Security Fundamentals

Security is not an absolute state. Network administrators must attempt to make the network as secure as necessary to protect vital assets, while still allowing day-to-day business functions to occur without interruption. Sometimes an administrator might relax certain security principles in order to meet business needs, but this should only be done with a clear understanding of the possible vulnerabilities, threats, attacks, and risks involved in the decision.

Vulnerability: Any product flaw, administrative process or act, or physical exposure that makes a computer susceptible to attack by a hostile user.

Threat: Any activity that represents possible danger to assets.

Attack: The result of exploiting some vulnerability of the system to compromise the asset.

Risk: The possibility of suffering a loss. Risk is a fundamental part of operations. It is not something to fear, but something to manage.

Use this guide to help you assess the threats and vulnerabilities in your SMS environment and prioritize the actions you can take to reduce your risk. When introducing network management software like Systems Management Server (SMS), you must ensure that the configuration of SMS in the environment does not introduce unacceptable risk.

Use Risk Management to Determine Your Level of Acceptable Risk

Risk management is essentially the process of identifying risks and deciding what to do about them. You must identify the potential source of the risk, assess the probability of that risk occurring, prioritize the risk based on impact to your business priorities, and then plan to minimize that probability. All risks are not equally damaging. The most serious risk from SMS is that its functionality could be hijacked by an unauthorized user who could then distribute software to all SMS clients. Because SMS has the ability to install software using administrative rights, an attacker could take control of every SMS client. SMS also has the ability to retrieve any file from any client computer, which could have serious consequences to security and privacy, depending on the nature of the document.

Caution

SMS was not designed to collect or deliver time-critical confidential information. There are vulnerabilities in this area that could be exploited. Do not collect any confidential data through SMS.

In contrast, the nature of the data that SMS collects (hardware inventory, software inventory, and metering) is not generally considered confidential. Similarly, the loss of SMS functionality for a short period of time due to a denial of service attack does not generally have a catastrophic impact, unlike, for example, e-mail, network communications, light, and power.

Microsoft provides guidance on risk management through the Microsoft Operations Framework. The white paper Microsoft Operations Framework Risk Management Discipline for Operations (https://go.microsoft.com/fwlink/?LinkId=28816) explains the core principles and components of the MOF Risk Management Discipline. This paper is available on the Microsoft Download site.

Physically Secure Your Computers

There is no security without physical security. An attacker who gets physical access to an SMS site system could potentially use SMS to attack the entire client base. All potential physical attacks must be considered high risk and mitigated appropriately. The site server and all site systems must be stored in a secure server room with controlled access. Ideally, keep computers that run the SMS Administrator consoles in a locked room to protect them from unauthorized access. However, if this is not possible, secure these computers when administrators are not physically present by having the operating system lock the workstation, or by using a secured screen saver. To enforce the principle of least privilege, create policies to require SMS Administrators to log in to remote administration consoles using a low-rights user account, and then use Run As to start the SMS Administrator console.

It is more difficult to physically secure the SMS clients because they usually must be accessible to end users. To mitigate the threat, restrict access to your business offices to authorized employees and guests. If you have client computers at high risk of compromise, store them in locked offices and add additional security measures like locked cases and anti-theft cables.

SMS clients can be mobile computers. Educate laptop users about good security practices like attaching a lock to their computer any time they use it, even if they think they will be sitting with the computer at all times. If a laptop is lost or stolen, have established procedures in your organization for preventing that computer from accessing the company network.

Design for Defense in Depth

Because SMS can interact with so many systems, it is important to think about the layers of security in your network and how those layers will interact with SMS. Security around the perimeter is important, but relying solely on perimeter security like firewalls increases your risk if the firewall is compromised. Designing networks to isolate less secure clients from more secure clients provides another layer of defense. If you have to use the SMS Legacy Client, you might isolate them on a separate network. Adding personal firewalls to client computers adds an additional layer. Running antivirus software adds an additional layer and SMS might be used to deploy and maintain the antivirus software. Educating users about computer security is a critical component of a network security strategy.

Be advised that personal firewalls like the Windows Firewall in Microsoft Windows® XP SP2 can be configured to block any externally initiated traffic, including SMS. Stringent controls block attacks, but could also block valid network management functions like software distribution. For more information, see Client Personal Firewalls later in this book.

Protect Against Unauthorized Administrators

SMS has no defense against an authorized SMS administrator who uses SMS to attack the network. Unauthorized administrators are a high security risk. An unauthorized administrator could launch numerous attacks, including:

  • Using software distribution to automatically install and run malicious software on every SMS client computer in the enterprise.

  • Enabling SMS Remote Tools and configuring them to take remote control of an SMS client without client permission.

  • Configuring rapid polling intervals and extreme amounts of inventory to create denial of service attacks against the clients and servers.

  • Running the Network Monitor tool to conduct unauthorized packet sniffing.

You cannot remove all administrative access to SMS because it would become unusable. Audit all administrative activity and routinely review the audit logs. Require all SMS administrators to undergo a background check before hiring and periodic rechecks as a condition of employment. High security jobs routinely involve enforced vacations because it can be easier to discover unauthorized administrative activity while the administrator is away.

Assign the Least Permissions Possible

The principle of least privilege says assign only the minimum permissions necessary to complete a task. For example, when using software distribution, configure the package access permissions so that only authorized installers of the software have access to the files on the distribution points. Grant users permissions only to the minimum necessary classes or instances in SMS Object Security (Appendix A: SMS Object Security and WMI). Do not put accounts in groups that can have access to more resources than required. If you can use a non-administrative account to perform a task, do not use an account with administrative rights. Grant the SMS accounts the minimum possible permissions necessary to perform their required functions, and follow the security best practices for accounts as described in Appendix C: SMS Accounts, Groups, and Passwords.

Enforce role separation to limit administrative exposure

Not all administrators need full administrative access to SMS. You can apply security permissions to collections to limit which administrators can perform which functions on a given collection. For example, if one network administrator manages the servers, and another administrator is responsible for desktop computers in a site, create separate collections and assign permissions to the class or instance accordingly.

If you have not designed and implemented your SMS hierarchy yet, you can design your sites to limit the administrative sphere of control. You can assign your servers and clients to separate sites and assign administrative access to the site accordingly. If you use this approach, however, you must make sure that one site is not above the other in the SMS hierarchy. Parent sites have the ability to impose software packages, collections, and configurations on child sites, even if object permissions are not granted explicitly at the child site.

Consider separating the functions of packaging and advertising administrators. If one person is allowed to both create packages and advertisements, that person can easily distribute malicious software. You can control who can distribute packages to distribution points by assigning package Read and Distribute SMS object security permissions, but not assigning the package Modify permission to change the package. You can control the permission to advertise software on a collection-by-collection basis, or you can restrict who has permissions on each advertisement.

Create and Maintain Secure Baselines for All Systems

A secure baseline is a detailed description of how to configure and administer a computer. It describes all relevant configuration settings for secure computing. Elements of a secure baseline include:

  • Settings for services and applications. For example, only specified users have permissions to start a service or run an application.

  • Configuration of operating system components. For example, all sample files that are included with Internet Information Services (IIS) must be removed from the computer.

  • Permissions and rights assignments. For example, only administrators have permissions to change operating system files.

  • Administrative procedures. For example, the Administrator password on a computer is changed every 30 days.

Use the most secure operating systems possible

Your environment will only be as secure as the least secure operating system on your network. Although SMS supports Microsoft Windows® 98 and Microsoft Windows NT® 4.0 as clients, those operating systems are not as secure as Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server™ 2003 clients. The decision to upgrade the entire client base is probably outside the scope of your SMS implementation, but should be seriously discussed as part of your overall security strategy. If the vulnerabilities introduced by these operating systems create unacceptable risk, you will have to upgrade as soon as possible. When your environment no longer has computers running Windows 98 or Windows NT 4.0, you will be able to use the SMS Advanced Client, which provides additional SMS security features.

Use the Windows security templates

Windows Server 2003 can use security templates to provide a secure environment. Microsoft has created prescriptive guidance for how to use these templates for legacy, enterprise, and high security environments. For more information about security templates for Windows Server 2003, see the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=28827).

If you use the Windows security templates, also use the SMS security templates

The Windows security templates include the Member Server Baseline template that configures the computers in a very secure condition with most services disabled. Group the SMS computers in a separate organizational unit (OU) and apply the SMS template so that it takes precedence over the Windows security template. Apply the SMS security template last to enable most of the Windows settings to take effect, while still allowing the settings and services required by SMS to function.

For more information about the SMS security templates, see Appendix F: SMS Security Templates.

Use a secure file system

All partitions of all SMS site systems should use NTFS. All clients running Windows 2000 or later should use only NTFS partitions. FAT is not considered a secure file system.

Apply security updates as needed

You can use the SMS software update feature to deploy updates to SMS client computers. Stay informed about new updates for operating systems and SMS by subscribing to the Security Notification service to receive the latest security notifications.

Important

Virtual machines running Microsoft Virtual PC are supported by SMS 2003 SP1. If virtual machines connect to the network, they also need to apply all critical security updates. SMS can apply security updates to the virtual machine by using the software update feature; however, the updated state will be lost if the virtual machine is turned off without saving the changes. SMS does not detect changes made on the virtual machine and will report that client as updated.

Audit for changes to the secure baseline

Every organization needs a process to control authorized change and configuration management. Enable auditing and review audit logs regularly to look for unauthorized changes to the approved operating system baseline. Run the Microsoft Baseline Security Analyzer, or a similar tool, to look for known vulnerabilities in configuration.

Use Strong Passwords or Pass Phrases

The strongest security measures in the world can be rendered useless by a weak password. Weak passwords are an unnecessary risk to the network environment. If users have difficulty remembering sufficiently complex passwords, consider implementing smart cards or biometric authentication. Pass phrases that combine several words can be easier to remember but are usually longer and harder to break.

Always use strong passwords with 15 or more characters for all SMS service accounts and SMS Administrator accounts. Never use blank passwords. For more information about password concepts, see the Account Passwords and Policies white paper on TechNet (https://go.microsoft.com/fwlink/?LinkId=30009).

SMS automatically creates certain accounts and generates strong passwords for them. If your organization enforces the security policy Password Must Meet Complexity Requirements, the passwords that SMS generates will meet the default complexity requirements imposed by the built-in filter Passfilt.dll.

Caution

If you modify the default password filter, passwords that SMS automatically generates might fail to pass the password filter rules, causing the accounts creation to fail. SMS tries five times to generate a password and generates a status message in the case of failure. Examples of password filter rules that SMS might not comply with are those in which a certain type of character has to be used between the third and sixth character, or those that do not allow punctuation.
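The following added example (not code from this guide or from SMS) models the behavior the Caution describes: a generator that always produces a 15-character password containing all four character categories, a check that approximates the default Passfilt.dll rules, and a retry loop of five attempts that gives up when a stricter custom filter (here, one that forbids punctuation) rejects every candidate. The account name and the filter functions are constructed for illustration.

```python
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
PUNCT = "!@#$%^&*()-_=+[]{};:,.?"
ALNUM = UPPER + LOWER + DIGITS


def meets_default_complexity(password: str, account_name: str = "", full_name: str = "") -> bool:
    """Approximation of the default Passfilt.dll rules: at least 6 characters, characters
    from 3 of the 4 categories, and no account name or full-name token (3+ chars) inside."""
    if len(password) < 6:
        return False
    categories = [
        any(c in UPPER for c in password),
        any(c in LOWER for c in password),
        any(c in DIGITS for c in password),
        any(c not in ALNUM for c in password),  # non-alphanumeric
    ]
    if sum(categories) < 3:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    for token in full_name.replace(",", " ").split():
        if len(token) > 2 and token.lower() in lowered:
            return False
    return True


def no_punctuation_filter(password: str, account_name: str = "", full_name: str = "") -> bool:
    """A stricter custom filter of the kind the Caution warns about: punctuation is forbidden."""
    return meets_default_complexity(password, account_name, full_name) and all(c in ALNUM for c in password)


def generate_password(length: int = 15) -> str:
    """Constructed generator: one character from each category, the rest random, then shuffled."""
    chars = [secrets.choice(s) for s in (UPPER, LOWER, DIGITS, PUNCT)]
    chars += [secrets.choice(ALNUM + PUNCT) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def create_account_password(password_filter, account_name: str = "sms_svc_example", max_attempts: int = 5):
    """Mirrors the retry behavior the guide describes: up to five generation attempts, and None
    (the point at which account creation would fail) when the domain filter rejects them all."""
    for _ in range(max_attempts):
        candidate = generate_password()
        if password_filter(candidate, account_name):
            return candidate
    return None
```

With the default rules every attempt succeeds; with the no-punctuation filter the generator's passwords are rejected five times in a row, which is the account creation failure the Caution describes.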

Use Secure Authentication Methods

The default method of network authentication for services in Windows 2000, Windows XP, and Windows Server 2003 is Kerberos version 5 protocol. This is an industry standard protocol that is used with either a password or a smart card for interactive logon. As an alternative, you can use NTLM authentication. NTLM authentication is a challenge response protocol that is used to provide compatibility with versions of Windows earlier than Windows 2000.

The Kerberos protocol has many advantages over NTLM. Kerberos architecture allows additional or alternate security methods to be specified. Also, the default shared secret key process can be supplemented with private/public key pairs through the use of smart cards. By using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. Although NTLM enables servers to verify the identities of their clients, NTLM does not enable clients to verify the identity of a server, nor does NTLM enable one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos version 5 protocol makes no such assumption.

For more information about Kerberos and NTLM authentication, see the “Windows Security Collection” section of the Windows Server 2003 Technical Reference on microsoft.com (https://go.microsoft.com/fwlink/?LinkId=30010).

As you implement SMS, evaluate your current domain environment for potential risks. While you might not have the necessary resources to upgrade to Microsoft Active Directory® directory service immediately, if your current domain environment introduces unacceptable risk to your organization you must upgrade as soon as possible.