Securing SCCM in the network - design decisions

  • Question

  • Hi everyone

    Not sure how easy it is to discuss this in a single post, but let me try, at least to share experience.

    We currently have a SCCM 1902 infrastructure managing our client fleet. The company I work for has several production sites with 600 (more or less) additional Microsoft OS computers (both servers and clients) that are not managed by SCCM and are in a separate network with a firewall protecting our corporate network from it (we do not trust - yet - what's happening there). Those clients are very critical, they are managing production lines operating 24x7, and we have been asked to bring some governance in that area as well. As a first step to bring some more governance in that area we would like to add those clients to SCCM so we can immediately get patch management / hw inventory and create a sort of "baseline".

    From a technical point of view it's not a big deal - we'll just extend current infrastructure if required (internet connectivity is not allowed there) and allow proper ports.

    Our internal infosecurity team challenged us on this topic and asked us to put all SCCM roles in a secure network (firewall protected), including an additional secure network for every remote site we want to install a DP to and a secure network for the datacenter.

    From a security perspective we were only thinking about RBAC to properly delegate access to those clients (we have separate admins for those) and we now have to face this additional requirement.

    There's already a firewall protecting the corporate network

    CORP Clients and all SCCM ROLES - FW - PROD Clients

    Our security dept would like to change it in this way:

    • in the datacenter

    CORP CLIENTS - Firewall - SCCM Primary

    PROD CLIENTS - Firewall - SCCM Primary

    SCCM PRIMARY - Firewall - SCCM DP in the remote site

    • in the remote site

    CORP CLIENTS - Firewall - PROD Clients (this stays as is)

    CORP CLIENTS - Firewall - SCCM Distribution Point

    SCCM DP - Firewall - SCCM Primary (in the datacenter)

    The reason for this configuration is to "protect" the CORP network from any compromised system; SCCM is at risk since they are communicating with the PROD clients and they must be isolated in a protected zone.

    Agreed, adding more firewalls is good (it's adding more control on the traffic even if it's adding more management overhead).

    Assuming a SCCM DP or Primary is well configured and maintained (hardened, minimizing admin accounts, complex passwords changed regularly, and in general all guidance I see here), which other risks do you see if we do not deploy the recommended configuration?

    Thanks for any comment

    Friday, September 20, 2019 4:01 PM