Securing SCOM in a Privilege Tiered Access Model–Part 2

Previously, I discussed basic security posture and what is needed to secure a SCOM installation. The post can be found here. In summary, we discussed risks associated with malicious management packs and the use of a service account for agent action instead of the local system. This discussion will focus a bit deeper on account…

Securing SCOM in a Privilege Tiered Access Model–Part 1

I’ve had a few discussions with some people internally on this subject. One thing that has been consistent in these conversations is that we (Microsoft) don’t have much in the way of good guidance on securing SCOM, and this really needs to be addressed. Since I’ve written quite a bit on Cyber Security and SCOM,…

Configuring SCOM to Monitor Dell Storage Solutions

I was asked by a customer recently to configure SCOM to monitor Dell EMC SANs. The request seemed easy enough, until I got to doing it and realized that the documentation is, well, less than stellar. As such, this will be a quick post as to how we managed to get this working. I’m not…

In Place Upgrading the SSRS for SCOM

I ran into an odd issue today that was worth noting, while doing an in-place upgrade of SQL 2012 SP3 to SQL 2016 in prep for a SCOM upgrade. My customer had separate instances for the DB/DW, and that upgrade was fine. However, when doing an in-place upgrade of SSRS, we got the following failure during the…

Security Monitoring: A Possible New Way to Detect Privilege Escalation

The problem that most defense mechanisms have in detecting the adversary is that they tend to be focused on detecting the tools far more so than detecting the results. There are reasons for this, the most obvious being that it is very easy for there to be false positives within the results, and as such,…

Security Monitoring: Using SCOM to Detect Bypassed Authentication Package Back Door

One persistence method that an attacker can use is to modify an Operating System’s authentication packages in order to give the attacker a back door for entry into a system as desired. Auditing this behavior in SCOM turned out to be a bit trickier than I would have liked. The key in question is HKLM\System\CurrentControlSet\Control\LSA\Authentication…

Security Monitoring: Detecting WDigest Authentication

One of the noisier items in the Security Monitoring Management Pack is the monitor that triggers against all Windows 2008 R2 and below systems if the proper WDigest post-patch configurations have not been applied. WDigest is another older protocol that was addressed with KB 2871997. Prior to 2008 R2, WDigest credentials remained in the LSA…

Security Monitoring: Using SCOM to Detect SMB1 Authentications

I think at this point, we are all aware of the dangers posed by continuing to allow SMB1 authentication in an environment. The WannaCry worm infected more than 400,000 machines and caused a number of outages across many organizations. Detecting SMB1 is unfortunately not quite as easy as it is for some other protocols. A colleague of mine, Leanne Livingstone, provided…