Securing the REIMNST share using Windows Deployment Services

sschmidlap Member Posts: 45
I have implemented WDS running on a Server 2003 R2 domain controller. It is running in mixed mode. Securing images was simple with RIS. Just remove Everyone and Authenticated Users from the share permissions and leave Read permissions for Domain Admins and Domain Computers. This prevents users from browsing the network and copying the answer files and image files.

Unfortunately, with WDS, I have discovered this won't work. All my experiments and research have shown that Authenticated Users MUST be granted Read access in order to select an OS image and install it. Even though I specifically granted Read to Administrator/Administrators/Domain Admins/Domain Computers, when I PXE boot and log into the WDS server as a domain administrator I get the message "error communicating with WDS server". As soon as I give Authenticated Users read share permission it works again.

As a result, all the image files, answer files, and the XP CD source files are open for anyone on the network to copy to their local machines. Surely there is a way to secure this? I would like to hear how others have addressed this glaring security issue. Thank you.

Comments

  • sschmidlap Member Posts: 45
    I suppose I could hide the share using $, but that's not securing it. I don't want to assume people can't eventually figure it out and find it. Hiding the share won't stop people from browsing the share and copying files if they still have read permission, right?
  • sschmidlap Member Posts: 45
    What the heck, people? Have I been blackballed or what? Starting to develop a complex here. Surely, there is SOMEBODY that has experienced or dealt with this issue, no? Maybe I should find a security forum? If nothing else, can somebody point me in a better direction for finding like-minded people with the same concerns? Hey, if I posted in the wrong place, just tell me. Thank you.
  • Claymoore Member Posts: 1,637
    I just hide the share with a $. What are you worried about them copying? WTF are they really going to do with your WIM file?

    If you are worried about them reading the domain join password in an unattend file, then you need to secure that account. Create an account that only has rights to join workstations to a domain and remove the account's right to log on locally. If that password is compromised, all they can do is join workstations, and any user can join 10 workstations by default anyway.

    Are you worried about them getting the local Administrator password? Change the local admin password using Group Policy Preferences after they join the domain.
    Top 5 Security Settings in Group Policy for Windows Server 2008

    Are you afraid that they will bring in their personal laptop and re-image it using your corporate image? Set PXE to respond only to known client computers.
    PXE Response Tab

    If you are still just worried, I suggest increasing your medication level.
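    Claymoore's advice boils down to: if Authenticated Users must be able to read the share, make sure nothing in it is worth copying. The PowerShell below is an added audit example (not code from this thread or from WDS) that walks the RemoteInstall folder, lists answer files that still embed a Password or AdministratorPassword value, and shows which broad groups hold NTFS read on each one; the path D:\RemoteInstall and the list of "broad" principals are assumptions to adjust for your server.

    ```powershell
    # Added audit example, not code from the thread or from WDS itself.
    # Lists answer files under the RemoteInstall root that still embed passwords
    # and reports which broad groups hold NTFS read access on them.
    # $Root is an assumed path; point it at the folder behind your REMINST share.
    param([string]$Root = 'D:\RemoteInstall')

    # Principals whose read access effectively means "anyone on the network".
    $BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $ReadBits = [System.Security.AccessControl.FileSystemRights]::ReadData

    function Get-BroadReaders([string]$Path) {
        # Inherited ACEs are included, so a permissive parent folder shows up here too.
        (Get-Acl -Path $Path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $_.IdentityReference.Value -and
                (($_.FileSystemRights -band $ReadBits) -ne 0)
            } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }

    function Get-EmbeddedPasswordCount([string]$Path) {
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($Path) } catch { return 0 }   # not XML or malformed: skip
        # Unattend elements that carry secrets, matched regardless of namespace:
        # Credentials/Password (domain join), AdministratorPassword, LocalAccount/Password, AutoLogon/Password.
        # Values "hidden" by WSIM are only base64 of password + "Password", so they are counted as well.
        $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
        return @($nodes | Where-Object { $_.InnerText.Trim() -ne '' }).Count
    }

    Get-ChildItem -Path $Root -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $count = Get-EmbeddedPasswordCount $_.FullName
            if ($count -gt 0) {
                New-Object PSObject -Property @{
                    File         = $_.FullName
                    Secrets      = $count
                    BroadReaders = (Get-BroadReaders $_.FullName) -join ', '
                }
            }
        } | Format-Table File, Secrets, BroadReaders -AutoSize
    ```

    Any file listed with a non-empty BroadReaders column is readable by every domain user through the share, so its credentials should be moved out of the answer file or the account scoped down as described above.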
  • earweed Member Posts: 5,192
    sschmidlap wrote: »
    What the heck, people? Have I been blackballed or what? Starting to develop a complex here. Surely, there is SOMEBODY that has experienced or dealt with this issue, no? Maybe I should find a security forum? If nothing else, can somebody point me in a better direction for finding like-minded people with the same concerns? Hey, if I posted in the wrong place, just tell me. Thank you.
    You've now heard from the TE resident expert on darn near anything (maybe not Cisco, though)
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • sschmidlap Member Posts: 45
    Hey guys. Thanks for the feedback, smart aleck remarks and all. Not sure why you had to be such assholes about it, but you gave me some food for thought. Will look further now into taking care of what Microsoft should have done on their own. Thank you!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    sschmidlap wrote: »
    Hey guys. Thanks for the feedback, smart aleck remarks and all. Not sure why you had to be such assholes about it, but you gave me some food for thought. Will look further now into taking care of what Microsoft should have done on their own. Thank you!

    Why are you so angry man?