Security Frequently Asked Questions


Q. What’s the difference between standard and advanced security?

A. Standard security uses user accounts to run services, configure computers, and connect between computers. Advanced security uses the built-in functionality of Active Directory. It uses the Local System Account to run services, configure computers, and connect between computers. It is more secure, but requires Active Directory. It does not require the schema to be extended. You can change from standard to advanced security, but cannot change back from advanced to standard.

For more information about SMS security modes, see "Securing SMS" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.

Q. What are the requirements to use advanced security? (updated December 12, 2003)

A. You cannot use advanced security in a Windows NT 4.0 domain or if any site systems are running Windows NT 4.0. For an SMS 2003 site to use advanced security, the SMS site server and all SMS site systems must be in an Active Directory domain. All site systems running Windows 2000 must have SP2 or a later version, except for management points, which must have at least SP3. Site systems can also run an operating system in the Windows Server 2003 family. The SMS site database servers must be running SQL Server 2000 or a later version. A site using advanced security cannot report to a parent site running standard security. For more information about the requirements for advanced security, see "Securing SMS" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site. The Microsoft Systems Management Server 2003: Concepts, Planning, and Deployment Guide incorrectly states that the SQL Server database computers must be in Windows authentication mode only. Mixed mode includes Windows authentication mode, therefore either mode will work with advanced security.

Q. When do I enable advanced security?

A. SMS sites can be set up to use advanced security during installation. Similarly, SMS sites can be set up to use standard security during installation, and then changed to advanced security if they meet the requirements for advanced security. For a site with a remote SQL Server database, in certain cases, a transition from standard to advanced security might partially fail. For details, search on "transitioning from standard to advanced security" in the SMS 2003 Operations Release Notes.

For more information about setting up sites with advanced security, see "Appendix E: SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.

Q. How do I switch from advanced security back to standard?

A. You cannot switch back to standard security unless you reinstall.

For more information about migrating to advanced security, see the "SMS Implementation Security" section in "Appendix E – SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. I recently changed from standard security mode to advanced security mode, but all standard security mode accounts still exist.

A. This is by design. You must manually delete all remaining standard security mode accounts. For more information about migrating to advanced security see the "SMS Implementation Security" section in "Appendix E: SMS Security Procedures" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. I just upgraded from standard security to advanced security. Which SMS account can I delete? (Updated August 31, 2004)

A. You can always delete the SMS Service account. The other accounts vary depending on your security mode and client types. For a complete list, see the section "Managing Advanced Security Accounts" or "Managing Legacy Client Accounts" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.

Q. What does the Advanced Client Network Access Account do? (Updated May 31, 2006)

A.

The Advanced Client Network Access Account is provided for when the Advanced Client must access resources in a non-trusted domain.

Advanced Client Network Access

Function Required rights and permissions Notes

Used for software distribution, when either the currently logged on user account or the client computername$ account does not have sufficient permissions to access the distribution point. Used only for accessing content on the network, but never for running content on the computer.

Appropriate permissions on the software distribution content. Because you can create only one Advanced Client Network Access account, this account must function for all packages for which it is required. This account does not require the right to log on locally on any computer.

If the client computername$ account does not have permissions to access to the content, it is usually because the client is a member of workgroup, or the client has roamed to Windows NT 4.0 domains or untrusted Active Directory forests.

Might be used to install the Advanced Client by using Client Push Installation, capinst.exe, or software distribution when no user is logged on and when the computer is in a workgroup, a Windows NT 4.0 domain, in an untrusted forest, or other situation when the computer account does not have access to the content.

User rights on the location of the client installation files.

If you want to use software distribution to install or upgrade Advanced Client components, SMS can use the Advanced Client Network Access account or wait until a user logs on. To avoid using the Advanced Client Network Access account, configure the program to download from the distribution point instead of running from the distribution point.

  <p>If you do not have Windows NT 4.0 domains, untrusted, forests, or workgroup clients, you do not need this account.</p>
  <p>If you have Windows NT 4.0 domains, untrusted, forests, or workgroup clients, you need this account in only the following situations:</p>
  <ul>
    <li>A mandatory advertisement to a computer is configured to download the program and run locally, but the client Computername$ account does not have permissions to access to the content.</li>
    <li>A program is configured to <strong>Run with Administrative Rights</strong>, and the advertisement is configured to run the program from the distribution point, but the client Computername$ account does not have permissions to access to the content.</li>
    <li>You want to use <strong>Client Push Installation</strong> when no user is logged on and when the computer is in a workgroup, a Windows NT 4.0 domain, or in an untrusted forest.</li>
  </ul>
  <p>The Advanced Client Network Access Account is used in the following two scenarios.</p>
  <ul>
    <li>During Advanced Client upgrade by Ccmsetup to connect to the shared client folder on the management point to download Client.msi.</li>
    <li>To access the distribution point if the logged on user account or computer account does not have permissions. This scenario might occur when the client roams.</li>
  </ul>
  <p> If the Advanced Client Network Access account is not configured, Ccmsetup will try to use the computer account if the client is a member of an Active Directory domain. If the client is a member of a Windows NT 4.0 domain, Ccmsetup will try to use the logged on user account, or wait for the user to log on.<br /><br />If the SMS hierarchy is distributed across trusted forests or other network environments in which the logged-on user or client computer account is a recognized security principal, the client will not need the Advanced Client Network Access account.<br /><br />Unlike the Legacy Client Software Installation account, the Advanced Client Network Access account is not used when an advertised program has to access a shared folder on a server other than the distribution point.<br /><br />For more information about SMS User accounts, see "Appendix C: SMS Accounts, Groups, and Passwords" in <a runat="server" href="https://go.microsoft.com/fwlink/?linkid=31433"><u>Scenarios and Procedures for Microsoft Systems Management Server</u></a>on the <a runat="server" href="https://www.microsoft.com/downloads/"><u>Microsoft Download site</u></a>. For more information about roaming, see the <a runat="server" href="https://www.microsoft.com/downloads/details.aspx?familyid=37ac2246-453a-4418-b026-f7140a6fce3c&amp;"><u>"SMS 2003 Configuration and Operation of Advanced Client Roaming"</u></a> white paper on the <a runat="server" href="https://www.microsoft.com/downloads/"><u>Microsoft Download site</u></a>.<br /><br /></p>
</td>

Q. After I switched to advanced security, I did not see as much network discovery information. What happened? (updated December 12, 2003)

A. By default, DHCP network discovery is disabled when the SMS site is running advanced security. This is by design. Advanced security relies on using the LocalSystem Account context to access server resources such as DHCP data. However, DHCP data cannot be accessed by using the LocalSystem Account security context. Therefore, DHCP network discovery is disabled in advanced security mode.

For more information about choosing a discovery method, see the "Choosing a Discovery Method" section in "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on the Microsoft Download site.

Q. For standard security, does my SMS service account need domain admin rights? (updated December 12, 2003)

A. The SMS service account does not have to be a member of Domain Admins if SMS is not installed on a Domain Controller. Installing SMS on a member server is the recommended best practice.

For more information, see the "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. Do all my sites in the hierarchy have to be advanced security, or can I have both standard and advanced?

A. Your hierarchy can have a mix of advanced security mode and standard security mode sites. However, advanced security sites can report only to advanced security sites, which means the first site that can run in advanced security mode is the central site. At each site, determine whether the site can be an advanced security site. If it cannot, then its direct and indirect child sites must be standard security sites.

For more information about security considerations for site and hierarchy design, see "Securing SMS," in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. Will SMS 2003 prevent SMS account lockouts?

A. Account lockouts are a domain policy and a domain function, therefore the only way to prevent account lockouts is to disable that feature. However, SMS 2003 can reduce account lockouts if you use the Advanced Client because you do not have any of those accounts that were being locked out. The accounts that were traditionally being locked out are the SMS Client Token Account and the SMS Client Connection Account. The Advanced Client does not use either of these accounts.

For guidelines to avoid account lockouts, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server on the Microsoft Download site.

Q. Which ports do I have to open in our firewall for SMS 2003 to work? (Added February 27, 2004)

A. The ports that SMS 2003 uses to communicate through a firewall or through a proxy server are documented in article 826852 in the Microsoft Knowledge Base.

Q. Can SMS 2003 Advanced Clients communicate with my management and distribution points through Network Address Translation and Firewall devices? (Added May 31, 2006)

A. No. The use of Legacy and Advanced Clients through a proxy server or devices that perform network address translation are not supported.

Q. Why is anonymous access to my management points required? What are the risks of allowing anonymous access? (Added October 29, 2004)

A.

The management point is the source of command and control data (policy) for SMS Advanced Clients. When Advanced Clients communicate with the management point, they always use the anonymous security context. A decision was made to rely exclusively on the anonymous security context to support the following common scenarios:

  • An SMS hierarchy can span Active Directory® forests and Windows NT4 domains.
  • An SMS hierarchy can span multiple forests.
  • SMS Advanced Clients can roam between forests.
  • SMS 2003 SP1 can allow support for workgroups.
  • The SMS 2003 Operating System Deployment Feature Pack can interact with computers that are being installed.

However, by not requiring clients to authenticate to the management point, the following vulnerabilities are present:

  • An attacker could impersonate a valid client and submit invalid status messages or software metering data.
  • An attacker could impersonate an imaginary client and submit invalid status messages or software metering data.
  • An attacker could submit large quantities of status messages or software metering data, slowing the management point, slowing the site server, and filling the database.
  • With SMS 2003 (with no service pack), an attacker could also submit invalid inventory on behalf of a valid or imaginary client. With SMS 2003 SP1, you can require clients to sign their inventory data. Management points will reject any unsigned inventory.

These vulnerabilities do not allow any one of the following to occur:

  • Elevation of privilege on either the SMS server or client.
  • Loss of confidential or personal information.
  • Unauthorized software installation.

SMS deployments are only supported in an intranet environment, therefore the risks of a Denial of Service (DoS), attack or of a pollution attack on status messages, software metering data, (and inventory in SMS 2003 (with no service pack) are extremely unlikely. SMS also reduces the probability of attacks against inventory because new inventory is collected on a schedule. An attacker would have to continuously supply invalid inventory data.

While there are risks in allowing anonymous access to management points, the benefit of providing flexibility in SMS configuration was judged to be very important to the current customer base. However, because of customer concern regarding anonymous access to management points, we are committed to changing the way management points are authenticated in a future release.

Q. I added my site server computer account to a group, but it doesn’t seem to be working. Why? (Added January 31, 2005)

A. Remember that group membership is evaluated only at logon. For users, group evaluation occurs when the user actually logs on, but for computers, it occurs when the computer starts up. After you add your computer account to a group, reboot the computer for the group membership to take effect.

Q. Does my sysadmin SQL role have to be local administrator on the computer running SQL Server? (Added May 31, 2005)

A. No, you can safely remove the sysadmin role from the local administrators group if you first perform the correct steps for your security mode. If you have standard security, create Microsoft SQL Server logins for both the SMS service account and the Remote Service account and grant both logins sysadmin rights. If you have advanced security, create a SQL login for the site server computer account and grant that login sysadmin rights.

For more information about logins and the sysadmin role, see the "Logins, Users, Roles, and Groups" section in the most recent version of the SQL Server Books Online. For more information about the SMS service account, the Remote Service account, and the site server computer account, see "Appendix C: SMS Accounts, Groups, and Passwords" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on the Microsoft Download site.

Q. Which SMS accounts need to be local administrators on the computer running SQL Server? (Added May 31, 2005)

A.

The following accounts must always be local administrators on the computer running SQL Server:

  • The user installing SMS
  • The user running SMS site reset
  • The SMS Service account (standard security) or the SMS site server account (advanced security)

By default, local administrators group is a member of the sysadmin server role on the SQL Server database; however, you should restrict membership of the sysadmin fixed server role to a few trusted accounts. For SMS operations, you can safely remove the administrators group from the sysadmin role if you first perform the correct steps for your security mode and SMS configuration:

Note It is recommended that you use advanced security and Windows authentication.

  SMS configured to use Windows Authentication SMS configured to use SQL Server authentication

Advanced security

Create a SQL login for the site server computer account and grant that login sysadmin rights.

Create SQL logins for the site server computer account and the SMS SQL Server (site database) account, and grant both logins sysadmin rights.

 

Standard security

Create Microsoft SQL Server logins for both the SMS service account and the Remote Service account and grant both logins sysadmin rights. (The Remote Service account is the account used to run the SMS SQL Monitor service.)

Create SQL Server logins for the SMS SQL Server (site database) account, the SMS service account, and the Remote Service account and grant all three logins sysadmin rights

  <p>
    <br />
  </p>
  <p> For more information about logins and the sysadmin role, see the "Logins, Users, Roles, and Groups" section in the most recent version of the SQL Server Books Online. For more information about the SMS service account, the Remote Service account, the SQL Server/Site Database account, and the site server computer account, see "Appendix C: SMS Accounts, Groups, and Passwords" in <a runat="server" href="https://go.microsoft.com/fwlink/?linkid=31433"><u>Scenarios and Procedures for Microsoft Systems Management Server 2003: Security</u></a> on the <a runat="server" href="https://www.microsoft.com/downloads/"><u>Microsoft Download site</u></a>.<br /><br /></p>
</td>

For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ tosmsdocs@microsoft.com.

 Top of page