
System Center Configuration Manager 2007 features a new security model with more restrictive permissions on the client cache folder. While this provides a lower threat profile, it does require some special considerations when deploying software to users who are not administrators. We have identified two scenarios involving low-rights users and package access when programs are advertised to run in the user context:

SCENARIO 1:

A low-rights user attempts to run a package from a BITS-enabled distribution point and no Network Access Account is set. The BITS transfer fails and the client falls back to an SMB transfer. The content is acquired, but not using the preferred BITS method. A review of the DataTransferService.log shows entries similar to:

Error getting network access account credentials. Code 0x80040215

DTSJob {59CAC552-66E8-4272-9647-68FC52ECF70F} encountered error setting BITS job to use Network Access Account (0x00000000)

DTSJob {59CAC552-66E8-4272-9647-68FC52ECF70F} switched to location 'SMB share'.

SCENARIO 2:

A low-rights user attempts to run a package from a standard or branch distribution point. The download appears to proceed but the progress bar stops before completion. A review of the FileBITS.log shows entries similar to:

Copied file 'SMB Source Location' to 'C:\WINDOWS\system32\CCM\Cache\<cache directory>

FileCopyJob {96893617-AC76-4E7C-9C56-37FA5E929A65} encountered error while copying files (0x80070002).

Using the Sysinternals streams tool (located here) reveals that Alternate Data Streams exist on the package files. Alternate Data Streams can be added to a file in many ways, but they are most often associated with downloading content from non-trusted sites in Internet Explorer. A zone identifier stream is added to such files and is used to warn users of potentially unsafe content. When the client copies a file that carries such a stream into the tightly permissioned client cache, the copy of the stream fails and the FileCopyJob reports the 0x80070002 error shown above.

RESOLUTION:

Both issues are caused by the interaction of the low-rights user and the heightened security permissions on the SCCM client cache. To resolve these issues, set a Network Access Account, configure the access accounts on your packages to explicitly allow read access to that account, and remove the generic Users permission on your packages. This creates a condition in which the Network Access Account is used for content access and the computer's LocalSystem account is used to manipulate the client cache. In this scenario, the Network Access Account does not need to be an administrator.

To configure a Network Access Account, use the process outlined here. You can read an overview of package access accounts here. To remove the Users generic access account, follow the steps here. To add the Windows User Account for your Network Access Account, follow the guidance here. If you plan on deploying content in the logged-on user context, proactive implementation of these measures will ensure consistent operations while adding an additional measure of security from tighter access restrictions.

ADDITIONAL INFORMATION:

For Scenario 2, you can also proactively remove Alternate Data Streams from package content using the streams tool located here. Below is a sample command line to view the streams on a file called download.exe:

streams download.exe

To remove the streams from that file:

streams -d download.exe

To remove the streams from all files in a directory:

streams -d *.*

To remove the streams from all files in a directory and all subdirectories:

streams -s -d *.*
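As an added example that is not part of the original post and is not a Microsoft-provided script, the following PowerShell performs the same audit and cleanup of package source content using the built-in -Stream parameters rather than the Sysinternals streams tool. It assumes PowerShell 3.0 or later on an NTFS volume; the package source path in the usage line is a placeholder.

```powershell
# Added example (not from the original post): report every named alternate data
# stream under a package source folder and, only when -Remove is given, delete
# them so the client-side FileBITS copy into the cache does not fail on ADS.
# Assumes PowerShell 3.0+ (Get-Item/Remove-Item -Stream) and an NTFS source.
function Find-PackageAlternateStreams {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PackageSource,   # folder that the distribution point is fed from
        [switch]$Remove           # report only unless this switch is present
    )

    $files = Get-ChildItem -LiteralPath $PackageSource -File -Recurse -ErrorAction Stop

    foreach ($file in $files) {
        # -Stream * enumerates all streams; ':$DATA' is the primary (unnamed) stream
        $extra = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' }
        if (-not $extra) { continue }

        foreach ($s in $extra) {
            # Zone.Identifier content is tiny; capture it so the report shows the zone
            $content = $null
            if ($s.Stream -eq 'Zone.Identifier') {
                $content = (Get-Content -LiteralPath $file.FullName -Stream $s.Stream -ErrorAction SilentlyContinue) -join ' '
            }

            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $s.Stream
                Length  = $s.Length
                Content = $content
            }

            if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, "Remove stream '$($s.Stream)'")) {
                Remove-Item -LiteralPath $file.FullName -Stream $s.Stream -Confirm:$false
            }
        }
    }
}

# Usage (placeholder path). First audit, then remove with -WhatIf to preview, then for real:
#   Find-PackageAlternateStreams -PackageSource '\\SERVER\PkgSource$\App' | Format-Table -AutoSize
#   Find-PackageAlternateStreams -PackageSource '\\SERVER\PkgSource$\App' -Remove -WhatIf
#   Find-PackageAlternateStreams -PackageSource '\\SERVER\PkgSource$\App' -Remove
```

The function deliberately lists every named stream rather than only Zone.Identifier, because any stream the client cannot recreate in the cache produces the same copy failure; if you only want to clear the Internet Explorer zone marker, Unblock-File on the same files is the narrower option. Run the audit pass on the package source before updating distribution points so the content is clean at the time it is replicated.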

Best regards,

Jason Adams | Senior Support Escalation Engineer