Client Access Points

Even if you do not have any Legacy Clients, SMS automatically creates one client access point on the site server. SMS creates a directory called \CAP_sitecode on the drive where SMS is installed. This directory is shared as \\*site server*\CAP_sitecode. SMS will not allow you to remove the last CAP in the site, but you can lock down the CAP shared folder. Failure to harden the CAP could allow an attacker to submit invalid data to the SMS site database.

Modify the Shared Folder Permissions that Allow Clients to Connect to the CAP Directory Structure

By default, the Everyone account has Full Control to the \\*site server*\CAP_sitecode shared folder. In a secure environment with no Legacy Clients, remove Everyone from the shared folder permissions and assign only Administrators Full Control. This allows SMS to continue its CAP maintenance cycles without generating error messages, but prevents non-administrators from accessing the CAP directory structure.
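
An added example, not part of the original SMS documentation: a read-only PowerShell audit of the CAP share permissions described above, reading the share's access control list through the WMI class Win32_LogicalShareSecuritySetting. The function name Test-CapSharePermission, the server name SMSSRV01 and the site code XYZ are placeholders made up for this example.

```powershell
# Added example: reports the ACL on the CAP share and changes nothing.
# Test-CapSharePermission, 'SMSSRV01' and 'XYZ' are hypothetical names.
function Test-CapSharePermission {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$SiteCode
    )

    $share     = "CAP_$SiteCode"
    $adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $fullMask  = 2032127          # share-level Full Control
    $maskNames = @{ 2032127 = 'FullControl'; 1245631 = 'Change'; 1179817 = 'Read' }

    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$share'"
    if (-not $setting) {
        Write-Warning "No share security setting returned for $share; review the share by hand."
        return
    }

    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed for $share (code $($result.ReturnValue))"
    }

    $dacl = $result.Descriptor.DACL
    if (-not $dacl) {
        Write-Warning "$share has no DACL, so access is not restricted at the share level."
        return
    }

    foreach ($ace in $dacl) {
        $mask   = [int]$ace.AccessMask
        $access = if ($maskNames.ContainsKey($mask)) { $maskNames[$mask] } else { '0x{0:X}' -f $mask }
        $sid    = $ace.Trustee.SIDString
        # Expected state per the guidance above: one Allow ACE, Administrators, Full Control.
        $ok     = ($ace.AceType -eq 0) -and ($sid -eq $adminSid) -and ($mask -eq $fullMask)
        New-Object PSObject -Property @{
            Share     = $share
            Trustee   = $ace.Trustee.Name
            SID       = $sid
            AceType   = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Access    = $access
            Compliant = $ok
        }
    }
}

Test-CapSharePermission -ComputerName 'SMSSRV01' -SiteCode 'XYZ' | Format-Table -AutoSize
```

Any row with Compliant set to False, such as an entry for Everyone (SID S-1-1-0), is a trustee to remove from the shared folder permissions.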