Standard and Advanced Security




As stated in Chapter 1, 'Overview,' SMS 2003 offers two security modes. Your choice depends largely on how your Windows servers are deployed. If your network still contains Windows NT 4.0 servers, if it has not been upgraded to Active Directory directory service in native mode, or if you are upgrading an existing SMS 2.0 site, your choice will be standard security, and the resulting SMS site functions much as an SMS 2.0 site did: setup creates many user accounts that SMS uses to carry out its various tasks on SMS servers and SMS clients, and each of those accounts and its password is something you must manage and protect.

If your network is a fully implemented native mode Active Directory network, or if all of your SMS component servers run Windows 2000 or later and are joined to an Active Directory domain (a requirement for advanced security), you can choose advanced security.

To be more specific, advanced security requires that the SMS site server and all SMS site systems run either Windows 2000 Service Pack 4 (SP4) or later (or have Windows Quick Fix Engineering (QFE) update 325804 applied) or an operating system in the Windows Server 2003 family, and that they are members of an Active Directory domain. The SMS site database servers must run SQL Server 2000 SP3 or later and must be configured for Windows authentication only (not mixed mode), because in advanced security the site systems connect to the database as their computer accounts rather than with a SQL Server login.

The main advantage of advanced security mode is that it is the more secure of the two. It neither requires nor relies on the many user accounts that standard security needs to carry out SMS-related tasks. Instead, it uses two kinds of security principal: the local system account and computer accounts. SMS services run as the local system account on each SMS server, and that account makes changes on the server itself; when SMS must connect to another computer and make changes there, it authenticates as the server's computer account (the domain account whose name ends in $) rather than as a user account. Only a service running in the local system context authenticates on the network as the computer account, and only administrators can configure services, so there is no service-account password to distribute, store or rotate, and no user-account credential that could be reused from another machine. That is why advanced security is the preferred and recommended security mode.

Note 

A central site can't run standard security if any other site in that hierarchy is running advanced security.

You can choose advanced security mode during SMS setup, or you can install your SMS site server with standard mode and then upgrade to advanced security later. To upgrade your site to advanced security, complete the following steps:

  1. Navigate to the site entry under the Site Hierarchy node in the SMS Administrator Console.

  2. Right-click the site entry and select Properties from the context menu.

  3. Click Set Security in the General tab shown in Figure 17.1.

    Figure 17.1: The General tab of the Site Properties dialog box.

  4. Click Yes when prompted to turn on advanced security mode as shown in Figure 17.2.

    Figure 17.2: The Set Security Mode prompt.

I make it a practice to always read the prompts that SMS shows me, and I highly recommend it to you as well. For example, in the prompt that displays in Figure 17.2, SMS is clearly stating several things that you must be aware of:

  • Once you make this change, you can't go back.

  • There are several server requirements that must be confirmed to support advanced security.

  • A service (Windows Management Instrumentation) is stopped and restarted.

  • You might have a problem with the SMS Administrator Console that requires you to restart it.

The first point is obvious, although technically you could revert your site to standard security if you had backed up the site server, including its registry, and could restore the system state to its previous settings. SMS itself offers no way to switch back, so treat the change as one way: don't upgrade to advanced security unless you're sure you want to do it and you're ready to do it. It's hard to go back.

The second point is perhaps not as obvious, so let's take some time and discuss it. Let's begin with the fact that in advanced security mode, SMS 2003 relies on the local system account mainly to run service-related tasks and on computer accounts mainly to maintain communications. This oversimplifies the case somewhat, but still this is a good rule of thumb to keep in mind.

So with this rule of thumb in mind, note well what the Set Security Mode prompt is telling you to do. The site server requires Administrator access on its site systems and the appropriate permissions on any parent or child sites it must communicate with in the SMS hierarchy. You satisfy the first requirement by adding the site server's computer account to the local Administrators group on each site system in the site. The object picker in Local Users and Groups does not list computer accounts by default (on Windows 2000 it does not list them at all; on Windows Server 2003 you must first change Object Types to include Computers), so the reliable way to add the account is from a command line. Run the following command at the site system, substituting your domain's NetBIOS name and the site server's computer name; the trailing $ is what identifies the account as a computer account:

net localgroup Administrators domain\siteservercomputername$ /ADD

Similarly, the computer account of each site system must be a member of the site server's SMS_SiteSystemToSiteServerConnection_<sitecode> local group (where <sitecode> is your three-character site code), which grants site systems the access they need to the site server's inboxes. SMS adds the computer accounts of the client access point (CAP) and management point site systems to this group itself, and does the same for any new site system you add later. When you upgrade to advanced security, the site server's computer account is likewise added automatically to the SMS_SiteToSiteConnection_<sitecode> group on its parent and child sites, which allows the sites in the hierarchy to communicate with the appropriate level of access. Because these group memberships are the entire basis of access between SMS computers in advanced security, verifying them should be your first troubleshooting step whenever a site system or a site in the hierarchy stops communicating, rather than assuming the automatic additions succeeded.
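As an added example that is not part of the book, the following PowerShell script checks from the site server the items the Set Security Mode prompt asks you to confirm: each site system's operating system version and domain membership, whether the site server's computer account is in each site system's local Administrators group (printing the net localgroup command to run on any site system where it is missing), whether each site system's computer account is in the site server's SMS_SiteSystemToSiteServerConnection_<sitecode> group, and whether the site database server is set to Windows authentication only. The domain, site code and server names, the WinNT ADSI member paths, and the SQL Server 2000 LoginMode registry value (1 = Windows authentication only) are assumptions for illustration; the script needs administrator rights on every server it queries, plus WMI and remote registry access to them.

```powershell
# Added example, not from the book: verify advanced-security prerequisites and
# the computer-account group memberships that advanced security depends on.
# Run on the site server as an SMS administrator. All names are placeholders.
$Domain      = 'CONTOSO'                            # assumed NetBIOS domain name
$SiteCode    = 'A01'                                # assumed three-character site code
$SiteServer  = 'SMSSITE01'                          # assumed site server name
$SiteSystems = @('SMSCAP01', 'SMSMP01', 'SMSSQL01') # assumed CAP, MP and SQL site systems
$SqlServer   = 'SMSSQL01'                           # assumed site database server

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider enumerates a local group; computer accounts
    # appear with an ADsPath of the form WinNT://DOMAIN/NAME$ (assumed format).
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-OsPrerequisite {
    param([string]$Computer)
    $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
    $cs  = Get-WmiObject Win32_ComputerSystem   -ComputerName $Computer
    $ver = [version]$os.Version
    # Windows 2000 (5.0) qualifies with SP4 or later (QFE 325804 on SP3 must be
    # checked by hand); Windows XP/Server 2003 (5.1/5.2) qualify as shipped.
    $osOk = ($ver.Major -eq 5 -and $ver.Minor -eq 0 -and $os.ServicePackMajorVersion -ge 4) `
            -or ($ver.Major -eq 5 -and $ver.Minor -ge 1)
    New-Object PSObject -Property @{
        Computer = $Computer; OsOk = $osOk; InDomain = [bool]$cs.PartOfDomain
    }
}

function Test-SqlWindowsAuthOnly {
    param([string]$Computer)
    # Default SQL Server 2000 instance keeps its authentication mode in this
    # registry value (assumed path): 1 = Windows authentication only, 2 = mixed.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\MSSQLServer\MSSQLServer')
    return ($key -ne $null -and $key.GetValue('LoginMode') -eq 1)
}

# Outbound side: the site server's computer account must be a local
# Administrator on every site system.
$siteServerAcct = "$Domain/$SiteServer`$"
foreach ($sys in $SiteSystems) {
    $pre    = Test-OsPrerequisite $sys
    $admins = Get-LocalGroupMembers -Computer $sys -Group 'Administrators'
    $hasSiteServer = [bool]($admins | Where-Object { $_ -like "*/$siteServerAcct" })
    "{0}: OS ok={1}, in domain={2}, site server in Administrators={3}" -f `
        $sys, $pre.OsOk, $pre.InDomain, $hasSiteServer
    if (-not $hasSiteServer) {
        # net localgroup has no remote switch, so this must be run on the site system.
        "  Run on ${sys}: net localgroup Administrators $Domain\$SiteServer`$ /ADD"
    }
}

# Inbound side: each site system's computer account should be in the group SMS
# populates on the site server when it enables advanced security.
$connGroup   = "SMS_SiteSystemToSiteServerConnection_$SiteCode"
$connMembers = Get-LocalGroupMembers -Computer $SiteServer -Group $connGroup
foreach ($sys in $SiteSystems) {
    $present = [bool]($connMembers | Where-Object { $_ -like "*/$Domain/$sys`$" })
    "{0} in {1}: {2}" -f $sys, $connGroup, $present
}

"SQL Server {0} uses Windows authentication only: {1}" -f $SqlServer, (Test-SqlWindowsAuthOnly $SqlServer)
```

The script only reports; it never changes a group itself, so the remediation stays the explicit net localgroup command run on the affected site system, where you can see exactly which computer account is being granted local Administrator rights. A site system missing from the SMS_SiteSystemToSiteServerConnection_<sitecode> group is worth investigating rather than adding by hand, since SMS is expected to maintain that membership.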






Microsoft Systems Management Server 2003 Administrator's Companion
ISBN: 0735618887
Year: 2006