
Summary

Overprivileged accounts and unnecessary permissions are common misconfigurations in Configuration Manager. It is paramount to ensure the various accounts in use are assigned only the necessary permissions to perform their function. This article does not cover every account. Do not use these accounts for multiple purposes. Note that using accounts from different Active Directory forests or domains will allow an attacker who has compromised the SCCM hierarchy to cross forest boundaries after dumping and decrypting the credentials (CRED-5). See PREVENT-22 for more information. As always, test these configurations in a lower environment before implementing in production to ensure there are no issues.

Active Directory forest account

The site uses the Active Directory forest account to discover network infrastructure from Active Directory forests. Central administration sites and primary sites also use it to publish site data to Active Directory Domain Services for a forest.

Capture OS image account

This account is used as part of task sequences. If configured, it may be deployed to various systems, and its credentials may be recoverable by an administrator on those systems.
  • Do NOT assign interactive logon permissions
  • Do NOT use the network access account

Client push installation account

This account is used to connect to computers and install the SCCM client software. Under certain conditions, attackers can coerce authentication from this account and potentially perform NTLM relay attacks (ELEVATE-2).
  • Must be a member of the local Administrators group on target computers
  • Do NOT use a domain administrator account
  • Use domain or local group policy to Deny log on locally

Enrollment point connection account

This account is used for an MDM enrollment point to connect to the SCCM site database. If this is not configured, the computer account will be used.
  • Required when the enrollment point is in an untrusted domain
  • Requires Read and Write access to the site database

Exchange Server connection account

This account is used to establish a connection to an Exchange Server. This connection is used to find and manage mobile devices that connect to the Exchange Server.
  • Requires Exchange PowerShell cmdlets

Management point connection account

This account is used by management points to connect to the site database for the purpose of sending and receiving client information. If this is not configured, the management point’s computer account will be used.
  • Required when the management point is in an untrusted domain
  • Do NOT add this account to Administrators on the MSSQL server
  • Do NOT assign interactive logon permissions

Multicast connection account

This account is used to read multicast information from the site database. If this is not configured, the computer account will be used.
  • Required when the site database is in an untrusted domain
  • Do NOT add this account to Administrators on the MSSQL server
  • Do NOT assign interactive logon permissions

Network access account

This account is used to access content on distribution points when the computer account cannot be used (e.g., not domain joined). There are several scenarios where this account is required. Please refer to the documentation.
  • Requires the Access this computer from the network right on the distribution point
  • Do NOT grant interactive logon permissions
  • Do NOT grant administrative rights to any systems
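The "Deny log on locally", "Do NOT assign interactive logon permissions" and "Access this computer from the network" requirements above (for the client push installation account, the network access account, and the connection accounts earlier on this page) are all user rights assignments on the target host. The following script is an added example, not code from the original page: it exports the effective local policy with secedit.exe and reports which of those rights are explicitly assigned to a given account. The account name and export path are hypothetical; run it elevated on the host being checked.

```powershell
# Added example, not from the original page. Audits which logon rights a
# service account holds on the local machine by exporting the effective local
# security policy with secedit.exe and parsing its [Privilege Rights] section.
# Run elevated on the target host (client push target, distribution point...).
# 'CONTOSO\svc-clientpush' is a hypothetical account; pass the real one with -Account.
param(
    [string]$Account    = 'CONTOSO\svc-clientpush',
    [string]$ExportPath = (Join-Path $env:TEMP 'secpol-audit.inf')
)

# secedit writes principals as *S-1-5-... so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the policy.
& "$env:SystemRoot\System32\secedit.exe" /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $ExportPath)) { throw "secedit export failed (are you running elevated?)" }

# Build right -> list of principals (SIDs with the leading '*' stripped, or
# plain names where secedit could not resolve a SID).
$rights = @{}
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $ExportPath -Force -ErrorAction SilentlyContinue

function Test-RightAssigned([string]$Right) {
    # Only explicit assignment to the account itself is detected here. Rights
    # inherited through groups (Administrators, Users, Everyone) are not, which
    # is exactly why an explicit Deny entry is the reliable control: a Deny
    # right always overrides an Allow obtained through group membership.
    $list = $rights[$Right]
    return [bool]($list -and (($list -contains $sid) -or ($list -contains $Account)))
}

$report = [ordered]@{
    'Deny log on locally (SeDenyInteractiveLogonRight)'           = Test-RightAssigned 'SeDenyInteractiveLogonRight'
    'Allow log on locally (SeInteractiveLogonRight)'              = Test-RightAssigned 'SeInteractiveLogonRight'
    'Deny log on through RDP (SeDenyRemoteInteractiveLogonRight)' = Test-RightAssigned 'SeDenyRemoteInteractiveLogonRight'
    'Access this computer from the network (SeNetworkLogonRight)' = Test-RightAssigned 'SeNetworkLogonRight'
}
$report.GetEnumerator() | ForEach-Object { '{0,-62} {1}' -f $_.Key, $_.Value }

# Flag the two conditions this page warns about for service accounts.
if (-not $report['Deny log on locally (SeDenyInteractiveLogonRight)']) {
    Write-Warning "$Account has no explicit 'Deny log on locally' entry on $env:COMPUTERNAME"
}
if ($report['Allow log on locally (SeInteractiveLogonRight)']) {
    Write-Warning "$Account is explicitly granted interactive logon on $env:COMPUTERNAME"
}
```

Because the client push installation account must be a local administrator on its targets, it inherits "Allow log on locally" from the Administrators group; the script therefore treats a missing explicit Deny entry, not the absence of an Allow entry, as the finding. The same check applies to the network access account, which additionally needs SeNetworkLogonRight on distribution points.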

Package access account

This account enables custom, granular permissions on content and packages on a distribution point.

Reporting services point account

This account is used to retrieve report data from the site database.
  • Requires the Log on locally permission on the MSSQL server hosting SQL Server Reporting Services

Site installation account

This account is used to install a new site.
  • Requires membership in the local Administrators group on the site server, each site database server, and each SMS Provider instance
  • Requires Sysadmin on the site database

Site system installation account

This account is used to install, reinstall, uninstall, and configure site systems.
  • Requires membership in the local Administrators group on the target site system
  • Requires Access this computer from the network right on the target site system

SMTP server connection account

This account is used to send email alerts.
  • Requires ONLY ability to send emails, nothing more

Software update point connection account

This account is used for Windows Server Update Services (WSUS) functionality.
  • Required if the software update point is in an untrusted forest
  • Requires membership in the local Administrators group on the computer where WSUS is installed
  • Requires membership in the local WSUS Administrators group on the computer where WSUS is installed

Task sequence domain join account

This account is used by task sequences to join a computer to the domain. Note: when this account joins computers to the domain, it becomes the owner of those computer objects, which effectively grants it full control over them. Remove this ownership after joining the computer to the domain (PREVENT-17).
  • Requires permissions to add a computer to the domain
  • Do NOT assign interactive sign-in permissions
  • Do NOT use the network access account
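The ownership clean-up the note above calls for can be audited and applied with the ActiveDirectory module. The following script is an added example, not code from the original page: it lists computer objects whose owner is the domain join account and, when run with -Fix, transfers ownership to Domain Admins. The account, group and search base are hypothetical, and the caller must be permitted to change the owner of those objects.

```powershell
# Added example, not from the original page. Finds computer objects owned by
# the task sequence domain join account and, with -Fix, sets their owner to
# Domain Admins so the join account no longer holds implicit full control
# over the machines it joined (the situation the page describes).
# 'CONTOSO\svc-tsjoin', 'CONTOSO\Domain Admins' and the OU are hypothetical.
param(
    [string]$JoinAccount = 'CONTOSO\svc-tsjoin',
    [string]$NewOwner    = 'CONTOSO\Domain Admins',
    [string]$SearchBase  = 'OU=Workstations,DC=contoso,DC=com',
    [switch]$Fix
)
Import-Module ActiveDirectory

# Compare owners by SID so renamed or unresolvable accounts do not slip past.
$joinSid    = ([System.Security.Principal.NTAccount]$JoinAccount).Translate(
                  [System.Security.Principal.SecurityIdentifier])
$newOwnerNt = [System.Security.Principal.NTAccount]$NewOwner
$owned      = @()

# nTSecurityDescriptor carries the owner; it is not returned by default, so
# it has to be requested explicitly.
Get-ADComputer -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
    ForEach-Object {
        $ownerSid = $_.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($ownerSid -eq $joinSid) {
            $owned += $_
            '{0}  owner: {1}' -f $_.DistinguishedName, $JoinAccount
            if ($Fix) {
                # The AD: drive from the ActiveDirectory module exposes the
                # object's security descriptor to Get-Acl / Set-Acl.
                $path = 'AD:\' + $_.DistinguishedName
                $acl  = Get-Acl -Path $path
                $acl.SetOwner($newOwnerNt)
                Set-Acl -Path $path -AclObject $acl
                "    owner changed to $NewOwner"
            }
        }
    }

$suffix = if ($Fix) { ' (ownership transferred)' } else { ' (report only; rerun with -Fix to change)' }
'{0} computer object(s) owned by {1}{2}' -f $owned.Count, $JoinAccount, $suffix
```

Run it without -Fix first to see the affected objects; scheduling the report-only mode after imaging windows turns the one-off clean-up into a recurring check that the join account has not silently accumulated ownership again.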

Task sequence network folder connection account

This account is used by task sequences to connect to a network share.
  • Requires access to the target network share
  • Do NOT assign interactive sign-in permissions
  • Do NOT use the network access account

Task sequence run as account

This account is used in task sequences to execute commands or scripts as an account other than the Local System account. This account should be configured with the minimum permissions necessary to complete the associated task sequence step. Create multiple run as accounts, each with tightly-scoped permissions for its specific task sequence step.
  • Requires interactive sign-in permissions
  • Do NOT use the network access account
  • Do NOT use a domain administrator

Collection Variables

Custom environment variables called collection variables are one of the configuration settings that can be applied to collections; they are exposed to every member of the collection. Nothing specifically requires these variables to be credentials, but they can be used for this purpose. In transit and on disk, SCCM encrypts them in the same way as credentials, and they can be recovered using the same techniques as for the network access account (CRED-1 through CRED-4).
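Because collection variables are recoverable in the same way as stored credentials, the defensive step is to know where they exist and remove any that hold secrets. The following script is an added example, not code from the original page: it inventories collection variables through the SMS Provider and flags masked variables and credential-looking names, without ever printing values. The site code, provider host and name heuristic are hypothetical; it uses Get-WmiObject, so it runs under Windows PowerShell 5.1, and the caller needs read access to the SMS Provider.

```powershell
# Added example, not from the original page. Inventories collection variables
# through the SMS Provider so that masked variables and credential-looking
# names can be reviewed and removed. Values are deliberately never printed.
# 'PS1' and 'sccm-provider.contoso.com' are hypothetical.
param(
    [string]$SiteCode     = 'PS1',
    [string]$ProviderHost = 'sccm-provider.contoso.com'
)
$ns = "root\SMS\site_$SiteCode"
$suspectName = 'pass|pwd|secret|token|key|cred|user'   # constructed heuristic

# CollectionVariables is a lazy property: it stays empty until Get() is
# called on each SMS_CollectionSettings instance.
$settings = Get-WmiObject -ComputerName $ProviderHost -Namespace $ns -Class SMS_CollectionSettings
$findings = foreach ($s in $settings) {
    $s.Get()
    foreach ($v in $s.CollectionVariables) {
        [pscustomobject]@{
            CollectionID        = $s.CollectionID
            Variable            = $v.Name
            IsMasked            = [bool]$v.IsMasked
            LooksLikeCredential = ($v.Name -imatch $suspectName)
        }
    }
}

# Resolve collection names for the report.
$names = @{}
Get-WmiObject -ComputerName $ProviderHost -Namespace $ns -Class SMS_Collection |
    ForEach-Object { $names[$_.CollectionID] = $_.Name }

$findings |
    Select-Object CollectionID, @{ n = 'Collection'; e = { $names[$_.CollectionID] } },
                  Variable, IsMasked, LooksLikeCredential |
    Sort-Object LooksLikeCredential, IsMasked -Descending |
    Format-Table -AutoSize

$flagged = @($findings | Where-Object { $_.IsMasked -or $_.LooksLikeCredential })
if ($flagged.Count) {
    Write-Warning ("{0} collection variable(s) look like stored credentials; review and remove them, " +
                   "since CRED-1 through CRED-4 recover them like the network access account.") -f $flagged.Count
}
```

A masked variable is not a safe variable: masking only hides the value in the console, while the encrypted copy on the client and in the site database is what the CRED techniques recover, so every flagged entry should be removed rather than re-masked.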
