Software Distribution (Securing SMS Features)

Software distribution is a powerful feature that can be used as a major point of attack if not secured properly. When installing packages, SMS can use elevated rights in either the user or the system context, even if the user does not have administrative rights. This allows an attacker to effectively run any attacks that elevate rights.

Note

The Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide incorrectly states that you do not need the package Modify right to distribute packages to distribution points. To distribute packages to distribution points, you must have package Read, Distribute and Modify SMS object security rights.

Do Not Allow Users to Interact with Programs if Run with Administrative Rights is Required

When you configure a program, you can set the option Allow users to interact with this program (less secure) so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer running the program could use the user interface to escalate privilege on the client computer.

It is strongly recommended that you use Windows Installer-based setup programs with per-user elevated privileges for installations that require administrative credentials, but must be run in the context of a user who does not have administrative credentials. Using Windows Installer per-user elevated privileges provides the most secure way of deploying applications with this requirement.

Note

If you advertise a program that is set to Run with administrative rights and you do not select Allow users to interact with this program (less secure), the program might fail if it displays a user interface that requires a user to make a selection or click a button. In such a case, the user interface that the user is required to interact with is not visible to the user and can never be responded to. The program waits for user interaction until the program's Maximum allowed run time that is configured in the program is exceeded. After the Maximum allowed run time is exceeded, the program's process is terminated on the client. If no Maximum allowed run time is specified, the program's process ends after 72 hours. During the period from when the program starts to run until the program's process ends, SMS will not start any other pending software distribution programs.

Always Specify the User Interaction When Using Package Definition Files

If you create a package using the Create Package from Definition wizard and you have not specified the line UserInputRequired=False, SMS creates the program for the package with Allow users to interact with this program (less secure) enabled. If user interaction is not required, always include the line UserInputRequired=False in the package definition file. If you have already created packages from definition files, manually disable the setting Allow users to interact with this program (less secure) on any programs in that package.
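As an added audit check (not code from the original documentation or from SMS itself), the following Python script parses a package definition file and lists every program that would be created with both Run with administrative rights and Allow users to interact with this program (less secure), the combination warned about in the two sections above; a missing UserInputRequired line is treated as interaction enabled, which is how SMS creates the program. The AdminRightsRequired key name is assumed from the SMS package definition file format, and the sample file is constructed.

```python
import configparser

# Constructed sample package definition file (not from the original page).
# [Typical] omits UserInputRequired, so SMS would create it with
# "Allow users to interact with this program" enabled; [Silent] is the safe form.
SAMPLE_PDF = """\
[PDF]
Version=2.0

[Package Definition]
Name=Example App
Programs=Typical,Silent

[Typical]
Name=Typical install
CommandLine=setup.exe
AdminRightsRequired=True

[Silent]
Name=Silent install
CommandLine=setup.exe /quiet
AdminRightsRequired=True
UserInputRequired=False
"""

def _is_true(value, default):
    # A missing key gets the default SMS applies; otherwise parse the boolean text.
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes")

def audit_package_definition(text):
    """Return names of programs that would get both 'Run with administrative
    rights' and 'Allow users to interact with this program'. A missing
    UserInputRequired line counts as interaction enabled, as SMS creates it."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in command lines
    cp.read_string(text)
    programs = cp.get("Package Definition", "Programs", fallback="")
    flagged = []
    for name in (p.strip() for p in programs.split(",") if p.strip()):
        if not cp.has_section(name):
            continue  # listed but undefined program; nothing to audit
        admin = _is_true(cp.get(name, "AdminRightsRequired", fallback=None), False)
        interact = _is_true(cp.get(name, "UserInputRequired", fallback=None), True)
        if admin and interact:
            flagged.append(name)
    return flagged
```

Run it over each definition file before using the Create Package from Definition wizard; any name it returns needs a UserInputRequired=False line added, or the program's interaction setting disabled after creation.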

Do Not Create Subcollections if You Need to Restrict Software Distribution on Them

An advertisement to a collection with subcollections is sent to all members of the collection and its subcollections, even if the administrator only has the Advertise right to the collection (not the subcollections). Any administrator who can link a collection to another collection can cause their collection to receive the advertisements targeted to the other collection, even if they do not have Advertise permissions on any collection. For this reason, watch for the addition of subcollections to collections that have advertisements, and be cautious about whom you grant permission to read collections that receive advertisements.

Secure Software at the Package Access Level

By default, the package files on distribution points are fully accessible by administrators and readable by users. Users with administrative rights on their Advanced Clients can set the client to join any site, even if the computer is not within the boundaries of the site. When the clients have joined the site, they can receive any software distributions that are available at that site and where the computer or user meets the qualifications of the relevant collections. For this reason, software that should be limited to specific users should be secured at the package access level to those users, rather than being limited by site availability or collection criteria.

Set Package Access Permissions at Package Creation

Changes to the access accounts on the package files (as opposed to the distribution point shared folders) become effective only when you refresh the package. Therefore, you should set the package access permissions carefully when you first create the package, especially if the package is large, if you are distributing the package to many distribution points, or if your network capacity for package distributions is limited. To quickly initiate the refresh of all distribution points, you can use the Update Distribution Points task for the package.

Secure the Package Source Files

When creating packages, many packages have source files available from either a directory or a shared folder. SMS uses those source files to update the packages. However, because the source files are not in SMS directories, SMS does not secure them. If the files have been tampered with, SMS clients could be compromised. Therefore, you must ensure that the source files are secured. The only SMS account that needs access to the package source files is the SMS site server computer account (advanced security) or the SMS Service account (standard security).

Store package source files on a computer running Windows 2000 or later in an Active Directory Domain (Advanced Security only)

Computers running Windows NT 4.0 and computers in a Windows NT 4.0 domain cannot be used as a package source server when the SMS site is in advanced security mode.

When SMS 2003 is in advanced security mode and a package source is on another computer, SMS uses the site server computer account to connect to the package source computer. Computers running Windows NT 4.0 in an Active Directory domain cannot authenticate a computer account. Similarly, computers running a Windows operating system in a Windows NT 4.0 domain cannot authenticate a computer account. A connection from an SMS 2003 site server in advanced security mode would therefore fail.

Do Not Set Restricted Package Files to be Downloaded and Executed

When packages are downloaded to Advanced Clients, anyone on the computer can run the package for as long as it remains in the download cache, and a user could copy the files to a directory or shared folder that other people can access. If unauthorized people must not be able to access the files, do not use the download option for those packages.