SCCM - Basics
Basic information about SCCM hierarchy and credentials
Securing SCCM: An Inside Look at Distributing Credentials Securely
What is SCCM?
System Center Configuration Manager (SCCM) is a management tool from Microsoft that helps IT administrators deploy, manage, and secure devices across an organization. It enables tasks like software deployment, patch management, operating system imaging, and endpoint protection, ensuring devices stay updated.
SCCM was originally called SMS and is now known as MECM, but it's essentially the same. Intune serves a similar purpose.
What is PXE and how does it differ from SCCM?
PXE (Preboot Execution Environment) is a way for a computer to boot up using a network connection instead of a hard drive or USB. It's mostly used to load an operating system image from a server, often during large-scale OS deployments.
SCCM can handle OS deployments using PXE, but it also does much more, such as software updates, application installs, and system monitoring. It is also possible to run PXE without SCCM.
Basic SCCM Infrastructure
SCCM environments can be much larger, but the basic hierarchy includes:
- Site Database: Central database (MSSQL) that stores all SCCM configuration and management data.
- Site Server: The primary server that controls all SCCM operations and coordinates communication between components.
- Management Point: The endpoint from which clients retrieve their policies, which define the resources a client needs.
- Distribution Point: Hosts resources (scripts, software, etc.) for SCCM clients.
- SCCM Clients: Enrolled devices that receive and execute policies from the SCCM infrastructure.
Understanding SCCM Collections
Collections are logical containers grouping client devices. Administrators use collections to define which policies apply to which client devices. A device can belong to multiple collections.
Think of it as:
- Collection ≈ Organizational Unit (OU)
- Policy ≈ Group Policy Object (GPO)
- SCCM clients ≈ Computers/servers
Credential Retrieval Methods
1. Policies
If it is possible to create a computer account (Authenticated Users can by default), you can pull policies, which may contain credentials. Other clients may have access to different policies because they can be in different collections. It is therefore a good idea to perform the attack again from newly compromised SCCM clients.
2. NAA Account
The Network Access Account (NAA) is a domain account whose credentials are transmitted to registered SCCM devices through a secret policy called NAAConfig. An SCCM client can be registered, approved, and configured to apply policies that reference external resources, using the NAA account to authenticate to the distribution point.
There are also other interesting accounts in SCCM such as the Push account and forest discovery account.
3. Task Sequences
Task sequences are exactly what the name suggests: they automate various tasks on the client. For example, they can connect to a network folder, join a computer to the domain, set a local administrator, and more. As a result, they often contain domain credentials. However, task sequences are usually not part of the default collections.
4. Collection Variables
In SCCM, it is possible to associate variables with specific collections of devices. Collection variables are transmitted to the collection's devices as a secret policy called CollectionSettings. The variables can be usernames, passwords, etc.
5. Distribution Point Resources
Resources are stored in C:\SCCMContentLib and accessible via:
SMB Access
- Shared as SCCMContentLib$
- Accessible to Domain Users/Computers
HTTP Access
- Via IIS web server
- Virtual directory: SMS_DP_SMSPKG$ which maps to C:\SCCMContentLib
URL Formats:
- List contents: http://<DP>/sms_dp_smspkg$/<PackageID>/
- Retrieve file: http://<DP>/sms_dp_smspkg$/<PackageID>/<filename>
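Because the content library is reachable over HTTP in the URL format above, a distribution point's IIS logs are the natural place to spot someone walking it. The following Python script is an added example (not part of the original notes): it parses IIS W3C log lines and flags clients that request directory listings for several package IDs or use a user agent other than the ConfigMgr client's. The log lines are constructed, the default IIS field layout is assumed, and the agent string "SMS CCM 5.0" and the listing threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from a real distribution point), default field order.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 08:00:01 10.0.0.5 GET /sms_dp_smspkg$/PS100012/setup.exe - 80 - 10.0.1.20 SMS+CCM+5.0 200
2024-05-01 08:00:02 10.0.0.5 GET /sms_dp_smspkg$/PS100012/ - 80 - 10.0.1.20 SMS+CCM+5.0 200
2024-05-01 08:05:10 10.0.0.5 GET /sms_dp_smspkg$/PS100012/ - 80 - 10.0.2.77 python-requests/2.31 200
2024-05-01 08:05:11 10.0.0.5 GET /sms_dp_smspkg$/PS100013/ - 80 - 10.0.2.77 python-requests/2.31 200
2024-05-01 08:05:13 10.0.0.5 GET /sms_dp_smspkg$/PS100015/ - 80 - 10.0.2.77 python-requests/2.31 200
2024-05-01 08:06:00 10.0.0.5 GET /sms_dp_smspkg$/PS100015/unattend.xml - 80 - 10.0.2.77 python-requests/2.31 200
2024-05-01 08:07:00 10.0.0.5 GET /iisstart.htm - 80 - 10.0.3.9 Mozilla/5.0 200
"""

# The page's URL format: /sms_dp_smspkg$/<PackageID>/ (listing) or .../<filename> (file retrieval)
DP_PATH = re.compile(r"^/sms_dp_smspkg\$/(?P<pkg>[A-Za-z0-9]{8})/(?P<rest>.*)$", re.IGNORECASE)
KNOWN_CLIENT_AGENT = "SMS CCM 5.0"  # assumed user agent of a legitimate ConfigMgr client; adjust locally


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def summarize_dp_access(text):
    """Per client IP: package IDs listed, files fetched, and user agents seen."""
    per_ip = defaultdict(lambda: {"listed": set(), "files": 0, "agents": set()})
    for rec in parse_w3c(text):
        m = DP_PATH.match(rec.get("cs-uri-stem", ""))
        if m:  # ignore requests outside the content-library virtual directory
            entry = per_ip[rec["c-ip"]]
            entry["agents"].add(rec["cs(User-Agent)"].replace("+", " "))  # IIS logs spaces as '+'
            if m.group("rest") == "":
                entry["listed"].add(m.group("pkg").upper())  # directory listing of a package
            else:
                entry["files"] += 1
    return per_ip


def flag_enumeration(text, listing_threshold=3):
    """Return (ip, reason) pairs for clients that look like they are walking the library."""
    findings = []
    for ip, e in sorted(summarize_dp_access(text).items()):
        if len(e["listed"]) >= listing_threshold:
            findings.append((ip, f"listed {len(e['listed'])} packages"))
        if any(a != KNOWN_CLIENT_AGENT for a in e["agents"]):
            findings.append((ip, "non-ConfigMgr user agent: " + ", ".join(sorted(e["agents"]))))
    return findings
```

Listing attempts are counted regardless of status code, so a client probing package IDs that return 403 is still surfaced.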