WMI Security

Microsoft System Center Configuration Manager 2007 relies completely on Windows Management Instrumentation (WMI). WMI is the Microsoft implementation of Web Based Enterprise Management (WBEM), which is a unifying architecture that allows access to data from a variety of underlying technologies, including Win32, WMI, the Desktop Management Interface (DMI), and the Simple Network Management Protocol. WBEM is based upon the Common Information Model (CIM) schema, which is an industry standard driven by the Desktop Management Task Force. WMI uses Managed Object Format (MOF) files to determine what information to load into the CIM repository. WMI also uses providers to access the CIM repository.

Essentially, WBEM provides a standard way to define information that a system should collect (the MOF), a standard way to represent that information (the CIM), and a standard way to access that collected information. For example, WMI in a Windows operating system can collect performance information (using the Performance Monitor Provider), from the registry (using the Registry Provider), and from Configuration Manager 2007 hardware inventory (using the SMS Provider), and store them all in the CIM repository. Then you can view the information in the Configuration Manager 2007 console (using the SMS Provider).

However, access to the CIM repository is controlled by WMI permissions. By default, the local administrator account and the local Administrators group have rights to all operations, including remote access. You can use WMI to control global permissions on namespace operations, such as limiting the access of some users to read-only operations. You can use the WMI Control, available in the Computer Management administrative tools, to manage WMI security. When you install Configuration Manager 2007, you designate the computer where the SMS Provider will run and Configuration Manager 2007 creates the SMS Admins group on that computer and on the site server if the SMS Provider is on a remote computer. The SMS Admins group has the necessary permissions to access the SMS Provider. For more information, see About the SMS Admins Group.

Configuration Manager Object Security

The only way that Configuration Manager 2007 itself enforces security is when you access a Configuration Manager 2007 object through the SMS Provider. If a user has been granted direct rights to tables in the site database by the SQL administrator, for example, the user could perform any action within those rights, regardless of the Configuration Manager 2007 object security that has been assigned.

Important
Directly accessing the site database is not supported and could lead to changes that could stop your site from functioning.

Object access is granted through user or group accounts. Group membership is enumerated when the group member attempts to access the object. You can grant rights to an entire class of objects (all packages, all sites, all collections) or to an instance of an object (the "Office 2007 package," the "NYC" child site, the "Computers in Building 44" collection). Not all classes allow you to grant rights to an instance. For example, there are too many status messages for it to be practical to grant instance permissions to each individual status message, so Status Message has only a class right. For a complete list of all of the class and instance permissions in Configuration Manager 2007, see Classes and Instances for Object Security in Configuration Manager in the Technical Reference section of the Configuration Manager Documentation Library.

Default Object Security

By default, the only users with rights to all objects in the Configuration Manager 2007 console are the user account that was used to run Configuration Manager 2007 setup (the Configuration Manager Installation account) and the Local System account. You must explicitly add other accounts and grant them permissions to Configuration Manager 2007 objects. Also, if they are not already a member of SMS Admins, you must grant them WMI permissions. Without WMI permissions, users cannot run the Configuration Manager 2007 console at all. Without any object rights, users who can start the Configuration Manager 2007 console can only see the high-level nodes, along with the Security Rights and Tools. Users cannot see any data other than the Security Rights, and they cannot manipulate the Security Rights.

Note
If you upgraded the site from a previous version, the account that had full rights to all objects will not have rights to new object types until you explicitly grant them. For example, even though the software updates administrator had full rights to all Configuration Manager 2007 objects, if the software updates administrator was not the user who performed the upgrade, the software updates administrator will not have any rights to the new deployment objects in Configuration Manager 2007.

For each object type, there must always be at least one account with the class-level Administer right. This prevents administrators from being locked out of the Configuration Manager 2007 system. As a result, it is not possible to delete the final user on an object type with the Administer right. Also, you cannot delete your own Administer rights on an object.

Users who create an instance of an object are automatically assigned Read, Modify, and Delete rights for that instance.

How Rights Accumulate

Configuration Manager 2007 object rights are cumulative. For example, if a user has the Read right on one collection (for example, "All Systems") and the Use Remote Tools right on another collection ("Collection A"), then the user has both the Read and Use Remote Tools rights on every system that is a member of both collections. The user can view a resource in the "All Systems" collection and can use Remote Tools with that resource if it is also in "Collection A"; if the resource is not in "Collection A", the user cannot use Remote Tools with it. Lacking the Use Remote Tools right on "All Systems" therefore does not deny the user Remote Tools on every computer in "All Systems". It denies Remote Tools only on those computers in "All Systems" for which no other collection containing the computer grants the user the Use Remote Tools right.

Because Configuration Manager 2007 rights are cumulative, if you grant a user class security rights to a security object and conflicting instance security rights to a specific security object, Configuration Manager 2007 reconciles the class and instance security rights to grant the highest level of permissions. For example, if you grant the user all rights to all packages at the class level and Read to a specific package at the instance level, the user’s effective rights are full rights to all packages, including the specific package set with Read.

Implementing Role-Based Security Using Object Security

You can grant permissions to objects by granting rights to user groups in your organization to address their specific needs. For example, if your help desk technicians have a user group, you can grant that group Use Remote Tools rights for Collections. If users who are not Configuration Manager 2007 administrators want to view and query inventory collected from clients, you can grant those users Read rights to Collections and Queries, along with Read Resource rights to Collections.

Administer vs. Delegate

When creating an object (such as a collection or advertisement), the user might want to allow other users (or groups) to use or manage the object. This is possible if the user has the class-level Administer right, but that also allows them to do anything they want to with any instance of that object type. A better solution is to give the user the class-level Delegate right, which allows them to grant rights to users and groups for objects they create. However, users can only grant rights that they are explicitly granted at the instance level; they cannot grant rights that they are granted through group membership or at the class level.

For example, a user might have the class-level Create and Delegate rights for Collections. The user also has instance-level Read, Read Resource, and Advertise rights for the "All Windows XP Systems" collection. The user can then create a new collection based on the membership of the "All Windows XP Systems" collection. The user can then grant the Read and Read Resource rights on the new collection (but not the Create or Delegate rights, which are held at the class level) to another group so that the members of that group can view members of the new collection.
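
The rules in the Default Object Security, How Rights Accumulate, and Administer vs. Delegate sections can be expressed as a small authorization model. The following Python is an added illustration written for this page, not SMS Provider code; the users (alice, bob, carol, dave), the HelpDesk group, the collection and package names, and the grant store itself are constructed, and the rules it enforces are the ones stated above: class and instance rights are unioned, creators get Read, Modify, and Delete on what they create, the last class-level Administer holder and your own Administer right cannot be removed, and a delegator can pass on only rights held explicitly at instance level.

```python
"""Model of the object-security rules described on this page (cumulative class
and instance rights, creator rights, the Administer lock-out rule and the
Delegate constraint). Added illustration, not SMS Provider code; every user,
group, collection and package name below is constructed."""
from collections import defaultdict

CLASS = "*"  # constructed marker: a grant at this key is class-level (all instances)


class RightsStore:
    """Class- and instance-level grants for users and groups."""

    def __init__(self, groups):
        # user -> set of group names; membership is enumerated when access is
        # attempted, as the page describes
        self.groups = groups
        self.grants = defaultdict(set)  # (principal, type, instance) -> rights

    def grant(self, principal, object_type, rights, instance=CLASS):
        self.grants[(principal, object_type, instance)] |= set(rights)

    def _principals(self, user):
        return {user} | self.groups.get(user, set())

    def class_rights(self, user, object_type):
        return set().union(*(self.grants[(p, object_type, CLASS)]
                             for p in self._principals(user)))

    def effective_rights(self, user, object_type, instance):
        """Rights are cumulative: the union of class and instance grants, so a
        conflicting pair reconciles to the higher level of permission."""
        rights = self.class_rights(user, object_type)
        for p in self._principals(user):
            rights |= self.grants[(p, object_type, instance)]
        return rights

    def resource_rights(self, user, resource, membership):
        """Rights on a resource are the union of rights on every collection that
        contains it; membership maps collection name -> set of resource names."""
        rights = set()
        for coll, members in membership.items():
            if resource in members:
                rights |= self.effective_rights(user, "Collection", coll)
        return rights

    def create_instance(self, creator, object_type, instance):
        """Creating an instance grants the creator Read, Modify and Delete on it."""
        self.grant(creator, object_type, {"Read", "Modify", "Delete"}, instance)

    def revoke(self, actor, principal, object_type, rights, instance=CLASS):
        """Remove rights, refusing to delete the actor's own Administer right or
        the last class-level Administer holder for an object type."""
        if "Administer" in rights:
            if principal == actor:
                raise PermissionError("cannot delete your own Administer right")
            if instance == CLASS:
                holders = {p for (p, t, i), r in self.grants.items()
                           if t == object_type and i == CLASS and "Administer" in r}
                if holders <= {principal}:
                    raise PermissionError("an Administer holder must remain")
        self.grants[(principal, object_type, instance)] -= set(rights)

    def delegate(self, delegator, grantee, object_type, instance, rights):
        """With class-level Delegate, a user may pass on only the rights held
        explicitly (not via a group, not at class level) on that instance."""
        if "Delegate" not in self.class_rights(delegator, object_type):
            raise PermissionError("delegator lacks class-level Delegate")
        explicit = self.grants[(delegator, object_type, instance)]
        if not set(rights) <= explicit:
            raise PermissionError(f"not delegable: {sorted(set(rights) - explicit)}")
        self.grant(grantee, object_type, rights, instance)


def demo():
    """Walks through the page's examples with constructed data; returns outcomes."""
    store = RightsStore(groups={"alice": {"HelpDesk"}})
    out = {}
    # How Rights Accumulate: Read on "All Systems", Use Remote Tools on "Collection A"
    store.grant("alice", "Collection", {"Read"}, "All Systems")
    store.grant("alice", "Collection", {"Use Remote Tools"}, "Collection A")
    members = {"All Systems": {"pc1", "pc2"}, "Collection A": {"pc1"}}
    out["pc1"] = store.resource_rights("alice", "pc1", members)
    out["pc2"] = store.resource_rights("alice", "pc2", members)
    # class-level full rights plus instance-level Read reconcile to full rights
    store.grant("bob", "Package", {"Read", "Modify", "Delete", "Administer"})
    store.grant("bob", "Package", {"Read"}, "Office 2007 package")
    out["bob"] = store.effective_rights("bob", "Package", "Office 2007 package")
    # Administer vs. Delegate: carol creates a collection and delegates Read only
    store.grant("carol", "Collection", {"Create", "Delegate"})
    store.create_instance("carol", "Collection", "XP in Building 44")
    store.delegate("carol", "HelpDesk", "Collection", "XP in Building 44", {"Read"})
    out["alice_new"] = store.effective_rights("alice", "Collection", "XP in Building 44")
    attempts = {
        "delegate_class_right": lambda: store.delegate(
            "carol", "HelpDesk", "Collection", "XP in Building 44", {"Create"}),
        "revoke_own_admin": lambda: store.revoke("bob", "bob", "Package", {"Administer"}),
        "revoke_last_admin": lambda: store.revoke("dave", "bob", "Package", {"Administer"}),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "allowed"
        except PermissionError as err:
            out[label] = f"refused: {err}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the model shows alice with Read and Use Remote Tools on pc1 but only Read on pc2, bob's instance-level Read absorbed into the full class-level rights, and the three refused operations (delegating a class-level right, deleting your own Administer right, deleting the last Administer holder).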

Note
Grant permissions to each administrator carefully at the instance level, unless they require permissions at the class level. Create a collection of the resources that each administrator manages and grant permissions only to that collection. As a result, each administrator sees only those security objects to which access is granted.

Viewing Resources in Collections and Queries

Often, the rights you set on collections affect your ability to perform tasks in other nodes in the Configuration Manager 2007 console. For example, granting the Read object security right on a collection not only gives the user the right to see that collection but also to see resources within that collection. The user can view the properties of the resource and can invoke the Resource Explorer, but they cannot see the values of the Resource Explorer groups. For that level of detail, the user also requires the Read Resource right. To further manage computer resources, give the user the Use Remote Tools or View Collected Files rights. To remove the resource from Configuration Manager 2007 altogether (as opposed to just removing the collection rule that makes that resource a member of the collection), the user must have the Delete Resource right.

You can manage resources through queries, but the Read right on queries gives you the privilege only to see and run the queries. The right to view resources in a query result window and to manage those resources is granted by the rights set for collections that those resources are in.

Site Maintenance Rights

To manage the site database, site maintenance Microsoft SQL Server commands can be created in the Configuration Manager 2007 console, under the Site Settings node for each site. These commands run with complete rights in the site database and can manipulate the data and the database in any way. To prevent malicious use of this powerful facility, grant the Manage SQL Commands right on the Site instance only to those senior administrators who require it.

Note
To add, delete, or modify SQL commands, you must also have the Modify right on the Site object.

Software Metering Rights

One of the primary software metering tasks is to create software metering rules. Software metering rules can apply not only to the site they are created for but also to the child sites of that site. To manage software metering rules, the Configuration Manager 2007 administrator must have the appropriate software metering rule object security rights. For those rules to apply to a site, the administrator must also have the Meter right on that site instance, or the class-level Meter right on the Site class, in which case the rules apply to all sites the rule is distributed to. The Meter rights that matter are those at the site where the rule originates, not the rights at the sites the rule is distributed to.

Software Updates

To add software updates to a template or to a deployment, either by dragging and dropping or by using the Action menu, you must have the following rights.

Object               Read  Distribute  Create  Advertise
Configuration items  X     X
Collection           X                         X
Deployment package   X     X
Deployment template  X
Deployment           X                 X
Site                 X

Software Distribution Rights

Because advertisements involve the package and the collection, you must have the following rights to create an advertisement:

  • Read rights on the collection receiving the advertisement

  • Advertise rights on the collection receiving the advertisement

  • Read rights on the package containing the advertised program

You must have the following rights to delete an advertisement:

  • Delete rights on the advertisement

  • Advertise rights on the collection receiving the advertisement

  • Read rights on the package containing the advertised program

Operating System Deployment

Some operating system deployment tasks require access to packages, collections, advertisements, and site objects.

For each object, the rights needed to create, modify, delete, and distribute it are listed below in the form Right\Object.

Boot Images

  • Rights to create: Create\Boot image package, Read\Boot image package

  • Rights to modify: Modify\Boot image package, Read\Boot image package

  • Rights to delete: Delete\Boot image package, Read\Boot image package

  • Rights to distribute: Read\Boot image package, Modify\Boot image package, Distribute\Boot image package, Read\Site

Computer Association

  • Rights to create: Create\Computer association, Read\Computer association, Read\Collection

  • Rights to modify: Modify\Computer association, Read\Computer association

  • Rights to delete: Delete\Computer association, Read\Computer association

  • Rights to distribute: Not applicable

Operating System Images

  • Rights to create: Create\OS image, Read\OS image

  • Rights to modify: Modify\OS image, Read\OS image

  • Rights to delete: Delete\OS image, Read\OS image

  • Rights to distribute: Modify\OS image, Read\OS image, Distribute\OS image, Read\Site

Operating System Install Packages

  • Rights to create: Create\OS install package, Read\OS install package

  • Rights to modify: Modify\OS install package, Read\OS install package

  • Rights to delete: Delete\OS install package, Read\OS install package

  • Rights to distribute: Modify\OS install package, Read\OS install package, Distribute\OS install package, Read\Site

Task Sequences

  • Rights to create: Create\Task sequence package, Read\Task sequence package, Modify\Task sequence package

  • Rights to modify: Modify\Task sequence package, Read\Task sequence package

  • Rights to delete: Delete\Task sequence package, Read\Task sequence package

  • Rights to distribute: Modify\Task sequence package, Read\Task sequence package, Distribute\Task sequence package, Read\Site

Advertisement (for task sequence)

  • Rights to create: Read\Task sequence package, Read\Collection, Advertise\Collection, Read\Package, Create\Advertisement

  • Rights to modify: Modify\Advertisement, Read\Advertisement

  • Rights to delete: Delete\Advertisement, Read\Advertisement

  • Rights to distribute: Not applicable

Task sequence bootable media

  • Rights to create: Read\Task sequence package, Create Task sequence media\Task sequence package, Read\Site, Manage OSD and ISV Proxy Certificates\Site, Read\Boot image

  • Rights to modify: Modify\Task sequence package, Read\Task sequence package

  • Rights to delete: Delete\Task sequence package, Read\Task sequence package

  • Rights to distribute: Not applicable

Drivers

  • Rights to create: Create\Device driver, Read\Device driver

  • Rights to modify: Modify\Device driver, Read\Device driver

  • Rights to delete: Delete\Device driver, Read\Device driver

  • Rights to distribute: Not applicable

Driver package

  • Rights to create: Create\Driver package, Read\Device driver

  • Rights to modify: Modify\Driver package, Read\Driver package, Distribute\Driver packages

  • Rights to delete: Delete\Driver package, Read\Driver package

  • Rights to distribute: Not applicable

Note
If a task sequence requires a software distribution package or an OS image, the user must have the Read right on the Package class, not just on the instance of the package to be distributed.

Some actions might appear to work even if the user does not have sufficient rights. For example, even with no rights to create objects in the Boot image package class, a user can start the import process, but the wizard will fail due to insufficient rights.
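
Because a wizard can start and only fail later on insufficient rights, it is useful to check the per-task requirements up front. The following Python is an added example for this page, not Configuration Manager code: it transcribes a subset of the rows from the Software Updates table, the Software Distribution Rights lists, and the Operating System Deployment table above into a lookup table and reports which Right\Object pairs a user is missing for a task. The task names, the held-rights sets, and the user they belong to are constructed; the requirement rows come from the page.

```python
"""Pre-flight check of the per-task rights listed on this page. Added example,
not Configuration Manager code; task names and the sample held-rights set are
constructed, the requirement rows transcribe the page's tables."""

# (right, object type) pairs required per task, taken from the page's tables
REQUIRED = {
    # Software Updates table: adding updates to a template or deployment
    "add update to deployment": {
        ("Read", "Configuration items"), ("Distribute", "Configuration items"),
        ("Read", "Collection"), ("Advertise", "Collection"),
        ("Read", "Deployment package"), ("Distribute", "Deployment package"),
        ("Read", "Deployment template"),
        ("Read", "Deployment"), ("Create", "Deployment"),
        ("Read", "Site"),
    },
    # Software Distribution Rights lists
    "create advertisement": {
        ("Read", "Collection"), ("Advertise", "Collection"), ("Read", "Package"),
    },
    "delete advertisement": {
        ("Delete", "Advertisement"), ("Advertise", "Collection"), ("Read", "Package"),
    },
    # Operating System Deployment table (three of its rows)
    "create boot image": {
        ("Create", "Boot image package"), ("Read", "Boot image package"),
    },
    "distribute boot image": {
        ("Read", "Boot image package"), ("Modify", "Boot image package"),
        ("Distribute", "Boot image package"), ("Read", "Site"),
    },
    "create task sequence advertisement": {
        ("Read", "Task sequence package"), ("Read", "Collection"),
        ("Advertise", "Collection"), ("Read", "Package"), ("Create", "Advertisement"),
    },
}


def missing_rights(held, task):
    """Return the (right, object) pairs in REQUIRED[task] that held lacks, sorted."""
    return sorted(REQUIRED[task] - set(held))


def can_perform(held, task):
    return not missing_rights(held, task)


def preflight(held, tasks):
    """Check several tasks at once, before any wizard is launched."""
    return {task: missing_rights(held, task) for task in tasks}


# Constructed sample: a help-desk account with collection-level rights only
HELPDESK_RIGHTS = {
    ("Read", "Collection"), ("Advertise", "Collection"),
    ("Read", "Package"), ("Read", "Task sequence package"),
}


def demo():
    return preflight(HELPDESK_RIGHTS, sorted(REQUIRED))


if __name__ == "__main__":
    for task, missing in demo().items():
        status = "ok" if not missing else "missing " + ", ".join(
            f"{right}\\{obj}" for right, obj in missing)
        print(f"{task}: {status}")
```

With the constructed help-desk rights, only "create advertisement" passes; the other tasks report exactly which rights are absent, which is the information an administrator needs before deciding whether to grant them at the instance or class level.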

Service Manager

In Configuration Manager 2007 Service Manager, you must have the Administer right on the primary site object to perform the following tasks:

  • Query a service

  • Stop a service

  • Start a service

  • Configure service logging

On a secondary site, you must be a member of the local Administrators group to perform these tasks.