SCCM 2007 has two security modes. SCCM 2007 Native Mode is for organizations that need the highest level of SCCM 2007 security. Native Mode requires an existing PKI (public-key infrastructure) and site server signing certificate. Internet-based clients can be managed only in SCCM 2007 Native Mode.

We used the other, less-stringent security mode, SCCM 2007 Mixed Mode, to support SMS 2003 sites in our test hierarchy. Mixed Mode security does not require a PKI, but don't think you can get away from PKI that easily: Microsoft's NAP (Network Access Protection) scheme, for which SCCM 2007 includes an agent, requires PKI. Indeed, it seems as though PKI is going to be a prerequisite for a secure Windows environment moving forward.

Agents of Change

SCCM 2007 agents are enabled after the initial SCCM 2007 setup process. At installation of SCCM 2007, default settings for client agents are selected. Agents can currently perform eight functions, including software and hardware inventory, advertisement of programs, network access control (via NAP), software updates, software metering, desired configuration management and remote management.

NAP is currently deselected by default because the functionality requires components that won't be available until the next version of Windows Server, code-named Longhorn, is released. However, the presence of the NAP agent ties directly to the new Desired Configuration Management capability in SCCM 2007.

Desired Configuration Management enables IT managers to check the compliance of computers against a baseline. During tests, we configured the Desired Configuration Management agent to check for the operating system version, as well as the presence of applications such as Word and various software updates.

For IT managers in the midst of NAC (network access control) projects, these checks will sound quite familiar. The main difference between Desired Configuration State and NAC applications on the market is that Desired Configuration State doesn't check for the presence of malware. However, we would be surprised if the agent, especially after Longhorn is released and NAP becomes more widespread, starts to take on these tasks, too.