Operating System Security

SMS depends heavily on the operating systems you use and on their security subsystems. Not only does SMS run on the operating system, but it also uses the operating system's file sharing to communicate between SMS sites, SMS component servers, and SMS clients. Understanding operating system security is therefore fundamental to understanding SMS security. You must become familiar with the basics of operating system security, including the concepts of accounts, groups, and domains. This section identifies the specific aspects of the operating system that affect SMS security. For a detailed explanation of the fundamentals of operating system security, see any book about the operating systems you use that includes a security discussion.

Important:

  • Microsoft Windows® 98 is not considered to be a secure operating system. It lacks many of the security features of Microsoft Windows NT® 4.0, Microsoft Windows 2000, Microsoft Windows XP, and the Windows Server™ 2003 family, such as the ability to run programs in different security contexts, the NTFS file system, a local security database, security auditing, and the ability to authenticate accounts other than during logon. All activity on computers running Windows 98 is done in the context of the logged-on user. For these reasons, the client side of the SMS security model does not apply to computers running Windows 98.

Account Security

SMS can use many accounts to run its various components, which allows it to have very specific security for each component, thus minimizing the overall risk of a breach of SMS security. In order to understand SMS design and how to use SMS accounts properly, you must understand how your operating system uses accounts.

Accounts and Processes

Computer programs run in processes and each process has a security context assigned to it by the operating system. The security context includes details about the privileges that are available for that process to use.

Privileges are granted to accounts, and they allow processes that are created for those accounts to perform specific functions on a computer. Typical rights include the ability to shut down a computer or to run programs as services. A process's security context is represented by its access token; the rights granted to the account are recorded in that token when the process (and its token) is successfully created.

A common example of a process being created with a new security context is a user logging on to a computer. The user provides a user name, password, and domain (or computer name), which are known collectively as credentials. The credentials are authenticated against a database of accounts. If a match is found, then the user is logged on, and a process is created for the user.

Another example of a process being created with a new security context is when a program is run as a service. Services are started by the operating system (sometimes at the direction of a privileged user). Services can run in the security context of the operating system itself, but that local system security context cannot by itself access resources on other computers over the network. To use resources on other computers, either the computer account or an account with a user name and password is used, and those credentials are authenticated through the same authentication process as when a user logs on.

On Legacy Clients and on SMS site servers using standard security, SMS runs many of its server components using SMS accounts. On Advanced Clients and on SMS site servers using advanced security, SMS runs its server components in the local system security context, or using the computer account rather than a user account.

The Legacy Client relies heavily on domain accounts to carry out key tasks on the SMS client computer, such as installing software in an administrative context when the logged-on user account does not have the appropriate security credentials. The Advanced Client, on the other hand, is engineered to use the local system security context and the computer account to carry out these same key tasks, which makes the Advanced Client much more secure. It is strongly recommended that you install the Advanced Client as the preferred client on all your SMS client computers, especially those running Windows 2000 or a later operating system.

Permissions and Access Control

You set permissions on objects, such as files and folders, at the object level. The operating system security subsystem evaluates which level of permission to assign to a process when the process accesses the object. The operating system compares the user name and domain (or computer name) and the groups the user belongs to (as stored in the process token) with the object's access control list (ACL). If a match is found, the operating system then determines whether the kind of access that has been requested is permitted.

Access control lists contain access control entries (ACEs). Each ACE specifies a user or group that can access the object, and the kind of access the user or group is permitted. Operating systems use a wide variety of objects. SMS objects such as collections, packages, and advertisements are secured by using ACLs that you set through the SMS Administrator console.
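The following is an added illustration, not code from SMS or from the Windows security subsystem: a simplified model of how a process token (user SID plus group SIDs) is checked against an ACL of allow and deny ACEs. The ACEs are walked in order; a matching deny ACE that overlaps a right that has not yet been granted denies the request, and matching allow ACEs accumulate rights until every requested right is granted. The SIDs, the access-mask bit values, and the "package folder" ACL are constructed placeholders. The model also shows why the canonical ordering (explicit deny ACEs before allow ACEs) matters: with a deny ACE placed after an allow ACE that already grants everything requested, the deny is never reached.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Access-mask bits. Constructed for this model; not real Windows constants.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Token:
    """Security context of a process: the account SID plus its group SIDs."""
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee, allow or deny, and an access mask."""
    trustee_sid: str
    allow: bool
    mask: int


def canonical_order(acl: List[Ace]) -> List[Ace]:
    """Put explicit deny ACEs before allow ACEs (stable sort), so that a deny
    always wins over a conflicting allow on the same object."""
    return sorted(acl, key=lambda ace: ace.allow)


def access_check(token: Token, acl: List[Ace], requested: int) -> bool:
    """Return True if every bit in `requested` is granted to `token` by `acl`."""
    remaining = requested            # rights still to be granted
    token_sids = token.sids()
    for ace in acl:
        if ace.trustee_sid not in token_sids:
            continue                 # ACE names a trustee not in this token
        if ace.allow:
            remaining &= ~ace.mask   # grant the overlapping rights
            if remaining == 0:
                return True          # everything requested has been granted
        elif remaining & ace.mask:
            return False             # a still-wanted right is explicitly denied
    return remaining == 0            # no ACE granted the rest: access denied


# Constructed sample SIDs (placeholders, not real SIDs).
DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"
SMS_ADMINS = "S-1-5-21-EXAMPLE-1101"
ALICE = "S-1-5-21-EXAMPLE-2001"
BOB = "S-1-5-21-EXAMPLE-2002"

# Constructed ACL for a hypothetical package source folder, as entered by an
# administrator, then put into canonical order.
NONCANONICAL_ACL = [
    Ace(DOMAIN_USERS, allow=True, mask=READ),
    Ace(SMS_ADMINS, allow=True, mask=FULL),
    Ace(BOB, allow=False, mask=WRITE),   # explicit deny on one account
]
PACKAGE_ACL = canonical_order(NONCANONICAL_ACL)

ALICE_TOKEN = Token(ALICE, frozenset({DOMAIN_USERS, SMS_ADMINS}))
BOB_TOKEN = Token(BOB, frozenset({DOMAIN_USERS, SMS_ADMINS}))
GUEST_TOKEN = Token("S-1-5-21-EXAMPLE-3000")   # in none of the groups


def checks() -> Dict[str, bool]:
    """Evaluate a set of requests against the sample ACLs."""
    return {
        "alice_full": access_check(ALICE_TOKEN, PACKAGE_ACL, FULL),
        "bob_read": access_check(BOB_TOKEN, PACKAGE_ACL, READ),
        "bob_write": access_check(BOB_TOKEN, PACKAGE_ACL, WRITE),
        "bob_read_write": access_check(BOB_TOKEN, PACKAGE_ACL, READ | WRITE),
        "guest_read": access_check(GUEST_TOKEN, PACKAGE_ACL, READ),
        # Deny ACE after an allow that already grants FULL: never reached.
        "bob_write_noncanonical": access_check(BOB_TOKEN, NONCANONICAL_ACL, WRITE),
    }


if __name__ == "__main__":
    for name, granted in checks().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Bob is a member of the same groups as Alice, yet the explicit deny ACE on his account blocks any request that includes WRITE, while his READ request still succeeds through the Domain Users allow ACE. The guest token matches no ACE at all and is denied, which is the default when nothing grants the requested right.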

Account Authentication

Operating system account authentication is performed for process and thread creation and when connecting to other computers. Authentication problems most often occur when a computer connects to other computers. It is important that you understand how accounts authenticate in a Windows environment.

When a user runs a process that attempts to connect to a share on another computer running Windows NT 4.0, Windows 2000, Windows XP, or a member of the Windows Server 2003 family, the computer serving the share must be confident that the user is who they claim to be. With that confidence, the computer can then ensure that the user is allowed the requested access level, and it can provide the requested data.

Similarly, SMS clients and servers propagate data through the SMS site and SMS hierarchy by connecting to SMS shares on SMS servers. For example, SMS Legacy Clients use the logged-on user account or a connection account that you specify to connect to client access points (CAPs). SMS Advanced Clients use the computer account or a network access account that you specify to connect to a distribution point or other server share. SMS parent and child site servers that use standard security use site connection accounts that you define to send information to each other. In addition, SMS parent and child site servers running advanced security can use each other's computer account to send information to each other.

For more information about Windows authentication methods, see the Windows operating system documentation.
