Microsoft SMS Audit Checklist by HC12091103340


Audit #:
Audit Name:
Audit Period:        to
Interview Date:

Columns of the checklist: Control objective / Test / Result / Conditions
(Result and Conditions are blank fields to be completed during the audit.)
Control objective: Configuration of the SMS site is such as to provide maximum security.
Tests:
  - Obtain a network diagram of the SMS network and determine which of the 3 scenarios exists:
      a. SMS and SQL Server are on the same server
      b. SMS and SQL Server are on separate servers, with the SMS Provider on the SMS server
      c. SMS and SQL Server are on separate servers, with the SMS Provider on the SQL server
  - Which domain model is used:
      a. Single Domain Model
      b. Master Domain Model
      c. Multiple master domain
Result:
Conditions:
Control objective: Access controls exist around who can use and alter:
  a. the SMS files on your system
  b. the software distribution files that need to be exposed
  c. the inventory and collected files on the site
Tests:
  - Obtain a list of users who can access the SMS files, distribution file information, SMS objects and inventory information on the site servers to determine if the access list is reasonable and compliant with segregation of duties controls.
  - Evaluate the rights users have to directories, files, SMS database objects and the information accessible through the SMS Administrator console. NTFS permissions have been used to limit access to executables and the registry to administrators only.
  - Evaluate the rights given to service accounts to ensure that only the minimum rights required to perform their jobs are given. Minimize what the service accounts can do by keeping the permissions as close as possible to the local level.
  - Evaluate the rights given to administrators to ensure they are minimized as much as possible. For example, if an administrator works only with a subset of users on the system, create a collection of those users and give the administrator SMS permissions to that collection.
  - Evaluate the rights of administrators to work directly on the site server. Unless it is absolutely necessary for an administrator to work directly on the site server, have them use remote consoles from Windows rather than the site server. As a result, they will not require local administrator rights on the site server.
  - Evaluate the rights granted to ensure that each site system has only local administrator rights for SMS services and functions.
  - Ensure that no accounts are members of the Domain Admins group.
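The five rights-related tests above (service account rights kept local, administrators scoped to a collection, no unnecessary local admin on the site server, and no Domain Admins membership) can be run mechanically once the auditor has collected group memberships and SMS object rights. The script below is an added example and is not part of the checklist; its account inventory is constructed by hand, and every account, machine, group and collection name in it is an assumption.

```python
"""Least-privilege checks for SMS service and administrator accounts.

Added example, not part of the checklist: the inventory below is constructed
by hand to stand in for what an auditor collects from the domain (group
memberships per machine) and from the SMS Administrator console (which
collections each administrator holds rights on). Account, machine, group
and collection names are assumptions.
"""

# Constructed inventory: account -> {scope: groups}. "DOMAIN" holds domain
# group memberships; any other key is a site system holding local groups.
MEMBERSHIPS = {
    "SMSService":    {"DOMAIN": {"Domain Users", "Domain Admins"},
                      "SITESRV1": {"Administrators"}},
    "SMSSQLService": {"DOMAIN": {"Domain Users"},
                      "SQLSRV1": {"Administrators"}},
    "SMSClientConn": {"DOMAIN": {"Domain Users"},
                      "CAP1": {"Administrators", "Backup Operators"}},
    "jsmith":        {"DOMAIN": {"Domain Users"},
                      "SITESRV1": {"Administrators"}},
    "hdesk1":        {"DOMAIN": {"Domain Users"}},
}

SERVICE_ACCOUNTS = {"SMSService", "SMSSQLService", "SMSClientConn"}

# Constructed view of SMS object rights for human administrators: the
# collections they hold rights on and the user population they support.
ADMIN_RIGHTS = {
    "jsmith": {"collections": {"All Systems"}, "supports": "Finance PCs"},
    "hdesk1": {"collections": {"Helpdesk PCs"}, "supports": "Helpdesk PCs"},
}


def domain_admin_members(memberships=MEMBERSHIPS):
    """Checklist test: no accounts should be members of Domain Admins."""
    return sorted(acct for acct, scopes in memberships.items()
                  if "Domain Admins" in scopes.get("DOMAIN", set()))


def service_rights_beyond_local_admin(memberships=MEMBERSHIPS,
                                      service_accounts=SERVICE_ACCOUNTS):
    """Checklist test: a site system should grant an SMS service account
    only local Administrators; domain-wide, only Domain Users. Returns
    (account, scope, extra groups) for every membership beyond that."""
    findings = []
    for acct in sorted(service_accounts):
        for scope, groups in memberships[acct].items():
            baseline = {"Domain Users"} if scope == "DOMAIN" else {"Administrators"}
            extra = groups - baseline
            if extra:
                findings.append((acct, scope, sorted(extra)))
    return findings


def overscoped_admins(admin_rights=ADMIN_RIGHTS):
    """Checklist test: an administrator who supports a subset of users should
    hold SMS rights on a collection of those users, not on a wider one."""
    return sorted(acct for acct, rights in admin_rights.items()
                  if rights["supports"] not in rights["collections"])


def site_server_local_admins(admin_rights=ADMIN_RIGHTS, memberships=MEMBERSHIPS,
                             site_server="SITESRV1"):
    """Checklist test: administrators who can use a remote console do not
    need local Administrators on the site server; list those who hold it
    so the auditor can confirm each one is absolutely necessary."""
    return sorted(acct for acct in admin_rights
                  if "Administrators" in memberships.get(acct, {}).get(site_server, set()))


if __name__ == "__main__":
    print("Domain Admins members:", domain_admin_members())
    print("Service accounts with excess rights:", service_rights_beyond_local_admin())
    print("Admins scoped wider than their user population:", overscoped_admins())
    print("Admins holding local admin on the site server:", site_server_local_admins())
```

Each function returns a list of findings rather than printing them, so the same checks can be re-run against a corrected inventory at the end of the audit period to confirm the exceptions were closed.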
  - Obtain a dump, using DumpSec or some other tool, of the file share permissions created on the various SMS servers (CAPs, logon points, etc.). Ensure that the default file share permissions have been changed to eliminate "Everyone".
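As an added example of working through the share-permission test above (it is not part of the checklist and not DumpSec output): the report below is a constructed, tab-separated rendering of a share-permission dump with the columns server, share, trustee, permission. DumpSec's real column layout differs, so the parser would be adapted to the tool actually used; the server, share and account names, and the set of trustees expected to hold Full Control, are assumptions. The check goes slightly beyond the checklist's "Everyone" test by also listing Full Control grants to anyone outside the expected administrator and service accounts, which supports the segregation-of-duties review.

```python
"""Audit SMS file share permissions from a share-permission dump.

Added example, not part of the checklist. SHARE_REPORT is a constructed,
tab-separated rendering of a share-permission dump (server, share, trustee,
permission); DumpSec's real column layout differs, so parse_share_report
would be adapted to the tool actually used. Server, share and account names
are assumptions.
"""

SHARE_REPORT = """\
# server\tshare\ttrustee\tpermission
SITESRV1\tSMS_SITE\tEveryone\tFull Control
SITESRV1\tSMS_SITE\tSITESRV1\\Administrators\tFull Control
SITESRV1\tSMSLOGON\tEveryone\tRead
SITESRV1\tSMSLOGON\tDOMAIN\\SMSService\tFull Control
CAP1\tCAP_S01\tDOMAIN\\SMS_Admins\tChange
CAP1\tCAP_S01\tDOMAIN\\SMSClientConn\tRead
"""

# Trustees expected to hold Full Control on SMS shares (assumed for the
# example); anyone else with Full Control is queried with the site admin.
EXPECTED_FULL_CONTROL = {"SITESRV1\\Administrators", "DOMAIN\\SMSService"}


def parse_share_report(text):
    """Return one dict per share ACE. Lines without the four expected
    columns raise, so a layout change is noticed rather than silently skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected report line: {line!r}")
        server, share, trustee, permission = parts
        rows.append({"server": server, "share": share,
                     "trustee": trustee, "permission": permission})
    return rows


def shares_open_to(rows, open_trustees=("Everyone",)):
    """Checklist test: default share permissions should no longer grant
    Everyone. Generalised to any set of well-known open trustees."""
    wanted = {t.lower() for t in open_trustees}
    return sorted({(r["server"], r["share"], r["permission"])
                   for r in rows if r["trustee"].lower() in wanted})


def unexpected_full_control(rows, expected=EXPECTED_FULL_CONTROL):
    """Segregation-of-duties check: Full Control held by anyone outside the
    expected administrator and service accounts."""
    allowed = {t.lower() for t in expected}
    return sorted((r["server"], r["share"], r["trustee"]) for r in rows
                  if r["permission"].lower() == "full control"
                  and r["trustee"].lower() not in allowed)


def audit_shares(text=SHARE_REPORT):
    """Run both checks over a report and return the findings by category."""
    rows = parse_share_report(text)
    return {"everyone": shares_open_to(rows),
            "full_control": unexpected_full_control(rows)}


if __name__ == "__main__":
    for category, findings in audit_shares().items():
        for finding in findings:
            print(category, *finding)
```

Trustee comparison is case-insensitive because Windows account and group names are, so "EVERYONE" in one tool's output and "Everyone" in another's are treated as the same finding.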
  - SMS account passwords are encrypted via Windows or SMS.
  - Account passwords that SMS creates are randomly generated.
  - Unused services/functions such as software metering, remote control, etc. have been turned off.
  - Ensure that passwords, account names, and permissions for accounts that SMS automatically creates and maintains are not changed. Otherwise you run the risk of account lockouts. Some of these accounts are:
      a. SMS Provider Impersonation
      b. SMS Logon Service
      c. SMS Client Connection
      d. SMS Server Connection
      e. SMS Remote Service
    For those that can be changed, change the passwords rather than the account, with the following exceptions:
      a. SMS Service Account, if this account is shared by more than one site.
      b. SMS SQL Service account, if this account is shared by more than one site.
      c. Software Metering Service account, if the account is shared by more than one software metering server.
    For these accounts, new accounts must be created for these roles and the accounts cycled when the clients have servers that have all been configured with the
Result:
Conditions:
Control objective: Authentication is performed for users allowed to use the SMS tools to monitor the network and/or control
Tests:
  - Evaluate the authentication process enforced prior to allowing access to perform SMS tasks or make changes to the SMS configuration.
  - Determine if the default SMS Service Account and SMS Client Remote Installation client names have been renamed, have a technically complex password, and are not Domain Administrators.
  - The CCM Boot Loader (DC) account has been deleted after the client was set up. This is because it is made unique by including the domain controller name in its account name.
Result:
Conditions:
Control objective: Access to the SMS Console is limited.
Tests:
  - Determine if only users who are Windows Administrators can use the console on the site server. The default directory-level permissions allow them to use the console only on the site server, and it is recommended that this level of security be maintained.
Result:
Conditions:
Control objective: Database security is enforced.
Tests:
  - Evaluate who is allowed to view and change database objects to ensure access to the database is limited to those requiring such access.
  - Determine if the sa account has an obscure password and is not used. Another "copy cat" account with a different name and complex password should be used.
  - Ensure that SQL database access is secured. See the insert from Microsoft below:

    Typically, if you want to set up security requirements for multiple users, you add the users to a group and arrange security requirements for the group. However, the SMS Security Manager doesn't recognize SQL Server groups. The SMS Security Manager accepts only database users to set security. Thus, if you work with groups, you still have the cumbersome task of defining security rights for each database user.

    A workaround to this problem is to use aliases instead of groups. An alias is an extension of a mapping from a login to a database user. After creating a map, you can tell any number of logins to share the same database user. So, if you create one database user for each role in your SMS database (e.g., Helpdesk, Administrator) and map a login to that database user, you can extend as many of your other logins to this mapping as necessary to ensure that they all receive the same
Result:
Conditions:
Control objective: Necessary security exposures are identified and special controls or workarounds are used to minimize the security risks.
Tests:
  - Identify special situations in the audit environment, such as unattended software distributions, to determine if special administrator rights have been assigned to minimize security risks.
Result:
Conditions:
Control objective: Configuration of the tool is established in such a way as to maximize security.
Tests:
  - Determine if the SMS site is installed on a Windows member server rather than a Domain Controller.
Result:
Conditions:
Control objective: Audit trails are created and reviewed to ensure inappropriate use of SMS does not go
Tests:
  - Determine what audit logging is occurring around SMS use and services. Evaluate the reasonableness of the logging.
Result:
Conditions:
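The audit-trail test asks what is logged and whether it is reviewed; the script below is an added example (not part of the checklist) of the kind of review that makes the logging worthwhile. Its log lines are constructed in a simple space-separated layout (date, time, host, event, user, key=value detail) rather than a real Windows event-log or SMS status-message export, and the host names, account names, event names and approved-administrator list are all assumptions. It ties two earlier tests back to the audit trail: service accounts should not appear in interactive logons, and SMS configuration changes should come only from approved administrators.

```python
"""Review an SMS-related audit trail for signs of inappropriate use.

Added example, not part of the checklist. LOG is constructed in a simple
space-separated layout (date time host event user key=value ...); a real
Windows event-log or SMS status-message export would need its own parser.
Host, account and event names and the approved-administrator list are
assumptions.
"""
import re
from datetime import datetime

LOG = """\
2003-04-02 08:55:10 SITESRV1 LOGON DOMAIN\\jsmith type=Interactive
2003-04-02 09:15:01 SITESRV1 LOGON DOMAIN\\SMSService type=Service
2003-04-02 23:40:12 SITESRV1 LOGON DOMAIN\\SMSService type=Interactive
2003-04-02 23:42:30 SITESRV1 CONFIG_CHANGE DOMAIN\\SMSService object=Advertisement
2003-04-03 10:02:44 SITESRV1 CONFIG_CHANGE DOMAIN\\jsmith object=Collection
2003-04-03 10:30:00 SITESRV1 CONFIG_CHANGE DOMAIN\\tmp_contractor object=Package
"""

SERVICE_ACCOUNTS = {"DOMAIN\\SMSService", "DOMAIN\\SMSSQLService"}
APPROVED_ADMINS = {"DOMAIN\\jsmith"}

# date time, host, event, user, then free-form key=value detail
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Parse the constructed layout into dicts; unparseable lines raise so a
    format change is noticed rather than silently dropping events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparsed log line: {line!r}")
        stamp, host, event, user, detail = match.groups()
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "event": event, "user": user, **fields})
    return events


def interactive_service_logons(events, service_accounts=SERVICE_ACCOUNTS):
    """SMS service accounts exist to run services; an interactive logon by
    one of them is a use the auditor should be able to explain."""
    return [(e["time"].isoformat(sep=" "), e["user"]) for e in events
            if e["event"] == "LOGON" and e["user"] in service_accounts
            and e.get("type") == "Interactive"]


def changes_by_unapproved(events, approved=APPROVED_ADMINS):
    """SMS configuration changes made by anyone outside the approved
    administrator list, including service accounts."""
    return [(e["time"].isoformat(sep=" "), e["user"], e.get("object", "?"))
            for e in events
            if e["event"] == "CONFIG_CHANGE" and e["user"] not in approved]


def review(text=LOG):
    """Run both checks over a log export and return the findings by category."""
    events = parse_log(text)
    return {"interactive_service_logons": interactive_service_logons(events),
            "unapproved_changes": changes_by_unapproved(events)}


if __name__ == "__main__":
    for category, findings in review().items():
        for finding in findings:
            print(category, *finding)
```

The review is only as good as the logging it reads: if the export contains no CONFIG_CHANGE events at all, that absence is itself a finding against the "reasonableness of the logging" test rather than a clean result.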
Control objective: Patch levels are kept current to ensure vulnerabilities are addressed quickly and
Tests:
  - Evaluate the patch notification process for SMS and determine if the current patch level has been installed.
Result:
Conditions:
