The SCOM Web Console must be configured for HTTPS.

An XCCDF Rule

Description

<VulnDiscussion>HTTP sessions are sent in clear text and can allow a man in the middle to recon the environment. The web console itself does not allow for administrative actions, so most of the risk associated with http authentication is inherently mitigated. However, this would allow an attacker to intercept SCOM web-console traffic for reconnaissance purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-237438r643960_rule
Severity: High
References: CCI-003123
Updated: about 1 year ago

Issue a web corticated from a trusted internal CA server, as this will be required for https protocols to function properly. It will need to be installed on the server in advance.

From the SCOM web console server, open IIS. 

Right-click on the Default Website and choose edit bindings. 
Click the Add button. 

Under type, select https and enter the appropriate host name in the host name field. 

For the SSL certificate drop down, choose the certificate that was installed. Click OK. 

Test https access to the SCOM web console and troubleshoot if connectivity is not working. 

Once connectivity is established, delete the http binding.

The SCOM Web Console must be configured for HTTPS.

Description

Remediation - Manual Procedure