The permitted viewers are not really accounts that are configured with names and passwords, but a list of users who are allowed to use Microsoft System Center Configuration Manager 2007 Remote Tools functionality on clients. For example, you can specify the users who staff the help desk.
Required rights and permissions
The accounts on the Permitted Viewers list should also have the Use remote tools right for the collections they will control.
When you add users to the Permitted Viewers list, they are automatically added to the ConfigMgr Remote Control Users group, which grants them the rights necessary to use remote control on computers running Windows XP, Windows Server 2003, and Windows Vista. The permitted viewers do not require additional rights on Windows 2000 clients. The permitted viewers do not require administrative access to any computers they will control.
Account and password creation
Usually the accounts already exist and are added to the list if they require remote control functionality on the client computers.
The accounts can be created anywhere.
No maintenance is required. Configuration Manager 2007 does not store the password information for this account.
Security best practices
Bypassing the Use remote tools right for the collection is easy for knowledgeable or determined attackers. They could set up a Configuration Manager 2007 site that is not part of your hierarchy, create resource records for the clients they want to control, and then grant themselves the Use remote tools right on those resources. Alternatively, they could use the Remote.exe command to create a remote tools session, because Remote.exe does not check the database for permitted viewers unless this is specified on the command line.
You should think of collection security for Remote Tools as an organizational convenience, not a security tool.
Members of global groups that are members of local groups listed in the Permitted Viewers list are not enumerated, and thus members of global groups are not granted access permissions when they are nested in local groups. To avoid confusion, explicitly specify all global groups on the Permitted Viewers list.
The Permitted Viewers list intentionally tolerates ambiguous entries because a user is authenticated against the list at the client, and the site server might not have access to the same domains as the client. Consequently, you can enter an account name in the Permitted Viewers list without specifying a domain for the account. However, the list must resolve unambiguously at the client. Therefore, it is recommended that you enter each account name in the Permitted Viewers list by using the domain\account format to remove any ambiguity that might occur at the client.
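The two rules above (global groups nested in local groups are not enumerated, and entries without a domain qualifier are ambiguous at the client) can be modeled in a small audit script so you can see who effectively gains remote control rights before you save the list. The following is an added example, not code from Configuration Manager or from Microsoft; the Permitted Viewers entries, the CONTOSO domain, and the group memberships in DIRECTORY are constructed sample data, and a real audit would read them from your own list and directory instead.

```python
import re
from dataclasses import dataclass

# Constructed sample Permitted Viewers list (not from the page).
SAMPLE_PERMITTED_VIEWERS = [
    r"CONTOSO\HelpDeskUsers",       # global group, fully qualified
    r"HelpDeskLead",                # ambiguous: no domain qualifier
    r"CONTOSO\ClientLocalAdmins",   # local group that nests a global group
]


@dataclass
class Group:
    """A directory group: its members are users or other groups."""
    name: str
    members: list
    is_local: bool = False   # True for a local group, False for a global group


# Constructed directory model (hypothetical names); anything not listed
# here is treated as a plain user account.
DIRECTORY = {
    r"CONTOSO\HelpDeskUsers": Group(
        r"CONTOSO\HelpDeskUsers", [r"CONTOSO\alice", r"CONTOSO\bob"]),
    r"CONTOSO\ClientLocalAdmins": Group(
        r"CONTOSO\ClientLocalAdmins", [r"CONTOSO\RemoteOps", r"CONTOSO\carol"],
        is_local=True),
    r"CONTOSO\RemoteOps": Group(
        r"CONTOSO\RemoteOps", [r"CONTOSO\dave"]),
}

# domain\account: no whitespace, exactly one backslash separating the parts
DOMAIN_ACCOUNT = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def is_unambiguous(entry: str) -> bool:
    """True when the entry uses the recommended domain\\account format."""
    return bool(DOMAIN_ACCOUNT.match(entry))


def _expand(entry, directory, warnings, seen):
    """Return the users reachable from entry, applying the nesting rule."""
    if entry in seen:
        return set()
    seen.add(entry)
    group = directory.get(entry)
    if group is None:
        return {entry}          # not a known group: a plain user account
    users = set()
    for member in group.members:
        member_group = directory.get(member)
        # A global group nested inside a local group is not enumerated,
        # so its members do not receive access through this entry.
        if member_group is not None and group.is_local and not member_group.is_local:
            warnings.append(
                f"global group {member} nested in local group {group.name} "
                f"is not enumerated; add it to the Permitted Viewers list explicitly")
            continue
        users |= _expand(member, directory, warnings, seen)
    return users


def effective_viewers(entries, directory):
    """Return (set of users effectively granted, list of warnings)."""
    granted, warnings = set(), []
    for entry in entries:
        if not is_unambiguous(entry):
            warnings.append(
                f"{entry}: no domain qualifier; resolution depends on the client")
        granted |= _expand(entry, directory, warnings, set())
    return granted, warnings


if __name__ == "__main__":
    users, notes = effective_viewers(SAMPLE_PERMITTED_VIEWERS, DIRECTORY)
    print("Effectively granted:", sorted(users))
    for note in notes:
        print("WARNING:", note)
```

In the sample data, CONTOSO\dave is never granted access even though RemoteOps is a member of ClientLocalAdmins, and HelpDeskLead is flagged because the client decides which domain it resolves against. Both findings are exactly what the text above tells you to avoid by listing global groups explicitly and using the domain\account format.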