Best Practices for Hierarchy Security
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Security considerations might influence your need for and placement of Microsoft System Center Configuration Manager 2007 sites or site systems in the design of your hierarchy. Security considerations can be important when deploying clients. Incorporate security efforts as early as possible in your deployment plan so that your Configuration Manager 2007 implementation is functional and secure. If you have already deployed Configuration Manager 2007, revisit your design decisions and analyze them from a security perspective.
Isolate sites in high security environments
When you join two or more sites together in a hierarchy, the parent site by design has the ability to modify any child or grandchild site. However, an attacker who controls any one site could potentially use it to attack any other site in the hierarchy and gain control of parent, child, or sibling sites. Also, if you are publishing to Active Directory Domain Services, any site can potentially write to any other site's objects in the same forest, including sites that are not in the same hierarchy. The only way to prevent one site from writing to another site is to put the sites in separate forests.
Use the fewest sites possible
Having a large number of sites represents a fairly low risk, but reducing the number of sites reduces the attack surface and should be considered when designing deployments. Reducing the number of sites for security must be weighed carefully against other design considerations, like bandwidth, performance, and client configuration. A single site is the most secure option because there is no need to do the following:
Transfer data between sites
Manage sender accounts between sites
Trust administrators at other sites
Performance enhancements in Configuration Manager 2007 allow a single site to support more clients, making it possible to consolidate sites that were divided for performance reasons. You might be able to replace smaller sites with protected distribution points and thus reduce the number of sites, if this is consistent with your other design goals.
Avoid having sites span forests
Forests are the administrative boundary of Active Directory. Allowing a site to span a forest compromises this boundary by allowing administration from a different forest. The following site systems are supported if they are installed in a forest remote to the site server's forest, but doing so is not a security best practice:
Server locator point
Fallback status point
Distribution point, configured to support Internet-based clients
Management point, configured to support Internet-based clients
Software update point, configured to support Internet-based clients
System Health Validator point, when Network Access Protection requires it in a remote forest because the Network Policy Server (NPS) is not in the same forest as the site server
PXE service point, for operating system deployment
Site system roles installed in a perimeter network to support Internet-based clients
It is supported to have a primary site in one forest and a child primary site in a remote forest. It is not supported to have a secondary site in a different forest than the parent site. It is supported to have clients in forests remote to the site server.
Require secure key exchange between all sites in the hierarchy
Secure key exchange is enabled by default for new installations but not for upgrades. Any site in the hierarchy that is accepting unsecured key exchange could potentially replicate the unsecured site data throughout the hierarchy. Always require secure key exchange on all sites, including SMS 2003 sites in the hierarchy. For more information, see How to Manually Exchange Public Keys Between Sites.
In mixed mode, upgrade all clients to Configuration Manager 2007 and configure the site to contain only ConfigMgr 2007 clients
Native mode, which requires all clients to run Configuration Manager 2007, is the preferred option. If you must use mixed mode, you should still upgrade all clients in the hierarchy to Configuration Manager 2007. After all clients are upgraded, enable the setting This site contains only ConfigMgr 2007 clients on the Site Mode tab of the site properties for every site in the hierarchy, so that policies containing sensitive data are not sent to any down-level client.
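The two preceding practices (require secure key exchange, and mark every site as containing only ConfigMgr 2007 clients) are both site-wide settings that must be verified on every site in the hierarchy, not just the one you happen to be logged on to. The PowerShell script below is an added example, not part of the original page or of Configuration Manager itself. It assumes the SMS Provider namespace root\sms\site_<code> and the SDK class SMS_SCI_SiteDefinition with its Props collection of embedded properties (PropertyName, Value, Value1), which exist in Configuration Manager 2007; the property-name patterns it flags ('*Key Exchange*', '*Only*Client*') are assumptions about how those settings are named in the site control data, so inspect the full dump and adjust them.

```powershell
# Added example (not from the original page): dump the site control
# properties of every site visible from a central site's SMS Provider and
# flag the ones relevant to secure key exchange and the mixed-mode
# "only ConfigMgr 2007 clients" setting.
#
# Assumptions: root\sms\site_<code>, SMS_SCI_SiteDefinition and the
# embedded-property layout (PropertyName/Value/Value1) are real SDK objects;
# the -like patterns below are guesses at the property names and must be
# confirmed against the printed output.
param(
    [Parameter(Mandatory = $true)][string]$ProviderServer,   # server hosting the SMS Provider
    [Parameter(Mandatory = $true)][string]$CentralSiteCode   # three-character site code
)

$namespace = "root\sms\site_$CentralSiteCode"

# Site control data replicates up the hierarchy, so the central site's provider
# holds one SMS_SCI_SiteDefinition instance per site beneath (and including) it.
$siteDefs = Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace -Class SMS_SCI_SiteDefinition

$report = foreach ($site in $siteDefs) {
    foreach ($prop in $site.Props) {
        # Mark properties whose names look like the two settings under review.
        $review = ($prop.PropertyName -like '*Key Exchange*') -or ($prop.PropertyName -like '*Only*Client*')
        New-Object PSObject -Property @{
            SiteCode     = $site.SiteCode
            ParentSite   = $site.ParentSiteCode
            PropertyName = $prop.PropertyName
            Value        = $prop.Value
            Value1       = $prop.Value1
            Review       = $review
        }
    }
}

# Print the flagged settings first, then the full dump for manual inspection.
"==== Settings flagged for review (verify the property names match your site control data) ===="
$report | Where-Object { $_.Review } | Sort-Object SiteCode, PropertyName | Format-Table SiteCode, ParentSite, PropertyName, Value, Value1 -AutoSize

"==== All site control properties ===="
$report | Sort-Object SiteCode, PropertyName | Format-Table SiteCode, ParentSite, PropertyName, Value, Value1 -AutoSize
```

Run it from an account with read access to the SMS Provider, for example `.\Audit-SiteSettings.ps1 -ProviderServer CENTRAL01 -CentralSiteCode CEN`. Because the script only reads site control data, it is safe to run on a production central site; any site whose flagged values differ from the rest of the hierarchy is a candidate for the manual checks described above (the Advanced tab for key exchange, the Site Mode tab for the client setting).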
Upgrade all sites to Configuration Manager 2007
If you have any SMS 2003 sites in the site hierarchy, Configuration Manager 2007 falls back to MD5, a hash algorithm that is no longer considered secure, to hash data sent to the SMS 2003 sites.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.