Check: SCOM-CM-000003
Microsoft SCOM STIG:
SCOM-CM-000003
(in version v1 r1)
Title
If a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization. (Cat III impact)
Discussion
Web certificates should always be signed by a trusted signer and never self-signed.
Check Content
From the web console server, open IIS. Right-click on the Default Website and choose Edit Bindings. Select the https binding and click edit. Click View to view the certificate being used to protect the website. If the certificate is not issued by a DoD CA or a trusted internal CA, this is a finding.
Fix Text
Issue a web corticated from a trusted internal CA server as this will be required for https protocols to function properly. It will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click on the https binding and click edit. For the SSL certificate drop down, choose the new certificate. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.
Additional Identifiers
Rule ID: SV-237434r643948_rule
Vulnerability ID: V-237434
Group Title: SRG-APP-000516-NDM-000344
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
The organization implements the security configuration settings. |
| CCI-001159 |
The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider. |