Configuration Manager Security Best Practices

Next week will be the 2 year anniversary of when I started working for Dell Services (which has been acquired by NTT Data).

In my position with them as Configuration Management Senior Advisor I transitioned from years of supporting one Configuration Manager (ConfigMgr) site for one company to supporting multiple sites for multiple companies as I was needed.

Often this was coming into a ConfigMgr environment that had already been running, but I was also involved in a stagnated project to migrate ConfigMgr 2007 to ConfigMgr 2012.

One of the things that was always a point of contention was the level of access required to ConfigMgr and to the resources needed to run the system.

Typically, this manifested itself in the perception that full administrator rights to the ConfigMgr system, and to all other aspects of the infrastructure, are required to perform day-to-day duties in ConfigMgr.  This is not the case at all.

Now don’t get me wrong, if you are fully responsible for the care and feeding of a ConfigMgr hierarchy, then full rights is kind of essential to do what is necessary to keep things running.

However, if all a user is responsible for is deploying Software Updates, then full administrative rights are not necessary by any means.  This is exactly why Role Based Administration was added to the product in ConfigMgr 2012.  If anyone tells you different, then they are either lying, have no idea what they are talking about, or just want to take the easy way out.  This “easy” way of doing things is exactly why there are so many data breaches in my opinion.

With that in mind, we were put into a dilemma when trying to shore up the access to our client ConfigMgr sites. We had no formal written procedure that outlined what the proper level of access to ConfigMgr resources should be.

To make a long story short (or is it too late for that?), I was tasked with writing up a “ConfigMgr Security Best Practices” that we could leverage on all of our accounts.

The following is that Best Practice document.  Some may find it too harsh or even not harsh enough, but keep in mind politics always takes a role in things like this.  Hopefully you will find it useful.


System Center Configuration Manager Security Best Practices

Overview

System Center Configuration Manager (ConfigMgr) Security can be broken up into three areas.

  1. Windows Server Security
  2. Microsoft SQL Server (SQL Server)
  3. ConfigMgr Security

Windows Server Security

Full administrator rights to ConfigMgr servers should be kept to the minimum that allows work to be performed while reducing the risk of a service outage.  Keeping the number of accounts that can log on directly to a ConfigMgr server to a minimum is recommended as well.  This helps secure the server from several different scenarios, including but not limited to the following:

  • Reduces risk of security breach through malware
  • Reduces the resource hit of logging in remotely. Even accounts that disconnect instead of log off of a server remotely use resources.
  • Reduces risk of accidental change of Windows configuration that could affect the stable operation of ConfigMgr.

Best Practice

  • At minimum, the Primary and Backup ConfigMgr Infrastructure Advisor assigned to an account should be added to the local Administrators group on all resources that are assigned for use as ConfigMgr resources, for troubleshooting purposes. This access is required to perform troubleshooting tasks as quickly and efficiently as possible.
  • All other consumers of ConfigMgr services should not be granted any server logon rights to perform ConfigMgr duties. Their tasks can be done through a jump server and/or remote administration consoles.
  • All other users granted with server logon rights should be limited to personnel that are in charge of supporting server hardware or the operating system.
  • All modifications to the Windows Server must be performed under an approved change management request.

 

SQL Server Security

SQL Server is the backbone of ConfigMgr and its security is just as important as the operating system’s security in keeping ConfigMgr running smoothly.  SQL Server holds all of the data that ConfigMgr accumulates through all its various agents, and access to that data is the key to using ConfigMgr effectively to manage an enterprise.  With that in mind SQL Server security needs to allow the flow of information, while reducing the risk of data corruption.

The standard way for retrieving information from ConfigMgr is Reporting with its integration with SQL Server Reporting Services.  Reporting in ConfigMgr provides a set of tools and resources that helps use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience that Reporting Services Report Builder provides. Reporting helps you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other ConfigMgr operations in an organization. Reporting provides a number of predefined reports that you can use without changes, or that can be modified to meet most requirements, and can be used to create custom reports.

Reporting is ideal for gathering information because it can be configured so that users do not need any special rights to SQL Server itself; the program itself is what accesses the ConfigMgr database.  All that needs to be created is an easily reproducible role in ConfigMgr to which all users needing Reporting can be added, without the need for any other access to ConfigMgr.

Report Subscriptions can also be made to facilitate the flow of information even further, by scheduling delivery of frequently used reports to a group of users through e-mail, or to be delivered to a specific share on the network for archival purposes.

Best Practice

  • At minimum, the Primary and Backup ConfigMgr Infrastructure Advisor assigned to an account should have full rights to SQL Server. This access is required to perform troubleshooting tasks as quickly and efficiently as possible.
  • All other consumers of ConfigMgr services do not require, and will not be given, full rights to SQL Server.
  • All other users granted full rights to SQL Server should be limited to personnel that are in charge of supporting SQL Server processes.
  • All modifications to SQL Server or the ConfigMgr database must be performed under an approved change management request.
  • Changes to ConfigMgr database are not supported by Microsoft, and any update of the product may reset those changes.

 

ConfigMgr Security

Setting up security for ConfigMgr might seem like a daunting task, but it can be a lot simpler if you keep in mind this simple guideline: Never give more security rights than the absolute minimum needed to do a task.  It is easy to add more security rights a bit at a time to fine-tune someone’s role; however, human nature makes it difficult to scale back unneeded security rights once they are given.  In some environments, scaling back security rights in ConfigMgr might not be an issue; in others it could cause political fallout that can jeopardize our relationship with a client.

To help with assigning admins to common tasks in ConfigMgr, there are several built-in security roles that provide rights to specific functions.  The roles are not exclusive: an admin can be assigned more than one role, and these roles can be copied and made into custom roles to fit other needs.

Here is a list of the built in roles in ConfigMgr 2012 as of R2:

System Center 2012 Configuration Manager Built-in Security Roles

| Name | Description |
|---|---|
| Application Administrator | Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments. |
| Application Author | Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications, packages, and App-V virtual environments. |
| Application Deployment Manager | Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments. |
| Asset Manager | Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules. |
| Company Resource Access Manager <R2> | Grants permissions to create, manage and deploy company resource access profiles such as Wi-Fi, VPN and certificate profiles to users and devices. |
| Compliance Settings Manager | Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, and initiate compliance evaluation, and initiate remediation for non-compliant computers. |
| Endpoint Protection Manager | Grants permissions to define and monitor security policies. Administrative Users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify Alerts and monitor Endpoint Protection status. |
| Full Administrator | Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections. |
| Infrastructure Administrator | Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks. |
| Operating System Deployment Manager | Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings. |
| Operations Administrator | Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes. |
| Read-only Analyst | Grants permissions to view all Configuration Manager objects. |
| Remote Tools Operator | Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options. |
| Security Administrator | Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections. |
| Software Update Manager | Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP). |

 

Best Practices:

  • The Full Administrator role should only be used for the Primary and Secondary Infrastructure Advisor on the account.
  • Infrastructure Administrator and Operations Administrator should only be used for Junior Admins and/or training purposes when giving full rights is not appropriate.
  • All other roles can be assigned as needed for specific tasks but should only be given to Dell personnel, unless approved by Desktop Engineering management, account leadership, and the designated customer service manager.
  • To give rights to view reports only, a custom Report Readers role will have to be created. See next section for instructions.
  • All modifications to the ConfigMgr permissions must be performed under an approved change management request.
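
One way to check a site against these role rules is to compare each administrative user's roles with an approved list per restricted role. The script below is an added example, not part of the original best-practice document; the account names, the `$Policy` table and the `Test-CMRoleAssignment` function are hypothetical, and it assumes the `LogonName` and `RoleNames` properties returned by the ConfigMgr `Get-CMAdministrativeUser` cmdlet.

```powershell
# Approved holders for each restricted role (placeholder accounts, assumptions for illustration).
$Policy = @{
    'Full Administrator'           = @('CONTOSO\primary.advisor', 'CONTOSO\secondary.advisor')
    'Infrastructure Administrator' = @('CONTOSO\junior.admin')
    'Operations Administrator'     = @('CONTOSO\junior.admin')
}

function Test-CMRoleAssignment {
    # Emits one finding for every restricted role held by an account that is not approved for it.
    param(
        [Parameter(Mandatory)] [object[]]  $AdminUser,  # objects exposing LogonName and RoleNames
        [Parameter(Mandatory)] [hashtable] $Policy      # role name -> approved logon names
    )
    foreach ($admin in $AdminUser) {
        foreach ($role in $admin.RoleNames) {
            # Roles absent from the policy table are unrestricted and are skipped.
            if ($Policy.ContainsKey($role) -and $Policy[$role] -notcontains $admin.LogonName) {
                [pscustomobject]@{
                    LogonName = $admin.LogonName
                    Role      = $role
                    Finding   = 'Restricted role held by an account not on the approved list'
                }
            }
        }
    }
}

# Constructed sample data, shaped like Get-CMAdministrativeUser output, so the script runs offline.
$sample = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\primary.advisor'; RoleNames = @('Full Administrator') }
    [pscustomobject]@{ LogonName = 'CONTOSO\patch.operator';  RoleNames = @('Software Update Manager') }
    [pscustomobject]@{ LogonName = 'CONTOSO\helpdesk.lead';   RoleNames = @('Remote Tools Operator', 'Full Administrator') }
    [pscustomobject]@{ LogonName = 'CONTOSO\site.trainee';    RoleNames = @('Operations Administrator') }
)

# Reports helpdesk.lead (Full Administrator) and site.trainee (Operations Administrator).
Test-CMRoleAssignment -AdminUser $sample -Policy $Policy | Format-Table -AutoSize

# Against a live site, from a ConfigMgr PowerShell session connected to the site drive:
#   Test-CMRoleAssignment -AdminUser (Get-CMAdministrativeUser) -Policy $Policy
```

Running the check on a schedule and attaching the findings to the change management record makes role creep visible before it becomes hard to scale back.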

 

 

 

 
