SCCM 2012 – Security (Part 1)

Hi All,

security is always a hot topic and people think that only blocking certain actions from the console is enough. but what about the data that is being sent to/from a client? from a server? is it secure?

Well…before i answer this questions, you need to understand a bit more about SCCM.

SCCM 2007 had 2 installation modes. Mixed mode and Native mode. the mixed mode was “unsecure” by default while the native mode was “a bit secure” by default. what i mean by this? in a mixed mode, all network traffic was not encrypted and the default protocol for client communication was HTTP while on native mode the default protocol was HTTPS.

This changed on SCCM 2012 as you can set this option per role, it means that you can have a management point accepting either HTTP or HTTPS and another management point accepting HTTPS only. for all other roles, it depends as well. there are site roles that accept HTTP or HTTPS but the concept is still the same.

if HTTPS more is more secure, why people don’t use it? Well..i can answer this question in 2 different ways. 1- PKI. Do you have a PKI in place? is it working? do you have anyone to manage it? etc…
2- A bit more difficult…only because you rely on a PKI environment and if this PKI is not health or it is not configured properly, you will have problems. a normal problem is when you configure the CRL…

anyway, let’s not focus on PKI here, let’s only focus on the SCCM part…as you can see HTTPS will help you out, but it is not 100% secure. the reason is simple. data will be kept in the database “unencrypted”…if your Hardware or Software inventory sends sensitive data, people with access to the database will have access to it. the same is with you CA is compromised, people may capture the network traffic and be able to decompress the data…

to secure this traffic, SCCM has a built-in solution that you can set on a site level, that allows you to encrypt client inventory and state message that is sent to the Management Point
security1

this helps, but is this enough?!?!!? well..it depends on your environment and how crazy you are related security. If you’re totally crazy, i’d recommend the following:
1- Set the security at SCCM Level (encrypting the data)
2- Use only HTTPS mode for site as well as any role.
3- at network level, secure it using IPSEC and/or IPv6 or any other solution that allows you to encrypt network traffic.

anyway…i hope i gave you a bit of information about SCCM security (network level). As you read, this is only part I, the next posts we’ll be talking how to migrate a HTTP site to HTTPS site.

About

Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".

Tagged with: , , ,