1 Microsoft Confidential © 2012 Microsoft Corporation. All rights reserved.

2 System Center 2012 Configuration Manager Concepts & Administration, Module 9: Console Security. Premier Field Engineer, Microsoft: Your Name

3 Conditions and Terms of Use This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited. The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/ Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Copyright and Trademarks © 2012 Microsoft Corporation. All rights reserved. Microsoft Confidential

4 Objective In this lesson you will learn about the following:
- Security in Layers
- Role-based administration
- Roles
- Scopes

5 Security in Layers
- SMS Admins group: local group on the site server; users are automatically added when created under “Administrative Users” in the UI
- DCOM: remote activation is needed on the server (DComcnfg)
- Roles: what the user is allowed to do
- Scopes: what objects the user is allowed to work with
- Collections: limit the resources to be managed

6 Role-based Administration (diagram). Objects shown: Collections (All Systems, EMEA, Finance, S. America, N. America, HR, Sales); Packages (Office – MUI (Japanese), Billing Tool, Time Card, SAP - HR, Office – MUI (Spanish), SAP - Sales); OS Images (Windows Server 2008, Windows Vista, Windows 7); Configuration Items (Datacenter Servers, Standard Desktop, HR Systems); Software Updates (Update for Office 2007, Update for Windows); Advertisements (DEP1234, DEP5678, DEP8787, DEP9246). Assignments shown: role Software Distribution Administrator, with permissions Read/Advertise and Read/Create/Modify; security scopes South America and Sales & Marketing.

7 Role-based Administration (continued): Roles, Scopes, Collections. Role-based administration provides the following benefits:
- Sites are no longer administrative boundaries.
- You create administrative users for the hierarchy and assign security to them one time only.
- You create content for the hierarchy and assign security to that content one time only.
- All security assignments are replicated and available throughout the hierarchy.
- There are built-in security roles to assign the typical administration tasks, and you can create your own custom security roles.
- Administrative users see only the objects that they have permissions to manage.
- You can audit administrative security actions.

8 RBA in Configuration Manager 2012 - Refresher
- Who? An administrative user or group, e.g. SEC-DesktopAdmins (Role: Application Administrator; Scope: Desktop)
- What actions? Role = Object + Permissions, e.g. “Application Admin”: Object: Package; Permissions: Read, Modify, Delete
- Which objects? Scope (group): permissions to specific instances
- Where? Which resources? Collection, e.g. “Desktop Machines”

9 RBA in Configuration Manager 2012 - Refresher
- Roles: 14 built-in roles; copy existing roles and modify; import roles from another hierarchy
- Scope (mandatory): 2 built-in scopes: All (all securable objects) and Default (all objects assigned on install); one object can have multiple scopes
- Collection (optional): permissions apply to the root and child collections; the root collection cannot be modified

10 Roles Groups of permissions that allow users to perform tasks; a role defines the actions a user can take. Best practice: provide the least privilege necessary. How to use roles:
- Identify the group of tasks a user will need to perform
- Map the tasks to built-in security roles
- Assign multiple roles if necessary
- Create additional roles if needed

11 Roles (continued) Creating custom roles: import or copy an existing role. Role XML files can be exported and imported between sites.

12 Scopes A named set of securable objects: applications, packages, boot images, sites, custom client settings, distribution points and distribution point groups, software update groups. All objects must be assigned to one or more security scopes. Two built-in security scopes:
- All – objects can’t be assigned to this scope (it grants access to all scopes)
- Default – all objects are assigned to this scope at install time

13 Unsecured Objects (Secured by Role) Active Directory forests, administrative users, alerts, boundaries, computer associations, default client settings, deployment templates, device drivers, Exchange Server connector, migration site-to-site mappings, mobile device enrollment profiles, security roles, security scopes, site addresses, site system roles, software titles, software updates, status messages, user device affinities

14 Scopes Creating Custom Scopes Scopes can contain many objects: applications, packages, boot images, sites, custom client settings, distribution points and distribution point groups, software update groups. Create the scope in the Security Scopes node, then add it to objects.


16 Collections Grouping of resources. Create for various reasons:
- Functional – servers and workstations
- Geographic – North America and Europe
- Security and business process – production and test
- Organizational alignment – HR, finance, sales, etc.
Users can be limited to certain collections through Security / Administrative Users.

17 RBAC Scenarios – Cumulative Rights
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection Y
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y
Result: User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b | Collection Y

18 RBAC Scenarios – Cumulative Rights
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a (Package 1) | Collection Y
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope b (Package 1) | Collection Y
Result: User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Package 1 | Collection Y

19 RBAC Scenarios – Cumulative Rights
Administrative User | Security Role | Security Scope | Collections
User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection X (Machine 1)
User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y (Machine 1)
Result: User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b | Machine 1

20 RBAC Scenarios – Conflict Resolution
Administrative User | Security Role | Security Scope | Collections
User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Patch_Master Collection (Machine 1, 2, 3)
User A | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | SWD_Master Collection (Machine 1)
Result: User A | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) + Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Machine 1
Result: User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Machine 2, 3
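The cumulative-rights and conflict-resolution scenarios of slides 17 to 20 as an added worked model; this is example code written for this page, not code from the slides or from Configuration Manager itself. Role, scope, collection and machine names and the collection memberships are constructed to match the slides, and the unnumbered Appl. Deployment Manager of slide 20 is modelled as role 1.

```python
from dataclasses import dataclass

# Constructed model of Configuration Manager 2012 role-based administration:
# a role is a set of (object type, permission) pairs, an assignment binds one
# role to security scopes and collections, and a user's rights are the union
# over all assignments (cumulative, never subtractive).
@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # {(object type, permission), ...}
@dataclass(frozen=True)
class Assignment:
    role: Role
    scopes: frozenset        # security scopes this role applies to
    collections: frozenset   # collections whose members may be targeted
@dataclass(frozen=True)
class SecuredObject:
    kind: str
    scopes: frozenset        # one object may sit in several scopes

COLLECTIONS = {"Patch_Master": {"Machine 1", "Machine 2", "Machine 3"},  # slide-20 layout
               "SWD_Master": {"Machine 1"}, "Collection Y": {"Machine 1"}}
def covers(assignment, resource):
    return any(resource in COLLECTIONS[c] for c in assignment.collections)

def permitted(assignments, action, obj, resource=None):
    """One assignment must grant `action` on `obj` and, if a machine is given, reach it too."""
    return any((obj.kind, action) in a.role.permissions
               and obj.scopes & a.scopes          # object inside the user's scopes
               and (resource is None or covers(a, resource))
               for a in assignments)

def roles_for_resource(assignments, resource):
    """Roles that apply to a machine through the user's collection assignments."""
    return sorted({a.role.name for a in assignments if covers(a, resource)})

def role(name, kind, perms):
    return Role(name, frozenset((kind, p) for p in perms))

# Roles, objects and assignments from slides 18 and 20 (constructed values).
ADM1 = role("Appl. Deployment Manager - 1", "Application", ("Create", "Read", "Modify", "Deploy"))
ADM2 = role("Appl. Deployment Manager - 2", "Application", ("Create", "Read", "Modify", "Delete"))
SUM = role("Software Update Manager", "SoftwareUpdate", ("Create", "Read", "Modify", "Deploy"))
PACKAGE_1 = SecuredObject("Application", frozenset({"Scope a", "Scope b"}))
UPDATE_1 = SecuredObject("SoftwareUpdate", frozenset({"Scope b"}))
SLIDE_18 = (Assignment(ADM2, frozenset({"Scope b"}), frozenset({"Collection Y"})),
            Assignment(ADM1, frozenset({"Scope a"}), frozenset({"Collection Y"})))
SLIDE_20 = (Assignment(SUM, frozenset({"Scope a", "Scope b"}), frozenset({"Patch_Master"})),
            Assignment(ADM1, frozenset({"Scope a", "Scope b"}), frozenset({"SWD_Master"})))
```

On the slide-18 data `permitted(SLIDE_18, "Delete", PACKAGE_1)` and `permitted(SLIDE_18, "Deploy", PACKAGE_1)` both hold because Package 1 is in both scopes; on the slide-20 data `roles_for_resource(SLIDE_20, "Machine 2")` yields only the Software Update Manager, so deploying an application to Machine 2 is refused.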

21 Client Settings Object - CAS
- Scenario: Primary Site Admin is a Full Administrator with access to the primary site via “PRI Scope” and no access to the CAS
- Result: no ability to view Default Client Settings
- Explanation: unsecured object, owned by the CAS, hence Site “Read” rights are required
- Solution: custom role that allows Site “Read” rights, combined with “CAS Scope”

22 OSD Manager/Import Systems
- Scenario: machine import with restricted rights requires access to the All Systems collection
- Result: the default OSD Manager role is excessive (Install Client / Block actions on servers)
- Workarounds: Unknown Computer Support; provide an out-of-console option for adding machines

23 Delete Unprovisioned Computers
- Scenario: a Task Sequence error leads to an orphaned “Unknown” object existing in All Systems
- Result: the machine cannot be PXE booted again, as it is no longer Unknown
- Solution: create a collection of unprovisioned computers and a custom role to delete resources

24 Report Security
- Security rights are based on role assignment
- “Read” rights to the “Site” object
- Security policies are set every 10 min on report folders in SSRS by the

25 RBA Viewer
- Requires the Configuration Manager console
- User has to be a Full Administrator, Read-only Analyst, or Security Administrator
- User has to be assigned to the All security scope and All collections
- To analyze report folder security, the user must have SQL access
- To analyze report drill-through, the user must run this tool on the site with the reporting services point installed

26 Lab Configuring Security for Desktop Administrators Access

27 Lesson Review
- What is RBA and what does it contain?
- What is a Role?
- What is a Scope?
- What tool can you use to test and check the permissions you are granting to users/groups?

28 Module Summary In this lesson you learned about the following:
- Security in Layers
- Role-based administration
- Roles
- Scopes

29 For More Information
- How do I get the right permissions in Configuration Manager 2012? (Michael Griswold)
- Managing Unprovisioned Computers in System Center 2012 Configuration Manager (Inside OSD Blog)
- Custom Role Based Administration for Importing Computers (Inside OSD Blog)
- Implementing Packaging and Testing work flows in Configuration Manager 2012 using Role Based Access (MSIT)
- Configuration Manager 2012: Maximizing Security (Aaron Czechowski)
