Your choice depends largely on how you've implemented the Windows servers on your network. If your network still includes some Windows NT 4.0 servers or hasn't been upgraded to Active Directory directory service native mode, or if you're upgrading an existing SMS 2.0 site, your choice will be standard security, and installing SMS will effectively result in a site that functions not much differently from the way SMS 2.0 sites did. In short, it will create many user accounts that it uses to carry out various SMS-related tasks on SMS servers and SMS clients.
If your network is a fully implemented native mode Active Directory network, or if all your SMS component servers are running Windows 2000 or later and are registered in Active Directory (a requirement for advanced security), you can choose advanced security.
To be more specific, advanced security requires that the SMS site server and all SMS site systems are running Windows 2000 Service Pack 4 (SP4) or later (or have Windows Quick Fix Engineering (QFE) update 325804 applied), or an operating system in the Windows Server 2003 family, in an Active Directory domain. The SMS site database servers must be running SQL Server 2000 SP3 or later, and they must run in Windows authentication–only mode.
The main advantage of advanced security mode is that it's certainly the more secure of the two security modes. As we've said, advanced security doesn't require or rely on the great number of user accounts that standard security needs to carry out SMS-related tasks. Instead, advanced security uses two security accounts: the local system account and the computer account. Advanced security uses the local system account on SMS servers to run SMS services and make changes on the server, and it uses computer accounts (rather than user accounts) to connect to other computers and make changes on them. Because only services running in the local system account context can use computer accounts, and only administrators can configure services, advanced security is a highly secure mode and therefore the preferred and recommended security mode.
Note: A central site can't run standard security if any other site in that hierarchy is running advanced security.
You can choose advanced security mode during SMS setup, or you can install your SMS site server in standard mode and then upgrade to advanced security later. To upgrade your site to advanced security, complete the following steps:

1. Navigate to the site entry under the Site Hierarchy node in the SMS Administrator Console.
2. Right-click the site entry and select Properties from the context menu.
3. Click Set Security in the General tab shown in Figure 1.
4. Click Yes when prompted to turn on advanced security mode as shown in Figure 2.
I make it a practice to always read the prompts that SMS shows me, and I highly recommend it to you as well. For example, in the prompt shown in Figure 17-2, SMS is clearly stating several things that you must be aware of:

- Once you make this change, you can't go back.
- There are several server requirements that must be confirmed to support advanced security.
- A service (Windows Management Instrumentation) is stopped and restarted.
- You might have a problem with the SMS Administrator Console that requires you to restart it.
The first point is obvious, although, technically, you could revert your site to standard security if you had backed up your site server and its registry and could restore the system state to its previous settings. However, let's just stick with standard procedures and say this: don't upgrade to advanced security unless you're sure you want to do it and you're ready to do it. It's hard to go back.
The second point is perhaps not as obvious, so let's take some time to discuss it. Let's begin with the fact that in advanced security mode, SMS 2003 relies on the local system account mainly to run service-related tasks and on computer accounts mainly to maintain communications. This oversimplifies the case somewhat, but it's still a good rule of thumb to keep in mind.
So with this rule of thumb in mind, note well what the Set Security Mode prompt is telling you to do. The site server requires Administrator access on its site systems, and it requires permissions on any parent or child sites that it must communicate with in an SMS hierarchy. You can accomplish the former by adding the SMS site server computer account to the Administrators group on each site system in the site. Computer accounts are created as hidden accounts, so you can't add the account the way you'd ordinarily add a user; you need to add it from a command line. You can add the site server's computer account to the site system's local Administrators group by running the following command at a command prompt on the site system (the trailing $ is part of the computer account name):

    net localgroup Administrators domain\siteservercomputername$ /ADD
Similarly, you'll need to add the computer account of each site system to the site server's Site_System_to_Site_Server_Connection group. SMS does this automatically for the client access point (CAP) and management point site systems, and it will do the same for any new site system you add. When you upgrade to advanced security mode, the site server's computer account is automatically added to the Site_to_Site_Connection group on the parent and child sites, allowing communications and the appropriate level of access between sites in the hierarchy. Although this all happens automatically, as a point of troubleshooting you should, of course, verify that the computer accounts have been given the level of access they require.
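The two membership checks described above (the site server's computer account in each site system's local Administrators group, and each site system's computer account in the site server's connection group) are exactly the kind of thing worth scripting rather than eyeballing, because hidden computer accounts don't show up in the usual user-management dialogs. The following PowerShell script is an added example, not code from the book or from the SMS product; it enumerates local group members through the ADSI WinNT provider, which lists computer accounts (the names ending in $) alongside user accounts. The domain name CONTOSO, the server names, and the exact local group name assigned to $ConnGroup are assumptions: confirm the real connection-group name against the site server's local groups before trusting the second check.

```powershell
# Added verification example; not part of the original text or of SMS itself.
# Assumed environment: domain CONTOSO, site server SITESERVER, three site systems.
$Domain      = 'CONTOSO'                              # assumed domain NetBIOS name
$SiteServer  = 'SITESERVER'                           # assumed site server name
$SiteSystems = 'CAP01', 'MP01', 'DP01'                # assumed site system names
# Group name taken from the text; verify against the site server's actual local groups.
$ConnGroup   = 'Site_System_to_Site_Server_Connection'

function Get-LocalGroupMemberNames {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider enumerates every member of a local group,
    # including hidden computer accounts, which the GUI does not display.
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $grp.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/SITESERVER$ ; normalise to DOMAIN\NAME
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalGroupMember {
    param([string]$Computer, [string]$Group, [string]$Account)
    $members = @(Get-LocalGroupMemberNames -Computer $Computer -Group $Group)
    # -contains on strings is case-insensitive in PowerShell, matching Windows account names.
    return ($members -contains $Account)
}

$siteServerAccount = "$Domain\$SiteServer`$"

# Check 1: the site server's computer account must be a local Administrator on every site system.
foreach ($sys in $SiteSystems) {
    $ok = Test-LocalGroupMember -Computer $sys -Group 'Administrators' -Account $siteServerAccount
    '{0,-10} Administrators contains {1,-22}: {2}' -f $sys, $siteServerAccount, $ok
}

# Check 2: every site system's computer account must be in the site server's connection group.
foreach ($sys in $SiteSystems) {
    $acct = "$Domain\$sys`$"
    $ok = Test-LocalGroupMember -Computer $SiteServer -Group $ConnGroup -Account $acct
    '{0,-10} {1} contains {2,-18}: {3}' -f $SiteServer, $ConnGroup, $acct, $ok
}
```

Run it from an account that is an administrator on the site server and the site systems; any line that reports False is a membership that the automatic processing did not complete and that you would then add with the net localgroup command shown earlier, using the appropriate group name on the appropriate computer.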