Defining Access Accounts
By default, when SMS creates the SMSPKGx$
share, it grants Read access to the local Users group and Full Control
to the Administrators group. The default Users and Administrators
entries map to the local Users and Administrators groups for Windows
distribution points. These accounts are known as generic package access
accounts.
Since the default share is a hidden share, the
only way a client should know that a package is available to it is
through the package distribution process. In other words, the client
agent will see an advertisement for that package that targets a
collection the client is a member of. Bear in mind that users will be
users, and it’s possible that they will find the hidden share, navigate
to a package folder, and execute any programs they find there. This
could also happen if you create your own shares.
There are a couple of ways to deal with this
little breach of security. One would be for you to evaluate the share
(or NTFS) security for the SMS shares or for the package folders within
the share. This is a time-consuming and potentially destructive process
if you happen to lock out SMS from accessing the share. The other
solution is to define access accounts for the package through the SMS
Administrator Console. When you define an access account, you also
define the level of access or permission for the specified user or
group. This is much like creating ACLs in Windows.
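Before evaluating share or NTFS security on a distribution point, it helps to see exactly what the SMSPKGx$ share currently grants and which entries are the broad defaults described above. The following PowerShell script is an added example, not code from this chapter or from SMS itself; it assumes the SmbShare cmdlets (Windows Server 2012 or later) and administrative rights on the distribution point, and the share name pattern SMSPKG?$ is assumed from the naming convention above. It only reports and does not change any permission.

```powershell
# Added audit example (not from the book): enumerate the SMSPKGx$ share(s)
# on this distribution point and flag share-level or NTFS entries that grant
# access to broad principals such as the local Users group (the SMS default).
# Assumes the SmbShare module (Windows Server 2012+/Windows 8+) and local admin rights.

$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# SMS names the package share SMSPKG<drive letter>$; '?' matches any single drive letter.
$shares = Get-SmbShare -Name 'SMSPKG?$' -ErrorAction SilentlyContinue
if (-not $shares) {
    Write-Warning 'No SMSPKGx$ share found on this host.'
    return
}

foreach ($share in $shares) {
    Write-Host "Share: $($share.Name)  Path: $($share.Path)"

    # Share-level permissions (the "share security" the chapter refers to).
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        $flag = if ($broadPrincipals -contains $_.AccountName) { 'BROAD' } else { '' }
        '{0,-6} SHARE  {1,-35} {2,-5} {3}' -f $flag, $_.AccountName, $_.AccessControlType, $_.AccessRight
    }

    # NTFS permissions on the share root and on each package folder beneath it.
    $folders = @(Get-Item -Path $share.Path) + @(Get-ChildItem -Path $share.Path -Directory)
    foreach ($folder in $folders) {
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                $who  = $_.IdentityReference.Value
                $flag = if ($broadPrincipals -contains $who) { 'BROAD' } else { '' }
                '{0,-6} NTFS   {1,-35} {2,-5} {3}  ({4})' -f $flag, $who, $_.AccessControlType, $_.FileSystemRights, $folder.Name
            }
    }
}
```

Lines marked BROAD are the entries to compare against the package access accounts you define in the SMS Administrator Console; any change to the share or NTFS ACL itself should be tested first, since locking SMS out of the share breaks distribution.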
To define an access account, follow these steps:
1. Navigate to the Packages folder, find your package entry, and expand it.
2. Right-click Access Accounts, choose New from the context menu, and then choose the type of access account you want to create.
3. The two types of access accounts are listed here:
   - Windows User Access Account — Defines a Windows user or group account and the level of permission to allow
   - Generic Access Account — Defines additional or replacement user, guest, or administrator accounts and the level of permission to allow that maps to an operating system–specific account
   Select the appropriate option to display the Access Account Properties dialog box, shown in Figure 8.
4. Click Set to specify the account information as follows:
   - For a Windows user account, the Windows User Account dialog box will appear, as shown in Figure 9. Enter the user or group account in \\Domain\user format, and select User or Group.
   - For a Generic account, the Generic Account dialog box will appear, as shown in Figure 10. Select the account type.
5. Click OK to return to the Access Account Properties dialog box. Select the appropriate level of permissions from the Permissions drop-down list, as shown in Figure 11.
   For most applications, Read permission will be sufficient. However, if the program requires any kind of writing back to the source directory, you’ll need to assign at least Change permission.
6. Click OK to create the account.