
SCCM Security Checklist

Permissions and Authorization

SCCM administrative users’ permissions are individually restricted using least privilege management (LPM) and role-based security.
Process in place for vetting staff prior to granting SCCM administrator authority.
SCCM administrator assignments have been reviewed/audited within the last 12 months (or other timeframe established).
SCCM administrators’ account activity is audited on a regular basis to validate that use is not significantly deviating from business duties.
Local administrator privileges are never granted, except to vetted individuals with a business need for admin rights on their local machine.
SCCM security groups for site system communication are not altered or changed from the default.
Require approval for computers from untrusted domains (not using the “automatic for all computers” security setting).
If your organization uses SCCM client push installation, carefully secure and use LPM for the Client Push Installation Account.
If using Exchange, use LPM to lock down the Exchange Server connector to the minimum rights needed.

Server Management

SCCM is not installed on a Domain Controller.
The SQL Server (and SQL Express, if used) “sa” account is not enabled, or if it is enabled, is not accessible with the default password.
SQL Server (and SQL Express, if used) uses Windows Authentication.
SQL Server (and SQL Express, if used) is current, patched with the latest updates and security fixes.
Configure static IP addresses for site systems.
Always remove security certificates from the reference computer before creating OSD images.
Use HTTPS for all supported SCCM communications.

www.adaptiva.com 1

Protect .pfx certificate files used by SCCM servers in physical storage (USB, etc.), network storage (disk), and when in transit over the network, and further secure them with a strong password.
Extend the Active Directory schema for SCCM.
Protect the communications between SCCM and the Exchange server when using Exchange (IPsec for an on-premises Exchange server; SSL if Internet-based).
If using SMTP, ensure authenticated access to the mail server.
IIS for SCCM uses a custom website instead of the default.
IIS on SCCM machines is protected with IIS best practices.
IIS used for SCCM is secured by disabling features not essential for SCCM.
Only run setup from a trusted source over a secure network connection when installing SCCM.
Use IPsec (or other means) to protect communications traffic between site system servers and sites.
No Internet-based site systems bridge the intranet and the external network.
Site system servers on untrusted networks are configured so that the site server initiates connections to the site system (rather than the site system opening connections into the intranet).
SCCM backups are secured, and done over secure communications channels.
Do not rely on NAP (Network Access Protection) for network security (NAP ensures system integrity, not user or network integrity).
Use non-default port numbers where possible.
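The three SQL Server items above (“sa” disabled, Windows Authentication only, current build) can be verified from the site server rather than trusted. The script below is an added example, not part of the Adaptiva checklist; it assumes a site database instance named CM01\INST01 and that the account running it may read sys.server_principals and SERVERPROPERTY on that instance.

```powershell
# Added example (not from the Adaptiva checklist): audits the SCCM site database
# instance for the checklist's SQL Server items. The instance name is an assumption.
param(
    [string]$SqlInstance = 'CM01\INST01'   # assumed SCCM site database instance
)

# Windows Authentication is used for the audit itself; no SQL login is needed.
$connectionString = "Server=$SqlInstance;Database=master;Integrated Security=True;Encrypt=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()

function Invoke-Scalar([string]$Sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    return $cmd.ExecuteScalar()
}

# sid 0x01 is always the built-in "sa" login, even if it has been renamed.
$saName       = Invoke-Scalar "SELECT name FROM sys.server_principals WHERE sid = 0x01"
$saDisabled   = [int](Invoke-Scalar "SELECT is_disabled FROM sys.server_principals WHERE sid = 0x01")
# 1 = Windows Authentication only; 0 = mixed mode, where SQL logins such as "sa" can be used.
$windowsOnly  = [int](Invoke-Scalar "SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')")
$version      = Invoke-Scalar "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))"
$productLevel = Invoke-Scalar "SELECT CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(128))"
$conn.Close()

$findings = @(
    [pscustomobject]@{ Check = "'sa' login ($saName) is disabled";  Pass = ($saDisabled -eq 1) }
    [pscustomobject]@{ Check = 'Windows Authentication only';        Pass = ($windowsOnly -eq 1) }
)
$findings | Format-Table -AutoSize

# Patch level cannot be judged offline: report the build so it can be compared
# with the current Microsoft release for that SQL Server version.
"Build $version ($productLevel) - compare with the latest update for this SQL Server version."

if ($windowsOnly -eq 0 -and $saDisabled -eq 0) {
    "Mixed mode with 'sa' enabled: confirm the password is not the default and rotate it."
}
if ($findings.Pass -contains $false) { exit 1 }
```

Run it under an account that is a SQL sysadmin (as the site server computer account usually is) and treat a non-zero exit as a failed checklist item; the script deliberately does not try any password against “sa”, since the control is that the login is disabled, not that its password is guessable.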

Client Management

When using Remote Desktop, always log off the session before disconnecting.
Users are not allowed to specify their own primary device for user device affinity features.
Deploy X.509/PKI certificates on all clients where possible.
Users’ ability to modify remote control settings in Software Center is disabled.
The Permitted Viewers list for remote control is explicitly restricted.

Content

If using maintenance windows, verify that the window is big enough to allow deployment of large, critical software updates.
If WINS is enabled in your environment, use the SMSDIRECTORYLOOKUP=NoWINS option (a Client.msi property passed through CCMSetup) when installing the SCCM client; WINS is a less secure fallback from AD with schema extensions/DNS.
Managed Object Format (MOF) files that are used to import/export collections are secured both at rest on disk and in transit on the network.
Use UTC for deployment times, to avoid the scenario where an end user changes the time zone to avoid updates.
Distribution Point shares for content are locked down so content is not readable by all users.
Ensure correct setting of package access permissions on initial creation, since future access changes are often forgone to avoid re-distribution over the WAN.

OSD

Protect OSD reference computers from tampering, both remotely over the network and physically at the PC.
Restrict access to folders containing state migration data, and put controls in place to ensure deletion from disk (e.g., set the retention period or manually delete).
After user state migration, computer associations are deleted.
Task Sequences are only exported to network locations that are secured, and only over secure channels.
State migration is done only over secured network channels.
BitLocker, when used, is re-enabled after unattended OSD.
Prevent deployment of Task Sequences to unknown computers and other computers not identified for Windows migration, through whitelisting, PXE passwords, or other means.
Keep Task Sequences free and clear of sensitive data including, but not limited to, passwords.
Restrict physical access to OSD media.
Keep the captured WIM current with the latest security updates.

Business Priorities

Establish SCCM security efforts as a priority with IT management, ensuring that SCCM administrators are encouraged to spend time on security tasks.

About Adaptiva

Adaptiva is a leading, global provider of IT systems management solutions for Microsoft System Center Configuration Manager. Founded in 2004 by the lead architect of Microsoft SMS 2003, Adaptiva pioneered the world’s first smart scaling peer-to-peer technology for systems management. This technology empowers IT professionals to use automated intelligence, not costly infrastructure, to scale to meet the software and security needs of their business. Adaptiva’s suite of smart scaling systems management products includes OneSite™ for content distribution and management, Client Health™ for endpoint security, troubleshooting, and remediation, and Green Planet™ for energy efficient power management and patching. Adaptiva’s software is used by Fortune 500 companies and deployed on millions of devices in over 100 countries. Learn more at www.adaptiva.com.

Contact

info@adaptiva.com

+1 (425) 823-4500

Facebook

Twitter

LinkedIn
