1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

4. Click the new button to open the New Viewer dialog box, and then specify an existing Microsoft Windows user account or group name.

5. Click OK to close the dialog box, and then click OK to close the Remote Tools Client Agent Properties dialog box.

1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

4. In Permitted Viewers, click the viewer name and then click the delete button.

5. Click OK.

Important

Bypassing the Use remote tools right for the collection is easy for knowledgeable or determined attackers. They could set up a Configuration Manager 2007 site that is not part of your hierarchy and create resource records for clients they want to control, and then grant themselves Use remote tools permission on those resources. Alternately, they could use the Remote.exe /SMS:nosql switch to create a remote tools session without verifying the permissions in the site database. You should think of collection security for Remote Tools as an organizational convenience, not a security tool.

Members of global groups that are members of local groups listed in the Permitted Viewers list are not enumerated, and thus members of global groups are not granted access permissions when they are nested in local groups. To avoid confusion, explicitly specify all global groups on the Permitted Viewers list.

The Permitted Viewers list is intentionally ambiguous because a user is authenticated against the list at the client, and the site server might not have access to the same domains as the client. Consequently, you can enter an account name in the Permitted Viewers list without specifying a domain for the account. However, the list must be clear at the client. Therefore, it is recommended that you enter an account name in the Permitted Viewers list by using the domain\account format to remove any ambiguity that might occur at the client.

Concepts

Other Resources