SMS and NTFS Security Overview

The SMS site server must be installed on an NTFS partition. This ensures that NTFS permissions secure the SMS file structure from access by unauthorized users. By default, administrators have the Full Control permission. Standard users who are not administrators have either the Change permission, the Read permission, or no permissions.

Each SMS site system role enforces security for the SMS components and for user access. With regard to directories and shares, for all site system roles other than the client access point and logon point roles, the share permissions are set to Full Control for the users that access the share.

If you install SMS 2.0 with Service Pack 1, a number of permissions are applied automatically.

The SMS Service Pack 1 CAP permission updates are listed in Table 1.

TABLE 1: SMS Service Pack 1 CAP Permission Updates

| Share/Directory | Administrators | Users | Everyone | Guest |
|---|---|---|---|---|
| CAP_sitecode share | Not assigned | Not assigned | Full Control | Not assigned |
| CAP_sitecode | Full Control | Read | Not assigned | Read |
| Ccr.box | Full Control | Write | Not assigned | Write |
| Clicomp.box | Full Control | Read | Not assigned | Read |
| Clicomp.box subfolders | Full Control | Read | Not assigned | Read |
| Clidata.box | Full Control | Read | Not assigned | Read |
| Clifiles.box | Full Control | Read | Not assigned | Read |
| Clifiles.box subfolders | Full Control | Read | Not assigned | Read |
| Ddr.box | Full Control | Write | Not assigned | Write |
| Inventory.box | Full Control | Write | Not assigned | Write |
| Offerinf.box | Full Control | Read | Not assigned | Read |
| Pkginfo.box | Full Control | Read | Not assigned | Read |
| Sinv.box | Full Control | Write | Not assigned | Write |
| Statmsgs.box | Full Control | Write | Not assigned | Write |

The SMS logon point folder and share permissions are listed in Table 2.

TABLE 2: SMS Logon Points Folder and Share Permissions

| Share/Directory | Administrators | Everyone |
|---|---|---|
| SMSLogon (share) | Full Control | Read |
| SMSLogon | Full Control | Read |
| Alpha | Full Control | N/a |
| Alpha.bin | Full Control | Read |
| Alpha.bin subfolders | Full Control | Read |
| Config | Full Control | Read |
| Ddr.box | Full Control | Write |
| i386 | Full Control | N/a |
| Logs | Full Control | N/a |
| Sites | Full Control | Read |
| Sites subfolders | Full Control | Read |
| Sitescfg | Full Control | N/a |
| X86.bin | Full Control | Read |
| X86.bin subfolders | Full Control | Read |

The SMS distribution point folder and share permissions are listed in Table 3.

TABLE 3: SMS Distribution Points Folder and Share Permissions

| Share/Directory | Administrators | Users | Everyone | Guest |
|---|---|---|---|---|
| SMSPKGx$ (share) | Not assigned | Not assigned | Full Control | Not assigned |
| SMSPKGx$ | Full Control | Read | Not assigned | Read |
| package id | Full Control | Read | Not assigned | Read |

The SMS site server folder and share permissions are listed in Table 4.

TABLE 4: SMS Site Server Folder and Share Permissions

| Share/Directory | Purpose | Administrators | Everyone | SMS Server sitecode account |
|---|---|---|---|---|
| SMS_sitecode (share) | Associated with the SMS installation directory on a site server. | Not assigned | Full Control | Not assigned |
| SMS | Associated with the SMS\Inboxes\Despoolr.box\Receive directory. | Full Control | Not assigned | Read |
| SMS_SITE (share) | Associated with the SMS\Inboxes\Despoolr.box\Receive directory. | Not assigned | Full Control | Not assigned |
| SMS\Inboxes\Despoolr.box\Receive | Used when passing data from a child site to its parent site. | Full Control | Not assigned | Full Control |
| CINFO (share) | Associated with the SMS\Cinfo directory. | Not assigned | Full Control | Not assigned |
| SMS\Cinfo | Used to store report information created with Crystal Reports. | Full Control | Not assigned | Read |
| SMS_CPSx$ (share) | Associated with the SMSPKG directory. | Not assigned | Full Control | Not assigned |
| SMSPKG | Used to store the compressed package source file created during package distribution. | Full Control | Not assigned | Read |

The SMS software metering server folder and share permissions are listed in Table 5.

TABLE 5: SMS Software Metering Server Folder and Share Permissions

| Share/Directory | Administrators | Users |
|---|---|---|
| LICMTR (share) | Full Control | Full Control |
| SWMTR | Full Control | Read |
| DLL files | Full Control | Read |
| EXE files | Full Control | Read |
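The tables above are only useful if the permissions on disk still match them. The following audit script is an added example, not part of the original article or of SMS itself: it encodes the Table 1 NTFS expectations for a CAP and reports any directory whose ACL grants a principal more than the table allows. It assumes $CapRoot points at the CAP_sitecode directory (placeholder site code ABC) and reads the table's "Guest" column as the BUILTIN\Guests group; extending $Expected to Tables 2 to 5 follows the same pattern.

```powershell
# Added audit script (not from the article or from SMS). Compares the NTFS ACLs
# under a CAP_<sitecode> directory against Table 1 and reports deviations.
# ASSUMPTION: site code "ABC" is a placeholder; "Guest" column = BUILTIN\Guests.
param([string]$CapRoot = 'D:\CAP_ABC')

# Table 1 expectations: directory -> principal -> highest allowed right.
$Expected = @{
    '.'             = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Ccr.box'       = @{ Administrators='FullControl'; Users='Write'; Guests='Write' }
    'Clicomp.box'   = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Clidata.box'   = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Clifiles.box'  = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Ddr.box'       = @{ Administrators='FullControl'; Users='Write'; Guests='Write' }
    'Inventory.box' = @{ Administrators='FullControl'; Users='Write'; Guests='Write' }
    'Offerinf.box'  = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Pkginfo.box'   = @{ Administrators='FullControl'; Users='Read';  Guests='Read'  }
    'Sinv.box'      = @{ Administrators='FullControl'; Users='Write'; Guests='Write' }
    'Statmsgs.box'  = @{ Administrators='FullControl'; Users='Write'; Guests='Write' }
}

# Rights implied by each word in the table (classic Read = RX, Write = W).
$Rights  = [System.Security.AccessControl.FileSystemRights]
$Allowed = @{
    FullControl = [int]$Rights::FullControl
    Read        = [int]$Rights::ReadAndExecute
    Write       = [int]$Rights::Write
}
$Synchronize = [int]$Rights::Synchronize   # carried by most ACEs; not a grant

function Test-CapDirectoryAcl {
    param([string]$RelativePath, [hashtable]$Wanted)
    $path = Join-Path $CapRoot $RelativePath
    if (-not (Test-Path $path)) { return "MISSING  $path" }
    $findings = @()
    foreach ($ace in (Get-Acl $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }     # Deny ACEs never widen access
        $who  = ($ace.IdentityReference.Value -split '\\')[-1]  # drop BUILTIN\ or domain prefix
        $have = ([int]$ace.FileSystemRights) -band (-bnot $Synchronize)
        if (-not $Wanted.ContainsKey($who)) {
            $findings += "EXTRA    $path : $($ace.IdentityReference) has $($ace.FileSystemRights)"
            continue
        }
        # Any bit outside the allowed mask is a grant the table does not sanction.
        $excess = $have -band (-bnot $Allowed[$Wanted[$who]])
        if ($excess -ne 0) {
            $findings += "EXCESS   $path : $who granted $($ace.FileSystemRights), table allows $($Wanted[$who])"
        }
    }
    return $findings
}

$report = foreach ($dir in $Expected.Keys) { Test-CapDirectoryAcl $dir $Expected[$dir] }
if ($report) { $report } else { "All CAP directories match Table 1." }
```

Principals that Table 1 does not list, such as SYSTEM, CREATOR OWNER and the SMS service account, are reported as EXTRA so they can be reviewed rather than silently accepted.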

Understanding SMS User and Group Accounts

The user and group accounts which SMS utilizes can be categorized as follows:

  • Site server service accounts

  • Server connection account

  • Site system connection accounts

  • Remote site system service accounts

  • Client service accounts

  • Client installation accounts

  • Group accounts

Site server service accounts
There are three site server service accounts that SMS utilizes to perform its functions:

  • SMS Service account: The SMS Service account is created when the SMS site server is installed and is used by the SMS Server services running on the primary site server and secondary site servers. The SMS Service account is one of the main accounts created by SMS.

The primary site server and secondary site servers use the SMS Service account to perform the following functions:

    • Install SMS components and services

    • Create shares and directories on the SMS site systems.

    • Define permissions

    • Copy files.

    • Verify operation of the site system.

The SMS components and services that utilize the SMS Service account are listed here:

    • SMS Executive

    • SMS Site Component Manager

    • SMS Client Configuration Manager

    • SMS Site Backup

    • SMS SQL Monitor

    • Info Agent service

    • Info APS service

    • Info Sentinel service

The main characteristics of the SMS Service account are summarized below:

    • Installed during SMS site server installation.

    • Member of the following groups:

      • Local Administrators group

      • Domain Admins global group

      • Domain Users

    • Granted the following user rights:

      • Log on as a service

      • Act as part of the operating system

  • SQL Server account: SMS services utilize the SQL Server account to access the SMS site database and the software metering database. The SQL Server account is created when you install MS SQL Server. The actual type of SQL Server account used is determined by the type of SQL Server security implemented, that is, whether standard security or integrated security is used when accessing SQL Server. The SQL Server Enterprise Manager utility is used to manage the SQL Server accounts.

  • SMS Site Address account: SMS uses the SMS Site Address account to facilitate communication between a parent site and a child site. The information passed during these communication sessions includes:

    • Discovery data records (DDRs)

    • Site control information.

    • Inventory information.

    • Packages.

Server connection account
The SMS Server Connection account is automatically created when you install the SMS site server.

The SMS Server Connection account is used for the following purposes:

  • Remote systems use the SMS Server Connection account to connect to the site server to transfer information.

  • The SMS Provider utilizes the SMS Server Connection account to access SMS directories on the site server and the package definition file (PDF) store.

  • The Logon Discovery Agent service running on logon points utilizes the SMS Server Connection account to forward discovery data records (DDRs) created by logon discovery.

  • The Inbox Manager Assistant component on client access points (CAPs) utilizes the SMS Server Connection account to forward client data to the proper inboxes on the SMS site server.

Site system connection accounts
SMS site system connection accounts are created on site systems and are then used to connect to those site systems and transfer information to them.

Site system connection accounts are used by the following SMS components:

  • Distribution Manager

  • Inbox Manager

  • Logon Server Manager

The information transferred to the site systems through the SMS site system connection accounts includes:

  • Logon script updates

  • Client configuration information

  • Advertisements

The different site system connection accounts are listed here:

  • Windows Networking Site System Connection account

  • NetWare Bindery Site System Connection account

  • NetWare NDS Site System Connection account

Remote site system service accounts
Remote site system service accounts are installed on remote site systems.

The different remote site system service accounts are:

  • SMS Logon Service account: If the Windows Networking Logon Discovery method is used, then the SMS Logon Service account is created on the logon points.

The SMS Logon Service account has the following characteristics:

    • Member of the local Administrators group

    • Member of the Domain Users group

    • Granted the Log on as a service user right.

  • SMS Remote Service account: This account is used to access the SMS site database in cases where SQL Server is installed remotely from the SMS site server. The SMS Remote Service account is a member of the local Administrators group on each client access point, and is granted the Log on as a service user right.

  • Software Metering Service account: This account is installed on the software metering server and is used to manage software license usage.

Client service accounts
The SMS Client Service accesses client access points, distribution points and logon points to transfer data through a client network connection account. The client service accounts are used by SMS services running on clients to perform a number of functions.

The different client service accounts are listed here:

  • Client Services DC account: Created on domain controllers which are SMS clients.

The Client Services DC account has the following characteristics:

    • Member of the local Administrators group.

    • Granted the Log on as a service user right.

    • Granted the Act as part of the operating system user right.

    • Granted the Replace a process level token user right.

  • Client Services Non-DC account: Created on SMS clients that are not domain controllers.

The Client Services Non-DC account has the following characteristics:

    • Member of the local Administrators group.

    • Granted the Log on as a service user right.

    • Granted the Act as part of the operating system user right.

    • Granted the Replace a process level token user right.

  • Client User Token account: Used by SMS to create a user token on a client with the necessary access to run a program that needs administrator access (context) to run.

The Client User Token account has the following characteristics:

    • Granted the Act as part of the operating system user right.

    • Granted the Replace a process level token user right.

    • Granted the Log on as a service user right.

  • SMS Client Connection account: Used by SMS client components running on SMS clients to:

    • Connect to client access points (CAPs) to transfer data.

    • Connect to distribution points to transfer data.

Client installation accounts
The different client installation accounts are:

  • SMS Client Remote Installation account: Used to install SMS components on a SMS client computer.

  • SMS Windows Client Software Installation account: Used to run an advertised program on the SMS client.

Group accounts
SMS creates internal group accounts which it then utilizes to provide additional security. The SMS Group account is used to grant its members access to the SMS database. The Administrator account on the SMS site server is a member of the SMS Admins group account by default.
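Several of the accounts described above hold the Act as part of the operating system, Replace a process level token and Log on as a service user rights, which makes it worth knowing exactly who holds them on each SMS host. The script below is an added example, not part of the original article or of SMS: it exports the local security policy with secedit (available on the NT-era hosts SMS 2.0 runs on as well as on current Windows) and lists the holders of those three rights so that unexpected principals stand out. It assumes it is run with administrative privileges on the host being checked.

```powershell
# Added check (not from the article or from SMS). Lists the holders of the
# three user rights the article assigns to SMS service accounts. Run elevated.
$inf = Join-Path $env:TEMP 'user_rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit privilege names for the rights named in the article.
$Watch = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeServiceLogonRight           = 'Log on as a service'
}

function Resolve-Principal([string]$Token) {
    # secedit writes SIDs as *S-1-5-...; names are written as names.
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # unresolvable (e.g. a deleted account) stays as the raw SID
    }
}

function Get-RightHolders([string]$InfPath) {
    # Returns privilege name -> array of resolved principals for the watched rights.
    $result = @{}
    foreach ($line in Get-Content $InfPath) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Watch.ContainsKey($matches[1])) {
            $result[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { Resolve-Principal $_.Trim() })
        }
    }
    return $result
}

$holders = Get-RightHolders $inf
foreach ($priv in $Watch.Keys) {
    "{0} ({1}):" -f $Watch[$priv], $priv
    if ($holders[$priv]) { $holders[$priv] | ForEach-Object { "    $_" } } else { "    (no holders)" }
}
Remove-Item $inf
```

Compare the output against the accounts the article lists for each right; a principal that is not one of the SMS accounts or a built-in service identity deserves a closer look.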

Understanding Security Objects in SMS

With SMS, object class security provides users with access to instances of a specific object class. You can assign security rights to the following SMS object classes:

  • Advertisements

  • Collections

  • Packages

  • Queries

  • Sites

  • Status messages

The permissions that can be assigned to SMS objects are determined by the object type. The typical permissions which can be assigned are:

  • Administer

  • Create

  • Delete

  • Modify

  • Read

  • For packages, the Distribute right can be assigned.

  • For collections, the Advertise right and Remote Tools right can be assigned.

The following types of security can be configured for SMS objects:

  • Class security: With class security, the permissions defined for the object class apply to all members of the object class.

  • Instance security: With instance security, permissions can be defined for each specific member of an object class.

The different SMS object permissions that can be defined are listed here, together with the object type associated with the permission.

  • Administer permission: Used to manage object classes, assign security rights, and change existing security rights. The Administer permission can be defined for all security object types.

  • Advertise permission: Used to advertise programs to a collection. The Advertise permission can be defined for the Collections object type.

  • Create permission: Used to create an instance of an object type and can be defined for each available security object type.

  • Delete permission: Used to delete an instance of an object type and can be defined for all security object types, other than Status Messages.

  • Delete Resource permission: Used to delete a resource from a collection, and can be defined for the Collections object type.

  • Distribute permission: Used to install a package at a distribution point and can be defined for the Packages object type.

  • Modify permission: Used to modify an object and can be defined for all security object types, other than Status Messages.

  • Modify Resource permission: Used to modify a resource in a collection, and can be defined for the Collections object type.

  • Read permission: Used to view an instance of an object type, and can be defined for all security object types, other than Status Messages.

  • Read Resource permission: Used to view a resource in a collection, and can be defined for the Collections object type.

  • Use Remote Tools permission: Used to start a Remote Tools session with a SMS client in a collection and can be defined for the Collections object type.

  • View Collected Files permission: Used to view files collected from a client, and can be defined for the Collections object type.

How to assign permissions to object classes and instances

  1. Open the SMS Administrator console.

  2. Select the Security Rights node.

  3. Right-click the Security Rights node and select New from the shortcut menu.

  4. To assign permissions to an object class, select Class Security Right.

  5. To assign permissions to an object instance, select Instance Security Right.

  6. The Security Right Properties dialog box is displayed if you have selected the Class Security Right option.

  7. Specify the user name or group name in the User name box.

  8. Choose the object class in the Class drop-down list box.

  9. Specify the permissions to assign in the Permissions box.

  10. If you selected the Instance Security Right option, the Instance box is available for defining the object instance.

  11. Click OK.

How to assign permissions at the object class level

  1. Open the SMS Administrator console.

  2. Locate the object folder whose object class permissions you want to assign.

  3. Right-click the folder and then select Properties from the shortcut menu.

  4. The Properties dialog box for the object which you have selected opens.

  5. Click the Security tab.

  6. If you want to add a user or group, then click the New button.

  7. The Object Class Security Right Properties dialog box opens.

  8. Enter the name of the user or group in the User name box.

  9. Assign the permissions using the Permissions box.

  10. Click OK.

  11. If you want to change the rights assigned for an existing entry, then choose the entry in the Class Security Rights list on the Security tab.

  12. Click the Properties button.

  13. When the Object Class Security Right Properties dialog box opens, perform the desired modifications.

  14. Click OK.

  15. Click OK to close the Object Properties dialog box.

How to assign permissions at the object instance level

  1. Open the SMS Administrator console.

  2. Locate the object instance whose permissions you want to assign.

  3. Right-click the specific object instance and then select Properties from the shortcut menu.

  4. The Properties dialog box for the specific object instance which you have selected opens.

  5. Click the Security tab.

  6. Specify the desired class permissions for the object.

  7. Specify the desired permissions for the instance.

  8. If you want to assign instance permissions, in the Instance Security Rights area, click the New button.

  9. The Object Instance Security Right Properties dialog box opens.

  10. Enter the name of the user or group in the User name box.

  11. Assign the permissions using the Permissions box.

  12. Click OK.

  13. Click OK to close the Object Instance Properties dialog box.

Creating Custom SMS Administrator consoles

Because the SMS Administrator console is a Microsoft Management Console (MMC) snap-in, you can create custom SMS Administrator consoles that only present specific SMS objects in the console. You can then make the custom console available to a user that only needs to perform a specific SMS administration function. This basically means that the user will only see those SMS objects required to perform the delegated tasks.

The first step in creating a custom SMS Administrator console is to assign the necessary security to the SMS objects. After this, you can create the actual custom SMS Administrator console.

To create a custom SMS Administrator console:

  1. Click Start, and then Run. Type mmc in the text box. Click OK.

  2. This action opens a blank MMC window which you will use to add the Systems Management Server snap-in.

  3. Use the File/Console menu to choose Add/Remove Snap-in. The Console menu is renamed the File menu in the latest MMC version, MMC 2 version 5.2.

  4. When the Add/Remove Snap-in dialog box opens, click Add.

  5. The Add Standalone Snap-in dialog box opens.

  6. In the Add Standalone Snap-in dialog box choose Systems Management Server from the list of available snap-ins, and then click Add.

  7. The Site Database Connection Wizard starts.

  8. Click Next on the Welcome to the Site Database Connection Wizard screen.

  9. On the Locate Site Database page, provide the site server that you want this SMS Administrator console to connect to.

  10. Choose the Select Console Tree Items To Be Loaded (Custom) option, and then click the Next button.

  11. On the Console Tree Items screen, specify the items which you want displayed in the console tree for the site database. Click Next.

  12. On the Completing The Database Connection Wizard screen, verify the settings that you specified and then click Finish.

  13. In the Add Standalone Snap-In dialog box, click Close.

  14. In the Add/Remove Snap-In dialog box, click OK.

  15. Use the File/Console menu to choose Options. The Console menu is renamed the File menu in the latest MMC version, MMC 2 version 5.2.

  16. The Options Properties dialog box opens.

  17. To ensure that the user cannot make changes to the console, verify that the Always Open Console Files In Author Mode checkbox is not selected on the User tab.

  18. Click the Console tab.

  19. Click the Change Icon button if you want to change the SMS Administrator console icon.

  20. Provide a name of the console.

  21. Specify the console mode in the Console Mode drop-down list box. If you do not want the user to be able to modify the console, and you want to hide the top-level console menus, select the User Mode – Delegated Access, Single Window option from the Console Mode drop-down list box.

  22. Click OK in the Options Properties dialog box.

  23. Use the File/Console menu to choose Save As.

  24. When the Save As dialog box opens, specify the folder where the console file should be saved, and enter the file name for the console.

  25. Click Save.