User accounts provide both service access and user access to SMS. User account security can be configured to use only a few accounts or it can be configured to use over a dozen accounts to access SMS resources.
There are several different accounts that SMS components use to complete tasks. The simplest administrative approach is to use the SMS Service account for all component access and make that account a member of the Domain Admins global group. While this single-account approach simplifies administration, it compromises SMS security, because the SMS Service account is then granted administrative access to all SMS resources throughout the network. If a user determines the password for the SMS Service account, security for the entire network is compromised.
To protect against unauthorized access using the SMS Service account, rename the account, create a complex password, and verify that this account is a member of the Administrators local group on all Windows NT/2000 site systems in the site. The SMS Service account should not be made a member of the Domain Admins global group if security is a high priority. It is unwise to configure password account restrictions on the SMS Service account, since these restrictions may cause SMS component logon failure. For example, if Password Expiration is configured, Windows NT/2000 will eventually expire the SMS password. When it expires, SMS components will not be able to log on unless the password for the SMS Service is changed everywhere that it is used.
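The hardening points above (local Administrators membership on every site system, no Domain Admins membership, no password expiration) can be checked rather than assumed. The following PowerShell audit function is an added example, not part of the training kit; it assumes a current Windows domain with the ActiveDirectory RSAT module installed and WinRM enabled on the site systems, and the account and server names are placeholders.

```powershell
# Added audit example (not from the training kit). Assumes the ActiveDirectory
# module and WinRM access to each site system; names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'SmsSvcRenamed'           # placeholder: the renamed SMS Service account
$SiteSystems    = @('SERVER1', 'SERVER2')   # placeholder: every site system in the site

function Test-SmsServiceAccount {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Password restrictions: an expiring password eventually breaks component logons.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, Enabled
    if (-not $user.PasswordNeverExpires) {
        $findings.Add("$SamAccountName is subject to password expiration")
    }
    if (-not $user.Enabled) {
        $findings.Add("$SamAccountName is disabled")
    }

    # 2. Domain Admins membership gives the account administrative access network-wide.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($domainAdmins -contains $SamAccountName) {
        $findings.Add("$SamAccountName is a member of Domain Admins")
    }

    # 3. The components need local Administrators membership on each site system.
    $domain = (Get-ADDomain).NetBIOSName
    foreach ($computer in $ComputerName) {
        try {
            $members = Invoke-Command -ComputerName $computer -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
            } -ErrorAction Stop
            if ($members -notcontains "$domain\$SamAccountName") {
                $findings.Add("$SamAccountName is not in local Administrators on $computer")
            }
        }
        catch {
            $findings.Add("Could not query local Administrators on ${computer}: $($_.Exception.Message)")
        }
    }

    return $findings
}

$result = Test-SmsServiceAccount -SamAccountName $ServiceAccount -ComputerName $SiteSystems
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Step 3 only sees direct members of the local Administrators group; if the account is granted local administrative access through a nested domain group, extend the check to expand that group, or the script will report a false finding.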
Additional, mandatory user accounts are created by default when SMS is installed. Optional user accounts are created in the SMS Administrator console after installation. These additional user accounts are granted task-specific access rights to SMS resources. For example, a NetWare Bindery Site System account is granted access to volumes on a NetWare bindery site system, and an SMS Windows NT Client Software Installation account is used by the Advertised Programs Manager on Windows NT/2000 client computers for certain types of software distribution functions, such as unattended software installations.
The SMS user accounts are contained in the following categories:
The SMS system accounts are used by the SMS components to access all site systems except the site database.
The SMS Service account is used by the SMS Server services running at primary and secondary site servers. Because it is a mandatory account, it is created when SMS is installed, as shown in Figure 12-7.
Figure 12-7. Creating the SMS Service account.
Most of the SMS components (processes and threads) running on a site server, including SMS Executive, SMS Site Component Manager, and SMS SQL Monitor, use this account. The Crystal Info services, if installed, also use the SMS Service account.
The SMS Service account can be used in place of most other SMS accounts. However, because it has administrative access throughout the domain, it is recommended that you use separate accounts that only have the necessary permissions for their tasks. SMS will use the SMS Service account if other accounts fail to access a given resource. For example, if an SMS site system account configured to access a CAP fails, the site server will attempt to access the CAP using the SMS Service account.
Account Characteristics
The SMS Service account has the following characteristics:
There are several additional accounts that are used for site system access and for transferring data from the site system back to the site server. The reason for using these accounts, rather than the SMS Service account, is to allow local administrative permissions where access is required, but to prevent domain-wide administrative access.
SMS Remote Service Account (Windows NT/2000 local CAP access)
When a CAP is created on a non-site server Windows NT/2000 Server, the installation routine creates the SMSSVC_sitecode_xxxx account (where sitecode is the site server's site code and xxxx is the instance of this service account type on the site system). The SMS Remote Service account is created in the local SAM database of the site system, not in the site server's domain SAM database. In Figure 12-8, notice that User Manager is showing the local SAM database of SERVER2.
Figure 12-8. The SMS Remote Service account created when the computer becomes a CAP site system.
NOTE
In Figure 12-8 there are two SMS Remote Service accounts. The second instance of this account, SMSSVC_S01_0002, was created the second time SERVER2 became a CAP site system.
The SMS Remote Service account is used to access the site database when SQL Server is installed remote to the site server. If the SMS Provider is installed on the site server, the SMS Provider uses the SMS Service account to communicate with SQL Server.
SMS Logon Service Account (Windows NT/2000 local logon point access)
SMS NT Logon Discovery Agent uses the SMS Logon Service account, SMSLogonSvc, to transfer data from the logon point to the site server. This account is created automatically when the Windows Networking Logon Discovery method or Windows Networking Installation method is enabled for a domain, as shown in Figure 12-9. Notice that this account is created in the domain SAM database.
Figure 12-9. How the SMS Logon Service account is created.
SMS Server Network Connection Account (site server and remote site system data transfer account)
The SMS Server Network Connection account, SMSSERVER_sitecode, is used by the site server and remote site systems to transfer data. The site server uses this account to access site systems only if the SMS Service account fails to access the remote site system.
The SMS Server Network Connection account is created automatically when the SMS setup routine is run. SMS setup uses the site code defined during installation to create the name of this account. For example, on site S01, the account name is SMSSERVER_S01.
Non-site server site systems use this account in the following ways:
The Inbox Manager thread of the SMS Executive transfers the data.
The SMS NT Logon Discovery Agent (running on a logon point) transfers discovery data records (DDRs) to the site server.
Additional SMS Server Network Connection accounts are created from the Connection Accounts node in the SMS Administrator console, as shown in Figure 12-10.
Figure 12-10. Creating an SMS Server Network Connection account in the SMS Administrator console.
SMS Server Network Connection accounts are created specifically for the type of site system operating system to be accessed. SMS Server Network Connection accounts other than that created during SMS setup are optional for Windows NT/2000 site systems but mandatory for NetWare bindery site systems and NetWare NDS site systems. These accounts must have permissions to read, create, and delete data on the site server in order to transfer data.
On NetWare bindery site systems, a NetWare Bindery account must be granted NetWare Supervisor equivalence to perform SMS Server Network Connection account functions. On a NetWare NDS server, the NetWare NDS account must be granted the admin NetWare right to the NDS containers and volumes supporting SMS Server Network Connection account functions.
IMPORTANT
You must create the SMS Server Network Connection account on the NetWare site system. If you decide to use an optional SMS Server Network Connection account on a Windows NT/2000 Server site system, you must also create the domain user account. The mandatory SMS Server Network Connection account is created automatically.
When attempting to integrate SMS 2.0 with Novell NetWare servers and client computers using NetWare redirectors, you must verify that SMS user accounts are created in the NetWare security system for SMS service access.
NetWare Bindery
Specific NetWare Bindery Site System accounts are used first to attempt site system access; as a last resort, the SMS Service account can be used to access NetWare bindery site systems. The NetWare account must be created on the NetWare bindery server and assigned Supervisor equivalence. A NetWare Bindery Site System account is then specified in the SMS Administrator console, as previously described.
NetWare NDS
The SMS Service account cannot be used to access NetWare NDS site systems. Therefore, a specific NetWare NDS Site System account must be created. This account must be assigned Create, Erase, and Modify permissions to the NDS object. In addition, it requires Write permission to the properties of the container for login script modification. An NDS Site System account must be created in the NetWare NDS and then specified in the SMS Administrator console, as previously described.
SMS Site Address Account (site server-to-site server access)
The SMS Site Address account is used to connect to either a parent or child site and transfer data. When a parent needs to send administrative data—such as package or collection data—to the child, the sender uses this account to connect to the child site's SMS_SITE share and transfer the data. Also, when a child site needs to transfer data—such as inventory data, discovery records, or status messages—to the parent site, it connects to the parent site's SMS_SITE share using this account. This account needs Change permission to the SMS_SITE share at the remote site. You must create this account and assign it to a destination site when you create the address from the sending site to the receiving site. There are a number of ways to configure user account access, depending on whether a trust relationship is established between the sites and on the structure of the domain. This account and its configuration are discussed in Chapter 11.
To remotely install or remove a secondary site server, the Site Address account must be an administrator on the secondary site server. After installation, the account no longer requires administrative privileges.
Software Metering Server Account (software metering server site system local access)
Software metering server site systems use the Software Metering Server account to run the Software Metering service, SMS_LICENSE_SERVER, on the local software metering server site system. This account is created automatically when the first site system is assigned the software metering server role. By default, this account is named SWMACCOUNT, but any account with local Administrator account privilege to the site system can be used to run the Software Metering service.
NOTE
See Chapter 7 for information on Network Monitor security.
The SQL Server account is used by the SMS services to access the SMS site database and the software metering database. Two separate accounts can be used, one for each database. These accounts are created during setup. Which SQL Server account is used depends on the type of SQL Server security implemented.
Standard Security
If standard security is specified in SQL Server, the sa account or any other standard security account with the necessary rights to the database may be used to access the database. See Chapter 2 for more information on the rights required of the standard security account to access the site database. If an Express setup is performed to install SMS, sa will be used. If a custom installation is performed, SMS setup prompts the installer to specify the account to use when accessing SQL Server. No other standard security accounts are necessary, since user access to the SMS site database is controlled through the WBEM/SMS Provider interface.
Integrated Security or Windows NT Authentication
If Integrated Security, as it is called in SQL Server version 6.5, or Windows NT Authentication, as it is called in SQL Server version 7.0, is used, the SMS services connect to and manipulate the database with a Windows NT/2000 domain user account.
Integrated Security (Windows NT Authentication) is the recommended security mode for SQL Server. It is simpler to configure than standard security.
Mixed Security or Mixed Mode Authentication
If Mixed Security (SQL Server version 6.5) or Mixed Mode Authentication (SQL Server version 7.0) is used, then either a Windows NT/2000 account or a SQL Server account may be used for SMS database access.
Windows NT and Windows 2000 client computers run the same type of security subsystem as do Windows NT and Windows 2000 servers. As a result, logged-on users may not be granted enough privileges to their local computer to install software or configure operating system settings. SMS creates a set of domain user accounts that are granted administrative access to Windows NT/2000 client computers to address the robust security present in the Windows NT/2000 operating system. SMS creates domain user accounts to perform the following SMS client computer operations on Windows NT/2000 client computers:
SMS Client Remote Installation Account
The SMS Client Remote Installation account is used to install SMS client computer agents on Windows NT/2000 client computers when the logged-on user does not have administrative permissions to do so or when a user is not logged on to a client computer. Administrative permissions are required because services are installed and started, potentially restricted directories are accessed, and registry entries are added. If the logged-on user does not have administrative permissions, the SMS Client Remote Installation account must be used to complete the installation.
This account is not created automatically. It can be created in User Manager for Domains and given administrative permissions to the client computers. This can be done by adding the account to the Domain Admins global group or by creating the user account in each client computer's SAM database.
Adding this account to each Windows NT/2000 client computer is difficult in a network with many Windows NT/2000 client computers. When a domain user account is added to the Domain Admins global group, all Windows NT/2000 client computers registered in the domain provide administrative access to the SMS Client Remote Installation account.
The SMS Client Remote Installation account is configured from the Accounts tab in the Site Properties dialog box, as shown in Figure 12-11.
Figure 12-11. Configuring the SMS Client Remote Installation account in the SMS Administrator console.
If this account is not created and assigned as the SMS Client Remote Installation account (Figure 12-11), the SMS Service account will be used to install the client software. This account is, by default, a member of the Domain Admins global group, which is automatically added to the local Administrators group on Windows NT/2000 computers registered in the domain.
An SMS client agent installation on a Windows NT/2000 client computer will fail if all of the following conditions are met:
Client Network Connection Accounts
The SMS Client Service accesses CAPs, distribution points, and logon points to transfer data using a client network connection account. There are three types of client network connection accounts:
One Windows NT Client Network Connection account, SMSClient_sitecode, is created automatically (Figure 12-12). This account is a member of the Domain Users global group and the Administrators local group in the domain. Therefore, the account has the required access to site systems. Other Windows NT Client Network Connection accounts, NetWare NDS Connection accounts, and NetWare Bindery Client Connection accounts are configured in the SMS Administrator console, as shown in Figure 12-12.
Figure 12-12. Specifying a Client Network Connection account in the SMS Administrator console.
The NetWare Connection accounts created on NetWare site systems are used by Windows NT/2000 client computers that load a NetWare redirector, such as Client Services for NetWare, as their primary workstation service. These client computers transfer data to NetWare bindery and NetWare NDS logon points, distribution points, and CAPs using the NetWare Client Connection accounts.
SMS Package Access Accounts
By default, the Users local group and the Guest local group are granted Read permission to the package source directory and to all package subdirectories below the parent package directory on distribution points. The Administrators local group is also assigned Full Control permission to the package directory structure. These three local groups are called Generic Access accounts in the SMS Administrator console. Three other account types are assigned to package directories:
This account type includes valid user and group accounts able to access Windows NT/2000 distribution points.
This account type includes valid user and group accounts able to access NDS distribution points.
This account type includes valid user and group accounts able to access NetWare Bindery distribution points.
Windows NT Client Software Installation Account
When a user runs an advertised program locally, the program may run under the context of the currently logged-on user. The user account, however, may not have sufficient privileges to install software on the Windows NT/2000 client computer. Some software requires administrative permissions to install and start services. In this case, the program is configured to require administrative access to complete the installation process (see Chapter 4 for more information).
If the advertised program is configured to run with administrative access to the client computer, a special SMS account, SmsCliToknAcct&, is created in the local SAM database of the client computer and is used to install the software. This account is granted advanced user rights in the local SAM database in order to complete local application installation. However, it is not granted network access to site systems.
An advertised program requiring network access beyond the distribution point to which the client computer is connected uses the Windows NT Client Software Installation account. This is an optional Windows NT/2000 domain user account, which must be created in the domain SAM database. This account does not require local administrator access to the client computer except when it is running an SMS program. Therefore, Advertised Programs Manager (APM) gives it temporary administrative access during program execution. This access level is revoked after the SMS program completes the installation.
After the Windows NT Client Software Installation account is created in the domain SAM database, it is specified from the properties of the Software Distribution object in the SMS Administrator console, as shown in Figure 12-13.
Figure 12-13. Specifying the Windows NT Client Software Installation account.
If a program requires administrative permissions and network access, configure the program to use the Windows NT Client Software Installation account by selecting the 'Use Windows NT client software installation account' checkbox on the program's Environment tab, as shown in Figure 12-14.
Figure 12-14. Configuring a program to use the Windows NT Client Software Installation account.
SMS Windows NT Client Remote Control Accounts
These accounts, contained in the permitted viewers list, are used to access Windows NT/2000 client computers when an SMS Administrator console user attempts to use Remote Tools utilities on the client computer.
When the SMS Remote Control Client Agent starts on a Windows NT/2000 client computer, it retrieves the list of accounts and validates the accounts in the domain. Then, when a remote control session is established, the user account is validated against this list.
Accounts are added to this list on the Security tab of the Remote Tools Client Agent Properties dialog box, as shown in Figure 12-15.
Figure 12-15. How an SMS Windows NT Client Remote Control account is specified in the SMS Administrator console.
SMS automatically configures and maintains a set of internal accounts for SMS services to use. These accounts are configured for local access to the Windows NT/2000 computers where they are created. SMS depends on these accounts, so they should never be deleted or manually configured in an active SMS site.
SMS Client Service Account
The SMS Client Service, running on Windows NT Workstation, Windows 2000 Professional, or Windows NT/2000 Server client computers that are not domain controllers, uses the SMSCliSvcAcct& account for local administrative access. This account is not granted permissions to access site systems.
SMS&_computername
When the SMS Client Service is installed on a domain controller, a different SMS Client Service account is used. This account is a local administrative account and is responsible for running the SMS client services. The computername part of the SMS Client Service account is the computer name of the domain controller.
SMSCliToknAcct&
This account is used to run programs that require administrator permissions when the logged-on user does not have such permissions. This account is also used to create unique user tokens on a domain controller in a unique user context. This prevents user credential conflicts between client processes.
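The account naming conventions spread through this chapter (SMSSVC_sitecode_xxxx for the SMS Remote Service account, SMSLogonSvc, SMSSERVER_sitecode, SMSClient_sitecode, SWMACCOUNT, SmsCliToknAcct&, SMSCliSvcAcct&, and SMS&_computername) let an auditor tell SMS-created accounts apart from everything else in a local or domain account listing. The PowerShell below is an added example, not part of the training kit: it classifies names against those conventions and reports a site system that carries more than one SMS Remote Service account instance, the situation the Figure 12-8 note describes. It assumes a three-character site code, and the input list is constructed for the example.

```powershell
# Added example (not from the training kit). Classifies account names against the
# SMS naming conventions described in the text. A three-character site code is assumed.
function Get-SmsAccountType {
    param([Parameter(Mandatory)] [string] $Name)

    # Default: nothing in the text says SMS creates an account with this name.
    $info = [ordered]@{ Name = $Name; Type = 'Not an SMS-created account'; Scope = ''; SiteCode = ''; Instance = $null }

    if ($Name -match '^SMSSVC_([A-Z0-9]{3})_(\d{4})$') {
        $info.Type = 'SMS Remote Service account'; $info.Scope = 'Local SAM of CAP site system'
        $info.SiteCode = $Matches[1]; $info.Instance = [int]$Matches[2]
    }
    elseif ($Name -match '^SMSSERVER_([A-Z0-9]{3})$') {
        $info.Type = 'SMS Server Network Connection account'; $info.Scope = 'Domain SAM'; $info.SiteCode = $Matches[1]
    }
    elseif ($Name -match '^SMSClient_([A-Z0-9]{3})$') {
        $info.Type = 'Windows NT Client Network Connection account'; $info.Scope = 'Domain SAM'; $info.SiteCode = $Matches[1]
    }
    elseif ($Name -eq 'SMSLogonSvc') {
        $info.Type = 'SMS Logon Service account'; $info.Scope = 'Domain SAM'
    }
    elseif ($Name -eq 'SWMACCOUNT') {
        $info.Type = 'Software Metering Server account (default name)'; $info.Scope = 'Domain user account'
    }
    elseif ($Name -eq 'SmsCliToknAcct&') {
        $info.Type = 'SMS client token account'; $info.Scope = 'Local SAM of client computer'
    }
    elseif ($Name -eq 'SMSCliSvcAcct&') {
        $info.Type = 'SMS Client Service account'; $info.Scope = 'Local SAM of non-domain-controller client'
    }
    elseif ($Name -match '^SMS&_(.+)$') {
        $info.Type = "SMS Client Service account on domain controller $($Matches[1])"; $info.Scope = 'Local'
    }
    [pscustomobject]$info
}

# A site system that became a CAP more than once carries more than one SMSSVC instance;
# the older instances deserve review, since SMS does not remove them.
function Find-DuplicateRemoteServiceAccounts {
    param([Parameter(Mandatory)] [pscustomobject[]] $Accounts)
    $Accounts |
        Where-Object { $_.Type -eq 'SMS Remote Service account' } |
        Group-Object SiteCode |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SiteCode  = $_.Name
                Instances = ($_.Group.Instance | Sort-Object) -join ', '
                Note      = 'More than one SMS Remote Service account instance; review the older ones'
            }
        }
}

# Constructed sample listing, as it might come from a SAM or domain account export.
$sampleNames = @(
    'SMSSVC_S01_0001', 'SMSSVC_S01_0002', 'SMSSERVER_S01', 'SMSClient_S01',
    'SMSLogonSvc', 'SWMACCOUNT', 'SmsCliToknAcct&', 'SMSCliSvcAcct&',
    'SMS&_SERVER1', 'Administrator', 'JDOE'
)

$classified = $sampleNames | ForEach-Object { Get-SmsAccountType -Name $_ }
$classified | Format-Table Name, Type, Scope, SiteCode, Instance -AutoSize
Find-DuplicateRemoteServiceAccounts -Accounts $classified | Format-Table -AutoSize
```

Because the SMS Service account itself has no fixed name (the text recommends renaming it), it is deliberately not matched here; it has to be identified from the site properties, as in the exercise later in this chapter, and then reviewed with the other accounts. A name that matches one of these patterns is a candidate, not proof: confirm the account's origin before treating it as SMS-owned.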
In this exercise, you will explore the SMS Administrator console security rights for both administrators and users.
NOTE
Complete this exercise from Computer 1 with the SMS Administrator console running.
The assigned security rights appear in the details pane.
In the following steps, you will verify NTFS permissions to the drive containing SMS.
The (D:) Properties dialog box appears.
The Directory Permissions dialog box appears. Notice that the default permission on the root of the SMS drive is Everyone with Full Control.
The Windows NT Explorer window appears.
The Sms Properties dialog box appears.
The Directory Permissions dialog box appears. Notice that the default permissions on the SMS directory are Administrators with Full Control and the SMS Server Network Connection account (SMSServer_S01) with Read.
The Windows NT Explorer window appears.
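The defaults just observed (Everyone with Full Control at the root of the SMS drive, Administrators with Full Control and the SMS Server Network Connection account with Read on the SMS directory) and the package directory defaults described under SMS Package Access Accounts (Users and Guests with Read, Administrators with Full Control on distribution points) are the baseline an auditor compares against. The PowerShell below is an added example, not part of the training kit: it lists the allow entries on a set of paths and flags grants to Everyone or Guests and Full Control held by anyone other than Administrators or SYSTEM. The paths are placeholders.

```powershell
# Added example (not from the training kit). Flags broad NTFS grants on the given paths;
# the paths below are placeholders for the SMS drive root, the SMS directory and a
# package directory on a distribution point.
function Get-BroadNtfsGrants {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Deny entries narrow access; only Allow entries can widen it.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who    = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights
        $reason = $null

        if ($who -in @('Everyone', 'BUILTIN\Guests')) {
            # The text shows Everyone Full Control as the drive-root default and
            # Guests Read as the package-directory default; both deserve review.
            $reason = "Grant to $who"
        }
        elseif ((($rights -band $fullControl) -eq $fullControl) -and ($who -notin $AllowedFullControl)) {
            $reason = "Full Control held by $who"
        }

        if ($reason) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $who
                Rights    = $rights
                Inherited = $ace.IsInherited
                Finding   = $reason
            }
        }
    }
}

# Placeholder paths; replace with the SMS drive root, SMS directory and a package directory.
$pathsToAudit = @('D:\', 'D:\SMS', 'D:\SMSPKGD$')
$pathsToAudit | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-BroadNtfsGrants -Path $_ } |
    Format-Table Path, Identity, Rights, Inherited, Finding -AutoSize
```

Read access for Users on package directories is the default the text describes and is not flagged; the SMS Server Network Connection account's Read on the SMS directory likewise passes. Entries that come back with Inherited set to True point at a parent directory (the drive root in the exercise) as the place to fix, not the path that reported them.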
In this exercise, you will configure SMS Administrator security rights on objects to allow users access to specific objects in the SMS Administrator console.
NOTE
Complete this exercise from Computer 1 with the SMS Administrator console running.
In the following steps, you will create a user account that will be used to determine if a user can access any objects in the SMS Administrator console.
Configuration parameter | You should use
---|---
Username | SecurityTest
Password | password
Clear this checkbox |
Group membership | Domain Users
The User Rights Policy dialog box appears.
The Add Users and Groups dialog box appears.
The User Rights Policy dialog box appears displaying all accounts that are able to log on to the local computer. This list should include the new user account, SecurityTest.
In the following steps, you will log on as a user to determine if the user account can access the SMS Administrator console.
A Problem with Shortcut message box appears indicating it could not find the Sms.msc file required to start the SMS Administrator console and prompting you to use an alternate file.
In the following steps, you will grant the user permissions to the files necessary to start the SMS Administrator console.
In the following steps, you will log on as a user to determine if the user account can access the SMS Administrator console.
In the following steps, you will grant the user permissions to the SMS site database through the SMS Provider.
The Web Based Enterprise Management (WBEM) Permission Editor dialog box appears.
The User Properties dialog box appears.
The Web Based Enterprise Management (WBEM) Permission Editor dialog box appears displaying the new user added.
A Web Based Enterprise Management (WBEM) Permission Editor message box appears prompting you to save changes.
In the following steps, you will log on as a user to test if the user account can access the SMS Administrator console now that permissions to the WBEM namespace have been granted.
All objects appear in the SMS console tree.
In the following steps, you will grant the user security rights to access the packages object in the SMS Administrator console.
The SMS Administrator console appears.
The security objects appear in the details pane.
The Security Right Properties dialog box appears.
The security objects appear in the details pane. Notice the new object added that allows the user account SecurityTest to read all packages.
In the following steps, you will log on as a user to test if the user account can access the SMS Administrator console now that SMS security rights have been granted to packages.
In this exercise, you will determine which accounts are used by SMS components on site servers and Windows NT Workstation client computers for startup and network access. You will use the SMS Administrator console, User Manager for Domains, and the Services application to verify account use and permissions.
NOTE
Complete this exercise from Computer 1 with the SMS Administrator console running and Computer 2 running Windows NT Workstation version 4.0.
The SMS Administrator console appears.
The S01 — Central Site Site Properties dialog box appears.
In the following steps, you will determine which account is designated as the SMS Client Remote Installation account.
NOTE
Return to the first part of this exercise if you are not sure how to view site properties.
No account is specified.
In the following steps, you will determine which account is designated as the SQL Server account.
In the following steps, you will identify the domain user account serving as the Software Metering Server account.
The list of site settings appears in the SMS console tree.
The \\SERVER1 Site System Properties dialog box appears.
The Server1 Site System Properties dialog box appears and displays software metering server properties.
In the following steps, you will verify the SMS Client Connection account.
The list of client connection accounts appears in the details pane.
In the following steps, you will determine which account the SMS Client Service on the site server uses to start up.
The SMS Client Service on the site server uses the SMS&_Server1 account, not the SMS Client Connection account.
In the following steps, you will determine which accounts the SMS Client Service and SMS Remote Control Agent services on the Windows NT Workstation client computer use to start up.
NOTE
Complete this procedure from Computer 2.
The Services application appears.
The SMS Client Service on the Windows NT Workstation client computer uses the SMSCliSvcAcct& account, not the SMS Client Connection account.
The SMS Remote Control Agent on the Windows NT Workstation client computer uses the system account.
In the following steps, you will determine which account the SMS Client Service on the Windows NT Workstation client computer uses to start up, in order to determine whether it has any access to site systems.
NOTE
Complete the rest of this exercise from Computer 1.
The User Sessions on Server1 dialog box appears.
In the following steps, you will determine which account remote site systems use to transfer data to the site server.
The list of site system connection accounts appears in the details pane.
In the following steps, you will use User Manager for Domains to determine which account domain controllers use to transfer data to the site server.