Check: SCOM-AC-000004 (Microsoft SCOM STIG, version v1 r1)
Title
The Microsoft SCOM Agent Action Account must be a local system account. (Cat II impact)
Discussion
The SCOM agent action account is the account the agent uses to perform tasks on an individual machine. By default, the agent action account is the local system account, but it can be configured to run as a domain service account. In that scenario, the account's credentials are held locally in memory and could be used by an attacker to move laterally through the environment. Using the local system account limits the ability to move laterally within the environment if a specific endpoint is compromised.
Check Content
From the SCOM console, go to the administration workspace. Under Run As Configuration, select Profiles. Double-click on the Default Action Account in the center pane. From the box that appears, select the Run As accounts link. Under the Account Name column, verify that ONLY management servers are running with a specified user account. All other accounts should say Local System Action Account. If any non-management servers have a specific user account listed, this is a finding. Elevate to a CAT I if the specified account is a local administrator on other systems. This can be downgraded to CAT III if the agent action account has been restricted from logging on to all other systems except the monitored endpoint, as the risk of credential leakage has been sufficiently mitigated.
Fix Text
From the SCOM console, go to the administration workspace. Under Run As Configuration, select Profiles. Double-click on the Default Action Account in the center pane. From the box that appears, select the Run As accounts link. Click on each non-management server that is configured with a Run As account and click Edit. From the box that appears, select "Local System Account" in the Run As account drop down. Click OK. Click Save once finished with all systems.
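The check and fix above are console procedures. As an added example (not part of the STIG, and not Microsoft's code), the PowerShell function below applies the check's severity rules to the rows shown in the Default Action Account Run As accounts view: management servers and Local System mappings are not findings, any other specified user account is a CAT II finding, raised to CAT I when the account is a local administrator on other systems and lowered to CAT III when its logon rights are restricted to the monitored endpoint. The function name, the row shape (Target, AccountName), the server and account names are all assumptions; the mapping rows are constructed here and would be transcribed from the console view, while the management server list can be populated from Get-SCOMManagementServer in a live environment.

```powershell
# Added example (not part of the STIG): triage of Default Action Account
# Run As mappings against the rules in this check. Rows are assumed to be
# transcribed from the console's Run As accounts view; all names are constructed.

function Test-ActionAccountMapping {
    param(
        # Rows with Target (computer name) and AccountName as shown in the console view
        [Parameter(Mandatory)] [object[]] $Mappings,
        # Names of SCOM management servers; in a live environment use
        # (Get-SCOMManagementServer).DisplayName
        [Parameter(Mandatory)] [string[]] $ManagementServers,
        # Accounts known to hold local administrator rights on other systems (escalates to CAT I)
        [string[]] $LocalAdminElsewhere = @(),
        # Accounts whose logon rights are restricted to the monitored endpoint only (downgrades to CAT III)
        [string[]] $LogonRestricted = @()
    )
    foreach ($row in $Mappings) {
        $isMgmt        = $ManagementServers -contains $row.Target
        $isLocalSystem = $row.AccountName -eq 'Local System Action Account'
        if ($isMgmt -or $isLocalSystem) {
            $status = 'Not a finding'; $severity = $null
        } elseif ($LocalAdminElsewhere -contains $row.AccountName) {
            $status = 'Finding'; $severity = 'CAT I'
        } elseif ($LogonRestricted -contains $row.AccountName) {
            $status = 'Finding'; $severity = 'CAT III'
        } else {
            $status = 'Finding'; $severity = 'CAT II'
        }
        [pscustomobject]@{
            Target      = $row.Target
            AccountName = $row.AccountName
            Status      = $status
            Severity    = $severity
        }
    }
}

# Constructed sample rows (hypothetical hosts and accounts)
$sample = @(
    [pscustomobject]@{ Target = 'MS01.example.local';  AccountName = 'EXAMPLE\svc-scom-action' }
    [pscustomobject]@{ Target = 'WEB01.example.local'; AccountName = 'Local System Action Account' }
    [pscustomobject]@{ Target = 'DB01.example.local';  AccountName = 'EXAMPLE\svc-scom-action' }
    [pscustomobject]@{ Target = 'APP01.example.local'; AccountName = 'EXAMPLE\svc-app01-only' }
)

Test-ActionAccountMapping -Mappings $sample -ManagementServers 'MS01.example.local' `
    -LocalAdminElsewhere 'EXAMPLE\svc-scom-action' -LogonRestricted 'EXAMPLE\svc-app01-only' |
    Format-Table -AutoSize
```

With the sample rows, MS01 (a management server) and WEB01 (Local System) are not findings, DB01 is reported as CAT I because the shared action account is flagged as a local administrator elsewhere, and APP01 is reported as CAT III because its account is restricted to that endpoint. Each remaining finding corresponds to a system whose mapping should be changed to Local System Account per the fix text.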
Additional Identifiers
Rule ID: SV-237426r643924_rule
Vulnerability ID: V-237426
Group Title: SRG-APP-000033-NDM-000212
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |