Manually configured SCOM Run As accounts must be set to More Secure distribution.
An XCCDF Rule
Description
<VulnDiscussion>The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account creates an interactive log on session to perform its tasks. The interactive session could allow an attacker to harvest and reuse these credentials. The SCOM less-secure distribution option configures a Run As account to run on every SCOM agent within the environment, making it easier for an attacker to compromise a critical account. The use of the SCOM "More Secure" option restricts Run As accounts to specific systems. This restricts a compromised account to a specific set of systems limiting the ability of an attacker to move laterally within the network. A less secure distribution means that if any server running a SCOM agent is compromised, then the accounts credentials may be reused by an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-237424r643918_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Open the Operations Console and select the Administration workspace.
Under Run As Configuration, select Accounts.
Double-click on the account(s) in question. Click the Distribution tab. Click the "More Secure" radio button and then click the "Add" button next to the green plus sign. In the filter by section, type the computer name(s) for each computer that is required to use the Run As account and click "Search". Double-click on the account in the available users section to add it to the selected users section. Click OK when finished.