Choose a Client Installation Method that Fits your Risk Profile

There are several ways to install the SMS client software on your managed computers. This section discusses the potential risks and benefits of each installation method. For more information about client deployment methods, see Appendix C: “Client Deployment Planning” in the Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment (https://go.microsoft.com/fwlink/?linkid=29105).

Manual Installation

Manual installation by a trusted administrator, following a change and configuration management process, introduces few risks to the client installation process. Requiring administrative interaction provides a high level of assurance that trusted software is installed through a secure channel, and a change control process ensures an audit trail of the work being done. Note that the client installation files are not signed or verified by any SMS process, and they are not transmitted over any secure SMS channel; you can, however, use IPsec to secure the channel. You can deploy the SMS client manually by adding the software to an image or by using Group Policy.

Imaging

You can add the SMS client software to an image and deploy it as part of your standard computer configuration. Assuming you use appropriate security controls during the imaging process, this method introduces minimal risk. After the client is installed, you can distribute updated client components using software distribution, which automatically verifies the signature on the package.

Group Policy

You can also use Group Policy to deploy the client.msi file. If your organization routinely distributes software using Group Policy, it is easy to deploy the SMS client using this same method. Take the following issues into consideration, however, when deciding whether to use Group Policy:

Clients installed using client.msi experience difficulties with upgrade and repair operations if the version of the .msi file used to install the client is not available when the client is repaired or patched. (Unlike Ccmsetup, client.msi does not manage a local copy of the correct client.msi for future repairs of the client.)

If you install the client using Group Policy, using Advanced Client and Management Point Cleaner (CCMClean.exe) to remove the SMS client is not recommended or supported. Using Group Policy creates registry keys that Advanced Client and Management Point Cleaner does not remove, and these registry keys might complicate future reinstallation of the Advanced Client through Group Policy. If you configure Group Policy to install the Advanced Client, configure the policy to uninstall the application when the policy no longer applies. Then, if you need to remove the Advanced Client from a computer, change the permissions on the policy so that it no longer applies to that computer. Removing the Advanced Client through the software settings in the Group Policy Object (GPO) removes all related registry keys and allows for future reinstallation through Group Policy.

Client Push Installation

The easiest way to install the SMS client software is to use the client push installation method. However, this requires an account with administrative rights on all clients to which you plan to install. This introduces significant risk if an attacker gains control of the account, but it also provides the benefit of many manageability features once the clients are installed. If you make this account a member of Domain Admins, it requires less administrative overhead because it automatically has the required rights on all clients; but if the account is compromised, the risk to the enterprise is severe and could potentially require reinstallation of the entire forest. Making the account a local administrator but not a member of Domain Admins requires you to manage this account on every client, but the risk of compromise is limited to each individual computer. SMS mitigates the threat by encrypting the account credentials in the site control file. You can further mitigate the threat by using only Kerberos authentication, which is less vulnerable to attacks than LanMAN authentication. If you are not using Active Directory, however, you will need to upgrade in order to use Kerberos authentication.

Important

The SMS site server requires access to the Admin$ share to connect to clients for client push installation. If this share is removed, client push installation will fail.
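An added pre-flight script, not from the SMS 2003 documentation, that checks the two points above before a client push: whether the push installation account is a member of Domain Admins, and whether the Admin$ share is present on each target client. The account name and client names are constructed placeholders, and it assumes the ActiveDirectory PowerShell module is installed on the machine where it runs.

```powershell
# Added example (not part of the SMS 2003 documentation): pre-flight checks for client push installation.
# Assumes the ActiveDirectory module is available; account and client names below are constructed placeholders.
Import-Module ActiveDirectory

$pushAccount = 'smspush'                  # hypothetical client push installation account (sAMAccountName)
$clients     = @('CLIENT01', 'CLIENT02')  # constructed sample client computer names

# Risk check from the text: the push account should not be a member of Domain Admins,
# so that a compromise of the account is limited to the computers where it is a local administrator.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $pushAccount) {
    Write-Warning "$pushAccount is a member of Domain Admins; compromise would put the whole forest at risk."
} else {
    Write-Host "$pushAccount is not a member of Domain Admins."
}

# Requirement from the Important note: the Admin$ share must exist on every target client,
# otherwise the site server cannot connect and client push installation fails.
foreach ($client in $clients) {
    $share = Get-WmiObject -Class Win32_Share -ComputerName $client `
        -Filter "Name='ADMIN`$'" -ErrorAction SilentlyContinue
    if ($share) {
        Write-Host "$client : Admin`$ share present; client push can connect."
    } else {
        Write-Warning "$client : Admin`$ share missing or client unreachable; client push installation will fail."
    }
}
```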

Logon Script-initiated Client Installation

Although SMS 2003 does not include the same logon installation option as SMS 2.0, it is easy to call capinst.exe from a logon script to initiate client installation. If the user who is logging on does not have administrative rights to the computer, the client software creates a client configuration request (CCR) for the site server. After the site server receives the CCR, it uses client push installation. This has the same risks as client push installation. See the previous section for more information about these risks.
