Overview of Configuration Manager Security
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Security for Microsoft System Center Configuration Manager 2007 consists of several layers. To begin with, Windows provides security features for both the operating system and the network. For example, Windows provides the following:
File sharing to transfer files between Configuration Manager 2007 components
Access Control Lists to secure files and registry keys
IPsec for securing communications
Group Policy for setting security policy
DCOM permissions for distributed applications
Active Directory Domain Services to store security principals
Windows account security, including some groups that are created during Configuration Manager 2007 installation
Additional security components, such as firewalls and intrusion detection, help provide defense in depth for the entire environment. Certificates issued by industry-standard PKI implementations help provide authentication of Configuration Manager 2007 components.
Configuration Manager 2007 controls access to the Configuration Manager 2007 console in several ways. By default, only administrators have rights to the files and registry keys needed to run the Configuration Manager 2007 console on computers where it is installed. Non-administrators on the computer must first run MMC and then add Configuration Manager 2007 as a snap-in to have rights to run the Configuration Manager 2007 console.
The next layer of security is access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group initially contains only the user who installed Configuration Manager 2007. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.
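One way to review who holds this access, as an added example that is not part of the original documentation: the script lists the direct members of the local SMS Admins group and compares them with an approved list. It assumes it is run with administrative rights on the computer that hosts the SMS Provider; the account names in `$Approved` are constructed placeholders and `Get-LocalGroupMemberName` is a hypothetical helper name.

```powershell
# Added example: audit membership of the local "SMS Admins" group.
$GroupName = 'SMS Admins'
# Constructed placeholder accounts; replace with your own approved list.
$Approved  = @('CONTOSO\cm-install', 'CONTOSO\CM-Console-Admins')

function Get-LocalGroupMemberName {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string]$Group
    )

    # The WinNT ADSI provider is used so the script also runs on older
    # PowerShell versions that lack the local accounts cmdlets.
    $adsGroup = [ADSI]"WinNT://$Computer/$Group,group"
    try {
        $members = @($adsGroup.Invoke('Members'))
    } catch {
        throw "Local group '$Group' was not found on $Computer."
    }

    foreach ($m in $members) {
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://DOMAIN/COMPUTER/name for local accounts.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        } else {
            $parts[-1]   # unresolved SID or other single-part path
        }
    }
}

$actual     = @(Get-LocalGroupMemberName -Group $GroupName)
# -contains / -notcontains compare strings case-insensitively.
$unexpected = @($actual   | Where-Object { $Approved -notcontains $_ })
$missing    = @($Approved | Where-Object { $actual   -notcontains $_ })

$unexpected | ForEach-Object { Write-Warning "Not on the approved list: $_" }
$missing    | ForEach-Object { Write-Output  "Approved but not a member: $_" }
if ($unexpected.Count -eq 0) {
    Write-Output "'$GroupName' has no members outside the approved list."
}
```

Only direct members are listed, so a domain group that appears in the output should have its own membership reviewed as well.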
The final layer of security is permissions to objects in the site database granted by the WMI provider. By default, the Local System account and the user account that you used to install Configuration Manager 2007 have access to administer all objects in the site database. You can grant permissions to additional users in the Configuration Manager 2007 console.
You must set Configuration Manager 2007 object permissions at each site individually. Rights never flow down a site hierarchy.
Other Resources
Overview of Configuration Manager Security and Privacy