SCCM 2012 – Security (Part 1)
security is always a hot topic and people think that only blocking certain actions from the console is enough. but what about the data that is being sent to/from a client? from a server? is it secure?
Well…before i answer this questions, you need to understand a bit more about SCCM.
SCCM 2007 had 2 installation modes. Mixed mode and Native mode. the mixed mode was “unsecure” by default while the native mode was “a bit secure” by default. what i mean by this? in a mixed mode, all network traffic was not encrypted and the default protocol for client communication was HTTP while on native mode the default protocol was HTTPS.
This changed on SCCM 2012 as you can set this option per role, it means that you can have a management point accepting either HTTP or HTTPS and another management point accepting HTTPS only. for all other roles, it depends as well. there are site roles that accept HTTP or HTTPS but the concept is still the same.
if HTTPS more is more secure, why people don’t use it? Well..i can answer this question in 2 different ways. 1- PKI. Do you have a PKI in place? is it working? do you have anyone to manage it? etc…
2- A bit more difficult…only because you rely on a PKI environment and if this PKI is not health or it is not configured properly, you will have problems. a normal problem is when you configure the CRL…
anyway, let’s not focus on PKI here, let’s only focus on the SCCM part…as you can see HTTPS will help you out, but it is not 100% secure. the reason is simple. data will be kept in the database “unencrypted”…if your Hardware or Software inventory sends sensitive data, people with access to the database will have access to it. the same is with you CA is compromised, people may capture the network traffic and be able to decompress the data…
this helps, but is this enough?!?!!? well..it depends on your environment and how crazy you are related security. If you’re totally crazy, i’d recommend the following:
1- Set the security at SCCM Level (encrypting the data)
2- Use only HTTPS mode for site as well as any role.
3- at network level, secure it using IPSEC and/or IPv6 or any other solution that allows you to encrypt network traffic.
anyway…i hope i gave you a bit of information about SCCM security (network level). As you read, this is only part I, the next posts we’ll be talking how to migrate a HTTP site to HTTPS site.