Contact Us Get Free Products
Search icon Contact Us Get Free Products
SCCM/MECM

How to Start Securing ConfigMgr in the Enterprise

Nicolas PilonApril 25 20164 Min Read

Founder of System Center Dudes. Nick has been awarded in 2016 to 2019 as a Microsoft MVP in Enterprise Mobility category. Working as a senior SCCM and Intune advisor as well as a specialist Microsoft Cloud solutions specialist.

Nicolas Pilon

Vice-President
Table of Content
SCD Collaborators

Securing ConfigMgr

 

As an IT professional, you already know that a security breach can be devastating. It can also be expensive, $4 million on average according to a 2015 survey sponsored by IBM.

Microsoft System Center Configuration Manager (ConfigMgr) can play a huge part in preventing attacks and implementing an enterprise-wide security solution. ConfigMgr helps companies make sure all endpoints are current with the latest security fixes, configured correctly, behaving normally, and only running authorized applications.

However, like almost everything else in IT these days, ConfigMgr itself is a target for hackers who can use it to distribute malware, take control of computers with access to private data, and engage in all manner of nefarious activity. According to a recent Adaptiva survey of more than 150 IT professionals, 70 percent expressed concern about potential security vulnerabilities in their Microsoft ConfigMgr environments.

Securing the perimeter of your company’s network is usually the #1 priority, and rightly so. However, securing ConfigMgr should also be a key part of your organization’s cyber defense strategy. A full list of security topics for ConfigMgr admins could span dozens or hundreds of topics. In this blog, I am giving you a place to start by explaining some key considerations and pointing you to some helpful online resources.

Securing ConfigMgr

Restrict and Review ConfigMgr Administrative Users

This may seem obvious, but you’d be surprised how many companies overlook it. Admin privileges are the keys to the kingdom, and many IT shops hand them out too freely. Some basic guidelines are:

  • Make sure that nobody has ConfigMgr permissions except people who specifically need them.
  • Use role-based security and least privilege management (LPM) to make sure that nobody has more privileges than needed.
  • Look into all new administrators. Some companies perform a background check, others consider it sufficient to just contact references.
  • Review the assignments on a regular basis. Just because somebody needed ConfigMgr superpowers a year ago does not mean they still need them today.
  • Check the audit logs once in a while to see that nobody is overstepping their bounds. This one is getting into the hard-to-justify-spending-the-time realm, but it will keep your company safer if you do it.

Securing ConfigMgr

Secure the ConfigMgr SQL Server(s)

Securing SQL Servers is a critical part of any security strategy, and that definitely applies to ConfigMgr. In some companies a DBA will be responsible for SQL security, but as a ConfigMgr admin you will likely install SQL server and may end up owning its security.

SQL security is a vast topic, but there are a few very basic things that should apply in almost every deployment. First, always use Windows Authentication (never Mixed Mode). Second, secure the “sa” account by disabling it, deleting it, or protecting it with a complex password—the default password is the first thing hackers try.

Third, don’t forget SQL Express! In an architecture with secondary site servers, ConfigMgr may install SQL Express from files on the primary (unless you point it to a SQL Server instance instead). Those SQL Express install files may be out of date, so be sure to update after installation. However, the broader point is to make sure you update it regularly. Last year, Microsoft issued a SQL Express patch that fixed a remote execution vulnerability, so the threat is real—and easy to mitigate.

Securing ConfigMgr

Lock-down Windows 10 OSD

Windows 10 OSD is a vast field about which volumes could be written. Some OSD security basics that will serve as a good jumping off point include:

  • Never deploy task sequences to the All Unknown Computers collection
  • Limit deployment to systems that have specifically been whitelisted/allowed for OSD
  • Ensure that Task Sequences are kept clear of sensitive data
  • Restrict physical access to OSD media
  • Physically protect any physical system you use to create references images

Go Deep with Security

I’ve mentioned only few key things to look for. Other areas of ConfigMgr security include: permissions and authorization, server management, client management, content, and even business priorities. Also, to truly secure your systems management environment, you’ll need look at business processes in addition to systems and configurations.

To learn more, Adaptiva has put together a few educational security resources that go into much more detail:

Top 20 Security Best Practices Report PDF

Top 20 SCCM Security Best Practices Webinar: Recording & Slides

SCCM Security Checklist

Securing ConfigMgr

Adaptiva Administrative Users Best Practices OSD RBAC SCCM 2012 SQL SQL Windows 10
SCD Collaborators
Comments (0)
Related posts
Benoit LecoursApril 24 202411 Min Read
Step-by-Step SCCM 2403 Upgrade Guide

Microsoft has released the first SCCM version for 2024 as the release cadence is now reduced to 2...

SCCM/MECM
Benoit LecoursApril 23 20244 Min Read
In-place OS upgrade for SCCM site server

Some releases of SCCM versions require that you upgrade your site server Operating System to...

SCCM/MECM
Marc-Andre ChartrandApril 18 20244 Min Read
SCCM Office 365 dashboard Unmanaged clients

If you’ve always been managing your Office 365 (Now Microsoft 365 Apps) clients with SCCM,...

Office 365 SCCM/MECM
Request a Quote

Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.

Consulting Services

Subscription

PatchMyPC

Reports and Guides

I'm interested in working with you

Consulting services and time banks are used for generic requests. All others are fixed-price plans.

Never share sensitive information (credit card numbers, social security numbers, passwords) through this form.
Request Sent

Thank you for your request. You will receive an email with more details. Take note that we normally work from Monday to Friday. We will get in touch with you as soon as possible.

Comment Sent

Thank for your reply!

Error

Something went wrong!