Reporting (Securing SMS Features)

Attackers usually try to gather as much information about a company as possible to find vulnerabilities. An attacker might attempt to gain access to SMS reports to find information about the network environment. For example, if an attacker can view the report showing software update compliance, she can target the computers that are missing particular updates with attacks that exploit those missing updates.

Attacks against SMS reporting are usually lower risk than attacks against the site server, SMS site database server, software distribution, and remote tools.

SMS Reporting accesses the SMS SQL Server views using a SQL Server application role named webreport_approle. This role is secured with a random password automatically generated and securely stored by SMS.

Restrict Queries and Reports to Authorized Viewers

Use the principle of least privilege when assigning permission to queries and reports. Reports can be run from the SMS Administrator console or through a report viewer, such as Internet Explorer.

Only queries viewed in the SMS Administrator console are subject to SMS Object security. When you run SMS queries, you must have SMS object security permissions on the objects included in the query. In addition, when you create a query, Values on the Criteria tab of the Query Statement Properties dialog box returns no data if you do not have Read and Read Resource permissions to the Collections class.

A query can be collection limited, so that users can only query data for resources in collections they are authorized to use. Even when the user does not specify collection limiting when creating a query, SMS applies collection limiting if the user is not authorized to view all resources. If someone requires access to information, verify that they will not be restricted by collection limiting.

For more information about SMS Object Security, see Appendix A: “SMS Object Security and WMI.”

Use the Reporting Users Group to Control Access to the Reporting Point

By default, all members of the Administrators and Reporting Users groups have access to the reporting point Web site. If users need access to reports on the reporting point, add them to the Reporting Users local groups on each required reporting point. The Reporting Users group does not have any members by default.

The SMS Reporting Users group does not have SMS object security rights configured by default. This group needs Read security rights on the Report SMS class; otherwise, members of the group cannot access reports, even though they do have access to the reporting Web site. For more information about setting SMS class rights, see “SMS Object Rights” in Appendix E: “SMS Security Procedures.”

Important

Internet Explorer 6.0 and later has increased default security settings, and those default settings must be modified for report viewer users. This issue is corrected in SMS 2003 SP1. For each user, add the URL for each reporting point that the user has permission to access. For the detailed procedure, see “Granting Users Access to Reports on Reporting Points” in Appendix E: “SMS Security Procedures.”

Manage Security for Users Who Connect Directly to the SMS SQL Server Computer

Products such as Microsoft Access or non-Microsoft report tools access the SMS site database through Windows Management Instrumentation (WMI) by using the Web-based Enterprise Management (WBEM) ODBC driver. Scripts, Web pages, and similar tools use the WMI scripting model to query SMS. All of these reporting options require access to WMI and the SMS Provider, and you control access using WMI security and SMS object security.

Other reports are generated by products such as Microsoft Access or non-Microsoft report tools that access SMS data directly through SQL Server views. These tools use the SQL Server ODBC driver or any other scripting model that accesses SQL Server data directly, thus bypassing WMI security and SMS object security.

Add users who connect to the SMS site database using Windows Authentication to view reports to the Reporting Users group. Add users who connect to the SMS site database using SQL Server Authentication to view reports to the smsschm_users SQL Server role. The smsschm_users SQL Server role has the “SELECT” right to all SMS SQL Server views. Alternatively, you can grant individual users or role permissions to specific views if you want to limit access to the SMS data.

For the procedures to manage SQL Server roles, see the SQL Server documentation.
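As an added example (not part of the SMS documentation or the SMS product), the following Transact-SQL shows the two access paths described above for a SQL Server Authentication login: the broad smsschm_users role membership and the narrower grant on a single view, followed by a check of who holds the broad role. The database name SMS_ABC, the login rpt_reader and the view v_R_System are placeholder names assumed for the illustration.

```sql
-- Added example, not from the SMS documentation. Placeholder names:
-- site database SMS_ABC, login rpt_reader, example SMS view v_R_System.
USE SMS_ABC;
GO

-- Create the SQL Server Authentication login and map it to a database
-- user. These are the SQL Server 2000-era procedures that SMS 2003 was
-- deployed with; later versions keep them as deprecated compatibility.
EXEC sp_addlogin @loginame = 'rpt_reader',
                 @passwd   = 'REPLACE_WITH_STRONG_PASSWORD';
EXEC sp_grantdbaccess @loginame = 'rpt_reader', @name_in_db = 'rpt_reader';
GO

-- Option 1 (broad): membership in smsschm_users gives SELECT on every
-- SMS SQL Server view, including inventory that describes the environment.
EXEC sp_addrolemember @rolename = 'smsschm_users', @membername = 'rpt_reader';
GO

-- Option 2 (least privilege): grant SELECT only on the view(s) the report
-- actually needs. Remove the role membership first so the narrow grant is
-- the only remaining access path for this login.
EXEC sp_droprolemember @rolename = 'smsschm_users', @membername = 'rpt_reader';
GRANT SELECT ON dbo.v_R_System TO rpt_reader;
GO

-- Check: list every database user that can read all SMS views through
-- smsschm_users. Review this periodically and drop members that no longer
-- need report access.
SELECT u.name AS member_name
FROM   sysmembers AS m
JOIN   sysusers   AS u ON u.uid = m.memberuid
JOIN   sysusers   AS r ON r.uid = m.groupuid
WHERE  r.name = 'smsschm_users';
GO
```

Users who connect with Windows Authentication are handled through the Reporting Users local group instead, as the text above describes, so this script applies only to SQL Server logins.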