STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to STIGs

Microsoft SCOM Security Technical Implementation Guide

Version

V1R2

Release Date

Feb 11, 2025

SCAP Benchmark ID

MS_SCOM_STIG

Total Checks

19

Tags

other
CAT I: 8CAT II: 7CAT III: 4

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (19)

V-237423MEDIUMMembers of the SCOM Administrators Group must be reviewed to ensure access is still required.V-237424HIGHManually configured SCOM Run As accounts must be set to More Secure distribution.V-237425HIGHSCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege.V-237426MEDIUMThe Microsoft SCOM Agent Action Account must be a local system account.V-237427MEDIUMThe Microsoft SCOM Run As accounts must only use least access permissions.V-237428LOWThe Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.V-237429HIGHThe Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges.V-237430HIGHSCOM SQL Management must be configured to use least privileges.V-237431MEDIUMThe Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.V-237432HIGHThe Microsoft SCOM server must be running Windows operating system that supports modern security features such as virtualization based security.V-237433LOWSCOM unsealed management packs must be backed up regularly.V-237434LOWIf a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization.V-237435LOWThe Microsoft SCOM SNMP Monitoring in SCOM must use SNMP V3.V-237436MEDIUMThe Microsoft SCOM server must use an active directory group that contains authorized members of the SCOM Administrators Role Group.V-237437MEDIUMThe default Builtin\Administrators group must be removed from the SCOM Administrators Role Group.V-237438HIGHThe SCOM Web Console must be configured for HTTPS.V-237439HIGHAll SCOM servers must be configured for FIPS 140-2 compliance.V-237440MEDIUMA host-based firewall must be configured on the SCOM management servers.V-272361HIGHThe version of SCOM running on the system must be a supported version.