4

We would like to install various Windows software (.exe) using SCCM but have noticed that SCCM uses a domain admin account when pushing executables. Thus, we are concerned that the account's password hashes and Windows Access Tokens will be left over on all of our servers and workstations after the installation process, where they could obviously be stolen and used to compromise our entire network using pass-the-hash or token impersonation.

What is the safest way to push Windows executables across our network using SCCM without the risks outlined above? If you would be kind enough to provide us with a methodology and process in bullet point format along with URLs to additional instructional content to help us that would be much appreciated.

Thank you in advance.

F0n.

f0n-g4me

1 Answer

3

There are a few (ha!) service accounts in use by SCCM. None of the "daily operation" accounts needs to be a domain admin that I can remember (except perhaps during setup and AD schema extension). See the description of roles here: https://technet.microsoft.com/en-us/library/hh427337.aspx

Executable installs are performed on endpoints using either the local SYSTEM account or the logged-in user (Install for System, Install for User). It sounds like what you are taking issue with is the Network Access Account, which the client uses to access the package repository.

Long story short, you have an inappropriately high-permission account doing tasks (network access account) that do not require any significant level of permission.

Lucky for you, you can specify many service accounts in a list here so you won't break functionality by starting to propagate a low risk account to the client base.

blaughw
    I just checked my own notes and can confirm that I did use a high-permission account for a few things during server setup (schema extension, PKI template creation, service account and group creation). I certainly haven't needed a high-permission account for software deployment. – alx9r Jul 08 '15 at 18:27
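
An audit for the condition the answer describes, a Network Access Account that sits in a high-privilege group, added here as an example and not taken from the answer or from Microsoft's documentation. It assumes Windows PowerShell on the site server (SMS Provider) with the ActiveDirectory RSAT module, a single domain, and uses `ABC` as a placeholder site code; the list of groups treated as privileged is also an assumption.

```powershell
# Added example: flag any configured Network Access Account (NAA) that is a
# member, directly or through nesting, of a privileged AD group.
Import-Module ActiveDirectory

$SiteCode         = 'ABC'   # placeholder: replace with your own site code
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# The NAA list is stored in the site control data, on the
# "Software Distribution" client component.
$component = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Class SMS_SCI_ClientComp |
    Where-Object { $_.ItemName -eq 'Software Distribution' -and $_.SiteCode -eq $SiteCode }

$naaAccounts = ($component.PropLists |
    Where-Object { $_.PropertyListName -eq 'Network Access User Names' }).Values

if (-not $naaAccounts) {
    Write-Output 'No Network Access Account is configured for this site.'
    return
}

$findings = foreach ($account in $naaAccounts) {
    # Accounts are stored as DOMAIN\user; compare on the sAMAccountName part.
    $sam = ($account -split '\\')[-1]

    foreach ($group in $PrivilegedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # Group not present in this domain (e.g. Enterprise Admins outside the forest root).
            $members = @()
        }
        if ($members.SamAccountName -contains $sam) {
            [pscustomobject]@{ NetworkAccessAccount = $account; PrivilegedGroup = $group }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No configured Network Access Account is a member of a privileged group.'
}
```

Any row in the output is an account to replace with a low-privilege one that only has read access to the package repository, as the answer describes.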