\MSRS.1x<INSTANCENAME>				*
File Types
EDB	*	*	*	*		*
CHK	*	*	*	*		*
LOG	*	*	*	*		*
LDF		*		*
MDF		*		*
NDF		*		*
Processes
CShost.exe	*
HealthService.exe	*	*	*	*	*	*
Microsoft.Mom.Sdk.ServiceHost.exe	*
MonitoringHost.exe	*	*	*	*	*	*
SQL Server Default: “C:\Program Files\Microsoft SQL Server\MSSQL1x.<Instance Name>\MSSQL\Binn\SQLServr.exe”		*
SQL Reporting Services Default: “C:\Program Files\Microsoft SQL Server\MSRS1x.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe”		*		*

Useful information for decoding the matrix

Docs site https://docs.microsoft.com/en-us/system-center/scom/plan-security-antivirus?view=sc-om-2019

Platform https://support.microsoft.com/en-us/help/822158/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows

SCOM 2012/2012R2 KB975931 https://support.microsoft.com/en-us/help/975931/recommendations-for-antivirus-exclusions-that-relate-to-operations-manager

PFE UK team blog https://blogs.technet.microsoft.com/manageabilityguys/2013/11/26/system-center-2012-r2-operations-manager-anti-virus-exclusions/

SQL

https://support.microsoft.com/en-us/help/309422/choosing-antivirus-software-for-computers-that-run-sql-server

https://blogs.technet.microsoft.com/raymond_ris/2014/01/16/windows-antivirus-exclusion-recommendations-servers-clients-and-role-specific/

Version mapping by folder (my thanks to StackOverFlow https://stackoverflow.com/questions/18753886/sql-server-file-names-vs-versions )
100 = SQL Server 2008    = 10.00.xxxx
105 = SQL Server 2008 R2 = 10.50.xxxx
110 = SQL Server 2012    = 11.00.xxxx
120 = SQL Server 2014    = 12.00.xxxx
130 = SQL Server 2016    = 13.00.xxxx