Title

The SCOM Web Console must be configured for HTTPS. (Cat I impact)

Discussion

HTTP sessions are sent in clear text and can allow a man in the middle to recon the environment. The web console itself does not allow for administrative actions, so most of the risk associated with http authentication is inherently mitigated. However, this would allow an attacker to intercept SCOM web-console traffic for reconnaissance purposes.

Check Content

This check is Not Applicable if the SCOM web console is not installed. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Examine the bindings for the web console and verify that only https is an option. If http is present or if there is no https binding, this is a finding.

Fix Text

Issue a web corticated from a trusted internal CA server, as this will be required for https protocols to function properly. It will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click the Add button. Under type, select https and enter the appropriate host name in the host name field. For the SSL certificate drop down, choose the certificate that was installed. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.

Additional Identifiers

Rule ID: SV-237438r643960_rule

Vulnerability ID: V-237438

Group Title: SRG-APP-000412-NDM-000331

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.