The Security Munger

The Security Munger runs more frequently when a change to the registry occurs through Client Component Installation Manager (CCIM). This does not mean every registry change on the client registry, but rather every SMS-related registry change pushed down to the client through CCIM.

The Security Munger is responsible for managing all client-side security settings. You configure these settings in the first four tabs (General, Security, Policy, and Notification) of the Remote Tools Client Agent Properties dialog box. This includes lock-down mode (which prevents clients from changing their settings), the Windows NT Permitted Viewers list, all visual and audible indicators, request for permission dialog boxes, and the level of Remote Control allowed for each client in the site.

The Security Munger places values from either the Combined Sites or User Settings registry keys into the base Remote Control registry key, from which the client-side Remote Control Agent operates (for more information, see “Registry Keys and Client Settings”).

In its simplest state, the Security Munger passes settings from the Combined Sites registry key into the base Remote Control key and confirms that no additional transactions need to take place (that is, no new setting changes have been passed down from a site administrator).

In its more complex state, the Security Munger determines that new values have been passed down from at least one of the sites of which the client is a member. It then initiates a reconciliation of all settings across the multiple sites. The reconciliation is a set of AND and OR comparisons to determine the most secure combinations of settings from multiple sites.

For example, site ABC might dictate that the user must grant permission before an administrator can take remote control of a client. Site XYZ has no such requirement. The Security Munger must resolve this difference in security settings. In this case, the Security Munger will reconcile the conflicting requirements to the most secure setting. The client’s Combined Sites key will reflect the change to Permission Required as being enabled for the client.

Similarly, if a client is a member of 10 sites, all but one of which permit File Transfer to the client, File Transfer will not be permitted on the client. Although the majority dictates File Transfer should be allowed, the Security Munger reconciles the conflicting settings in favor of the most secure policy.
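
The reconciliation described above can be modeled as follows. This is an added example, not code from SMS: the setting names, the split into restrictive (OR) and permissive (AND) settings, and the rule that an unspecified setting takes its most secure value are assumptions made for illustration, and the site data is constructed to mirror the two cases in the text.

```python
# Added illustration: models the "most secure wins" reconciliation described
# above. Setting names and the classification below are assumptions for the
# example, not the SMS registry value names.

# Settings where "enabled" restricts the administrator: OR across sites.
RESTRICTIVE = {"PermissionRequired"}
# Settings where "enabled" grants a capability: AND across sites.
PERMISSIVE = {"FileTransfer", "AllowChat"}


def reconcile(sites):
    """Return the combined settings for a client that belongs to `sites`.

    `sites` maps a site code to a dict of boolean settings. A setting a site
    does not specify is treated as its most secure value (assumption).
    """
    if not sites:
        raise ValueError("client is not a member of any site")
    combined = {}
    for name in RESTRICTIVE:
        # One site demanding the restriction is enough to enforce it.
        combined[name] = any(s.get(name, True) for s in sites.values())
    for name in PERMISSIVE:
        # Every site must grant the capability before the client allows it.
        combined[name] = all(s.get(name, False) for s in sites.values())
    return combined


def dissenting_sites(sites, name):
    """List the site codes whose value forced the secure result for `name`."""
    secure_value = name in RESTRICTIVE  # True if restrictive, False if permissive
    return sorted(code for code, s in sites.items()
                  if s.get(name, secure_value) == secure_value)


# Constructed sample data mirroring the two examples in the text.
TWO_SITES = {
    "ABC": {"PermissionRequired": True, "FileTransfer": True, "AllowChat": True},
    "XYZ": {"PermissionRequired": False, "FileTransfer": True, "AllowChat": True},
}
TEN_SITES = {f"S{i:02d}": {"PermissionRequired": False, "FileTransfer": True,
                           "AllowChat": True} for i in range(1, 11)}
TEN_SITES["S07"]["FileTransfer"] = False  # the single site that forbids it

if __name__ == "__main__":
    print(reconcile(TWO_SITES))
    print(reconcile(TEN_SITES), dissenting_sites(TEN_SITES, "FileTransfer"))
```

The dissenting_sites helper is useful when auditing why a client ended up more locked down than a given site's administrator expected.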


Tip   To run the Security Munger manually, run

%Windir%\MS\SMS\Clicomp\Remctrl\Rcclicfg

from the command line or from Windows Explorer. If site-wide changes do not seem to take effect, reset the Last Changed At value in the client registry for each site whose settings you want to refresh. For example, examine the

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control\Combined Sites\<Site_code>

registry node and reset the Last Changed At value to 0. Run the Security Munger again. A Last Changed At value of 0 will force a full security reconciliation to take place.



Note   The Security Munger performs an additional function for Japanese Remote Control clients. Every time the Security Munger runs on a Japanese Windows NT client, regardless of the operating system version, it runs an added check to determine whether an Input Method Editor (IME) is installed (the result is reported to the Remctrl.log). This “IME check” logic checks the computer system, the operating system, the Japanese code page, and the default language for JAPANESE (00000411). If JAPANESE is found, it checks the version of the MSime97d.dll file in the System32 directory. (If the language is not JAPANESE or if the MSime97d.dll file is missing from the System32 directory, the only action taken is the creation of log file entries.) If the version of the MSime97d.dll file is 5.03, the Allow Chat registry value is unilaterally set to 0 (not allowed), regardless of the site-wide settings on the SMS site.