Tag: SSRS

SCOM SSRS ReportExtensions

For a smooth install, everything comes down to SCOM SSRS prerequisites.  The SCOM Reporting role install really comes down to three (3) things – permissions, latest SSRS EXE downloaded (for install 2019, 2022), and ReportExtensions configuration.  The go-to reference is Holman’s QuickStart deployment guides for SCOM2019 forward list the how-to starting point.  This post focuses on ReportExtensions configuration, where more ‘how to’ details are needed.

Quick Start links:

SCOM 2022 – QuickStart Deployment Guide

SCOM 2019 – QuickStart Deployment Guide

SSRS learn.microsoft.com site article https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/cannot-deploy-operations-manager-reports

 

Configure Report Extensions via SSMS (GUI)

RDP to server with enabled account

Open SSMS that has connectivity to SSRS install/server

Change ‘Server type’ drop-down to Reporting Service

Change SSMS Server Type from Database Engine to Reporting Service
Change SSMS Server Type from Database Engine to Reporting Service

Click Connect

Right click on Server > Properties

In the Server Properties window, select the Advanced Tab

Click on the AllowedResourceExtensionsForUpload, and add *.*

Click OK

Screenshot of SSMS Connected to Reporting Service, expanding SSRS Properties > Advanced Tab > showing AllowedResourceExtensionsForUpload
Screenshot of SSMS Connected to Reporting Service, expanding SSRS Properties > Advanced Tab > showing AllowedResourceExtensionsForUpload

Don’t forget to restart SSRS to make changes take effect!

Once restarted, verify SVC/MSA account permissions, and begin SCOM Reporting role!

 

Configure Report Extensions via PowerShell

Testing learn article PowerShell for SSRS Defaults (pre-requisite for SCOM Reporting role with SSRS2017+ versus SSMS).   > Reporting Services

SSRS Note for ServiceAddress (SSRS URL) is other than localhost

On respective server, open PowerShell as Admin

Paste the following:

$ServiceAddress = ‘http://localhost

$ExtensionAdd = @(

                ‘*’

                ‘CustomConfiguration’

                ‘Report’

                ‘AvailabilityMonitor’

                ‘TopNApplications’

                ‘Settings’

                ‘License’

                ‘ServiceLevelTrackingSummary’

                ‘CustomPerformance’

                ‘MostCommonEvents’

                ‘PerformanceTop’

                ‘Detail’

                ‘DatabaseSettings’

                ‘ServiceLevelObjectiveDetail’

                ‘PerformanceDetail’

                ‘ConfigurationChange’

                ‘TopNErrorGroupsGrowth’

                ‘AvailabilityTime’

                ‘rpdl’

                ‘mp’

                ‘TopNErrorGroups’

                ‘Downtime’

                ‘TopNApplicationsGrowth’

                ‘DisplayStrings’

                ‘Space’

                ‘Override’

                ‘Performance’

                ‘AlertDetail’

                ‘ManagementPackODR’

                ‘AlertsPerDay’

                ‘EventTemplate’

                ‘ManagementGroup’

                ‘Alert’

                ‘EventAnalysis’

                ‘MostCommonAlerts’

                ‘Availability’

                ‘AlertLoggingLatency’

                ‘PerformanceTopInstance’

                ‘rdl’

                ‘PerformanceBySystem’

                ‘InstallUpdateScript’

                ‘PerformanceByUtilization’

                ‘DropScript’

)

Write-Output ‘Setting Allowed Resource Extensions for Upload’

$error.clear()

try

{

                $Uri = [System.Uri]”$ServiceAddress/ReportServer/ReportService2010.asmx”

                $Proxy = New-WebServiceProxy -Uri $Uri -UseDefaultCredential

                $Type = $Proxy.GetType().Namespace + ‘.Property’

                $Property = New-Object -TypeName $Type

                $Property.Name = ‘AllowedResourceExtensionsForUpload’

$ValueAdd = $ExtensionAdd | ForEach-Object -Process {

                                “*.$psItem”

                }

$Current = $Proxy.GetSystemProperties($Property)

                if ($Current)

    {

                $ValueCurrent = $Current.Value -split ‘,’

                $ValueSet = $ValueCurrent + $ValueAdd | Sort-Object -Unique

                }

                else

    {

        $ValueSet = $ValueAdd | Sort-Object -Unique

    }

$Property.Value = $ValueSet -join ‘,’

                $Proxy.SetSystemProperties($Property)

    Write-Output ‘  Successfully set property to: *.*’

}

catch

{

                Write-Warning “Failure occurred: $error”

}

Write-Output ‘Script completed!’

 

Successfully set property to: *.*
PS C:\Windows\system32> Write-Output ‘Script completed!’
Script completed!
PS C:\Windows\system32>

 

Don’t forget to restart SSRS.

Verify SVC/MSA account permissions, then begin SCOM Reporting role!

Enjoy!

Setting up PowerBI Report Server SPN

Ah - 'Setting up PowerBI Report Server SPN's for PowerBI and SQL to help securely communicate and authenticate.
Ah – ‘Setting up PowerBI Report Server SPN’s for PowerBI and SQL to help securely communicate and authenticate.

‘Setting up PowerBI Report Server SPN’ in hybrid environments when the PowerBI cloud service is not <yet> an option in an organization.  This article will go through SPN commands, to secure via Kerberos authentication and/or smart card usage for Security requirements (i.e. STIG, CCRI, SOX, HIPAA, PCI, Security Scans, <insert other regulatory requirements here>).  Lastly, PowerBI Report Server can be setup to run parallel to SSRS SQL instance.  Refer to SPN commands below which helped me setup SmartCards authentication based on SPN setup.

 

Find/replace

DOMAIN

POWERBIREPORTSERVER

FQDN

svc.PowerBI.scomda

svc.PowerBI.scomdr

 

 

SPN commands to set up SQL & PowerBI

Create SPN for PowerBI Report Server

# RE: PBIRS SPN’s
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

 

Create PowerBi Report Server SPN’s for OLAP

# PBIRS & MSSQL
# Remove the SPN’s for SQL on Report Server
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER POWERBIREPORTSERVER
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER.FQDN POWERBIREPORTSERVER

 

Create PowerBI Report Server SPN for service/gMSA account

setspn -d HTTP/POWERBIREPORTSERVER.FQDN:443 DOMAIN\svc.PowerBI.scomdr
setspn -d HTTP/POWERBIREPORTSERVER:443 DOMAIN\svc.PowerBI.scomdr

 

Create SQL SPN’s for SSRS reporting

SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

 

Create SQL HTTP SPN’s for SSRS reporting

setspn -s HTTP/reports.FQDN DOMAIN\svc.PowerBI.scomdr
setspn -s HTTP/reports DOMAIN\svc.PowerBI.scomdr

 

Lastly, test authentications to PowerBI server…

Verify PBIRS (PowerBI Report Server) log file for ReportServerService_HTTP_ entries after successful auth

File PATH = D:\Program Files\Microsoft Power BI Report Server\PBIRS\LogFiles

 

Documentation

PowerBI with Service Principal https://powerbi.microsoft.com/en-us/blog/use-power-bi-api-with-service-principal-preview/

Configure Kerberos SSO https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-kerberos

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’

 

The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files.  The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022).  As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files.   My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.

 

 

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’.  Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480

 

Download files

Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

 

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is SCOM Default folder on non-system disk @

D:\Program Files\System Center\Operations Manager\Server

 

Update the registry on relevant servers

Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

 

STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key
Display of regedit for the FIPS enabled key

 

PowerShell Verification:

$RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

 

Example Output

PS C:\> $RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”

PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled

PS C:\> $FIPSEnabled

0

PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }

FIPS disabled

 

 

PowerShell to set the registry key:

Blog link

$registryPath = “HKCU:\Software\ScriptingGuys\Scripts”

$Name = “Version”

$value = “1”

New-ItemProperty -Path $registryPath -Name $name -Value $value ` 

    -PropertyType DWORD -Force | Out-Null

 

 

 

Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’

 

 

 

Relevant links and documentation of  ‘STIGs for SCOM FIPS compliance on Windows’

Download from blog here (Link  https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified server2016,2019 per learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/

 

 

 

 

Check your delegation settings

 

Sometimes as the monitoring admin, you may be responsible to secure your servers, being told from Security/Cyber Teams about new vulnerabilities.  The vulnerabilities may be from Tanium, ACAS, Tenable or other security tools.   This article is how to help you secure related SCOM web console, and SSRS reporting sites against Unconstrained Delegation vulnerabilities CVE-2020-17049, also AD STIG V-36435.

 

First we need to identify IF this is a true finding.

Typically this comes from Server/SystemsAdmin with domain admin access:

From PowerShell run:

Get-ADComputer -LDAPFilter
“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

After identifying SCOM servers with unconstrained delegation (scope of blog post is focused on SCOM in a hybrid scenario (prem/cloud), we need to resolve.

With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.

In ADUC, change Find drop-down to Computers
In the Computer name text box, enter <SCOMServer>  and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

ADUC view of lab server delegation setting

 

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMServer>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC GUI adding services for delegation on SCOM server

Once set in AD, reboot server.  Running ‘gpupdate /force’ may not apply AD changes to the server object.

After reboot, reach out to SCOM Admins to test webconsole authentication

From edge browser, go to SCOM web console, typically @ https://<SCOMServer>/OperationsManager

On the Monitoring tab, click on Active Directory dashboard on left

Verify authentication works

 

Documentation

Pentestlab – Detecting Unconstrained Delegation Exposures in AD Environment

Petri.com find and block unconstrained delegation

Learn.Microsoft.com unconstrained kerberos article

Explanatory documents on what/why

Remove Unconstrained Kerberos Delegation