Configuration Manager Security and Privacy Planning
Updated: December 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 security controls are flexible and can be implemented or changed at any time. Several security-related configurations, such as changing default port numbers and using custom Web sites, are easier to implement if they are planned for in advance. Privacy is also an important planning consideration when using Configuration Manager 2007.
Recommended Security Configuration
The following configuration is considered the most secure Configuration Manager 2007 environment possible.
Use native mode throughout the hierarchy.
Extend the Active Directory schema for Configuration Manager 2007 and enable Active Directory publishing. Configure clients in the same forest so that they can query Active Directory.
Use IPsec to secure communications between site systems.
Even if you have already installed Configuration Manager 2007 with a different configuration, you can upgrade to this configuration at any time.
Use native mode
Native mode requires you to upgrade all of your sites and clients to Configuration Manager 2007 and to use certificates from a public key infrastructure (PKI) to authenticate site systems and clients. While it increases administrative overhead, the authentication and encryption between clients and site systems eliminate many attack vectors. For example, in native mode, the management point authenticates the client before accepting inventory information, but in mixed mode, the client is not authenticated. For more information, see Choose between Native Mode and Mixed Mode.
In mixed mode, if the check box This site contains only ConfigMgr 2007 clients is selected, only clients that are approved can receive policies containing sensitive data. However, if the check box is not selected, then policies containing sensitive data can be sent to any client.
Use schema extensions and Active Directory publishing
Schema extensions are not required to run Configuration Manager 2007, but they do create a more secure environment. You should enable Active Directory Configuration Manager 2007 schema extensions and Configuration Manager 2007 publishing to Active Directory so that management points can publish their certificates and their location in Active Directory. You should also plan your sites so that all clients are in the same forest as the site server; this allows clients in the forest to identify authorized management points from a trustworthy source. You should not use clients in workgroups because they cannot query Active Directory for site information.
Active Directory can also store the public key used for signing intersite data transfer. When the public key changes during a recovery operation, the new key automatically propagates to child and parent sites. If you are upgrading from SMS 2003, you should also upgrade your schema extensions for Configuration Manager 2007. For more information about schema extension, see Decide If You Should Extend the Active Directory Schema.
Use IPsec to secure communications between site systems
Neither native mode nor mixed mode secures the communication channel between the site server and the site systems. If you do not use some method like IPsec to secure these channels, attackers can use various spoofing and man-in-the-middle attacks against site systems. For more information, see Implementing IPsec for Configuration Manager 2007.
Using non-default ports is often beneficial from a security standpoint because it makes it harder for attackers to explore the environment in preparation for an attack. If you are going to use non-default ports, it is easiest to plan for them at the beginning and use them consistently across all sites in the hierarchy, especially if you will support roaming. If you do not deploy clients with the chosen non-default ports, you will have to go back and reconfigure them later.
Custom Web Site Planning
Configuration Manager 2007 allows you to use custom Web sites instead of the default Web site for IIS. While using site systems to host non-Configuration Manager 2007 applications in IIS is not recommended, if you do choose to co-locate applications you should always use a custom Web site. Custom Web sites are a site-wide setting, not a site systems setting; you must configure all site systems in your organization to use custom Web sites.
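The recommended configuration and the hierarchy-wide port and custom Web site settings described above can be checked against a planned site inventory before deployment. The following Python is an added example, not Microsoft code; the Site record, its field names, and the sample hierarchy are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Site:                      # hypothetical inventory record, one per site
    code: str
    native_mode: bool
    only_2007_clients: bool      # mixed-mode check box "This site contains only ConfigMgr 2007 clients"
    publishes_to_ad: bool
    ipsec_site_systems: bool     # site server <-> site system channels protected
    client_port: int
    custom_web_site: bool
    workgroup_clients: int = 0

def audit(schema_extended, sites):
    """Return (scope, finding) pairs where the plan departs from the recommended configuration."""
    out = []
    if not schema_extended:
        out.append(("hierarchy", "Active Directory schema not extended"))
    for s in sites:
        if not s.native_mode:
            out.append((s.code, "mixed mode: clients are not authenticated"))
            if not s.only_2007_clients:
                out.append((s.code, "sensitive policies can be sent to any client"))
        if not s.publishes_to_ad:
            out.append((s.code, "not publishing to Active Directory"))
        if s.workgroup_clients:
            out.append((s.code, f"{s.workgroup_clients} workgroup clients cannot query Active Directory"))
        if not s.ipsec_site_systems:
            out.append((s.code, "site system channels not secured with IPsec"))
    # Settings that are planned once and applied across the whole hierarchy.
    if len({s.client_port for s in sites}) > 1:
        out.append(("hierarchy", "client port differs between sites"))
    if len({s.custom_web_site for s in sites}) > 1:
        out.append(("hierarchy", "custom Web site not used on every site"))
    return out

# Constructed sample hierarchy (not real data).
SITES = [
    Site("CEN", True, True, True, True, 8443, True),
    Site("P01", False, False, True, False, 8443, True, workgroup_clients=12),
    Site("P02", True, True, False, True, 443, False),
]

if __name__ == "__main__":
    for scope, finding in audit(schema_extended=True, sites=SITES):
        print(f"{scope}: {finding}")
```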
Configuration Manager 2007 primarily uses the Local System account for most site operations, but there are several optional accounts that can be created and configured in the Configuration Manager 2007 console to perform specific functions. During the planning phase, decide which optional accounts you will need to configure and work with the accounts administrator in your organization to have them created. For more information, see the detailed description of each account in Accounts and Groups in Configuration Manager.
Security Rights Planning
System Center Configuration Manager 2007 grants access to its functionality based on security rights. One part of configuring Configuration Manager 2007 security is creating various security rights so that Configuration Manager 2007 administrators have access to certain functionality and data.
You should determine the roles you will use in your environment and plan to assign the least possible security rights to perform the role. For more information, see Overview of Configuration Manager Object Security and WMI.
While configuration management products let you effectively manage large numbers of clients, you must also be aware of ways that this software could impact the privacy of users in your organization. Configuration Manager 2007 includes many tools to gather data and monitor client computers, some of which could raise privacy concerns. Before deploying Configuration Manager 2007, consider your privacy requirements. For more information, see Overview of Configuration Manager Privacy.
If you installed a new Configuration Manager 2007 site server, a site reset sets the access control lists (ACLs) back to the original settings. If you upgrade an existing Systems Management Server (SMS) 2003 site, Setup does not change the permissions on the upgraded directories. Also, if you do a site reset of a site that was upgraded from SMS 2003, the site reset does not reset the ACLs on the upgraded directories.