Inventory Collection (Securing SMS Features)

Collecting inventory exposes the site to several potential attacks. An attacker can:

  • Send invalid data.

  • Send excessively large amounts of data.

  • Access inventory information as it is transferred to the site systems.

Inventory attacks are usually considered less serious than attacks that could force unauthorized software distribution, because the inventory information can usually be obtained through other means.

Disable IDMIF and NOIDMIF Collection in High Security Environments

The IDMIF and NOIDMIF collection can be used to extend SMS hardware inventory collection. When necessary, SMS creates new tables or modifies existing tables in the SMS site database to accommodate the properties in IDMIF and NOIDMIF files. However, IDMIF and NOIDMIF files are not validated, so they could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. Large amounts of data could be loaded, causing delays in all SMS functions. To mitigate this risk, you can disable the IDMIF and NOIDMIF collection.

Newly installed SMS 2003 sites have MIF collection disabled by default. SMS 2003 sites that have been upgraded from SMS 2.0 have MIF collection enabled by default.

For the procedure, see Disabling IDMIF and NOIDMIF Collection in “Appendix E: SMS Security Procedures.”

Note

Extending hardware inventory collection by using SMS_def.mof extensions does not have the same security issues. All SMS_def.mof extensions must be made on the server side, which requires administrative rights.
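Because SMS loads IDMIF and NOIDMIF files without validating them, an administrator who cannot disable MIF collection outright (for example, on an upgraded SMS 2.0 site that still depends on it) may want to screen the files before they reach the Inventory Data Loader. The validator below is an added example, not SMS code and not an SMS feature: it enforces a size cap, parses the Start/End block structure of a MIF file, rejects groups whose class name falls under a constructed deny-list of prefixes (standing in for tables that client-supplied data must not alter), and caps attribute value length. All limits, the protected prefixes and the two sample files are constructed for illustration.

```python
import re

# Constructed limits; tune to what the site actually expects from clients.
MAX_FILE_BYTES = 64 * 1024      # reject oversized MIFs before parsing them
MAX_GROUPS = 20                 # groups allowed per component
MAX_VALUE_LEN = 255             # characters allowed in one attribute value
# Constructed deny-list: groups whose Class starts with one of these prefixes
# would map onto tables that client-supplied MIF data must not create or alter.
PROTECTED_CLASS_PREFIXES = ("MICROSOFT|", "SMS|")

_KV = re.compile(r"^(\w+)\s*=\s*(.*)$")          # Name = "value"
_PARENT = {"component": None, "group": "component", "attribute": "group"}


def _unquote(raw):
    raw = raw.strip()
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def validate_mif(text):
    """Return a list of problems found in MIF text; an empty list means accept."""
    problems = []
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        problems.append("file exceeds %d bytes" % MAX_FILE_BYTES)
        return problems                       # do not parse an oversized file
    stack, groups, group, attr = [], 0, {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        low = line.lower()
        if low.startswith("start "):
            kind = low.split(None, 1)[1]
            parent = stack[-1] if stack else None
            if kind not in _PARENT or parent != _PARENT[kind]:
                problems.append("line %d: '%s' not allowed here" % (lineno, line))
                continue
            stack.append(kind)
            if kind == "group":
                groups, group = groups + 1, {}
                if groups > MAX_GROUPS:
                    problems.append("line %d: more than %d groups" % (lineno, MAX_GROUPS))
            elif kind == "attribute":
                attr = {}
        elif low.startswith("end "):
            kind = low.split(None, 1)[1]
            if not stack or stack[-1] != kind:
                problems.append("line %d: unexpected '%s'" % (lineno, line))
                continue
            stack.pop()
            if kind == "group":
                cls = group.get("class", "")
                if not cls:
                    problems.append("line %d: group without Class" % lineno)
                elif cls.upper().startswith(PROTECTED_CLASS_PREFIXES):
                    problems.append("line %d: class '%s' is protected" % (lineno, cls))
            elif kind == "attribute" and len(attr.get("value", "")) > MAX_VALUE_LEN:
                problems.append("line %d: attribute value exceeds %d characters"
                                % (lineno, MAX_VALUE_LEN))
        else:
            m = _KV.match(line)
            if not m:
                problems.append("line %d: unparsable line" % lineno)
                continue
            key, value = m.group(1).lower(), _unquote(m.group(2))
            if stack and stack[-1] == "group":
                group[key] = value
            elif stack and stack[-1] == "attribute":
                attr[key] = value
    if stack:
        problems.append("unterminated block(s): %s" % ", ".join(stack))
    return problems


# Constructed sample: a well-formed NOIDMIF adding a custom asset-tag group.
GOOD_MIF = (
    'Start Component\n  Name = "Workstation"\n  Start Group\n'
    '    Name = "Asset Tag"\n    ID = 1\n    Class = "Contoso|Asset Tag|1.0"\n'
    '    Start Attribute\n      Name = "Tag"\n      ID = 1\n'
    '      Type = String(32)\n      Value = "CT-000123"\n    End Attribute\n'
    '  End Group\nEnd Component\n'
)
# Constructed sample: targets a protected class, carries an oversized value,
# and has a stray End Group.
BAD_MIF = (
    'Start Component\n  Name = "Workstation"\n  Start Group\n'
    '    Name = "Processor"\n    ID = 1\n    Class = "Microsoft|Processor|1.0"\n'
    '    Start Attribute\n      Name = "Name"\n      ID = 1\n'
    '      Type = String(64)\n      Value = "' + "A" * 300 + '"\n    End Attribute\n'
    '  End Group\n  End Group\nEnd Component\n'
)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_MIF), ("bad", BAD_MIF)):
        print(label, validate_mif(sample) or "accepted")
```

Running the script accepts the first sample and reports three problems for the second; in practice such a filter would sit on the path the MIF files take into the site, and any file it rejects is worth logging with the originating client name.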

Do Not Use File Collection to Collect Critical Files or Sensitive Information

The Advanced Client collects inventory with the full rights of the LocalSystem account. This includes the ability to collect copies of critical system files, such as the registry or the security account database. Once these files are available on the SMS site server, someone with the necessary privileges could analyze their contents and learn details about the client that would help in compromising it.

Consider both privacy and security when collecting files. Apply the principle of least privilege when assigning access to files that SMS has collected.
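A practical way to apply this guidance is to audit the file collection rules before they are deployed, by simulating them against a file listing from a representative client and reporting any rule that would sweep up a registry hive or the security account database. The script below is an added example and not SMS code; its rule shape (filename pattern, root path, whether subfolders are searched) is only loosely modelled on software inventory file collection, and the rules, the client file listing and the deny-list of sensitive files are all constructed for illustration.

```python
import fnmatch
import ntpath

# Constructed deny-list: full paths (lower-case, backslashes) that must never be
# collected, plus file names that are sensitive wherever they appear.
SENSITIVE_FILES = {
    r"c:\windows\system32\config\sam",
    r"c:\windows\system32\config\security",
    r"c:\windows\system32\config\system",
    r"c:\windows\system32\config\software",
}
SENSITIVE_NAMES = ("ntuser.dat",)

# Constructed snapshot of files present on a client.
CLIENT_FILES = [
    r"C:\Windows\System32\config\SAM",
    r"C:\Windows\System32\config\SOFTWARE",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Program Files\Contoso\app.config",
    r"C:\Program Files\Contoso\app.exe",
]

# Constructed collection rules: (filename pattern, root path, search subfolders).
RULES = [
    ("*.config", r"C:\Program Files", True),
    ("*.dat", "C:\\", True),                 # too broad: reaches user profiles
    ("app.exe", r"C:\Program Files\Contoso", False),
]


def _norm(path):
    """Normalise a Windows path for comparison (case, separators, dots)."""
    return ntpath.normcase(ntpath.normpath(path))


def rule_matches(rule, path):
    """True if the rule would collect the given file."""
    pattern, root, recurse = rule
    directory, name = ntpath.split(_norm(path))
    if not fnmatch.fnmatchcase(name, ntpath.normcase(pattern)):
        return False
    root_n = _norm(root)
    if directory == root_n:
        return True
    return recurse and directory.startswith(root_n.rstrip("\\") + "\\")


def is_sensitive(path):
    normed = _norm(path)
    return normed in SENSITIVE_FILES or ntpath.basename(normed) in SENSITIVE_NAMES


def audit_rules(rules, files):
    """Map each offending rule to the sensitive files it would collect."""
    findings = {}
    for rule in rules:
        hits = [f for f in files if rule_matches(rule, f) and is_sensitive(f)]
        if hits:
            findings[rule] = hits
    return findings


if __name__ == "__main__":
    for rule, hits in audit_rules(RULES, CLIENT_FILES).items():
        print("rule %r would collect sensitive files: %s" % (rule, ", ".join(hits)))
```

In this constructed setup only the `*.dat` rule rooted at `C:\` is flagged, because it would pick up a user's registry hive; narrowing its root path or excluding the profile directories removes the finding. The same harness can be fed a real file listing exported from a client to check rules before they are pushed to a site.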