
How to Modify the Remote Tools Permitted Viewer Accounts

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Local administrator rights are not required for a user to be able to use Microsoft System Center Configuration Manager 2007 Remote Tools. If a Remote Tools user is on the Permitted Viewers list and has the Use remote tools right for the collection, the user can use Remote Tools on the client.

To specify a new remote tools permitted viewer account

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

  2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

  3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

  4. Click the new button to open the New Viewer dialog box, and then specify an existing Microsoft Windows user account or group name.

  5. Click OK to close the dialog box, and then click OK to close the Remote Tools Client Agent Properties dialog box.

To remove a remote tools permitted viewer account

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

  2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

  3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

  4. In Permitted Viewers, click the viewer name and then click the delete button.

  5. Click OK.

Security

Important
Bypassing the Use remote tools right for the collection is easy for knowledgeable or determined attackers. They could set up a Configuration Manager 2007 site that is not part of your hierarchy and create resource records for clients they want to control, and then grant themselves Use remote tools permission on those resources. Alternately, they could use the Remote.exe /SMS:nosql switch to create a remote tools session without verifying the permissions in the site database. You should think of collection security for Remote Tools as an organizational convenience, not a security tool.

Members of global groups that are members of local groups listed in the Permitted Viewers list are not enumerated, and thus members of global groups are not granted access permissions when they are nested in local groups. To avoid confusion, explicitly specify all global groups on the Permitted Viewers list.

The Permitted Viewers list is intentionally ambiguous because a user is authenticated against the list at the client, and the site server might not have access to the same domains as the client. Consequently, you can enter an account name in the Permitted Viewers list without specifying a domain for the account. However, the list must be clear at the client. Therefore, it is recommended that you enter an account name in the Permitted Viewers list by using the domain\account format to remove any ambiguity that might occur at the client.
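The two notes above can be checked mechanically before a list is deployed. The following PowerShell is an added example, not part of the original documentation or of Configuration Manager. The function name, its parameters, and the sample entries are hypothetical, and it assumes the entries are supplied as plain strings copied from the Security tab and that PowerShell 3.0 or later is available.

```powershell
# Added example: lint Permitted Viewers entries against the two notes above.
# Function name, parameters and sample entries are hypothetical/constructed.
function Test-PermittedViewerEntry {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Entry,
        # NetBIOS name of the client that will evaluate the list
        [string] $ClientName = $env:COMPUTERNAME
    )
    # Qualifiers that denote an account local to the client
    $localScopes = @('BUILTIN', '.', $ClientName)
    foreach ($e in $Entry) {
        $name  = $e.Trim()
        # Split on the first backslash only: qualifier, then account name
        $parts = $name -split '\\', 2
        if ($parts.Count -lt 2 -or -not $parts[0] -or -not $parts[1]) {
            # No domain given: the client has to guess which account is meant
            $finding = 'Unqualified'
            $advice  = 'Ambiguous at the client; re-enter as domain\account.'
        }
        elseif ($localScopes -contains $parts[0]) {
            # Local groups do not pass access on to nested global groups
            $finding = 'LocalScope'
            $advice  = 'If this is a local group, global groups nested in it are not enumerated; list them explicitly.'
        }
        else {
            $finding = 'Qualified'
            $advice  = ''
        }
        [pscustomobject]@{ Entry = $name; Finding = $finding; Advice = $advice }
    }
}

# Constructed sample list, as it might be copied from the Security tab
$sample = 'CONTOSO\HelpDesk Operators', 'jsmith',
          'BUILTIN\Administrators', 'PC042\Remote Support'
Test-PermittedViewerEntry -Entry $sample -ClientName 'PC042' |
    Format-Table -AutoSize
```

The check works on names only and does not resolve accounts, so a LocalScope finding still needs a manual look at whether the entry is a group and what is nested in it.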

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft