Topic Last Updated—August 2008

Software distribution is a powerful feature that can be used as a major point of attack if not secured properly. When installing packages, Microsoft System Center Configuration Manager 2007 can use elevated rights in either the user or the system context, even if the user does not have administrative rights. This particular capability of Microsoft System Center Configuration Manager 2007 can be used by an attacker to effectively run any attacks that elevate rights.

Best Practices

Always configure advertisements to download content    Configuring to Download content from distribution point and run locally is more secure because Configuration Manager 2007 verifies the package hash after the content is downloaded and discards the package if the hash does not match the hash in the policy. If you configure the advertisement to Run program from distribution point, no verification takes place and attackers can tamper with the content. If you must run the program from the distribution point, use NTFS least permissions on the packages on the distribution points and use Internet Protocol security (IPsec) to secure the channel between the client and the distribution point and between the distribution point and the site server.

Do not allow users to interact with programs if run with administrative rights is required    When you configure a program, you can set the option Allow users to interact with this program so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer running the program could use the user interface to escalate privileges on the client computer. You should use Windows Installer-based setup programs with per-user elevated privileges for installations that require administrative credentials but that must be run in the context of a user who does not have administrative credentials. Using Windows Installer per-user elevated privileges provides the most secure way of deploying applications with this requirement.

Do not create subcollections if you need to restrict software distribution on them    An advertisement to a collection with subcollections is sent to all members of the collection and subcollections, even if the administrator has only the Advertise right to the collection (not the subcollections). Any administrator who can link a collection to another collection can cause that collection to receive the advertisements targeted to the other collection, even if they do not have Advertise permissions on any collection. For this reason, you should watch for the addition of subcollections to collections with advertisements, and be cautious of whom you give permission to for reading collections that receive advertisements.

Set package access permissions at package creation    Changes to the access accounts on the package files (as opposed to the distribution point shared folders) become effective only when you refresh the package. Therefore, you should set the package access permissions carefully when you first create the package, especially if the package is large, if you are distributing the package to many distribution points, or if your network capacity for package distributions is limited. To quickly initiate the refresh of all distribution points, you can use the Update Distribution Points task for the package.

Secure software at the package access level    By default, the package files on distribution points are fully accessible by administrators and readable by users. Users with administrative rights on client computers can set the client to join any site, even if the computer is not within the boundaries of the site. When the clients have joined the site, they can receive any software distributions that are available at that site and for which the computer or user meets the qualifications of the relevant collections. For this reason, software that should be limited to specific users should be secured at the package access level to those users, rather than being limited by site availability or collection criteria. However, restricting the access of the Internet Guest account to packages will cause package access to fail for Internet-based clients. For more information, see Example Package Access Scenarios.

After upgrading, if you had packages in SMS 2003, update all packages    SMS 2003 (released version) used MD5 to hash packages; Configuration Manager 2007 and SMS 2003 service packs later than SP1 use SHA-1. To rehash all of the packages with SHA-1, you should update all packages created in SMS 2003 (released version) that have not already been updated with an SMS service pack. Failing to do so might cause clients to discard valid packages if the advertisement is configured to download the package and run it locally.

Best Practices for Distribution Points

Remove the distribution point role from the site server    By default, the site server is set up as a standard distribution point. However, you should assign this role to other site systems and remove it from the site server to reduce the attack surface. Clients have no valid reason to talk directly to the site server or any role configured on the site server. This is especially important if you chose to enable Background Intelligent Transfer Service (BITS) on the distribution point, because installing Internet Information Services (IIS) to create a BITS-enabled distribution point greatly increases the attack surface of the site system.

Do not create distribution point shares or branch distribution points on Internet-based clients    Although Configuration Manager 2007 might not block you from doing so, creating any type of distribution point on an Internet-based client greatly increases your attack surface and should be avoided. Create distribution points only on site systems that can be managed within the intranet or the perimeter network.

After switching to a custom Web site, remove the default virtual directories    When you change from using the default Web site to using a custom Web site, Configuration Manager 2007 does not automatically remove the old virtual directories. You should manually remove the virtual directories created under the default Web site. This is especially important if you configured the distribution point to Allow clients to connect anonymously (Required for mobile device clients) while using the default Web site and then you disable anonymous connections after switching to the custom Web site. In this case, the old virtual directories will still be configured for anonymous access. For the list of virtual directories created on BITS-enabled distribution points, see About BITS-Enabled Distribution Points.

Implement access controls to protect branch distribution points    Branch distribution points can be installed on any Configuration Manager 2007 client, including Microsoft Windows XP Professional workstation computers. Workstation computers are generally not subject to the same physical access controls as server computers, so you must monitor your usage of branch distribution points. Do not distribute sensitive source files to branch distribution points if there is a risk of an attacker stealing the hard drive or the entire branch distribution point. You should configure all advertisements so that clients download packages from a branch distribution point and run them locally rather than running them across the network. Configuration Manager 2007 verifies the hash on downloaded packages and discards any packages it cannot verify, but there is no package verification on packages run from the distribution point.

Enable the encrypted mode for Application Virtualization Streaming–enabled distribution points    In Configuration Manager 2007 R2, when you configure an Application Virtualization Streamingenabled distribution point, you have the option of choosing Real Time Streaming Protocol (RTSP) or RTSP over TLS (RTSPS). Enabling encryption helps protect against attackers tampering with the data stream.

Security Issue

The following issue has no mitigation.

Packages are not validated until after they are downloaded    Configuration Manager 2007 validates the signatures on packages only after they have been downloaded to the client cache. If an attacker has tampered with a package, the client could waste considerable bandwidth in downloading the package only to have it discarded due to an invalid signature.

Privacy Information

Software distribution allows you to run any program or script on any client in the site. Configuration Manager 2007 has no control over what types of programs or scripts you run or what type of information they transmit. During the software distribution process, Configuration Manager 2007 might transmit information between clients and servers that identify the computer and logon accounts.

Configuration Manager 2007 maintains status information about the software distribution process. Software distribution status information is not encrypted during transmission unless you enable native mode. Status information is not stored in encrypted form in the database.

Status information is stored in the site database and deleted by default every 30 days. The deletion behavior is configurable by setting both the Status Filter Rule properties and the site maintenance task. No status information is sent back to Microsoft.

The use of Configuration Manager 2007 software installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software and is separate from the Software License Terms for Configuration Manager 2007. You should always review and agree to the Software Licensing Terms prior to installing the software using Configuration Manager 2007.

Software distribution does not happen by default and requires several configuration steps. Before configuring software distribution, consider your privacy requirements.

See Also