Security and privacy for software updates in Configuration Manager

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for software updates in Configuration Manager.

Security best practices for software updates

Use the following security best practices when you deploy software updates to clients:

  • Don't change the default permissions on software update packages.

    By default, software update packages grant administrators Full Control and users Read access. If you change these permissions, you might allow an attacker to add, modify, or remove software updates.

  • Control access to the download location for software updates.

    The computer accounts of the SMS Provider and the site server, and the administrative user who actually downloads the software updates to the download location, require Write access to that location. Restrict access to the download location to everyone else to reduce the risk of an attacker tampering with the software update source files before they are distributed.

    In addition, if you use a UNC share for the download location, secure the network channel with IPsec or SMB signing so that the source files can't be tampered with while they are transferred over the network.

  • Use UTC for evaluating deployment times.

    If you use local time instead of UTC, users could delay the installation of software updates by changing the time zone on their computers.

  • Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

    Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager.

    For more information on enabling SSL, see the Configure a software update point to use TLS/SSL with a PKI certificate tutorial.

    Important

    If you configure the software update point to enable SSL communications for the WSUS server, you must also configure the virtual roots that require SSL on the WSUS server itself; enabling SSL in the software update point properties alone doesn't change the IIS configuration.

  • Enable CRL checking.

    By default, Configuration Manager doesn't check the certificate revocation list (CRL) when it verifies the signature on software updates before deploying them to computers. Checking the CRL each time a certificate is used protects against a certificate that has been revoked, but it introduces a connection delay and additional processing on the computer that performs the CRL check.

    For more information about how to enable CRL checking for software updates, see How to enable CRL checking for software updates.

  • Configure WSUS to use a custom website.

    When you install WSUS on the software update point, you can either use the existing IIS Default Web Site or create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the website that the other Configuration Manager site system roles or other applications use. A compromise of, or misconfiguration in, an application on a shared site then can't affect the WSUS services.

    For more information, see Configure WSUS to use a custom website.
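The following script is an added example for the "control access to the download location" practice above; it isn't part of the Configuration Manager documentation or product. It rebuilds the NTFS and share permissions on the download location from an allowlist, turns on SMB signing on the site server, and provides a check that reports any account with write-capable rights that isn't on the allowlist. The path `D:\SUPDownload`, the share name, the domain `CONTOSO`, and the account names (`CM01$` as the site server, `CMPROV01$` as the SMS Provider, `cm-updates-admin` as the downloading administrator) are assumptions; substitute your own.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Assumed environment: download location D:\SUPDownload on the site server,
# shared as \\CM01\SUPDownload; CONTOSO\CM01$ = site server computer account,
# CONTOSO\CMPROV01$ = SMS Provider computer account,
# CONTOSO\cm-updates-admin = administrator who downloads the updates.

$DownloadPath = 'D:\SUPDownload'
$ShareName    = 'SUPDownload'
$Writers      = @('CONTOSO\CM01$', 'CONTOSO\CMPROV01$', 'CONTOSO\cm-updates-admin')
# SYSTEM and local Administrators keep Full Control so the server can service the folder.
$Operators    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Set-DownloadLocationAcl {
    param([string]$Path, [string[]]$WriteAccounts, [string[]]$FullControlAccounts)

    $acl = Get-Acl -Path $Path
    # Stop inheriting, so a broad grant on a parent folder (for example Users:Modify)
    # can't reach the download location.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE and rebuild from the allowlist.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($account in $FullControlAccounts) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'FullControl', $inherit, $prop, 'Allow')))
    }
    # Allowlisted accounts get Modify (create, write, delete files), nothing more.
    foreach ($account in $WriteAccounts) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', $inherit, $prop, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DownloadLocationAcl {
    # Returns every Allow ACE that carries a write-capable right and belongs to an
    # account outside the allowlist. An empty result means the location is clean.
    param([string]$Path, [string[]]$AllowedAccounts)
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeRights) -ne 0) -and
        ($AllowedAccounts -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Set-DownloadShare {
    # Share permissions are evaluated together with NTFS; keep them just as tight.
    param([string]$Name, [string]$Path, [string[]]$WriteAccounts, [string[]]$FullControlAccounts)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess $FullControlAccounts -ChangeAccess $WriteAccounts | Out-Null
    } else {
        Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
        foreach ($account in $WriteAccounts) { Grant-SmbShareAccess -Name $Name -AccountName $account -AccessRight Change -Force | Out-Null }
    }
}

function Enable-SmbSigning {
    # Require signing on both the server side (the share) and the client side (the
    # administrator's workstation, if this is run there) so transfers can't be altered in transit.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

Set-DownloadLocationAcl -Path $DownloadPath -WriteAccounts $Writers -FullControlAccounts $Operators
Set-DownloadShare -Name $ShareName -Path $DownloadPath -WriteAccounts $Writers -FullControlAccounts $Operators
Enable-SmbSigning
# Report anything that still has write rights without being on the allowlist.
Test-DownloadLocationAcl -Path $DownloadPath -AllowedAccounts ($Writers + $Operators)
```

Run `Test-DownloadLocationAcl` periodically (for example from a scheduled task) rather than only once: a later change by another administrator, or a new share on a parent folder, is exactly the drift the practice warns about. `Set-SmbServerConfiguration -RequireSecuritySignature $true` affects every share on the server, so confirm all SMB clients of the site server support signing before enabling it.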
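The following script is an added example for the "use UTC for evaluating deployment times" practice above; it isn't part of the Configuration Manager documentation or product. It uses the Configuration Manager PowerShell module from the console installation to list existing software update deployments whose times are evaluated in client local time, switch them to UTC, and create a new deployment that uses UTC from the start. The site code `P01`, the software update group and collection names, and the `UseGMTTimes` property (the field of the `SMS_UpdatesAssignment` WMI class that the cmdlet returns) are assumptions to verify against your own site.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Assumed: run on a computer with the Configuration Manager console installed,
# site code P01, an existing software update group "2024-05 Servers" and an
# existing collection "All Servers".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'P01'
Set-Location "$($SiteCode):"

function Get-LocalTimeUpdateDeployment {
    # Deployments evaluated in client local time are the ones a user can push back
    # by changing the time zone. UseGMTTimes = $false means "client local time".
    Get-CMSoftwareUpdateDeployment |
        Where-Object { -not $_.UseGMTTimes } |
        Select-Object AssignmentName, TargetCollectionID, StartTime, EnforcementDeadline, UseGMTTimes
}

function Convert-UpdateDeploymentToUtc {
    # Switch every local-time deployment to UTC. The stored available/deadline
    # values are kept; only the basis on which clients evaluate them changes.
    foreach ($deployment in (Get-CMSoftwareUpdateDeployment | Where-Object { -not $_.UseGMTTimes })) {
        Set-CMSoftwareUpdateDeployment -InputObject $deployment -TimeBasedOn Utc
        Write-Verbose "Converted '$($deployment.AssignmentName)' to UTC"
    }
}

function New-UtcUpdateDeployment {
    param(
        [Parameter(Mandatory)][string]$UpdateGroupName,
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$Name,
        [datetime]$Available = (Get-Date).ToUniversalTime(),
        [datetime]$Deadline  = (Get-Date).ToUniversalTime().AddDays(7)
    )
    # -TimeBasedOn Utc makes both the available time and the deadline UTC-based,
    # so a client's time zone has no effect on when enforcement starts.
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $UpdateGroupName `
        -CollectionName $CollectionName -DeploymentName $Name `
        -DeploymentType Required -AvailableDateTime $Available -DeadlineDateTime $Deadline `
        -TimeBasedOn Utc -UserNotification DisplayAll
}

# Audit first, then remediate, then create new deployments the right way.
Get-LocalTimeUpdateDeployment
Convert-UpdateDeploymentToUtc -Verbose
New-UtcUpdateDeployment -UpdateGroupName '2024-05 Servers' -CollectionName 'All Servers' -Name '2024-05 Servers (UTC)'
```

Note that switching an existing deployment to UTC reinterprets its stored times: a deadline of 18:00 local becomes 18:00 UTC, so review the output of `Get-LocalTimeUpdateDeployment` before running the conversion and adjust any deadline that would otherwise land inside business hours.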
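The following script is an added example for the "enable SSL on WSUS" and "configure WSUS to use a custom website" practices above; it isn't part of the Configuration Manager documentation or the WSUS tooling. It sets the SSL requirement on the WSUS virtual roots that carry client and server-to-server traffic, tells WSUS itself to use SSL with `WsusUtil.exe configuressl`, and checks that WSUS isn't hosted on the IIS Default Web Site. The site name `WSUS Administration` (the custom website that the WSUS installer creates on ports 8530/8531) and the server name `wsus01.contoso.com` are assumptions; the script also assumes that a PKI server authentication certificate is already bound to port 8531.

```powershell
# Added example, not code from the Configuration Manager documentation.
# Assumed: WSUS installed in the custom IIS site "WSUS Administration",
# a server-auth certificate already bound to HTTPS port 8531,
# and the software update point reachable as wsus01.contoso.com.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'
$WsusFqdn = 'wsus01.contoso.com'
# Virtual roots that must require SSL. The remaining ones (Content, Inventory,
# ReportingWebService, SelfUpdate) are left on HTTP because WSUS serves update
# content and self-update over HTTP; the content is protected by its own signature.
$SslVroots = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
             'ServerSyncWebService', 'SimpleAuthWebService'

function Set-WsusVrootSsl {
    param([string]$Site, [string[]]$Vroots)
    foreach ($vroot in $Vroots) {
        # sslFlags = Ssl is "Require SSL" in IIS Manager for that application.
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$vroot" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

function Test-WsusVrootSsl {
    # Returns the vroots that still accept plain HTTP; empty output means all good.
    param([string]$Site, [string[]]$Vroots)
    foreach ($vroot in $Vroots) {
        $access = Get-WebConfiguration -PSPath "IIS:\Sites\$Site\$vroot" -Filter 'system.webServer/security/access'
        if ([string]$access.sslFlags -notmatch 'Ssl') { $vroot }
    }
}

function Test-WsusOnDefaultWebSite {
    # WSUS on the Default Web Site shares the site with whatever else IIS hosts there;
    # report any WSUS application found under it.
    Get-WebApplication -Site 'Default Web Site' -ErrorAction SilentlyContinue |
        Where-Object { $_.path -match 'ClientWebService|ApiRemoting30|ServerSyncWebService' } |
        Select-Object path, PhysicalPath
}

Set-WsusVrootSsl -Site $SiteName -Vroots $SslVroots
$open = Test-WsusVrootSsl -Site $SiteName -Vroots $SslVroots
if ($open) { throw "These WSUS virtual roots still allow HTTP: $($open -join ', ')" }

if (Test-WsusOnDefaultWebSite) {
    Write-Warning 'WSUS is hosted on the Default Web Site; reinstall it into a custom website.'
}

# Point WSUS itself at the SSL-enabled FQDN; the name must match the certificate
# subject or a SAN, and the same FQDN must be used in the software update point properties.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $WsusFqdn
```

After running this, set the software update point in the Configuration Manager console to require SSL and use port 8531, then watch `WCM.log` and `WSUSCtrl.log` on the site server to confirm the site can still connect to WSUS over HTTPS; a certificate whose subject or SAN doesn't match `$WsusFqdn` fails at that step, not when the script runs.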

Privacy information for software updates

The software updates feature scans your client computers to determine which software updates they require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identifies the computer and logon accounts.

Configuration Manager maintains state information about the software deployment process. State information isn't encrypted during transmission or storage. It's stored in the Configuration Manager database and is deleted by the database maintenance tasks. No state information is sent to Microsoft.

Using Configuration Manager software updates to install software updates on client computers might be subject to the software license terms for those updates, which are separate from the Software License Terms for Configuration Manager. Always review and agree to the software license terms before you install the software updates by using Configuration Manager.

Configuration Manager doesn't enable software updates by default; several configuration steps are required before any information is collected.

Before you configure software updates, consider your privacy requirements.