Security Frequently Asked Questions
Q. What’s the difference between standard and advanced security?
A. Standard security uses user accounts to run services, configure computers, and connect between computers. Advanced security uses the built-in functionality of Active Directory. It uses the Local System Account to run services, configure computers, and connect between computers. It is more secure, but requires Active Directory. It does not require the schema to be extended. You can change from standard to advanced security, but cannot change back from advanced to standard. For more information about SMS security modes, see "Securing SMS" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.
Q. What are the requirements to use advanced security? (updated December 12, 2003)
A. You cannot use advanced security in a Windows NT 4.0 domain or if any site systems are running Windows NT 4.0. For an SMS 2003 site to use advanced security, the SMS site server and all SMS site systems must be in an Active Directory domain. All site systems running Windows 2000 must have SP2 or a later version, except for management points, which must have at least SP3. Site systems can also run an operating system in the Windows Server 2003 family. The SMS site database servers must be running SQL Server 2000 or a later version. A site using advanced security cannot report to a parent site running standard security. For more information about the requirements for advanced security, see "Securing SMS" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site. The Microsoft Systems Management Server 2003: Concepts, Planning, and Deployment Guide incorrectly states that the SQL Server database computers must be in Windows authentication mode only. Mixed mode includes Windows authentication mode; therefore either mode will work with advanced security.
Q. When do I enable advanced security?
A. SMS sites can be set up to use advanced security during installation. Similarly, SMS sites can be set up to use standard security during installation, and then changed to advanced security if they meet the requirements for advanced security. For a site with a remote SQL Server database, in certain cases, a transition from standard to advanced security might partially fail. For details, search on "transitioning from standard to advanced security" in the SMS 2003 Operations Release Notes. For more information about setting up sites with advanced security, see "Appendix E: SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.
Q. How do I switch from advanced security back to standard?
A. You cannot switch back to standard security unless you reinstall. For more information about migrating to advanced security, see the "SMS Implementation Security" section in "Appendix E: SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.
Q. I recently changed from standard security mode to advanced security mode, but all standard security mode accounts still exist.
A. This is by design. You must manually delete all remaining standard security mode accounts. For more information about migrating to advanced security, see the "SMS Implementation Security" section in "Appendix E: SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.
Q. I just upgraded from standard security to advanced security. Which SMS accounts can I delete? (Updated August 31, 2004)
A. You can always delete the SMS Service account. The other accounts vary depending on your security mode and client types. For a complete list, see the section "Managing Advanced Security Accounts" or "Managing Legacy Client Accounts" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.
Q. What does the Advanced Client Network Access Account do? (Updated May 31, 2006)
A. The Advanced Client Network Access Account is provided for when the Advanced Client must access resources in a non-trusted domain.
Q. After I switched to advanced security, I did not see as much network discovery information. What happened? (updated December 12, 2003)
A. By default, DHCP network discovery is disabled when the SMS site is running advanced security. This is by design. Advanced security relies on using the LocalSystem Account context to access server resources such as DHCP data. However, DHCP data cannot be accessed by using the LocalSystem Account security context. Therefore, DHCP network discovery is disabled in advanced security mode. For more information about choosing a discovery method, see the "Choosing a Discovery Method" section in "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on the Microsoft Download site.
Q. For standard security, does my SMS service account need domain admin rights? (updated December 12, 2003)
A. The SMS service account does not have to be a member of Domain Admins if SMS is not installed on a Domain Controller. Installing SMS on a member server is the recommended best practice. For more information, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.
Q. Do all my sites in the hierarchy have to be advanced security, or can I have both standard and advanced?
A. Your hierarchy can have a mix of advanced security mode and standard security mode sites. However, advanced security sites can report only to advanced security sites, which means the first site that can run in advanced security mode is the central site. At each site, determine whether the site can be an advanced security site. If it cannot, then its direct and indirect child sites must be standard security sites. For more information about security considerations for site and hierarchy design, see "Securing SMS" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.
Q. Will SMS 2003 prevent SMS account lockouts?
A. Account lockouts are a domain policy and a domain function; therefore the only way to prevent account lockouts is to disable that feature. However, SMS 2003 can reduce account lockouts if you use the Advanced Client, because you do not have any of the accounts that were being locked out. The accounts that were traditionally being locked out are the SMS Client Token Account and the SMS Client Connection Account. The Advanced Client does not use either of these accounts. For guidelines to avoid account lockouts, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.
Q. Which ports do I have to open in our firewall for SMS 2003 to work? (Added February 27, 2004)
A. The ports that SMS 2003 uses to communicate through a firewall or through a proxy server are documented in article 826852 in the Microsoft Knowledge Base.
Q. Can SMS 2003 Advanced Clients communicate with my management and distribution points through Network Address Translation and Firewall devices? (Added May 31, 2006)
A. No. The use of Legacy and Advanced Clients through a proxy server or through devices that perform network address translation is not supported.
Q. Why is anonymous access to my management points required? What are the risks of allowing anonymous access? (Added October 29, 2004)
A. The management point is the source of command and control data (policy) for SMS Advanced Clients. When Advanced Clients communicate with the management point, they always use the anonymous security context. A decision was made to rely exclusively on the anonymous security context to support the following common scenarios:
However, by not requiring clients to authenticate to the management point, the following vulnerabilities are present:
These vulnerabilities do not allow any one of the following to occur:
SMS deployments are only supported in an intranet environment; therefore the risks of a Denial of Service (DoS) attack, or of a pollution attack on status messages, software metering data, and inventory (in SMS 2003 with no service pack), are extremely unlikely. SMS also reduces the probability of attacks against inventory because new inventory is collected on a schedule. An attacker would have to continuously supply invalid inventory data.
Q. I added my site server computer account to a group, but it doesn’t seem to be working. Why? (Added January 31, 2005)
A. Remember that group membership is evaluated only at logon. For users, group evaluation occurs when the user actually logs on, but for computers, it occurs when the computer starts up. After you add your computer account to a group, reboot the computer for the group membership to take effect.
Q. Does my sysadmin SQL role have to be local administrator on the computer running SQL Server? (Added May 31, 2005)
A. No, you can safely remove the sysadmin role from the local administrators group if you first perform the correct steps for your security mode. If you have standard security, create Microsoft SQL Server logins for both the SMS service account and the Remote Service account and grant both logins sysadmin rights. If you have advanced security, create a SQL login for the site server computer account and grant that login sysadmin rights. For more information about logins and the sysadmin role, see the "Logins, Users, Roles, and Groups" section in the most recent version of the SQL Server Books Online. For more information about the SMS service account, the Remote Service account, and the site server computer account, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.
Q. Which SMS accounts need to be local administrators on the computer running SQL Server? (Added May 31, 2005)
A. The following accounts must always be local administrators on the computer running SQL Server:
By default, the local administrators group is a member of the sysadmin server role on the SQL Server database; however, you should restrict membership of the sysadmin fixed server role to a few trusted accounts. For SMS operations, you can safely remove the administrators group from the sysadmin role if you first perform the correct steps for your security mode and SMS configuration:
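The two preceding answers describe the same procedure from two angles: grant the SMS accounts their own sysadmin logins first, then remove the local administrators group from the sysadmin role. The Transact-SQL below is an added example written for this FAQ, not a script from the SMS documentation or the product. It uses the SQL Server 2000 system stored procedures (sp_grantlogin, sp_addsrvrolemember, sp_helpsrvrolemember, sp_dropsrvrolemember), since that is the version the FAQ targets. The domain name CONTOSO, the account names SMSService and SMSRemoteSvc, and the site server name SMSSITE01 are placeholders; substitute your own. Run only the section that matches your security mode.

```sql
-- Added example for this FAQ; not from the SMS 2003 documentation.
-- All account names below are placeholders (CONTOSO domain is assumed).

-- STANDARD SECURITY: the SMS service account and the Remote Service
-- account each need a Windows-authenticated login with sysadmin rights.
EXEC sp_grantlogin 'CONTOSO\SMSService';                    -- placeholder
EXEC sp_addsrvrolemember 'CONTOSO\SMSService', 'sysadmin';
EXEC sp_grantlogin 'CONTOSO\SMSRemoteSvc';                  -- placeholder
EXEC sp_addsrvrolemember 'CONTOSO\SMSRemoteSvc', 'sysadmin';

-- ADVANCED SECURITY: the site server's computer account is the login.
-- Computer accounts are written DOMAIN\COMPUTERNAME$ (note the trailing $).
EXEC sp_grantlogin 'CONTOSO\SMSSITE01$';                    -- placeholder
EXEC sp_addsrvrolemember 'CONTOSO\SMSSITE01$', 'sysadmin';

-- CHECK before tightening: confirm the SMS login(s) now appear as
-- sysadmin members, so removing the administrators group cannot lock
-- SMS out of its own site database.
EXEC sp_helpsrvrolemember 'sysadmin';

-- TIGHTEN: only after the check above shows the SMS login(s), remove the
-- local administrators group from the sysadmin fixed server role.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';

-- Re-run the membership listing to verify the final state.
EXEC sp_helpsrvrolemember 'sysadmin';
```

The order matters: dropping BUILTIN\Administrators before the SMS login exists leaves the site server with no path into the database, and, as the FAQ notes for computer accounts, a newly granted computer-account login is only usable once that computer has a valid Kerberos identity in the domain. On SQL Server 2005 and later the same steps are expressed with CREATE LOGIN ... FROM WINDOWS and (from SQL Server 2012) ALTER SERVER ROLE sysadmin ADD MEMBER / DROP MEMBER; the older procedures above still work there for compatibility.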
For More Information
Did you find this information useful? Send your suggestions and comments about the FAQ to smsdocs@microsoft.com.