General Principles

The following principles apply to both advanced and standard security.

Use Unique Accounts at Each Site or in Each Domain

If an account is compromised at one site or domain, the attacker then cannot reuse it at any other. Give each of these accounts a distinct user name as well, rather than relying on the accounts merely existing in separate SAM databases: identical names in different databases make audit records and access control entries ambiguous.

Select a Client Installation Method that Balances Ease of Administration with Tolerance for Risk

Installing the SMS client requires administrative credentials on the computers. Those credentials can be made available in several possible ways, each of which is appropriate for different client installation methods:

  • The users themselves might have administrative credentials on the computers they use. In this case, those credentials can be used for client installation during logon if the client is installed as part of the logon script. Alternatively, the users can install the software from a shared folder, a Web site, or similar source.

  • You might have a domain or local account that has administrative credentials on all client computers. Client Push Installation can use that account to install the clients. If no such account exists, create a domain user account with no other privileges and add it to the local Administrators group on every client computer. The Restricted Groups setting in Group Policy can add the account to the group and re-enforce that membership at each policy refresh. Because this account is a local administrator on every client, treat its password as a highly privileged credential and use the account for nothing else.

  • You might already have a software distribution method that can install software with administrative credentials. For example, to upgrade SMS 2.0 clients to SMS 2003 Advanced Clients, you can deploy the Advanced Client to those computers as a software distribution package.

  • In a high security environment, you might have network administrators manually install all SMS clients to control where and how the client components are installed.

Add Users to SMS Admins When They Need to Access the SMS Administrator Console but Do Not Need to be Local Administrators

SMS Admins is a local group on the SMS Provider computer; its members are granted access to the SMS Provider through WMI, which is how the SMS Administrator console connects to the site.

If you want to use a different local group to grant access to the SMS Administrator console, assign the necessary WMI permissions

If you create your own local or domain local group to provide access to the SMS Administrator console, you must also grant that group the same WMI permissions that the SMS Admins group holds. By default, the Everyone group has Execute Methods, Provider Write, and Enable Account permissions on the Root namespace, and its sub-namespaces inherit them. The SMS Admins group is additionally granted Enable Account and Remote Enable on the Root\SMS namespace; Remote Enable is the permission that allows a console running on another computer to connect. Namespace permissions only let the console reach the provider; what a user can then view or change is governed by the SMS object security rights assigned to that user or group in the console.
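The following PowerShell, an added example and not code from the SMS documentation, grants a custom group the Enable Account and Remote Enable rights on Root\SMS, matching what SMS Admins receives, and then re-reads the DACL to confirm the entry. It assumes a hypothetical group named CONTOSO\SMS Console Users and that it runs as a local administrator on the SMS Provider computer; the access-mask values are the WBEM_ENABLE and WBEM_REMOTE_ACCESS constants from the WMI SDK.

```powershell
# Added example, not from the SMS documentation. Grants a group the Root\SMS
# namespace rights that SMS Admins holds (Enable Account + Remote Enable).
# Assumptions: CONTOSO\SMS Console Users is a hypothetical group; this runs as a
# local administrator on the SMS Provider computer.

$Namespace = 'root\sms'
$Account   = 'CONTOSO\SMS Console Users'   # hypothetical group

# Namespace access-mask bits from the WMI SDK (wbemcli.h)
$WBEM_ENABLE        = 0x00001   # Enable Account
$WBEM_REMOTE_ACCESS = 0x00020   # Remote Enable
$CONTAINER_INHERIT  = 0x2       # ACE also applies to sub-namespaces
$ACCESS_ALLOWED     = 0x0

# Resolve the account to a SID string
$domain, $name = $Account -split '\\', 2
$sid = (New-Object System.Security.Principal.NTAccount($domain, $name)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Build the trustee and an allow ACE carrying the two rights
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid
$trustee.Domain    = $domain
$trustee.Name      = $name

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = $ACCESS_ALLOWED
$ace.Trustee    = $trustee

# Read the namespace's security descriptor, append the ACE, write it back
$security = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$sd = $security.GetSecurityDescriptor().Descriptor
$sd.DACL += $ace.psobject.immediateBaseObject
$ret = $security.SetSecurityDescriptor($sd.psobject.immediateBaseObject).ReturnValue
if ($ret -ne 0) { throw "SetSecurityDescriptor on $Namespace failed with code $ret" }

# Verify by re-reading the DACL and decoding the mask for the account
$dacl = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor().Descriptor.DACL
$dacl | Where-Object { $_.Trustee.SIDString -eq $sid } | ForEach-Object {
    $rights = @()
    if ($_.AccessMask -band $WBEM_ENABLE)        { $rights += 'Enable Account' }
    if ($_.AccessMask -band $WBEM_REMOTE_ACCESS) { $rights += 'Remote Enable' }
    '{0}\{1}: {2}' -f $_.Trustee.Domain, $_.Trustee.Name, ($rights -join ', ')
}
```

The ACE is appended rather than replacing the DACL, so the default Everyone entry and the SMS Admins entry are preserved; if the group already had an entry, remove or merge it first, because WMI evaluates every matching ACE.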

Add Users to Reporting Users if They Need Only to Access Reports and Not the SMS Administrator Console

The Reporting Users local group controls access to the SMS Reports Web site when the reporting point uses Windows Authentication to connect to the server running SQL Server. Because Reporting Users is a local group on each reporting point, users who need more than one reporting point must be added to the group on each one. Keeping the memberships consistent across reporting points is easiest if you add a single domain group to Reporting Users on every reporting point and manage the users in that domain group.
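The following PowerShell, an added example rather than code from the SMS documentation, adds a user to a local group on each server in a list through the WinNT ADSI provider (available on Windows Server 2003-era hosts that predate the Add-LocalGroupMember cmdlet) and then lists the resulting membership, skipping servers where the member is already present. It assumes the hypothetical domain CONTOSO, user rptviewer, and reporting points RP01 and RP02. The same two functions serve the Client Push Installation case above: set the group to Administrators and the server list to the client computers to add or verify the installation account.

```powershell
# Added example, not from the SMS documentation. Adds a domain account to a
# local group on several servers and lists the membership afterwards.
# Assumptions (all hypothetical): domain CONTOSO, user rptviewer, reporting
# points RP01 and RP02. Run as an administrator on each target server.

$Domain  = 'CONTOSO'
$Members = @('rptviewer')        # accounts that need report access
$Servers = @('RP01', 'RP02')     # every reporting point those users need
$Group   = 'Reporting Users'     # use 'Administrators' for the client push account

function Get-RemoteLocalGroupMember {
    param([string]$Server, [string]$GroupName)
    $grp = [ADSI]"WinNT://$Server/$GroupName,group"
    # IADsGroup::Members returns COM objects; read each one's ADsPath
    @($grp.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''      # e.g. CONTOSO/rptviewer
    }
}

function Add-RemoteLocalGroupMember {
    param([string]$Server, [string]$GroupName, [string]$MemberDomain, [string]$MemberName)
    $existing = Get-RemoteLocalGroupMember -Server $Server -GroupName $GroupName
    if ($existing -contains "$MemberDomain/$MemberName") {
        return "$Server\$GroupName already contains $MemberDomain\$MemberName"
    }
    $grp = [ADSI]"WinNT://$Server/$GroupName,group"
    $grp.Add("WinNT://$MemberDomain/$MemberName,user")
    return "$Server\$GroupName: added $MemberDomain\$MemberName"
}

foreach ($server in $Servers) {
    foreach ($m in $Members) {
        Add-RemoteLocalGroupMember -Server $server -GroupName $Group -MemberDomain $Domain -MemberName $m
    }
    "--- $server\$Group now contains:"
    Get-RemoteLocalGroupMember -Server $server -GroupName $Group
}
```

Running the listing step on its own, with the group set to Administrators, is a quick audit of which accounts hold local administrator rights on the client computers, which is worth repeating after the Restricted Groups policy has applied.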

If Only One Administrator Knows an Account Password, Seal and Store it Centrally

To maintain SMS security, make the passwords of the most powerful SMS accounts (or possibly all accounts) known to only one administrator. This is usually possible in smaller organizations. In such cases, the administrator can store the written passwords in a sealed envelope in a secure location, such as a company safe, that can be accessed only by authorized staff.

With this provision in place, if the SMS administrator is unavailable when important SMS changes must be made, a manager or other authorized staff member can provide the necessary passwords to a sufficiently knowledgeable SMS expert. An intact seal gives evidence that no one has opened the envelope since the passwords were recorded; it does not show that the passwords were not obtained some other way. Treat a broken seal as a reason to change the passwords immediately, and change them after any authorized use as well.

It is important to remember to update the record of the passwords in the envelope whenever the passwords are changed.

Note

Another option is to institute joint custody of the SMS Administrator passwords. Split each password into two or three parts and give each part to a different administrator. All administrators must enter their parts in the correct sequence to access the account.

In high security environments, require a smart card for the SMS Administrator account.
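One caveat on the joint-custody note above: if the parts are simply substrings of the password, each custodian already knows part of it and only has to guess the remainder. The following PowerShell, an added example and not code from the SMS documentation, implements the same all-custodians-required arrangement with random XOR shares, so that any subset of the shares is indistinguishable from random bytes and only the complete set recovers the password. The password and share count are constructed for the demonstration.

```powershell
# Added example, not from the SMS documentation. Splits a password into n
# random shares (one per custodian) so that all n are required to recover it
# and any smaller set reveals nothing, unlike handing out substrings.
# Assumption: the password below is a constructed demo value.

function Split-Secret {
    param([string]$Secret, [int]$Shares)
    if ($Shares -lt 2) { throw 'At least two custodians are required' }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $out   = @()
    # Shares 1..n-1 are uniformly random; the last share is the secret XORed with all of them
    $last = [byte[]]$bytes.Clone()
    for ($i = 1; $i -lt $Shares; $i++) {
        $r = New-Object byte[] $bytes.Length
        $rng.GetBytes($r)
        for ($j = 0; $j -lt $bytes.Length; $j++) { $last[$j] = $last[$j] -bxor $r[$j] }
        $out += [Convert]::ToBase64String($r)
    }
    $out += [Convert]::ToBase64String($last)
    return $out
}

function Join-Secret {
    param([string[]]$Shares)
    if ($Shares.Count -lt 2) { throw 'At least two shares are required' }
    # XOR every share together; with all n shares the random parts cancel out
    $acc = [Convert]::FromBase64String($Shares[0])
    foreach ($s in $Shares[1..($Shares.Count - 1)]) {
        $b = [Convert]::FromBase64String($s)
        for ($j = 0; $j -lt $acc.Length; $j++) { $acc[$j] = $acc[$j] -bxor $b[$j] }
    }
    return [System.Text.Encoding]::UTF8.GetString($acc)
}

$password = 'Example-SMS-Service-P@ss!'   # constructed demo value
$shares   = Split-Secret -Secret $password -Shares 3

# Seal each share in a separate envelope for a different custodian
$shares | ForEach-Object { "share: $_" }

# Reconstruction succeeds only when every custodian contributes a share
"all three shares recover the password: $((Join-Secret -Shares $shares) -eq $password)"
"two shares recover the password:       $((Join-Secret -Shares $shares[0..1]) -eq $password)"
```

With XOR shares every custodian is needed, so losing one share loses the password; where you want any two of three custodians to suffice, use a threshold scheme such as Shamir secret sharing instead. The sealed-envelope practice and the rule to update the record whenever the password changes apply to the shares exactly as they do to a whole password.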