Isolate sites in high security environments    When you join two or more sites together in a hierarchy, the parent site by design has the ability to modify any child or grand child site. However, any site could potentially be used to attack any other site in the hierarchy and could potentially gain control of parent, child, or sibling sites. Also, if you are publishing to Active Directory Domain Services, any site can potentially write to any other site's objects in the same forest, including sites that are not in the same hierarchy. The only way to prevent one site from writing to another site is to put the sites in separate forests.

Use the fewest sites possible    Having a large number of sites represents a fairly low risk, but reducing the number of sites reduces the attack surface and should be considered when designing deployments. Reducing the number of sites for security must be weighed carefully against other design considerations, like bandwidth, performance, and client configuration. A single site is the most secure option because there is no need to do the following:

• Transfer data between sites
  
  
• Manage sender accounts between sites
  
  
• Trust administrators at other sites
  
  

Performance enhancements in Configuration Manager 2007 allow a single site to support more clients, making it possible to consolidate sites that were divided for performance reasons. You might be able to replace smaller sites with protected distribution points and thus reduce the number of sites, if this is consistent with your other design goals.

Avoid having sites span forests    Forests are the administrative boundary of Active Directory. Allowing a site to span a forest compromises this boundary by allowing administration from a different forest. The following site systems are supported if they are installed in a forest remote to the site server's forest, but it is not the security best practice.

• Server locator point
  
  
• Fallback status point
  
  
• Distribution point, configured to support Internet-based clients
  
  
• Management point, configured to support Internet-based clients
  
  
• Software update point, configured to support Internet-based clients
  
  
• For network access protection, if you must have a System Health Validator point in a remote forest because the Network Policy Server (NPS) is not in the same forest as the site server.
  
  
• For operating system deployment, when using PXE service points
  
  
• For Internet-based clients, if you must have site system roles installed in a perimeter network to support Internet-based clients.
  
  

It is supported to have a primary site in one forest and a child primary site in a remote forest. It is not supported to have a secondary site in a different forest than the parent site. It is supported to have clients in forests remote to the site server.

Require secure key exchange between all sites in the hierarchy    Secure key exchange is enabled by default for new installations but not for upgrades. Any site in the hierarchy that is accepting unsecured key exchange could potentially replicate the unsecured site data throughout the hierarchy. Always require secure key exchange on all sites, including SMS 2003 sites in the hierarchy. For more information, see How to Manually Exchange Public Keys Between Sites.

In mixed mode, upgrade all clients to Configuration Manager 2007 and configure the site to contain only ConfigMgr 2007 clients    While it is best to use native mode, which requires all clients to run Configuration Manager 2007, if you must use mixed mode you should still upgrade all clients in the hierarchy to Configuration Manager 2007. After all clients are upgraded, for every site in the hierarchy, you should enable the setting This site contains only ConfigMgr 2007 clients on the Site Mode tab of the site properties to prevent policies containing sensitive data being sent to any client.

Upgrade all sites to Configuration Manager 2007    If you have any SMS 2003 sites in the site hierarchy, Configuration Manager 2007 uses MD5 to hash data sent to the SMS 2003 sites.