The Microsoft SCOM Run As accounts must only use least access permissions.
An XCCDF Rule
Description
The Microsoft SCOM privileged Run As accounts are used to execute workflow tasks on target endpoints. Run As accounts are interactive logon sessions on a system. An attacker who has compromised one of those systems could potentially reuse the credentials of a Run As account on another system.
- ID: SV-237427r643927_rule
- Version: SCOM-AC-000005
- Severity: Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Create an Active Directory group of which the Run As account is a member. Assign this group the appropriate permissions on only the servers that need this account. Remove the Run As account from all additional administrative AD groups.
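The three remediation steps above as one PowerShell script, an added example that is not part of the STIG text; it assumes the ActiveDirectory module, the placeholder account, group and server names shown, and uses local Administrators membership as the per-server permission (substitute whatever least right the workflow actually needs).

```powershell
# Added example, not from the STIG. All names below are placeholders.
Import-Module ActiveDirectory

$runAsAccount  = 'svc-scom-runas'        # placeholder: the SCOM Run As account
$groupName     = 'SCOM-RunAs-Targets'    # placeholder: dedicated AD group
$targetServers = @('APP01', 'APP02')     # placeholder: only the endpoints the workflow touches
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators')

# Step 1: a dedicated group whose only member is the Run As account
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'SCOM Run As account: rights on monitored servers only'
}
$alreadyMember = Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.SamAccountName -eq $runAsAccount }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $groupName -Members $runAsAccount
}

# Step 2: grant the group rights only on the servers that need the account
$domainGroup = "$env:USERDOMAIN\$groupName"
Invoke-Command -ComputerName $targetServers -ScriptBlock {
    param($g)
    # Errors if $g is already a member; that is the desired end state, so ignore.
    Add-LocalGroupMember -Group 'Administrators' -Member $g -ErrorAction SilentlyContinue
} -ArgumentList $domainGroup

# Step 3: strip the account from every other administrative group
$memberships = Get-ADPrincipalGroupMembership -Identity $runAsAccount
foreach ($g in $memberships) {
    if ($privilegedGroups -contains $g.Name) {
        Remove-ADGroupMember -Identity $g -Members $runAsAccount -Confirm:$false
        Write-Warning "Removed $runAsAccount from $($g.Name)"
    }
}

# Verification: expect only the primary group (Domain Users) and the dedicated group
Get-ADPrincipalGroupMembership -Identity $runAsAccount |
    Select-Object -ExpandProperty Name
```

Run the verification query before and after the change so the removal of group memberships is recorded alongside the rule ID for the compliance record.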