SMS: Security Considerations for SMS Service Accounts

Last reviewed: February 16, 1998
Article ID: Q180978
The information in this article applies to:
  • Microsoft Systems Management Server, version 1.2

SUMMARY

The Systems Management Server service account is used by the Site Configuration Manager, Hierarchy Manager, and Systems Management Server Executive services. This account is also used for the Package Command Manager (PCM) client component service on Systems Management Server logon servers in the site. Because this account sets up and maintains directories and shares, installs services, and writes to the registry, it requires local Administrator rights on the computers it maintains (including logon servers, distribution servers, and helper servers). Additionally, if the "Auto-detect All Logon Servers" option is enabled, the Systems Management Server Inventory Agent and the PCM service are also installed on every member server, and the PCM service on those servers runs under the Systems Management Server service account.

When security boundaries must be drawn to fit an organizational or administrative model, a Systems Management Server hierarchy should be built to match them. Each site should have its own service account and password. When a site hierarchy is divided along security boundaries, a single domain must not contain more than one site, because each site's service account must reside in that site's domain.

MORE INFORMATION

Generally speaking, the less secure the environment, the easier it is to administer, in terms of deployment and password changes. A secure environment requires more complex administration.

Normally, the Systems Management Server service account is granted Domain Administrator rights to the domains within the site. Doing so assumes that the local administrator of the site server and logon servers is also a Domain Administrator, and vice versa.

It is possible to have a multiple-site hierarchy in which all sites use the same account and password. If Systems Management Server is configured this way, account maintenance is simplified; multiple sites with unique passwords require more account maintenance. It is also possible to create a separate user account for the sender (a thread of the Systems Management Server Executive service) to use for inter-site communications. The sender account does not need to be a Domain Administrator; a Domain User with limited rights is sufficient. The only requirement of the sender account is that it must have Administrator rights on each site server's SMS_SITE share (<SMS_root>\Sms\Despooler.box\Receive). After creating the user account, you can configure the sender to use that account in the Addresses portion of the Site Properties.
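The account rules stated above (the service account must be a local Administrator on every server it maintains and must reside in the site's domain, sites divided along security boundaries need one account each and therefore one domain each, and the sender only needs rights on the SMS_SITE share rather than Domain Administrator membership) can be checked against a planned hierarchy before any account is created. The following script is an added example, not Microsoft code and not part of the Systems Management Server product; the Account and Site structures, the check_plan function, and every domain, server and account name in it are constructed for illustration.

```python
"""Plan check for SMS 1.2 service and sender accounts (added example, constructed data).

Constraints encoded, as stated in the article:
  * the service account is a local Administrator on the site server and every
    logon, distribution and helper server the site maintains;
  * the service account resides in the site's domain;
  * with sites split along security boundaries, each site has its own service
    account, so no domain hosts more than one site;
  * the sender account needs Administrator rights on the SMS_SITE share of each
    site server it delivers to, and nothing more (not Domain Administrator).
"""
from dataclasses import dataclass, replace

DOMAIN_ADMINS = "Domain Admins"


@dataclass(frozen=True)
class Account:
    name: str                                 # DOMAIN\user (constructed names)
    domain: str
    groups: frozenset = frozenset()           # domain group memberships
    local_admin_on: frozenset = frozenset()   # servers where it is a local Administrator
    share_admin_on: frozenset = frozenset()   # site servers whose SMS_SITE share grants it admin rights


@dataclass(frozen=True)
class Site:
    code: str
    domain: str
    service_account: str
    sender_account: str
    site_server: str
    maintained_servers: frozenset             # logon, distribution and helper servers
    sends_to: frozenset = frozenset()         # site codes this site's sender addresses


def check_plan(sites, accounts, security_boundaries=True):
    """Return a list of findings; an empty list means the plan meets every constraint."""
    findings = []
    site_by_code = {s.code: s for s in sites}
    sites_in_domain, sites_per_account = {}, {}
    for s in sites:
        svc = accounts[s.service_account]
        if svc.domain != s.domain:
            findings.append(f"{s.code}: service account {svc.name} resides in {svc.domain}, not {s.domain}")
        for server in sorted(s.maintained_servers | {s.site_server}):
            if server not in svc.local_admin_on:
                findings.append(f"{s.code}: {svc.name} lacks local Administrator rights on {server}")
        snd = accounts[s.sender_account]
        if DOMAIN_ADMINS in snd.groups:
            findings.append(f"{s.code}: sender account {snd.name} is a Domain Administrator; "
                            "a Domain User with rights on the SMS_SITE share is sufficient")
        for target in sorted(s.sends_to):
            target_server = site_by_code[target].site_server
            if target_server not in snd.share_admin_on:
                findings.append(f"{s.code}: sender {snd.name} lacks Administrator rights on "
                                f"the SMS_SITE share of {target_server}")
        sites_in_domain.setdefault(s.domain, []).append(s.code)
        sites_per_account.setdefault(s.service_account, []).append(s.code)
    if security_boundaries:   # extra rules that apply only when sites follow security divisions
        for domain, codes in sites_in_domain.items():
            if len(codes) > 1:
                findings.append(f"domain {domain} hosts sites {', '.join(codes)}; "
                                "one site per domain is needed when sites follow security boundaries")
        for account, codes in sites_per_account.items():
            if len(codes) > 1:
                findings.append(f"service account {account} is shared by sites {', '.join(codes)}; "
                                "each site needs its own account and password")
    return findings


def compliant_plan():
    """Constructed two-site hierarchy that satisfies every constraint."""
    accounts = {a.name: a for a in (
        Account("CORP\\SMSService", "CORP", groups=frozenset({DOMAIN_ADMINS}),
                local_admin_on=frozenset({"CEN-SITE", "CEN-LOGON1", "CEN-DIST1"})),
        Account("LAB\\SMSService", "LAB", groups=frozenset({DOMAIN_ADMINS}),
                local_admin_on=frozenset({"LAB-SITE", "LAB-LOGON1"})),
        Account("CORP\\SMSSender", "CORP", groups=frozenset({"Domain Users"}),
                share_admin_on=frozenset({"LAB-SITE"})),
        Account("LAB\\SMSSender", "LAB", groups=frozenset({"Domain Users"}),
                share_admin_on=frozenset({"CEN-SITE"})),
    )}
    sites = [
        Site("CEN", "CORP", "CORP\\SMSService", "CORP\\SMSSender", "CEN-SITE",
             frozenset({"CEN-LOGON1", "CEN-DIST1"}), sends_to=frozenset({"LAB"})),
        Site("LAB", "LAB", "LAB\\SMSService", "LAB\\SMSSender", "LAB-SITE",
             frozenset({"LAB-LOGON1"}), sends_to=frozenset({"CEN"})),
    ]
    return sites, accounts


def flawed_plan():
    """The same plan with mistakes the check should catch."""
    sites, accounts = compliant_plan()
    # sender granted Domain Administrator membership it does not need
    accounts["CORP\\SMSSender"] = replace(accounts["CORP\\SMSSender"], groups=frozenset({DOMAIN_ADMINS}))
    # helper server added without granting the service account local Administrator rights on it
    sites[0] = replace(sites[0], maintained_servers=sites[0].maintained_servers | {"CEN-HELPER1"})
    # second site moved into the first site's domain: two sites in one domain, and the
    # LAB service account no longer resides in its site's domain
    sites[1] = replace(sites[1], domain="CORP")
    return sites, accounts


if __name__ == "__main__":
    for label, plan in (("compliant", compliant_plan()), ("flawed", flawed_plan())):
        print(f"{label}: {check_plan(*plan) or ['no findings']}")
```

Running the script prints no findings for the compliant plan and four for the flawed one; passing security_boundaries=False drops only the one-site-per-domain finding, which matches the article's note that a shared account and a shared domain are acceptable when the hierarchy is not divided along security lines.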

For more information, refer to the Concepts and Planning Guide in the online documentation.


Additional query words: prodsms admin admins
Keywords : smsadmin smsconfig smsgeneral
Version : WINNT:1.2
Platform : winnt
Issue type : kbinfo


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.