Scenarios and Procedures for Microsoft Systems Management Server 2003: Security

Securing your Microsoft® Systems Management Server (SMS) environment is not a task you can complete once and forget about. You start either by planning with security in mind or by securing an existing implementation. Then you must continually review your security configuration, policies, and procedures. Whether you have already deployed SMS or are in the planning stages, follow these established best practices to create the most secure SMS environment possible, and then follow the guidance to maintain the most secure environment possible.


Network management systems bring great benefits to your environment. Well-managed networks are usually more secure networks. However, failure to adequately secure network management software can leave your network vulnerable. If SMS or any other network management tool is compromised, an attacker could potentially take control of every managed node. Before deviating from the recommendations in this document, evaluate the potential risks exposed by these changes and plan appropriate mitigations.

This document is primarily intended for SMS administrators. At companies where there is an established security infrastructure, the SMS administrator must work in conjunction with the security engineers and architects to provide an SMS environment that complies with all company security policies.


You can find content in this document that is specific to SMS 2003 SP1 and SMS 2003 SP2 by searching for the text string “*SP”.

Before you read this guide, be sure you understand the basic concepts of SMS. At a minimum, read Chapter 1 “Introducing Systems Management Server 2003” of the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide ( If you already have SMS installed, read your organization’s SMS documentation and be familiar with the features and design decisions in your implementation. You might find the Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment ( helpful. This guide also assumes you understand basic security principles.

This book includes a section called SMS 2003 Security Checklists. If you are experienced with SMS concepts and security procedures, you might be able to work directly from the checklists and use this guide as reference information.


Most security configurations in SMS can be changed at any time. If you have already deployed SMS, you can make your site more secure by implementing these best practices. The following two settings make your site more secure, but cannot be reversed after they are implemented:

Changing from standard security to advanced security

Enabling client signing

There are two settings that are difficult to change after clients are deployed. If you have not yet deployed Advanced Clients, carefully review the following sections of this document to determine if you should plan for them before deploying your clients:

Consider Configuring the Advanced Client to Use a Non-default HTTP Port

Configure Advanced Clients to Use Active Directory Only Mode

In This White Paper

Security Fundamentals

Securing SMS

Additional Reading

This guide focuses on recommended best practices and configurations. Additional conceptual information is provided in the appendices:

Appendix A: SMS Object Security and WMI

Appendix B: SMS Certificate Infrastructure

Appendix C: SMS Accounts, Groups, and Passwords

Appendix D: Legacy Client Security Environment

Appendix E: SMS Security Procedures

Appendix F: SMS Security Templates

Appendix G: Recommended Configuration for IPsec with SMS

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved. Microsoft, BackOffice, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA