Thursday, December 15, 2011

Handle your SCCM more securely!



Have you ever deployed applications, or even operating systems, to the wrong machines, or to servers for that matter? And then, with all the power in the world, you could not make it right again? If so, you probably wish you had taken some of the steps below.

Even if you haven't, it's time to make some adjustments just in case.

SCCM is a powerful tool, and quite comprehensive in its way of working.
But it mostly works the way it does for a reason, and usually a good one when you think about it.

All right, let's get crackin'!

  • Who has full admin rights to your SCCM site?
  • Do they need them?
  • And have they been given proper training?

Avoid changing a hot Collection query!
Meaning: don't change the query of a collection that has advertisements deployed to it unless you are 120% sure that the new query has been tested and works.

Never use Always rerun on an OS Deployment Task Sequence!
It will run the Task Sequence over and over again in an endless loop.

Protecting the Servers

Set Maintenance Windows on the Server Collection to guard against OSD.
This will prevent servers from accidentally getting, for example, Windows 7 deployed to them. Nice to have.
But remember not to checkmark "ignore maintenance windows" on the Advertisements :)

Right Click the All Windows Server Systems Collection
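The two advertisement settings warned about above (Always rerun, and ignoring maintenance windows) can also be audited from PowerShell. This is an added example, not part of the original post: it tests the AdvertFlags and RemoteClientFlags bit fields of the SMS_Advertisement WMI class and checks every advertisement, not only Task Sequences. The function name, the site code XXX and the collection IDs are hypothetical, and the sample data is constructed.

```powershell
# Added example, not from the original post.
# Bit values as documented for the SMS_Advertisement WMI class (ConfigMgr 2007).
$OVERRIDE_SERVICE_WINDOWS = 0x00100000  # AdvertFlags: ignore maintenance windows
$RERUN_ALWAYS             = 0x00000800  # RemoteClientFlags: Always rerun

function Find-RiskyAdvertisement {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Advertisement,
        [string[]] $ServerCollectionId = @()   # collections known to hold servers
    )
    foreach ($adv in $Advertisement) {
        $reasons = @()
        if ($adv.AdvertFlags -band $OVERRIDE_SERVICE_WINDOWS) {
            $reasons += 'ignores maintenance windows'
        }
        if ($adv.RemoteClientFlags -band $RERUN_ALWAYS) {
            $reasons += 'always rerun'
        }
        if ($reasons.Count -eq 0) { continue }   # nothing to report
        New-Object PSObject -Property @{
            Advertisement  = $adv.AdvertisementName
            CollectionID   = $adv.CollectionID
            TargetsServers = ($ServerCollectionId -contains $adv.CollectionID)
            Reasons        = ($reasons -join ', ')
        }
    }
}

# Constructed sample objects shaped like SMS_Advertisement instances,
# so the check can be tried without a site server.
$sample = @(
    New-Object PSObject -Property @{ AdvertisementName = 'Win7 OSD'
        CollectionID = 'XXX00010'; AdvertFlags = 0x00100000; RemoteClientFlags = 0x0800 }
    New-Object PSObject -Property @{ AdvertisementName = 'Office install'
        CollectionID = 'XXX00020'; AdvertFlags = 0x00000020; RemoteClientFlags = 0x2000 }
    New-Object PSObject -Property @{ AdvertisementName = 'Inventory script'
        CollectionID = 'XXX00020'; AdvertFlags = 0; RemoteClientFlags = 0x0800 }
)
Find-RiskyAdvertisement -Advertisement $sample -ServerCollectionId 'XXX00010'

# Against a live site (XXX = your site code), on the site server:
# $live = Get-WmiObject -Namespace 'root\sms\site_XXX' -Class SMS_Advertisement
# Find-RiskyAdvertisement -Advertisement $live -ServerCollectionId 'XXX00010'
```

Rows with TargetsServers set to True are the ones to review first, since they bypass the maintenance window protection described above.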

Scope the SCCM admin access account down to the OU of the machines you need to handle.
It does not need Domain Admins rights. Use AD Preferences to add the SCCMadmin account to the local Administrators group on the client machines in that OU. This prevents it from running on servers.

Set OS restrictions on the Task Sequences.

Right Click the Task Sequence - Properties

Set OS restrictions on the programs of all applications.

Right click and choose properties on the programs inside the packages.

In SCCM 2012 you have to set Collection Limiting, so why not get used to it right away?
Sub-collections will be gone.
Set Collection Limiting on the queries of the Collections,
i.e. limit the Collection to All Workstations and Professionals or All Windows 7 Systems. That way servers won't accidentally be added to that Collection.

Other than that... always... TEST TEST TEST! :-)

Performing these steps should make your SCCM operations a bit more secure.
