The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237428	SCOM-AC-000006	SV-237428r643930_rule		Low

Description
The Microsoft SCOM management servers are considered high value IT resources where compromise would cause a significant impact to the organization. The Operations Manager console contains APIs that an attacker can use to decrypt Run As accounts or install malicious management packs. If a SCOM console sits on a Tier 2 device, an attacker could use the administrator's alternate credentials to exploit SCOM. A Privileged Admin Workstation (PAW) device provides configuration and installation requirements for dedicated Windows workstations used exclusively for remote administrative management of designated high-value IT resources.

Description

The Microsoft SCOM management servers are considered high value IT resources where compromise would cause a significant impact to the organization. The Operations Manager console contains APIs that an attacker can use to decrypt Run As accounts or install malicious management packs. If a SCOM console sits on a Tier 2 device, an attacker could use the administrator's alternate credentials to exploit SCOM. A Privileged Admin Workstation (PAW) device provides configuration and installation requirements for dedicated Windows workstations used exclusively for remote administrative management of designated high-value IT resources.

STIG	Date
Microsoft SCOM Security Technical Implementation Guide	2021-03-15

Details

Check Text ( C-40647r643928_chk )
If the SCOM console is installed on a Terminal Server within a dedicated hardened management forest, this check is Not Applicable. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. From the SCOM Administrator(s) productivity workstation (i.e. it has internet, or office applications), check for the presence of the operations console. This can be done by clicking the windows button and typing "Operations" in the search bar. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. If the Operations console appears, this is a finding.

Check Text ( C-40647r643928_chk )

If the SCOM console is installed on a Terminal Server within a dedicated hardened management forest, this check is Not Applicable.

If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts.

From the SCOM Administrator(s) productivity workstation (i.e. it has internet, or office applications), check for the presence of the operations console. This can be done by clicking the windows button and typing "Operations" in the search bar.

If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts.

If the Operations console appears, this is a finding.

Fix Text (F-40610r643929_fix)
Remove any SCOM consoles from productivity workstations.