Skip to main content

Posts

Showing posts from April, 2013

scep: tampering with anti-tampering

i understand both sides of why people believe this needs to be done. this article outlines a measure microsoft implemented to keep service controls outside of administrative fingers for endpoint protection to keep people from messing around with services. as you might know, this is very silly wall to put around a service. as an administrator, you own the box. if you understand how to read SDDLs and change them to suit your needs , then you can very easily modify it with your administrative credentials to remove that paper wall, -and- coincidentally, you might want to pick up this skill since in some scenarios (read as: mine) the very product that manages endpoint protection (system center configuration manager) fails to update to CU1 because of its inability to stop the microsoft antimalware service. <sigh> i guess you could uninstall the product. that seems safer. :/ this is akin to putting in safeguards such as making sure i am running an installation with my domain admin a

sccm: the required permissions for creating collections

i had modeled a concept for how i wanted to lay out permissions only to find out the permissions i created for managing collections was wrong – specifically, the creation of collections. after spending some time messing around with sccm 2012 (configmgr for you purists), i was able to work out the exact requirements for creating collections. what a pain since there is no documentation for what the permissions actually perform ! (admittedly, most of it is self-explanatory just by the permission name itself.) after doing a little digging (referred to some as trial and error), it turns out that a specific permission, modify folder , is required. by all appearances as blogged by others , it seems this is a bug. i didn’t bother to go into the bug tracker to figure out where this was in the development cycle. at any rate, keep that in mind. you’ll need it. so, with the following permission set: create read you basically get a slap across the face. there is no visible dialog to create a