Security and privacy for Endpoint Protection in Configuration Manager

We know by now that Endpoint Protection uses software updates to deliver definition updates to client computers that run the Configuration Manager client. With that in mind, make sure that you read Security and Privacy for Software Updates in Configuration Manager at the following link:

https://docs.microsoft.com/en-us/sccm/sum/plan-design/security-and-privacy-for-software-updates

How to do it…

Regarding security best practice, there are a few checkpoints you will want to think through and make sure you have covered.

We have been through most of these in various aspects, and how to set up and configure them based on Microsoft best practice as well as my experience over the years of implementation and real-life customer practice.

I see it like this: you have Microsoft, the developer of the product, who makes guidelines and best practices for how to set up and configure the solutions. These are based mostly on how the product works with a typical infrastructure and typical users. And then you have the real-life situation of a business, where you want to adapt this knowledge into a working solution securely. You have to know what settings and changes you need to make for the solution to work in your environment.

Now, the first headline you need to check off is Automatic Deployment Rules (ADR). These make sure definition updates are automatically downloaded and approved for deployment to clients. Within this topic you have a bunch of settings, both on the server side and on the client side. I call it server side and client side even though you configure it all on the Configuration Manager server. Configuring this poorly or misconfiguring it may lead to clients not getting daily definition updates, and to possible saturation of the WAN link. Now, definition updates are not huge; you can expect around 1MB a day per client. But the problem starts if you have low-bandwidth connections, metered networks, very slow satellite connections, or thousands of clients in a branch location, just to mention a few examples. So make sure you have this properly set up and configured to work in your environment, because there is very little automatic sensing in this: the clients don't know how much total bandwidth they actually have available to the nearest Distribution Point or to the Internet.

How to do it…

Automatic Deployment Rules in SCCM

Consider configuring all Management Points for HTTPS-encrypted communication. Now, this is something I have not addressed in particular, because you want to consider it thoroughly. It requires quite a lot of planning and thought regarding PKI certificates and so on.

Note

You can read more about the requirements in this Microsoft Technet link: https://technet.microsoft.com/en-us/library/gg699362.aspx

But why do we need encrypted communication between our clients and the server infrastructure? All communication travelling over the Internet today should be secured with certificate-based encryption. You will see this more and more in the future, but today we see it for the most part on VPNs, email, bank accounts, and websites where we need to type our login and password. So basically, it means that all communication running over port 80 HTTP is wide open for hackers and thieves to steal whatever information they can use.

The Configuration Manager client that System Center Endpoint Protection uses, as mentioned in previous chapters, handles deployment, policy configuration, compliance, health checks, updates, and status reporting. All of this communication will flow unencrypted on port 80 HTTP if it is not configured for HTTPS. Now, this is alright when the client is on the LAN, which is usually secured well with firewalls and often intrusion detection. When the client computer travels home or onto the Internet, there is no longer any communication with the System Center Configuration Manager infrastructure. So there is basically no risk there, and this is the most common configuration in my experience. But some choose to set up HTTPS, also called Internet-Based Client Management (IBCM).

There is a new feature released with SCCM version 1610 called Client Management Gateway, which runs in the Azure cloud and allows clients to communicate with SCCM while they are on the public Internet. This of course requires PKI certificates as well as a Microsoft Azure subscription. But it is a very cool feature, and will increase the security of clients.

So what kind of communication are we talking about regarding the security aspects of SCEP? This will be status messages carrying information about any detected malware. If you want to protect this information and are running clients in insecure network environments, you would want to consider setting up HTTPS mode for your SCCM infrastructure.

How to do it…

HTTPS configuration in Site Settings in the Administration pane in SCCM

Email notification: I'm sure what you would want to know immediately is whether there was an outbreak or a mass-spreading malware attack on the computers or servers in your business. We usually have email on our computers, phones, tablets, and so on.

You should consider using a mail server that supports authenticated access, using the SCCM site server's computer account for authentication. If this is not possible, you should use a domain account that has the least privileges.

Avoid having users with local administrative rights as much as possible. This is something everyone struggles with; the paradox is that the larger the business, the stricter the policy it has managed to see through and enforce, and the smaller the business, the less strict its security. I guess the natural explanation would be that in larger companies, with thousands or maybe hundreds of thousands of users, it would mean chaos and a huge security risk if every user were allowed local administrative rights.

Even so, without administrative rights, we see that some malware, like the ransomware crypto viruses that we will discuss more in the following chapters, slips through and manages to do harm. A good policy is to always grant end users the least privileges needed.

This is especially important when we are using Endpoint Protection, because with local administrative access the end users obviously have the ability to do much more. To be more specific, they can delete reported instances of malware before they are sent to Configuration Manager, which happens every five minutes by default. But the even more important aspect, from a security perspective, is that they can actually manage to uninstall the Endpoint Protection client and stop its dependent services. Now, this is something the Microsoft team is working on improving, called Tamper Protection, which many of its competitors have had for years. It will simply prevent others, or malware, from performing these kinds of harmful actions. That said, the Configuration Manager client health check and compliance check would force the reinstallation of Endpoint Protection, but not instantly, so this is an important security aspect to think of, and Tamper Protection would be a very welcome improvement in the near future.
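As an added example (not from the book), the following PowerShell script shows the kind of check a defender can run on a client to spot the two risks described above: accounts that hold local administrative rights outside an allow-list, and an Endpoint Protection or Configuration Manager client service that has been stopped or removed. It assumes the antimalware service is named `MsMpSvc` and the SMS Agent Host service `CcmExec`, and the allow-list of admin accounts is a placeholder you adjust for your environment.

```powershell
# Added example, not part of the original book or the Configuration Manager product.
# Assumptions: SCEP antimalware service is 'MsMpSvc', SMS Agent Host is 'CcmExec';
# $ExpectedAdmins is a placeholder allow-list of accounts permitted in local Administrators.
param(
    [string[]]$ExpectedAdmins   = @('Administrator', 'Domain Admins'),
    [string[]]$RequiredServices = @('MsMpSvc', 'CcmExec')
)

$report = [ordered]@{}

# 1. Who holds local administrative rights? Anything not on the allow-list is flagged.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$unexpected = foreach ($m in $members) {
    $short = ($m.Name -split '\\')[-1]          # strip the DOMAIN\ or COMPUTER\ prefix
    if ($ExpectedAdmins -notcontains $short) { $m.Name }
}
$report['UnexpectedLocalAdmins'] = @($unexpected)

# 2. Are the antimalware and ConfigMgr client services present and running?
#    A missing or stopped service is the symptom of the uninstall/stop scenario above.
$serviceState = foreach ($name in $RequiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service = $name
        Present = [bool]$svc
        Status  = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
    }
}
$report['Services'] = $serviceState

# 3. Overall verdict: compliant only with no unexpected admins and every service running.
$notRunning = @($serviceState | Where-Object { $_.Status -ne 'Running' })
$report['Compliant'] = ($report['UnexpectedLocalAdmins'].Count -eq 0) -and ($notRunning.Count -eq 0)

[pscustomobject]$report | Format-List
```

Run it in an elevated session on a client; the `Compliant` field tells you at a glance whether either condition from the text is present before the Configuration Manager health check has had time to remediate it.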
