Share via


Security Considerations for MDM Self Service Portal

2/9/2009

The following shows how MDM Self Service Portal helps protect information. These are the default settings.

Protection Description

Helps limit user access by default.

Only the following users can access the portal by default:

  • Users who are members of SCMDMAuthorizedUsers (InstanceName) or SCMDMServerAdmins (InstanceName) — where InstanceName is the name of the MDM instance
  • Users who are domain administrators

However, in MDM 2008 SP1, by default, all domain-authenticated users are part of the SCMDMAuthorizedUsers group and therefore have access to the portal. For more information, see MDM Self Service Portal Security.

Helps provide strong authentication.

MDM Self Service Portal uses Windows Integrated Authentication in Internet Information Services (IIS) to help provide strong user authentication. Windows Integrated Authentication results in either NTLM or Kerberos authentication and is dependent on the client and server computer configurations.

Requires access authorization.

Access to pages in MDM Self Service Portal is based on user credentials.

Access to cmdlets is based on the machine credentials of MDM Self Service Portal.

To access the Portal Administration page, the user must have write access to the SelfService.config file. By default, only the local administrator and members of the SCMDM2008ServerAdminstrators group have write access to the file.

Helps protect communication.

IIS and MDM Self Service Portal use Secure Sockets Layer (SSL) to help secure data transmission between the user and the portal. The SSL protocol enables Web servers and Web clients to communicate more securely by using encryption. This helps block packet sniffing.

Note

MDM Self Service Portal code is designed and implemented to use Windows Integrated Authentication. You can change the authorization method that the portal uses. However, specifications to make these changes are beyond the scope of this content.