Title

The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations. (Cat III impact)

Discussion

The Microsoft SCOM management servers are considered high value IT resources where compromise would cause a significant impact to the organization. The Operations Manager console contains APIs that an attacker can use to decrypt Run As accounts or install malicious management packs. If a SCOM console sits on a Tier 2 device, an attacker could use the administrator's alternate credentials to exploit SCOM. A Privileged Admin Workstation (PAW) device provides configuration and installation requirements for dedicated Windows workstations used exclusively for remote administrative management of designated high-value IT resources.

Check Content

If the SCOM console is installed on a Terminal Server within a dedicated hardened management forest, this check is Not Applicable. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. From the SCOM Administrator(s) productivity workstation (i.e. it has internet, or office applications), check for the presence of the operations console. This can be done by clicking the windows button and typing "Operations" in the search bar. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. If the Operations console appears, this is a finding.

Fix Text

Remove any SCOM consoles from productivity workstations.

Additional Identifiers

Rule ID: SV-237428r643930_rule

Vulnerability ID: V-237428

Group Title: SRG-APP-000033-NDM-000212

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.