Much like the character from Seinfeld, finding out that ‘V-237434 SCOM Web Console SSL Settings’ is NOT STIG compliant (STIG’d) is just as traumatic as being hungry and told ‘No soup for you!’ With all the many STIG findings, here’s a quick and dirty way to resolve this one.
Kevin Holman SCOM QuickStart guides for SCOM 2019, SCOM 2022
V-237434 SCOM Web Console SSL Settings
STIG V-237434 requires an SSL certificate issued by a trusted CA on the SCOM web console. The earlier July blog posts are part of the same effort to secure the SCOM web console; the redirect post forces HTTPS, which complements this STIG finding. As the STIG states, verify that the IIS web site binding is HTTPS and remove the HTTP binding.
Remediate SCOM servers with Web Console role
Assumption: SmartCards are used for authentication. If so, the client certificate part below applies; otherwise skip it.
RDP to the server and open IIS Manager
Expand IIS Server > Expand Sites > Expand Default Web Site
IIS Manager Default Web Site menu
Click on SSL Settings
If the page is greyed out, there is no HTTPS binding yet: follow the SCOM WebConsole settings blog to set up the SSL certificate and HTTPS binding, then come back and proceed below.
Check the box to ‘Require SSL’
If SmartCards are used (see the assumption above), click the radio button to ‘Accept’ client certificates. ‘Accept’ asks the browser for a client certificate but still lets a user without one fall through to Windows Authentication; ‘Require’ rejects the connection outright, so only choose it once every console user has a SmartCard.
Click Apply
IIS Manager, Default Web Site, SSL Settings page (greyed out) when no SSL certificate and HTTPS binding are configured
Click on Default Website on left hand pane
In the Actions Pane (right hand side), click on Restart to restart the IIS website
Restart IIS website from IIS manager actions pane
IIS Website bindings
The next piece is to verify that the HTTPS binding is set up correctly (in case you got disconnected or rebooted the server).
RDP to the server and open IIS Manager
Expand IIS Server > Expand Sites > Expand Default Web Site
In the Actions pane on the top right, click on Bindings
IIS Manager, Default Web Site, Actions pane, Bindings to set up HTTPS and remove HTTP
Kevin Holman’s QuickStart blog(s) for SCOM 2019 and SCOM 2022 set up the default HTTP binding (i.e. no SSL cert configured)
Default Web Site Bindings showing HTTP only, as left by the SCOM quick start
If HTTP ONLY, click the Add button
Change dropdown for Type to https
Enter the Host name (the server name or alias users will browse to; it must match a name on the certificate)
Click Select to choose the SSL cert
Click OK
Adding HTTPS Binding with server name, SSL cert drop down and selected
Verify SSL certificate added
IIS HTTPS Bindings with SSL cert
If you have the HTTPS binding above, with ‘Require SSL’ checked and the plain HTTP binding removed as the STIG asks, change your STIG CKL entry and document V-237434 SCOM Web Console SSL Settings as NOT a finding!
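The clicks above can be checked, and if needed applied, from an elevated PowerShell on the web console server. The script below is an added example, not code from the original post: it assumes the console sits under “Default Web Site”, that the WebAdministration module (installed with IIS) is present, and it uses Test-Certificate from the PKI module as the “trusted CA” check; the function names, the -Thumbprint/-HostHeader parameters and the sslFlags text values are mine, not the STIG’s.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# V-237434 conditions on the SCOM web console server. Run elevated on that server.
# Assumptions: site is "Default Web Site"; WebAdministration and PKI modules available.
Import-Module WebAdministration

function Test-ScomWebConsoleSsl {
    param([string]$SiteName = 'Default Web Site')

    $r = [ordered]@{
        HttpsBinding    = $false   # an https binding exists
        CertSubject     = ''
        CertTrusted     = $false   # chains to a trusted CA with the Server Authentication EKU
        RequireSsl      = $false   # "Require SSL" checked on the SSL Settings page
        ClientCerts     = 'Ignore' # Ignore / Accept / Require radio button
        HttpBindingLeft = $false   # plain http binding still present (STIG says remove it)
        Finding         = $true
    }
    $bindings = @(Get-WebBinding -Name $SiteName)
    $https = @($bindings | Where-Object { $_.protocol -eq 'https' })
    $r.HttpsBinding    = $https.Count -gt 0
    $r.HttpBindingLeft = @($bindings | Where-Object { $_.protocol -eq 'http' }).Count -gt 0

    foreach ($b in $https) {
        # certificateHash is the thumbprint of the cert bound to this https binding
        $cert = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
        if (-not $cert) { continue }
        $r.CertSubject = $cert.Subject
        # Test-Certificate walks the chain against the machine trust stores; a
        # self-signed or unknown-CA certificate returns $false (the STIG finding).
        $r.CertTrusted = [bool](Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
    }

    # The SSL Settings page writes sslFlags on system.webServer/security/access,
    # e.g. "Ssl, SslNegotiateCert" for Require SSL + Accept client certificates.
    $flags = [string](Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath "IIS:\Sites\$SiteName").sslFlags
    $r.RequireSsl = $flags -match '\bSsl\b'
    if     ($flags -match 'SslRequireCert')   { $r.ClientCerts = 'Require' }
    elseif ($flags -match 'SslNegotiateCert') { $r.ClientCerts = 'Accept' }

    $r.Finding = -not ($r.HttpsBinding -and $r.CertTrusted -and $r.RequireSsl -and -not $r.HttpBindingLeft)
    [pscustomobject]$r
}

function Set-ScomWebConsoleSsl {
    # Applies the clicks from the walkthrough: add the https binding with the given
    # certificate, set Require SSL, optionally Accept client certs, optionally drop http.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # certificate already in Cert:\LocalMachine\My
        [string]$SiteName   = 'Default Web Site',
        [string]$HostHeader = '',                    # e.g. the SCOM alias; empty = any host
        [switch]$AcceptClientCerts,                  # SmartCard users
        [switch]$RemoveHttp
    )
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        $params = @{ Name = $SiteName; Protocol = 'https'; Port = 443 }
        if ($HostHeader) { $params.HostHeader = $HostHeader }
        New-WebBinding @params
        (Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Thumbprint, 'My')
    }
    $flags = if ($AcceptClientCerts) { 'Ssl,SslNegotiateCert' } else { 'Ssl' }
    Set-WebConfigurationProperty -Filter 'system.webServer/security/access' -Name sslFlags -Value $flags -PSPath "IIS:\Sites\$SiteName"
    if ($RemoveHttp) {
        Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding
    }
    Restart-WebItem "IIS:\Sites\$SiteName"   # same as Restart in the Actions pane
}

Test-ScomWebConsoleSsl | Format-List
```

Run Test-ScomWebConsoleSsl first and keep its output as the CKL evidence; if Finding is True and the certificate is already in the machine store, Set-ScomWebConsoleSsl -Thumbprint <thumbprint> -AcceptClientCerts -RemoveHttp does what the IIS Manager clicks above do, then run the test again.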
Airplane movie – AutoPilot with SCOM Web Console settings
It makes me think of the scene from Airplane! where the autopilot blows up, which parallels an engineer’s experience trying to talk through the SCOM Web Console configuration. I’m ready to dispel some myths and document securing the ‘SCOM Web Console for authentication’.
Quick outline
Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’
Set up the ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods. I set up the web console role with defaults, then come back to it later. Holman’s quick start lets you complete the role with the default HTTP setup. After that, we add an SSL cert for HTTPS. Third, use DNS aliases or F5 load balancers to simplify the user experience of accessing the console. Fourth, set up SmartCards to help secure it, along with Kerberos authentication/delegation.
Part 1 – Start with the SSL certificate for https
Set up the ‘SCOM WebConsole settings for authentication’, beginning with an SSL certificate request for the server(s) in question. Add any SAN names/aliases you want (if not load balanced).
NOTE:
Use CA auto-enrollment templates to simplify the SSL request whenever an internal (enterprise CA) certificate will do for your organization. External certificates generally require manual effort: build the request with certreq and submit it to the external CA.
Sample SSL certificate
SCOM Web Console SSL Cert details
Less typing means fewer typos
The SSL certificate example below includes the SAN names/aliases (if not load balanced). An alias simplifies the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager; the alias must be in the certificate’s SAN list and resolve in DNS, or browsers will warn.
IIS manager server certificates with SAN DNSName aliases included.
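As an added example (not part of the original post), here is the certreq request file for the certificate above built and submitted from PowerShell. The host names, DNS aliases, template name and CA name are placeholders to replace with your own; for an external CA, stop after the CSR is generated and send the .req file to the vendor.

```powershell
# Added example (not from the original post): build a certreq request file with SAN
# entries for the web console certificate, generate the CSR, and submit it to an
# internal enterprise CA. Names below are placeholders, not real infrastructure.
$serverFqdn = 'scom01.corp.example'                 # assumption: web console server FQDN
$aliases    = @('scom.corp.example', 'scom')        # assumption: DNS aliases users browse to
$infPath    = "$env:TEMP\scom-webconsole.inf"
$csrPath    = "$env:TEMP\scom-webconsole.req"
$cerPath    = "$env:TEMP\scom-webconsole.cer"

# Every name users type must be in the SAN; browsers ignore the CN, so the FQDN is
# repeated as the first dns= entry. certreq wants one _continue_ line per name.
$sanLines = (@($serverFqdn) + $aliases | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$serverFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the CSR; the private key is created in the machine store and never leaves it.
certreq.exe -new $infPath $csrPath

# Internal enterprise CA: submit and install in one go. For an external CA, send
# $csrPath to the vendor and install the returned certificate with "certreq -accept".
$caConfig = 'ca01.corp.example\Corp Issuing CA'    # assumption: <CA host>\<CA common name>
certreq.exe -submit -config $caConfig $csrPath $cerPath
certreq.exe -accept $cerPath
```

The KeyUsage 0xA0 (digital signature + key encipherment) and the Server Authentication EKU are what IIS needs for a TLS server certificate; Exportable = FALSE keeps the key from being copied off the web console server.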
Part 2 – Add Smart Card authentication in IIS
Next! I will set up the SmartCard (client certificate) role in the ‘SCOM WebConsole settings for authentication’. Additionally, review the IIS documentation on learn.microsoft.com here.
Compatibility (from the learn.microsoft.com reference)
Version     Notes
IIS 10.0    The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5     The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0     The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5     The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0     The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0     The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.
Add the Client Certificate feature for the SCOM Web Console
Let’s add SmartCard authentication capability.
Open Server Manager
Click on Manage > Add roles/features (top right)
Server Manager, top right: Manage > ‘Add Roles and Features’
Click Next twice to get to the Server Roles
Server Manager > Server Roles tab
Expand Web Server drop down
SCOM Web Console Authentication installing Client Certificate Mapping role
Check the box for ‘Client Certificate Mapping Authentication’ and click Next twice
Expand Server Manager > Web Server > Client Certificate Mapping Authentication
Click Install (mine is greyed out as it’s already installed)
Server Manager Features Install
Allow the install to complete; the server will prompt if a reboot is required.
NOTE: Either way, a reboot is required to apply the new authentication method.
Validate in IIS Manager after reboot
After the reboot, from IIS Manager > Server > Authentication, verify that ‘Active Directory Client Certificate Authentication’ is present and enabled.
IIS Authentication with Client Certificate Authentication (after role installed)
Verify Default Web Site Authentication setup
Verify Default Web site has Windows Authentication enabled.
Navigation steps:
IIS Manager > Expand Sites > Default Web Site > Authentication
Windows Authentication should be enabled and the others disabled. Anonymous Authentication in particular must be off: with it enabled, IIS serves the console anonymously and never challenges the browser for a SmartCard or Windows credentials.
Default Web Site Authentication showing Windows Authentication ONLY enabled
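The Part 2 steps above, done from an elevated PowerShell on the web console server, as an added example that is not from the original post. It assumes the WebAdministration module, that the console sits under “Default Web Site”, and that Windows Authentication is already installed (it is, for a working SCOM web console); Web-Client-Auth is the Server Manager feature name behind ‘Client Certificate Mapping Authentication’.

```powershell
# Added example (not from the original post): install Client Certificate Mapping
# Authentication, enable Active Directory Client Certificate Authentication at the
# server level (it can only be configured there), and leave the Default Web Site
# with Windows Authentication as the only enabled method. Run elevated.
$siteName = 'Default Web Site'     # assumption: SCOM web console under the default site

# "Client Certificate Mapping Authentication" in Server Manager is feature Web-Client-Auth
$feature = Install-WindowsFeature -Name Web-Client-Auth
if ($feature.RestartNeeded -ne 'No') {
    Write-Warning 'Reboot required before the new authentication method takes effect.'
}

Import-Module WebAdministration
$authRoot = 'system.webServer/security/authentication'

# Server level: what IIS Manager shows as "Active Directory Client Certificate Authentication"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "$authRoot/clientCertificateMappingAuthentication" -Name enabled -Value $true

# Site level: Windows Authentication on, everything else off. Anonymous must be off,
# otherwise IIS serves the console anonymously and never asks for a smart card
# or a Kerberos ticket.
$siteAuth = @{
    windowsAuthentication   = $true
    anonymousAuthentication = $false
    basicAuthentication     = $false
    digestAuthentication    = $false
}
foreach ($method in $siteAuth.Keys) {
    $filter = "$authRoot/$method"
    # Sections for authentication features that are not installed do not exist; skip them
    if (-not (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName -Filter $filter -ErrorAction SilentlyContinue)) { continue }
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
        -Filter $filter -Name enabled -Value $siteAuth[$method]
}

# Report what is now enabled for the site, matching the IIS Manager Authentication page
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName -Filter "$authRoot/*" |
    Select-Object @{ n = 'Method'; e = { $_.ItemXPath -replace '.*/', '' } }, enabled
```

Writing the site settings with -Location puts them in applicationHost.config under a location tag for the site, which is exactly where IIS Manager writes them, so the GUI and the script stay in agreement.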