Discovery in Microsoft System Center Configuration Manager 2007 is a fairly low-risk activity. It might be possible for an attacker to engineer a denial-of-service attack by creating a large number of data discovery records (DDRs), but this is just one of many ways attackers can try to overwhelm site systems. There are no additional security recommendations for discovery, but you should be aware of the type of data collected by discovery and any potential privacy implications of that data collection.

Privacy Information

Discovery creates records for network resources and stores them in the database. Data discovery records contain computer information such as IP address, operating system, and computer name. Active Directory discovery methods can also be configured to discover any information that is stored in Active Directory.

The only discovery method that is enabled by default is Heartbeat Discovery, but that method only discovers computers that are already Configuration Manager 2007 clients. Before configuring additional discovery methods or extending Active Directory discovery, consider your privacy requirements.

Discovery information is not sent back to Microsoft. Discovery information is stored in the site database. Information is retained in the database until it is deleted by the site maintenance task Delete Aged Discovery Data every 90 days. You can configure the deletion interval.
