Reporting Security Best Practices
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Attackers usually try to gather as much information about a company as possible before choosing how to attack it. An attacker might attempt to gain access to Microsoft System Center Configuration Manager 2007 reports to learn about the network environment. For example, if an attacker can view the report that shows software update compliance, she can target the computers that are missing a particular update with an exploit for the vulnerability that update fixes.
Attacks against Configuration Manager 2007 reporting are usually lower risk than attacks against the site server, site database server, software distribution, and remote tools.
Restrict queries and reports to authorized viewers
Use the principle of least privilege when assigning permissions to queries and reports. Reports can be run from the Configuration Manager 2007 console or through a report viewer, such as Internet Explorer. Only queries viewed in the Configuration Manager 2007 console are subject to Configuration Manager 2007 object security. When you run Configuration Manager 2007 queries, you must have Configuration Manager 2007 object security permissions on the objects included in the query. In addition, when you create a query, Values on the Criteria tab of the Query Statement Properties dialog box returns no data if you do not have Read and Read Resource permissions on the Collections class.
A query can be collection limited, so that users can query data only for resources in collections they are authorized to use. Even when the user does not specify collection limiting when creating a query, Configuration Manager 2007 applies collection limiting if the user is not authorized to view all resources. If someone requires access to information, verify that they will not be restricted by collection limiting.
Use the reporting users group to control access to the reporting point
By default, all members of the Administrators and Reporting Users groups have access to the reporting point Web site. If users need access to reports on the reporting point, add them to the Reporting Users local group on each reporting point they require. The Reporting Users group does not have any members by default.
The Reporting Users group does not have Configuration Manager 2007 object security rights configured by default. Grant this group Read rights on the Report class; otherwise its members can reach the reporting Web site but cannot open any reports.
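The following PowerShell script is an added example, not code from the original article or from the Configuration Manager product. It adds a domain group of authorized viewers to the local Reporting Users group on each reporting point and then lists the resulting membership so it can be compared with the list of people who are supposed to have access. The server names, the domain CONTOSO and the group "SCCM Report Viewers" are placeholders; the local group name "Reporting Users" is the one the reporting point role creates. Run it with an account that is a local administrator on each reporting point.

```powershell
# Added example: populate and audit the local "Reporting Users" group on each reporting point.
# Placeholders (assumptions): server names, domain and the domain group of authorized viewers.
$reportingPoints = @('RP01', 'RP02')         # placeholder reporting point server names
$domain          = 'CONTOSO'                 # placeholder domain
$viewersGroup    = 'SCCM Report Viewers'     # placeholder domain group of authorized viewers
$localGroup      = 'Reporting Users'         # local group created by the reporting point role

# Return the names of the current members of a local group on a server (WinNT ADSI provider).
function Get-LocalGroupMemberNames {
    param([string]$Server, [string]$GroupName)
    $group = [ADSI]"WinNT://$Server/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

foreach ($server in $reportingPoints) {
    $members = @(Get-LocalGroupMemberNames -Server $server -GroupName $localGroup)
    if ($members -contains $viewersGroup) {
        Write-Host "$server : $domain\$viewersGroup is already in $localGroup"
    } else {
        $group = [ADSI]"WinNT://$server/$localGroup,group"
        $group.Add("WinNT://$domain/$viewersGroup,group")
        Write-Host "$server : added $domain\$viewersGroup to $localGroup"
    }

    # Print the final membership so it can be compared with the list of authorized viewers;
    # anything unexpected here can open every report on this reporting point.
    Write-Host "$server : $localGroup members:"
    Get-LocalGroupMemberNames -Server $server -GroupName $localGroup |
        ForEach-Object { Write-Host "    $_" }
}
```

Adding a domain group rather than individual accounts keeps the per-server local group stable and moves the decision about who may view reports into one place; the membership listing at the end is the check to repeat whenever a reporting point is added or rebuilt.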
Manage security for users who connect directly to the SQL Server computer
If you use reporting mechanisms other than the Configuration Manager console and Configuration Manager reporting, WMI security and Configuration Manager object security are not in effect. If you choose to use reporting mechanisms that access the SQL Server views directly, such as an ODBC driver or a script, you must implement security controls of your own to restrict data access to authorized users.
Accessing data directly in the tables is not supported. The only supported way to access the data is by using the views.
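The following PowerShell script is an added example, not code from the original article or from the Configuration Manager product. It shows one way to apply the two points above when a tool reads the site database directly: it creates a SQL Server database role that is granted SELECT on the specific views the reports need and nothing else, maps a Windows group of authorized report users to that role, and then lists every permission the role holds so that any grant on a table rather than a view stands out. The instance name SQLSRV01, the database SMS_ABC, the Windows group, the role name and the three view names are placeholders; run it as a SQL Server sysadmin or a db_owner of the site database.

```powershell
# Added example: a least-privilege database role for tools that query the site database views.
# Placeholders (assumptions): instance, database, Windows group, role name and view names.
$instance = 'SQLSRV01'                      # placeholder SQL Server instance hosting the site database
$database = 'SMS_ABC'                       # placeholder site database (SMS_<sitecode>)
$winGroup = 'CONTOSO\SCCM Report Viewers'   # placeholder Windows group of authorized report users
$roleName = 'ConfigMgr_ViewReaders'         # placeholder database role name
# Views the reporting tool needs (assumed names); grant only what the reports actually use.
$views    = @('v_R_System', 'v_FullCollectionMembership', 'v_GS_OPERATING_SYSTEM')

$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$winGroup')
    CREATE LOGIN [$winGroup] FROM WINDOWS;
IF DATABASE_PRINCIPAL_ID(N'$winGroup') IS NULL
    CREATE USER [$winGroup] FOR LOGIN [$winGroup];
IF DATABASE_PRINCIPAL_ID(N'$roleName') IS NULL
    CREATE ROLE [$roleName];
EXEC sp_addrolemember N'$roleName', N'$winGroup';
"@
# SELECT on the views only; deliberately no db_datareader, which would expose every table.
foreach ($v in $views) { $setup += "`nGRANT SELECT ON dbo.[$v] TO [$roleName];" }

# Everything the role has been granted, with the object type, so that a permission on a
# table (USER_TABLE) instead of a view is visible at a glance.
$audit = @"
SELECT o.name, o.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'$roleName')
ORDER BY o.type_desc, o.name;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$instance;Database=$database;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $setup
    [void]$cmd.ExecuteNonQuery()

    $cmd.CommandText = $audit
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $flag = if ($reader['type_desc'] -ne 'VIEW') { '  <-- not a view, review this grant' } else { '' }
        Write-Host ("{0,-6} {1,-7} {2,-30} {3}{4}" -f $reader['state_desc'], $reader['permission_name'],
            $reader['name'], $reader['type_desc'], $flag)
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

Because the views and the tables they read are owned by the same owner, SQL Server ownership chaining lets a member of the role select from a granted view without any permission on the underlying tables, which is exactly the supported access path the article describes. The audit query is worth re-running after any change to the database, since a later grant of db_datareader or SELECT on a table to the same group silently reopens direct table access.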
Enable HTTPS access for reporting points
When you configure the reporting point role on a site system, you should configure the reporting point to launch the report viewer using HTTPS. Intercepting the session state or credentials in unencrypted HTTP traffic is a relatively easy attack, and stealing the session state could give the attacker full access to the reporting point. This setting does not obtain a certificate or configure IIS to use SSL. Obtain the certificate and configure IIS to require SSL on the reporting point Web site before you configure the reporting point for HTTPS access.
Configuring HTTPS on the reporting point is completely separate from native mode configuration. Even in native mode, reporting points default to using HTTP access.
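The following PowerShell script (version 2.0 or later) is an added example, not code from the original article or from the Configuration Manager product. It is the pre-flight check a practitioner would run before switching a reporting point to HTTPS: for each reporting point it requests the report viewer over HTTPS, which must succeed with a certificate the client trusts, and over plain HTTP, which should be refused once IIS requires SSL on the virtual directory. The server names and site code are placeholders, and the path SMSReporting_<sitecode> for the reporting point virtual directory is an assumption; run it from a client whose account is a member of Reporting Users on each server.

```powershell
# Added example: verify the IIS side of HTTPS on each reporting point before enabling
# HTTPS in the reporting point properties. Placeholders (assumptions): server FQDNs, site code
# and the SMSReporting_<sitecode> virtual directory name.
$reportingPoints = @('RP01.contoso.com', 'RP02.contoso.com')   # placeholder FQDNs
$siteCode        = 'ABC'                                        # placeholder site code
$vdir            = "SMSReporting_$siteCode"                     # assumed report viewer path

# Request a URL with the caller's Windows credentials and return the HTTP status code,
# or the WebExceptionStatus name when no HTTP response came back at all.
function Test-ReportingUrl {
    param([string]$Url)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.UseDefaultCredentials = $true      # Windows authentication, as the report viewer uses
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return $status
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return $_.Exception.Status.ToString()   # e.g. TrustFailure, ConnectFailure
    }
}

foreach ($server in $reportingPoints) {
    $https = Test-ReportingUrl "https://$server/$vdir/"
    $http  = Test-ReportingUrl "http://$server/$vdir/"

    # HTTPS must work with a certificate the client chain-validates; TrustFailure means the
    # certificate is missing, self-signed, expired or issued to a name other than $server.
    $httpsVerdict = switch ($https) {
        200              { 'OK: report viewer reachable over HTTPS with a trusted certificate' }
        'TrustFailure'   { 'FAIL: certificate not trusted or name mismatch; fix before enabling HTTPS' }
        'ConnectFailure' { 'FAIL: nothing listening on 443; add an SSL binding to the Web site in IIS' }
        default          { "CHECK: unexpected result $https" }
    }
    # Plain HTTP should be refused once IIS requires SSL on the virtual directory (403) or the
    # port is closed; a 200 means credentials and session state still travel in the clear.
    $httpVerdict = switch ($http) {
        403              { 'OK: unencrypted access refused (SSL required)' }
        'ConnectFailure' { 'OK: no plain HTTP listener' }
        200              { 'FAIL: reports still served over HTTP; require SSL on the virtual directory' }
        default          { "CHECK: unexpected result $http" }
    }
    Write-Host "$server`n  HTTPS : $httpsVerdict`n  HTTP  : $httpVerdict"
}
```

Only when every reporting point shows OK on both lines is it safe to set the reporting point to use HTTPS; until then, clients sent to an https:// URL would either fail to connect or be trained to click through certificate warnings, and leaving HTTP open alongside HTTPS keeps the interception risk the setting is meant to remove.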
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.