Recently I had some time to build an SCCM 2012 SP1 Beta site in my lab environment. I destroyed my existing environment so that I could start again using Advanced Security.
I used Justin Gao’s excellent guide to build an environment that uses Advanced Security for client communications. Many customers are not using Advanced Security with the RTM, so I needed to familiarize myself with this approach. To me, it was a great eye opener.
In a nutshell, only HTTPS communications are allowed and you have to do something with certificates. You need to use HTTPS if you want to use mobile devices or access from the internet.
The guide is available at the following website: http://blogs.technet.com/b/justin_gao/archive/2012/09/22/system-center-2012-configuration-manager-sp1-beta-deployment.aspx
With this guide you should succeed in building the environment yourself; this blog post is not going to discuss the deployment itself. As usual, SCCM 2012 SP1 is still in Beta, so do not install it in a production environment.
One passage caught my attention. The guide explains that you need to configure all SQL services to run under the LOCAL SYSTEM account instead of a domain user account or the NETWORK SERVICE account; otherwise database replication will fail with certificate issues. This is mentioned on page 7 of the guide.
This contradicts the SQL best practice documented on TechNet: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig
Please understand that I’m not challenging Justin’s document at all; I’d like to thank Justin for writing this document in the first place. Whether to challenge this document is completely up to you.
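Because the service account choice above is exactly the kind of thing a DBA or security officer will ask about, here is an added example (my own, not taken from Justin’s guide or from the SCCM or SQL documentation) that lists the SQL Server services on a host and flags any running as LOCAL SYSTEM. It assumes it is run locally on the SQL Server host with rights to query services, and it matches SQL services by the name patterns listed in the script.

```powershell
# Added example: report which account each SQL Server service runs under and flag LOCAL SYSTEM,
# so the deviation from the TechNet best practice is visible and can be documented.
# Assumption: run locally on the SQL Server host; service names match the patterns below.
function Get-SqlServiceAccountReport {
    # Name patterns for the SQL engine, Agent, Browser, Reporting Services and full-text daemon
    $patterns = 'MSSQL*', 'SQLAgent*', 'SQLBrowser', 'ReportServer*', 'MSSQLFDLauncher*'

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $svc = $_
            # keep the service if any pattern matches its short name
            ($patterns | Where-Object { $svc.Name -like $_ }).Count -gt 0
        }

    foreach ($svc in $services) {
        # Win32_Service reports LOCAL SYSTEM as "LocalSystem" and
        # NETWORK SERVICE as "NT AUTHORITY\NetworkService"
        $isLocalSystem = $svc.StartName -eq 'LocalSystem'
        [pscustomobject]@{
            Service       = $svc.Name
            State         = $svc.State
            RunsAs        = $svc.StartName
            IsLocalSystem = $isLocalSystem
            Note          = if ($isLocalSystem) {
                                'Deviates from SQL best practice: record why (e.g. SP1 Beta replication certificates)'
                            } else {
                                'Matches best practice (dedicated or built-in low-privilege account)'
                            }
        }
    }
}

# Usage: print the report for this host
Get-SqlServiceAccountReport | Format-Table -AutoSize
```

Running this before and after following the guide gives you a record you can hand to the DBA team explaining exactly which services were changed and why.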
While the technical implications may not be a big deal, I expect many political challenges when offering organizations this solution. Many companies have DBA administrators. Not applying best practices might be very confronting to them, as well as to other system administrators, security officers and even the CIO.
SCCM 2012 SP1 is still in Beta; however, this feature is also available in the RTM. It makes me curious how security-related specialists look at this issue. On the other hand, most organizations use a dedicated SQL instance for SCCM 2012 and no other databases are installed on that instance. To a certain point, I don’t think it’s really a big deal.