SMS Feature Security (Appendix E: SMS Security Procedures)

For more detail about these tasks, see Securing SMS Features.

Granting Users Access to Reports on Reporting Points

SMS Admins and local administrators on the reporting point automatically have permissions to access reports on reporting points.

To give a non-administrator the ability to run SMS Reports

  1. Add the user, or a group the user is a member of, to the Reporting Users group on the reporting point.

Important

The SMS Reporting Users group does not have SMS object security rights configured by default. Grant this group Read rights on the Report SMS class; otherwise, members of this group will not be able to access reports, even though they do have access to the reporting Web site. For more information about setting SMS class rights, see SMS Object Rights in Appendix E: SMS Security Procedures.

  2. If the user must access reports on multiple reporting points, repeat step 1 for each of those reporting points.

Modifying Internet Explorer 6.0 Default Security for Report Viewer Users

Internet Explorer 6.0 and later has increased default security settings. Those settings need to be modified for report viewer users. Perform this procedure on each client computer running Internet Explorer 6.0 that needs to view SMS reports.

To modify Internet Explorer 6.0 default security for Report Viewer users

  1. In Internet Explorer, select Tools, and then select Internet Options.

  2. Click the Security tab, and select Web content zone Trusted sites.

  3. Click Sites. To the list of the trusted Web sites, add the URL for each reporting point that the user has access rights to.

  4. Under Security level for this zone, click Custom Level.

  5. Scroll down to User Authentication and change Logon to Automatic logon with current user name and password.

  6. Save the new settings.
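The same Trusted sites changes can be applied per user through the registry values that Internet Explorer reads. The following PowerShell script is an added example, not part of the SMS documentation; the reporting point host names are constructed placeholders, and the script assumes it runs in the profile of the report viewer user.

```powershell
# Added example (not from the SMS documentation). Adds each reporting point
# to the Trusted sites zone for the current user and sets that zone's Logon
# setting to "Automatic logon with current user name and password".
# Host names below are constructed placeholders; replace with real reporting points.
$ReportingPoints = @('smsrp01.contoso.local', 'smsrp02.contoso.local')

$ZoneMap     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'

foreach ($rp in $ReportingPoints) {
    # IE stores entries as Domains\<domain>\<host>, e.g. Domains\contoso.local\smsrp01.
    $labels = $rp.Split('.')
    if ($labels.Count -gt 2) {
        $domain  = ($labels[-2..-1]) -join '.'
        $hostKey = ($labels[0..($labels.Count - 3)]) -join '.'
        $key = Join-Path (Join-Path $ZoneMap $domain) $hostKey
    } else {
        $key = Join-Path $ZoneMap $rp
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A DWORD named after the URL scheme holds the zone number; 2 = Trusted sites.
    New-ItemProperty -Path $key -Name 'http' -Value 2 -PropertyType DWord -Force | Out-Null
}

# 1A00 is the zone's Logon setting: 0 = Automatic logon with current user name and password.
# Other values (0x10000 prompt, 0x20000 Intranet only, 0x30000 anonymous) leave reports broken.
Set-ItemProperty -Path $TrustedZone -Name '1A00' -Value 0 -Type DWord

# Verify the result before handing the workstation back to the user.
$logon = (Get-ItemProperty -Path $TrustedZone -Name '1A00').'1A00'
if ($logon -ne 0) { throw "Trusted sites Logon setting is $logon, expected 0" }
Get-ChildItem $ZoneMap -Recurse | Where-Object { $_.GetValue('http') -eq 2 } |
    ForEach-Object { "Trusted: $($_.PSChildName) ($($_.PSParentPath.Split('\')[-1]))" }
```

Only the listed reporting points are added to the zone; keep that list to hosts the user actually has report rights on, because automatic logon sends the user's credentials to every site in the zone.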

Modifying the Permitted Viewers list for Remote Tools

If you upgraded from SMS 2.0, you might have localized administrator names in the Permitted Viewers list that are not needed and should be removed. When you specify users in the Permitted Viewers list, use the format domain\account to remove any ambiguity.

To modify the Permitted Viewers list for Remote Tools

  1. In the SMS Administrator console, navigate to Client Agents.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

                    Site Settings

                        Client Agents

  2. Click Client Agents.

  3. In the details pane, right-click Remote Tools Client Agent, and then click Properties.

  4. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

  5. Click the New button to open the New Viewer dialog box, and then specify an existing Windows user account or group name.

Important

Use global groups instead of local groups. SMS does not enumerate members of global groups when they are nested in a local group.

Setting Package Access Permissions

The default package access permissions allow Users Read permission and Administrators Full Control permission to the package files on the distribution points that hold the package. If not all users require access to the package, modify the list of package access accounts so that it grants the least permissions needed. To perform this procedure, you must have the Modify permission for the Package security object class or instance.

To specify package access accounts

  1. In the SMS Administrator console, navigate to Access Accounts.

    Systems Management Server

        Site Database (site code - site name)

            Packages

                packages

                    Access Accounts

  2. Right-click Access Accounts, point to New, and then click the type of access account you want (Windows or generic).

  3. In the Access Account Properties dialog box, specify the user or user group account that can access a package on the distribution points for this package.

To remove package access accounts

  1. In the SMS Administrator console, navigate to Access Accounts.

    Systems Management Server

        Site Database (site code - site name)

            Packages

                packages

                    Access Accounts

  2. In the details pane, right-click the account you want to delete, and then click Delete.

  3. Click Yes to confirm that you want to delete the selected package access account.

Important

If you add accounts, delete accounts, or modify the permissions of existing package access accounts, you must refresh the package on the distribution points.

Disabling IDMIF and NOIDMIF Collection

Collecting IDMIFs or NOIDMIFs can be a security risk, so you can disable their collection if that risk is significant to you. Newly installed SMS 2003 sites have MIF collection disabled by default. SMS 2003 sites that have been upgraded from SMS 2.0 have MIF collection enabled by default. Disabling hardware inventory MIF collection does not disable software distribution status MIF collection.

To enable or disable MIF collection

  1. Click the MIF Collection tab in the Hardware Inventory Client Agent Properties dialog box.

  2. Clear the options to collect IDMIF or NOIDMIF files for the Legacy Client and Advanced Client.

Important

When NOIDMIF collection is disabled, the data collected using NOIDMIFs is deleted from the SMS site that the clients are assigned to.