Best Practices for Securing Communications
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 activity is never confined to a single computer. Examples include the following:
Clients communicate with management points.
The site server communicates with all site systems, which can be installed on remote computers.
All domain members communicate with the domain controllers for authentication and authorization.
Site hierarchies can be installed spanning wide area network (WAN) links with firewalls and virtual private networks (VPNs).
If you fail to secure Configuration Manager 2007 communications, clients could be hijacked by unauthorized servers, high-rights credentials could be exposed, or bogus data could be inserted into the Configuration Manager 2007 site database.
Use native mode Native mode automatically provides mutual authentication and encryption for most communication between Configuration Manager 2007 clients and servers.
Require Secure Key Exchange Require secure key exchange is enabled by default for new installations. On upgrade, the existing key exchange setting is preserved, so verify that it is enabled, even if you have only one site in your hierarchy, to reduce the risk of an attacker sending a bogus site control file. If you have extended your Active Directory schema and configured publishing, Configuration Manager 2007 exchanges the keys through Active Directory, which helps secure the key exchange process. If you have not extended your Active Directory schema, or if you have not properly configured publishing, the administrator must exchange the keys through the manual process. For more information, see How to Require Secure Key Exchange Between Sites.
Consider using nondefault port numbers for client communication Using nondefault ports for protocols such as HTTP and HTTPS might slow down an attacker. For example, many organizations block TCP port 80 and use a different HTTP port. You configure ports on a site-by-site basis. However, if you do not configure the same ports throughout the hierarchy, the Configuration Manager 2007 clients can experience problems when roaming. For more information, see How to Configure Request Ports for the Configuration Manager Client.
If clients cannot query Active Directory, manage the trusted root key provisioning process If clients cannot query the Global Catalog, either because Active Directory publishing is not enabled or because clients are workgroup or remote forest clients, they must rely on the trusted root key to authenticate valid management points. The trusted root key is stored in the client registry and can be set using Group Policy or configured manually. If the client does not have a copy of the trusted root key before contacting the management point for the first time, it trusts the first management point it communicates with. To reduce the risk of an attacker misdirecting clients to an unauthorized management point, you can preprovision the clients with the trusted root key. For more information, see How to Pre-provision the Trusted Root Key on Clients.
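The pre-provisioning step above, as an added example that is not code from the original page or from Microsoft: it reads the trusted root key out of the site server's mobileclient.tcf, writes it to a file, and builds the ccmsetup command line that provisions it on a client before the client's first contact with a management point. It assumes mobileclient.tcf sits under the Configuration Manager installation directory in bin\i386 and carries an SMSPublicRootKey= line, and that SMSROOTKEYPATH and RESETKEYINFORMATION are the client.msi properties documented for Configuration Manager 2007 (check them against How to Pre-provision the Trusted Root Key on Clients). The section name and key value in the sample file are constructed.

```powershell
# Added example (not from the original page or from Microsoft): read the trusted root key
# from the site server's mobileclient.tcf, write it to a file, and build the ccmsetup
# command line that pre-provisions it on a client.
# Assumptions: mobileclient.tcf lives under <ConfigMgr install dir>\bin\i386 on the site
# server and carries an "SMSPublicRootKey=" line; SMSROOTKEYPATH and RESETKEYINFORMATION
# are the client.msi properties documented for Configuration Manager 2007. The section
# name and key value in the sample below are constructed, not taken from a real site.

function Get-TrustedRootKey {
    param([Parameter(Mandatory=$true)][string]$TcfPath)
    $line = Get-Content -Path $TcfPath |
            Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
            Select-Object -First 1
    if (-not $line) { throw "No SMSPublicRootKey entry in $TcfPath" }
    $key = ($line -split '=', 2)[1].Trim()
    # The key is a hex-encoded public key blob. Reject anything else so a truncated or
    # edited file is caught here rather than silently provisioned to every client.
    if ($key -notmatch '^[0-9A-Fa-f]+$' -or ($key.Length % 2) -ne 0 -or $key.Length -lt 64) {
        throw 'SMSPublicRootKey value is not a plausible hex blob'
    }
    return $key
}

function New-RootKeyFile {
    param([Parameter(Mandatory=$true)][string]$Key,
          [Parameter(Mandatory=$true)][string]$OutPath)
    # The key on its own line, ASCII, as the file that SMSROOTKEYPATH will point at.
    Set-Content -Path $OutPath -Value $Key -Encoding ASCII
    return (Resolve-Path -Path $OutPath).Path
}

function Get-ClientInstallCommand {
    param([Parameter(Mandatory=$true)][string]$RootKeyFile,
          [Parameter(Mandatory=$true)][string]$ManagementPoint,
          [Parameter(Mandatory=$true)][string]$SiteCode)
    # RESETKEYINFORMATION=TRUE makes an already installed client drop a key it picked up
    # from the first management point it ever reached and take the provisioned one instead.
    return "ccmsetup.exe /mp:$ManagementPoint SMSSITECODE=$SiteCode " +
           "SMSROOTKEYPATH=`"$RootKeyFile`" RESETKEYINFORMATION=TRUE"
}

# Constructed stand-in for the relevant lines of mobileclient.tcf (a real key is longer)
$sampleTcf = @"
[Site Info]
SMSSiteCode=CEN
SMSPublicRootKey=0602000000A400005253413100040000010001003A7F21C4D9E8B06F1D2C3B4A5968778695A4B3C2D1E0F1A2B3C4D5E6F708192A
"@
$tcfPath = Join-Path $env:TEMP 'mobileclient.sample.tcf'
Set-Content -Path $tcfPath -Value $sampleTcf -Encoding ASCII

$key  = Get-TrustedRootKey -TcfPath $tcfPath
$file = New-RootKeyFile -Key $key -OutPath (Join-Path $env:TEMP 'trustedrootkey.txt')
Get-ClientInstallCommand -RootKeyFile $file -ManagementPoint 'mp01.corp.example' -SiteCode 'CEN'
```

Distribute the key file and the resulting command line through a channel you already trust (a signed Group Policy startup script or an authenticated file share); copying the key over the same unauthenticated path the attacker could spoof defeats the purpose.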
Use IPsec to secure communications between site systems While Configuration Manager 2007 native mode protects the communication channel between the Configuration Manager 2007 clients and the Configuration Manager 2007 site systems, Configuration Manager 2007 does not protect the communication channel between any site systems, whether in the same site or a different site, whether in the internal network or the perimeter network, regardless of the site mode. You should implement IPsec between all site systems to encrypt and authenticate their communications. For more information, see Implementing IPsec for Configuration Manager 2007. If you cannot enable IPsec, you should at least enable SMB signing between all site systems.
Configure your firewalls to permit required Configuration Manager traffic Security best practice dictates that you deny all ports in your firewall except those explicitly configured. Configuration Manager 2007 is a complicated product that requires many ports for proper communication. Port usage can vary depending on configuration choices, such as using native mode or mixed mode. For more information, see Ports Used by Configuration Manager.
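The two preceding recommendations (nondefault client request ports that are consistent across the hierarchy, and a deny-by-default firewall that opens only what the site needs) as one added example. This is not code from the original page or from Microsoft; it assumes Windows Server 2008 or later so that netsh advfirewall is available, uses 8080/8443 as example nondefault ports, and constructs the per-site port values rather than reading them from real sites.

```powershell
# Added example, not code from the original page or from Microsoft: check that every site
# in the hierarchy uses the same client request ports (so roaming clients keep working),
# then build deny-by-default inbound rules on a management point that allow only those
# ports.
# Assumptions: Windows Server 2008 or later (netsh advfirewall); 8080/8443 are example
# nondefault ports; the per-site values below are constructed. The other ports a site
# system needs (see Ports Used by Configuration Manager) are added the same way.

function Test-HierarchyPortConsistency {
    # $SitePorts maps site code -> @{ HttpPort = ..; HttpsPort = .. }
    param([Parameter(Mandatory=$true)][hashtable]$SitePorts,
          [Parameter(Mandatory=$true)][string]$CentralSite)
    $ref = $SitePorts[$CentralSite]
    $problems = @()
    $fmt = "{0}: HTTP {1}/HTTPS {2} differs from {3}: HTTP {4}/HTTPS {5}; " +
           "clients roaming into {0} will fail to reach its management point"
    foreach ($site in ($SitePorts.Keys | Sort-Object)) {
        $p = $SitePorts[$site]
        if ($p.HttpPort -ne $ref.HttpPort -or $p.HttpsPort -ne $ref.HttpsPort) {
            $problems += $fmt -f $site, $p.HttpPort, $p.HttpsPort, $CentralSite, $ref.HttpPort, $ref.HttpsPort
        }
    }
    return $problems
}

function New-ManagementPointInboundRules {
    param([Parameter(Mandatory=$true)][int[]]$TcpPorts,
          [switch]$Apply)   # without -Apply the commands are only returned for review
    $commands = @()
    # Inbound: drop everything no rule explicitly allows. Outbound stays open.
    $commands += ,@('advfirewall','set','allprofiles','firewallpolicy','blockinbound,allowoutbound')
    foreach ($port in $TcpPorts) {
        $commands += ,@('advfirewall','firewall','add','rule',
                        "name=ConfigMgr client requests TCP $port",
                        'dir=in','action=allow','protocol=TCP',"localport=$port")
    }
    if ($Apply) { foreach ($c in $commands) { & netsh @c } }
    return ($commands | ForEach-Object { 'netsh ' + ($_ -join ' ') })
}

# Constructed hierarchy: the central site and one primary moved to 8080/8443, one did not
$sitePorts = @{
    CEN = @{ HttpPort = 8080; HttpsPort = 8443 }
    PR1 = @{ HttpPort = 8080; HttpsPort = 8443 }
    PR2 = @{ HttpPort = 80;   HttpsPort = 443 }
}
Test-HierarchyPortConsistency -SitePorts $sitePorts -CentralSite 'CEN'

# Rules for a management point in CEN. Open the HTTP port only if mixed mode clients must
# be served; native mode clients use the HTTPS port.
New-ManagementPointInboundRules -TcpPorts @($sitePorts.CEN.HttpPort, $sitePorts.CEN.HttpsPort)
```

Run the consistency check before touching the firewall: the report for PR2 above is exactly the roaming failure the text warns about, and a firewall that opens 8080/8443 on a management point does nothing for a client that was told to use 80/443.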
Secure the communication channel between the site server and package source server Configuration Manager 2007 does not secure the communication channel between the site server computer and the computer that stores the source files used to create packages. Use IPsec to secure the SMB channel that Configuration Manager 2007 uses when retrieving package source files, to help prevent attackers from tampering with the files.
Secure the communication channel between the Setup media and the site server If you run Setup from a network location, make sure you use IPsec between the source location of the Setup files and the site server to help prevent an attacker from tampering with the files.
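The three IPsec recommendations above (between site systems, between the site server and the package source server, and between the Setup source and the site server) share one mechanism, so here is one added example for all of them. It is not code from the original page or from Microsoft. It assumes Windows Server 2008 or later (Windows Firewall with Advanced Security, netsh advfirewall consec), domain-joined computers so Kerberos machine authentication works, and placeholder IP addresses; on Windows Server 2003 the equivalent is an IPsec policy, not shown here. The SMB signing registry values are the standard LanmanServer/LanmanWorkstation settings and serve as the fallback the text describes.

```powershell
# Added example, not code from the original page or from Microsoft: require SMB signing on
# a site system, and add an IPsec connection security rule that requires authenticated and
# encrypted traffic between the site server and the hosts it exchanges files with (other
# site systems, the package source server, the share holding the Setup media).
# Assumptions: Windows Server 2008 or later (netsh advfirewall consec); domain members so
# Kerberos computer authentication (computerkerb) works; addresses below are placeholders.

$smbSigningKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',      # this host as SMB server
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'  # this host as SMB client
)

function Test-SmbSigningRequired {
    # One object per role; Required is true only when signing is mandatory, not merely enabled.
    foreach ($k in $smbSigningKeys) {
        $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Role     = $(if ($k -like '*LanmanServer*') { 'server' } else { 'client' })
            Required = ($v.RequireSecuritySignature -eq 1)
        }
    }
}

function Set-SmbSigningRequired {
    # RequireSecuritySignature=1 refuses unsigned sessions. EnableSecuritySignature=1 on its
    # own only negotiates signing and still accepts an unsigned peer, which does not stop
    # tampering with package or Setup files in transit.
    foreach ($k in $smbSigningKeys) {
        Set-ItemProperty -Path $k -Name EnableSecuritySignature  -Value 1 -Type DWord
        Set-ItemProperty -Path $k -Name RequireSecuritySignature -Value 1 -Type DWord
    }
    # The LanmanServer change takes effect after the Server service restarts (or a reboot).
}

function New-SiteSystemIpsecRule {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$SiteServer,   # IP address of the site server
          [Parameter(Mandatory=$true)][string[]]$Peers,      # site systems, package source, Setup share
          [switch]$Apply)
    $ruleArgs = @('advfirewall','consec','add','rule',"name=$Name",
                  "endpoint1=$SiteServer",
                  "endpoint2=$($Peers -join ',')",
                  'action=requireinrequireout',     # both directions must authenticate; unauthenticated traffic is dropped
                  'auth1=computerkerb',             # mutual machine authentication via Kerberos
                  'qmsecmethods=esp:sha1-aes256',   # ESP with AES-256: encrypt, not just integrity-protect
                  'enable=yes')
    if ($Apply) { & netsh @ruleArgs }
    return 'netsh ' + ($ruleArgs -join ' ')
}

# Placeholder addresses (constructed): site server, a remote management point, the package
# source server. Returned as a command line for review; add -Apply to run it.
New-SiteSystemIpsecRule -Name 'ConfigMgr site server to site systems' `
    -SiteServer '10.0.1.10' -Peers '10.0.1.20','10.0.2.15'
Test-SmbSigningRequired
```

The rule has to exist on both ends with the same authentication and quick mode settings, or the peer will drop the traffic as unauthenticated. Without the qmsecmethods entry the rule still authenticates and integrity-protects the channel under the firewall's default IPsec settings but does not encrypt it, which still meets the "at least SMB signing" bar for tampering but not the encryption the text asks for.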
Other Resources
Security Best Practices for Configuration Manager
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.