POSTED ON: 9/11/2012
Microsoft SMS Audit Checklist

Audit #:
Audit Name:
Location:
Audit Period: ________ to ________
Auditor:
Interviewee:
Interview Date:

Each checklist item below lists the Control and the Test to perform. The Result and Conditions fields of the form are left blank for the auditor to complete.

Control: Configuration of the SMS site is such as to provide maximum security.
Test: Obtain a network diagram of the SMS network and determine which of the three scenarios exists:
a. SMS and SQL Server are on the same server
b. SMS and SQL Server are on separate servers, with the SMS Provider on the SMS server
c. SMS and SQL Server are on separate servers, with the SMS Provider on the SQL server
Determine which domain model is used:
a. Single domain model
b. Master domain model
c. Multiple master domain model

Control: Access controls exist around who can use and alter:
a. The SMS files on your system
b. The software distribution files that need to be exposed
c. The inventory information and collected files on the site servers
Test: Obtain a list of users who can access the SMS files, distribution file information, SMS objects and inventory information on the site servers, and determine whether the access list is reasonable and complies with segregation-of-duties controls. Evaluate the rights users have to directories, files, SMS database objects and the information accessible through the SMS Administrator console. Verify that NTFS permissions have been used to limit access to executables and the registry to administrators only. Evaluate the rights given to service accounts to ensure they have only the minimum rights required to perform their jobs; keep their permissions as close as possible to the local level. Evaluate the rights given to administrators to ensure they are minimized as much as possible: for example, if an administrator works only with a subset of users on the system, create a collection of those users and give the administrator SMS permissions to that collection only. Evaluate the rights of administrators to work directly on the site server.
Unless it is absolutely necessary for an administrator to work directly on the site server, have them use a remote console from Windows rather than the site server; they will then not require local administrator rights on the site server. Evaluate the rights granted to ensure that each site system has only the local administrator rights needed for SMS services and functions. Ensure that no SMS accounts are members of the Domain Admins group. Obtain a dump of the file share permissions on the various SMS servers (CAPs, logon points, etc.) using DumpSec or a similar tool, and ensure that the default share permissions have been changed to remove "Everyone". Verify that SMS account passwords are encrypted by Windows or SMS, and that the passwords SMS creates are randomly generated. Verify that unused services and functions such as software metering and remote control have been turned off. Ensure that the passwords, account names and permissions of accounts that SMS automatically creates and maintains are not changed; otherwise you run the risk of account lockouts. Some of these accounts are:
a. SMS Provider Impersonation
b. SMS Logon Service
c. SMS Client Connection
d. SMS Server Connection
e. SMS Remote Service
For the accounts that can be changed, change the password rather than the account, with the following exceptions:
a. SMS Service Account, if the account is shared by more than one site
b. SMS SQL Service account, if the account is shared by more than one site
c. Software Metering Service account, if the account is shared by more than one software metering server
For these accounts, create new accounts for the roles and cycle the accounts once all the clients and servers have been configured with the new accounts.

Control: Authentication is performed for users allowed to use the SMS tools to monitor the network and/or control clients.
Test: Evaluate the authentication process enforced before users are allowed to perform SMS tasks or make changes to the SMS configuration.
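The share-permission and Domain Admins tests above are usually worked from a DumpSec report. The PowerShell below is an added example, not part of the original checklist, that gathers the same evidence directly: it dumps every share ACE on the listed site systems, flags Allow entries granted to broad trustees such as "Everyone", and checks whether the named service accounts sit in Domain Admins. It assumes WMI/DCOM access as a local administrator on each server and that the WinNT ADSI provider can read the domain group; the server names, service account names and output file name are placeholders.

```powershell
# Added example, not part of the original checklist: gather the evidence for the
# share-permission and Domain Admins tests without a manual DumpSec run.
# Assumptions: WMI/DCOM access as a local administrator on each site system, the
# WinNT ADSI provider can read the domain group, and the server and service
# account names below are placeholders to be replaced with the site's own.

$SiteSystems     = @('SMS-SITE01', 'SMS-CAP01', 'SMS-LOGON01')    # placeholder server names
$ServiceAccounts = @('SMSService', 'SMSSQLService', 'SMSSWMeter')  # placeholder account names
$FlagTrustees    = @('Everyone', 'Authenticated Users')            # trustees that should hold no share rights

$FullControl = 0x1F01FF   # access mask of a Full Control share ACE

$shareFindings = foreach ($computer in $SiteSystems) {
    # One Win32_LogicalShareSecuritySetting instance per share; GetSecurityDescriptor exposes its DACL
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computer -ErrorAction SilentlyContinue
    foreach ($setting in $settings) {
        $sd = $setting.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) { continue }    # descriptor not readable (e.g. access denied)
        foreach ($ace in $sd.Descriptor.DACL) {
            $trustee = $ace.Trustee
            $account = if ($trustee.Domain) { "$($trustee.Domain)\$($trustee.Name)" } else { $trustee.Name }
            New-Object PSObject -Property @{
                Computer    = $computer
                Share       = $setting.Name
                Trustee     = $account
                AceType     = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = allow, 1 = deny
                FullControl = (($ace.AccessMask -band $FullControl) -eq $FullControl)
                # Only an Allow ACE for a broad trustee is an exception to the "remove Everyone" control
                Exception   = ($ace.AceType -eq 0 -and $FlagTrustees -contains $trustee.Name)
            }
        }
    }
}

# Membership of Domain Admins, read through the WinNT provider of the current domain
$group   = [ADSI]"WinNT://$env:USERDOMAIN/Domain Admins,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$adminFindings = foreach ($acct in $ServiceAccounts) {
    New-Object PSObject -Property @{
        Account        = $acct
        InDomainAdmins = ($members -contains $acct)
    }
}

# Evidence for the working papers: the full share ACL dump plus the two exception lists
$shareFindings | Export-Csv -Path 'sms-share-acl.csv' -NoTypeInformation
$shareFindings | Where-Object { $_.Exception } |
    Format-Table Computer, Share, Trustee, AceType, FullControl -AutoSize
$adminFindings | Where-Object { $_.InDomainAdmins } |
    Select-Object Account, InDomainAdmins | Format-Table -AutoSize
```

The CSV is the complete dump for the audit file; the two tables printed at the end are the exceptions the checklist asks about. A Deny ACE for "Everyone" is deliberately not flagged, since it restricts rather than grants access.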
Determine whether the default SMS Service Account and SMS Client Remote Installation account have been renamed, have technically complex passwords, and are not Domain Administrators. Verify that the CCM Boot Loader (DC) account has been deleted after the client was set up; this account is made unique by including the domain controller name in its account name.

Control: Access to the SMS Console is limited.
Test: Determine whether only users who are Windows Administrators can use the console on the site server. The default directory-level permissions allow them to use the console only on the site server, and it is recommended that this level of security be maintained.

Control: Database security is enforced.
Test: Evaluate who is allowed to view and change database objects to ensure that access to the database is limited to those requiring it. Determine whether the sa account has an obscure password and is not used; another "copy cat" account with a different name and a complex password should be used instead. Ensure that SQL database access is secured. See the insert from Microsoft below:

Typically, if you want to set up security requirements for multiple users, you add the users to a group and arrange security requirements for the group. However, the SMS Security Manager doesn't recognize SQL Server groups. The SMS Security Manager accepts only database users to set security. Thus, if you work with groups, you still have the cumbersome task of defining security rights for each database user. A workaround to this problem is to use aliases instead of groups. An alias is an extension of a mapping from a login to a database user. After creating a map, you can tell any number of logins to share the same database user. So, if you create one database user for each role in your SMS database (e.g., Helpdesk, Administrator) and map a login to that database user, you can extend as many of your other logins to this mapping as necessary to ensure that they all receive the same permissions.
Control: Necessary security exposures are identified and special controls or workarounds are used to minimize the security risks.
Test: Identify special situations in the audit environment, such as unattended software distributions, to determine whether special administrator rights have been assigned to minimize security risks.

Control: Configuration of the tool is established in such a way as to maximize security.
Test: Determine whether the SMS site is installed on a Windows member server rather than on a domain controller.

Control: Audit trails are created and reviewed to ensure that inappropriate use of SMS does not go undetected.
Test: Determine what audit logging is occurring around SMS use and services, and evaluate the reasonableness of the logging.

Control: Patch levels are kept current to ensure that vulnerabilities are addressed quickly and effectively.
Test: Evaluate the patch notification process for SMS and determine whether the current patch level has been installed.
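The member-server, audit-logging and patch-level tests above all come down to facts the site server can report about itself. The PowerShell below is an added example, not part of the original checklist, that collects them in one pass: the machine's domain role (a domain controller reports 4 or 5), the Security log size and retention policy, the audit-policy subcategories that are switched off, and the age of the newest installed hotfix. It assumes WMI/DCOM access to the server and WinRM for the remote auditpol call; the server name is a placeholder and the 90-day patch threshold is a choice for this audit, not an SMS setting.

```powershell
# Added example, not part of the original checklist: pull the evidence for the
# member-server, audit-logging and patch-level tests from one site server.
# Assumptions: WMI/DCOM access to the server, WinRM for the remote auditpol call,
# a placeholder server name, and a patch-age threshold chosen by the auditor.

$ComputerName    = 'SMS-SITE01'   # placeholder
$MaxPatchAgeDays = 90             # audit threshold, not an SMS setting

# DomainRole from Win32_ComputerSystem: 3 = member server, 4/5 = backup/primary domain controller
$roleNames = @{ 0 = 'Standalone workstation'; 1 = 'Member workstation'; 2 = 'Standalone server';
                3 = 'Member server'; 4 = 'Backup domain controller'; 5 = 'Primary domain controller' }
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
$domainRole         = $roleNames[[int]$cs.DomainRole]
$isDomainController = [int]$cs.DomainRole -ge 4

# Security event log size and retention: a small log with OverwritePolicy 'WhenNeeded' loses evidence silently
$secLog = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $ComputerName -Filter "LogFileName='Security'"

# Audit policy subcategories relevant to SMS use; auditpol /r emits CSV with an 'Inclusion Setting' column
$wanted = 'Logon', 'Logoff', 'File Share', 'User Account Management', 'Security Group Management', 'Process Creation'
$auditRows = Invoke-Command -ComputerName $ComputerName -ScriptBlock { auditpol /get /category:* /r } |
    Where-Object { $_ } | ConvertFrom-Csv
$notAudited = $auditRows |
    Where-Object { $wanted -contains $_.Subcategory -and $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object -ExpandProperty Subcategory

# Installed hotfixes, newest first; InstalledOn is empty for some older entries, so those are skipped
$latest = Get-HotFix -ComputerName $ComputerName | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

# One evidence record per server for the working papers
New-Object PSObject -Property @{
    Computer                = $ComputerName
    DomainRole              = $domainRole
    OnDomainController      = $isDomainController      # the control requires $false
    SecurityLogMaxKB        = [int]($secLog.MaxFileSize / 1KB)
    SecurityLogRetention    = $secLog.OverwritePolicy  # 'WhenNeeded', 'OutDated' or 'Never'
    SubcategoriesNotAudited = ($notAudited -join ', ')
    LatestHotfix            = if ($latest) { $latest.HotFixID } else { 'none recorded' }
    DaysSinceLastPatch      = $daysSincePatch
    PatchOlderThanThreshold = ($null -eq $daysSincePatch -or $daysSincePatch -gt $MaxPatchAgeDays)
} | Format-List
```

Run it once per site system and keep the Format-List output with the working papers. The hotfix age is a coarse indicator only: the checklist's patch test still needs the site's own patch notification process and the SMS-specific updates compared against the vendor's current list.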