Site Systems Security

For more detail about these tasks, see Securing SMS Site Systems. You can also refer to the checklists in SMS 2003 Security Checklists for a list of recommended steps for hardening Internet Information Services (IIS) and Microsoft SQL Server™.

Verifying Installed IIS Components

To reduce the attack surface of your Internet Information Services (IIS) systems, install only the minimum required components; every additional subcomponent (FTP, SMTP, NNTP, FrontPage extensions, and so on) is extra code listening on the network. For a list of the minimum required components for each site system role, see Table 2: Site System Roles and IIS Components.

To verify the installed IIS components

  1. Click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.

  2. Under Components, click Application Server, and then click Details.

  3. In the Application Server dialog box, under Subcomponents of Application Server, click Internet Information Services (IIS), and then click Details.

  4. In the Internet Information Services (IIS) dialog box, under Subcomponents of Internet Information Services (IIS), verify the installed IIS components.

  5. Click OK until you return to the Windows Component Wizard.

  6. Click Next, and then click Finish.

Configuring SQL Server and SMS to use Windows Authentication

Windows Authentication is the recommended security mode for Microsoft SQL Server™. First configure SQL Server to run in Windows Authentication mode; then configure SMS to access SQL Server in Windows Authentication mode. In Windows Authentication mode ("Windows only"), SQL Server logins, including sa, can no longer connect, so before you switch make sure that every account that needs the site database has a Windows login. The mode change takes effect only after the SQL Server service is restarted.

To set up Windows Authentication mode security with Enterprise Manager in SQL Server

  1. From the Start menu, click Enterprise Manager.

  2. Expand a server group.

  3. Right-click your SMS site database server, and then click Properties.

  4. Click the Security tab, and under Authentication, select Windows only. Click OK, and then restart the SQL Server service so that the new mode takes effect.

For more information, see the "Authentication Mode" topic in SQL Server Books Online.

To configure SMS to use SQL Server with Windows Authentication

  1. Log on to the primary site server whose site database connection you are reconfiguring. Use an account that belongs to the local Administrators group.

  2. On the Start menu, click Systems Management Server, and then click SMS Setup.

  3. Setup detects your SMS 2003 installation. To view your setup options, click Next.

  4. On the Setup Options page, select Modify or reset the current installation, and then click Next.

  5. On the Setup Installation Options page, click Next.

  6. On the SMS Security Information page, click Next.

  7. On the Database Modification page, click Next.

  8. On the Authentication Mode for SMS Site Database page, select Yes, use Windows Authentication.

  9. On the final page of the wizard, click Finish.

After SMS Setup installs the components on your site, a message appears indicating that the setup was successful.

Remove the Local Administrators Group from the Sysadmin Role

The following user accounts must always be local administrators on the computer running SQL Server:

  • The user installing SMS (SMS Installation account)

  • The user running SMS site reset

  • The SMS Service account (standard security) or the SMS site server account (advanced security)

By default, the local Administrators group (BUILTIN\Administrators) is a member of the sysadmin fixed server role on the SQL Server instance, which gives every local administrator of that computer full control of every database on it. Microsoft recommends that you restrict membership of the sysadmin fixed server role to a few trusted accounts. For SMS operations, you can safely remove the Administrators group from the sysadmin role if you first perform the steps for your security mode and SMS configuration that are listed in the following table; performing the removal first leaves SMS with no sysadmin path to its site database.

Note

Microsoft recommends using advanced security and Windows authentication.

The rows are the SMS security method; the entries give the logins to create and grant sysadmin rights before removing the Administrators group.

Advanced Security

  • SMS configured to use Windows Authentication: Create a SQL Server login for the site server computer account, and grant that login sysadmin rights.

  • SMS configured to use SQL Server Authentication: Create SQL Server logins for the site server computer account and the SMS SQL Server (site database) account, and grant both logins sysadmin rights.

Standard Security

  • SMS configured to use Windows Authentication: Create SQL Server logins for both the SMS service account and the Remote Service account, and grant both logins sysadmin rights. (The Remote Service account is the account used to run the SMS SQL Monitor service.)

  • SMS configured to use SQL Server Authentication: Create SQL Server logins for the SMS SQL Server (site database) account, the SMS service account, and the Remote Service account, and grant all three logins sysadmin rights.

For more information about logins and the sysadmin role, see the “Logins, Users, Roles, and Groups” section in the most recent version of the SQL Server Books Online. For more information about the SMS service account, the Remote Service account, the SQL Server/Site Database account, and the site server computer account, see Appendix C: SMS Accounts, Groups, and Passwords earlier in this document.

Important

If other SQL Server applications are hosted on the SMS site database server, then in Standard Security the SMS Service account and the Remote Service account, as sysadmin members, can access those applications' databases: sysadmin membership is not limited by database-level permissions, so anyone who obtains either account's password can use it to reach every database on the instance. In Advanced Security there is less risk, because the site server's computer account is used instead; its password is managed by Windows rather than by an administrator, and it is not an account that a person logs on with.

Microsoft does not recommend using the SMS site database server to run other SQL Server applications, but if you do, make sure to lock down the SQL Server permissions on those application databases and keep their logins out of the sysadmin role.
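The authentication-mode check from the Windows Authentication procedure above and the "Advanced Security, SMS configured to use Windows Authentication" entry of the table, carried out in Transact-SQL. This script is an added example, not part of the SMS 2003 documentation or the product; it assumes a domain named CONTOSO and a site server named SMSSITE01, so the site server computer account is CONTOSO\SMSSITE01$ (substitute your own names). Run it in Query Analyzer or osql on the site database server, connected as a login that holds sysadmin membership through something other than BUILTIN\Administrators (for example, an explicit login for your own domain account), because the last step removes that group's sysadmin membership.

```sql
USE master
GO

-- Step 1: confirm the instance is in Windows Authentication mode.
-- SERVERPROPERTY('IsIntegratedSecurityOnly') returns 1 for "Windows only"
-- and 0 for Mixed; xp_loginconfig reports the same setting by name.
-- A 0 here means the Enterprise Manager change has not been made, or the
-- SQL Server service has not been restarted since it was made.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsOnly
EXEC master..xp_loginconfig 'login mode'
GO

-- Step 2: create a SQL Server login for the site server computer account
-- (CONTOSO\SMSSITE01$ is an assumed name) and add it to the sysadmin
-- fixed server role. A computer account is granted exactly like a user
-- account, using DOMAIN\NAME$ with the trailing $.
IF NOT EXISTS (SELECT * FROM master..syslogins WHERE name = 'CONTOSO\SMSSITE01$')
    EXEC sp_grantlogin 'CONTOSO\SMSSITE01$'
EXEC sp_addsrvrolemember 'CONTOSO\SMSSITE01$', 'sysadmin'
GO

-- Step 3: remove BUILTIN\Administrators from sysadmin, but only after
-- verifying that the site server login really holds the role. Keeping
-- the check and the drop in one batch means a failed check skips the
-- drop instead of leaving SMS with no sysadmin path to its database.
IF IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\SMSSITE01$') = 1
    EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
ELSE
    RAISERROR ('CONTOSO\SMSSITE01$ is not a sysadmin member; BUILTIN\Administrators left unchanged.', 16, 1)
GO

-- Step 4: list the remaining sysadmin members. Expect the site server
-- computer account plus whatever explicit logins you keep for
-- administration; BUILTIN\Administrators should no longer appear.
EXEC sp_helpsrvrolemember 'sysadmin'
GO
```

For the other entries of the table, add the extra logins before step 3: sp_grantlogin followed by sp_addsrvrolemember for the SMS service account and the Remote Service account (Windows accounts), and, only when SMS is configured to use SQL Server Authentication (which requires Mixed mode), sp_addlogin followed by sp_addsrvrolemember for the SMS SQL Server (site database) account. sp_dropsrvrolemember removes only the role membership; the BUILTIN\Administrators login itself remains and can still connect with whatever database permissions it has been granted explicitly.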

Enabling HTTPS Access for Reporting Points

In SMS 2003 SP1 sites, it is recommended that you configure the SMS Administrator console to launch the report viewer by using HTTPS, so that report data and the console's connection to the reporting point are not sent in clear text. First configure the reporting point's IIS server with a server certificate and enable SSL on its Web site according to the IIS documentation; if you select HTTPS in the console before IIS is listening for SSL connections, the report viewer cannot connect.

To configure the SMS Administrator console to use HTTPS when connecting to reporting points

  1. In the SMS Administrator console, navigate to Site Systems.

    Systems Management Server

        Site Database (site code - site name)

            Site Hierarchy

                site code - site name

                    Site Settings

                        Connection Accounts

                            Site Systems

  2. In the Detail pane, right-click the site system that you want to modify, and then click Properties.

  3. On the Reporting Point tab, select the Use https check box, and specify a port number or accept the default SSL port 443. The port must match the SSL port bound to the reporting point's Web site in IIS.