Security and privacy for hardware inventory in Configuration Manager

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for hardware inventory in Configuration Manager.

Security best practices for hardware inventory

Use the following security best practices when you collect hardware inventory data from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and to use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not collect IDMIF and NOIDMIF files in high-security environments
More information: You can use IDMIF and NOIDMIF file collection to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the Configuration Manager database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. In addition, large amounts of data could be added, and the processing of this data might cause delays in all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.
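As an added, defender-side example (this is not code from the Configuration Manager documentation), the following PowerShell audits every client settings object at a site for the Collect MIF files setting and reports which objects still allow IDMIF or NOIDMIF collection. It assumes the Configuration Manager console and its PowerShell module are installed on the machine it runs on, uses the placeholder site code PS1, and assumes that the hardware inventory hashtable returned by Get-CMClientSetting stores the MIF collection mode under a key whose name contains "MIF"; both the numeric value 0 and the name None are treated as "off".

```powershell
# Added audit script; not part of the Configuration Manager documentation.
# Assumptions: the console's PowerShell module is installed, the site code is
# the placeholder 'PS1', and the hardware inventory settings hashtable exposes
# the MIF collection mode under a key containing 'MIF' (inspect $hw.Keys on
# your site if the report shows $null for a settings object).

$SiteCode = 'PS1'   # placeholder: replace with your site code

# Load the console's module and switch to the site drive (the documented way
# to load the ConfigurationManager module from an installed console).
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

function Test-MifCollectionDisabled {
    # Returns $true when MIF collection is set to None, $false when IDMIF and/or
    # NOIDMIF collection is enabled, and $null when no MIF-related key was found.
    param($HardwareInventorySettings)

    $mifKey = $HardwareInventorySettings.Keys |
        Where-Object { $_ -like '*MIF*' } |
        Select-Object -First 1
    if (-not $mifKey) { return $null }

    $value = $HardwareInventorySettings[$mifKey]
    # 0 (numeric form) and 'None' (enum name) both mean "Collect MIF files: None".
    return ($value -eq 0 -or "$value" -eq 'None')
}

$report = foreach ($cs in Get-CMClientSetting) {
    # Only settings objects that carry a hardware inventory section are relevant;
    # user-only settings objects, for example, return nothing here.
    $hw = Get-CMClientSetting -Name $cs.Name -Setting HardwareInventory
    if (-not $hw) { continue }

    [pscustomobject]@{
        ClientSettings   = $cs.Name
        MifCollectionOff = Test-MifCollectionDisabled -HardwareInventorySettings $hw
    }
}

$report | Format-Table -AutoSize

# Remediation for any row that reports $false, following the best practice above.
# Confirm the parameter name on your console first:
#   Get-Help Set-CMClientSettingHardwareInventory -Parameter CollectMifFile
#   Set-CMClientSettingHardwareInventory -Name '<settings name>' -CollectMifFile None
```

Run the script from an account that has read access to the site's client settings. A row with MifCollectionOff set to $false is a settings object that still accepts unvalidated IDMIF or NOIDMIF data into the site database; a $null value means the key-name assumption did not hold on that site and the hashtable should be inspected by hand before the result is trusted.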

Security issues for hardware inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following:

  • Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled.

  • Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service.

  • Access inventory information as it is transferred to Configuration Manager.

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative.

Hardware inventory is enabled by default as a client setting.

Privacy information for hardware inventory

Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality.

Hardware inventory is enabled by default as a client setting, and the WMI information collected is determined by the options that you select. Software inventory is enabled by default, but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select which hardware inventory reporting classes to enable.

Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval.

Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.