6.0 Performing the Management Service Installation

The Management Service should be installed on a secure server behind the firewall, and it cannot share the same server as the Policy Distribution Service (with the exception of a single server installation, see Section 3.0, Performing a Single-Server Installation). The Management Service should not be installed outside the network firewall, for security reasons. After the server is selected, note the server name, both the NETBIOS and Fully Qualified Domain Name (FQDN). Deployment of the Management Service on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.

NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.

To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:

For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:

  • IISHelp

  • IISAdmin

  • Scripts

  • Printers

We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.

Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.

Ensure that the following prerequisites are in place prior to beginning the installation: