Securing SMS

Each organization must evaluate their tolerance for risk. If a high level of security risk is unacceptable in the Systems Management Server (SMS) deployment, the following four configurations are the foundation of a secure SMS environment:

  • Upgrade all sites and all clients to SMS 2003 SP1.

  • Use advanced security instead of standard security.

  • Use the Advanced Client instead of the Legacy Client.

  • Extend the Active Directory schema for SMS and enable Active Directory publishing.

Even if you have already installed SMS with a different configuration, you can upgrade to this configuration at any time.

Important

Advanced security and Advanced Clients are not related. You can use advanced security without using Advanced Clients and vice versa, but both are recommended for the most secure configuration.

Upgrade All Sites and Clients to SMS 2003 SP1

Several new security features were added to SMS 2003 SP1.

Note

You can find content in this document that is specific to SMS 2003 SP1 by searching for the text string “*SP”.

Use Advanced Security Instead of Standard Security

SMS 2003 advanced security uses the LocalSystem account on SMS servers to run SMS services and make changes on the server. Advanced security uses computer accounts (rather than user accounts) to connect to other computers and to make changes on other computers. Whenever possible, you should use advanced security mode because it gives you the highest level of SMS security and the least amount of security maintenance work. However, your sites must meet the requirements for advanced security mode.

Requirements for advanced security

For an SMS 2003 site to use advanced security, the SMS site server and all SMS site systems must be running Windows 2000 SP2 or later, or an operating system in the Windows Server 2003 family, in an Active Directory domain. It is not possible to use an advanced security site in a Windows NT 4.0 domain. The SMS site database servers must be running Microsoft SQL Server™ 2000 or later.

Note

If you have upgraded from SQL Server 7.0 to SQL Server 2000 or later, you must restart the computer before changing the SMS security mode to advanced security. This allows SQL Server to report to SMS that it is now running a supported version.

Your hierarchy can have a mix of advanced security mode and standard security mode sites. However, advanced security sites can report only to advanced security sites. The following SMS hierarchy configurations are supported for advanced security:

  • SMS 2003 advanced security site reporting to an SMS 2003 advanced security central site

  • SMS 2003 standard security site reporting to an SMS 2003 advanced security site

  • SMS 2.0 site reporting to an SMS 2003 advanced security site

For the procedure, see “Migrating to advanced security” in Appendix E: “SMS Security Procedures.”

Use the Advanced Client Instead of the Legacy Client

The Legacy Client relies heavily on domain accounts to carry out key tasks on the SMS client computer, such as installing software in an administrative context when the logged-on user account does not have the appropriate security credentials. The Advanced Client, on the other hand, is engineered to use the LocalSystem security context and the computer account to carry out these same key tasks, which reduces the complexity of account management. The Advanced Client is able to verify the digital signature on communications received from the management points, reducing the possibility of attackers hijacking clients through unauthorized management points.

It is strongly recommended that you install the Advanced Client as the preferred client on all your SMS client computers, especially those computers running a Windows 2000 or later operating system. On Windows NT 4.0 and Windows 98 clients, you must run the Legacy Client instead. Because the Legacy Client is not considered an optimal security environment, all discussion about security in the Legacy Client environment has been moved to Appendix D: “Legacy Client Security Environment.”

Important

SMS 2003 SP1 will not allow the Legacy Client to install on computers running a Windows 2000 or later operating system. If you currently have the Legacy Client installed on computers running a Windows 2000 or later operating system, you must plan to upgrade them as part of deploying SMS 2003 SP1.

Deploy SMS in an Active Directory Domain with SMS Schema Extensions and SMS Publishing

Any domain environment is more secure than a workgroup environment. Active Directory domains are more secure than Windows NT 4.0 domains.

SMS 2003 does not support workgroup environments. *SP SMS 2003 SP1 provides limited support for computers in a workgroup, with the following conditions and exceptions:

  • Workgroup support is for Advanced Clients only.

  • Clients must use NetBIOS for name resolution.

  • Installing the SMS client software requires administrative credentials on the computer.

  • Active Directory discovery and user targeting is not supported.

  • Global roaming is not supported.

You can use trusted and encrypted discovery and inventory data in a workgroup environment. *SP

Schema extensions are not required to run SMS, but they do create a more secure environment. If the Active Directory schema has the SMS extensions and publishing permissions are granted, management points can publish their certificates and their location in Active Directory. This allows clients to identify authorized management points from a trustworthy source. Active Directory can also store the public key used for signing intersite data transfer. When the public key changes during a recovery operation, the new key automatically propagates to child and parent sites.

You can extend the Active Directory schema during SMS Setup or by using the command-line tool ExtADSch.exe at any time before or after SMS installation. Modifying the schema is an advanced operation best handled by experienced programmers and administrators. Attributes or classes cannot be removed after they are created. At best, they can be modified or deactivated. Modify the schema in accordance with your network change and configuration management procedures. For more information about extending the schema, see the Help and Support Center.

Follow the principle of least privilege when extending the schema and granting publishing permissions

To extend the Active Directory schema for SMS 2003, you must be a member of the Schema Admins group in the root domain. If you are not a member of the Schema Admins group, request that a member of that group run the ExtADSch.exe and review the ExtADSch.log created in the root of the %system% directory. If you are a domain admin in the root domain, you can add the SMS Administrator account to the Schema Admins group before installing SMS or running ExtADSch.exe; however, best practice dictates that you remove your account from the Schema Admins group immediately after you successfully extend the schema.

Important

Extending the schema does not automatically grant SMS the necessary permissions to publish information to Active Directory. Manual steps are required to enable publishing. If you do not grant the appropriate permissions, SMS will log errors and will not publish any information to Active Directory.

Before SMS can publish information to Active Directory, the System Management container must be created and SMS must have full control of that container and all child objects. If you are using advanced security, SMS uses the computer account of the site server to publish information. If you are using standard security, SMS uses the SMS Service Account to publish information.

If you grant SMS full control to the System container and all child objects, SMS can automatically create the System Management container under the System container. For security reasons, it is instead recommended that you manually create the System Management container by using the ADSIEdit administrative tool and grant SMS full control only to the System Management container and all child objects.

Important

Each SMS site requires explicit permissions to publish to the System Management container in Active Directory. Child sites do not inherit permissions to the System Management container.

For specific procedures to extend the schema and grant the necessary publishing permissions in Active Directory, see the Active Directory Schema Modification and Publishing for Systems Management Server 2003 white paper on the Microsoft Download site (https://go.microsoft.com/fwlink/?linkid=24970).
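The following PowerShell script is an added example, not part of the SMS documentation or the white paper above: it carries out the least-privilege procedure described here (create the System Management container by hand, grant the site server full control on that container only, and verify that no explicit right was left on the parent System container). It assumes the RSAT ActiveDirectory module is available and uses the placeholder site server name SMSSITE01; under standard security you would grant the SMS Service Account instead of the computer account.

```powershell
# Added example (not from the SMS documentation). Assumes the ActiveDirectory
# module (RSAT) is loaded and the caller has rights on CN=System.
# SMSSITE01 is a placeholder: replace it with your SMS site server's computer name.
Import-Module ActiveDirectory

$SiteServerName = 'SMSSITE01'   # placeholder site server computer name
$domainDN = (Get-ADDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"
$smDN     = "CN=System Management,$systemDN"

# 1. Create the System Management container manually, so SMS never needs
#    full control on CN=System itself.
$existing = Get-ADObject -LDAPFilter '(cn=System Management)' `
                         -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. Grant the site server computer account full control on the container
#    and all child objects. Each site needs its own grant; child sites do
#    not inherit permissions on this container.
$sid     = (Get-ADComputer -Identity $SiteServerName).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $inherit)

$acl = Get-Acl -Path "AD:\$smDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$smDN" -AclObject $acl

# 3. Least-privilege check: the site server should hold no explicit ACE on
#    the parent CN=System container (only the inherited defaults).
$ntName    = $sid.Translate([System.Security.Principal.NTAccount]).Value
$parentAcl = Get-Acl -Path "AD:\$systemDN"
$leak = $parentAcl.Access | Where-Object {
    (-not $_.IsInherited) -and ($_.IdentityReference.Value -eq $ntName)
}
if ($leak) {
    Write-Warning "$ntName has explicit rights on CN=System; scope them to System Management only."
} else {
    Write-Output "OK: $ntName is granted rights only on the System Management container."
}
```

Run it once per site server; if step 3 warns, remove the explicit entry on CN=System rather than widening the grant.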

Note

Management points also publish their certificates to Active Directory. After SMS has full control permissions on the System Management container and all child objects, it automatically creates objects for the management points and grants the computer account for the management point all required permissions to the management point object.

*SP Configure Advanced Clients to use Active Directory Only mode

If the Advanced Client cannot locate the management point by using Active Directory, the default configuration allows the client to fall back to using Windows Internet Name Service (WINS). WINS lookup is less secure because unlike Domain Name Service (DNS), the permission to update a WINS entry is not controlled by an access control list. An attacker would, however, require administrative rights to the WINS server in order to create or modify the static WINS entry used to locate the default management point.

You can configure the Advanced Client to use Active Directory Only mode by installing the client with the installation property SMSDIRECTORYLOOKUP=NOWINS.

Important

The only supported way to change the configuration of an existing Advanced Client to use Active Directory Only mode is to reinstall the client.

For more information about using Advanced Client Installer, see Appendix I: “Installing and Configuring SMS Clients” in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment (https://go.microsoft.com/fwlink/?LinkId=19627). For more information about the directory lookup modes, see “Management Point Authentication to Clients” in Appendix B: “SMS Certificate Infrastructure.” *SP

After you have a secure SMS foundation, there are additional security considerations: