Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-237438 | SCOM-MA-000001 | SV-237438r643960_rule | | High |
Description |
---|
HTTP sessions are sent in clear text and can allow a man-in-the-middle attacker to perform reconnaissance of the environment. The web console itself does not allow administrative actions, so most of the risk associated with HTTP authentication is inherently mitigated. However, clear-text HTTP would still allow an attacker to intercept SCOM web console traffic for reconnaissance purposes. |
STIG | Date |
---|---|
Microsoft SCOM Security Technical Implementation Guide | 2021-03-15 |
Check Text ( C-40657r643958_chk ) |
---|
This check is Not Applicable if the SCOM web console is not installed. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Examine the bindings for the web console and verify that only https is an option. If http is present or if there is no https binding, this is a finding. |
Fix Text (F-40620r643959_fix) |
---|
Issue a web certificate from a trusted internal CA server, as this is required for HTTPS to function properly. The certificate will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose Edit Bindings. Click the Add button. Under Type, select https and enter the appropriate host name in the Host name field. From the SSL certificate drop-down, choose the certificate that was installed. Click OK. Test HTTPS access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the HTTP binding. |
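The check and fix above as a PowerShell script, added here as an example and not part of the STIG. It uses the WebAdministration module that ships with IIS and assumes the console site is named "Default Web Site" (the STIG's "Default Website"), that the internal-CA certificate is already in the LocalMachine\My store, and that the host name and thumbprint are placeholders supplied by the operator.

```powershell
# Added example, not part of the STIG: audit and remediate SCOM-MA-000001.
# Assumes the WebAdministration module (ships with IIS) and that the SCOM
# web console lives in the IIS site named "Default Web Site".
Import-Module WebAdministration

function Test-ScomWebConsoleBindings {
    param([string]$SiteName = 'Default Web Site')

    # The check is Not Applicable when the web console site is not installed.
    if (-not (Get-Website -Name $SiteName)) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Bindings = @() }
    }
    $bindings = @(Get-WebBinding -Name $SiteName)
    $http     = @($bindings | Where-Object { $_.protocol -eq 'http' })
    $https    = @($bindings | Where-Object { $_.protocol -eq 'https' })

    # Finding if an http binding is present or no https binding exists.
    $status = if ($http.Count -gt 0 -or $https.Count -eq 0) { 'Open' } else { 'NotAFinding' }
    [pscustomobject]@{
        Status   = $status
        Bindings = $bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }
    }
}

function Set-ScomWebConsoleHttpsOnly {
    param(
        [string]$SiteName = 'Default Web Site',
        [Parameter(Mandatory)][string]$HostName,    # placeholder: the console's FQDN
        [Parameter(Mandatory)][string]$Thumbprint   # placeholder: cert issued by the internal CA
    )
    # The certificate must already be installed in the machine store (fails loudly if not).
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
    }
    # Attach the certificate to the 443 listener (the SSL certificate drop-down in the UI).
    if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
        $cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
    }
    # Test https connectivity before deleting http, in the order the fix text prescribes.
    if (-not (Test-NetConnection -ComputerName $HostName -Port 443).TcpTestSucceeded) {
        throw "https listener on $HostName:443 not reachable; http binding left in place"
    }
    Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding

    # Re-run the check so the caller sees the post-fix status.
    Test-ScomWebConsoleBindings -SiteName $SiteName
}
```

Run `Test-ScomWebConsoleBindings` on its own for the audit; `Set-ScomWebConsoleHttpsOnly` requires an elevated session on the web console server.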