From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Hemsell, Todd
Sent: Tuesday, July 07, 2009 1:31 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question

they do not unless you have a goofy package that is trying to log to the install source directory or something..

Like an AutoDesk product would do


From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of McDonald, Brian (Network Analyst)
Sent: Tuesday, July 07, 2009 12:21 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question

(see attached) Why do the local users need special permissions to create files / write data and create folders / append data in the package source folders? (PKGSRC share in the attached JPEG)

I checked this in our lab and in production and the servers have the same permissions.

Brian

-----Original Message-----
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Nackers
Sent: July 07, 2009 11:11 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question



Ah sorry... The site server computer account needs read access if I remember correctly...



-----Original Message-----
From: McDonald, Brian (Network Analyst) <Brian@ottawa.ca>
Sent: Tuesday, July 07, 2009 10:09 AM
To: mssms@lists.myitforum.com <mssms@lists.myitforum.com>
Subject: RE: [mssms] SMS 2003 Security Question

Thanks for the info BUT...

I'm inquiring specifically about the package *source* folder permissions as outlined on the Data Source tab of the package properties, and not the distribution point permissions.

See attached JPEG file.

Brian

-----Original Message-----
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Nackers
Sent: July 07, 2009 10:35 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question


suppose a link helps:
http://myitforum.com/cs2/blogs/cnackers/archive/2009/06/05/restricting-permissions-on-sms-sccm-software-distribution-share-smspkg-smssig.aspx

There was some further information that was in the email chain, but I don't have that available right now...



Thanks

Chris Nackers
Sub-Zero, Inc / Wolf Appliance, Inc
chris.nackers@subzero.com
p: 608-204-6429
c: 608-354-5693


  _____ 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Hemsell, Todd
Sent: Tuesday, July 07, 2009 9:25 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question


To add to this...

"Does only the SMS service account and software installation account need read/write access? "


There was a really good thread a few weeks ago where someone had worked out that Domain Computers need read access, the Network Access Account needs read access,
and the users need execute permissions, but not browse permissions.

That allows users to run self healing/repair on msi packages without being able to go nose around in the DP.

You have to set those NTFS permissions on the package source before it is ever replicated around or sucked up into SMS.
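The advice above amounts to a checklist for the package source ACL: the site server computer account, the Network Access Account and Domain Computers get read, users get read/execute without anything that lets them add or change files, and it all has to be in place before SMS picks the folder up. The following PowerShell script is an added example, not code from this thread or from SMS; it audits a package source folder against that checklist and reports ACEs that give broad groups write-type rights, plus expected readers that are missing. The share path, the domain name CONTOSO and the account names passed as ExpectedReaders are placeholders, and the script assumes PowerShell 3.0 or later on a host that can reach the share.

```powershell
# Added example (not from the thread): audit the NTFS ACL on an SMS 2003
# package *source* folder. Flags Allow entries that let ordinary users
# create, change or delete files, and reports expected reader accounts
# that have no ACE at all. Names below are placeholders.

# Rights that amount to "can modify the package source": create files /
# write data, create folders / append data, delete, change permissions,
# take ownership. Built from a comma-separated flags string.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Broad groups that should hold no more than Read & Execute on a package source.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users'
)

function Test-PackageSourceAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Accounts expected to read the source: site server computer account,
        # Network Access Account, Domain Computers. Placeholder names.
        [string[]]$ExpectedReaders = @(
            'CONTOSO\SMSSITESRV$',
            'CONTOSO\SMSNetAccess',
            'CONTOSO\Domain Computers'
        )
    )

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()

    # A source folder that still inherits from its parent can pick up a
    # permissive entry (e.g. Users: Modify) that nobody set deliberately.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += [pscustomobject]@{
            Path = $Path; Identity = '(inheritance)'
            Rights = 'ACL inherits from parent'; Severity = 'Info'
        }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $identity = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights
        # Compare on the integer value: FileSystemRights can carry generic
        # bits that do not round-trip as enum names.
        $grantsWrite = (([int]$rights) -band ([int]$WriteMask)) -ne 0

        if ($grantsWrite -and ($BroadPrincipals -contains $identity)) {
            $findings += [pscustomobject]@{
                Path = $Path; Identity = $identity
                Rights = $rights; Severity = 'High'
            }
        }
    }

    # Readers with no ACE at all will break distribution or MSI self-repair.
    $present = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
    foreach ($reader in $ExpectedReaders) {
        if ($present -notcontains $reader) {
            $findings += [pscustomobject]@{
                Path = $Path; Identity = $reader
                Rights = 'no ACE present'; Severity = 'Warning'
            }
        }
    }

    return $findings
}

# Usage (assumed share path): audit the source root and each package subfolder.
# $root = '\\SMS2003\PKGSRC'
# Test-PackageSourceAcl -Path $root
# Get-ChildItem -LiteralPath $root |
#     Where-Object { $_.PSIsContainer } |
#     ForEach-Object { Test-PackageSourceAcl -Path $_.FullName } |
#     Format-Table -AutoSize
```

The script only reads the ACL; it never changes it. A "High" finding means a broad group can write into the source, which is exactly the create-files / append-data grant the thread questions. Share-level permissions are not inspected here because the effective right is the intersection of share and NTFS rights, so NTFS is where the restriction has to live.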

  _____ 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Nackers
Sent: Tuesday, July 07, 2009 9:17 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question


here we go:
http://www.myitforum.com/articles/8/view.asp?id=8834

SMSPKG{x}$ folder is created on the drive with most free space, where {x} is the drive letter, e.g., F:\SMSPKGF$ (this example will be used through the rest of the document)

* Default NTFS permissions (not inherited)
  Users: Read & Execute
  Administrators: Full Control
  Guests: Read & Execute

* Package directories (named with the package ID) do not inherit permissions. By default, same as above except no Guest access.

* Package contents inherit permissions from package directory.

- Share of the same name is created, e.g., \\SMS2003\SMSPKGF$.
  Default share properties:

* Permissions: Everyone: Full Control

* Description: "SMS Site PS1 DP {datecreated}"

* User limit: Maximum allowed



Thanks

Chris Nackers
Sub-Zero, Inc / Wolf Appliance, Inc
chris.nackers@subzero.com
p: 608-204-6429
c: 608-354-5693


  _____ 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Nackers
Sent: Tuesday, July 07, 2009 9:06 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SMS 2003 Security Question


There was an article on myitforum that detailed the default permissions, thought I had it bookmarked but can't seem to find it.. I'll keep looking

Thanks

Chris Nackers
Sub-Zero, Inc / Wolf Appliance, Inc
chris.nackers@subzero.com
p: 608-204-6429
c: 608-354-5693


  _____ 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of McDonald, Brian (Network Analyst)
Sent: Tuesday, July 07, 2009 8:11 AM
To: mssms@lists.myitforum.com
Subject: [mssms] SMS 2003 Security Question



Environment: SMS 2003 SP3 (Advanced security clients) running on Windows Server 2003 SP2

What should be the default folder permissions for the package source share, on an SMS 2003 SP3 central/primary server?

Does only the SMS service account and software installation account need read/write access?

I need to verify folder security here to limit user access to software package source files.

Brian

This e-mail originates from the City of Ottawa e-mail system. Any
distribution, use or copying of this e-mail or the information it
contains by other than the intended recipient(s) is unauthorized.
If you are not the intended recipient, please notify me at the
telephone number shown above or by return e-mail and delete
this communication and any copy immediately. Thank you.

This e-mail was sent by the City of Ottawa e-mail system. Any
distribution, use or reproduction of the e-mail or of the
information it contains by anyone other than its intended
recipient is prohibited. If you have received this message in
error, please notify me by telephone (at the number given above)
or by e-mail, then promptly delete the original of this
communication and all copies. Thank you for your cooperation.



==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/smslist/











