Best Practices for Maintaining Configuration Manager Security
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Securing your Microsoft System Center Configuration Manager 2007 environment is not a task you can complete once and forget about. Every day, new attacks are being developed to exploit newly discovered vulnerabilities. A merger or new product line might completely change your organization’s tolerance for security risk. Periodically review every aspect of your Configuration Manager 2007 security implementation, including design, implementation, policies, and maintenance.
Create security policies and adhere to them
Documented policies and procedures are beneficial for any system, and should be implemented for Configuration Manager 2007 security. Security policies are statements about standards and behavior. Security procedures are detailed instructions of how each organization implements the security policies. For example, your security policy might state when it is acceptable to use Remote Tools. Your security procedures would include the steps for verifying that remote tool status messages are being collected, how frequently the reports should be reviewed, and what to do if a violation is suspected. In order to be effective, policies must be reviewed periodically and revised as needed.
For more information about policies and procedures, see http://go.microsoft.com/fwlink/?LinkId=50941 in the TechNet Security Center.
Use a test lab to test future change configurations for security concerns
Do not install Configuration Manager 2007 on any of your production servers before you install it and work with it in your test lab. Installing Configuration Manager 2007 in a production environment without first testing it on an isolated network can cause undesirable and potentially damaging results. Before introducing new security measures in your production environment, test them in your lab. Verify that you can implement the security procedures without introducing new vulnerabilities in your network. Verify that the new measures do not interfere with mission-critical business activity. For example, implementing IPsec is an important security measure for data transmission security, but implementing it incorrectly could stop all network communications.
Secure your test lab
Test labs require as much security as the production environment. Unsecured test labs could allow attackers to study vulnerabilities that could be reproduced in the production environment. Often password security is lax in a lab environment. Passwords might be taped to lab computers or changed very infrequently so as not to interfere with testing. An attacker might gain access to the scripts and packages that are developed in the lab and introduce vulnerabilities that could be exploited in production.
Physically secure the lab environment. Enforce the same password standards for the lab as you do for your production environment. Audit the lab environment for signs of intrusion.
Test your backup and recovery procedures
Backup procedures are worthless unless they are periodically tested. Configuration Manager 2007 backup and recovery are complex procedures and should be routinely tested. For more information about developing and implementing your backup and recovery procedures, see Overview of Backup and Recovery.
Secure your backup media
The Configuration Manager 2007 backup task makes copies of the registry, the file structure, and the Configuration Manager 2007 site database. Attackers who gain access to the backup media could gain valuable information about the network, such as IP addresses, Active Directory site names, and the state of all client computers. Attacks involving backup media are potentially as serious as physical attacks against servers. As with all backups, store Configuration Manager 2007 backup media in a secure location, consider encrypting the backup files, and institute a controlled procedure to check out and restore the media.
Review Configuration Manager settings
Good change and configuration management facilitates good security. Ideally no change should happen in production without proper planning, testing, authorization, and change tracking. Even if you have the best possible change controls, you should still periodically review your Configuration Manager 2007 configuration to verify that there have not been any unauthorized changes. Use desired configuration management to monitor for changes to authorized baseline configurations.
Note: When you decommission site systems and user accounts, verify that all corresponding rights and permissions are also removed.
Review audit logs
You can monitor operating system security by using the auditing facility of the operating system. After you have enabled security auditing, watch the security event log for Configuration Manager 2007-related events. Check closely for any failures that involve Configuration Manager 2007 accounts or resources. Windows event logs can get full, and by default, new items will start to overwrite older items. To diagnose problems, and for other reasons, it might be necessary to refer to an older event log. It is recommended that you back up Windows event logs, and store the backups in a safe and accessible location. If necessary, increase the default log file size to accommodate larger amounts of data.
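The three steps above (look for failure audits that name Configuration Manager accounts, back up the Security log, raise its size limit) as an added PowerShell example that is not part of the original article. The account names and the backup folder are placeholders you would replace with your own; the script must run as a local administrator on the site system.

```powershell
# Added example (not from the original article): review, back up, and enlarge the
# Windows Security log on a Configuration Manager 2007 site system.
# Assumptions: run elevated; $SiteAccounts and $BackupDir below are placeholders.

$SiteAccounts = @('CONTOSO\SMSSiteServer$', 'CONTOSO\SMS_ClientPush')   # placeholder account names
$BackupDir    = 'D:\EventLogBackups'                                     # placeholder folder
$Since        = (Get-Date).AddDays(-1)

# 1. Failure audits from the last day whose text mentions one of the site's accounts.
#    Filtering on EntryType instead of specific event IDs works on both Windows Server 2003 and 2008.
$failures = Get-EventLog -LogName Security -EntryType FailureAudit -After $Since |
    Where-Object {
        $entry = $_
        @($SiteAccounts | Where-Object { $entry.Message -like "*$_*" }).Count -gt 0
    }

$failures | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, MachineName,
        @{ Label = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } -AutoSize

# 2. Back up the Security log before it wraps, so older entries stay available for diagnosis.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir "Security-$env:COMPUTERNAME-$stamp.evt"
$log    = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='Security'"
$rc     = $log.BackupEventLog($target).ReturnValue      # 0 means the backup succeeded
if ($rc -ne 0) { Write-Warning "Backup of the Security log failed with code $rc" }

# 3. Raise the maximum log size so that fewer events are overwritten between reviews.
Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteAsNeeded
```

Store the exported .evt file with your other backups; the page's guidance on securing backup media applies to event log backups as well.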
Monitor Configuration Manager operations
Watch Configuration Manager 2007 operational activities to ensure that only authorized activities are occurring. For example, watch for the creation of large or suspicious collections, the creation of advertisements, the addition of links from large collections to collections that are being advertised to, or package updates.
The Configuration Manager 2007 status subsystem provides audit events to watch for such activities. All audit events are maintained for 180 days by default. Other server status messages are kept for 30 days by default. Configuration Manager 2007 provides several default status message queries that you can use to audit for security-related activity. The following is a partial list of status message queries that you might find useful when monitoring for unauthorized activity:
Security rights created, modified, or deleted
Advertisements created, modified, or deleted
Packages created, modified, or deleted
Programs created, modified, or deleted
Clients that (failed to run) (failed to start) a specific advertised program
Server component configuration changes
Client component configuration changes
Remote tools activity (all)
Site addresses created, modified, or deleted
Site boundaries created, modified, or deleted
SQL commands created, modified, or deleted
SQL tasks created, modified, or deleted
All audit status messages (for a specific user) (from a specific site)
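The audit status messages that the default queries above report can also be pulled directly from the SMS Provider. The following is an added PowerShell example, not part of the original article or of the product; the provider computer name and site code are placeholders, and it assumes the caller has Read rights on status messages and that the acting user's name appears among a message's insertion strings.

```powershell
# Added example (not from the original article): list Configuration Manager 2007 audit
# status messages from the last N days, optionally restricted to one user, via WMI.
# Assumptions: $ProviderServer and $SiteCode are placeholders; caller can read status messages.

$ProviderServer = 'SMSPROVIDER01'   # placeholder: computer hosting the SMS Provider
$SiteCode       = 'XYZ'             # placeholder: three-character site code
$Days           = 7
$UserFilter     = $null             # e.g. 'CONTOSO\jdoe'; $null reports all users

$ns    = "root\SMS\site_$SiteCode"
$since = (Get-Date).AddDays(-$Days)

# MessageType 768 marks audit messages (256 = milestone, 512 = detail). Audit messages are
# kept for 180 days by default, so the time window is applied after retrieval.
$audit = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns `
    -Query 'SELECT RecordID, MessageID, Component, MachineName, SiteCode, Time FROM SMS_StatusMessage WHERE MessageType = 768' |
    Where-Object { $_.ConvertToDateTime($_.Time) -ge $since }

$report = foreach ($m in $audit) {
    # Insertion strings carry the variable parts of a message: who did what to which object.
    $ins = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns `
        -Query "SELECT InsStrIndex, InsStrValue FROM SMS_StatMsgInsStrings WHERE RecordID = $($m.RecordID)" |
        Sort-Object InsStrIndex | ForEach-Object { $_.InsStrValue }

    # -contains is case-insensitive, so 'contoso\jdoe' and 'CONTOSO\jdoe' both match.
    if ($UserFilter -and -not ($ins -contains $UserFilter)) { continue }

    New-Object PSObject -Property @{
        Time      = $m.ConvertToDateTime($m.Time)
        MessageID = $m.MessageID
        Component = $m.Component
        Server    = $m.MachineName
        Site      = $m.SiteCode
        Details   = ($ins -join ' | ')
    }
}

$report | Sort-Object Time | Format-Table Time, MessageID, Component, Server, Details -AutoSize
```

Schedule the report and compare it against your change records; any audit message without a matching authorized change is the unauthorized activity this section asks you to watch for.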
Periodically test Configuration Manager security
Test Configuration Manager 2007 security when you are putting it in place and test it periodically thereafter. Try to access all types of Configuration Manager 2007 resources using accounts you have created and delegated tasks to in order to verify that Configuration Manager 2007 objects and data are protected. Attempt to access resources using unauthorized accounts.
Develop an incident response plan
Designing an incident response plan could be as crude as “unplug affected computers from the network, reformat, and reinstall” or it might be a sophisticated endeavor with trained forensics experts who know precise techniques for gathering evidence that can be used in prosecution. Decide what your appropriate level of response is and practice your plan periodically. For more information about disaster recovery and incident response, see "Disaster Recovery and Incident Response" (http://go.microsoft.com/fwlink/?LinkId=28825) on the Microsoft TechNet site.
Secure your internal Configuration Manager documentation
Your network documentation can provide everything someone needs to know to implement a successful attack. Even your list of internal Configuration Manager 2007 contacts could be used in a social engineering attack. Store your Configuration Manager 2007 documentation in a secure location. Dispose of Configuration Manager 2007 documentation in a shredder or by using a secure document removal service. If you keep backup copies of Configuration Manager 2007 documentation for disaster recovery, secure the backup copies.
Train your organization to follow security best practices
Develop a comprehensive user education program for your end users to train them that security is everybody’s responsibility. Train your network administrators on proper security procedures and enforce strict adherence to security policy. Configuration Manager 2007 administrators who do not lock their Configuration Manager 2007 consoles are inviting attacks from disgruntled employees. Receptionists who are trying to be helpful can inadvertently give attackers everything they need to compromise valuable trade secrets.
Backup media contains all of your site information, including sensitive information such as computer names and IP addresses collected by Configuration Manager 2007 features. You should protect the personally identifiable information in backup files in accordance with your local privacy regulations.