The Microsoft SCOM Run As accounts must only use least access permissions.
An XCCDF Rule
Description
<VulnDiscussion>The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. Run As Accounts are interactive logon sessions on a system. An attacker who has compromised one of those systems could potentially reuse the credentials of a Run As account on another system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-237427r643927_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Create an active directory group in which the account is a member. Assign this group the appropriate permissions on only the servers that need this account. Remove the Run As account from all additional administrative AD groups.