Inventory Security Best Practices and Privacy Information
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Collecting inventory exposes potential vulnerabilities. Attackers can:
Send invalid data.
Send excessively large amounts of data.
Access inventory information as it is transferred to the site systems.
Inventory attacks are usually considered less serious than attacks that could force unauthorized software distribution because the inventory information can be available through other means.
Best Practices for Inventory
Enable inventory encryption In Microsoft System Center Configuration Manager 2007 native mode, client communications with the management point are encrypted with SSL. In mixed mode, by default, client inventory reports and collected files sent to management points are signed, but not encrypted. For more information about encrypting inventory reports sent to management points, see How to Encrypt Client Inventory Reports.
Disable IDMIF and NOIDMIF collection in high security environments The IDMIF and NOIDMIF collection can be used to extend hardware inventory collection. When necessary, Configuration Manager 2007 creates new tables or modifies existing tables in the site database to accommodate the properties in IDMIF and NOIDMIF files. However, IDMIF and NOIDMIF files are not validated, so they could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. Large amounts of data could be loaded, causing delays in all Configuration Manager 2007 functions. To mitigate this risk, you can disable the IDMIF and NOIDMIF collection on the Hardware Inventory Client Agent properties.
|Extending hardware inventory collection by using SMS_def.mof extensions does not have the same security issues. All SMS_def.mof extensions must be made on the server side, which requires administrative rights.|
Do not use file collection to collect critical files or sensitive information Configuration Manager 2007 collections inventory using all the rights of the LocalSystem account, which has the ability to collect copies of critical system files, such as the registry or security account database. When these files are available at the site server, someone with the Read Resource rights or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to be able to compromise its security.
Hardware inventory allows you to retrieve any information that is stored in WMI on your Configuration Manager 2007 clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality.
Hardware inventory is on by default and the WMI information collected is determined by the SMS_def.mof file. You can modify the .mof file to collect more or less information. Software inventory and file collection are off by default. Asset Intelligence Data Collection is not enabled by default on new installations, but if it was previously enabled for a SMS 2003 SP3, then it is still enabled after upgrade.
Inventory information is not sent back to Microsoft. Inventory information is stored in the site database. In native mode, inventory is encrypted during transfer to the management point. In native mode, you have the option to enable inventory encryption. Data is not stored in encrypted form in the database in either mode. Information is retained in the database until deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval.
Before configuring hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.