Site Server

Windows 2003 Server is recommended for all site systems, especially for site servers. Attacks against the site server must be considered high risk. If you run the SMS site server on Windows 2000, you must either upgrade to Windows 2000 SP3 and install SMS 2003 Hotfix Q325804, or upgrade to Windows 2000 SP4 or later. Hotfix Q325804 can be found on the SMS 2003 product CD in the WinQFE\Q325804 folder. It addresses the problem, but requires the installation of Windows 2000 SP3.

Important

When configured to run in advanced security mode, the SMS site server processes run under the LocalSystem account and communicate with SMS site systems by using the site server computer account. Certain operations, such as Client Push Installation and intersite communication, might take an additional set of account credentials as a configuration parameter and communicate with remote computers by using those credentials. Due to an issue in the operating system, the site server is unable to communicate using this additional set of credentials. A hotfix fixes this issue. It can be found on the SMS 2003 product CD in the WinQFE\ folder. It addresses the problem, but requires the installation of Windows 2000 SP3. After applying this hotfix you must restart the server.

Do Not Allow Users Who Are Not Administrators to Use the SMS Administrator Console on the Site Server

The default SMS directory-level permissions allow only administrators to use the console on the site server, and it is recommended that this level of security be maintained. Install the SMS Administrator console on secure client computers and assign SMS object security to restrict user access to the least possible permissions. You can also use Remote Desktop or Terminal Services in remote administration mode to access the site server and run the SMS Administrator console.

Always Use Run As When Starting the SMS Administrator Console from a Remote Workstation

If you install the SMS Administrator console on a remote server or workstation, do not log on to that server or workstation as the SMS Administrator account. Instead, log on as an ordinary user account, start the SMS Administrator console using Run As, and provide the credentials for an account with SMS administrative rights.

For more information, search for “Using Run as” in the Help and Support Center.
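The procedure above, written as a batch file that an administrator could keep on the remote workstation; this is an added example, not part of the SMS documentation, and the account name CONTOSO\SMSAdmin and the console path under %ProgramFiles% are placeholders you must replace with your own values.

```batch
@echo off
rem Added example (not from the SMS 2003 documentation): start the SMS
rem Administrator console from an ordinary user logon by using Run As with
rem an account that has SMS administrative rights.
rem Assumptions (placeholders): the SMS administrative account is
rem CONTOSO\SMSAdmin, and the console snap-in is installed at the path in
rem SMS_CONSOLE below. Adjust both for your environment.

set SMS_ADMIN=CONTOSO\SMSAdmin
set SMS_CONSOLE=%ProgramFiles%\Microsoft Systems Management Server\bin\i386\sms.msc

rem Guard: the guidance is to log on as an ordinary user and give elevated
rem credentials only to the console. If the interactive session already
rem belongs to the SMS administrative account, stop rather than continue.
if /i "%USERDOMAIN%\%USERNAME%"=="%SMS_ADMIN%" (
    echo This session is logged on as %SMS_ADMIN%.
    echo Log off, log on as an ordinary user, and run this script again.
    exit /b 1
)

rem Confirm the console snap-in is present before prompting for credentials.
if not exist "%SMS_CONSOLE%" (
    echo SMS Administrator console not found at "%SMS_CONSOLE%".
    exit /b 1
)

rem runas prompts for the password interactively; the password is never
rem written on the command line or stored in this file. The inner quotes
rem are escaped with \" because the console path contains spaces.
runas /user:%SMS_ADMIN% "mmc \"%SMS_CONSOLE%\""
```

Only the console process runs with the SMS administrative credentials; the interactive desktop, browser and other applications remain under the ordinary user account.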