Transcript Document
© 2012 Microsoft Corporation. All rights reserved. Microsoft Confidential

System Center 2012 Configuration Manager Concepts & Administration
Module 9: Console Security
Your Name, Premier Field Engineer, Microsoft

Conditions and Terms of Use

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and noninfringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Objective

In this lesson you will learn about the following:
• Security in Layers
• Role-based administration
• Roles
• Scopes

Security in Layers

• SMS Admins group
  • Local group on the site server
  • Users are automatically added when using "administrative users" in the UI
• DCOM
  • Needs remote activation on the server
  • DComcnfg
• Roles
  • What the user is allowed to do
• Scopes
  • What objects the user is allowed to work with
• Collections
  • Limit the resources to be managed

Role-based Administration

[Diagram: an administrator is assigned a security role and a scope; together with collections (All Systems, Finance, Sales, HR Systems, N. America, S. America, Datacenter, Servers, Standard Desktop) these limit which objects (configuration items, advertisements, OS images, packages, software updates) the administrator can manage.]

Role-based Administration (continued)

• Roles
• Scopes
• Collections

Role-based administration provides the following benefits:
• Sites are no longer administrative boundaries.
• You create administrative users for the hierarchy and assign security to them one time only.
• You create content for the hierarchy and assign security to that content one time only.
• All security assignments are replicated and available throughout the hierarchy.
• There are built-in security roles to assign the typical administration tasks, and you can create your own custom security roles.
• Administrative users see only the objects that they have permissions to manage.
• You can audit administrative security actions.

RBA in Configuration Manager 2012 - Refresher

What actions? Role
• Object + Permissions
• Example "Application Admin"
  • Object: Package
  • Permissions: Read, Modify, Delete

Which objects? Scope (Group)
• Permissions to specific instances

Who? Administrative user, e.g. SECDesktopAdmins
• Role: Application Administrator
• Scope: Desktop

Where? Collection (which resources?), e.g. "Desktop Machines"

RBA in Configuration Manager 2012 - Refresher (continued)

Roles
• 14 built-in roles
• Copy existing roles and modify
• Import roles from another hierarchy

Scope (mandatory)
• 2 built-in scopes:
  • All (all securable objects)
  • Default (all objects assigned on install)
• One object can have multiple scopes

Collection (optional)
• Permissions apply to the root and child collections
• Cannot modify the root collection

Roles

• Groups of permissions that allow users to perform tasks
• Define the actions a user can take
• Best practice: provide the least privilege necessary
• How to use roles:
  • Identify the group of tasks a user will need to perform
  • Map tasks to built-in security roles
  • Assign to multiple roles if necessary
  • Create additional roles if needed

Roles (continued)

Creating custom roles
• Import or copy
• XML files can be imported and exported between sites

Scopes

• A named set of securable objects:
  • Applications
  • Packages
  • Boot images
  • Sites
  • Custom client settings
  • Distribution points and distribution point groups
  • Software update groups
• All objects must be assigned to one or more security scopes
• Two built-in security scopes:
  • All – can't assign objects to this scope (grants access to all scopes)
  • Default – all objects are assigned to this scope at install time

Unsecured Objects (Secured by Role)

• Active Directory Forests
• Administrative users
• Alerts
• Boundaries
• Computer Associations
• Default Client Settings
• Deployment templates
• Device drivers
• Exchange Server connector
• Migration site-to-site mappings
• Mobile device enrollment profiles
• Security roles
• Security scopes
• Site addresses
• Site system roles
• Software titles
• Software updates
• Status messages
• User device affinities

Scopes – Creating Custom Scopes

Scopes can contain many objects:
• Applications
• Packages
• Boot images
• Sites
• Custom Client Settings
• Distribution points and distribution point groups
• Software update groups
Create the scope in the scope node, then add it to objects.

Collections

Grouping of objects. Create for various reasons:
• Functional – servers and workstations
• Geographic – North America and Europe
• Security and business process – production and test
• Organizational alignment – HR, finance, sales, etc.
Users can be limited to certain collections through security/administrative users.

RBAC Scenarios – Cumulative Rights

Assignments:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection Y |
| User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y |

Result:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b | Collection Y |

RBAC Scenarios – Cumulative Rights (one object in two scopes)

Assignments:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a (Package 1) | Collection Y |
| User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope b (Package 1) | Collection Y |

Result:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Package 1 | Collection Y |

RBAC Scenarios – Cumulative Rights (one machine in two collections)

Assignments:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager - 1 (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Collection X (Machine 1) |
| User A | Appl. Deployment Manager - 2 (Create, Read, Modify Apps, Delete Apps) | Scope a, Scope b | Collection Y (Machine 1) |

Result:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager – 1, 2 (Create, Read, Modify Apps, Deploy Apps, Delete Apps) | Scope a, Scope b | Machine 1 |

RBAC Scenarios – Conflict Resolution

Assignments:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | SWD_Master Collection (Machine 1) |
| User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Patch_Master Collection (Machine 1, 2, 3) |

Result:

| Administrative User | Security Role | Security Scope | Collections |
|---|---|---|---|
| User A | Appl. Deployment Manager (Create, Read, Modify Apps, Deploy Apps) | Scope a, Scope b | Machine 1 |
| User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Machine 1 |
| User A | Software Update Manager (Create, Read, Modify Updates, Deploy Updates) | Scope a, Scope b | Machine 2, 3 |

Client Settings Object - CAS

Scenario: Primary site admin
• Full Admin, access to the primary site via "PRI Scope"
• No access to the CAS
Result: No ability to view Default Client Settings
Explanation: Unsecured object, owned by the CAS, hence Site "Read" rights are required
Solution:
• Custom role to allow Site "Read" rights
• Combine this role with "CAS Scope"

OSD Manager/Import Systems

Scenario: Machine import with restricted rights
• Requires access to the All Systems collection
Result:
• The default OSD Manager role is excessive
• Install Client/Block actions on servers
Workarounds:
• Unknown Computer Support
• Provide an out-of-console option for addition

Delete Unprovisioned Computers

Scenario: A task sequence error leads to an orphaned "Unknown" object existing in All Systems
Result: The machine cannot be PXE booted again as it is not Unknown anymore
Solution:
• Create a collection of unprovisioned computers
• Custom role to delete resources

Report Security

• Security rights are based on role assignment rights to the "Site" object
  • "Read"
• Security policies are set every 10 min on report folders in SSRS by the ...

RBA Viewer

• Requires the Configuration Manager console
• User has to be a Full Administrator, Read-only Analyst, or Security Administrator.
• User has to be assigned to the All security scope and All collections.
• To analyze report folder security, the user must have SQL access.
• To analyze report drill-through, the user must run this tool on the site with a reporting services point installed.

Lab

Configuring Security for Desktop Administrators Access

Lesson Review

What is RBA and what does it contain?
What is a Role?
What is a Scope?
What tool can you use to test and check the permissions you are granting to the users/groups?

Module Summary

In this lesson you learned about the following:
• Security in Layers
• Role-based administration
• Roles
• Scopes

For More Information

• How do I get the right permissions in Configuration Manager 2012? (Michael Griswold)
• Managing Unprovisioned Computers in System Center 2012 Configuration Manager (Inside OSD Blog)
• Custom Role Based Administration for Importing Computers (Inside OSD Blog)
• Implementing Packaging and Testing work flows in Configuration Manager 2012 using Role Based Access (MSIT)
• Configuration Manager 2012: Maximizing Security (Aaron Czechowski)
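The RBAC scenario tables in this module (cumulative rights and conflict resolution) all follow one rule: a user's rights on an object, when targeting a resource, are the union of the permissions of every role assignment whose paired security scope contains the object and whose paired collection contains the resource. The Python model below is an added example, not code from the Microsoft training deck or the product; the action names (Create, Read, Modify, Deploy, Delete), the object classes "Apps"/"Updates", the object "Update 1" and the scope and collection memberships are constructed to mirror the tables.

```python
# Added example (not from the Microsoft deck): a model of how Configuration
# Manager 2012 role-based administration combines rights. Effective rights on an
# object, for a given resource, are the union over every role assignment whose
# scope contains the object and whose collection contains the resource.
from typing import Dict, FrozenSet, List, Set, Tuple

# Role name -> set of (object class, action) it grants; constructed from the tables
_APPS = {("Apps", "Create"), ("Apps", "Read"), ("Apps", "Modify")}
_UPD = {("Updates", a) for a in ("Create", "Read", "Modify", "Deploy")}
ROLES: Dict[str, Set[Tuple[str, str]]] = {
    "Appl. Deployment Manager - 1": _APPS | {("Apps", "Deploy")},
    "Appl. Deployment Manager - 2": _APPS | {("Apps", "Delete")},
    "Appl. Deployment Manager": _APPS | {("Apps", "Deploy")},
    "Software Update Manager": _UPD,
}
OBJECTS = {"Package 1": "Apps", "Update 1": "Updates"}  # securable object -> class
SCOPES = {"Scope a": {"Package 1"}, "Scope b": {"Package 1", "Update 1"}}
COLLECTIONS = {  # collection -> resources (machines) it contains (constructed)
    "Collection Y": {"Machine 1"},
    "SWD_Master": {"Machine 1"},
    "Patch_Master": {"Machine 1", "Machine 2", "Machine 3"},
}
# One role assignment: (role, security scopes it is paired with, collection)
Assignment = Tuple[str, FrozenSet[str], str]

def effective_permissions(assignments: List[Assignment], obj: str, resource: str) -> FrozenSet[str]:
    """Actions the user may take on obj while targeting resource (union rule)."""
    cls = OBJECTS[obj]
    granted: Set[str] = set()
    for role, scopes, collection in assignments:
        if not any(obj in SCOPES.get(s, set()) for s in scopes):
            continue  # object lies outside every scope paired with this role
        if resource not in COLLECTIONS.get(collection, set()):
            continue  # resource lies outside the collection paired with this role
        granted |= {action for c, action in ROLES[role] if c == cls}
    return frozenset(granted)

# Cumulative rights: both roles paired with Scope a/b and Collection Y
CUMULATIVE: List[Assignment] = [
    ("Appl. Deployment Manager - 1", frozenset({"Scope a", "Scope b"}), "Collection Y"),
    ("Appl. Deployment Manager - 2", frozenset({"Scope a", "Scope b"}), "Collection Y"),
]
# Conflict resolution: app rights only via SWD_Master, update rights via Patch_Master
CONFLICT: List[Assignment] = [
    ("Appl. Deployment Manager", frozenset({"Scope a", "Scope b"}), "SWD_Master"),
    ("Software Update Manager", frozenset({"Scope a", "Scope b"}), "Patch_Master"),
]

if __name__ == "__main__":
    for obj, machine in (("Package 1", "Machine 1"), ("Package 1", "Machine 2"), ("Update 1", "Machine 2")):
        print(obj, machine, sorted(effective_permissions(CONFLICT, obj, machine)))
```

Machine 1 ends up with both application and update rights, while Machines 2 and 3 get update rights only, which is exactly the split the conflict-resolution table shows.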