Applies to: Configuration Manager (current branch)

This article describes security and privacy information for Configuration Manager clients. It also includes information for mobile devices that are managed by the Exchange Server connector.

The Configuration Manager site accepts data from devices that run the Configuration Manager client. This behavior introduces the risk that the clients could attack the site. For example, they could send malformed inventory, or attempt to overload the site systems. Deploy the Configuration Manager client only to devices that you trust. Use the following security guidance to help protect the site from rogue or compromised devices.

Use public key infrastructure (PKI) certificates for client communications with site systems that run IIS

- As a site property, configure Site system settings for HTTPS only. For more information, see Configure security.
- Install clients with the UsePKICert CCMSetup property.
- Make sure that clients and communicating servers can always access it.

Mobile device clients and some internet-based clients require these certificates. Microsoft recommends these certificates for all client connections on the intranet.

For more information on the use of certificates in Configuration Manager, see Plan for certificates.

Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Automatically approve client computers from trusted domains and manually check and approve other computers

When you can't use PKI authentication, approval identifies a computer that you trust to be managed by Configuration Manager. The hierarchy has the following options to configure client approval:

- Automatic for computers in trusted domains

The most secure approval method is to automatically approve clients that are members of trusted domains. This option includes cloud-domain joined clients from connected Azure Active Directory (Azure AD) tenants. Then manually check and approve all other computers. Automatically approving all clients isn't recommended, unless you have other access controls to prevent untrustworthy computers from accessing your network.

For more information about how to manually approve computers, see Manage clients from the devices node.

Don't rely on blocking to prevent clients from accessing the Configuration Manager hierarchy

Blocked clients are rejected by the Configuration Manager infrastructure. If clients are blocked, they can't communicate with site systems to download policy, upload inventory data, or send state or status messages.

Blocking is designed for the following scenarios:

- To block lost or compromised boot media when you deploy an OS to clients
- When all site systems accept HTTPS client connections

When site systems accept HTTP client connections, don't rely on blocking to protect the Configuration Manager hierarchy from untrusted computers. In this scenario, a blocked client could rejoin the site with a new self-signed certificate and hardware ID.

Certificate revocation is the primary line of defense against potentially compromised certificates. A certificate revocation list (CRL) is only available from a supported public key infrastructure (PKI). Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy.

For more information, see Determine whether to block clients.

Use the most secure client installation methods that are practical for your environment

For domain computers, group policy client installation and software update-based client installation methods are more secure than client push installation. If you apply access controls and change controls, use imaging and manual installation methods.

Use Kerberos mutual authentication with client push installation. Of all the client installation methods, client push installation is the least secure because of the many dependencies it has. These dependencies include local administrative permissions, the Admin$ share, and firewall exceptions. The number and type of these dependencies increase your attack surface.

When using client push, the site can require Kerberos mutual authentication by not allowing fallback to NTLM before establishing the connection. This enhancement helps to secure the communication between the server and the client. For more information, see How to install clients with client push.

For more information about the different client installation methods, see Client installation methods.

Wherever possible, select a client installation method that requires the least security permissions in Configuration Manager. Restrict the administrative users that are assigned security roles with permissions that can be used for purposes other than client deployment.
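The PKI guidance above depends on the CRL being reachable from both clients and site systems, and on revocation actually being checked. The following PowerShell script is an added example written for this page, not Microsoft's own code or tooling: it reads the CRL Distribution Points extension (OID 2.5.29.31) from each certificate with a private key in Cert:\LocalMachine\My, fetches every HTTP distribution point, and then builds the chain with online revocation checking forced. The store location and the assumption that the client authentication certificate carries a CRL Distribution Points extension are mine, not from the page.

```powershell
# Added example (not from the Microsoft documentation page): verify that the CRL
# distribution points on local PKI certificates are reachable and that the chain
# passes an online revocation check. Run on a client and on each site system.
# Assumption: client certificates are in Cert:\LocalMachine\My (placeholder choice).

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." entry per distribution point;
    # only HTTP(S) points are tested here, LDAP points are skipped.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -like 'http*' }
}

function Test-CrlAccess {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Bytes = $resp.RawContentLength; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Bytes = 0; Error = $_.Exception.Message }
    }
}

function Test-ChainRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode refuses to trust a cached CRL that cannot be refreshed; EntireChain checks every CA too
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        ChainValid = $valid
        # Empty when the chain is clean; otherwise flags such as RevocationStatusUnknown or OfflineRevocation
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
foreach ($cert in $clientCerts) {
    "Certificate $($cert.Subject) [$($cert.Thumbprint)]"
    Get-CrlUrls -Certificate $cert | ForEach-Object { Test-CrlAccess -Url $_ } | Format-Table -AutoSize
    Test-ChainRevocation -Certificate $cert | Format-Table -AutoSize
}
```

A chain that reports RevocationStatusUnknown or OfflineRevocation on a site system is the condition the guidance warns about: the certificate may be valid, but revocation cannot be enforced from that host, so a compromised client certificate would keep working until the CRL becomes reachable again.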
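The approval and blocking sections both describe states the site records per device, and a practitioner wants a quick way to see which devices are in them. The script below is an added example for this page, not Microsoft's own code: it queries the SMS Provider over WMI for client records that are not yet approved, and for records that are blocked. The provider server name, site code, and the property names IsClient, IsApproved and IsBlocked on the SMS_CombinedDeviceResources class are my assumptions and are not stated on the page.

```powershell
# Added example (not from the Microsoft documentation page): list unapproved and
# blocked client records from the SMS Provider so they can be reviewed manually.
# Assumptions: $ProviderServer and $SiteCode are placeholders for your environment;
# SMS_CombinedDeviceResources is assumed to expose IsClient, IsApproved and IsBlocked.
param(
    [string]$ProviderServer = 'cm01.contoso.local',   # placeholder
    [string]$SiteCode       = 'PS1'                    # placeholder
)
$namespace = "root\SMS\site_$SiteCode"

function Get-DeviceRecords {
    # One round trip; filtering is done client-side so WQL boolean syntax is not an issue
    Get-CimInstance -ComputerName $ProviderServer -Namespace $namespace `
        -ClassName SMS_CombinedDeviceResources -ErrorAction Stop
}

function Get-UnapprovedClients {
    param($Records)
    # Records that have a client but that the site has not approved: these should be
    # checked by hand rather than approved automatically
    $Records | Where-Object { $_.IsClient -and -not $_.IsApproved } |
        Select-Object Name, ResourceID
}

function Get-BlockedClients {
    param($Records)
    # Blocked records still exist in the database; with HTTP site systems a blocked
    # device can re-register with a new self-signed certificate, so review these too
    $Records | Where-Object { $_.IsBlocked } |
        Select-Object Name, ResourceID
}

$records    = Get-DeviceRecords
$unapproved = @(Get-UnapprovedClients -Records $records)
$blocked    = @(Get-BlockedClients    -Records $records)

"Unapproved clients: $($unapproved.Count)"
$unapproved | Format-Table -AutoSize
"Blocked clients: $($blocked.Count)"
$blocked | Format-Table -AutoSize
```

Run this with an account that has read access to the SMS Provider. The unapproved list is the set the guidance says to check and approve manually (in the console, or with the Approve-CMDevice cmdlet from the Configuration Manager module); a non-empty blocked list on a site that still accepts HTTP client connections is worth cross-checking against new client registrations, since blocking alone does not keep such a device out.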
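The client push guidance asks the site to require Kerberos mutual authentication and not fall back to NTLM. One way to confirm that this is in effect is to look, on a freshly pushed client, at how the client push account actually authenticated. The following script is an added example for this page, not Microsoft's code: it reads Security log logon events (ID 4624) for network logons by the push account and reports the authentication package used. The push account name is a placeholder, and the assumption that the client's Security log still holds the logons from the push is mine.

```powershell
# Added example (not from the Microsoft documentation page): on a client installed by
# client push, report each network logon by the client push account and whether it
# used Kerberos or NTLM. Any NTLM entry means the site fell back from Kerberos.
# Assumptions: $PushAccount is a placeholder; 4624 events for the push window are
# still present in the local Security log. Run elevated (the Security log needs it).
param(
    [string]$PushAccount = 'CMPush',   # placeholder: sAMAccountName of the client push account
    [int]$Hours = 24
)

function Get-PushAccountLogons {
    param([string]$Account, [datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML into a hashtable by name
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # LogonType 3 is a network logon, which is how client push reaches Admin$ and the service control manager
        if ($d.LogonType -eq '3' -and $d.TargetUserName -ieq $Account) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Account  = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Package  = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
                Source   = $d.IpAddress
                Fallback = ($d.AuthenticationPackageName -eq 'NTLM')
            }
        }
    }
}

$logons = @(Get-PushAccountLogons -Account $PushAccount -Since (Get-Date).AddHours(-$Hours))
$logons | Format-Table -AutoSize
$ntlmCount = @($logons | Where-Object Fallback).Count
if ($ntlmCount -gt 0) {
    Write-Warning "$ntlmCount network logon(s) by $PushAccount used NTLM; Kerberos mutual authentication was not enforced for this push."
} else {
    "No NTLM logons by $PushAccount in the last $Hours hour(s)."
}
```

An NTLM logon here does not by itself mean something malicious happened, but it does mean the site accepted a connection without mutual authentication, which is the condition the Kerberos requirement is meant to remove; the same query with a different account name is a reasonable way to review any other high-privilege service account.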