Configuring security involves finding the right balance between protecting system resources and not making administering the system with SMS difficult or impossible. For example, using the SMS Administrator console, you could restrict the use of Remote Tools to system administrators. However, help desk personnel who are not also system administrators would then not be able to access Remote Tools to do their jobs.
For a summary of considerations for maximizing security or minimizing administration, perform a search for the document "Security Decisions for Your SMS Site," in the SMS Administrator's Guide.
SMS must be installed on an NTFS partition. NTFS permissions secure the SMS file structure from unauthorized users. Security is configured by default to provide administrators with Full Control permission while restricting most non-administrators to Read permission, Change permission, or no access at all. Each of the various site system roles implements security as necessary for SMS component or user access. Except for CAP and logon point shares, permission to SMS shares are defaulted at Full Control for any user who accesses the share. Share rights should not be changed, since they can conflict with NTFS file and directory permissions. NTFS permissions and share rights provide user access as described below.
The SMS root directory is referred to in this guide as smsdir. Its default installation name is SMS. This directory is configured to allow local administrators Full Control permission. In addition, the SMS Server Network Connection account, SMSServer_sitecode, is granted Read permission. This allows remote site systems, such as a component server running a sender, to access the site server for configuration information. In the case of a component server running a sender, the sender accesses the send request file on the site server.
Site servers in the hierarchy communicate with one another through the site communication directory. The physical path to this directory is smsdir\INBOXES\DESPOOLR.BOX\RECEIVE and is shared as SMS_SITE. The RECEIVE directory is configured to allow the SMS Site Address account, the SMS Network Connection account, and the local Administrators group Full Control permission. The SMS Site Address account is a Windows NT/2000 domain user account used by the sending site server to communicate with the receiving site server. This account and the process of communication was discussed in Chapter 11. At minimum, the SMS Site Address account for a remote site needs the Change permission to read, create, modify, and delete files in the RECEIVE directory. The SMS Network Connection account is discussed later in this lesson.
Site servers and client computers communicate with CAP site systems to exchange data. The CAP_sitecode directory is located at the root of an NTFS partition on a Windows NT/2000 Server site system. The FAT file system cannot be used to store the CAP support files. This site system provides both Read and Write permissions to the CAP for client computers, because the client computer agents read installation and configuration information from the CAP and write discovery data, inventory data, and status messages back to various subdirectories below the CAP parent directory. On a Windows NT/2000 site system, administrators (specifically for the Site System Connection account) are granted Full Control permission, while users and the Guest account are granted Change permission (RWXD) for some directories below the CAP_sitecode directory and Read permission (RX) for others.
To see NTFS permissions configured for the CAP_sitecode directory structure, run the Windows NT Resource Kit utility, SHOWACL.EXE, using the following command:
showacls /s drive:\cap_sitecode >capsperm.txt
Replace sitecode with the SMS site code and replace drive with the drive letter containing the CAP. Open the CAPSPERM.TXT file in a text editor to view the NTFS permissions.
The CAP_sitecode share is also configured to grant the Change right to users and the Guest account and the Full Control right to the Administrators group. These share rights are not in conflict with NTFS permissions, since the NTFS permissions on the CAP_sitecode directory are identical.
When the CAP is installed on a NetWare site system, the CAP directory structure is configured to grant Read, Write, Create, Erase, Modify, and File Scan trustee assignments for those directories that NetWare client computers must access to write data to the site system. It is also configured to grant Read and File Scan trustee assignments to directories containing client computer configuration instructions from the site system. All CAPs require that the Site System Connection account be assigned Supervisor equivalence to the CAP directory structure so that data can move to and from the site server and CAP.
Site servers, client computers, and other computer resources communicate with logon point site systems to write discovery, status message, and inventory data and to read client configuration data. The logon point directory SMSLOGON is located at the root of an NTFS partition on a Windows NT/2000 Server site system. Local administrators are granted Full Control permission to the SMSLOGON directory, while everyone else has Read permission only. File system security is implemented to restrict everyone to Read permission for the directory tree, with Change permission granted to DDR.BOX. The share rights grant everyone the Change right to the share and grant administrators Full Control. These rights do not conflict with the NTFS permissions assigned to the administrators for SMSLOGON, but are less restrictive than the permissions assigned to everyone else. Therefore, the Read permission assigned to the Everyone special group takes precedence over the Change right configured for the share.
See the document "Using Windows NT File and Directory Security" in Chapter 4 of the SMS Administrator's Guide for details on NTFS permissions and share rights configured on the directories discussed above.
When the logon point is installed on a NetWare site system, the logon point directory structure is configured to grant Read, Write, Create, Erase, Modify, and File Scan trustee assignments for the directories that NetWare client computers must access to write data to the site system. It is configured to grant Read and File Scan trustee assignments to directories containing configuration instructions from the site system. All logon points require that the Site System Connection account be assigned Supervisor equivalence to the CAP directory structure so that data can move to and from the site server and logon point.
This hidden share stores compressed copies of software packages on the site server. The x in the share name is the drive partition containing the package store directory. The Administrators group is granted Full Control permission, while the SMS Server Network Connection account is granted Read permission to the store. The SMS Server Network Connection account reads the compressed packages in the package store to send packages to distribution point site systems.
This hidden share located on distribution point site systems contains subdirectories that store decompressed packages. The packages root directory is named SMSPKGx$, where x is the drive partition containing the packages directory. On a Windows NT/2000 site system, the Administrators group is granted Full Control permission, while users and the Guest account are granted Read permission (RX). The subdirectories below the packages root directory are assigned permissions based on access account rights configured in the SMS Administrator console for each package. Figure 12-1 shows how the access account rights assigned to a package translate into permissions assigned to the package directory.
Figure 12-1. How access account rights for the Office97 package translate into NTFS permissions on the package directory S0100002.
Trustee assignments on NetWare distribution points are similar to the permissions assigned to Windows NT/2000 distribution points.
This directory contains the Crystal Info application and reports designed by administrative users who have access to report creation in Crystal Info. The directory location for Crystal Info is smsdir\CINFO. The Administrators group is assigned Full Control permission to the directory structure, while the SMS Server Network Connection account is granted Read permission throughout the Crystal Info Report directory structure. The Crystal Info services (Info APS, Info Sentinel, and Info Agent) access the CINFO directory structure in order to operate.
To run Crystal Info and generate reports, a user account must be able to access the WBEM namespace used by the SMS Provider. Users who will create reports but who are not members of the SMS Admins group must use an account that is granted the 'Act as part of the operating system' advanced user right.
The SMS Supplemental Course CD-ROM contains the results of running SHOWACL against all the directories discussed above. Go to \CHAPT12\ARTICLES\ACLS to locate text files whose prefix is the name of the SMS directory where the SHOWACL.EXE program was run. SHOWACL was run against a site with a site code of S01 and a packages root directory located on the D: drive.