SMS Communications Security

For more details about these tasks, see Securing SMS Communications.

Disabling Unsigned Communications Between Sites

Unsigned communications are permitted by default. Disabling unsigned communication is more secure, but will prevent communication with sites that are not running SMS 2.0 SP5.

To disable unsigned communications between sites

  1. In the SMS Administrator console, navigate to the site’s node.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

  2. Right-click the site, and then select Properties.

  3. In the Site Properties dialog box, click the Advanced tab, and then select Do not accept unsigned data from sites that are running SMS 2.0 SP4 and earlier.

Requiring Secure Key Exchange

Secure key exchange is not required by default. Enabling it is more secure, but it will prevent communication with sites that are not running SMS 2.0 SP5.

To require secure key exchange between sites

  1. In the SMS Administrator console, navigate to the site’s node.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

  2. Right-click the site, and then click Properties.

  3. In the Site Properties dialog box, click the Advanced tab, and then select Require secure key exchange between sites.

Installing the Trusted Root Key by Using Windows Group Policy Installation (Client.msi)

If you install the Advanced Client by using Group Policy installation (Client.msi), the client does not automatically obtain the trusted root key during installation, so you must supply the key to the installation manually.

To install the trusted root key

  1. In Notepad, open the file C:\sms\bin\i386\mobileclient.tcf.

  2. Copy the key that comes after SMSPublicRootKey=, and save the key to a text file in any location you choose.

  3. Configure the group policy to use this syntax when installing: msiexec /i \\server\share\client.msi /L*v c:\install.log SMSROOTKEYPATH=<Fullpathandfilename>
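The following PowerShell script is an added example and is not part of the SMS documentation. It performs steps 1 and 2 above without Notepad (reads mobileclient.tcf, extracts the value after SMSPublicRootKey=, writes it to a key file) and builds the msiexec command line from step 3. It assumes the key is the remainder of a single SMSPublicRootKey= line in the .tcf file; the \\server\share paths, the key file name and C:\install.log are placeholders.

```powershell
# Added example, not part of the SMS 2003 documentation.
# Extracts the SMSPublicRootKey from mobileclient.tcf, writes it to a key file,
# and builds the Client.msi command line for a Group Policy installation.
# Assumptions: the key is the text after "SMSPublicRootKey=" on a single line of
# the .tcf file; \\server\share and C:\install.log are placeholders.

function Get-SmsPublicRootKey {
    param([string]$TcfPath = 'C:\sms\bin\i386\mobileclient.tcf')
    # Find the SMSPublicRootKey= line; the .tcf file is plain text, one setting per line.
    $line = Get-Content -Path $TcfPath |
        Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "SMSPublicRootKey not found in $TcfPath" }
    # Split on the first '=' only, in case the key text itself contains '=' characters.
    $key = ($line -split '=', 2)[1].Trim()
    if ($key.Length -eq 0) { throw "SMSPublicRootKey is empty in $TcfPath" }
    return $key
}

function Export-SmsRootKeyFile {
    param(
        [string]$KeyFilePath,
        [string]$TcfPath = 'C:\sms\bin\i386\mobileclient.tcf'
    )
    $key = Get-SmsPublicRootKey -TcfPath $TcfPath
    # Write only the key, as plain ASCII with no byte-order mark. (Assumption: the
    # file should contain the key and nothing else, as when it is pasted into Notepad.)
    [System.IO.File]::WriteAllText($KeyFilePath, $key, [System.Text.Encoding]::ASCII)
    return $KeyFilePath
}

function New-ClientMsiCommandLine {
    param(
        [string]$MsiPath,       # e.g. \\server\share\client.msi (placeholder)
        [string]$KeyFilePath,   # the file written by Export-SmsRootKeyFile
        [string]$LogPath = 'C:\install.log'
    )
    # Same syntax as step 3: msiexec /i <msi> /L*v <log> SMSROOTKEYPATH=<Fullpathandfilename>
    return "msiexec /i `"$MsiPath`" /L*v `"$LogPath`" SMSROOTKEYPATH=`"$KeyFilePath`""
}

# Usage (paths are placeholders):
$keyFile = Export-SmsRootKeyFile -KeyFilePath '\\server\share\smsrootkey.txt'
New-ClientMsiCommandLine -MsiPath '\\server\share\client.msi' -KeyFilePath $keyFile
```

The trusted root key is a public key, so the key file is not secret; what the client relies on is its integrity. Grant write access on the share only to administrators, and read access to the computer accounts that will run the installation, since Group Policy software installation runs in the computer's context rather than the user's.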

Verifying the Installation of the Trusted Root Key

If you are not sure whether an Advanced Client has received the trusted root key, or if you want to verify that a client has the correct trusted root key, you can view the trusted root key in WMI on the Advanced Client.

To verify the installation of the trusted root key

  1. From the Start menu, click Run, and then type Wbemtest.

  2. In the Windows Management Instrumentation Tester dialog box, click Connect. The Connect dialog box appears.

  3. In the Connect dialog box, in the Namespace field, type root\ccm\locationservices, and then click Connect. The Windows Management Instrumentation Tester dialog box reappears.

  4. In the IWbemServices section, click Enum Classes. The Superclass Info dialog box appears.

  5. In the Superclass Info dialog box, select Recursive, and then click OK. The Query Result window appears.

  6. In the Query Result window, scroll to the end of the list, and then double-click TrustedRootKey (). The Object editor for TrustedRootKey dialog box appears.

  7. In the Object editor for TrustedRootKey dialog box, click Instances. A new Query Result window appears to display the instances of TrustedRootKey.

  8. In the Query Result window, double-click TrustedRootKey=@. The Object editor for TrustedRootKey=@ dialog box appears.

  9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. It should match the SMSPublicRootKey in the file C:\sms\bin\i386\mobileclient.tcf.
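The following PowerShell script is an added example and is not part of the SMS documentation. It performs the same check as the Wbemtest procedure above across several clients: it reads the TrustedRootKey instance in root\ccm\locationservices and compares its TrustedRootKey property with the expected key (the text saved from mobileclient.tcf). The namespace, class, instance and property names are those named in the procedure; the computer names and the key file path are placeholders.

```powershell
# Added example, not part of the SMS 2003 documentation.
# Reads the trusted root key stored in WMI on an Advanced Client and compares it
# with the expected key (the text saved from mobileclient.tcf). Namespace, class,
# instance and property names are those used in the Wbemtest procedure; the
# computer names and the key file path are placeholders.

function Get-ClientTrustedRootKey {
    param([string]$ComputerName = '.')
    # root\ccm\locationservices holds a single TrustedRootKey instance (TrustedRootKey=@);
    # its TrustedRootKey property is the string shown in Wbemtest.
    $inst = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\ccm\locationservices' -Class 'TrustedRootKey' -ErrorAction Stop
    if ($null -eq $inst) { return $null }        # client present, but no key received yet
    return [string]$inst.TrustedRootKey
}

function Test-ClientTrustedRootKey {
    param(
        [string]$ExpectedKey,
        [string]$ComputerName = '.'
    )
    $result = [ordered]@{ Computer = $ComputerName; Status = ''; ClientKey = $null }
    try {
        $actual = Get-ClientTrustedRootKey -ComputerName $ComputerName
    } catch {
        # Namespace missing (no Advanced Client), access denied, or host unreachable.
        $result.Status = "Error: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if ([string]::IsNullOrEmpty($actual)) {
        $result.Status = 'NoKey'
    } elseif ($actual.Trim() -ceq $ExpectedKey.Trim()) {
        $result.Status = 'Match'
    } else {
        # A key that differs from the site's SMSPublicRootKey means the client trusts a
        # different site server (a moved client, a stale key, or a substituted key).
        $result.Status = 'Mismatch'
    }
    $result.ClientKey = $actual
    return [pscustomobject]$result
}

# Usage: the expected key is the text saved from mobileclient.tcf (step 2 of the
# installation procedure); the key file path and computer names are placeholders.
$expected = [System.IO.File]::ReadAllText('C:\keys\smsrootkey.txt').Trim()
'CLIENT01', 'CLIENT02' |
    ForEach-Object { Test-ClientTrustedRootKey -ExpectedKey $expected -ComputerName $_ } |
    Format-Table Computer, Status -AutoSize
```

The comparison is exact (case-sensitive, after trimming whitespace), so a Mismatch is always worth a look: a client in that state either still trusts a previous hierarchy or has been given a key that did not come from this site's mobileclient.tcf.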

Removing the Trusted Root Key

If you move an Advanced Client from one hierarchy to a different hierarchy and to a site that does not have the schema extended for SMS, you must remove the trusted root key before moving the client to the new site.

On the Advanced Client computer, run CCMSetup RESETKEYINFORMATION=TRUE.

Reinstalling the Trusted Root Key

If you have removed the trusted root key while moving a client to a new hierarchy, you should reinstall the trusted root key.

To reinstall the trusted root key

  1. In Notepad, open the file C:\sms\bin\i386\mobileclient.tcf.

  2. Copy the key that comes after SMSPublicRootKey=, and save the key to a text file in any location you choose.

  3. Install the client using one of the following three methods and the appropriate syntax:

    • CCMSetup /trustedkeyfile:<Fullpathandfilename>

    • msiexec /i \\server\share\client.msi /L*v c:\install.log SMSROOTKEYPATH=<Fullpathandfilename>

    • Capinst.exe /advcli /advlicmd /trustedkeyfile:<Fullpathandfilename>

Configuring the Advanced Client TCP Port

SMS 2003 SP1 allows you to change the TCP port used to communicate with management points, server locator points, and BITS-enabled distribution points. A maximum of two ports can be configured and one port can be designated as the default port assigned to newly installed clients.

To change the default TCP port

  1. In the SMS Administrator console, navigate to the site’s node.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

  2. Right-click the site, and then click Properties.

  3. In the Site Properties dialog box, click the Ports tab. Add a new port number and description.

  4. You can use the portswitch.vbs script to change the default TCP port on existing Advanced Clients. For more information about the portswitch.vbs script, see the section “Consider Configuring the Advanced Client to Use a Non-Default HTTP Port” earlier in this document.

Enabling Client Signing and Encrypting of Inventory Data

Enable client authentication to prevent unauthorized clients from injecting invalid data into the SMS database. Enable client encryption to encrypt all client-initiated communication, such as inventory and status messages.

Important

After client inventory signing is enabled, you cannot disable it.

To enable inventory protection

  1. In the SMS Administrator console, navigate to the site’s node.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                (site code - site name)

  2. Right-click the site, and then click Properties.

  3. In the Site Properties dialog box, click the Advanced tab, and then select Sign data before sending to Management Point and Encrypt data before sending to Management Point.