Local administrator rights are not required for a user to be able to use Microsoft System Center Configuration Manager 2007 Remote Tools. If a Remote Tools user is on the Permitted Viewers list and has the Use remote tools right for the collection, the user can use Remote Tools on the client.

To specify a new remote tools permitted viewer account

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

  2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

  3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

  4. Click the new button to open the New Viewer dialog box, and then specify an existing Microsoft Windows user account or group name.

  5. Click OK to close the dialog box, and then click OK to close the Remote Tools Client Agent Properties dialog box.

To remove a remote tools permitted viewer account

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

  2. In the results pane, right-click Remote Tools Client Agent and then click Properties.

  3. In the Remote Tools Client Agent Properties dialog box, click the Security tab.

  4. In Permitted Viewers, click the viewer name and then click the delete button.

  5. Click OK.

Security

Important
Bypassing the Use remote tools right for the collection is easy for knowledgeable or determined attackers. They could set up a Configuration Manager 2007 site that is not part of your hierarchy and create resource records for clients they want to control, and then grant themselves Use remote tools permission on those resources. Alternatively, they could use the Remote.exe /SMS:nosql switch to create a remote tools session without verifying the permissions in the site database. You should think of collection security for Remote Tools as an organizational convenience, not a security tool.

Members of global groups that are members of local groups listed in the Permitted Viewers list are not enumerated, and thus members of global groups are not granted access permissions when they are nested in local groups. To avoid confusion, explicitly specify all global groups on the Permitted Viewers list.

The Permitted Viewers list is intentionally ambiguous because a user is authenticated against the list at the client, and the site server might not have access to the same domains as the client. Consequently, you can enter an account name in the Permitted Viewers list without specifying a domain for the account. However, the list must be clear at the client. Therefore, it is recommended that you enter an account name in the Permitted Viewers list by using the domain\account format to remove any ambiguity that might occur at the client.
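
The following PowerShell function is an added example, not part of the original documentation or of Configuration Manager. It audits a Permitted Viewers list for the two pitfalls described above: entries not in domain\account form, and local groups that contain nested groups not listed explicitly. The function name, the -GetMembers hook, and the CONTOSO sample data are assumptions made for illustration; the list itself is supplied by the caller.

```powershell
# Added example, not Microsoft's code: flags the two Permitted Viewers pitfalls above.
function Test-PermittedViewers {
    param(
        [Parameter(Mandatory)] [string[]] $Viewers,
        # Hypothetical hook returning a local group's members; defaults to the
        # built-in Get-LocalGroupMember cmdlet (Windows PowerShell 5.1 and later).
        [scriptblock] $GetMembers = { param($g) Get-LocalGroupMember -Group $g -ErrorAction Stop }
    )
    $listed = $Viewers | ForEach-Object { $_.Trim().ToLowerInvariant() }
    foreach ($entry in $Viewers) {
        $name = $entry.Trim()
        # Pitfall 1: no domain part, so the name may be ambiguous at the client.
        if ($name -notmatch '^[^\\]+\\[^\\]+$') {
            [pscustomobject]@{ Entry = $name; Issue = 'Unqualified'
                Detail = 'Not in domain\account form' }
        }
        # Only unqualified, COMPUTERNAME\ or BUILTIN\ entries can be local groups.
        $prefix, $leaf = $name -split '\\', 2
        if (-not $leaf) { $leaf = $prefix; $prefix = $env:COMPUTERNAME }
        if ($prefix -ne $env:COMPUTERNAME -and $prefix -ne 'BUILTIN') { continue }
        try { $members = & $GetMembers $leaf } catch { continue }  # not a local group
        # Pitfall 2: groups nested in a listed local group are not enumerated.
        foreach ($m in $members | Where-Object { $_.ObjectClass -eq 'Group' }) {
            if ($listed -notcontains $m.Name.ToLowerInvariant()) {
                [pscustomobject]@{ Entry = $name; Issue = 'NestedGroup'
                    Detail = "$($m.Name) is nested and not listed explicitly" }
            }
        }
    }
}

# Constructed sample: the account names and group layout are made up.
$sample = 'CONTOSO\HelpdeskAdmins', 'Remote Viewers', 'jsmith'
$fakeMembers = { param($g)
    if ($g -ne 'Remote Viewers') { throw "not a local group: $g" }
    [pscustomobject]@{ Name = 'CONTOSO\Tier2 Support'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'CONTOSO\akhan'; ObjectClass = 'User' }
}
Test-PermittedViewers -Viewers $sample -GetMembers $fakeMembers | Format-Table -AutoSize
```

To check a real list, pass it to -Viewers and omit -GetMembers so that the local machine's groups are queried.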
