Security and privacy for software inventory in Configuration Manager

Applies to: Configuration Manager (current branch)

This topic contains security and privacy information for software inventory in Configuration Manager.

Security best practices for software inventory

Use the following security best practices when you collect software inventory data from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not use file collection to collect critical files or sensitive information
More information: Configuration Manager software inventory uses all the rights of the LocalSystem account, which has the ability to collect copies of critical system files, such as the registry or security account database. When these files are available at the site server, someone with the Read Resource rights or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to compromise its security.

Security best practice: Restrict local administrative rights on client computers
More information: A user with local administrative rights can send invalid data as inventory information.
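The first best practice above (require signing and encryption, and SHA-256 where clients support it) is a site setting. The following script is an added example, not code from the original article or from the Configuration Manager product team; it applies those settings with the ConfigurationManager PowerShell module that ships with the console. The site code and site server are placeholders you supply, and the parameter names -RequireSigning, -UseEncryption and -RequireSha256 are assumed to be the Set-CMSite switches that map to the site's "require signing", "use encryption" and "require SHA-256" settings.

```powershell
# Added example (not part of the original article): enforce signed and encrypted
# inventory for a site from a machine that has the Configuration Manager console.
# Assumptions: the ConfigurationManager module is installed with the console, and
# -RequireSigning / -UseEncryption / -RequireSha256 are the Set-CMSite parameters
# that correspond to the site's signing and encryption settings.
param(
    [Parameter(Mandatory)][string]$SiteCode,    # placeholder, e.g. 'PS1'
    [Parameter(Mandatory)][string]$SiteServer   # FQDN of the site server (placeholder)
)

# The console sets SMS_ADMIN_UI_PATH; the module sits one folder above it.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop

# Create the site drive if the console has not already done so, then switch to it.
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$SiteCode`:"

# Require clients to sign inventory data and to encrypt it in transit to the
# management point. Set RequireSha256 only when all clients support SHA-256, as the
# best-practice row above says; otherwise leave that parameter out.
Set-CMSite -SiteCode $SiteCode -RequireSigning $true -UseEncryption $true -RequireSha256 $true

Write-Verbose "Site $SiteCode now requires signed, encrypted inventory (SHA-256 required)." -Verbose
```

Run it once per primary site from an account with Full Administrator rights in the site. Clients that still use HTTP to reach management points benefit most, because the article notes that HTTPS traffic is already encrypted by SSL.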

Security issues for software inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following actions:

  • Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled.

  • Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service.

  • Access inventory information as it is transferred to Configuration Manager.

If users know that they can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from software inventory, you will not be able to collect software inventory data from that computer.
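A client that has opted itself out of software inventory this way simply stops reporting, so the gap is easy to miss. The function below is an added example, not code from the original article or from Configuration Manager itself: it checks the root of each local fixed disk for the hidden Skpswi.dat marker the paragraph describes and reports what it finds, so you can run it on clients (for example from a compliance script) to spot machines whose inventory has been suppressed. The function name and output fields are my own.

```powershell
# Added example (not part of the original article): report whether a client has been
# excluded from software inventory by a hidden Skpswi.dat file in a drive root.
function Get-SkpswiMarker {
    [CmdletBinding()]
    param(
        # Defaults to every local fixed disk (DriveType 3); pass roots such as 'C:\' to narrow the check.
        [string[]]$DriveRoot = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID
    )

    foreach ($root in $DriveRoot) {
        # Normalise 'C:' or 'C:\' to 'C:\' before appending the file name.
        $rootPath   = Join-Path -Path $root -ChildPath '\'
        $markerPath = Join-Path -Path $rootPath -ChildPath 'Skpswi.dat'

        # -Force is required: the marker is a hidden file and Get-Item skips hidden
        # items without it, which would make this check report a false negative.
        $marker = Get-Item -LiteralPath $markerPath -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            DriveRoot    = $rootPath
            MarkerFound  = [bool]$marker
            Hidden       = if ($marker) { [bool]($marker.Attributes -band [IO.FileAttributes]::Hidden) } else { $null }
            LastWrite    = if ($marker) { $marker.LastWriteTime } else { $null }
        }
    }
}

# Usage: list only the drives where the exclusion marker exists. Run locally, or
# remotely with Invoke-Command against a collection of clients.
Get-SkpswiMarker | Where-Object MarkerFound | Format-Table -AutoSize
```

Comparing the result with the site's last software inventory dates for the same machines tells you whether a missing inventory is a scheduling issue or a deliberate exclusion; as the next paragraph notes, a local administrator can also place this file, so treat a found marker as a reason to investigate rather than as a benign configuration.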

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative.

Software inventory is enabled by default as a client setting.

Privacy information for software inventory

Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality.

Hardware inventory is enabled by default as a client setting, and the WMI information collected is determined by the options that you select. Software inventory is enabled by default, but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select which hardware inventory reporting classes to enable.

Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval.

Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.