The most serious risk from Microsoft System Center Configuration Manager 2007 is that its functionality could be hijacked by an unauthorized user who could then distribute software to all Configuration Manager 2007 clients. Because Configuration Manager 2007 has the ability to install software using administrative rights, an attacker could take control of every Configuration Manager 2007 client, both computers and devices. Configuration Manager 2007 also has the ability to retrieve any file from any client computer, which could have serious consequences for security and privacy, depending on the nature of the file.
In contrast, the nature of the data that Configuration Manager 2007 collects (hardware inventory, software inventory, metering, desired configurations) is not generally considered confidential. Similarly, the loss of Configuration Manager 2007 functionality for a short period of time due to a denial-of-service attack does not generally have a catastrophic impact, unlike, for example, e-mail, network communications, light, and power. The most serious impact from lack of availability usually comes from the inability to deploy new software updates in response to a zero-day exploit. Loss of Configuration Manager 2007 infrastructure could also impact the clients' ability to remediate if they are in restriction due to Network Access Protection evaluation, which could potentially restrict their access to the entire network.
Best Practices
Physically secure your computers
There is no security without physical security. An attacker who gets physical access to a Configuration Manager 2007 site system could potentially use Configuration Manager 2007 to attack the entire client base. All potential physical attacks must be considered high risk and mitigated appropriately. The site server and all site systems must be stored in a secure server room with controlled access. Ideally, keep computers that run the Configuration Manager 2007 consoles in a locked room to protect them from unauthorized access. However, if this is not possible, for example, with a branch distribution point, secure these computers when administrators are not physically present by having the operating system lock the workstation, or by using a secured screen saver. To enforce the principle of least privilege, create policies to require Configuration Manager 2007 administrators to log in to remote administration consoles using a low-rights user account, and then use Run As to start the Configuration Manager 2007 console.
It is more difficult to physically secure the Configuration Manager 2007 client computers because they usually must be accessible to end users. To mitigate the threat, restrict access to your business offices to authorized employees and guests. If you have client computers at high risk of compromise, store them in locked offices and use additional security measures like locked cases and antitheft cables. Configuration Manager 2007 clients can be mobile computers and devices. Educate users about good security practices, such as attaching a lock to laptop computers and applying passwords to devices. If a laptop or device is lost or stolen, have established procedures in your organization for preventing that computer from accessing the company network and immediately block the computer in the Configuration Manager 2007 console and, if you use native mode, revoke the client certificate.
Apply the most recent security updates to all computers
You can use the Configuration Manager 2007 software update feature to deploy updates to Configuration Manager 2007 client computers. Stay informed about new updates for operating systems, Microsoft SQL Server, and Configuration Manager 2007 by subscribing to the Security Notification service (http://go.microsoft.com/fwlink/?LinkId=28819).
Protect against unauthorized administrators
Configuration Manager 2007 has no defense against an authorized Configuration Manager 2007 administrator who uses Configuration Manager 2007 to attack the network. Unauthorized administrators are a high security risk. An unauthorized administrator could launch numerous attacks, including but not limited to the following:
- Using software distribution to automatically install and run malicious software on every Configuration Manager 2007 client computer in the enterprise.
- Configuring remote control to take remote control of a Configuration Manager 2007 client without client permission.
- Configuring rapid polling intervals and extreme amounts of inventory to create denial-of-service attacks against the clients and servers.
- Using one site in the hierarchy to write data to another site's Active Directory data.
You cannot remove all administrative access to the Configuration Manager 2007 console and the Configuration Manager 2007 site systems because Configuration Manager 2007 would become unusable. Audit all administrative activity and routinely review the audit logs. Require all Configuration Manager 2007 administrators to undergo a background check before hiring and periodic rechecks as a condition of employment. High-security jobs routinely involve enforced vacations because it can be easier to discover unauthorized administrative activity while the administrator is away.
Enforce role separation to limit administrative exposure
Not all administrators need full administrative access to Configuration Manager 2007. Use collection security to limit the administrative scope to as few administrators as possible. Use role separation, for example by allowing one person to create package objects and a different person to distribute them, so that no single person can use Configuration Manager 2007 to deploy malicious software. For more information about assigning rights to Configuration Manager 2007 objects, see Overview of Configuration Manager Object Security and WMI.
Consider designing your sites to limit administrative scope; for example, creating different sites or site hierarchies for clients and servers.
Important: The site hierarchy is the management boundary. After sites are joined together in a hierarchy, Configuration Manager 2007 design allows the parent site to send software packages, collections, and configurations to child sites, even if object permissions are not granted explicitly at the child site. Attack vectors exist that allow malicious administrators at child sites to control parent sites. To mitigate the risk, limit the number of sites in the hierarchy and carefully screen administrators of all sites in the hierarchy.
Design for defense in depth
Because Configuration Manager 2007 can interact with so many systems, it is important to think about the layers of security in your network and how those layers will interact with Configuration Manager 2007. Security around the perimeter is important, but relying solely on perimeter security like firewalls increases your risk if the firewall is compromised. Designing networks to isolate less-secure clients from more-secure clients provides another layer of defense. Adding personal firewalls to client computers adds an additional layer. Running intrusion detection software and host-based intrusion detection software helps filter out suspicious activity. Running antivirus software is essential, and Configuration Manager 2007 might also be used to deploy and maintain the antivirus software. Educating users about computer security is a critical component of a network security strategy.
Create and maintain secure baselines for all systems
A secure baseline is a detailed description of how to configure and administer a computer. It describes all relevant configuration settings for secure computing. Part of creating a secure baseline is using the most secure operating system possible. The more recent the operating system, the more likely it is to be designed with security in mind and the more likely it is to contain features to make it more secure. Keep the operating system and applications up-to-date by applying security updates as they become available. You can use the Configuration Manager 2007 software update feature to deploy software updates to Configuration Manager 2007 clients. Always use NTFS instead of FAT partitions so that you can set access controls. Audit for changes to your secure baseline. You can use the Configuration Manager 2007 desired configuration management feature to monitor for changes to the secure baseline.
Use strong passwords or pass phrases
Always use strong passwords with 15 or more characters for all Configuration Manager 2007 accounts and Configuration Manager 2007 administrator accounts. Never use blank passwords. For more information about password concepts, see the “Account Passwords and Policies” white paper on TechNet (http://go.microsoft.com/fwlink/?LinkId=30009). Configuration Manager 2007 automatically creates certain accounts and generates strong passwords for them.
Control access to exported files
Configuration Manager 2007 gives you the ability to export several objects to text files, for example, task sequences, collections, packages, site settings, and reports, and then import them later. Implement access control procedures to ensure that all exported files are stored securely so that attackers cannot modify the contents prior to import or search for information in the file content.
Secure package source files
Many Configuration Manager 2007 packages, for example, operating system deployment, software distribution, and software updates, require source files from a directory or shared folder, but Configuration Manager 2007 does not control the source location. Implement access control procedures to prevent attackers from tampering with the source files before they are processed into Configuration Manager 2007 packages.
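
One way to detect the tampering that the guidance on exported files and package source files is meant to prevent, as an added example (not Microsoft's or Configuration Manager's own code): record SHA-256 hashes of the folder at approval time and compare them again before import or packaging. The function names are hypothetical, and the example assumes the manifest is stored where writers to the source folder cannot change it.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_manifest(root, approved):
    """Report how the folder differs from the manifest recorded at approval."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in approved if p in current and current[p] != approved[p]),
        "missing": sorted(p for p in approved if p not in current),
        "added": sorted(p for p in current if p not in approved),
    }


def demo():
    """Constructed sample: a throwaway source folder changed after approval."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        for rel, data in (("setup.exe", b"installer v1"), ("tools/helper.cmd", b"echo ok")):
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        approved = build_manifest(root)  # recorded by the package creator
        for rel, data in (("setup.exe", b"installer v1 (altered)"), ("extra.dll", b"new file")):
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)  # changes made after approval
        return verify_manifest(root, approved)  # checked by the distributor


if __name__ == "__main__":
    print(demo())
```

Having the package creator record the manifest and the distributor verify it also fits the role separation described earlier, since neither person alone can change the content unnoticed.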