SCCM Hierarchy Takeover

One Site to Rule Them All

tl;dr: There is no security boundary between sites in the same hierarchy.

When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then ...

SCCM Site Takeover via Automatic Client Push Installation

tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation.

While reading SCCM Current Branch Unleashed and stepping through the site installation process, I found something interesting — the primary site server’s domain computer account is required to be a member of the local Administrators group on the site database server. During site installation, ...

Relaying NTLM Authentication from SCCM Clients

tl;dr: Seriously, please disable NTLM

I recently learned that you can coerce NTLM authentication from SCCM servers using any Windows SCCM client when automatic site-wide client push installation is enabled and NTLM has not been explicitly disabled. During my research, I found out that if you have certain privileges in SCCM, you ...

Coercing NTLM Authentication from SCCM

tl;dr: Disable NTLM for Client Push Installation

When SCCM automatic site assignment and automatic client push installation are enabled, and PKI certificates aren’t required for client authentication, it’s possible to coerce NTLM authentication from the management point’s installation and machine accounts to an arbitrary NetBIOS name, FQDN, or IP address, allowing ...