Understanding Configuration Manager Security
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Security for Microsoft System Center Configuration Manager 2007 consists of several layers. First, the Windows provides security features for both the operating system and the network. For example, Windows provides the following:
File sharing to transfer files between Configuration Manager 2007 components
Access Control Lists (ACLs) to secure files and registry keys
IPsec for securing communications
Group Policy for setting security policy
DCOM permissions for distributed applications like the Configuration Manager 2007 console
Active Directory Domain Services to store security principals
Windows account security, including some groups that are created during Configuration Manager 2007 installation
Additional security components such as firewalls and intrusion detection help provide defense in depth for the entire environment. Certificates issued by industry standard PKI implementations help provide authentication of Configuration Manager 2007 components and signing for applications distributed to mobile device clients.
Configuration Manager 2007 controls access to the Configuration Manager 2007 console in several ways. By default, only Administrators have rights to the files and registry keys needed to run the Configuration Manager 2007 console on computers where it is in installed.
The next layer of security is access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group initially contains only the user who installed Configuration Manager 2007. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.
The final layer of security is permissions to objects in the site database. By default, the Local System account and the user account that you used to install Configuration Manager 2007 have access to administer all objects in the site database. You can grant permissions to additional users in the Configuration Manager 2007 console.
There are two security modes in Configuration Manager 2007.
Native mode is the recommended site configuration for new Configuration Manager 2007 sites because it offers a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. PKIs can help companies meet their security and business requirements, but they must be carefully designed and implemented to meet the current and future needs. Installing a PKI solely to support Configuration Manager 2007 operations could fulfill certain short term goals but could hamper a more extensive PKI rollout to support other applications at a later time. If your organization already has a well-designed, industry-standard PKI, Configuration Manager 2007 should be able to use certificates from the existing PKI.
|Native mode requires extensive planning and lab testing prior to implementation. If the PKI infrastructure is not implemented properly to support Configuration Manager 2007, the whole site could stop functioning. Do not implement native mode in a production environment without thoroughly understanding the requirements.|
While native mode is the most secure mode available in Configuration Manager 2007, mixed mode can be considered adequate security for many organizations and requires less administrative overhead. Mixed mode is the default when upgrading from an existing Systems Management Server (SMS) 2003 site and provides backwards compatibility for hierarchies that have both SMS 2003 sites and Configuration Manager 2007 sites. It is possible to install with mixed mode and then migrate to native mode later. It is also possible to revert to mixed mode from native mode. Both migrating and reverting require thorough planning prior to implementation.
Native mode sites cannot report to mixed mode sites. When migrating from mixed mode to native mode, always convert the central site first and then work down.
Computers that connect to the organization's network using VPN or dial-up technology can be managed as regular Configuration Manager 2007 clients. Computers that connect to the Internet but never connect to the organization network can be configured as Internet-based clients. Internet-based clients can belong only to native mode sites. Managing Internet-based clients requires carefully planning where site systems will be located. For example, you could put management points and distribution points in your perimeter network, or you could allow Internet-based clients to traverse your firewall to access site systems inside your organization's network, or you could create a separate site in the perimeter network just to support Internet-based clients.
While network management products let you effectively manage large numbers of clients, you must also be aware of ways that this software affects the privacy of users in your organization. Configuration Manager 2007 includes many tools to gather data and monitor client computers, some of which could raise privacy concerns.
For example, when you deploy the Configuration Manager 2007 client, you enable client agents so you can use Configuration Manager 2007 features. The settings you use to configure the features apply to all clients in the site, regardless whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by the site. Client information is stored in the database and is not sent back to Microsoft. Before implementing Configuration Manager 2007, consider your privacy requirements.
Configuration Manager Accounts and Groups
Configuration Manager 2007 uses the Local System account for most site operations. Certain configurations might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup, but you might have to manually add computer or user accounts to these default groups and roles.
Other ResourcesFundamentals of Configuration Manager 2007
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.