Configuring SMS Security

SMS and NTFS Security Overview

The SMS site server must be installed on an NTFS partition. This ensures that NTFS permissions secure the SMS file structure from access by unauthorized users. By default, administrators have Full Control permission. Standard users who are not administrators have the either the Change permission, or the Read permission, or no permissions.

Each SMS site system role enforces security for the SMS components and for user access. With regard to directories and shares, for all site system roles other than the client access point and logon point role, the share permissions are set to Full Control for users that access the share.

If you install SMS 2.0 with service pack 1, a number of permissions are automatically applied.

The SMS Service Pack 1 CAP permission updates are listed in Table 1.

TABLE 1: *SMS Service Pack 1 CAP Permission updates*
Share/Directory	Administrators	Users	Everyone	Guest
CAP_sitecode share	Not assigned	Not assigned	Full Control	Not assigned
CAP_sitecode	Full Control	Read	Not assigned	Read
Ccr.box	Full Control	Write	Not assigned	Write
Clicomp.box	Full Control	Read	Not assigned	Read
Clicomp.box subfolders	Full Control	Read	Not assigned	Read
Clidata.box	Full Control	Read	Not assigned	Read
Clifiles.box	Full Control	Read	Not assigned	Read
Clifiles.box subfolders	Full Control	Read	Not assigned	Read
Ddr.box	Full Control	Write	Not assigned	Write
Inventory.box	Full Control	Write	Not assigned	Write
Offerinf.box	Full Control	Read	Not assigned	Read
Pkginfo.box	Full Control	Read	Not assigned	Read
Sinv.box	Full Control	Write	Not assigned	Write
Statmsgs.box	Full Control	Write	Not assigned	Write

The SMS logon points folder and share permissions are listed in Table 2.

TABLE 2: SMS Logon Points Folder and Share Permissions
Share/Directory	Administrators	Everyone
SMSLogon (share)	Full Control	Read
SMSLogon	Full Control	Read
Alpha	Full Control	N/a
Alpha.bin	Full Control	Read
Alpha.bin subfolders	Full Control	Read
Config	Full Control	Read
Ddr.box	Full Control	Wtite
i386	Full Control	N/a
Logs	Full Control	N/a
Sites	Full Control	Read
Sites subfolders	Full Control	Read
Sitescfg	Full Control	N/a
X86.bin	Full Control	Read
X86.bin subfolders	Full Control	Read

The SMS distribution points folder and share permissions are listed in Table 3.

TABLE 3: *SMS* *Distribution Points Folder and Share Permissions*
Share/Directory	Administrators	Users	Everyone	Guest
SMSPKGx$ (share)	Not assigned	Not assigned	Full Control	Not assigned
SMSPKGx$	Full Control	Read	Not assigned	Read
package id	Full Control	Read	Not assigned	Read

The SMS site server folder and share permissions are listed in Table 4.

TABLE 4: *SMS* *Site Server folder and Share Permissions*
Share/Directory	Purpose	Administrators	Everyone	SMS Server sitecode account
SMS_sitecode (share)	Associated with the SMS installation directory on a site server	Not assigned	Full Control	Not assigned
SMS	Associated with the SMS\Inboxes\Despoolr.box\Receive directory.	Full Control	Not assigned	Read
SMS_SITE (share)	Associated with the SMS\Inboxes\Despoolr.box\Receive directory.	Not assigned	Full Control	Not assigned
SMS\Inboxes\Despoolr.box\Receive	Utilized when passing data from a child site to its associated parent site.	Full Control	Not assigned	Full Control
CINFO (share)	Associated with the \SMS\Cinfo directory.	Not assigned	Full Control	Not assigned
SMS\Cinfo	Utilized to store report information created through using Crystal Reports.	Full Control	Not assigned	Read
SMS_CPSx$ (share)	Associated with the \SMSPKG.Stores directory	Not assigned	Full Control	Not assigned
SMSPKG	Utilized to store the compressed package source file which gets created during package distribution.	Full Control	Not assigned	Read

The SMS software metering server folder and share permissions are listed in Table 5.

TABLE 5: SMS Software Metering Server Folder and Share Permissions
Share/Directory	Administrators	Users
LICMTR (share)	Full Control	Full Control
SWMTR	Full Control	Read
DLL files	Full Control	Read
EXE files	Full Control	Read

Understanding SMS User and Group Accounts

The user and group accounts which SMS utilizes can be categorized as follows:

Site server service accounts
Server connection account
Site system connection accounts
Remote site system service accounts
Client service accounts
Client installation accounts
Group accounts

Site server service accounts
There are three site server service accounts that SMS utilizes to perform its functions:

SMS Service account: The SMS Service account is created when the SMS site server is installed and is used by the SMS Server services running on the primary site server and secondary site servers. The SMS Service account is one of the main accounts created by SMS.

The primary site server and secondary site servers use the SMS Service account to perform the following functions:

Install SMS components and services
Create shares and directories on the SMS site systems.
Define permissions
Copy files.
Verify operation of the site system.

The SMS components ad services that utilize the SMS Service account are listed here:

SMS Executive
SMS Site Component Manager
SMS Client Configuration Manager
SMS Site Backup
SMS SQL Monitor
Info Agent service
Info APS service
Info Sentinel service

The main characteristics of the SMS Service account are summarized below:

Installed during SMS site server installation.
Member of the following groups:
- Local Administrators group
- Domain Admins global group
- Domain Users
Granted the following user rights:
- Log on as a service
- Act as part of the operating system

SQL Server account:SMS services utilize the SQL Server account to access the SMS site database and the software metering database. The SQL Server account is created when you install MS SQL Server. The actual type of SQL Server account used is determined by the type of SQL Server security implemented, that is, whether standard security or integrated security is used when accessing SQL Server. The SQL Server Enterprise Manager utility is used to manage the SQL Server accounts.

SMS Site Address account: SMS uses the SMS Site Address account to facilitate communication between a parent site and a child site. The information passed during these communication sessions include:
- Discovery data records (DDRs)
- Site control information.
- Inventory information.
- Packages.

Server connection account
The SMS Server Connection account is automatically created when you install the SMS site server.

The SMS Server Connection account is used for the following purposes:

Remote systems use the SMS Server Connection account to connect to the site server to transfer information.
The SMS Provider utilizes the SMS Server Connection account to access SMS directories on the site server and the package definition file (PDF) store.
The Logon Discovery Agent service running on logon points utilize the SMS Server Connection account to forward Discovery data records (DDRs) created with logon discovery.
The Inbox Manager Assistant component on client access points (CAPs) utilizes the SMS Server Connection account to forward client data to the proper inboxes on the SMS site server.

Site system connection accounts
SMS site system connection accounts are created on site systems. They are then used to connect to these site systems and transfer information to the site systems.

Site system connection accounts are used by the following SMS components:

Distribution Manager
Inbox Manager
Logon Server Manager

The information transferred through the SMS site system connection accounts to the site systems include:

Logon script updates
Client configuration information
Advertisements

The different site system connection accounts are listed here:

Windows Networking Site System Connection account
NetWare Bindery Site System Connection account
NetWare NDS Site System Connection account

Remote site system service accounts
Remote site system service accounts are installed on remote site systems.

The different remote site system service accounts are:

SMS Logon Service account: If the Windows Networking Logon Discovery method is used, then the SMS Logon Service account is created on the logon points.

The SMS Logon Service account has the following characteristics:

Member of the local Administrators group
Member of the Domain Users group
Granted the Log on as a service user right.

SMS Remote Service account: This account is used to access the SMS site database in cases where SQL Server is installed remote to the SMS site server. The SMS Remote Service account is a member of the local Administrators group on each client access point, and is granted the Log on as a service user right.
Software Metering Service account: This account is installed on the software metering server and is used to manage software license usage.

Client service accounts
The SMS Client Service accesses client access points, distribution points and logon points to transfer data through a client network connection account. The client service accounts are used by SMS services running on clients to perform a number of functions.

The different client service accounts are listed here:

Client Services DC account: Created on domain controllers which are SMS clients.

The Client Services DC account has the following characteristics:

Member of the local Administrators group.
Granted the Log on as a service user right.
Granted the Act as part of the operating system user right.
Granted the Replace a process level token user right.

Client Services Non-DC account: Created on SMS clients that are not domain controllers.

The Client Services Non-DC account has the following characteristics:

Member of the local Administrators group.
Granted the Log on as a service user right.
Granted the Act as part of the operating system user right.
Granted the Replace a process level token user right.

Client User Token account: Used by SMS to create a user token on a client with the necessary access to run a program that needs administrator access (context) to run.

The Client User Token account has the following characteristics:

Granted the Act as part of the operating system user right.
Granted the Replace a process level token user right.
Granted the Log on as a service user right.

SMS Client Connection account: Used by SMS client components running on SMS clients to:
- Connect to client access points (CAPs) to transfer data.
- Connect to distribution points to transfer data.

Client installation accounts
The different client installation accounts are:

SMS Client Remote Installation account: Used to install SMS components on a SMS client computer.
SMS Windows Client Software Installation account: Used to run an advertised program on the SMS client.

Group accounts
SMS creates internal group accounts which it then utilizes to provide additional security. The SMS Group account is used to grant its members access to the SMS database. The Administrator account on the SMS site server is a member of the SMS Admins group account by default.

Understanding Security Objects in SMS

With SMS, object class security provides a user(s) with access to instances of a specific object class. You can assign security rights to the following SMS object classes:

Advertisements
Collections
Packages
Queries
Sites
Status messages

The permissions that can be assigned to SMS objects are determined by the object type. The typical permissions which can be assigned are:

Administer
Create
Delete
Modify
Read
For packages, the Distribute right can be assigned.
For collections, the Advertise right and Remote Tools right can be assigned.

The following types of security can be configured for SMS objects:

Class security: With class security, permissions defined for the object class applies to all members of the object class.
Instance security: With instance security, permissions can be defined for each specific member of an object class.

The different SMS object permissions that can be defined are listed here, together with the object type associated with the permission.

Administer permission: Used to manage object classes, assign security rights, and change existing security rights. The Administer permission can be defined for all security object types.
Advertise permission: Used to advertise programs to a collection. The Advertise permission can be defined for the Collections object type.
Create permission: Used to create an instance of an object type and can be defined for each available security object type.
Delete permission: Used to delete an instance of an object type and can be defined for all security object types, other than Status Messages.
Delete Resource permission: Used to delete a resource from a collection, and can be defined for the Collections object type.
Distribute permission: Used to install a package at a distribution point and can be defined for the Packages object type.
Modify permission: Used to modify an object and can be defined for all security object types, other than Status Messages.
Modify Resource permission: Used to modify a resource in a collection, and can be defined for the Collections object type.
Read permission: Used to view an instance of an object type, and can be defined for all security object types, other than Status Messages.
Read Resource permission: Used to view a resource in a collection, and can be defined for the Collections object type.
Use Remote Tools permission: Used to start a Remote Tools session with a SMS client in a collection and can be defined for the Collections object type.
View Collected Files permission: Used to view files collected from a client, and can be defined for the Collections object type.

How to assign permissions to object classes and instances

Open the SMS Administrator console.
Select the Security Rights node.
Right-click the Security Rights node and select New from the shortcut menu.
To assign permissions to an object class, select Class Security Right.
To assign permissions to an object instance, select Instance Security Right.
The Security Right Properties dialog box is displayed if you have selected the Class Security Right option.
Specify the user name or group name in the User name box.
Choose the object class in the Class drop-down list box.
Specify the permissions to assign in the Permissions box.
When you select the Instance Security Right, then the Instance box would be available to define the object instance.
Click OK.

How to assign permissions at the object class level

Open the SMS Administrator console.
Locate the specific object folder thats object class permissions you want to assign.
Right-click the folder and then select Properties from the shortcut menu.
The Properties dialog box for the object which you have selected opens.
Click the Security tab.
If you want to add a user or group, then click the New button.
The Object Class Security Right Properties dialog box opens.
Enter the name of the user or group in the User name box.
Assign the permissions using the Permissions box.
Click OK.
If you want to change the rights assigned for an existing entry, then choose the entry in the Class Security Rights list on the Security tab.
Click the Properties button.
When the Object Class Security Right Properties dialog box opens, perform the desired modifications.
Click OK.
Click OK to close the Object Properties dialog box.

How to assign permissions at the object instance level

Open the SMS Administrator console.
Locate the specific object instance thats permissions you want to assign.
Right-click the specific object instance and then select Properties from the shortcut menu.
The Properties dialog box for the specific object instance which you have selected opens.
Click the Security tab.
Specify the desired class permissions for the object.
Specify the desired permissions for the instance.
If you want to assign instance permissions, in the Instance Security Rights area, click the New button.
The Object Instance Security Right Properties dialog box opens.
Enter the name of the user or group in the User name box.
Assign the permissions using the Permissions box.
Click OK.
Click OK to close the Object Instance Properties dialog box.

Creating Custom SMS Administrator consoles

Because the SMS Administrator console is a Microsoft Management Console (MMC) snap-in, you can create custom SMS Administrator consoles that only present specific SMS objects in the console. You can then make the custom console available to a user that only needs to perform a specific SMS administration function. This basically means that the user will only see those SMS objects required to perform the delegated tasks.

The first step in creating a custom SMS Administrator console is to assign the necessary security to the SMS objects. After this, you can create the actual custom SMS Administrator console.

To create a custom SMS Administrator console,

Click Start, and then Run. Type mmc in the text box. Click OK.
This action opens a blank MMC window which you will use to add the Systems Management Server snap-in.
Use the File/Console menu to choose Add/Remove Snap-in. The Console menu is renamed the File menu in the latest MMC version, MMC 2 version 5.2.
When the Add/Remove Snap-in dialog box opens, click Add.
The Add Standalone Snap-in dialog box opens.
In the Add Standalone Snap-in dialog box choose Systems Management Server from the list of available snap-ins, and then click Add.
The Site Database Connection Wizard starts.
Click Next on the Welcome to the Site Database Connection Wizard screen.
On the Locate Site Database page, provide the site server that you want this SMS Administrator console to connect to.
Choose the Select Console Tree Items To Be Loaded (Custom) option, and then click the Next button.
On the Console Tree Items screen, specify the items which you want displayed in the console tree for the site database. Click Next.
On the Completing The Database Connection Wizard screen, verify the settings that you specified and then click Finish.
In the Add Standalone Snap-In dialog box, click Close.
In the Add/Remove Snap-In dialog box, click OK.
Use the File/Console menu to choose Options. The Console menu is renamed the File menu in the latest MMC version, MMC 2 version 5.2.
The Options Properties dialog box opens.
To ensure that the user cannot make changes to the console, verify that the Always Open Console Files In Author Mode checkbox is not selected on the User tab.
Click the Console tab.
Click the Change Icon button if you want to change to the SMS Administrator Console icon.
Provide a name of the console.
Specify the console mode in the Console Mode drop-down list box. If you do not want the user to be able to modify the console; and if you want to hide the top level console menus, then you should select the User Mode - Delegated Access, Single Window option from the Console Mode drop-down list box.
Click OK in the Options Properties dialog box.
Use the File/Console menu to choose Save As.
When the Save As dialog box opens, specify the folder where the console file should be saved, and enter the file name for the console.
Click Save.

Bookmark Configuring SMS Security

Latest Blog Posts

Acai Berry Spam via MSN

Obama Seeks Power to Shut Down the Internet

Help Beta Test Tech-FAQ 2.0!

Windows 7 Forum

Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

Google Hacked?

Recycle your old phone – Make some money, and save the environment too!

SourceForge vs. Freshmeat

Fastest Web Browser: Google Chrome

New Webmaster Forum