Best Practices for Securing Internet-Based Clients
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 allows you to manage clients that do not connect to your internal network by using dial-up or VPN technology. While managing these clients can help make them more secure, you must configure your Configuration Manager 2007 infrastructure in such a way that some of your site systems are exposed to Internet communications. You must use Configuration Manager 2007 native mode if you plan to support Internet-based clients, because native mode helps mitigate some of the risk of being exposed to the Internet.
Use SSL bridging to SSL, using termination with authentication

The benefit of SSL termination at the proxy Web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy Web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy Web server, the client identity (client GUID) is securely contained within the packet payload, so the management point does not consider the proxy Web server to be the client. If your proxy Web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content.
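The two proxy designs described above, as an added configuration example that is not part of the Configuration Manager documentation: it uses nginx as a stand-in for the proxy Web server, and every host name, address and certificate path in it is an assumption. The first block terminates and authenticates the Internet connection and then opens a new authenticated connection to the management point (SSL bridging); the second forwards the encrypted packets untouched (SSL tunneling), which is why they cannot be inspected.

```nginx
# Added example, not Microsoft's configuration. nginx stands in for the proxy Web server;
# all names, addresses and paths are assumptions for illustration.

# --- SSL bridging: terminate, authenticate, inspect, then re-encrypt to the management point ---
http {
    server {
        listen 443 ssl;
        server_name mp.example.com;                       # assumed Internet FQDN of the proxy

        ssl_certificate     /etc/nginx/certs/proxy.crt;   # assumed server certificate of the proxy
        ssl_certificate_key /etc/nginx/certs/proxy.key;

        # Authenticate the Internet client by its certificate before anything is forwarded.
        ssl_client_certificate /etc/nginx/certs/enterprise-ca.pem;   # assumed issuing CA chain
        ssl_verify_client      on;
        ssl_verify_depth       2;

        location / {
            # The client's TLS session ends here, so the decrypted request can be inspected
            # (for example by a web application firewall module) before it is forwarded.
            # The client identity (client GUID) stays inside the request payload; the proxy
            # only supplies the transport.
            proxy_pass https://10.0.0.10;                 # assumed internal management point

            # New, separately authenticated connection from the proxy to the site system.
            proxy_ssl_certificate         /etc/nginx/certs/proxy-client.crt;  # assumed proxy client cert
            proxy_ssl_certificate_key     /etc/nginx/certs/proxy-client.key;
            proxy_ssl_trusted_certificate /etc/nginx/certs/enterprise-ca.pem;
            proxy_ssl_verify              on;
            proxy_ssl_name                mp.internal.example.com;  # assumed internal FQDN
            proxy_ssl_server_name         on;
        }
    }
}

# --- SSL tunneling (less secure): encrypted packets are passed through without termination ---
stream {
    server {
        listen 8443;
        proxy_pass 10.0.0.10:443;   # nothing in the payload is visible to the proxy
    }
}
```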
Use Active Directory to deploy the site server signing certificate

There are three options for the client to receive the site server signing certificate: being installed with it using the SMSSIGNCERT parameter, querying Active Directory Domain Services, or automatically obtaining it from the management point. Of the three solutions, automatically deploying it with the management point is the least secure and should not be used if you have any doubts about the security of your management point. For example, a management point that resides in a perimeter network to accept connections from the Internet for Internet-based client management is considered less secure than a management point within your intranet that accepts only connections from intranet clients. However, automatically deploying a copy of the site server signing certificate through the management point might be an appropriate solution if the management point accepts only connections from intranet clients and you do not want the administrative overhead of manual deployment. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).
Do not create distribution point shares or branch distribution points on Internet-based clients

While Configuration Manager 2007 might not block you from doing so, creating any type of distribution point on an Internet-based client greatly increases your attack surface and should be avoided. Create distribution points only on site systems that can be managed within the intranet or the perimeter network.
Do not use site systems that bridge the perimeter network and intranet

While it is possible to configure your server placement for Internet-based clients such that all necessary site systems are multi-homed and connected to both the perimeter network and the intranet, this configuration is not recommended because there is no security boundary between the perimeter network and the intranet. There are several other options available that are more secure than bridging the perimeter boundary. For more information, see Determine Server Placement for Internet-Based Client Management.
When you deploy the Configuration Manager 2007 client, you enable client agents so you can use Configuration Manager 2007 features. The settings you use to configure the features apply to all clients in the site, including clients connected to the Internet that never attach directly to the organization network. For example, you could configure inventory for the site, which would also inventory an Internet-based home office computer that belongs to an employee. Client information is stored in the database and is not sent back to Microsoft. Before configuring the Configuration Manager 2007 client, consider your privacy requirements.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.