The Custom Updates Publishing Tool requires that both the user who installs the tool, and the users who perform various actions within the tool, have the appropriate security configured. Review the following sections to ensure that the minimum security has been configured for the Custom Updates Publishing Tool.

Installation

The Custom Updates Publishing Tool must be installed by a user who is a member of the local Administrators group. After the publishing tool is installed, any user who has the permissions described in this topic can start and use it.

Configuring a Remote Publishing Tool Database

If a remote database is configured, there are steps that are required before installing the publishing tool. First, create the database on a remote SQL Server computer and then configure the user account permissions. For more information, see How to Pre-Create the Publishing Tool Database.

Configuring the Firewall on a Remote Publishing Tool Database

When connecting to a remote Custom Updates Publishing Tool database on a computer that has a firewall enabled, you must configure the firewall to allow access to the instance of the Microsoft SQL Server Database Engine. The default instance listens on TCP port 1433. Named instances are configured for dynamic ports by default, which means the instance binds to whichever port is available when the SQL Server service starts, and that port can change after a restart. When connecting to a named instance through a firewall, configure the Database Engine to listen on a specific port so that only that port needs to be opened in the firewall, and specify the port in the connection (servername\instancename,port) so that the client does not depend on the SQL Server Browser service to discover it.

Caution
Opening ports in your firewall exposes the server to attack from every host that can reach those ports. Be sure to understand your firewall before opening ports, and restrict the exception to the address or subnet of the Custom Updates Publishing Tool computer rather than to all addresses.
To assign a TCP/IP port number to the SQL Server Database Engine
  1. In SQL Server Configuration Manager, in the tree pane, expand SQL Server 2005 Network Configuration, expand Protocols for <instance name>, and then double-click TCP/IP.

  2. In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1, IP2, up to IPAll. One of these addresses is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Identify the IP address that you want to configure.

  3. If the TCP Dynamic Ports box contains 0, indicating that the Database Engine is listening on dynamic ports, delete the 0.

  4. In the IPn area, in the TCP Port box, type the port number you want this IP address to listen on, and then click OK. If the instance is configured with Listen All set to Yes (the default), the settings in the IPAll area apply to every address.

  5. In the tree pane, click SQL Server 2005 Services.

  6. In the details pane, right-click SQL Server (<instance name>), and then click Restart to stop and restart the SQL Server service.

  7. After you have configured SQL Server to listen on a specific port, open that port on the firewall, limiting the exception to the publishing tool computer where the firewall supports it.
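The same result can be achieved without the Configuration Manager user interface. The following PowerShell script is an added example and is not part of the original documentation or of the publishing tool; it writes the registry values that SQL Server Configuration Manager edits for SQL Server 2005, restarts the service, and opens only that port in Windows Firewall, scoped to the publishing tool computer. The instance name, port and publisher address are placeholder values, and the script assumes the instance has Listen All set to Yes so that the IPAll settings apply.

```powershell
# Added example (not from the original documentation): give a SQL Server 2005 instance
# a fixed TCP port and open only that port in Windows Firewall for the publishing tool.
# Run as a local administrator on the SQL Server computer.
param(
    [string]$Instance         = 'MSSQLSERVER',   # 'MSSQLSERVER' = default instance (assumed)
    [int]   $Port             = 1433,            # fixed port to listen on (assumed)
    [string]$PublisherAddress = '192.0.2.10'     # Custom Updates Publishing Tool computer (assumed)
)

# SQL Server 2005 maps each instance name to an instance ID such as MSSQL.1 here.
$instanceMap = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId  = (Get-ItemProperty -Path $instanceMap).$Instance
if (-not $instanceId) { throw "Instance '$Instance' is not registered on this computer." }

# IPAll is the block that applies when 'Listen All' is Yes (the default).
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"

# Clear TcpDynamicPorts (the '0' shown in Configuration Manager) and set the static port.
Set-ItemProperty -Path $tcpKey -Name 'TcpDynamicPorts' -Value ''
Set-ItemProperty -Path $tcpKey -Name 'TcpPort'         -Value "$Port"

# Restart the Database Engine service so the new listener takes effect.
$service = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
Restart-Service -Name $service -Force

# Open the port in Windows Firewall (netsh firewall syntax of Windows Server 2003 / XP SP2).
# scope=CUSTOM limits the exception to the publishing tool computer instead of all addresses.
netsh firewall add portopening protocol=TCP port=$Port name=SQLServer_CUPT mode=ENABLE scope=CUSTOM addresses=$PublisherAddress

# Verify: the instance should be listening on the fixed port and the exception should be listed.
netstat -ano | Select-String ":$Port "
netsh firewall show portopening
```

If the instance is running under a named service account rather than Local System, the service restart and the firewall change still require a local administrator; the SQL Server service account itself needs no extra rights for this change.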

Synchronizing the Catalog

The user performing the synchronization action in the Custom Updates Publishing Tool must be a member of the SMS Admins local group on the SMS 2003 site server and, if SQL Server 2005 is remote from the site server, on the SQL Server 2005 computer as well. The user must also have full security rights to all instances of the Package and Software Updates classes on the SMS 2003 site server. These rights are configured in the Security Rights node in the SMS 2003 Administrator console. For more information about setting security rights in SMS 2003, see Security Configuration in the SMS 2003 Online help.

Synchronizing the Catalog to a Remote Site Server Database

When synchronizing the software updates catalog to a remote SMS 2003 site server database, additional configuration may be required for the firewall and for Distributed Component Object Model (DCOM).

Configuring the Firewall on the Remote Site Server

When synchronizing to an SMS 2003 site server that has a firewall enabled, the Remote Administration exception must be enabled on the site server computer so that the Custom Updates Publishing Tool can perform remote administration. When this exception is enabled, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration by opening TCP port 135 (RPC endpoint mapper) and TCP port 445 (SMB).

There are two ways to enable remote administration on the SMS 2003 site server. To enable Windows Firewall: Allow remote administration exception from the command prompt, open a command prompt window and type the following. Note that this form does not restrict the source addresses; to limit the exception to the publishing tool computer, add scope = CUSTOM addresses = <address or subnet>, which is the equivalent of the address restriction in the Group Policy procedure that follows.

netsh firewall set service RemoteAdmin enable

To enable Windows Firewall: Allow remote administration exception by using the Group Policy editor, use the following procedure.

To enable the Allow remote administration exception in the Group Policy editor
  1. Click Start, click Run, type Gpedit.msc, and click OK.

  2. Navigate to the following Group Policy Object Editor node:

    Local Computer Policy

      └ Computer Configuration

        └ Administrative Templates

          └ Network

            └ Network Connections

              └ Windows Firewall

                └ Domain Profile

  3. Double-click Windows Firewall: Allow remote administration exception.

  4. Click Enabled, enter the IP address or subnet in the Allow unsolicited incoming messages from text box for the Custom Updates Publishing Tool computer, and then click OK.
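The following PowerShell script is an added example and is not part of the original documentation; it performs the same configuration as the two procedures above, with the exception scoped to the publishing tool computer, and then verifies the result. The publisher address is a placeholder. The registry values it writes are the ones the Group Policy setting "Windows Firewall: Allow remote administration exception" (Domain Profile) stores; on a domain-joined server a domain GPO takes precedence, so the same values should then be set in the GPO rather than locally.

```powershell
# Added example (not from the original documentation): enable the Windows Firewall
# remote administration exception on the SMS 2003 site server for the publishing tool
# computer only, then verify. Run as a local administrator on the site server.
param(
    [string]$PublisherAddress = '192.0.2.10'   # Custom Updates Publishing Tool computer (assumed)
)

# Option 1: local firewall setting. Without a scope the exception applies to all addresses;
# CUSTOM limits the TCP 135/445 remote-administration traffic to the listed hosts or subnets.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=$PublisherAddress

# Option 2: the registry values behind the Group Policy setting
# 'Windows Firewall: Allow remote administration exception' in the Domain Profile.
# RemoteAddresses accepts a comma-separated list of addresses, subnets or 'LocalSubnet'.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'Enabled'         -Value 1                 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'RemoteAddresses' -Value $PublisherAddress -Type String

# Verify: 'Remote Administration' should show as enabled with the custom scope, and the
# policy source reported by 'show state' tells you whether a GPO is overriding the local value.
netsh firewall show service
netsh firewall show state
```

Use the narrowest scope that works: a single address for one publishing tool computer, or a subnet only when several publishing workstations share it. Leaving the exception open to all addresses exposes the RPC endpoint mapper and SMB on the site server to every host that can reach it.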

Configuring DCOM Settings on the Remote Site Server

If the SMS 2003 site server or SQL Server 2005 computers are running Windows Server 2003 SP1, which tightened the default machine-wide DCOM limits, or if the publishing tool user is not a local administrator on the SMS 2003 computer, it is likely that DCOM configuration changes must be made. Use the following procedure to grant DCOM remote launch and remote access permissions.

Grant DCOM remote launch and remote access permissions
  1. Click Start, click Run, type DCOMCNFG, and then click OK.

  2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and click Properties.

  3. Click the COM Security tab in the My Computer Properties dialog box.

  4. Click Edit Limits in the Access Permissions section.

  5. If the SMS Admins group is not listed in the Group or user names section, click Add, type SMS Admins in the Enter the object names to select section, and click OK.

  6. Select SMS Admins from the Group or user names section and click the Allow box for Remote Access. Click OK.

  7. Click Edit Limits in the Launch and Activation Permissions section.

  8. If the SMS Admins group is not listed in the Group or user names section, click Add, type SMS Admins in the Enter the object names to select section, and click OK.

  9. Select SMS Admins from the Group or user names section and click the Allow boxes for Remote Launch and Remote Activation. Click OK.
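Because the DCOMCNFG dialog boxes give no easy way to confirm the result afterwards, the following PowerShell script is an added example (not part of the original documentation) that reads the machine-wide DCOM limits the procedure above edits, decodes them, and reports whether the local SMS Admins group has Remote Access, Remote Launch and Remote Activation. The access-right bit values are the COM_RIGHTS_* constants from the Windows SDK; the script only evaluates Allow entries for the group itself, so a Deny entry for a wider group would not be detected.

```powershell
# Added example (not from the original documentation): audit the machine-wide DCOM
# limits (Edit Limits in DCOMCNFG) for the local 'SMS Admins' group. Run on the site server.

# COM access-right bits from objbase.h.
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4    # Remote Access (access limits) / Remote Launch (launch limits)
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # Remote Activation (launch limits)

# Resolve the local 'SMS Admins' group (name from the documentation) to its SID.
$smsAdminsSid = (New-Object System.Security.Principal.NTAccount('SMS Admins')).Translate([System.Security.Principal.SecurityIdentifier])

function Get-DcomLimit {
    # Reads MachineAccessRestriction or MachineLaunchRestriction (binary security descriptor).
    param([string]$ValueName)
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').$ValueName
    if (-not $bytes) { return $null }   # value absent: the built-in defaults apply
    New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
}

function Get-SmsAdminsAllowMask {
    # ORs together the AccessMask of every Allow ACE for SMS Admins in the given limit.
    param([string]$ValueName)
    $sd   = Get-DcomLimit $ValueName
    $mask = 0
    if ($sd -and $sd.DiscretionaryAcl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $smsAdminsSid) {
                $mask = $mask -bor $ace.AccessMask
            }
        }
        # The SDDL form is useful when comparing two servers or attaching to a ticket.
        Write-Verbose ("{0}: {1}" -f $ValueName, $sd.GetSddlForm('All'))
    }
    return $mask
}

function Test-SmsAdminsDcomRights {
    $access = Get-SmsAdminsAllowMask 'MachineAccessRestriction'
    $launch = Get-SmsAdminsAllowMask 'MachineLaunchRestriction'
    New-Object PSObject -Property @{
        Group            = $smsAdminsSid.Translate([System.Security.Principal.NTAccount]).Value
        RemoteAccess     = (($access -band $COM_RIGHTS_EXECUTE_REMOTE)  -ne 0)
        RemoteLaunch     = (($launch -band $COM_RIGHTS_EXECUTE_REMOTE)  -ne 0)
        RemoteActivation = (($launch -band $COM_RIGHTS_ACTIVATE_REMOTE) -ne 0)
    }
}

Test-SmsAdminsDcomRights | Format-List
```

All three properties should report True after the DCOMCNFG procedure; a False for RemoteLaunch or RemoteActivation with RemoteAccess True is the typical sign that only the Access Permissions limits were edited. If either registry value is missing, no limit has ever been customized and the Windows Server 2003 SP1 defaults (which do not grant remote rights to a custom group) are in effect.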

For more information, see the Windows Server 2003 SP1 section of Site Systems Frequently Asked Questions (http://go.microsoft.com/fwlink/?LinkId=65979).

Low-Rights Users

After the Custom Updates Publishing Tool has been installed, low-rights users can start and make full use of the publishing tool if the following requirements are met:

  • The user must have a SQL login created on the publishing tool database (mscuptdb) and be granted MS_Custom_Updates_Publishing_Tool_User database role membership rights.

  • The user must have Read and Execute, List, Read, Write, and Modify file system rights on the <installation folder>\Microsoft Custom Update Publishing Tool folder.

  • Full control permissions must be granted to the HKLM\Software\Microsoft\PublishingTool registry key for the user to change the publishing tool data source or perform synchronization of the custom updates catalog to the SMS 2003 site server database.

    To synchronize the custom updates catalog with the SMS 2003 site server, the following configuration is required:

    • The user must be added to the SMS Admins local group on the SMS 2003 computer, and to the SQL Server 2005 computer if it is remote.

    • The user must have full security rights to all instances of the Package and Software Updates classes.
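The following PowerShell script is an added example, not part of the original documentation or of the publishing tool; it provisions the permissions listed above for one low-rights user. The user name, the SQL Server name and the installation folder are placeholder values. The T-SQL uses SQL Server 2005 syntax and runs through sqlcmd with Windows authentication; the SMS Admins membership step is only needed for users who synchronize the catalog, and the security rights on the Package and Software Updates classes still have to be set in the SMS 2003 Administrator console.

```powershell
# Added example (not from the original documentation): grant one low-rights user the
# rights the Custom Updates Publishing Tool requires. Run as a local administrator on the
# publishing tool computer; step 4 is run on the SMS 2003 site server (and SQL Server, if remote).
param(
    [string]$User        = 'CONTOSO\cuptuser',   # low-rights publishing tool user (assumed)
    [string]$SqlInstance = 'SQLSRV01',           # server\instance hosting mscuptdb (assumed)
    [string]$InstallDir  = 'C:\Program Files\Microsoft Custom Update Publishing Tool'  # assumed
)

# 1. SQL login on the publishing tool database and membership in the tool's database role.
#    Written to a file and run with -i so that the multi-line batch reaches sqlcmd intact.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$User')
    CREATE LOGIN [$User] FROM WINDOWS;
GO
USE mscuptdb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$User')
    CREATE USER [$User] FOR LOGIN [$User];
EXEC sp_addrolemember N'MS_Custom_Updates_Publishing_Tool_User', N'$User';
GO
"@
$sqlFile = Join-Path $env:TEMP 'cupt-low-rights-user.sql'
Set-Content -Path $sqlFile -Value $sql
sqlcmd -S $SqlInstance -E -i $sqlFile
Remove-Item $sqlFile

# 2. File system: Modify (cacls ':C', Change) on the installation folder covers
#    Read & Execute, List, Read and Write. /E edits the ACL instead of replacing it;
#    /T applies the change to subfolders and files.
cacls $InstallDir /E /T /G "${User}:C"

# 3. Registry: Full Control on the PublishingTool key, inherited by its subkeys.
#    Grant it to the individual user, not to Users, to keep the HKLM key from
#    becoming writable by every interactive account on the computer.
$regPath = 'HKLM:\Software\Microsoft\PublishingTool'
$acl  = Get-Acl -Path $regPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($User, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $regPath -AclObject $acl

# 4. Synchronization only: SMS Admins membership. 'net localgroup' changes the local group
#    of the computer it runs on, so repeat it on the site server and on a remote SQL Server.
net localgroup "SMS Admins" $User /add
```

Verify afterwards by signing in as the user and starting the tool: it should open without prompting for elevation, a catalog synchronization should complete, and the log in the user's %TEMP% folder should show no access-denied entries.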

Any user with the above permissions can start the Custom Updates Publishing Tool, perform all actions available in the tool, and access catalogs and log files. The Custom Updates Publishing Tool provides the following to better support low-rights users:

  • The Custom Updates Publishing Tool log files are stored in the user's temporary folder, %TEMP%.

  • The Custom Updates Publishing Tool settings are user-specific and copied to the user's local Application Data folder, %APPDATA%.

  • Custom updates catalogs are published to the %USERPROFILE%\My Documents\My Catalogs folder, by default.

See Also