□

Always use an account with least permissions when running the Configuration Manager console   

□

Do not allow users who are not administrators to use the Configuration Manager console on the site server

□

Limit Web browsing from the Configuration Manager console  

□

Do not allow low rights Terminal Service users to establish connections with site system roles 

□

Protect the XML output from the Transfer Site Settings wizard

□

Do not allow users who are not administrators to access the site server via Remote Desktop or Terminal Services 

□

Always configure advertisements to download content 

□

Do not allow users to interact with programs if run with administrative rights is required

□

Do not create subcollections if you need to restrict software distribution on them 

□

Set package access permissions at package creation

□

Secure software at the package access level

□

After upgrading, if you had packages in SMS 2003, update all packages

□

Do not change the default permissions on software update packages

□

Control access to the download location for software updates 

□

Use UTC for evaluating deployment times

□

Follow best practices for securing WSUS

□

Enable CRL checking

□

If the software update point is configured in a perimeter network, configure the site server to retrieve the data from the site system

□

If you must deploy software updates to SMS 2003 clients, run the Inventory Tool for Microsoft Updates on a primary site server that is highest in the hierarchy

□

Configure WSUS to use a custom web site

□

Enable BITS 2.5 for the site and the distribution points

□

Implement access controls to protect bootable media 

□

If the client certificate is compromised, block the certificate 

□

Secure the communication channel between the site server and the PXE service point

□

Use PXE service points only on secure network segments

□

Configure the PXE service point to respond to PXE requests only on specified network interfaces

□

Require a password to PXE boot 

□

Manually delete state migration point folders when they are decommissioned  

□

Do not configure the deletion policy to delete user state immediately 

□

Control physical access to computers using USB flash drives for task sequences 

□

Implement access controls to protect the reference computer imaging process 

□

Always install the most recent security updates on the reference computer

□

Monitor for unauthorized multicast-enabled distribution points

□

If you must deploy operating systems to unknown computer, implement access controls to prevent unauthorized computers from connecting to the network

□

Always configure task sequence advertisements to download content

□

Enable encryption for multicast packages

□

Protect the registration certificate

□

Restrict queries and reports to authorized viewers

□

Use the reporting users group to control access to the reporting point 

□

Manage security for users who connect directly to the SQL Server computer    

□

Enable HTTPS access for reporting points

□

Sign configuration data to verify the integrity of your configuration items 

□

Use native mode whenever possible 

□

Require mobile device clients to use passwords

□

Do not rely on NAP to secure a network from malicious users 

□

Use consistent NAP policies throughout the site hierarchy to minimize confusion

□

Do not enable the Network Access Protection client agent immediately on new Configuration Manager sites 

□

Do not rely on NAP as an instantaneous or real-time enforcement mechanism

□

Enable inventory encryption    

□

Disable IDMIF and NOIDMIF collection

□

Do not use file collection to collect critical files or sensitive information    

□

Do not use file collection to collect critical files or sensitive information    

□

Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both 

□

Do not consider the “Ask for permission” setting to be adequate security for remote tools for Windows 2000 clients

□

Enable "Ask for permission" setting

□

Enable notification 

□

Prevent users from changing policy or notification settings  

□

Limit the Permitted Viewers list 

□

Specify required global groups

□

Specify the domain context for user accounts  

□

Do not rely on collection security to control remote tools access 

□

Do not enter passwords for privileged accounts when remotely administering Windows 2000 computers 

□

Use unicast for sending wake-up packets

□

If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from the site server and only on a non-default port number

□

Request customized firmware before purchasing AMT-based computers

□

Use in-band provisioning instead of out of band provisioning    

□

Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site

□

Control the request and installation of the provisioning certificate

□

Ensure that you request a new provisioning certificate before the existing certificate expires

□

If the AMT provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server and reconfigure the out of band management component with a valid AMT provisioning certificate    

□

If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console

□

Use a dedicated certificate template for provisioning AMT-based computers

□

Use out of band management instead of Wake On LAN    

□

Disable AMT in the firmware if the computer is not supported for out of band management

□

Use a dedicated OU to publish AMT-based computers

□

Use Group Policy to restrict user rights for the AMT Accounts

□

Use a dedicated collection for in-band provisioning

□

Configure an alternate port for server provisioning    

□

For Configuration Manager 2007 SP2 only: Ensure only authorized administrators perform auditing actions and manage the audit logs as required