Microsoft Confidential © 2012 Microsoft Corporation. All rights reserved.
Presentation transcript:


System Center 2012 Configuration Manager Concepts & Administration
Module 9: Console Security
Premier Field Engineer, Microsoft

Conditions and Terms of Use This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited. The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. For more information, see Use of Microsoft Copyrighted Content at Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Copyright and Trademarks © 2012 Microsoft Corporation. All rights reserved. Microsoft Confidential

Objective
In this lesson you will learn about the following:
- Security in Layers
- Role-based administration
- Roles
- Scopes

Security in Layers
- SMS Admins group: local group on the site server; users are automatically added to it when created under "Administrative Users" in the console
- DCOM: the user needs remote activation rights on the server (configured with DComcnfg)
- Roles: what the user is allowed to do
- Scopes: what objects the user is allowed to work with
- Collections: limit the resources that can be managed

Role-based Administration (diagram)
Example objects shown: Advertisements (DEP1234, DEP5678, DEP8787, DEP9246); Collections (All Systems, EMEA, N. America, S. America, Finance, HR, Sales); Packages (Office – MUI (Japanese), Office – MUI (Spanish), Billing Tool, Time Card, SAP - HR, SAP - Sales, Windows Vista, Windows 7); OS Images (Windows Server 2008); Configuration Items (Datacenter Servers, Standard Desktop, HR Systems); Software Updates (Update for Office 2007, Update for Windows).
Example permissions shown: Read/Advertise; Read/Create/Modify.
Example assignments shown: assign role Software Distribution Administrator; assign security scope South America; assign security scope Sales & Marketing.

Role-based Administration (continued)
Roles, Scopes, Collections
Role-based administration provides the following benefits:
- Sites are no longer administrative boundaries.
- You create administrative users for the hierarchy and assign security to them one time only.
- You create content for the hierarchy and assign security to that content one time only.
- All security assignments are replicated and available throughout the hierarchy.
- There are built-in security roles to assign the typical administration tasks, and you can create your own custom security roles.
- Administrative users see only the objects that they have permissions to manage.
- You can audit administrative security actions.

RBA in Configuration Manager Refresher
- Who? What actions? Role = object + permissions. Example "Application Admin": object Package; permissions Read, Modify, Delete.
- Which objects? Scope (group) = permissions to specific instances. Example: group SEC-DesktopAdmins, role Application Administrator, scope Desktop.
- Where? Which resources? Collection. Example: "Desktop Machines".

RBA in Configuration Manager Refresher (continued)
Who?
- Roles: 14 built-in roles; copy existing roles and modify them; import roles from another hierarchy
- Scope (mandatory): 2 built-in scopes, All (all securable objects) and Default (all objects assigned on install); one object can have multiple scopes
- Collection (optional): permissions apply to the root collection and its child collections; the root collection cannot be modified

Roles
Groups of permissions that allow users to perform tasks; a role defines the actions a user can take.
Best practice: provide the least privilege necessary.
How to use roles:
- Identify the group of tasks a user will need to perform
- Map the tasks to built-in security roles
- Assign multiple roles if necessary
- Create additional roles if needed

Roles (continued): Creating custom roles
Import or copy an existing role; roles can be exported to and imported from XML files between sites.

Scopes
A named set of securable objects: Applications, Packages, Boot images, Sites, Custom client settings, Distribution points and distribution point groups, Software update groups.
All objects must be assigned to one or more security scopes.
Two built-in security scopes:
- All: objects cannot be assigned to this scope (it grants access to all scopes)
- Default: all objects are assigned to this scope at install time

Unsecured Objects (Secured by Role)
Active Directory Forests, Administrative users, Alerts, Boundaries, Computer Associations, Default Client Settings, Deployment templates, Device drivers, Exchange Server connector, Migration site-to-site mappings, Mobile device enrollment profiles, Security roles, Security scopes, Site addresses, Site system roles, Software titles, Software updates, Status messages, User device affinities

Scopes: Creating Custom Scopes
Scopes can contain many objects: Applications, Packages, Boot images, Sites, Custom Client Settings, Distribution points and distribution point groups, Software update groups.
Create the scope in the Security Scopes node, then assign it to objects.

Collections
Grouping of objects, created for various reasons:
- Functional: servers and workstations
- Geographic: North America and Europe
- Security and business process: production and test
- Organizational alignment: HR, finance, sales, etc.
Users can be limited to certain collections through the Administrative Users node under Security.

RBAC Scenarios – Cumulative Rights (same scopes, same collection)
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection Y
Result | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b |

RBAC Scenarios – Cumulative Rights (one object in two scopes)
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope b (Package 1) | Collection Y
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a (Package 1) | Collection Y
Result for Package 1 | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | |

RBAC Scenarios – Cumulative Rights (one machine in two collections)
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y (Machine 1)
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection X (Machine 1)
Result for Machine 1 | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b |

RBAC Scenarios – Conflict Resolution
Administrative User | Security Role | Security Scope | Collections
User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Patch_Master Collection (Machine 1, 2, 3)
User A | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | SWD_Master Collection (Machine 1)
Result for Machine 1 | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) + Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b |
Result for Machine 2, 3 | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b |
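Added example (not part of the course material and not Configuration Manager's own code): a small Python model that reproduces the cumulative-rights and conflict-resolution scenarios above. The role names, scope names, collection memberships and object kinds are constructed from the slides; the evaluation rule it implements (effective rights are the union over every assignment whose security scope contains the object and whose collection contains the target machine, with the built-in All scope covering every object) is an assumption that matches the slide results, not a description of ConfigMgr's internal algorithm.

```python
"""Toy model of ConfigMgr 2012 role-based administration (RBA).

Constructed for illustration; not Configuration Manager's own code.
"""
from dataclasses import dataclass

# Role -> permissions, each tagged with the object class it applies to
# (constructed from the scenario slides).
ROLES = {
    "Appl. Deployment Manager": {
        ("Apps", "Create"), ("Apps", "Read"), ("Apps", "Modify"), ("Apps", "Deploy")},
    "Appl. Deployment Manager - 1": {
        ("Apps", "Create"), ("Apps", "Read"), ("Apps", "Modify"), ("Apps", "Deploy")},
    "Appl. Deployment Manager - 2": {
        ("Apps", "Create"), ("Apps", "Read"), ("Apps", "Modify"), ("Apps", "Delete")},
    "Software Update Manager": {
        ("Updates", "Create"), ("Updates", "Read"), ("Updates", "Modify"), ("Updates", "Deploy")},
}

# Collection -> member machines (constructed sample data from the slides).
COLLECTIONS = {
    "Collection X": {"Machine 1"},
    "Collection Y": {"Machine 1"},
    "Patch_Master": {"Machine 1", "Machine 2", "Machine 3"},
    "SWD_Master": {"Machine 1"},
}


@dataclass(frozen=True)
class Assignment:
    """One security role bound to the scopes and collections it applies to."""
    role: str
    scopes: frozenset
    collections: frozenset


@dataclass(frozen=True)
class SecuredObject:
    """A securable object (package, update, ...) and the scopes it is assigned to."""
    name: str
    kind: str          # "Apps" or "Updates"
    scopes: frozenset


def effective_rights(assignments, obj, resource=None):
    """Permissions a user holds on `obj`; if `resource` (a machine) is given,
    only assignments whose collections contain that machine count.
    Assumed rule: rights accumulate (union) across matching assignments."""
    rights = set()
    for a in assignments:
        # The built-in All scope covers every securable object.
        if "All" not in a.scopes and not (a.scopes & obj.scopes):
            continue  # object lies outside every scope of this assignment
        if resource is not None and not any(
                resource in COLLECTIONS.get(c, set()) for c in a.collections):
            continue  # target machine is not in any collection of this assignment
        rights |= {perm for kind, perm in ROLES[a.role] if kind == obj.kind}
    return rights


def can(assignments, obj, permission, resource=None):
    """True when the user may perform `permission` on `obj` (for `resource`)."""
    return permission in effective_rights(assignments, obj, resource)


def conflict_scenario():
    """The conflict-resolution slide: User A has Software Update Manager on
    Patch_Master (Machines 1-3) and Appl. Deployment Manager on SWD_Master
    (Machine 1). Returns the sorted rights per machine and object kind."""
    both = frozenset({"Scope a", "Scope b"})
    user_a = [
        Assignment("Software Update Manager", both, frozenset({"Patch_Master"})),
        Assignment("Appl. Deployment Manager", both, frozenset({"SWD_Master"})),
    ]
    app = SecuredObject("App 1", "Apps", both)           # constructed object
    update = SecuredObject("Update 1", "Updates", both)  # constructed object
    return {
        machine: {
            "Apps": sorted(effective_rights(user_a, app, machine)),
            "Updates": sorted(effective_rights(user_a, update, machine)),
        }
        for machine in ("Machine 1", "Machine 2", "Machine 3")
    }


if __name__ == "__main__":
    for machine, rights in conflict_scenario().items():
        print(machine, rights)
```

Running the block prints that Machine 1 gets both the application and the update rights while Machines 2 and 3 get only the update rights, which is the "conflict" the slide resolves: there is no precedence between roles, only the union of whatever each assignment grants for the object and machine in question. The same `effective_rights` call covers the three cumulative-rights slides by changing which scopes and collections each assignment carries.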

Client Settings Object - CAS
Scenario: a primary site admin is a Full Administrator with access to the primary site via "PRI Scope" and no access to the CAS.
Result: no ability to view Default Client Settings.
Explanation: Default Client Settings is an unsecured object owned by the CAS, hence Site "Read" rights on the CAS are required.
Solution: create a custom role that allows Site "Read" rights and combine this role with the "CAS Scope".

OSD Manager / Import Systems
Scenario: machine import with restricted rights requires access to the All Systems collection.
Result: the default OSD Manager role is excessive (it allows Install Client and Block actions on servers).
Workarounds: Unknown Computer Support; provide an out-of-console option for adding computers.

Delete Unprovisioned Computers
Scenario: a task sequence error leaves an orphaned "Unknown" object in All Systems.
Result: the machine cannot be PXE booted again because it is no longer Unknown.
Solution: create a collection of unprovisioned computers and a custom role that allows deleting resources.

Report Security
Security rights are based on role assignment: "Read" rights to the "Site" object.
Security policies are set every 10 min on report folders in SSRS by the

RBA Viewer
- Requires the Configuration Manager console.
- The user has to be a Full Administrator, Read-only Analyst, or Security Administrator.
- The user has to be assigned the All security scope and All collections.
- To analyze report folder security, the user must have SQL access.
- To analyze report drill-through, the user must run the tool on the site with the reporting services point installed.

Lab: Configuring Security for Desktop Administrators Access

Lesson Review
- What is RBA and what does it contain?
- What is a Role?
- What is a Scope?
- What tool can you use to test and check the permissions you are granting to users/groups?

Module Summary
In this lesson you learned about the following:
- Security in Layers
- Role-based administration
- Roles
- Scopes

For More Information
- How do I get the right permissions in Configuration Manager 2012? (Michael Griswold)
- Managing Unprovisioned Computers in System Center 2012 Configuration Manager (Inside OSD Blog)
- Custom Role Based Administration for Importing Computers (Inside OSD Blog)
- Implementing Packaging and Testing work flows in Configuration Manager 2012 using Role Based Access (MSIT)
- Configuration Manager 2012: Maximizing Security (Aaron Czechowski)