Microsoft System Center Configuration Manager 2007 must accept data from clients, which introduces the risk that the clients could attack the site, for example by sending malformed inventory, or attempting to overload the site systems. Deploy the Configuration Manager 2007 only to computers and devices that you trust.

The following section applies only to client computers. For information about mobile device clients, see Mobile Device Clients Security Best Practices and Privacy Information.

Best Practices for Mixed Mode

Automatically approve clients from trusted domains     Approval can be manual, automatic for computers in trusted domains, or automatic for all computers and is configured as a site property on the site mode tab for mixed mode sites. The most secure approval method is to automatically approve clients that are members of trusted domains. In this mode, clients that are not members of a trusted domain, including workgroup clients, must be manually approved. If you want to manually verify every client before it is allowed to receive policies containing sensitive data, set the approval mode to manual. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from accessing your network. If a client is not approved by an automatic method, it still displays in the Configuration Manager 2007 console and can be manually approved by locating it in a collection and using Approve from the Action menu.

Note
If a client that was previously approved is deleted from the Configuration Manager 2007 console, and then not approved when it reappears in the console, the client will still have any policies containing sensitive data.

Do not rely on blocking to prevent clients from accessing the site     Blocked clients are rejected by the Configuration Manager 2007 infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. However, do not rely on blocking to protect the site from untrusted computers or mobile devices if the site is in mixed mode, because a blocked client could re-join the site with a new self-signed certificate and hardware ID. This feature is designed to be used to block lost or compromised boot media when deploying clients with the operating system deployment feature, and with native mode clients. If the site is in native mode and your public key infrastructure supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager 2007 offers a second line of defense to protect your hierarchy. For more information, see Determine If You Need to Block Configuration Manager Clients.

Upgrade all clients to Configuration Manager 2007 and select "This site contains only ConfigMgr 2007 clients"    If the check box This site contains only ConfigMgr 2007 clients is selected, only clients that are approved can receive policies containing sensitive data. However if the check box is not selected, then policies containing sensitive data can be sent to any client.

Best Practices for Native Mode

Use native mode whenever possible    Native mode uses certificates issued by a PKI to provide authentication between site systems and clients. Native mode is designed to be the most secure mode for Configuration Manager 2007.

Configure all distribution points to use BITS     If you do not configure the setting Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS, then clients will communicate with those distribution points using server message blocks (SMB), even in native mode. SMB communication is not authenticated or encrypted by Configuration Manager 2007, even in native mode.

Do not enable "HTTP communication for roaming and site assignment"     Enabling this setting allows native mode clients to communicate with resident management points and distributions points using HTTP instead of HTTPS when they roam to mixed mode sites. However, this setting must be enabled if Active Directory Domain Services schema is not extended for Configuration Manager 2007, or the native-mode site manages clients on the intranet from untrusted domains or workgroups. For more information, see Decide If You Need to Configure HTTP Communication for Roaming and Site Assignment (Native Mode).

Follow the recommended best practices for certificate management    For more information, see Best Practices for Certificate Management.

Best Practices for All Client Computers

Choose a client installation method that fits your risk profile    There are several ways to install the Configuration Manager 2007 client software on your managed computers. The following table discusses the security pros, cons, and considerations for each method.

Method Pros Cons Considerations

Manual Installation

Can be very secure if access controls and change controls are implemented.

Very resource and process intensive; does not scale well.

Requires a user with administrative rights at each computer.

The administrator must create security controls for the entire process.

Imaging

Can be very secure if access controls and change controls are implemented.

Only practical for deploying a new client base, not deploying to existing computers.

The operating system deployment feature of Configuration Manager 2007 can be used to install the Configuration Manager 2007 client software as the new operating system is deployed.

Group Policy

Scales easily to large numbers of client computers.

Uses security controls already present in Active Directory Domain Services.

Automatically runs with administrative rights.

Requires coordination with Active Directory Domain Services Administrator.

Organizational Units might not match how clients should be deployed throughout the site.

Does not work for workgroup clients.

Group policy interactions can be complex to evaluate. Monitor to be sure computers receive the client software and correct client settings.

Client Push Installation

Scales easily to large numbers of client computers.

Requires an account with administrative rights on each client.

Requires File and Printer sharing.

Requires the file and print sharing ports and the Remote Administration service be open in the client personal firewall. For more information, see Windows Firewall Settings for Configuration Manager Clients.

Do not use a Domain Admin account as the Client Push Installation account. Consider using multiple Client Push Installation accounts with smaller scopes of administration, so if attackers compromise one account they do not gain administrative control of all Configuration Manager 2007 client computers. For more information, see About the Client Push Installation Account.

Software Update Point Client Installation

Integrates with the software update feature.

Low risk of file tampering because all software updates are signed.

Automatically runs with administrative rights.

Requires WSUS infrastructure.

You cannot use a different WSUS server for client installation and software updates.

If the client is not already installed, you must configure an Active Directory Group Policy object using the correct server name format and port number.

An incorrectly configured Active Directory Group Policy object could prevent the client from obtaining software updates from the software update point. For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.

Software distribution

Easy way to upgrade existing clients without requiring a local administrator account

Scales easily to large numbers of client computers.

Can be configured to run with administrative rights.

Works only for existing client computers that need to be upgraded.

As with all software distribution, you must secure the source files that Configuration Manager 2007 uses to create the package.

Remove certificates prior to imaging clients    If you plan to deploy clients using imaging technology, always remove certificates such as native mode client authentication certificates or mixed mode self-signed certificates prior to capturing the image. Failure to do so could allow clients to impersonate each other and could make it impossible to verify the data for each client. For more information about using Sysprep to prepare a computer for imaging, see http://go.microsoft.com/fwlink/?LinkId=93068.

Ensure that the Configuration Manager clients get an authorized copy of the trusted root key upon installation    If you have not extended the Active Directory schema, clients rely on the trusted root key to authenticate valid management points. Without the trusted root key, the client has no way to verify that the management point is a trusted management point for the site, allowing a skilled attacker to direct the client to a rogue management point.

Configure client computers to use Active Directory Only mode    The most secure option for client configuration is SMSDIRECTORYLOOKUP=NoWINS, however it can be used only if your clients can query the global catalog so it should not be used for clients in remote forests or workgroups, or if Active Directory schema has not been extended. If clients must use WINS for service location and SMSDIRECTORYLOOKUP=NoWINS, then service location will fail. For more information, see Configuration Manager and Service Location (Site Information and Management Points). If no properties are specified, the client installs in Secure WINS mode. The Any WINS mode is not secure and is not recommended. For more information, see About Configuration Manager Client Installation Properties.

Ensure maintenance windows are large enough to deploy critical software updates    Configuration Manager 2007 gives you the ability to configure maintenance windows on the collections that clients are members of to restrict the times which Configuration Manager 2007 can use to install software. If you set too small of a window, the client might not be able to install critical software updates, leaving the client vulnerable to the attack mitigated by the software update.

Security Issues

The following security issues have no mitigation.

Status messages are not authenticated    No authentication is performed on status messages. In mixed mode, any computer can send status messages to the management point. In native mode, a computer would have to obtain a valid client authentication certificate from a trusted root CA, but could also then send any status message. If a client sends an invalid status message it will be discarded. There are a few potential attacks against this vulnerability. An attacker could send a bogus status message to gain membership in a collection based on status message queries. Any client could launch a denial of service against the management point by flooding it with status messages. If status messages are triggering actions in status message filter rules, an attacker could trigger the status message filter rule. An attacker could also send status message that would render reporting information inaccurate.

Policies can be retargeted to non-targeted clients    There are several methods attackers could use to make a policy targeted to one client apply to an entirely different client. For example, an attacker at a trusted client could send false inventory or discovery information to have the computer added to a collection it should not belong to, and then receive all of the advertisements to that collection. While controls exist to help prevent attackers from modifying policy directly, attackers could take an existing policy to reformat and redeploy an operating system and send it to a different computer, creating a denial of service. These types of attacks would require precise timing and extensive knowledge of Configuration Manager 2007 infrastructure.

Client logs allow user access    All of the client log files allow users Read access and Interactive Users Write access. If you enable verbose logging, attackers might read the log files to look for information about compliance or system vulnerabilities. Processes such as software distribution that are performed in a user's context must be able to write to logs with a low-rights user account. This means an attacker could also write to the logs with a low rights account. The most serious risk is that an attacker could remove information in the log files that an administrator might need for auditing and intruder detection.

Privacy Information

When you deploy the Configuration Manager 2007 client, you enable client agents so you can use Configuration Manager 2007 features. The settings you use to configure the features apply to all clients in the site, regardless whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by the site. Client information is stored in the database and is not sent back to Microsoft. Before configuring the Configuration Manager 2007 client, consider your privacy requirements.

See Also