SMS 2003 Security Test Checklist

Test SMS security when you are putting it in place. Try to access all types of SMS resources by using the accounts that you have created and delegated tasks to, to verify that SMS objects and data are protected. Similarly, attempt to access SMS resources with the appropriate accounts and tools to verify that they work as intended and that SMS security is not overly restrictive. Periodically retest.

Verify that SMS Advanced Clients can connect to management points and distribution points for software distribution.

Review the SMS logs on sample clients to verify that routine SMS client tasks are completed as expected.

Review the SMS logs on a sample site server to verify that the routine SMS server tasks are completed as expected. For example, verify that sites are able to send SMS data to each other.

Use a typical administrator account to install an SMS Administrator console, and then access appropriate SMS objects, such as collections and advertisements.

Use an unauthorized administrator account to ensure that it cannot use the SMS Administrator console to access SMS objects.

Use a typical user account to try to install SMS on a client computer.

Use a typical SMS administrator account to remote control different kinds of clients.

Use unauthorized administrative accounts and user accounts to attempt remote control of some clients.

Use the remote control command-line interface (Remote.exe) to repeat the previous remote-control related tests.

Use a typical SMS administrator account to generate and view reports.

Try to use unauthorized SMS administrator accounts and user accounts to view reports.

Try to access the Microsoft® SQL Server™ database by using unauthorized administrator and user accounts.

Repeat each of these tests from the different domains that users and administrators work in at your company.
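
One way to track the results of these tests, as an added example that is not part of the original checklist: the script compares recorded outcomes with the expected allow/deny result for each account type, resource and domain, and reports access that should have been denied, access that was wrongly blocked, and combinations not yet tested. The role, resource and domain names are constructed placeholders, and the rule that only the typical SMS administrator account should succeed is this example's assumption.

```python
from itertools import product

# Constructed placeholders: substitute your own accounts, resources and domains.
# Assumption of this example: only the typical SMS administrator should succeed.
ROLES = {"sms_admin": "allow", "unauthorized_admin": "deny", "user": "deny"}
RESOURCES = ("console_objects", "remote_control", "reports", "sql_database")
DOMAINS = ("CORP", "BRANCH")


def evaluate(observations):
    """Classify recorded test outcomes against the expected access matrix.

    observations maps (role, resource, domain) -> "allow" or "deny", as
    recorded by the tester. Returns a dict of three lists in matrix order:
      exposed         - access succeeded where it should be denied
      over_restricted - access failed where it should succeed
      untested        - combinations with no recorded result
    """
    matrix = list(product(ROLES, RESOURCES, DOMAINS))
    unknown = set(observations) - set(matrix)
    if unknown:
        raise ValueError(f"results outside the matrix: {sorted(unknown)}")
    findings = {"exposed": [], "over_restricted": [], "untested": []}
    for key in matrix:
        observed, expected = observations.get(key), ROLES[key[0]]
        if observed is None:
            findings["untested"].append(key)
        elif observed not in ("allow", "deny"):
            raise ValueError(f"bad outcome {observed!r} for {key}")
        elif observed != expected:
            bucket = "exposed" if observed == "allow" else "over_restricted"
            findings[bucket].append(key)
    return findings


def sample_observations():
    """Constructed results: everything as expected in CORP, two deviations
    in BRANCH, and one BRANCH combination that was never run."""
    obs = {k: ROLES[k[0]] for k in product(ROLES, RESOURCES, DOMAINS)}
    obs[("user", "reports", "BRANCH")] = "allow"             # should be denied
    obs[("sms_admin", "remote_control", "BRANCH")] = "deny"  # should work
    del obs[("unauthorized_admin", "sql_database", "BRANCH")]
    return obs


if __name__ == "__main__":
    for kind, items in evaluate(sample_observations()).items():
        print(kind, items)
```

Record a fresh set of observations at each periodic retest so that a previously clean combination that changes is caught.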