Security and privacy for software updates in Configuration Manager

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for software updates in Configuration Manager.

Security best practices for software updates

Use the following security best practices when you deploy software updates to clients:

  • Do not change the default permissions on software update packages.

    By default, software update packages are set to allow administrators Full Control and users Read access. If you change these permissions, it might allow an attacker to add, remove, or delete software updates.

  • Control access to the download location for software updates.

    The computer accounts for the SMS Provider and the site server, and the administrative user who actually downloads the software updates to the download location, require Write access to the download location. Restrict access to the download location to reduce the risk of attackers tampering with the software update source files in the download location.

    In addition, if you use a UNC share for the download location, secure the network channel by using IPsec or SMB signing to prevent tampering with the software update source files while they are transferred over the network.

  • Use UTC for evaluating deployment times.

    If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers.

  • Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

    Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager.

    For more information on enabling SSL, see the Configure a software update point to use TLS/SSL with a PKI certificate tutorial.

    Important

    If you configure the software update point to enable SSL communications for the WSUS server, you must configure virtual roots for SSL on the WSUS server.

  • Enable CRL checking.

    By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the signature on software updates before they are deployed to computers. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check.

    For more information about how to enable CRL checking for software updates, see How to enable CRL checking for software updates.

  • Configure WSUS to use a custom website.

    When you install WSUS on the software update point, you have the option to use the existing IIS Default Web Site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the same website that is used by the other Configuration Manager site systems or other applications.

    For more information, see Configure WSUS to use a custom web site.
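The first two practices above (default package permissions, and a tightly scoped download location) are easiest to keep honest with a periodic ACL audit. The following PowerShell script is an added example, not part of the Microsoft documentation or the Configuration Manager product; the share path and account names are placeholders you must replace with your own site server, SMS Provider, and administrative accounts.

```powershell
# Added example (not from the Configuration Manager documentation): audit the NTFS
# ACL of a software update download location (or a package source folder) and report
# any identity that holds write-capable rights but is not on the expected list.
# All paths and account names below are assumptions; replace them with your own.
param(
    [string]$DownloadPath = '\\FILESERVER\SoftwareUpdates',   # assumed UNC share
    [string[]]$ExpectedWriters = @(
        'CONTOSO\SITESERVER$',        # site server computer account (assumption)
        'CONTOSO\SMSPROVIDER$',       # SMS Provider computer account (assumption)
        'CONTOSO\cm-update-admin',    # admin user who downloads updates (assumption)
        'BUILTIN\Administrators',     # local admins on the file server (assumption)
        'NT AUTHORITY\SYSTEM'         # remove from the list if it should be flagged
    )
)

# Any of these rights lets a principal add, replace or delete update source files.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

$acl = Get-Acl -Path $DownloadPath
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant access; Deny entries never widen access.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Skip entries whose rights are read-only (no bit of the write mask set).
    if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    $identity = $ace.IdentityReference.Value
    if ($ExpectedWriters -notcontains $identity) {
        [pscustomobject]@{
            Path      = $DownloadPath
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs point at the parent folder
        }
    }
}

if ($findings) {
    Write-Warning "Unexpected write-capable ACEs on ${DownloadPath}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only expected identities hold write access on ${DownloadPath}."
}
```

Run it from an account that can read the share's security descriptor; an inherited finding usually means the parent folder, not the download location itself, needs tightening.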

Privacy information for software updates

Software updates scans your client computers to determine which software updates they require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identifies the computer and logon accounts.

Configuration Manager maintains state information about the software deployment process. State information is not encrypted during transmission or storage. State information is stored in the Configuration Manager database, and it is deleted by the database maintenance tasks. No state information is sent to Microsoft.

The use of Configuration Manager software updates to install software updates on client computers might be subject to software license terms for those updates, which are separate from the Software License Terms for Configuration Manager. Always review and agree to the Software License Terms prior to installing the software updates by using Configuration Manager.

Configuration Manager does not implement software updates by default and requires several configuration steps before information is collected.

Before you configure software updates, consider your privacy requirements.