Topic last updated -- November 2007
Security for Microsoft System Center Configuration Manager 2007 consists of several layers. To begin with, Windows provides security features for both the operating system and the network. For example, Windows provides the following:
- File sharing to transfer files between
Configuration Manager 2007 components
- Access Control Lists to secure files and
- IPsec for securing communications
- Group Policy for setting security policy
- DCOM permissions for distributed
- Active Directory Domain Services to
store security principals
- Windows account security, including some
groups that are created during Configuration Manager 2007
Additional security components, such as firewalls and intrusion detection, help provide in-depth defense for the entire environment. Certificates issued by industry standard PKI implementations help provide authentication of Configuration Manager 2007 components.
Configuration Manager 2007 controls access to the Configuration Manager 2007 console in several ways. By default, only administrators have rights to the files and registry keys needed to run the Configuration Manager 2007 console on computers where it is installed. Non-administrators on the computer must first run MMC and then add Configuration Manager 2007 as a snap-in to have rights to run the Configuration Manager 2007 console.
The next layer of security is access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group initially contains only the user who installed Configuration Manager 2007. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.
The final layer of security is permissions to objects in the site database granted by the WMI provider. By default, the Local System account and the user account that you used to install Configuration Manager 2007 have access to administer all objects in the site database. You can grant permissions to additional users in the Configuration Manager 2007 console.
|You must set Configuration Manager 2007 object permissions at each site individually. Rights never flow down a site hierarchy.|