
Here in Part V we’ll be performing more configuration of our SCCM 2012 environment. We’ll pick back up where we left off in Part IV, on the Administration tab of the SCCM console.

Before we continue with the configuration of the site and adding new roles, we need to configure the Security section. By default, just like with System Center Virtual Machine Manager, only the user who ran the installation can log in to the console and has permissions, so we need to change this. Navigate to Security, right-click on Administrative Users and select Add User or Group. You will be prompted with the wizard. Click Browse…; I am going to select the Domain Admins group and click OK. Then click Add…, select Full Administrator and click OK. Then select All instances of the objects that are related to the assigned security roles and click OK.

The wizard will close and you will see the group added to the list. This will ensure that all Domain Administrators will have full access to your SCCM environment now. Add any other users/groups with permissions as may be necessary to your environment and then proceed.

Next, click on Security Roles. Here you will see all 14 of the built-in roles available in SCCM. Next, click on Security Scopes. There are two scopes defined by default, the All and Default scopes. You can also create custom security scopes. By default, Full Administrators are in the All scope, which means they have the permissions of their role for every object in the Configuration Manager environment. Custom scopes are another way of assigning granular permissions if you would like to protect specific applications and packages. At this point in the installation, and in most cases, leaving the default is OK here.
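As an added example (not part of the original post), here is the same Security configuration done with the Configuration Manager PowerShell module that ships with the console. The site code PS1 and the group name are placeholders, and the property names used come from the SMS_Admin, SMS_Role and SMS_SecuredCategory provider classes that the cmdlets return.

```powershell
# Added example, not from the original post: grant a domain group the Full Administrator
# role in the "All" scope, then list the built-in roles and default scopes the post describes.

$SiteCode   = 'PS1'                    # placeholder: your primary site code
$AdminGroup = 'CONTOSO\Domain Admins'  # placeholder: the group being granted access

# The module ships with the console; SMS_ADMIN_UI_PATH is set when the console is installed
# and points at ...\AdminConsole\bin\i386, the module lives one directory up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Equivalent of Administrative Users > Add User or Group > Full Administrator > "All instances"
if (-not (Get-CMAdministrativeUser -Name $AdminGroup)) {
    New-CMAdministrativeUser -Name $AdminGroup -RoleName 'Full Administrator' -SecurityScopeName 'All' | Out-Null
    Write-Host "Granted Full Administrator (scope All) to $AdminGroup"
}

# Security Roles: the 14 built-in roles (IsBuiltIn = True) plus any custom ones
Get-CMSecurityRole | Sort-Object IsBuiltIn, RoleName | Select-Object RoleName, IsBuiltIn

# Security Scopes: "All" and "Default" exist out of the box
Get-CMSecurityScope | Select-Object CategoryName, CategoryDescription

# Audit: who currently holds Full Administrator? Worth re-running after every change.
Get-CMAdministrativeUser |
    Where-Object { $_.RoleNames -contains 'Full Administrator' } |
    Select-Object LogonName, IsGroup
```

The final query is the one to keep around: the set of Full Administrators is the set of people who can deploy software to every machine the site manages, so it belongs in the same periodic review as Domain Admins membership.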

The Accounts and Certificates sections we will not be addressing at this point. We’ll be moving on to the Site Configuration, where the first thing we will do is configure a security related item, the SCCM Agent account.

Navigate to Site Configuration > Sites. Right-click on the name of your site and select Client Installation Settings > Client Push Installation. On the General tab leave the defaults.

I highly recommend that you do not enable the “Enable automatic site-wide client push installation” checkbox.

The reason for this is that if you set certain properties on your Client Settings section, covered later in this guide, you could cause reboots of all of your production servers once the agent is pushed (or pulled via Group Policy, depending on your configuration). In almost every case, you will be integrating SCCM into your existing production environment, not vice-versa. Therefore we want to avoid any unintended consequences of this option. We System Administrators like our jobs and want to keep them, right?

Click on the Accounts tab. Click the starburst and select New user account. Here you will enter the AD user account domain\sccm.agent that we created in Part I. It should be a Domain Admin or a user account with local admin permissions on all servers where the SCCM agent will be installed. It is a good idea to use the Verify test option to confirm your UN/PW combination and permissions. Click Apply and close the Client Push Installation Properties.
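As an added example (not part of the original post), the two checks behind the Accounts tab's Verify button can be scripted so you can run them against a list of servers before the push. The account name, domain DNS name and server list are placeholders; the LDAP bind and the WinNT provider are standard .NET/ADSI calls and not Configuration Manager APIs.

```powershell
# Added example, not from the original post: (1) confirm the client push account's password
# is valid in AD, and (2) confirm the account is in local Administrators on each target server.

$PushAccount = 'CONTOSO\sccm.agent'          # placeholder: the account from Part I
$DomainDns   = 'contoso.com'                 # placeholder: DNS name of the domain
$Servers     = @('APP01', 'APP02')           # placeholder: servers that will receive the agent
$AdminGroup  = 'CONTOSO\Domain Admins'       # placeholder: group that grants admin indirectly
$Cred        = Get-Credential $PushAccount   # prompts for the password only

# (1) Credential check: an LDAP bind with a bad password throws on first property access.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DomainDns", $PushAccount, $Cred.GetNetworkCredential().Password)
try {
    $null = $entry.NativeObject
    Write-Host "Credential OK for $PushAccount"
} catch {
    throw "Credential check failed for ${PushAccount}: $($_.Exception.Message)"
}

# (2) Local Administrators membership via the WinNT provider (works against 2008 R2 hosts,
#     no PowerShell remoting required). Only direct members are returned; membership that
#     arrives through a nested group (for example Domain Admins) shows up as the group name,
#     so both the account and the group are checked.
foreach ($server in $Servers) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/sccm.agent; normalise to DOMAIN\name
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
    $direct = $members -contains $PushAccount   # -contains is case-insensitive
    $nested = $members -contains $AdminGroup
    '{0,-10} direct member: {1,-5} via {2}: {3}' -f $server, $direct, $AdminGroup, $nested
}
```

A server that reports False for both columns is one where the push will fail with an access denied error, which is cheaper to find here than in ccm.log after the fact.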

As a reminder, I highly recommend you have this password documented in a secure place. For enterprise secret management, I use Secret Server by Thycotic. It is a great product worth checking out, and they’ll enjoy some free product placement from me I suppose!

For personal or small business use, you cannot go wrong with KeePass password management. I use this every day:

Next, right-click on your site again and click Properties.

We will not be changing anything here, but here is a breakdown of the options, as you may or may not need to make some updates here depending on your configuration:

– General tab – Most of the important information about your Site. It includes the Type (Primary), the Parent site (if you are running a multi-site configuration), Version of SCCM, Build number, the Site Server name, the Installation directory for SCCM, the SQL Server Computer and the SMS Provider location.

– Wake On LAN tab – Here is where you can enable the WoL feature for your site.

– Ports tab – Here is where you can set custom ports for your HTTP, HTTPS, and WoL services. By default, 80, 443, and 9 are defined respectively.

– Sender tab – This is a feature of multiple sites.

– Publishing tab – Here is where, if you have multiple domains in your forest, you can choose which domains you will and will not Publish to.

– Client Computer Configuration tab – On this page you configure how the site’s IIS-based site systems communicate with clients: HTTPS only, or HTTPS or HTTP. Further, you can change the Trusted Root Certification Authority (or add another root CA), set advanced options for SCCM client certificates, and toggle CRL checking on and off.

– Alerts tab – You can generate an alert when free disk space on the DB server is low. I have monitoring outside of SCCM that is already doing this. You may want to enable this if you do not have a similar service in place.

– Security tab – This is where we can see a list of Administrative users. By default, the only user added to SCCM is the user who installed the site server and is the only user who can login. You’ll also see the Domain Admin account we added earlier if you are following along.

– Signing and Encryption tab – Here you configure signing and encryption requirements for clients. You can require signing, Require SHA-256, and Use encryption (3DES to encrypt inventory information sent to SCCM server). By default, none of these are checked and I will not be enabling these options. Depending on your environment, you may need to enable one or more of these options. Consult your IT Security Department if this is outside of your scope.

Before we configure the roles, there is one other item we need to address. Navigate to the Distribution Points object. Right-click on your SCCM server in the list and click Properties. You will need to select the Import certificate radio button. We exported this certificate in Part II. Browse to the cert and select it and enter the password and click Apply. Now our Distribution Point has the proper certificate associated within SCCM.

Next we’ll move on to Servers and Site System Roles. Here you will see both your SCCM and SQL servers. Before we begin this section, I’d like to reference the TechNet documentation on SCCM 2012 Roles. You can find what roles are allowed in any scenario:

At this point, by default, your SCCM Primary Standalone configured server will have the following roles:

– Component Server
– Distribution Point
– Management Point
– Site Server
– Site System

Your SQL server will have the following roles:

– Component Server
– Site Database Server
– Site System

We will be adding more roles to each of these servers.

To the SCCM server we will be adding the following roles, for a total of 11 roles:

– Application Catalog Web Service Point
– Application Catalog Website Point
– Asset Intelligence Synchronization Point
– Endpoint Protection Point
– Fallback Status Point
– Software Update Point

To the SQL server we will be adding just the Reporting Services Point, for a total of 4 roles.

Let’s start with adding the roles to the SCCM server. First we will need to remove Configuration Manager from the Antimalware Policy Sources (otherwise this will be flagged during the Endpoint Protection Role installation). Navigate to the Assets and Compliance tab, then navigate to Endpoint Protection > Antimalware Policies. Right-click on the Default Client Antimalware Policy, and click Properties. Select Definition Updates section and then click the Set Source button, and then uncheck the Updates distributed from Configuration Manager option. We will change this later, but for now we only want to pull Endpoint Protection Updates from WSUS, MS Update, and MS MPC.

Head back over to Administration > Site Configuration > Servers and Site System Roles. Right-click on the SCCM server under the Servers and Site System Roles section and click Add Site System Roles. You’ll be prompted with the Add roles wizard:

Select the roles we discussed above for installation.

Leave default here.

Click the checkbox here, as this will be the active software update point. Also select the second radio button, as WSUS is running on a custom website.

Synchronize from Microsoft, default.

Enable synchronization, every day.

Immediately expire superseded updates, default.

Make sure to select Definition Updates, if you are installing Endpoint Protection Manager.

Select the Products you need here.

Choose languages.

Leave default for FSP settings.

Leave defaults for Asset Intelligence.

Enter Proxy, if applicable.

Specify how often Asset Intelligence synchronization occurs.

Select HTTPS radio button, and leave other defaults as Application Catalog website will run under the default site.

Leave the defaults here; ensure your site server is selected, the NetBIOS name is the hostname of your SCCM server, and that HTTPS is selected.

Name your catalog and select a color.

Endpoint Protection, Accept the license agreement.

Choose your Microsoft Active Protection Service Membership.

Review the Summary and click Next for the installation of the roles to begin.

It should complete successfully.

Now if you right-click on the SCCM server and click Refresh, you will see all 11 roles installed. Next we will move on to installing the Reporting Services Point role on the SQL server.

Before we add the Reporting Services Point to our SQL server, we’ll need to configure Reporting Services on the SQL server itself. RDP to the SQL Server, and click Start > Microsoft SQL Server 2008 R2 > Configuration Tools > Reporting Services Configuration Manager. At the Reporting Services Configuration Connection page click Connect.

Select the Service Account tab and enter the domain\sccm.service user account we created in Part I. Click Apply.

Then click the Web Service URL option, and set it like this:

Click the Database tab, and Change Database:

I changed the Report Server, but the default is fine.

Make sure to use the sccm.service account here.

Confirm all settings and finish out the wizard.

Now you’ll be back at the Database tab with your Report Database configured.

Confirm settings for Report Manager URL.

Set the SMTP settings.

Set the account settings as the sccm.service in the Execution Account tab. Apply the changes, go up to the top tab and STOP and then START the Report server. Then close Reporting Services Configuration Manager.

Now head back over to your SCCM server and we can install the Reporting Services Point for our SQL server. Go to the Administration tab, then navigate to Site Configuration > Servers and Site System Roles and then right-click the SQL Server and select Add Roles.

On the Add Site System Roles Wizard, select Reporting Services Point; it should auto-fill everything you need. Click Verify, and once that completes, click the Set… button to set the user that connects to the Report Server. Use the domain\sccm.service account for this connection.

Once that is complete, navigate to the Monitoring tab. Then navigate to Overview > Reporting > Reports. After you click Reports wait for a bit as all the report templates are populated in the console:
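As an added example (not part of the original post), the role layout this part ends with, 11 roles on the site server and 4 on the SQL server, can be confirmed by querying the SMS Provider instead of refreshing the console. The site code, provider host and the expected counts per server are placeholders for this guide's two-server layout; SMS_SystemResourceList is the provider class that lists site system roles.

```powershell
# Added example, not from the original post: list the site system roles per server from the
# SMS Provider and compare the totals with what this part of the guide expects.

$SiteCode     = 'PS1'       # placeholder: your primary site code
$ProviderHost = 'SCCM01'    # placeholder: server hosting the SMS Provider (the site server here)
$Expected     = @{          # placeholder: FQDNs as they appear in ServerName, with expected counts
    'SCCM01.contoso.com' = 11
    'SQL01.contoso.com'  = 4
}

# Each row is one (server, role) pair; RoleName values carry an "SMS " prefix,
# e.g. "SMS Management Point", "SMS Software Update Point", "SMS SQL Server".
$roles = Get-WmiObject -ComputerName $ProviderHost -Namespace "root\SMS\site_$SiteCode" `
             -Class SMS_SystemResourceList | Select-Object ServerName, RoleName

$failures = 0
$roles | Group-Object ServerName | ForEach-Object {
    $server = $_.Name
    $want   = $Expected[$server]
    if ($null -eq $want)          { $status = 'UNEXPECTED SERVER'; $failures++ }
    elseif ($_.Count -eq $want)   { $status = 'OK' }
    else                          { $status = "MISMATCH (expected $want)"; $failures++ }

    '{0,-22} {1,2} roles  {2}' -f $server, $_.Count, $status
    $_.Group | Sort-Object RoleName | ForEach-Object { '    ' + $_.RoleName }
}

# Servers that should have roles but returned none at all
$Expected.Keys | Where-Object { $_ -notin ($roles.ServerName | Select-Object -Unique) } |
    ForEach-Object { "{0,-22}  0 roles  MISSING (expected {1})" -f $_, $Expected[$_]; $failures++ }

if ($failures) { Write-Warning "$failures server(s) differ from the expected role layout" }
```

A server showing up in the output that is not in the expected table is worth a look: an extra distribution point or management point that nobody remembers adding is exactly the kind of drift this check is meant to surface.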

At this point we have all of the roles that we need for our Configuration Manager environment installed. In the next part we will configure a few remaining pieces of the site, the SC Endpoint Protection Policy, and the SC Agent Policy.

Thanks for reading, hopefully you find this information helpful as you deploy your Configuration Manager environment.
