Configuration Manager Console Security Best Practices and Privacy Information
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
The Microsoft System Center Configuration Manager 2007 console is the interface to the SMS Provider. Protect the Configuration Manager 2007 console computers to help restrict unauthorized access to the site.
Always use an account with least permissions when running the Configuration Manager console
If you install the Configuration Manager 2007 console on a remote server or workstation, do not log on to that server or workstation as the Configuration Manager Administrator account. Instead, log on as an ordinary user account, start the Configuration Manager 2007 console using Run As (Windows Server 2003 and Windows XP) or User Account Control (Windows Vista and Windows Server 2008), and provide the credentials for an account with Configuration Manager 2007 administrative rights.
Do not allow users who are not administrators to use the Configuration Manager console on the site server
If Configuration Manager 2007 administrators do not require full administrative rights on the site server computer, do not allow them to run the console on the site server. Instead, install the Configuration Manager 2007 console on secure client computers and assign Configuration Manager 2007 object security rights to restrict user access to the least possible permissions.
Limit Web browsing from the Configuration Manager console
The Configuration Manager 2007 console can automatically display Web pages in the Microsoft Management Console (MMC) window to show reports and to present the product Start page. Browsing to other sites using the Web pages in the MMC increases the risk that an attacker can gain control of the console computer and possibly the site.
Do not allow low-rights Terminal Services users to establish connections with site system roles
Allowing low-rights users direct access to a terminal server session on a site system grants them excessive privilege.
Protect the XML output from the Transfer Site Settings wizard
The Transfer Site Settings wizard allows you to export your site settings to an XML file in either a local folder or a network shared folder. If you save the XML file to a network location, the communication occurs over SMB and is not secured. Use IPsec to help secure the communication channel, or save the file locally and transfer it to a network shared location using a secure method.
Do not allow users who are not administrators to access the site server via Remote Desktop or Terminal Services
Because of the way permissions are configured on the site server, Terminal Services users can access files that could allow them excessive privilege. Instead, install the Configuration Manager 2007 console on secure client computers and assign Configuration Manager 2007 object security rights to restrict user access to the least possible permissions.
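One way to check the two Remote Desktop / Terminal Services recommendations above on a site server (an added example, not part of the original documentation). The computer name SITESERVER01 is a placeholder, and the script assumes the default local group names "Remote Desktop Users" and "Administrators".

```powershell
# Added example: list accounts that may log on through Remote Desktop /
# Terminal Services on a site server but are not local administrators there.
# Assumption: SITESERVER01 is a hypothetical name; pass your own site server.
param(
    [string]$SiteServer = 'SITESERVER01'
)

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$GroupName)
    # The ADSI WinNT provider needs no extra modules on Windows Server 2003/2008.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # AdsPath has the form WinNT://DOMAIN/name and identifies the account or group.
        $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
    }
}

function Compare-RemoteLogonToAdmins {
    param([string[]]$RemoteUsers, [string[]]$Admins)
    # Return the remote-logon entries that are not also direct administrators.
    $RemoteUsers | Where-Object { $Admins -notcontains $_ } | Sort-Object -Unique
}

# Direct members only: a domain group is reported as one entry and its
# members are not expanded, so review any group that appears in the output.
$rdp    = @(Get-LocalGroupMemberPath -Computer $SiteServer -GroupName 'Remote Desktop Users')
$admins = @(Get-LocalGroupMemberPath -Computer $SiteServer -GroupName 'Administrators')
$extra  = @(Compare-RemoteLogonToAdmins -RemoteUsers $rdp -Admins $admins)

if ($extra.Count -eq 0) {
    Write-Output "OK: no non-administrator entries in Remote Desktop Users on $SiteServer."
} else {
    Write-Output "Review these entries in Remote Desktop Users on ${SiteServer}:"
    $extra | ForEach-Object { Write-Output "  $_" }
}
```

The script reads group membership only. The logon right can also be granted through user rights assignment in local or Group Policy, which this check does not inspect.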
When you install Configuration Manager 2007 you have the option of participating in the Customer Experience Improvement Program. If you choose to participate, Configuration Manager 2007 will collect statistical information about your system's configuration, the performance of some Configuration Manager 2007 components, and error events generated by Configuration Manager 2007. Windows periodically sends a small file to Microsoft with the summary data. Microsoft uses the data to identify ways to make the product better.
Your participation status applies to all Configuration Manager 2007 console sessions for the site. You can change your participation status at any time. Changing the setting from one console session changes the setting for all console sessions. For additional, general information about CEIP, see http://go.microsoft.com/fwlink/?LinkId=81182.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.