Following is the draft of another article I have written and submitted to technet magazine for publication. This is not yet published so am including the draft here.
Understanding SMS Client Side Software Installation Security
When configuring a software package for distribution in SMS 2003 administrators must choose the user context under which the software will be installed – either the logged on user or administrative context. Choosing “local user” causes the software installation to be executed under the context of the user currently logged onto the computer. Because this option requires a user be logged onto the target computer, and is very limited if the local user does not have administrative rights to the computer, it is more common for software distributions to be sent under administrative credentials.
On an SMS 2003 advanced client, software distributions configured to install using administrative credentials causes the software program to be executed in the context of the local system account On legacy clients, selecting administrative installations causes the software installation to be executed under the context of the SMS Client Token local Account (smsclitoknlocalacct&). This account is created as a typical user account and elevated to have needed administrative credentials at the time of software install. For workstations and member servers, this account is unique to that particular system and is stored in the local SAM database. Domain controllers also use this account but share a domain copy of the account.
The choice to use the local system account for the advanced client allows for increased security and for those familiar with the legacy client or SMS 2.0, requires additional understanding to know what to expect. As an example, consider distribution of an MSI package. If this MSI package has been built to attempt a ‘per user’ install instead of ‘per system’ install – the installation may fail or the results may be unexpected. Commonly, MSI packages can be forced to ‘per computer’ installations by adding the ‘allusers = 2’ switch to the MSI command line through SMS. Consider further software distributions that are initiated from the SMS distribution points but during execution attempt to access network resources external to the SMS distribution point. The SMS advanced client and SMS legacy client handle this situation differently and without good understanding of these differences, software installations may be inconsistent between the two clients. More on this shortly.
When distributing software using administrative credentials, the local system account (advanced client) and SMS Client Token Local Account (legacy client) have full administrative privilege to the local computer but do not necessarily have access to network resources that might be needed during software execution.
When the SMS 2003 advanced client initiates software execution it will connect to the SMS Distribution Point to retrieve the package of interest. Assuming all required software files are available on the SMS distribution point the software installation proceeds. If the software being requested does not reside on an SMS distribution point or if during software installation references are made to a non-SMS share then SMS will attempt to connect to that share location under the context of the Advanced Client Network Access Account. If this account is not configured or does not have rights to the requested share, the software installation will fail and errors will be noted in the execution manager log (execmgr.log). Typically errors in this log will reflect an access denied when the SMS client attempts to access this non-SMS share. It should be noted, however, that even if the network access account is used, the actual installation of the software is still handled by the local system context. The Advanced Client Network Access Account is used strictly for network access.
In contrast to the advanced client, the SMS 2003 legacy client has the ability to use the Software Installation Account. Administrators familiar with an SMS 2.0 environment will also recognize this account. In contrast to the advanced client, when the software installation account is chosen this account is used to access non-SMS shares for software installation – just as the Advanced Client Network Access Account – but is also used to perform the actual software installation. At runtime this account is elevated (if necessary) to have administrative privilege and performs the software installation.
Having a good understanding of how network communication is facilitated for each client during software distribution can help pinpoint failures should they occur. Execmgr logging (advanced client) or SMSAPM32 logging (legacy client) is often useful to track the cause of errors. Knowledge base article 833417 may be helpful for further understanding SMS logging options