Microsoft System Center Configuration Manager 2007 introduces some significant security changes from Systems Management Server (SMS) 2003.

Configuration Manager 2007 Has One Security Mode

In SMS 2003, you had the option of standard security or advanced security, and advanced security was recommended. In Configuration Manager 2007, you have only one security mode and that mode is equivalent to SMS 2003 advanced security mode. In SMS 2003, some sites could not comply with the advanced security requirement that all site systems had to belong to an Active Directory domain, but this is now a requirement to run Configuration Manager 2007.

If you are installing a new site, you will not be prompted to choose a security mode. If you are upgrading from SMS 2003, you must convert your site to advanced security prior to running Setup. After converting, you should delete any accounts that will not be required. For more information, see Accounts to Delete after Upgrading from SMS 2003. You should also verify that you have the proper accounts in place for Configuration Manager 2007 to function. For more information, see Checklist for Configuration Manager Account Security.

Configuration Manager 2007 Has Two Site Modes

Configuration Manager 2007 gives you a choice between Configuration Manager 2007 native mode and Configuration Manager 2007 mixed mode. Native mode requires an existing public key infrastructure (PKI) implementation but provides mutual authentication between Configuration Manager 2007 clients and servers. It is the most secure choice. Mixed mode is provided for backward compatibility with hierarchies that must support SMS 2003 sites and for organizations without the resources to deploy a PKI. If you deploy in mixed mode, you have the option to manually approve all clients before they can join the site or you can allow all domain-joined clients to be automatically approved. It is possible to allow all clients to be automatically approved, whether or not they belong to a trusted domain, but that increases your security risk by allowing unknown clients to join your site.

Configuration Manager 2007 Supports Only One Client Type

In SMS 2003, you had a choice between the Legacy Client and the Advanced Client. Starting with SMS 2003 SP1, you could install the Legacy Client only on Windows 98 or Windows NT 4.0 clients. In Configuration Manager 2007, there is just one client called simply the Configuration Manager 2007 client, and it is similar to the SMS 2003 Advanced Client. Before upgrading to System Center Configuration Manager 2007, you must remove all Legacy Clients in the site hierarchy.

Configuration Manager 2007 Supports Only SQL Server Windows Authentication

In SMS 2003, you configure SMS to access the site database server using either SQL Server Authentication, previously known as standard security, or Windows Authentication, previously called integrated security. If you used SQL Server Authentication, you had to provide a SQL login for SMS to use when accessing the site database. Configuration Manager 2007 supports only Windows Authentication, meaning Configuration Manager 2007 uses the site server computer account to access the site database. Several database roles have been added to better control Configuration Manager 2007 access to the SQL Server.

Inter-Site Communication Security

In SMS 2003, you had the option of whether or not a site could accept unsigned data from another site. In Configuration Manager 2007, all data must be signed between sites and there is no option to disable the signing requirement.

Also, in SMS 2003, secure key exchange was not enabled by default between sites. In Configuration Manager 2007, the requirement for secure key exchange between sites is enabled by default for fresh installations.

Client Push Installation Can Use Computer$ Account

Even if your SMS 2003 site used advanced security, you had to configure a user account to perform Client Push Installation. In Configuration Manager 2007, if you do not have a user account configured, Configuration Manager 2007 will try the site server computer$ account. If no client push installation accounts are defined and if the computer$ account does not have administrative rights to the client computer, Client Push Installation will fail.

Important
Adding the site server computer$ account to the Domain Admins global group is not recommended because it breaches the principal of least privilege. A better alternative is to add the site server computer$ account to a different global group and then use Group Policy to add the global group to the local Administrators group as a restricted group. For more information, see Microsoft KB article 320065, "How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations."

Security Configuration Wizard Helps Secure Site Roles

With the release of Windows Server 2003 SP1, the Security Configuration Wizard (SCW) provides server hardening based on the roles performed by the server. Configuration Manager 2007 templates can be added to SCW to provide the recommended security configuration for Configuration Manager 2007 site system roles. Running the SCW replaces the previous security recommendations to run IIS Lockdown and URLScan on Configuration Manager 2007 roles that require IIS. Because the SCW provides an automated way to help secure servers, the manual hardening checklists for IIS and SQL provided in "Scenarios and Procedures for SMS 2003: Security" are no longer provided.

Before you can run the SCW on your site server and site systems, you must install the Configuration Manager 2007 SCW template, which is scheduled to be included in the Configuration Manager 2007 Toolkit (http://go.microsoft.com/fwlink/?LinkId=93071).

Upgraded Administrators Do Not Have Access to All Objects

After upgrading, the user who ran the upgrade has access to all of the objects in the Configuration Manager 2007 console but existing administrators have access only to objects that existed prior to upgrade. This is true even for software updates objects. Users who had full rights to all SMS 2003 software updates objects will have full rights to the same objects in Configuration Manager 2007 but will not have any rights to new object types, such as templates.

Account Changes

Because standard security and the Legacy Client are not used in Configuration Manager 2007, any accounts related to those configurations are no longer needed. Configuration Manager 2007 does not create any user accounts during Setup or client installation. Several new accounts, described in the following table, are introduced in Configuration Manager 2007.

Account Name Used for

Site System Installation account

Installing and configuring site systems

Health State Reference Publishing account

Network Access Protection publishing to Active Directory Domain Services

Health State Reference Querying account

Network Access Protection querying from Active Directory Domain Services

Capture Operating System Image account

Capturing images for operating system deployments

Software update point proxy server account

Synchronizing the software update catalog, if your proxy server requires authentication

Task Sequence Editor Domain Joining account

Task sequences in operating system deployment that require a security context to join a domain

Proxy Account for Internet-based clients

Internet-based clients that need to authenticate to a proxy server when accessing the Internet

The SMS_SiteSystemToSQLConnection group is no longer needed because database access is controlled by SQL Server roles that are automatically created during Configuration Manager 2007 Setup. For more information, see About the Database Roles for Configuration Manager.

A new group, the ConfigMgr Remote Control Users group, has been added to contain the members of the Permitted Viewers list.

See Also