Improved security

By Cameron Sturdevant  |  Posted 2007-04-25 Print this article Print

SCCM 2007 has two security modes.

SCCM 2007 Native Moode is for organizations that need the highest level of SCCM 2007 security. Native Mode requires an existing PKI (public-key infrastructure) and site server signing certificate. Internet-based clients can be managed only in SCCM 2007 Native Mode.

We used the other, less-stringent security mode, SCCM 2007 Mixed Mode, to support SMS 2003 sites in our test hierarchy. Mixed Mode security does not require a PKI, but dont think you can get away from PKI that easily: Microsofts NAP (Network Access Pro-tection) scheme, for which SCCM 2007 includes an agent, requires PKI. Indeed, it seems as though PKI is going to be a prerequisite for a secure Windows environment moving forward.

Agents of Change SCCM 2007 agents are enabled after the initial SCCM 2007 setup process. At installation of SCCM 2007, default settings for client agents are selected. Agents can currently perform eight functions, including software and hardware inventory, advertisement of programs, network access control (via NAP), software updates, software metering, desired configuration management and remote management.

NAP is currently deselected by default because the functionality requires components that wont be available until the next version of Windows server, code-named Longhorn, is released.

However, the presence of the NAP agent ties directly to the new Desired Configuration Management capability in SCCM 2007. Desired Configuration Management enables IT managers to check the compliance of computers against a baseline. During tests, we configured the Desired Configuration Management agent to check for the operating system version, as well as the presence of applications such as Word and various software updates.

For IT managers in the midst of NAC (network access control) projects, these checks will sound quite familiar. The main difference between Desired Configuration State and NAC applications on the market is that Desired Configuration State doesnt check for the presence of malware. However, we would be surprised if the agent, especially after Longhorn is released and NAP becomes more widespread, starts to take on these tasks, too.

Next Page: Evaluation Shortlist.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel