Huntland Services Ltd

Tel: +44 (0)1392-490518
Fax: +44 (0)1392-428003
Enquiries@huntland.co.uk

Digest of Advanced Security Features in SMS Topaz

Based on Microsoft Support WebCast 05-02-02


Topaz provides two security models for site systems: Standard Security and Advanced Security.

The Topaz Standard Security model is the same as in SMS 2.0, with minor UI changes, some new security settings and bug fixes.

Topaz Advanced Security Model

  • Requires Active Directory (machine$ accounts are full security principals in AD and can be granted group membership and Access Control Entries)
  • Can be implemented during or after install
  • Administrator has control of all accounts
  • SMS services run under the Local System account and use machine$ accounts for over-the-wire connections.
  • Only affects server site systems.  The client models (standard and mobile) remain unchanged.

Accounts/Groups created

  • The Site Server Access Group - (SMS_SiteSystemToSiteServerConnection_S00)
  • The Site Address Access Group - (SMS_SiteToSiteConnection_S00)
  • The Database Access Group - (not decided yet)
  • The SMS Provider Group - SMS Admins (as per SMS 2.0 for controlling Admin Console access to WMI)
  • These groups are created regardless of the security model so that mixed security model sites can exist in the same hierarchy.
  • Currently (pre-release) an SMS_SQL_RX_S00 account is created on the SQL Server machine hosting the site database.  This allows Management Points, Server Locator Points and Reporting Points to connect to the database.  This should be eliminated by RTM, as access will be granted through membership of the Database Access Group.

Manually created optional Accounts

  • Standard Client - remote installation account.  SMSAdmin is no longer created so an alternative must be provided.
  • Standard Client - client connection account for communicating with CAP servers.  SMSClient_S00 is no longer created so an alternative must be provided.
  • Standard Client - Software installation account as per SMS 2.0 if required.
  • Mobile Clients - Mobile Client Network Access account, used when mobile clients roam and need access for Software Distribution to read advertisements and download from Distribution Points, where the servers are not in an Active Directory domain and so cannot authenticate the machine$ account.
  • Network Discovery - used to query the O/S of a remote system that is not part of an Active Directory domain, where the machine$ account used by NetDisc cannot be authenticated.  This may be solved in RTM by using the Mobile Client Network Access account.

Accounts no longer required

  • The SMS Service account - (smsAdmin)
  • The SMS Site System Connection Account - (SMSServer_S00)
  • The SMS Server Connection Account - (administrator created)
  • The SMS Sender Address Account - (domain\remotesite)
  • The SMS Client Connection Account - (SMSClient_S00) only if using the mobile client
  • The Client Service Account - (SMSCliSvcAcct&) only if using the mobile client
  • The Client Token Account - (SMSCliToknAcct&) only if using the mobile client

Horizontal Site Communication

  • The Site Server machine account must be made a member of the local Administrators group on any potential remote site system.  This account is used to connect to the remote system, install the folders and components, and configure services to run under the Local System account.  The remote system's machine account is automatically granted the correct authority and privileges to connect back to the Site Server by being made a member of SMS_SiteSystemToSiteServerConnection_S00.  Administrators may elect to use a different group if required.

Vertical Communications

  • The Child Site Server machine account is made a member of the Parent's SMS_SiteToSiteConnection_S00 group, which automatically grants the correct authority and privileges to the despoolr\receive location on the Parent.  The converse is configured for Parent to Child communication.
  • This is implemented automatically from Primary to Secondary but must be configured manually from Secondary back to Primary.
  • Windows 2000 cross-forest authentication requires LAN Manager-type trusts, which do not support machine$ account security principals.  Intersite communication will not work across Windows 2000 forest boundaries unless the Standard Security model or .NET servers are used.
  • Topaz site hierarchies can support sites using different security models, but all sites must be in Active Directory domains so that machine$ accounts can be used.  If the child site uses the Advanced Security model it can still have its machine$ account in the Parent's SMS_SiteToSiteConnection_S00 group, because these groups are now created in all types of site.

Conversion

  • Use the Admin Console, Site Reset, or configure it at installation time.
  • All services are de-installed and reinstalled to start up under the Local System account.
  • All previous (Standard Security) accounts are left behind and must be cleaned up manually by the administrator after checking that they are no longer in use.
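An added audit script for the two points above that depend on the administrator: checking which accounts actually hold the site-connection rights described under Horizontal and Vertical Communications, and checking whether the Standard Security accounts left behind by conversion are still present or in use. It is not part of the Huntland digest or of SMS; it assumes the ActiveDirectory PowerShell module, site code S00 as used in the digest, and the digest's group names with the spelling normalised to "SiteServer".

```powershell
# Added audit script; not part of the Huntland digest or of SMS itself.
# Assumes the ActiveDirectory module (RSAT) and site code S00 as used in the digest.
Import-Module ActiveDirectory

$SiteCode = 'S00'
$ConnectionGroups = @(
    "SMS_SiteSystemToSiteServerConnection_$SiteCode",   # site systems -> site server
    "SMS_SiteToSiteConnection_$SiteCode"                # child/parent site servers
)

# 1. List who holds the connection rights. Under Advanced Security every member
#    should be the machine$ (computer) account of a known site system; any user
#    account or unknown computer here is a candidate for removal.
foreach ($groupName in $ConnectionGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { Write-Warning "Group $groupName not found"; continue }
    Get-ADGroupMember -Identity $group | ForEach-Object {
        [pscustomobject]@{
            Group       = $groupName
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass      # expect 'computer'
        }
    }
}

# 2. Standard Security accounts the digest says are left behind after conversion.
#    Report whether each still exists, is enabled, and when it last logged on, so
#    it is disabled or deleted only once confirmed unused.
$LegacyAccounts = @('smsAdmin', "SMSServer_$SiteCode", "SMSClient_$SiteCode",
                    'SMSCliSvcAcct&', 'SMSCliToknAcct&')
foreach ($name in $LegacyAccounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties LastLogonDate, Enabled
    [pscustomobject]@{
        Account   = $name
        Present   = [bool]$user
        Enabled   = $(if ($user) { $user.Enabled })
        LastLogon = $(if ($user) { $user.LastLogonDate })
    }
}
```

LastLogonDate is replicated only approximately between domain controllers, so a recent logon reported on one DC may be missing on another; query against each DC before treating an account as unused.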