‘File Services Addendum’, named Microsoft Windows Server FileServices 2016 Addendum, adds replication health/backlog script, seed and group classes, replication/service monitors, recovery tasks, and overrides to tune monitored environment.
The Addendum assumes the version-agnostic (v10) File Services management pack is installed.
Looking at the XML file in Notepad++, the pack references are the other management packs the workflows refer to. Kevin Holman taught building backwards compatibility into MP authoring; backwards compatibility allows import into SCOM 2012+ without errors. Taking this one step further, the v10.0.0.0 File Services packs referenced are the version-agnostic packs.
NOTE: File Services Addendum references may need updates if the whole file services management packs are NOT installed.
Addendum logic
Capabilities
Daily report and close automation, on-demand tasks for reports
DFS backlog script errors
SmSvc, DFSN, DFSR service recovery and rule alerts (from Holman fragments library)
DFS replication backlog watcher, script, alerts
Next, we look at the group/class discoveries
Update the Class/Group discoveries for DFS servers, or the script install paths for the replication script.
Find and replace FilePath and ##DFSServerNamingConvention## variable.
Leverage DHCP addendum to tune DHCP subnet monitoring.
Leverage the ‘DHCP Addendum pack’. Why? DHCP manages IP ranges, and DHCP problems surface as customer facing issues like VPN connectivity, VDI/AVD/appliance devices, as well as client workstations/laptops/GFEs. The DHCP management pack alerts when a subnet is nearing zero available IPs, before you have an outage. This article will help you understand how the addendum’s new capabilities tune DHCP monitoring to best practice.
What capabilities does the ‘DHCP Addendum pack’ provide?
Two groups: a DHCP server group, and a DHCP subscription group to configure notifications to the SME for DHCP-related classes
Overrides for common alerts, disable event collection rules
Utilize the DHCP Addendum
Download the DHCP Addendum on GitHub to get alerts only where manual intervention is required.
Update XML
The pack greatly decreases alerts, and the XML authoring is an easy feat. After you import the pack, find/replace is required for two pieces.
Discovery group regular expressions (RegEx)
##DHCPServerRegEx##
Find ##DHCPServerRegEx## and replace it with your DHCP server expressions.
Example server names: 12dc01, 19dc01,19dc02,19dc03, etc.
RegEx = (?i)12dc0|19dc0
Using PowerShell on SCOM management server (MS) to determine group GUIDs for replace in Overrides/Discoveries.
Update group GUIDs, after installing this pack.
Find/replace the GUIDs: as they are unique to every SCOM management group, hard coding the group ID GUID is not possible. We will be running Get-SCOMClassInstance to determine the group GUIDs applicable in the management group.
From PowerShell, on your SCOM management server, run get-SCOMClassInstance commands for the two groups added.
get-scomclassinstance -DisplayName "Microsoft Windows DHCP 2016+ Servers" | ft Id
get-scomclassinstance -DisplayName "Microsoft Windows DHCP 2016+ subscription components" | ft Id
Example
Leveraging Notepad++ to find/replace the group GUID with SCOM environment specific GUIDs
Find/Replace the GUID in the pack with the ID from the output above.
OS Addendum packs for Windows Server from 2012 forward
Download the ‘OS Addendum packs’ for new capabilities: an event count logic monitor type, Disk Cleanup, Group Policy, self-healing/reset monitors, as well as ‘EventLog full’ logic and reports. The additional monitors reduce alert noise. Examples of common alert scenarios are StorPort storage errors, Group Policy 1096 identification and rebuild, Disk Cleanup, and EventLog service recovery, which includes Event Log file expansion and rollover.
Update logical disk paths and retentions. The default report contains quite a few common checks, including root folders broken out by path, highest to lowest in GB. The workflow is scalable to add additional application paths, as well as file retention timeframes. The workflow runs on a weekly basis to clean up/archive log files and paths. See the Disk cleanup logic blog for more details.
The ‘OS Addendum packs’ contain a logical disk breakdown of root folders that lists the paths where files are stored, highest to lowest.
Update StorPort Count for Repeated Storage Errors
StorPort storage errors typically generate lots of alerts for storage reads/writes. The ‘count’ monitors decrease the alerts, and the daily alert report consolidates the warning alerts (critical by default). If you’re seeing these alerts, the default should decrease overall alerts to near zero. Tune as needed for disk alerts by updating MatchCount or TimerWait in Seconds (the ‘x events in y time’ piece of the monitor logic).
nslookup to find out IP to name or name to IP resolution.
Simply put: leverage the ‘DNS Addendum pack’. Why? DNS is the translation method that converts names to IPs. Can you imagine if we wanted to connect to Google via IP? The number of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with hundreds of zones, SCOM becomes a utilization culprit for a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack will add new capabilities and tune DNS monitoring to best practice.
What capabilities does the ‘DNS Addendum pack’ provide?
Count logic monitors (i.e. x events in y time, and self heal)
Daily summary report of DNS alerts broken out
DNS service(s) recovery automation
Daily alert closure workflow to close out DNS rules/monitor
Synthetic internal/external nslookup monitor (scoped to PDC emulators versus ALL DNS servers)
WMI validation alert recovery to prevent false positive alerts with weird one off scenarios – one example: Security tools randomly block WMI access.
Download the DNS Addendum on GitHub and the PDF install guide, to improve AD Integrated (ADI) DNS monitoring on Windows Server 2016+ (version agnostic).
XML authoring
The pack greatly decreases alerts, workflows on your AD integrated DNS servers, and the XML authoring is an easy feat. After you import the pack, find/replace is required for two pieces.
Update group GUIDs after installing this pack.
Find/replace the GUIDs, as they are unique to every SCOM management group, hard coding the group ID GUID is not possible.
From PowerShell, on your SCOM management server, run these commands (after DNS Addendum installed)
Use get-scomclassinstance -DisplayName "GroupNameHere" | ft Id
Find/Replace the GUID in the pack with the ID from the output above.
Discovery group regular expressions (RegEx)
##DNSServerRegEx##
Find ##DNSServerRegEx## and replace with your DNS server expressions.
Example server names: 16dns01, 19dc01,16dns02,19dc02,19dc03, etc.
RegEx = (?i)16dns0|19dc0
DNS Group discovery example of RegEx for find/replace
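The find/replace steps for the DHCP and DNS addendums above (and the ##DFSServerNamingConvention## token in the File Services addendum) are the same procedure: swap a ##Token## placeholder for your RegEx, and swap the group GUIDs shipped in the pack for the Ids Get-SCOMClassInstance returns in your management group. The PowerShell below is an added example, not code from the original posts or from the addendum packs; it checks the RegEx against sample names first and XML-escapes the value before writing it. The MP file path, the placeholder GUIDs in the GroupMap and the sample server names are assumptions; the group display names are the two the DHCP article lists.

```powershell
# Added example (not from the original posts or the addendum packs): replace the
# placeholder tokens and placeholder group GUIDs in an unsealed addendum MP XML.
# Assumptions: the MP path, the placeholder GUIDs currently in the file, and the
# sample server names used to check the RegEx.
Import-Module OperationsManager

function Test-ServerRegEx {
    param([string]$Pattern, [string[]]$ShouldMatch, [string[]]$ShouldNotMatch)
    # $true only when the pattern matches every intended name and none of the others.
    foreach ($n in $ShouldMatch)    { if ($n -notmatch $Pattern) { return $false } }
    foreach ($n in $ShouldNotMatch) { if ($n -match $Pattern)    { return $false } }
    return $true
}

function Update-AddendumPlaceholders {
    param(
        [Parameter(Mandatory)][string]$MpPath,
        [hashtable]$TokenMap = @{},   # '##Token##' -> replacement text
        [hashtable]$GroupMap = @{}    # group DisplayName -> placeholder GUID currently in the file
    )
    $xml = Get-Content -Path $MpPath -Raw

    foreach ($token in $TokenMap.Keys) {
        if (-not $xml.Contains($token)) { throw "Token $token not found in $MpPath" }
        # The value lands inside XML text, so escape &, <, > and quotes first.
        $safe = [System.Security.SecurityElement]::Escape($TokenMap[$token])
        $xml  = $xml.Replace($token, $safe)
    }

    foreach ($name in $GroupMap.Keys) {
        $placeholder = $GroupMap[$name]
        if (-not $xml.Contains($placeholder)) { throw "Placeholder GUID $placeholder not found in $MpPath" }
        # The group only exists after the pack is imported and discovery has run.
        $inst = @(Get-SCOMClassInstance -DisplayName $name)
        if ($inst.Count -ne 1) { throw "Expected exactly one instance of '$name', found $($inst.Count)" }
        $xml = $xml.Replace($placeholder, $inst[0].Id.ToString())
    }

    Copy-Item -Path $MpPath -Destination "$MpPath.bak" -Force   # keep the original for diffing
    Set-Content -Path $MpPath -Value $xml -Encoding UTF8
}

# Usage with the DHCP Addendum values from the article. The DNS and File Services
# addendums are handled the same way with their own tokens and group names.
$regex = '(?i)12dc0|19dc0'
if (-not (Test-ServerRegEx -Pattern $regex `
          -ShouldMatch @('12dc01', '19dc03') -ShouldNotMatch @('19dc10', '16dns01'))) {
    throw 'Server RegEx does not match the expected names'
}

Update-AddendumPlaceholders -MpPath 'C:\MPs\DHCP.Addendum.xml' `
    -TokenMap @{ '##DHCPServerRegEx##' = $regex } `
    -GroupMap @{
        'Microsoft Windows DHCP 2016+ Servers'                 = '00000000-0000-0000-0000-000000000001'
        'Microsoft Windows DHCP 2016+ subscription components' = '00000000-0000-0000-0000-000000000002'
    }
```

Run it on a management server after the addendum has been imported once (so the groups exist), then re-import the edited XML. The ShouldNotMatch list is the useful part of the RegEx check: a pattern like 19dc0 also matches 19dc01 through 19dc09 but not 19dc10, so list the names you expect to stay out of the group.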
Extra Extra read all about it, VMwareTools OpenSSL vulnerabilities!
Update VMwareTools to solve OpenSSL vulnerabilities CVE-2023-3446, CVE-2023-2975. The ‘VMwareTools OpenSSL vulnerabilities’ showed up two (2) weeks ago, but it took about a week for the update to post. Latest Tenable scan article shows OpenSSL update to v3.0.10 required for VMware Tools.
Update VMwareTools
Start with the security scan and the Tenable plugin ID that documents the OpenSSL problems.
Talk with your security team to identify the offending path for guidance on which application might be the culprit. The diagnostic/debug details can be a lifesaver!
Snippet of Tenable OpenSSL path from scan diagnostic of OpenSSL vulnerabilities
Newer version of VMwareTools required to fix OpenSSL vulnerabilities.
Originally, no VMwareTools update posted
VMware Tools v12.6 resolves CVE-2023-3446 and CVE-2023-2975. Hopefully your virtualization team uses an Endpoint Manager to manage server configurations, and they have an application/package wrapper to install VMware Tools without this being a manual process.
Either way, you’ll need to get the update from the VMware Tools download link.
What does your mind link to with the FIPS acronym? FIPS makes me think of the movie Greyhound, where Tom Hanks says LT Flipper instead of Fippler, all of which has ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’.
The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’ is obtaining the files. The SCOM ISOs bundled since 2012 SP1 do NOT contain the gacutil and cryptography DLL files needed to resolve STIG V-220942 (Win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019) and V-254480 (Server 2022). As much as we want to resolve the ‘STIGs for SCOM FIPS compliance for Windows Server’, you have to start by finding the relevant files. My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj for their involvement and clarification.
Install DLL for STIGs for SCOM FIPS compliance on Windows
Time to mitigate!
Let’s begin by fixing the SCOM Web Console role servers (possibly including SQL SSRS and PowerBI Report Server) to resolve multiple ‘STIGs for SCOM FIPS compliance for Windows Server’. The blog post applies to multiple STIGs, including V-220942, V-226335, V-73701, V-93511 and V-254480.
Download files
Get the files from the blog download link, from the old ISOs (the DLL) and the server ISO (gacutil), or from the my.visualstudio.com link.
Download SCOM ISO from my.visualstudio.com/Downloads?q=operations
If you downloaded from my.visualstudio.com, extract from ISO.
Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.
Download the DLL to the SCOM default folder –
Best practice is SCOM Default folder on non-system disk @
IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console
This article will help resolve the HSTS-related vulnerability findings on IIS 10. The steps apply to Windows Server 2016+ and help resolve multiple vulnerabilities, including CVE-2023-23915, CVE-2023-23914 and CVE-2017-7789. There are a few ways to configure IIS, and the blog post shows how to set up the HTTP response header and the HTTP redirect for the SCOM web console role server(s).
Setting HSTS on IIS10 to resolve with Server2016 1609
Open a PowerShell window as Admin, then run:
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name
Example aim for latest directory
NOTE bottom entry based on software versioning
Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name
Name
----
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1
# AppCMD lines
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.enabled:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.max-age:31536000" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.includeSubDomains:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.redirectHttpToHttps:True" /commit:apphost
For Server2016 1709 and greater
To add the HSTS Header, follow the steps below:
Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or directly in web.config as below under system.webServer:
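The IIS Manager steps above (add a Strict-Transport-Security custom response header) can also be scripted, which is handy across several web console, SSRS or report servers. The following is an added example, not code from the original post: it uses the WebAdministration module to add the header if it is missing, update it in place if it is present with a different value, and read it back. The site name is an assumption; the header value is the one the steps above specify.

```powershell
# Added example (not from the original post): set the Strict-Transport-Security
# response header on an IIS 10 site idempotently and verify it.
# Assumption: the site is 'Default Web Site'; change it to match your server.
Import-Module WebAdministration

$siteName  = 'Default Web Site'                              # assumed site name
$hstsValue = 'max-age=31536000; includeSubDomains; preload'  # value from the steps above
$psPath    = "IIS:\Sites\$siteName"
$filter    = 'system.webServer/httpProtocol/customHeaders'

function Get-HstsHeader {
    param([string]$PSPath, [string]$Filter)
    # Returns the existing Strict-Transport-Security entry, or nothing if unset.
    Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name Collection |
        Where-Object { $_.name -eq 'Strict-Transport-Security' }
}

$existing = Get-HstsHeader -PSPath $psPath -Filter $filter
if ($null -eq $existing) {
    # No header yet: append one entry to the customHeaders collection.
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = $hstsValue }
}
elseif ($existing.value -ne $hstsValue) {
    # Header present with another value: update in place rather than adding a
    # second copy, because browsers honour only the first HSTS header they see.
    Set-WebConfigurationProperty -PSPath $psPath `
        -Filter "$filter/add[@name='Strict-Transport-Security']" `
        -Name value -Value $hstsValue
}

# Show what IIS will now send on responses for this site.
Get-HstsHeader -PSPath $psPath -Filter $filter | Format-List name, value
```

Two points worth checking after running it: browsers only act on the header when it arrives over HTTPS, so the HTTP-to-HTTPS redirect the post describes is still needed; and the preload directive should only be kept if every host under the domain serves HTTPS, since it is the value required to submit the domain to the browser preload list.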