Check: SCOM-AC-000007
Microsoft SCOM STIG:
SCOM-AC-000007
(in version v1 r1)
Title
The Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges. (Cat I impact)
Discussion
The Microsoft SCOM privileged Run As accounts are used to execute workflow tasks on target endpoints. A SCOM Run As account must have only the level of privilege required to perform the defined SCOM actions. An account with full administrative privileges at the domain or enterprise level could be used to breach security boundaries and compromise the endpoint, and the compromise of any one monitored endpoint that caches those credentials would expose the whole domain.
Check Content
Obtain the user IDs for the relevant accounts in SCOM: Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click each account listed under the Windows type and select the Credentials tab (the built-in Local System and Network Service accounts do not need to be checked). Note the username and domain name of each account. Then open Active Directory Users and Computers and determine the rights of those accounts in Active Directory: review the Domain Admins, Administrators (in AD), Enterprise Admins and Schema Admins groups, and any group that is nested as a member of these groups. If a SCOM Run As account or SCOM service account is a member of any of these groups, directly or through a nested group, this is a finding.
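The manual check above can be scripted on a management server. The following PowerShell is an added example written for this page; it is not part of the STIG or of the SCOM product. It assumes the OperationsManager and ActiveDirectory modules are installed, that it runs on a SCOM management server with read access to AD, and that the SCOM Windows services are registered under their usual names (HealthService, OMSDK, cshost); the Run As object properties Name, AccountType, UserName and Domain are taken from the documented output of Get-SCOMRunAsAccount. Nested group membership is expanded with the -Recursive switch so that the "any group that is a member of these groups" clause is covered.

```powershell
# Added example for SCOM-AC-000007 (not STIG or SCOM code). Enumerates SCOM Run As
# and service accounts, then tests each against the privileged AD groups named in
# the check, expanding nested groups. Assumptions are noted inline.
Import-Module OperationsManager -ErrorAction Stop
Import-Module ActiveDirectory  -ErrorAction Stop

# 1. Candidate accounts: Windows-type Run As accounts. Built-in Local System and
#    Network Service entries carry no domain credential and so have no UserName.
$candidates = @(Get-SCOMRunAsAccount |
    Where-Object { $_.AccountType -eq 'Windows' -and $_.UserName } |
    ForEach-Object {
        [pscustomobject]@{ Source = "RunAs: $($_.Name)"; Domain = $_.Domain; User = $_.UserName }
    })

# 2. Service accounts of the SCOM services on this management server (assumed
#    service names: HealthService = Monitoring Agent, OMSDK = Data Access, cshost = Config).
#    StartName is DOMAIN\user for domain accounts; local virtual accounts are skipped.
$candidates += @(Get-CimInstance Win32_Service -Filter "Name='HealthService' OR Name='OMSDK' OR Name='cshost'" |
    Where-Object { $_.StartName -match '\\' -and $_.StartName -notmatch '^(NT AUTHORITY|NT SERVICE)\\' } |
    ForEach-Object {
        $d, $u = $_.StartName -split '\\', 2
        [pscustomobject]@{ Source = "Service: $($_.Name)"; Domain = $d; User = $u }
    })

# Resolve a member's NetBIOS domain from the DC= components of its DN, cached per domain,
# so that every account can be keyed as DOMAIN\user regardless of which domain it lives in.
$nbCache = @{}
function Get-NetBiosFromDn([string]$dn) {
    $dns = (($dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
    if (-not $nbCache.ContainsKey($dns)) { $nbCache[$dns] = (Get-ADDomain -Identity $dns).NetBIOSName }
    return $nbCache[$dns]
}

# 3. Privileged groups from the check. Enterprise Admins and Schema Admins exist only in
#    the forest root domain, so those are queried against that domain explicitly.
$rootDomain = (Get-ADForest).RootDomain
$groupSpecs = @(
    @{ Name = 'Domain Admins';     Server = $null },
    @{ Name = 'Administrators';    Server = $null },
    @{ Name = 'Enterprise Admins'; Server = $rootDomain },
    @{ Name = 'Schema Admins';     Server = $rootDomain }
)
$privileged = @{}   # key: DOMAIN\USER (upper case), value: list of group names
foreach ($g in $groupSpecs) {
    $params = @{ Identity = $g.Name; Recursive = $true; ErrorAction = 'Stop' }
    if ($g.Server) { $params.Server = $g.Server }
    try {
        foreach ($m in Get-ADGroupMember @params) {
            $key = ("{0}\{1}" -f (Get-NetBiosFromDn $m.distinguishedName), $m.SamAccountName).ToUpperInvariant()
            if (-not $privileged.ContainsKey($key)) { $privileged[$key] = @() }
            $privileged[$key] += $g.Name
        }
    } catch {
        # Foreign security principals or cross-domain nesting can break expansion;
        # report it rather than silently passing the check.
        Write-Warning "Could not fully expand '$($g.Name)': $_"
    }
}

# 4. Compare. Any SCOM account found in a privileged group is a CAT I finding.
$findings = @(foreach ($c in $candidates) {
    $key = "$($c.Domain)\$($c.User)".ToUpperInvariant()
    if ($privileged.ContainsKey($key)) {
        [pscustomobject]@{ Account = $key; Source = $c.Source; PrivilegedGroups = ($privileged[$key] -join ', ') }
    }
})

if ($findings.Count -gt 0) {
    Write-Output "FINDING (SCOM-AC-000007): SCOM accounts hold domain/enterprise administrative rights"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No SCOM Run As or service account is a member of the listed privileged groups."
}
```

Run it on each management server, because the service-account part only sees the services of the host it runs on; the SQL Server service account for the OperationsManager database, which the Fix Text also treats as a SCOM service account, has to be checked on the database server the same way. A warning from the group expansion step means the membership list is incomplete and the affected group must be reviewed by hand before the check can be marked not a finding.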
Fix Text
Remove the service accounts from these groups and grant them only the permissions they require. SCOM service account permission documentation can be found at this link: https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/. Run As accounts that are not being used as SCOM service accounts should also be configured with least privilege.
Additional Identifiers
Rule ID: SV-237429r643933_rule
Vulnerability ID: V-237429
Group Title: SRG-APP-000033-NDM-000212
Expert Comments
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement