Microsoft System Center Configuration Manager is an incredibly powerful tool. It provides IT administrators and operators with visibility of desktop and server system configurations and the ability to change configurations, install software and security patches, execute any code on clients with elevated privileges and even replace or upgrade the operating system on hundreds of thousands of devices, all from a single management console.

Any system that has such power and reach in your environment needs to be protected from unauthorized or malicious use and, as far as possible, operator error and accidents.

Configuration Manager uses certificate-based signing of client policy, mutual certificate-based authentication of communication between clients and servers, and SHA-256 hashing for integrity-checking of content that has been downloaded before it is executed. These are all built-in defenses against ‘man-in-the-middle’ type attacks, but securing the Configuration Manager infrastructure – especially the Site Server, which should be considered the ‘crown jewels’ – is also necessary to reduce the risk of unauthorized or malicious use from the core. This blog identifies 8 best practices to make your Configuration Manager infrastructure secure and also reduce the scope and severity of accidents and operator error.

1: Restrict access to the Configuration Manager Database

Configuration Manager is the only thing that should be writing to the Configuration Manager Database. Any process or user that is able to write directly to the Configuration Manager database can modify existing objects in Configuration Manager (e.g. change a Program Command Line to execute a different process or modify Collection Membership Rules to target different devices).

Any user or process, including in-house or third-party add-ons, that needs to make changes to Configuration Manager should always do so through the SMS Provider (the Configuration Manager Console uses the SMS Provider) with its inherent security and auditing features. Read access to the database can be given more freely – no doubt you will be using reporting tools or third-party add-ons that use inventory information and such from Configuration Manager, but under normal operational conditions, write access should be limited to the Configuration Manager components.

2: Restrict admin rights on the Site Server

This is the most basic security best practice for all systems, but Configuration Manager Site Systems, especially the Site Server, must be stringently managed to prevent unauthorized changes and accidents, and to limit the damage should any malware manage to execute while a user is logged on. Restrict membership of the local Administrators group on the Site Server to only essential system administrators. Avoid logging on to site system servers with admin accounts unless absolutely necessary. Consider carefully any external tools that are granted local admin rights on the Site Server.

Avoid installing other applications on the Site Server. As well as affecting performance, it increases the attack surface on the server. Applications that interface with Configuration Manager should be installed on a separate server wherever possible and only be given absolutely necessary permissions on the Site Server. With an increasing amount of malware being propagated through websites, you may want to consider restricting internet access on your Configuration Manager servers (in conjunction with restricted admin rights), to prevent installation of unauthorized software directly from the Internet. (How often have you been tempted to quickly download a free tool to troubleshoot an issue on a server?) You don’t want nasties like Flash or Java creeping onto your site server.

4: Separate the Site Server from IIS-based site systems

For the most part, Configuration Manager clients interact with Configuration Manager through various IIS-based Site Systems such as Management Points, Distribution Points and Software Update Points. As IIS increases the attack surface on a server, you should keep all the IIS Site Systems off the site server – use separate servers for these. For small organizations you may want to install several IIS-based site roles onto the same server (although for redundancy you should always have at least two, even in the smallest environments).

5: Use HTTPS for communication with Site Systems

Configuration Manager enables some Site Systems to use HTTPS, encrypting the data during transit between the site system and the client, thereby mitigating ‘man-in-the-middle’ attacks. This is essential for managing Internet-based clients, but can also be implemented on intranet-based Site Systems.
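
For practice 1 (restrict access to the Configuration Manager database), a review query that lists every database principal able to modify the site database, whether through a fixed database role or through an explicit grant. This is an added example, not part of the original post; `CM_XXX` is a placeholder database name, and which principals legitimately belong in the output depends on your own site.

```sql
-- Added example. CM_XXX is a placeholder: substitute your site database name.
USE [CM_XXX];

-- Part 1: members of fixed database roles that can change data, schema or permissions.
SELECT  m.name                                  AS principal_name,
        m.type_desc COLLATE DATABASE_DEFAULT    AS principal_type,
        N'role member'                          AS granted_via,
        r.name                                  AS securable
FROM    sys.database_role_members AS drm
JOIN    sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE   r.name IN (N'db_owner', N'db_datawriter', N'db_ddladmin', N'db_securityadmin')

UNION ALL

-- Part 2: explicit GRANTs (with or without grant option) that permit modification
-- at database (class 0), object (class 1) or schema (class 3) scope.
SELECT  g.name,
        g.type_desc COLLATE DATABASE_DEFAULT,
        p.permission_name COLLATE DATABASE_DEFAULT,
        CASE p.class
            WHEN 0 THEN N'(database)'
            WHEN 3 THEN N'schema ' + SCHEMA_NAME(p.major_id)
            ELSE OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id)
        END
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
WHERE   p.state IN ('G', 'W')
  AND   p.class IN (0, 1, 3)
  AND   p.permission_name IN (N'INSERT', N'UPDATE', N'DELETE',
                              N'ALTER', N'CONTROL', N'EXECUTE')
ORDER BY principal_name, granted_via, securable;
```

Any row for a user, group or third-party service account that should only be reading inventory data is a candidate for removal or for a move to read-only access.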