
The Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges.

An XCCDF Rule

Description

<VulnDiscussion>The Microsoft SCOM privileged Run As accounts are used to execute workflow tasks on target endpoints. A SCOM Run As account must have only the level of privilege required to perform the defined SCOM actions. An account with full administrative privileges at the domain or enterprise level could be used to breach security boundaries and compromise the endpoint, since any workflow, management pack, or operator able to run tasks under that account inherits those privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-237429r643933_rule
Severity
High
References
Updated



Remediation - Manual Procedure

Remove the SCOM service accounts and Run As accounts from the enterprise- and domain-level administrative groups (Enterprise Admins, Domain Admins, and any group nested into them) and grant them only the specific permissions each role needs. SCOM service account permission documentation can be found at this link: https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/. Run As accounts that are not being used as SCOM service accounts must be configured with least privilege as well.
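The following PowerShell script is an added example of how an administrator could check this rule and apply the remediation; it is not part of the STIG text or of any Microsoft tooling. It assumes the ActiveDirectory module (RSAT) is available, that it runs on a management server with the OperationsManager module when Run As accounts are to be enumerated automatically, and that the service account names in the parameter defaults are placeholders to be replaced with the real ones. Membership is evaluated recursively so an account that reaches Domain Admins through a nested group is still flagged, and only direct memberships are removed, because removing a nested membership requires editing the intermediate group.

```powershell
# Added example (not STIG or Microsoft code): audit SCOM service and Run As accounts
# for domain/enterprise admin membership and optionally remove the direct memberships.
# Assumptions: ActiveDirectory module installed; OperationsManager module present when
# -IncludeRunAsAccounts is used; placeholder account names below replaced by real ones.
#Requires -Modules ActiveDirectory

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SCOM service accounts (Action, Data Access/SDK, Data Reader, Data Warehouse Write).
    # Placeholder sAMAccountNames; replace with the names used in your management group.
    [string[]]$ServiceAccounts = @('svc-scom-action', 'svc-scom-sdk', 'svc-scom-dr', 'svc-scom-dw'),

    # Groups that confer enterprise- or domain-level administrative privilege.
    [string[]]$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins'),

    # Also enumerate Windows Run As accounts from the SCOM management group.
    [switch]$IncludeRunAsAccounts
)

Import-Module ActiveDirectory -ErrorAction Stop

$accounts = [System.Collections.Generic.List[string]]::new()
foreach ($a in $ServiceAccounts) { $accounts.Add($a) }

if ($IncludeRunAsAccounts) {
    Import-Module OperationsManager -ErrorAction Stop
    # Only Windows credential Run As accounts map to AD principals; other types
    # (SNMP, Basic, Simple, Binary) carry no UserName and are skipped. The UserName
    # property on Get-SCOMRunAsAccount output is assumed here.
    Get-SCOMRunAsAccount |
        Where-Object { $_.PSObject.Properties['UserName'] -and $_.UserName } |
        ForEach-Object { $accounts.Add([string]$_.UserName) }
}

# Resolve direct and recursive (nested) membership of each privileged group.
$direct    = @{}
$recursive = @{}
foreach ($group in $PrivilegedGroups) {
    $direct[$group]    = @(Get-ADGroupMember -Identity $group -ErrorAction Stop |
                           Where-Object { $_.objectClass -eq 'user' } |
                           ForEach-Object { $_.SamAccountName.ToLowerInvariant() })
    $recursive[$group] = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                           Where-Object { $_.objectClass -eq 'user' } |
                           ForEach-Object { $_.SamAccountName.ToLowerInvariant() })
}

# Normalise DOMAIN\user or user@domain forms to a bare sAMAccountName for comparison.
$findings = foreach ($acct in ($accounts | Sort-Object -Unique)) {
    $sam = (($acct -split '\\')[-1] -split '@')[0].ToLowerInvariant()
    foreach ($group in $PrivilegedGroups) {
        if ($recursive[$group] -contains $sam) {
            [pscustomobject]@{
                Account         = $sam
                PrivilegedGroup = $group
                Membership      = if ($direct[$group] -contains $sam) { 'Direct' } else { 'Nested' }
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'Compliant: no SCOM service or Run As account holds enterprise/domain admin membership.'
    return
}

Write-Warning 'Finding: the following SCOM accounts hold enterprise/domain admin membership.'
$findings | Format-Table -AutoSize | Out-String | Write-Output

# Remediation: remove direct memberships (honours -WhatIf / -Confirm). Nested
# memberships are reported so the intermediate group can be corrected by hand.
foreach ($f in $findings) {
    if ($f.Membership -eq 'Nested') {
        $via = (Get-ADPrincipalGroupMembership -Identity $f.Account | Select-Object -ExpandProperty Name) -join ', '
        Write-Warning "$($f.Account) reaches '$($f.PrivilegedGroup)' via nested groups ($via); fix the intermediate group."
        continue
    }
    if ($PSCmdlet.ShouldProcess($f.Account, "Remove from '$($f.PrivilegedGroup)'")) {
        Remove-ADGroupMember -Identity $f.PrivilegedGroup -Members $f.Account -Confirm:$false
    }
}
```

Run it first with -WhatIf to see what would be removed without changing anything, e.g. `.\Check-ScomPrivilegedAccounts.ps1 -IncludeRunAsAccounts -WhatIf`. After removal, re-grant the specific rights each account needs (local Administrators on the management servers, SQL roles, Log on as a service, and so on) per the account matrix linked above; removing Domain Admins without restoring those rights will break monitoring rather than harden it.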