Automatically approve clients from trusted domains     Approval can be manual, automatic for computers in trusted domains, or automatic for all computers and is configured as a site property on the site mode tab for mixed mode sites. The most secure approval method is to automatically approve clients that are members of trusted domains. In this mode, clients that are not members of a trusted domain, including workgroup clients, must be manually approved. If you want to manually verify every client before it is allowed to receive policies containing sensitive data, set the approval mode to manual. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from accessing your network. If a client is not approved by an automatic method, it still displays in the Configuration Manager 2007 console and can be manually approved by locating it in a collection and using Approve from the Action menu.

Note
If a client that was previously approved is deleted from the Configuration Manager 2007 console, and then not approved when it reappears in the console, the client will still have any policies containing sensitive data.

Do not rely on blocking to prevent clients from accessing the site     Blocked clients are rejected by the Configuration Manager 2007 infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. However, do not rely on blocking to protect the site from untrusted computers or mobile devices if the site is in mixed mode, because a blocked client could re-join the site with a new self-signed certificate and hardware ID. This feature is designed to be used to block lost or compromised boot media when deploying clients with the operating system deployment feature, and with native mode clients. If the site is in native mode and your public key infrastructure supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager 2007 offers a second line of defense to protect your hierarchy. For more information, see Determine If You Need to Block Configuration Manager Clients.

Upgrade all clients to Configuration Manager 2007 and select "This site contains only ConfigMgr 2007 clients"    If the check box This site contains only ConfigMgr 2007 clients is selected, only clients that are approved can receive policies containing sensitive data. However if the check box is not selected, then policies containing sensitive data can be sent to any client.

Use native mode whenever possible    Native mode uses certificates issued by a PKI to provide authentication between site systems and clients. Native mode is designed to be the most secure mode for Configuration Manager 2007.

Configure all distribution points to use BITS     If you do not configure the setting Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS, then clients will communicate with those distribution points using server message blocks (SMB), even in native mode. SMB communication is not authenticated or encrypted by Configuration Manager 2007, even in native mode.

Do not enable "HTTP communication for roaming and site assignment"     Enabling this setting allows native mode clients to communicate with resident management points and distributions points using HTTP instead of HTTPS when they roam to mixed mode sites. However, this setting must be enabled if Active Directory Domain Services schema is not extended for Configuration Manager 2007, or the native-mode site manages clients on the intranet from untrusted domains or workgroups. For more information, see Decide If You Need to Configure HTTP Communication for Roaming and Site Assignment (Native Mode).

Follow the recommended best practices for certificate management    For more information, see Best Practices for Certificate Management.

Choose a client installation method that fits your risk profile    There are several ways to install the Configuration Manager 2007 client software on your managed computers. The following table discusses the security pros, cons, and considerations for each method.

Remove certificates prior to imaging clients    If you plan to deploy clients using imaging technology, always remove certificates such as native mode client authentication certificates or mixed mode self-signed certificates prior to capturing the image. Failure to do so could allow clients to impersonate each other and could make it impossible to verify the data for each client. For more information about using Sysprep to prepare a computer for imaging, see http://go.microsoft.com/fwlink/?LinkId=93068.

Ensure that the Configuration Manager clients get an authorized copy of the trusted root key upon installation    If you have not extended the Active Directory schema, clients rely on the trusted root key to authenticate valid management points. Without the trusted root key, the client has no way to verify that the management point is a trusted management point for the site, allowing a skilled attacker to direct the client to a rogue management point.

Configure client computers to use Active Directory Only mode    The most secure option for client configuration is SMSDIRECTORYLOOKUP=NoWINS, however it can be used only if your clients can query the global catalog so it should not be used for clients in remote forests or workgroups, or if Active Directory schema has not been extended. If clients must use WINS for service location and SMSDIRECTORYLOOKUP=NoWINS, then service location will fail. For more information, see Configuration Manager and Service Location (Site Information and Management Points). If no properties are specified, the client installs in Secure WINS mode. The Any WINS mode is not secure and is not recommended. For more information, see About Configuration Manager Client Installation Properties.

Ensure maintenance windows are large enough to deploy critical software updates    Configuration Manager 2007 gives you the ability to configure maintenance windows on the collections that clients are members of to restrict the times which Configuration Manager 2007 can use to install software. If you set too small of a window, the client might not be able to install critical software updates, leaving the client vulnerable to the attack mitigated by the software update.

The following security issues have no mitigation.

Status messages are not authenticated    No authentication is performed on status messages. In mixed mode, any computer can send status messages to the management point. In native mode, a computer would have to obtain a valid client authentication certificate from a trusted root CA, but could also then send any status message. If a client sends an invalid status message it will be discarded. There are a few potential attacks against this vulnerability. An attacker could send a bogus status message to gain membership in a collection based on status message queries. Any client could launch a denial of service against the management point by flooding it with status messages. If status messages are triggering actions in status message filter rules, an attacker could trigger the status message filter rule. An attacker could also send status message that would render reporting information inaccurate.

Policies can be retargeted to non-targeted clients    There are several methods attackers could use to make a policy targeted to one client apply to an entirely different client. For example, an attacker at a trusted client could send false inventory or discovery information to have the computer added to a collection it should not belong to, and then receive all of the advertisements to that collection. While controls exist to help prevent attackers from modifying policy directly, attackers could take an existing policy to reformat and redeploy an operating system and send it to a different computer, creating a denial of service. These types of attacks would require precise timing and extensive knowledge of Configuration Manager 2007 infrastructure.

Client logs allow user access    All of the client log files allow users Read access and Interactive Users Write access. If you enable verbose logging, attackers might read the log files to look for information about compliance or system vulnerabilities. Processes such as software distribution that are performed in a user's context must be able to write to logs with a low-rights user account. This means an attacker could also write to the logs with a low rights account. The most serious risk is that an attacker could remove information in the log files that an administrator might need for auditing and intruder detection.

When you deploy the Configuration Manager 2007 client, you enable client agents so you can use Configuration Manager 2007 features. The settings you use to configure the features apply to all clients in the site, regardless whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by the site. Client information is stored in the database and is not sent back to Microsoft. Before configuring the Configuration Manager 2007 client, consider your privacy requirements.

Other Resources