If a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237434	SCOM-CM-000003	SV-237434r643948_rule		Low

Description
Web certificates should always be signed by a trusted signer and never self-signed.

STIG	Date
Microsoft SCOM Security Technical Implementation Guide	2021-03-15

Details

Check Text ( C-40653r643946_chk )
From the web console server, open IIS. Right-click on the Default Website and choose Edit Bindings. Select the https binding and click edit. Click View to view the certificate being used to protect the website. If the certificate is not issued by a DoD CA or a trusted internal CA, this is a finding.

Fix Text (F-40616r643947_fix)
Issue a web corticated from a trusted internal CA server as this will be required for https protocols to function properly. It will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click on the https binding and click edit. For the SSL certificate drop down, choose the new certificate. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.

Fix Text (F-40616r643947_fix)

Issue a web corticated from a trusted internal CA server as this will be required for https protocols to function properly. It will need to be installed on the server in advance.

From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click on the https binding and click edit. For the SSL certificate drop down, choose the new certificate. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.