How to Start Securing ConfigMgr in the Enterprise

Nicolas PilonAdaptiva, SCCMLeave a Comment

Securing ConfigMgr

 

As an IT professional, you already know that a security breach can be devastating. It can also be expensive, $4 million on average according to a 2015 survey sponsored by IBM.

Microsoft System Center Configuration Manager (ConfigMgr) can play a huge part in preventing attacks and implementing an enterprise-wide security solution. ConfigMgr helps companies make sure all endpoints are current with the latest security fixes, configured correctly, behaving normally, and only running authorized applications.

However, like almost everything else in IT these days, ConfigMgr itself is a target for hackers who can use it to distribute malware, take control of computers with access to private data, and engage in all manner of nefarious activity. According to a recent Adaptiva survey of more than 150 IT professionals, 70 percent expressed concern about potential security vulnerabilities in their Microsoft ConfigMgr environments.

Securing the perimeter of your company’s network is usually the #1 priority, and rightly so. However, securing ConfigMgr should also be a key part of your organization’s cyber defense strategy. A full list of security topics for ConfigMgr admins could span dozens or hundreds of topics. In this blog, I am giving you a place to start by explaining some key considerations and pointing you to some helpful online resources.

Securing ConfigMgr

Restrict and Review ConfigMgr Administrative Users

This may seem obvious, but you’d be surprised how many companies overlook it. Admin privileges are the keys to the kingdom, and many IT shops hand them out too freely. Some basic guidelines are:

  • Make sure that nobody has ConfigMgr permissions except people who specifically need them.
  • Use role-based security and least privilege management (LPM) to make sure that nobody has more privileges than needed.
  • Look into all new administrators. Some companies perform a background check, others consider it sufficient to just contact references.
  • Review the assignments on a regular basis. Just because somebody needed ConfigMgr superpowers a year ago does not mean they still need them today.
  • Check the audit logs once in a while to see that nobody is overstepping their bounds. This one is getting into the hard-to-justify-spending-the-time realm, but it will keep your company safer if you do it.

Securing ConfigMgr

Secure the ConfigMgr SQL Server(s)

Securing SQL Servers is a critical part of any security strategy, and that definitely applies to ConfigMgr. In some companies a DBA will be responsible for SQL security, but as a ConfigMgr admin you will likely install SQL server and may end up owning its security.

SQL security is a vast topic, but there are a few very basic things that should apply in almost every deployment. First, always use Windows Authentication (never Mixed Mode). Second, secure the “sa” account by disabling it, deleting it, or protecting it with a complex password—the default password is the first thing hackers try.

Third, don’t forget SQL Express! In an architecture with secondary site servers, ConfigMgr may install SQL Express from files on the primary (unless you point it to a SQL Server instance instead). Those SQL Express install files may be out of date, so be sure to update after installation. However, the broader point is to make sure you update it regularly. Last year, Microsoft issued a SQL Express patch that fixed a remote execution vulnerability, so the threat is real—and easy to mitigate.

Securing ConfigMgr

Lock-down Windows 10 OSD

Windows 10 OSD is a vast field about which volumes could be written. Some OSD security basics that will serve as a good jumping off point include:

  • Never deploy task sequences to the All Unknown Computers collection
  • Limit deployment to systems that have specifically been whitelisted/allowed for OSD
  • Ensure that Task Sequences are kept clear of sensitive data
  • Restrict physical access to OSD media
  • Physically protect any physical system you use to create references images

Go Deep with Security

I’ve mentioned only few key things to look for. Other areas of ConfigMgr security include: permissions and authorization, server management, client management, content, and even business priorities. Also, to truly secure your systems management environment, you’ll need look at business processes in addition to systems and configurations.

To learn more, Adaptiva has put together a few educational security resources that go into much more detail:

Top 20 Security Best Practices Report PDF

Top 20 SCCM Security Best Practices Webinar: Recording & Slides

SCCM Security Checklist

Securing ConfigMgr

Leave a Reply

Your email address will not be published. Required fields are marked *