Security and Privacy for Content Management in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
This topic contains security and privacy information for content management in System Center 2012 Configuration Manager. Read it in conjunction with the following topics:
Use the following security best practices for content management:
Security best practice
For distribution points on the intranet, consider the advantages and disadvantages of using HTTPS and HTTP
Differences between HTTPS and HTTP for distribution points:
In most scenarios, using HTTP and package access accounts for authorization provides more security than using HTTPS with encryption but without authorization. However, if you have sensitive data in your content that you want to encrypt during transfer, use HTTPS.
If you use a PKI client authentication certificate rather than a self-signed certificate for the distribution point, protect the certificate file (.pfx) with a strong password. If you store the file on the network, secure the network channel when you import the file into Configuration Manager.
Requiring a password to import the client authentication certificate that the distribution point uses to communicate with management points helps to protect the certificate from an attacker.
Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file.
Remove the distribution point role from the site server.
By default, a distribution point is installed on the same server as the site server. Clients do not have to communicate directly with the site server, so to reduce the attack surface, assign the distribution point role to other site systems and remove it from the site server.
Secure content at the package access level.
The distribution point share allows Read access to all users. To restrict which users can access the content, use package access accounts when the distribution point is configured for HTTP.
For more information about the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.
If Configuration Manager installs IIS when you add a distribution point site system role, remove HTTP Redirection and IIS Management Scripts and Tools when the distribution point installation is complete.
The distribution point does not require HTTP Redirection and IIS Management Scripts and Tools. To reduce the attack surface, remove these role services for the web server (IIS) role.
For more information about the role services for the web server (IIS) role for distribution points, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.
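The following script is an added example, not part of the Configuration Manager documentation; it audits a distribution point for the two IIS role services named above and removes them on request. It assumes an elevated PowerShell session on the distribution point server with the ServerManager module available (Windows Server 2008 R2 or later); the feature names are the ones Windows Server uses for the role services the topic names.

```powershell
# Added example (not from the Configuration Manager documentation).
# Run elevated on the distribution point after the role installation has completed.
Import-Module ServerManager

# Windows feature names mapped to the display names used in the topic.
$unneededRoleServices = @{
    'Web-Http-Redirect'   = 'HTTP Redirection'
    'Web-Scripting-Tools' = 'IIS Management Scripts and Tools'
}

function Remove-UnneededDpRoleServices {
    # Without -Apply the function only reports; with -Apply it removes the role services.
    param([switch]$Apply)

    foreach ($name in $unneededRoleServices.Keys) {
        $display = $unneededRoleServices[$name]
        $feature = Get-WindowsFeature -Name $name

        if (-not $feature.Installed) {
            Write-Output "$display ($name): not installed, nothing to do"
            continue
        }

        if ($Apply) {
            # Remove-WindowsFeature exists on 2008 R2 and is an alias of
            # Uninstall-WindowsFeature on 2012 and later, so it works on both.
            $result = Remove-WindowsFeature -Name $name
            Write-Output "$display ($name): removed, restart needed = $($result.RestartNeeded)"
        } else {
            Write-Warning "$display ($name) is installed on this distribution point. Run with -Apply to remove it."
        }
    }
}

# Report first; re-run with -Apply once you have reviewed the output.
Remove-UnneededDpRoleServices
```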
Set package access permissions when you create the package
Because changes to the access accounts on the package files become effective only when you redistribute the package, set the package access permissions carefully when you first create the package. This is particularly important for the following scenarios:
Implement access controls to protect media that contains prestaged content
Prestaged content is compressed but not encrypted. An attacker could read and modify the files that are then downloaded to devices. Configuration Manager clients will reject content that is tampered with, but they still download it.
Import prestaged content by using only the ExtractContent command-line tool (ExtractContent.exe) that is supplied with Configuration Manager, and make sure that it is signed by Microsoft.
To avoid tampering and elevation of privileges, use only the authorized command-line tool that is supplied with Configuration Manager.
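As an added example (not code from the Configuration Manager documentation), the following function checks that a copy of ExtractContent.exe carries a valid Authenticode signature whose signer is Microsoft before you use it to import prestaged content. The file path at the bottom is an assumption; point it at the ExtractContent.exe supplied with your own Configuration Manager installation.

```powershell
# Added example (not from the Configuration Manager documentation).
function Test-ExtractContentSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "ExtractContent.exe was not found at $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the signature verifies and chains to a trusted root. Any other
    # status (NotSigned, HashMismatch, NotTrusted, UnknownError, ...) means the file
    # may have been replaced or modified and must not be used.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is '$($sig.Status)'. Do not run this file."
        return $false
    }

    # A valid signature from some other trusted publisher is not good enough:
    # the topic requires the tool to be signed by Microsoft.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "Valid signature, but the signer is not Microsoft: $subject"
        return $false
    }

    Write-Output "OK: $Path is signed by $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

# Assumed location; adjust to where the tool is on your site server or media.
Test-ExtractContentSignature -Path 'C:\Program Files\Microsoft Configuration Manager\bin\X64\ExtractContent.exe'
```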
Secure the communication channel between the site server and the package source location
Use IPsec or SMB signing between the site server and the package source location when you create applications and packages. This helps to prevent an attacker from tampering with the source files.
If you change the site configuration option to use a custom website rather than the default website after any distribution point roles are installed, remove the default virtual directories
When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website:
For cloud-based distribution points, which are available beginning with Configuration Manager SP1: Protect your subscription details and certificates
When you use cloud-based distribution points, protect the following high-value items:
Store the certificates securely and if you browse to them over the network when you configure the cloud-based distribution point, use IPsec or SMB signing between the site system server and the source location.
For cloud-based distribution points, which are available beginning with Configuration Manager SP1: For service continuity, monitor the expiry date of the certificates
Configuration Manager does not warn you when the certificates that you imported for management of the cloud-based distribution point service are about to expire. You must monitor the expiry dates independently of Configuration Manager and make sure that you renew and then import the new certificate before the expiry date. This is particularly important if you purchase a Configuration Manager cloud-based distribution point service certificate from an external certification authority (CA), because you might need additional time to obtain a renewed certificate.
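Because Configuration Manager gives no expiry warning for these certificates, the following added example (not from the Configuration Manager documentation) reads the certificate files you imported and reports how many days remain, so it can be run on a schedule. It assumes PowerShell 3.0 or later and that you kept copies of the management certificate (.cer) and the service certificate (.pfx) in an access-controlled folder; the folder path, file names and the 30-day warning threshold are assumptions for the example.

```powershell
# Added example (not from the Configuration Manager documentation).
function Get-CloudDpCertificateExpiry {
    param(
        [Parameter(Mandatory = $true)][string[]]$CertificatePath,
        [int]$WarnDays = 30          # assumed threshold; align with your CA's renewal lead time
    )

    foreach ($path in $CertificatePath) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

        if ($path -like '*.pfx') {
            # .pfx files carry the private key and are password protected;
            # prompt for the password instead of embedding it in the script.
            $password = Read-Host -AsSecureString -Prompt "Password for $path"
            $cert.Import($path, $password, 'DefaultKeySet')
        } else {
            $cert.Import($path)
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -le 0) {
            $action = 'EXPIRED: renew and import a new certificate now'
        } elseif ($daysLeft -le $WarnDays) {
            $action = 'Renew now and import the new certificate before expiry'
        } else {
            $action = 'OK'
        }

        [pscustomobject]@{
            File       = Split-Path -Path $path -Leaf
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Action     = $action
        }
    }
}

# Assumed locations of the copies you kept when you configured the cloud-based distribution point.
Get-CloudDpCertificateExpiry -CertificatePath @(
    'D:\Secured\CloudDP\management.cer',
    'D:\Secured\CloudDP\service.pfx'
) | Format-Table -AutoSize
```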
Content management has the following security issues:
Clients do not validate content until after it is downloaded
Configuration Manager clients validate the hash on content only after it is downloaded to their client cache. If an attacker tampers with the list of files to download or with the content itself, the download process can take up considerable network bandwidth for the client to then discard the content when it encounters the invalid hash.
You cannot restrict access to content hosted by cloud-based distribution points to users or groups
Beginning with Configuration Manager SP1, when you use cloud-based distribution points, access to the content is automatically restricted to your enterprise and you cannot restrict it further to selected users or groups.
A blocked client can continue to download content from a cloud-based distribution point for up to 8 hours
Beginning with Configuration Manager SP1, when you use cloud-based distribution points, clients are authenticated by the management point and then use a Configuration Manager token to access cloud-based distribution points. The token is valid for 8 hours, so if you block a client because it is no longer trusted, it can continue to download content from a cloud-based distribution point until the validity period of this token has expired. At that point, the management point will not issue another token for the client because the client is blocked.
To prevent a blocked client from downloading content within this 8-hour window, you can stop the cloud service from the Cloud node, Hierarchy Configuration, in the Administration workspace in the Configuration Manager console. For more information, see Manage Cloud Services for Configuration Manager.
Configuration Manager does not include any user data in content files, although an administrative user might choose to do this.
Before you configure content management, consider your privacy requirements.