IIS Security policies for SCCM 2012 with local WSUS and SUP role

  • Question

  • Hi,

    I have a single SCCM 2012 server on Windows 2008 R2, running local WSUS and SUP role. My client has a set of security policies to be applied on IIS as follows, and we need to comply or justify any exceptions.

    1. Ensure application pools run under unique identities. SCCM to run a different app pool and WSUS to run a different app pool.
    Current settings:
    - "SMS Distribution Points Pool" has identity LocalService
    - "CCM Client Deployment Pool" has identity LocalService
    - "CCM Server Framework Pool" has identity LocalService
    - "CCM Windows Auth Server Framework Pool" has identity LocalService
    - "SMS Management Point Pool" has identity LocalService
    - "SMS Windows Auth Management Point Pool" has identity LocalService
    - "CCM Client Notification Proxy Pool" has identity LocalService
    - "WsusPool" has identity NetworkService

    Question - the default is LocalService; are we able to change to another identity to run the pool? If not, is there any documentation that states that the pool can only use LocalService?

    2. Configure Global .NET trust level to Medium.
    Current setting - "Full"

    Question - any impact if the setting is changed from "Full"?

    Thanks!

    Regards,

    Richard

    Friday, December 13, 2013 2:17 AM

Answers

  • The settings that ConfigMgr installs with are the only supported settings. Changing anything probably will break everything.

    I highly recommend you *make* your client watch this TechEd session: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304


    Jason | http://blog.configmgrftw.com

    Friday, December 13, 2013 3:16 PM