The Microsoft SCOM Run As accounts must only use least access permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237427	SCOM-AC-000005	SV-237427r643927_rule		Medium

Description
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. Run As Accounts are interactive logon sessions on a system. An attacker who has compromised one of those systems could potentially reuse the credentials of a Run As account on another system.

STIG	Date
Microsoft SCOM Security Technical Implementation Guide	2021-03-15

Details

Check Text ( C-40646r643925_chk )
Obtain the User ID(s) in SCOM: Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click on each account listed under the Windows type and select the credentials tab (note that the network system and local system accounts do not need to be checked). Note the Username and domain name. Click on the Distribution tab and note the computer names that the account is distributed to. Validate Permissions in Active Directory: For each SCOM Run As account, open the Active Directory Users and Computers MMC and if necessary connect to the appropriate domain. Right-click on the domain and select "Find". In the "Name" field, type the User ID and click "Find Now". The account will appear in the results below. Double-click on the account and select the "Member Of" tab. Review the groups listed. If any group listed is an administrator on any system other than the systems the account is distributed to, this is a finding. If the account is part of Domain Administrators or Enterprise Administrators, elevate to CAT I.

Check Text ( C-40646r643925_chk )

Obtain the User ID(s) in SCOM:

Open the Operations Console and select the Administration workspace.

Under Run As Configuration, select Accounts.

Double-click on each account listed under the Windows type and select the credentials tab (note that the network system and local system accounts do not need to be checked). Note the Username and domain name. Click on the Distribution tab and note the computer names that the account is distributed to.

Validate Permissions in Active Directory:

For each SCOM Run As account, open the Active Directory Users and Computers MMC and if necessary connect to the appropriate domain. Right-click on the domain and select "Find". In the "Name" field, type the User ID and click "Find Now". The account will appear in the results below. Double-click on the account and select the "Member Of" tab.

Review the groups listed. If any group listed is an administrator on any system other than the systems the account is distributed to, this is a finding.

If the account is part of Domain Administrators or Enterprise Administrators, elevate to CAT I.

Fix Text (F-40609r643926_fix)
Create an active directory group in which the account is a member. Assign this group the appropriate permissions on only the servers that need this account. Remove the Run As account from all additional administrative AD groups.