Security and privacy for hardware inventory in Configuration Manager

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for hardware inventory in Configuration Manager.

Security best practices for hardware inventory

Use the following security best practices when you collect hardware inventory data from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points over HTTPS, everything they send is encrypted by TLS (SSL). When clients use HTTP to communicate with management points on the intranet, however, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and to use encryption. In addition, if your clients support the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not collect IDMIF and NOIDMIF files in high-security environments
More information: You can use IDMIF and NOIDMIF file collection to extend hardware inventory. When necessary, Configuration Manager creates new tables or modifies existing tables in the site database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so they can be used to alter tables that you do not intend to change: valid data can be overwritten by invalid data, and large amounts of data can be added whose processing delays every Configuration Manager function. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.
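The following PowerShell is an added example, not a script from the Configuration Manager documentation. It applies the second best practice above (Collect MIF files = None) to a client settings object and reads the setting back, and it includes a client-side check that lists any MIF files queued for the next inventory cycle. Assumed names: site code PS1, a custom client settings object called "Hardened Workstation Settings" (the default settings object is addressed with the -DefaultSetting switch instead of -Name), the -CollectMifFile parameter of Set-CMClientSettingHardwareInventory as documented for the cmdlet (confirm with Get-Help on your version), and the client folders %windir%\System32\CCM\Inventory\Idmifs and \Noidmifs.

```powershell
# Added example (not Configuration Manager's own code).
# Part 1 runs on a site server with the console installed and turns off MIF collection
# for one client settings object. Part 2 runs on a client and lists MIF files waiting
# to be picked up. Assumptions: site code PS1, the settings object name below,
# the -CollectMifFile parameter name, and the Idmifs/Noidmifs folder locations.
param(
    [string]$SiteCode    = 'PS1',                            # assumed site code
    [string]$SettingName = 'Hardened Workstation Settings'   # assumed custom settings object
)

function Disable-CMMifCollection {
    param([string]$SiteCode, [string]$SettingName)

    Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1" -ErrorAction Stop
    Push-Location "$SiteCode`:"
    try {
        # "Collect MIF files: None" is the mitigation the topic describes. The other
        # values are CollectNoIdMifFile, CollectIdMifFile and CollectIdMifAndNoIdMifFile.
        # For the default settings object use -DefaultSetting instead of -Name.
        Set-CMClientSettingHardwareInventory -Name $SettingName -CollectMifFile None

        # Read the setting back. Get-CMClientSetting returns a hashtable of hardware
        # inventory values; print the MIF-related keys so the change can be confirmed
        # without depending on one particular key name.
        $hw = Get-CMClientSetting -Name $SettingName -Setting HardwareInventory
        $hw.GetEnumerator() |
            Where-Object { $_.Key -match 'MIF' } |
            ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }
    }
    finally {
        Pop-Location
    }
}

function Find-StrayMifFiles {
    # Run on a client. Anyone who can write to these folders can queue a MIF file that
    # the next hardware inventory cycle sends to the site (assumed folder locations).
    $root = Join-Path $env:windir 'System32\CCM\Inventory'
    foreach ($sub in 'Idmifs', 'Noidmifs') {
        $dir = Join-Path $root $sub
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Filter '*.mif' | ForEach-Object {
            [pscustomobject]@{
                Folder   = $sub
                File     = $_.Name
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Modified = $_.LastWriteTime
                Owner    = (Get-Acl -Path $_.FullName).Owner
            }
        }
    }
}

Disable-CMMifCollection -SiteCode $SiteCode -SettingName $SettingName
Find-StrayMifFiles | Format-Table -AutoSize
```

Clients pick up the changed setting on their next policy retrieval, so files already sitting in the Idmifs or Noidmifs folder can still be sent before that; the second function is there to find them. Site-level signing and encryption (the first best practice) are configured on the site's Signing and Encryption tab in the console and are not touched by this script.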

Security issues for hardware inventory

Collecting inventory exposes potential vulnerabilities. Attackers can:

  • Send invalid data, which the management point accepts even when the software inventory client setting is disabled and file collection is not enabled.

  • Send excessively large amounts of data, in a single file or across many files, which might cause a denial of service.

  • Read inventory information while it is in transit to Configuration Manager.

    Because a user with local administrative privileges can submit any information as inventory data, do not treat inventory data collected by Configuration Manager as authoritative.

    Hardware inventory is enabled by default as a client setting.

Privacy information for hardware inventory

Hardware inventory lets you retrieve any information stored in the registry and in WMI on Configuration Manager clients. Software inventory lets you discover all files of a specified type, or collect any specified files, from clients. Asset Intelligence extends hardware and software inventory and adds license management functionality.

Hardware inventory is enabled by default as a client setting, and the WMI information collected is determined by the options that you select. Software inventory is enabled by default, but files are not collected by default. Asset Intelligence data collection is enabled automatically, although you can choose which hardware inventory reporting classes to enable.

Inventory information is not sent to Microsoft. It is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data they send to the site is encrypted in transit. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. Inventory data is not stored in encrypted form in the database. Information is retained in the database until the site maintenance tasks Delete Aged Inventory History and Delete Aged Collected Files remove it, by default after 90 days. You can configure the deletion interval.

Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.
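Because the database holds inventory data unencrypted, the retention window of the two maintenance tasks named above is the main control over how long that data stays exposed. The following PowerShell is an added example, not from the Configuration Manager documentation: it prints the current state of both tasks and shortens the inventory history window. Assumed: site code PS1, a 30-day target (the default is 90), that the objects returned by Get-CMSiteMaintenanceTask expose Enabled and DeleteOlderThan properties, and the -DeleteOlderThanDays parameter of Set-CMSiteMaintenanceTask (confirm both with Get-Help on your version).

```powershell
# Added example (not Configuration Manager's own code). Run on a site server with the
# console installed. Assumptions: site code PS1, the Enabled/DeleteOlderThan properties
# of the returned task objects, and the -DeleteOlderThanDays parameter name.
param(
    [string]$SiteCode = 'PS1',          # assumed site code
    [int]$InventoryHistoryDays = 30     # assumed target retention; product default is 90
)

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "$SiteCode`:"
try {
    # The two tasks the topic names. Delete Aged Collected Files only matters when
    # software inventory file collection is enabled, but its window is still worth seeing.
    $tasks = 'Delete Aged Inventory History', 'Delete Aged Collected Files'

    function Show-Retention {
        foreach ($name in $tasks) {
            $t = Get-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $name
            '{0,-32} enabled={1,-5} deleteOlderThan={2} days' -f $name, $t.Enabled, $t.DeleteOlderThan
        }
    }

    'Before:'
    Show-Retention

    # Shorten the inventory history window and make sure the task is actually enabled;
    # a disabled task keeps the data indefinitely regardless of the day count.
    Set-CMSiteMaintenanceTask -SiteCode $SiteCode `
        -MaintenanceTaskName 'Delete Aged Inventory History' `
        -Enable $true `
        -DeleteOlderThanDays $InventoryHistoryDays

    'After:'
    Show-Retention
}
finally {
    Pop-Location
}
```

The day count only governs how long aged history rows survive in the database; backups of the site database carry the same unencrypted inventory data and need their own retention and access controls.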