SCCM I AM


Sunday, January 18, 2015

Understanding Security Modes in SMS 2003 and SCCM 2007

When planning to implement SMS 2003 or SCCM 2007 in an organization, the biggest question that comes to mind is "What security mode should I select to suit my organization's environment?" There are two security modes in SMS 2003: Standard Security mode and Advanced Security mode. But what is the difference between these two security modes? Let's go through it.


Standard security uses user accounts to run services, configure computers, and connect between computers. Advanced security makes use of Active Directory. It uses the Local System account (which is the computer account) to run services, configure computers, and connect between computers. It is more secure, but it requires Active Directory; it does not require the schema to be extended.

You can switch from standard security mode to advanced security mode, but you cannot change back to standard security mode once the site has been switched over to advanced security mode.

Now let's look at SCCM 2007. What is the difference between SCCM 2007 and SMS 2003 in terms of security modes? SCCM 2007 also provides two security modes: SMS 2003 compatibility security mode (Mixed Mode) and SCCM 2007 security mode (Native Mode).

Native mode provides a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. With this security mode enabled, you are able to manage Internet-based clients, which are client computers that connect to your site server through a public WAN connection. Extra security is therefore needed to implement this, and you need to get a valid certificate from a certificate authority in order to accomplish this task.

Mixed mode provides backwards compatibility for hierarchies that have both SMS 2003 sites and Configuration Manager 2007 sites. With this security mode, you are unable to manage Internet-based clients. You are allowed to switch from Mixed mode to Native mode once all your site servers are migrated to SCCM 2007, and it is also possible to revert to Mixed mode from Native mode. This is a really good fallback feature if you would like to perform a migration from SMS 2003 to SCCM 2007.

SCCM introduced the native security model. It applies to client-server communications and provides a higher level of security through public key infrastructure (PKI) and Secure Sockets Layer (SSL) encryption for nearly all communications (except for certain distribution-point and fallback-status-point communications). Policies and other sensitive communications are signed using a PKI certificate. Microsoft Systems Management Server (SMS) 2003 mixed security mode uses a self-signed certificate.

It’s important to note that native mode affects only client-to-server communications and not server-to-server communications. To protect server-to-server communications, use IPsec. Also, a native-mode site can’t be a mixed-mode child site.


There are four native-mode requirements:

• You must have a deployed PKI in the organization.
• DNS must be available and configured for clients to locate management points.
• All clients must run the SCCM 2007 client. Native-mode sites don’t support SMS 2003 clients.
• Native-mode sites also don’t support Windows-2000-based clients.

There are no SCCM 2007 native-mode Active Directory (AD) domain- or forest-mode requirements.
