The Advanced Client Network Access Account is provided for when the Advanced Client must access resources in a non-trusted domain.

Advanced Client Network Access

If you do not have Windows NT 4.0 domains, untrusted, forests, or workgroup clients, you do not need this account.

If you have Windows NT 4.0 domains, untrusted, forests, or workgroup clients, you need this account in only the following situations:

• A mandatory advertisement to a computer is configured to download the program and run locally, but the client Computername$ account does not have permissions to access to the content.
• A program is configured to Run with Administrative Rights, and the advertisement is configured to run the program from the distribution point, but the client Computername$ account does not have permissions to access to the content.
• You want to use Client Push Installation when no user is logged on and when the computer is in a workgroup, a Windows NT 4.0 domain, or in an untrusted forest.

The Advanced Client Network Access Account is used in the following two scenarios.

• During Advanced Client upgrade by Ccmsetup to connect to the shared client folder on the management point to download Client.msi.
• To access the distribution point if the logged on user account or computer account does not have permissions. This scenario might occur when the client roams.

If the Advanced Client Network Access account is not configured, Ccmsetup will try to use the computer account if the client is a member of an Active Directory domain. If the client is a member of a Windows NT 4.0 domain, Ccmsetup will try to use the logged on user account, or wait for the user to log on.

If the SMS hierarchy is distributed across trusted forests or other network environments in which the logged-on user or client computer account is a recognized security principal, the client will not need the Advanced Client Network Access account.

Unlike the Legacy Client Software Installation account, the Advanced Client Network Access account is not used when an advertised program has to access a shared folder on a server other than the distribution point.

For more information about SMS User accounts, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Serveron the Microsoft Download site. For more information about roaming, see the "SMS 2003 Configuration and Operation of Advanced Client Roaming" white paper on the Microsoft Download site.

The management point is the source of command and control data (policy) for SMS Advanced Clients. When Advanced Clients communicate with the management point, they always use the anonymous security context. A decision was made to rely exclusively on the anonymous security context to support the following common scenarios:

• An SMS hierarchy can span Active Directory® forests and Windows NT4 domains.
• An SMS hierarchy can span multiple forests.
• SMS Advanced Clients can roam between forests.
• SMS 2003 SP1 can allow support for workgroups.
• The SMS 2003 Operating System Deployment Feature Pack can interact with computers that are being installed.

However, by not requiring clients to authenticate to the management point, the following vulnerabilities are present:

• An attacker could impersonate a valid client and submit invalid status messages or software metering data.
• An attacker could impersonate an imaginary client and submit invalid status messages or software metering data.
• An attacker could submit large quantities of status messages or software metering data, slowing the management point, slowing the site server, and filling the database.
• With SMS 2003 (with no service pack), an attacker could also submit invalid inventory on behalf of a valid or imaginary client. With SMS 2003 SP1, you can require clients to sign their inventory data. Management points will reject any unsigned inventory.

These vulnerabilities do not allow any one of the following to occur:

• Elevation of privilege on either the SMS server or client.
• Loss of confidential or personal information.
• Unauthorized software installation.

SMS deployments are only supported in an intranet environment, therefore the risks of a Denial of Service (DoS), attack or of a pollution attack on status messages, software metering data, (and inventory in SMS 2003 (with no service pack) are extremely unlikely. SMS also reduces the probability of attacks against inventory because new inventory is collected on a schedule. An attacker would have to continuously supply invalid inventory data.

While there are risks in allowing anonymous access to management points, the benefit of providing flexibility in SMS configuration was judged to be very important to the current customer base. However, because of customer concern regarding anonymous access to management points, we are committed to changing the way management points are authenticated in a future release.

The following accounts must always be local administrators on the computer running SQL Server:

• The user installing SMS
• The user running SMS site reset
• The SMS Service account (standard security) or the SMS site server account (advanced security)

By default, local administrators group is a member of the sysadmin server role on the SQL Server database; however, you should restrict membership of the sysadmin fixed server role to a few trusted accounts. For SMS operations, you can safely remove the administrators group from the sysadmin role if you first perform the correct steps for your security mode and SMS configuration:

Note It is recommended that you use advanced security and Windows authentication.

For more information about logins and the sysadmin role, see the "Logins, Users, Roles, and Groups" section in the most recent version of the SQL Server Books Online. For more information about the SMS service account, the Remote Service account, the SQL Server/Site Database account, and the site server computer account, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.