Microsoft System Center Configuration Manager 2007 mixed mode clients have a small window of vulnerability when establishing trust with the management point for their site. If clients cannot query the global catalog for Configuration Manager 2007 information, and if you do not pre-provision the trusted root key on the client during installation, the client will trust the first management point it contacts and accept a trusted root key from that management point. It would be difficult, but not impossible, for an attacker to attempt to hijack the initial communication and trick the client into trusting a fake copy of the trusted root key. To mitigate this threat, you can give the client a copy of the trusted root key when you install it.
Note: This procedure is not necessary in native mode because trust is established using the PKI certificates. This procedure is not necessary if clients can query the global catalog for management point information. For example, if you have enabled Active Directory publishing, then clients in the same forest can query the global catalog, but workgroup clients and clients in different forests should use this procedure.
If you have already installed your clients, this procedure is probably too late to be of value as a security mitigation because the clients have probably already established a trust relationship with the management point. You can still verify that the trusted root key on a client is the correct trusted root key. For more information, see How to Verify the Trusted Root Key. If you detect an invalid trusted root key, remove the trusted root key and then use this procedure to re-provision the correct trusted root key. For more information about removing the trusted root key, see How to Remove the Trusted Root Key.
If you move clients between sites in the same hierarchy, you do not need to change the trusted root key because all sites in the same hierarchy use the same trusted root key. If you migrate your clients to a new hierarchy, you should pre-provision the clients with the trusted root key for the new site hierarchy using the SMSROOTKEYPATH property, as described in this topic. SMSROOTKEYPATH will overwrite the old trusted root key. You could also remove the trusted root key and allow the client to establish trust with a management point in the new site, but pre-provisioning is the more secure option.
For more information about the trusted root key, see About the Trusted Root Key.
To pre-provision the trusted root key using a file
- In a text editor, open the file <Configuration Manager directory>\bin\<platform>\mobileclient.tcf.
- Locate the entry SMSPublicRootKey= and copy the key from that line to a text file.
- Save the text file containing the trusted root key and place it somewhere that all computers can access it but where the file is safe from tampering.
- When you install the client, using any client installation method, use the Client.msi property SMSROOTKEYPATH=<Full path and filename>.
To pre-provision the trusted root key without using a file
- In a text editor, open the file <Configuration Manager directory>\bin\<platform>\mobileclient.tcf.
- Locate the entry SMSPublicRootKey= and write down the key or copy it to the Clipboard.
- When you install the client, using any client installation method, use the Client.msi property SMSPublicRootKey=<key>, where key is the string you copied from mobileclient.tcf.
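The following PowerShell script is an added example, not part of this topic or of Configuration Manager itself, that automates both procedures above: it reads the SMSPublicRootKey value out of mobileclient.tcf, stages only the key in a file for the SMSROOTKEYPATH method, and prints the matching ccmsetup.exe command lines for both the file-based and the file-less method. The site server path, the share path, and the site code placeholder are assumptions for illustration; substitute your own values. The script does not secure the share; the NTFS and share permissions that keep the key file safe from tampering are still your responsibility.

```powershell
# Added example (not Microsoft's or Configuration Manager's own code).
# Extracts the trusted root key from mobileclient.tcf and stages it for
# pre-provisioning clients with SMSROOTKEYPATH or SMSPublicRootKey.
param(
    # Assumed site server location of mobileclient.tcf; adjust <platform> (for example, i386) for your site.
    [string]$TcfPath = 'C:\Program Files\Microsoft Configuration Manager\bin\i386\mobileclient.tcf',
    # Assumed read-only share that all client computers can reach.
    [string]$KeyOut  = '\\fileserver\ClientInstall\TrustedRootKey.txt'
)

# mobileclient.tcf is an INI-style text file; pull the first SMSPublicRootKey= line.
$keyLine = Get-Content -Path $TcfPath |
    Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
    Select-Object -First 1
if (-not $keyLine) {
    throw "SMSPublicRootKey entry not found in $TcfPath"
}

# Keep only the value to the right of the first '=' (the key string itself).
$key = ($keyLine -split '=', 2)[1].Trim()
if ([string]::IsNullOrWhiteSpace($key)) {
    throw "SMSPublicRootKey entry in $TcfPath is empty"
}

# The key file must contain just the key: no section header and no property name.
Set-Content -Path $KeyOut -Value $key -Encoding ASCII
Write-Host "Trusted root key staged at $KeyOut"

# Client.msi properties are passed straight through ccmsetup.exe, so either
# of these command lines pre-provisions the key during installation.
Write-Host 'File-based method:'
Write-Host "  ccmsetup.exe SMSSITECODE=<site code> SMSROOTKEYPATH=`"$KeyOut`""
Write-Host 'File-less method:'
Write-Host "  ccmsetup.exe SMSSITECODE=<site code> SMSPublicRootKey=$key"
```

Run the script once on the site server (or any computer with read access to the bin folder) before you deploy clients. If you later migrate clients to a different hierarchy, rerun it against that hierarchy's mobileclient.tcf so the staged file carries the new trusted root key, which SMSROOTKEYPATH will then overwrite on the client.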