At my former employer, none of my ConfigMgr stuff was "in-scope" once I
showed what the clients send back up.

Of course I already had to go through the pain of firewall rules for our
"Gaming System" vlan, so it would have just been a request to the
network guys to copy the rules.....

 

Christopher Catlett

Consultant | Detroit

Office 248-876-9738 |Fax 877.406.9647 

 

Sogeti USA

26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456

www.us.sogeti.com <http://www.us.sogeti.com/> 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Barnes,Chris
Sent: Monday, July 22, 2013 10:34 AM
To: [email protected]
Subject: RE: [mssms] Securing data from Distribution Points

 

2012 SP1. 

 

We are not actually touching any card holder data with SCCM, this is
just in scope due to the patching aspect of it. 

 

 

Chris Barnes

Senior Technical Specialist - Penske Automotive Group

 

[email protected] <mailto:[email protected]> 

Desk:  (248) 648-2528

Cell:     (248) 767-4415

 

From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Monday, July 22, 2013 10:28 AM
To: [email protected]
Subject: RE: [mssms] Securing data from Distribution Points

 

Yes, that is correct.

 

Don't actually do this, unless it's in a lab. :)

Just replace some source files on that DP and watch the clients. They
will see they can't get proper source and fall back.

Are you running 2007 or 2012?

 

Are you actually moving PCI data down to machines with ConfigMgr?

The only thing that should be under the looking glass should be the info
the client is sending back up.

 

Christopher Catlett


 

From: [email protected]
[mailto:[email protected]] On Behalf Of Barnes,Chris
Sent: Monday, July 22, 2013 10:11 AM
To: [email protected]
Subject: [mssms] Securing data from Distribution Points

 

Hey guys - Question for you.  My SCCM environment is undergoing
additional scrutiny from our Security and Compliance department due to
our business requirement of being PCI compliant. 

 

Long story short, I am trying to argue that the content that the clients
pull down from the Distribution Point is secure because the client will
be able to compare the expected hash of the content vs. the actual hash
of the content. This would apply both to software distribution packages,
as well as software update packages. So if the distribution point was
compromised, and the package data was altered, the client would reject
the content as it does not match the expected hash that the clients
would obtain from the MP, as long as the MP was not compromised as well.


 

Is this correct? 

 

I am attempting to keep my 90 DPs from having to whitelist every port
and IP that they need to talk to. 

 

 

Chris Barnes


 

 

 

 

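The check described in the original question, as an added example that is not part of the thread and is not ConfigMgr's own hashing code: a client compares content pulled from an untrusted distribution point against a hash obtained from a trusted source. The SHA-256 tree hash, the function names and the sample package files are assumptions constructed for illustration.

```python
import hashlib, hmac, shutil, tempfile
from pathlib import Path

def content_hash(root):
    """SHA-256 over each file's relative path and bytes, in sorted path order."""
    root, h = Path(root), hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        # Length-prefix both fields so bytes cannot shift between path and content.
        for field in (rel, path.read_bytes()):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    return h.hexdigest()

def accept_download(download_dir, expected_hash):
    """Client decision; expected_hash must come from the trusted source, never the DP."""
    return hmac.compare_digest(content_hash(download_dir), expected_hash)

def run_cases():
    """Tamper with copies of a constructed package; return accept/reject per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "files").mkdir(parents=True)
        (src / "install.cmd").write_bytes(b"msiexec /i files\\app.msi /qn\r\n")  # constructed
        (src / "files" / "app.msi").write_bytes(b"constructed-installer-bytes")
        expected = content_hash(src)  # stands in for the hash published by the MP

        def dp_copy(name):  # what a client would pull from the distribution point
            return Path(shutil.copytree(src, Path(tmp, name)))

        results["clean"] = accept_download(dp_copy("clean"), expected)
        d = dp_copy("modified")
        (d / "files" / "app.msi").write_bytes(b"constructed-installer-bytes-altered")
        results["modified"] = accept_download(d, expected)
        d = dp_copy("added")
        (d / "extra.dll").write_bytes(b"unexpected file")
        results["added_file"] = accept_download(d, expected)
        d = dp_copy("renamed")
        (d / "install.cmd").rename(d / "setup.cmd")
        results["renamed_file"] = accept_download(d, expected)
        # The caveat from the question: if the hash source is altered too, the check passes.
        results["hash_source_also_altered"] = accept_download(d, content_hash(d))
    return results

if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case:26}", "accepted" if accepted else "rejected")
```

The last case is why the question's condition about the MP matters: the comparison only protects the client when the expected hash arrives over a channel the distribution point cannot influence.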