280 likes | 847 Views
SMS 2.0 Security Model Wally Mead Program Manager SMS Product Group Microsoft Corporation SMS 2.0 Security Model Agenda Overview of Microsoft Systems Management Server 2.0 security concepts Levels of SMS 2.0 security Configuring SMS 2.0 security SMS 2.0 security features Security Overview
E N D
SMS 2.0 Security ModelWally MeadProgram ManagerSMS Product GroupMicrosoft Corporation
SMS 2.0 Security ModelAgenda • Overview of Microsoft Systems Management Server 2.0 security concepts • Levels of SMS 2.0 security • Configuring SMS 2.0 security • SMS 2.0 security features
Security Overview • Desktop management systems are complex and powerful thus require good security • Touch most of network infrastructure • Must balance administration overhead with the need for stronger security • Minimum security – easy administration • SMS defaults provide minimum security • Most accounts are administrative accounts (local or domain) • Maximum security – more administrative overhead • Give administrators minimum rights • Give SMS accounts minimum rights – use optional accounts • Install Site Server on member server
Security Prerequisites • To properly manage SMS security, the administrator must understand security concepts for • Windows NT® security (accounts, processes, permissions, privileges, and rights) • Windows NT and pass-through authentication • Various Windows NT domain models • SQL Server™, WMI, and DCOM security • SMS uses client/server, shared resources, RPCs, anonymous connections among its processes
SMS Account Basics • SMS uses many accounts for security • Not one account as in SMS 1.2 (more secure from compromised accounts) • Some accounts are domain accounts • Some accounts are local accounts • Improved security uses many accounts • Generally administrative-level accounts are only used locally • Data transfers usually use a User account • Improves security
SMS Account Specifics • SMS manages many accounts itself • Uses strong passwords • Should not attempt to manage our accounts • Never turn off “Password never expires” • Never expire SMS accounts • Generally server accounts are more controllable by administrators • Use of optional accounts instead of the SMS service account • For more security, install on member server, not DC (local accounts)
SMS Account Lockouts • Most issues are solved in SP2 • SMS Service account • Usually locked by CCM pushes (domain context switches) • SMS Server Connect account • Usually locked by site reset (account changed and not replicated to SMS site systems) • SMS Client Connect account • Usually locked by site reinstall (password changed on reinstall) • SMSCliToknAcct& • Usually locked by hardware inventory or software distribution
Physical Security • Absolutely required • Especially if site server is a domain controller • Hacked SMS service account provides domain admin rights • Site reset can reset some accounts • Do SMS administration on remote systems • Site Server Administrator Console locked by the NTFS file system • Only administrators have access by default
SMS File System Security • NTFS provides user-level security • Required for most site systems • SMS Site Server directories • Client access point security • Logon point security • Distribution point security • Software Metering Server security
Troubleshooting SMS NTFS Security Issues • Primarily done through log files (Windows NT Event Viewer, if auditing enabled) • Site server to site systems • Inboxmgr.log, Distmgr.log, Nt_logon.log, Licsvcfg.log, Licsrvc.log, Sitecomp.log, Sender.log • Ccm.log for site server to client • Client to site system access • Wn_logon.log, Wnmanual.log, Wnremote.log • Ccim32.log, Cqmgr32.log • Smsapm32.log, Odp*.logs • Liccli.log
SMS Site Database Security • SMS Provider (WMI) access • SMS Object security • Custom SMS Administrator Consoles
SMS Provider Access • Controls who has access to the SMS site database • Three ways to gain access to WMI (prior to the SMS Provider) • SMSAdmins local group • Wbemperm.exe (WMI Control in Windows 2000) • Member of local Administrators group • Access to SMS Provider is logged in Smsprov.log (automatically enabled)
SMS Provider Location • SMS Provider can reside: • On site server computer • On SQL Server computer • Logged on user requires access to SMS Provider • Needs Windows NT, RPC, and DCOM security rights (by default Everyone) • Needs WMI rights (SMS Admins)
WMI Security • Used by SMS for many tasks • Hardware inventory • Health Monitor • Network Monitor Control tool • SMS site database access • Network Discovery and Network Trace • SMS Service Manager • WMI 1.1 does not provide namespace security (full permissions to all users) • WMI 1.5 does provide security on namespaces (some users read-only permission)
Troubleshooting SMS Provider Issues • Use Wbemtest.exe • Uses SMS Provider • Can duplicate SMS Administrator console tasks • Shows what is available in SQL Server • Use CIM Studio • http://msdn.microsoft.com/downloads/sdks/wmi/download.asp • Connect to the computer the SMS Provider is installed on • \\providercomputer\root\sms • \\providercomputer\root\sms\site_sc
Verifying the Provider Site • Check registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\AdminUI\Connection for site server name • Connect to \\providercomputer\root\sms • To verify the site code: • select * from SMS_ProviderLocation where providerforlocalsite = True, then Apply • This is what the SMS Administrator Console attempts to connect to • You may get multiple instances returned if a reinstall occurred with a new site code
Verifying the User Account • Connect to \\providercomputer\root\sms\site_sc • To verify user account: • Execute method • SMS_Identification, then OK • GetCurrentUser, then Execute • Edit Out Parameters, then Show MOF • This account needs SMS security rights
Verifying User Group Membership • Connect to \\providercomputer\root\sms\site_sc • To verify user group membership: • Execute method • SMS_SecuredObject, then OK • RefreshNTGroupMembership, then Execute • Edit Out Parameters, then Show MOF • This account will inherit SMS security rights for those groups
SMS Security Objects • Controls who has access to what in SMS database • SMS security rights • Class or Instance • Advertisement, Collection, Package, Query, Site, Status Message • Rights are additive – highest possible • Three methods to assign rights • Manage SMS Users Wizard • Manual creation of a right • Create on Security tab of specific SMS object
Verifying SMS Security Rights • Connect to \\providercomputer\root\sms\site_sc • To verify security rights: • select * from sms_UserInstancePermissions • select * from sms_UserClassPermissions • To view the object keys: • select * from sms_securedobject • These accounts have those SMS security rights
SMS Security Permissions • Viewed on security right in Wbemtest • Read = 1 • Modify = 2 • Delete = 4 • Distribute = 8 • Remote Control = 32 • Advertise = 64 • Modify Resource = 128 • Administer = 256 • Delete Resource = 512 • Create = 1024 • View Collected File = 2048 • Read Resource = 4096
Security Rights Issues • Must have Class Read rights to Packages and Collections to view Advertisements • Some Queries Don't Show Results Unless User Has Class Rights to Collections (Q259861) • To use the Distribute Software Wizard, user must have Class Read and Advertise rights to Collections • User Instance creates Class Instance with no permissions
More Security Rights Issues • Create Package from Definition wizard requires Modify rights for Sites class • Viewing status requires Read Rights to Sites and Status messages • Running and creating queries (Values button) requires Read and Read Resource Rights to the collection
Custom SMS Administrator Consoles • Provides limited view of SMS objects • Only see what administrator has rights to • Deters “exploration” • Save and Send to Remote Admin Consoles • Save as Sms.msc and write to \Smsadmin\Bin\I386 • Can have multiple custom consoles if necessary • Still requires SMS Security Rights
SQL Server Account • Used by SMS to access site database • Depends on SQL Server security mode • Standard – sa account is default • Integrated – Windows NT logon account • Mixed – either SQL Server account or Windows NT logon account • Created and specified during setup • Don’t restrict account permissions
Windows 2000 Specific Issues • SMS May Time Out Attempting a PDC/BDC Resynchronization in a Large Windows 2000 Active Directory Environment - Q271724 • SMS: Systems Management Server Services May Reinstall Repeatedly - Q263398 • SMS: Security Based on Global Groups Fails in Windows 2000 Domains - Q266712 • DCOM on Microsoft Windows 2000 Does Not Support Any Datagram Protocols (UDP) - Q242022
Additional Resources • SMS Security Essentials white paper • SMS 2.0 SP2 CD and Web site • SMS 2.0 Administrator’s Guide • Hard copy can be ordered (part no. 271-00617) • SMS 2.0 Resource Guide • Microsoft® BackOffice® Resource Kit 4.5 • Microsoft Systems Management Web site • http://www.microsoft.com/smsmgmt/ • Product information, white papers, downloads • Microsoft Product Newsgroups • msnews.microsoft.com • microsoft.public.sms