
SCOM 2025 Security Account Matrix

Below you will find a security account matrix for SCOM 2025.  It includes all the common service and security accounts in SCOM, with their default or recommended permissions, covering the management servers, the database servers, SQL role permissions, and database user mappings.  You can use it to correct deployments where permissions were modified incorrectly, or to verify that a least-privilege model is actually in place.

Using a least-privilege model is critical to maintaining good security practice.  It helps ensure your deployments of SCOM are Secure By Default.

Remember these additional security best practices:

1.  No SCOM service account should EVER have a high level of rights in the domain, and especially not Domain Admin.  A compromised service account should yield SCOM, not the domain.

2.  No SCOM service account should EVER have rights on ALL agents.  Customers sometimes grant the Management Server Action Account local admin on every server to ease Agent Push deployment, but this is a worst practice: if that service account is compromised, the attacker holds rights on every server in your network.  The Discovery Wizard lets you supply a separate account for the push, so the standing service accounts never need those rights.

3.  The BUILTIN\Administrators group should be removed from the Operations Manager Administrators user role immediately after installing SCOM.  Add a dedicated AD group for your SCOM admins to the role first, so you do not lock yourself out.  There is no good reason to leave BUILTIN\Administrators in place: it elevates anyone who is a local admin on a SCOM server to a full SCOM Admin, which is not a best practice.

4.  Always use Local System as the Default Action Account for agent-managed systems.  Local System is a per-machine identity, whereas a domain account used as the action account is one credential present on every agent.

5.  A single SCOM service account can be used.  Many of our historical examples used unique accounts for the DAS, MSAA, DW Reader and DW Writer accounts, but a single account can serve all of these if you want to reduce the number of service accounts.

6.  No SCOM service account should hold the sysadmin (“SA” / System Administrator) fixed server role on any SQL instance.  Customers sometimes grant it to work around an issue, but this is not a best practice and creates additional risk if the account is compromised.  The matrix lists the specific SQL roles and database mappings each account actually needs.

7.  Use Service SIDs in place of traditional RunAs accounts for monitoring SQL servers, where possible.  The HealthService service SID (NT SERVICE\HealthService) exists only on the server it belongs to, so compromising one agent does not yield a credential with rights across many SQL servers, as a shared RunAs account would.
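The following audit script is an added example, not code from the original post or from the SCOM product.  It checks items 1, 2, 3, 6 and 7 above against a live management group: nested membership of the service accounts in privileged domain groups, a spot check of local Administrators membership on a sample of agents, BUILTIN\Administrators in the Operations Manager Administrators user role, sysadmin membership on a SQL instance, and whether that instance has a HealthService service SID login.  It assumes the OperationsManager and ActiveDirectory modules are installed where it runs, and every server, instance and account name in the `param` block is a placeholder to replace with your own.  Items 4 and 5 are configuration choices rather than something this script can prove.

```powershell
# Added audit script (not from the original post). Requires the OperationsManager and
# ActiveDirectory modules; all names below are placeholder assumptions.
param(
    [string]   $ManagementServer = 'scom-ms01.contoso.local',   # assumption
    [string]   $SqlInstance      = 'scom-sql01.contoso.local',  # assumption: OpsDB/DW instance; rerun per monitored instance
    [string[]] $ServiceAccounts  = @('CONTOSO\svc-scom-das', 'CONTOSO\svc-scom-msaa',
                                     'CONTOSO\svc-scom-dwread', 'CONTOSO\svc-scom-dwwrite'),  # assumption
    [int]      $AgentSample      = 25                           # agents to spot-check for item 2
)
Import-Module OperationsManager, ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# Item 1: no service account in a high-privilege domain group, directly or through nesting.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators') {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    foreach ($acct in $ServiceAccounts) {
        if ($members -contains $acct.Split('\')[-1]) { $findings.Add("$acct is a (nested) member of '$group'") }
    }
}

New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Item 2: no service account in the local Administrators group of agent-managed servers (sample).
$agents = Get-SCOMAgent | Select-Object -First $AgentSample -ExpandProperty DisplayName
if ($agents) {
    $localAdmins = Invoke-Command -ComputerName $agents -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            ForEach-Object { [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $_.Name } }
    }
    foreach ($hit in $localAdmins | Where-Object { $ServiceAccounts -contains $_.Member }) {
        $findings.Add("$($hit.Member) is a local Administrator on $($hit.Computer)")
    }
}

# Item 3: BUILTIN\Administrators must not remain in the Operations Manager Administrators role.
$adminRole = Get-SCOMUserRole | Where-Object { $_.DisplayName -eq 'Operations Manager Administrators' }
if ($adminRole.Users -contains 'BUILTIN\Administrators') {
    $findings.Add("BUILTIN\Administrators is still in the '$($adminRole.DisplayName)' user role")
    # Remediation, only once a dedicated AD group for SCOM admins is already in the role:
    #   Set-SCOMUserRole -UserRole $adminRole -User ($adminRole.Users | Where-Object { $_ -ne 'BUILTIN\Administrators' })
}

# Items 6 and 7: no service account with sysadmin; SQL monitoring on this instance should be
# using the HealthService service SID login rather than a shared RunAs login.
# Encrypt=True assumes the instance presents a trusted certificate.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=SSPI;Encrypt=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;"
    $sysadmins = @()
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $sysadmins += $reader.GetString(0) }
    $reader.Close()
    foreach ($acct in $ServiceAccounts) {
        if ($sysadmins -contains $acct) { $findings.Add("$acct holds sysadmin on $SqlInstance") }
    }
    $cmd.CommandText = "SELECT COUNT(*) FROM sys.server_principals WHERE name = N'NT SERVICE\HealthService';"
    if ([int]$cmd.ExecuteScalar() -eq 0) {
        $findings.Add("$SqlInstance has no 'NT SERVICE\HealthService' login; SQL monitoring there is not using a service SID")
    }
}
finally { $conn.Close() }

if ($findings.Count -eq 0) { 'No deviations from the SCOM least-privilege baseline found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from the Operations Manager Shell as an account that can read the domain groups, reach the sampled agents over WinRM, and connect to the SQL instance.  The sysadmin query reports every login SQL Server itself considers a sysadmin member, so an account that only inherits the role through a Windows group that is a login will show up as that group, not by name; review group logins separately.

The second added example, also not from the original post, shows the mechanics behind item 7 on a single monitored SQL server: turning on the HealthService service SID, creating a SQL login from it, and retiring the shared RunAs login.  The instance name, database list and old account are placeholder assumptions, and the server- and database-level grants are an illustrative subset only; take the exact permission list for your SQL Server MP version from the MP guide or the matrix.

```powershell
# Added example (not from the original post). Run elevated on the monitored SQL host after the
# RunAs profile no longer targets this server. Names and grants below are placeholder assumptions.
param(
    [string]   $SqlInstance = 'localhost',                 # assumption: default instance on this host
    [string[]] $Databases   = @('msdb'),                   # assumption: databases the MP must read
    [string]   $OldRunAs    = 'CONTOSO\svc-scom-sqlmon'    # assumption: shared RunAs login to retire
)

# 1. Make the agent's HealthService present its own per-machine service SID.
#    'unrestricted' puts NT SERVICE\HealthService in the service token; the service must restart.
& sc.exe sidtype HealthService unrestricted | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed with exit code $LASTEXITCODE" }
Restart-Service -Name HealthService -Force
$sidType = (& sc.exe qsidtype HealthService) -join ' '
if ($sidType -notmatch 'UNRESTRICTED') { throw "HealthService SID type is not UNRESTRICTED: $sidType" }

# 2. Create the login from the service SID and grant only what monitoring needs.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT SERVICE\HealthService')
    CREATE LOGIN [NT SERVICE\HealthService] FROM WINDOWS;
-- Illustrative server-level grants; replace with the list from the SQL Server MP guide.
GRANT VIEW SERVER STATE   TO [NT SERVICE\HealthService];
GRANT VIEW ANY DEFINITION TO [NT SERVICE\HealthService];
GRANT VIEW ANY DATABASE   TO [NT SERVICE\HealthService];
"@
foreach ($db in $Databases) {
    $sql += @"

USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'NT SERVICE\HealthService')
    CREATE USER [NT SERVICE\HealthService] FOR LOGIN [NT SERVICE\HealthService];
ALTER ROLE db_datareader ADD MEMBER [NT SERVICE\HealthService];
"@
}

# 3. Remove the shared RunAs login from this instance so a compromise elsewhere cannot reach it here.
$sql += "`nIF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$OldRunAs') DROP LOGIN [$OldRunAs];"

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=SSPI;Encrypt=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.ExecuteNonQuery()
}
finally { $conn.Close() }
"Service SID login configured on $SqlInstance; $OldRunAs removed from this instance."
```

DROP LOGIN fails if the old account still owns objects or databases on the instance; fix ownership first rather than granting the service SID more than it needs.  The resulting login is unique to this server, which is the whole point of item 7: there is no single credential to steal that opens every SQL instance you monitor.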

 

Download:  https://kevinholman.com/files/SCOM2025_Security_Matrix.xls

 

Example:

[image: example excerpt from the matrix]

This matrix is for SCOM 2025. 

For SCOM 2022, please see:  https://kevinholman.com/2022/09/26/scom-2022-security-account-matrix/

For SCOM 2019, please see:  https://kevinholman.com/2020/07/23/scom-2019-security-account-matrix/

For SCOM 2016, please see:  https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix/
