Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Microsoft SCOM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-03-15
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
Members of the SCOM Administrators Group must be reviewed to ensure access is still required.
AC-2 - Medium - CCI-002142 - V-237423 - SV-237423r643915_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002142
Version
SCOM-AC-000001
Vuln IDs
  • V-237423
Rule IDs
  • SV-237423r643915_rule
When people leave their roles, their group memberships are often times not updated.
Checks: C-40642r643913_chk

From Active Directory Users and Computers, search for the group containing SCOM administrators. Review the users who are listed in this group. If any user in this group is no longer with the organization, no longer requires SCOM administration rights, or is no longer in a SCOM administration role within the organization, this is a finding.

Fix: F-40605r643914_fix

From Active Directory Users and Computers, search for the group containing SCOM administrators. Double-click on the group and select the members tab. For each user that no longer needs rights, select the account and click the Remove button. Click OK once finished.

c
Manually configured SCOM Run As accounts must be set to More Secure distribution.
AC-3 - High - CCI-000213 - V-237424 - SV-237424r643918_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SCOM-AC-000002
Vuln IDs
  • V-237424
Rule IDs
  • SV-237424r643918_rule
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account creates an interactive log on session to perform its tasks. The interactive session could allow an attacker to harvest and reuse these credentials. The SCOM less-secure distribution option configures a Run As account to run on every SCOM agent within the environment, making it easier for an attacker to compromise a critical account. The use of the SCOM "More Secure" option restricts Run As accounts to specific systems. This restricts a compromised account to a specific set of systems limiting the ability of an attacker to move laterally within the network. A less secure distribution means that if any server running a SCOM agent is compromised, then the accounts credentials may be reused by an attacker.
Checks: C-40643r643916_chk

Review the account distribution settings on the SCOM Management server. Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click on each account listed under the Windows type and select the distribution tab (note that the network system and local system accounts do not need to be checked). If any Run As account is set to the "less secure" distribution option, this is a finding.

Fix: F-40606r643917_fix

Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click on the account(s) in question. Click the Distribution tab. Click the "More Secure" radio button and then click the "Add" button next to the green plus sign. In the filter by section, type the computer name(s) for each computer that is required to use the Run As account and click "Search". Double-click on the account in the available users section to add it to the selected users section. Click OK when finished. Note: If the Run As account in question is not assigned to any run-as profile, it is recommended that the Run As account be deleted.

c
SCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege.
AC-3 - High - CCI-000213 - V-237425 - SV-237425r643921_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SCOM-AC-000003
Vuln IDs
  • V-237425
Rule IDs
  • SV-237425r643921_rule
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account must only have the level of privileges required to perform the defined SCOM actions. An account with full administrative (SUDO) privileges could be used to breach security boundaries and compromise the endpoint.
Checks: C-40644r643919_chk

If the Microsoft SCOM environment is not used to monitor Linux/UNIX endpoints, this check is Not Applicable. Review the account permission settings on the SCOM Management server. Log on to a subset of Linux or UNIX servers being monitored by SCOM and look at the Sudoers file. Verify that the SCOM account does not have Sudo all permissions. Alternatively, the following command can be run from the machine "sudo -l -U <Run As account Name>". If any Run As account used for Linux\UNIX endpoint management has the SUDO ALL permissions, this is a finding.

Fix: F-40607r643920_fix

Configure the permissions on the Run As accounts used on Linux/UNIX endpoints to remove the SUDO ALL permissions. This will be dependent on the specific versions and flavor of the Linux/UNIX operating systems in question. Microsoft's least privilege recommendations for supported versions can be found at the following location: https://social.technet.microsoft.com/wiki/contents/articles/7375.scom-configuring-sudo-elevation-for-UNIX-and-linux-monitoring.aspx.

b
The Microsoft SCOM Agent Action Account must be a local system account.
AC-3 - Medium - CCI-000213 - V-237426 - SV-237426r643924_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
SCOM-AC-000004
Vuln IDs
  • V-237426
Rule IDs
  • SV-237426r643924_rule
The SCOM agent action account is the account agent used to perform tasks on an individual machine. By default, the action agent account is the local system account, but this can be configured to run as a service account. In that scenario, the account will be running locally in memory and could be used by an attacker to laterally move throughout an environment. Using the local system account limits the ability to laterally traverse within the environment if a specific endpoint is compromised.
Checks: C-40645r643922_chk

From the SCOM console, go to the administration workspace. Under Run As Configuration, select Profiles. Double-click on the Default Action Account in the center pane. From the box that appears, select the Run As accounts link. Under the Account Name column, verify that ONLY management servers are running with a specified user account. All other accounts should say Local System Action Account. If any non-management servers have a specific user account listed, this is a finding. Elevate to a CAT I if the specified account is a local administrator on other systems. This can be downgraded to CAT III if the agent action account has been restricted from logging on to all other systems except the monitored endpoint, as the risk of credential leakage has been sufficiently mitigated.

Fix: F-40608r643923_fix

From the SCOM console, go to the administration workspace. Under Run As Configuration, select Profiles. Double-click on the Default Action Account in the center pane. From the box that appears, select the Run As accounts link. Click on each non-management server that is configured with a Run As account and click Edit. From the box that appears, select "Local System Account" in the Run As account drop down. Click OK. Click Save once finished with all systems.

b
The Microsoft SCOM Run As accounts must only use least access permissions.
AC-3 - Medium - CCI-000213 - V-237427 - SV-237427r643927_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
SCOM-AC-000005
Vuln IDs
  • V-237427
Rule IDs
  • SV-237427r643927_rule
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. Run As Accounts are interactive logon sessions on a system. An attacker who has compromised one of those systems could potentially reuse the credentials of a Run As account on another system.
Checks: C-40646r643925_chk

Obtain the User ID(s) in SCOM: Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click on each account listed under the Windows type and select the credentials tab (note that the network system and local system accounts do not need to be checked). Note the Username and domain name. Click on the Distribution tab and note the computer names that the account is distributed to. Validate Permissions in Active Directory: For each SCOM Run As account, open the Active Directory Users and Computers MMC and if necessary connect to the appropriate domain. Right-click on the domain and select "Find". In the "Name" field, type the User ID and click "Find Now". The account will appear in the results below. Double-click on the account and select the "Member Of" tab. Review the groups listed. If any group listed is an administrator on any system other than the systems the account is distributed to, this is a finding. If the account is part of Domain Administrators or Enterprise Administrators, elevate to CAT I.

Fix: F-40609r643926_fix

Create an active directory group in which the account is a member. Assign this group the appropriate permissions on only the servers that need this account. Remove the Run As account from all additional administrative AD groups.

a
The Microsoft SCOM administration console must only be installed on Management Servers and hardened Privileged Access Workstations.
AC-3 - Low - CCI-000213 - V-237428 - SV-237428r643930_rule
RMF Control
AC-3
Severity
Low
CCI
CCI-000213
Version
SCOM-AC-000006
Vuln IDs
  • V-237428
Rule IDs
  • SV-237428r643930_rule
The Microsoft SCOM management servers are considered high value IT resources where compromise would cause a significant impact to the organization. The Operations Manager console contains APIs that an attacker can use to decrypt Run As accounts or install malicious management packs. If a SCOM console sits on a Tier 2 device, an attacker could use the administrator's alternate credentials to exploit SCOM. A Privileged Admin Workstation (PAW) device provides configuration and installation requirements for dedicated Windows workstations used exclusively for remote administrative management of designated high-value IT resources.
Checks: C-40647r643928_chk

If the SCOM console is installed on a Terminal Server within a dedicated hardened management forest, this check is Not Applicable. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. From the SCOM Administrator(s) productivity workstation (i.e. it has internet, or office applications), check for the presence of the operations console. This can be done by clicking the windows button and typing "Operations" in the search bar. If the console is installed on a general purpose device and the user is NOT a SCOM administrator, this is not a finding. Examples would be individuals in the Network Operations Center (NOC) who only respond to alerts. If the Operations console appears, this is a finding.

Fix: F-40610r643929_fix

Remove any SCOM consoles from productivity workstations.

c
The Microsoft SCOM Service Accounts and Run As accounts must not be granted enterprise or domain level administrative privileges.
AC-3 - High - CCI-000213 - V-237429 - SV-237429r643933_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SCOM-AC-000007
Vuln IDs
  • V-237429
Rule IDs
  • SV-237429r643933_rule
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account must only have the level of privileges required to perform the defined SCOM actions. An account with full administrative at the domain or enterprise level could be used to breach security boundaries and compromise the endpoint.
Checks: C-40648r643931_chk

Obtain the User ID(s) for the appropriate accounts in SCOM: Open the Operations Console and select the Administration workspace. Under Run As Configuration, select Accounts. Double-click on each account listed under the Windows type and select the credentials tab (note that the network system and local system accounts do not need to be checked). Note the Username and domain name. Open Active Directory Users and Computers. Determine rights in Active Directory: Review the Domain Admins, Administrators (in AD), Enterprise Admins, Schema Admins groups, and any group that is a member of these groups. If a SCOM Run-As account or Service account is a member of any of these groups, this is a finding.

Fix: F-40611r643932_fix

Remove the service accounts from these groups and grant appropriate permissions to them. SCOM service account permission documentation can be found at this link: https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/. Run As accounts that are not being used as SCOM service accounts should be configured to least privileges as well.

c
SCOM SQL Management must be configured to use least privileges.
AC-3 - High - CCI-000213 - V-237430 - SV-237430r643936_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SCOM-AC-000008
Vuln IDs
  • V-237430
Rule IDs
  • SV-237430r643936_rule
Microsoft SCOM's SQL management requires a Run as solution because the local system account will not have the required permissions to monitor SQL. If the Run As account is created with elevated database privileges on the SQL endpoint, this can be used to modify SQL databases, breach security boundaries, or otherwise compromise the endpoint.
Checks: C-40649r643934_chk

If the Microsoft SQL management packs for SCOM are not imported, this check is Not Applicable. Determine which SQL Servers are managed by SCOM: From the Operations Console, click on the Monitoring workspace. In the left pane, expand the "Microsoft SQL Servers folder" and click on the Computers icon (note older versions of this management pack may be version specific). Make note of the servers listed. Log on to SQL Server Management Studio and connect to servers being managed in SCOM. Expand the Security Tab and select Logins. Verify that NT System\Authority, NT Service\HealthService, or the SQL Run As account has not been granted System Admin privileges (SA rights). If the any of these accounts have been granted SA privileges, this is a finding.

Fix: F-40612r663056_fix

Configure the NT System\Authority or SCOM Run As accounts for least privileges as described in the documentation for the SCOM SQL management pack. The documentation can be found with the management pack download, and permissions may vary depending on the version of the SQL management pack being used. Generally speaking, the account used for monitoring will need to view server state, view any definition, and view any database. Additional information on this topic can be found at this location along with a management pack that can automate this process: https://kevinholman.com/2016/08/25/sql-mp-run-as-accounts-no-longer-required/

b
The Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
CM-6 - Medium - CCI-000366 - V-237431 - SV-237431r643939_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SCOM-AU-000001
Vuln IDs
  • V-237431
Rule IDs
  • SV-237431r643939_rule
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained.
Checks: C-40650r643937_chk

Determine if the security logs as well as the Operations Manager logs on the SCOM management server are being ingested by a tool such as Splunk, ArcSite, or Azure Log Analytics. If no effort is being made to retain log data on the SCOM server, this is a finding.

Fix: F-40613r643938_fix

Establish and implement a process for keeping the Security Log as well as the Operations Manager log. Most DoD enclaves are already running tools such as Splunk or Azure Log Analytics. It is important that these logs be ingested by these tools.

c
The Microsoft SCOM server must be running Windows operating system that supports modern security features such as virtualization based security.
CM-6 - High - CCI-000366 - V-237432 - SV-237432r643942_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SCOM-CM-000001
Vuln IDs
  • V-237432
Rule IDs
  • SV-237432r643942_rule
Network devices running older but supported operating systems lack modern security features that mitigate attack surfaces. Attackers face a higher level of complexity to overcome during a compromise attempt.
Checks: C-40651r663057_chk

Check the operating system version. From the SCOM management servers, type winver and press enter. If the operating system is not Windows Server 2016 or later, this is a finding.

Fix: F-40614r643941_fix

Upgrade the network device to an operating that supports modern security features such as virtualization based security.

a
SCOM unsealed management packs must be backed up regularly.
CM-6 - Low - CCI-000366 - V-237433 - SV-237433r643945_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
SCOM-CM-000002
Vuln IDs
  • V-237433
Rule IDs
  • SV-237433r643945_rule
SCOM's configuration information is stored within unsealed management packs. Even without SQL backups, a catastrophic failure to SCOM can be recovered from quickly if the unsealed management packs have been backed up. Satisfies: SRG-APP-000516-NDM-000340, SRG-APP-000516-NDM-000341
Checks: C-40652r643943_chk

There is more than one way to configure this, and it will be at an administrator's discretion. Open task scheduler and check for the presence of a scheduled task to back up unsealed management packs. If present, review the script to determine where backups are being stored. Verify that the unsealed management packs are being saved to the location specified in the task and that the location is being backed up regularly. Alternatively, several free management packs do exist to automate this process within SCOM, or an administrator could automate this with their own custom management pack or using an orchestration tool such as System Center Orchestrator. This is not a finding if an administrator can show that one of these is installed/configured and that unsealed management packs are being written to the configured location. If unsealed management packs are not being exported to disk and backed up, this is a finding.

Fix: F-40615r643944_fix

The quickest solution available is to download the management pack referenced in this article and configure it accordingly: https://kevinholman.com/2017/07/07/scom-2012-and-2016-unsealed-mp-backup/ Ultimately, this is an organizational decision as to how the administrator would like to proceed.

a
If a certificate is used for the SCOM web console, this certificate must be generated by a DoD CA or CA approved by the organization.
CM-6 - Low - CCI-000366 - V-237434 - SV-237434r643948_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
SCOM-CM-000003
Vuln IDs
  • V-237434
Rule IDs
  • SV-237434r643948_rule
Web certificates should always be signed by a trusted signer and never self-signed.
Checks: C-40653r643946_chk

From the web console server, open IIS. Right-click on the Default Website and choose Edit Bindings. Select the https binding and click edit. Click View to view the certificate being used to protect the website. If the certificate is not issued by a DoD CA or a trusted internal CA, this is a finding.

Fix: F-40616r643947_fix

Issue a web corticated from a trusted internal CA server as this will be required for https protocols to function properly. It will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click on the https binding and click edit. For the SSL certificate drop down, choose the new certificate. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.

a
The Microsoft SCOM SNMP Monitoring in SCOM must use SNMP V3.
IA-3 - Low - CCI-001967 - V-237435 - SV-237435r643951_rule
RMF Control
IA-3
Severity
Low
CCI
CCI-001967
Version
SCOM-IA-000001
Vuln IDs
  • V-237435
Rule IDs
  • SV-237435r643951_rule
SNMP Versions 1 and 2 do not use a FIPS-validated Keyed-Hash message Authentication Code (HMAC). SCOM has the capability of monitoring all versions of SNMP. As such, SNMP 1 and 2 monitoring should only be done if the device being monitored does not support SNMP V3.
Checks: C-40654r643949_chk

From the SCOM Console, select the Administration workspace. Navigate to Run As Configuration and select Accounts. Review all of the listed Accounts. If any account is listed under the "Community String" type, this is a finding.

Fix: F-40617r643950_fix

Create SNMP V3 Run As accounts and use these to monitor network devices: Note that for this to work, SNMP V3 must be set up on the network device being monitored and some of the configuration info for this account must be obtained from that device. From the SCOM Operations Console, select the Administration workspace, expand Run As Configuration, and select Accounts. Right-click and choose "Create Run As accounts". Click "Next" at the first screen and in the Run As account type, choose SNMP V3 account. Give it an appropriate display name and complete the wizard supplying the relevant information from the monitored network device(s).

b
The Microsoft SCOM server must use an active directory group that contains authorized members of the SCOM Administrators Role Group.
IA-5 - Medium - CCI-002041 - V-237436 - SV-237436r643954_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002041
Version
SCOM-IA-000002
Vuln IDs
  • V-237436
Rule IDs
  • SV-237436r643954_rule
During the initial installation, SCOM grants the Builtin\Administrators group administrator rights to the application. This configuration will allow any local administrator to the SCOM server to have full administrative rights into SCOM.
Checks: C-40655r643952_chk

Open the Operations Console and select the Administrative workspace. In the left pane, expand Security and select User Roles. In the center pane, double-click on Operations Manager Administrators. If Builtin\Administrators is listed, this is a finding.

Fix: F-40618r643953_fix

From Active Directory Users and Computers, create a group following the organizational naming standards for SCOM Administrators. Add the SCOM service accounts to this group along with any user's administrative account that is required to administer SCOM. Make note of the group name. Log on to the SCOM console with an administrative account. Select the Administration workspace. Expand Security and click User Roles. From the center pane, double-click on Operations Manager Administrators. Click the Add button and type the name of the group created above and click Check Names. The name should validate. Click OK. The new group should now be added to the Operations Manager Administrators role. Click on Builtin\Administrators and click Remove. Click OK.

b
The default Builtin\Administrators group must be removed from the SCOM Administrators Role Group.
IA-5 - Medium - CCI-002041 - V-237437 - SV-237437r643957_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002041
Version
SCOM-IA-000003
Vuln IDs
  • V-237437
Rule IDs
  • SV-237437r643957_rule
SCOM servers with default well-known operating system groups defined the SCOM Administrators Global Group may allow a local administrator access to privileged SCOM access.
Checks: C-40656r643955_chk

Review the SCOM Administrators Global Group and verify that the Built-in\Administrators Group is not a member. If the Built-in\Administrators group is a member, this is a finding.

Fix: F-40619r643956_fix

Remove the Built-in\Administrators group from the SCOM Administrators Role Group.

c
The SCOM Web Console must be configured for HTTPS.
MA-4 - High - CCI-003123 - V-237438 - SV-237438r643960_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
SCOM-MA-000001
Vuln IDs
  • V-237438
Rule IDs
  • SV-237438r643960_rule
HTTP sessions are sent in clear text and can allow a man in the middle to recon the environment. The web console itself does not allow for administrative actions, so most of the risk associated with http authentication is inherently mitigated. However, this would allow an attacker to intercept SCOM web-console traffic for reconnaissance purposes.
Checks: C-40657r643958_chk

This check is Not Applicable if the SCOM web console is not installed. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Examine the bindings for the web console and verify that only https is an option. If http is present or if there is no https binding, this is a finding.

Fix: F-40620r643959_fix

Issue a web corticated from a trusted internal CA server, as this will be required for https protocols to function properly. It will need to be installed on the server in advance. From the SCOM web console server, open IIS. Right-click on the Default Website and choose edit bindings. Click the Add button. Under type, select https and enter the appropriate host name in the host name field. For the SSL certificate drop down, choose the certificate that was installed. Click OK. Test https access to the SCOM web console and troubleshoot if connectivity is not working. Once connectivity is established, delete the http binding.

c
All SCOM servers must be configured for FIPS 140-2 compliance.
IA-7 - High - CCI-000803 - V-237439 - SV-237439r643963_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
SCOM-SC-000001
Vuln IDs
  • V-237439
Rule IDs
  • SV-237439r643963_rule
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms. SCOM is FIPS-compliant out of the box with the exception of the Web Console.
Checks: C-40658r643961_chk

From a SCOM Management server, open the registry editor. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy Verify that the "Enabled" key is set to 1. If the "Enabled" key is not set to 1 or is not present, this is a finding. From a command prompt, open the following file with notepad: C:\Windows\Micosoft.NET\Framework]v2.0.50727\CONFIG\machine.config. Immediately following the <ConfigSection>, look for <cryptographySettings>. If the <cryptographySettings> section does not exist under <ConfigSection> of the machine.config file, this is a finding.

Fix: F-40621r643962_fix

From a SCOM Management server, open the registry editor. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy Double-click on "Enabled" and set the value to 1. Note that many organizations use a GPO to accomplish this task. Older versions of SCOM may require additional configuration. That is documented here: https://nathangau.wordpress.com/2016/12/02/scom-2012-webconsole-and-fips-compatibility/

b
A host-based firewall must be configured on the SCOM management servers.
SC-5 - Medium - CCI-002385 - V-237440 - SV-237440r643966_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
SCOM-SC-000002
Vuln IDs
  • V-237440
Rule IDs
  • SV-237440r643966_rule
To prevent a DDoS, a firewall that inspects and drops packets must be configured.
Checks: C-40659r643964_chk

The steps in this check will vary based on the host-based firewall being used in the environment. For Windows Firewall, type wf.msc. Verify that the firewall is set to On. Click on Inbound rules and verify that there are no any-any allow rules in any profile. If McAfee is installed, it will be visible in the system tray. Verify with a McAfee administrator that there are no any-any rules allowing full access. If no host-based firewall is installed, or a host-based firewall is configured to allow all traffic inbound, this is a finding.

Fix: F-40622r643965_fix

Configure a host-based firewall based on the organization's standards. A full list of ports needed for SCOM to function properly can be found here: https://docs.microsoft.com/en-us/system-center/scom/plan-security-config-firewall?view=sc-om-2019.