STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


V-237428

CAT III (Low)

The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.

Rule ID

SV-237428r960792_rule

STIG

Microsoft SCOM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000213

Discussion

The Microsoft SCOM management servers are considered high-value IT resources where compromise would cause a significant impact to the organization. The Operations Manager console contains APIs that an attacker can use to decrypt Run As accounts or install malicious management packs. If a SCOM console sits on a Tier 2 device, an attacker could use the administrator's alternate credentials to exploit SCOM. A Privileged Admin Workstation (PAW) device provides configuration and installation requirements for dedicated Windows workstations used exclusively for remote administrative management of designated high-value IT resources.

Check Content

If the SCOM console is installed on a Terminal Server within a dedicated hardened management forest, this check is Not Applicable.

If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts.

From the SCOM Administrator(s) productivity workstation (i.e., one that has internet access or office applications), check for the presence of the Operations console. This can be done by clicking the Windows button and typing "Operations" in the search bar.

If the Operations console appears, this is a finding.
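The manual check above (open the Start menu and look for the Operations console) does not scale across a fleet of administrator workstations. The PowerShell script below is an added example, not part of the STIG or of STIGhub: it audits one or more Windows hosts for the SCOM Operations console by reading the standard Windows uninstall registry keys for a display name mentioning Operations Manager and by looking for the console executable. The executable name (Microsoft.EnterpriseManagement.Monitoring.Console.exe) and the "Microsoft System Center*" install-folder pattern are assumptions that may need adjusting for your SCOM build. The script only reports presence; the two exceptions in the check (terminal server in a dedicated management forest, user who is not a SCOM administrator) still have to be judged by the reviewer.

```powershell
# Added example for V-237428: report whether the SCOM Operations console is present.
# Not DISA/STIGhub code. Registry paths are the standard Windows uninstall keys;
# the console binary name and install-folder pattern are assumptions (adjust as needed).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Runs on the target host and returns one evidence string per hit (empty array = no console).
$ConsoleProbe = {
    param([string[]]$Keys)
    $evidence = @()

    # 1. Installed-programs entries whose DisplayName mentions Operations Manager.
    foreach ($key in $Keys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Operations Manager' } |
            ForEach-Object { $evidence += "Uninstall entry: $($_.DisplayName) $($_.DisplayVersion)" }
    }

    # 2. The console binary itself (assumed name and folder pattern).
    $exeName = 'Microsoft.EnterpriseManagement.Monitoring.Console.exe'
    Get-ChildItem -Path "$env:ProgramFiles\Microsoft System Center*" -Recurse `
                  -Filter $exeName -ErrorAction SilentlyContinue |
        ForEach-Object { $evidence += "Console binary: $($_.FullName)" }

    return $evidence
}

function Test-ScomConsole {
    <#
      Audits each host and returns one object per host:
        ComputerName, ConsoleFound, Status (Open / Not a Finding / Error), Evidence.
      Local host is probed directly; remote hosts via Invoke-Command (WinRM required).
    #>
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -ieq $env:COMPUTERNAME -or $computer -ieq 'localhost') {
                $hits = & $ConsoleProbe -Keys $UninstallKeys
            } else {
                $hits = Invoke-Command -ComputerName $computer -ScriptBlock $ConsoleProbe `
                                       -ArgumentList (,$UninstallKeys) -ErrorAction Stop
            }
            $found = @($hits).Count -gt 0
            [pscustomobject]@{
                ComputerName = $computer
                ConsoleFound = $found
                # Presence on a productivity workstation is the finding condition in the STIG;
                # the NA/non-admin exceptions must still be applied by the reviewer.
                Status       = if ($found) { 'Open (review exceptions)' } else { 'Not a Finding' }
                Evidence     = (@($hits) -join '; ')
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer
                ConsoleFound = $null
                Status       = 'Error'
                Evidence     = $_.Exception.Message
            }
        }
    }
}

# Usage: audit the local machine, or pass a constructed list of admin workstations.
Test-ScomConsole | Format-Table -AutoSize
# Test-ScomConsole -ComputerName 'ADMIN-WS01','ADMIN-WS02' | Export-Csv .\scom-console-audit.csv -NoTypeInformation
```

A host reported as Open is only a finding when it is a general-purpose (productivity) device used by a SCOM administrator; consoles on management servers, hardened PAWs, or a terminal server in a dedicated hardened management forest are expected and fall under the Not Applicable and not-a-finding branches of the check.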

Fix Text

Remove any SCOM consoles from productivity workstations.