O/S Deployment Thread, PXE Boot security in Technical
  1. #16
    MordyT
    Here is what we do. We have an extra flag in WDS that if it isn't greater than one it won't image. Each MAC address is in a list.

  2. #17


    Could you just disable the WDS service or the boot image(s) on the server unless you're using it?

  3. #18
    free780
    You could disable F8 in MDT boot. Require credentials in the wizard. Disable the command prompt when you click cancel. The reason why F12 isn't password protected is so users can initiate a rebuild. If using SCCM PXE, password the image and disable F8.

  4. #19

    there's a small pxe bootstrap @
    http://www.clod.pwp.blueyonder.co.uk/nbp.zip
    that you can use to access a secondary pxe nbp with a simple password.
    run the binary and save the patched nbp.0, boot this pxe (rename it to suit if need be).
    if left-alt and shift are held down at boot, it asks for a pass then boots secondary nbp,
    otherwise the default nbp is loaded.
    it was written in a hurry nearly 10 years ago for use in a school, and not touched since.
    (worked ok with zfd 4-7)

  5. #20

    I do two things.

    First, as mentioned, use a menu. I used step 2 of this to figure it out:
    deployvista.com > Home - Deploying Ubuntu 8.04.1 using WDS (Windows Deployment Services)
    (Works for 2008 R2 and Win 7)

    The second thing is to deny pupil accounts access to the MDT folder using the normal folder permissions.

    If they then get past the menu and log in to MDT, they don't have any Windows options so can't continue.

  6. #21
    steewy
    If you don't want to change the BIOS settings, simply change the rules of your MDT server. Go to the options of your deployment share. Edit Bootstrap.ini and make sure that you have something like this. If a student presses F12, the PXE will load but ask for a password to reimage. If they don't have it, the computer will restart.


    UserDomain=your domain
    UserID=Administrator
    UserPassword= leave it empty

  7. #22
    free780
    Won't stop them hitting F8 and typing diskpart, sel disk 0, clean.

  8. #23
    steewy
    True. It took me quite a while, but every time I reimage a computer I change the BIOS settings...
    After less than 3 months I managed to secure the whole school system.

  9. #24

    We had the same problem at our Academy (we've been using WDS\PXE booting for over 3 years and some clever d1ck had spotted how we did it, so we had to lock it down somehow). The easiest way I found was to open WDS, right click on the server node \Properties\PXE Response and select the following: Require administrator approval......

    WDS Properties.JPG

    You can then go to the machine that you want to reimage, select F12 and get it to PXE boot.
    Pop back onto the server console, open WDS, go to the Pending Devices node (hit refresh) and you'll see your machine there waiting to be approved. Right click, approve, and the image will continue.

    Mike

  10. 2 Thanks to DellOughta:

    MYK-IT (17th May 2013), steewy (17th May 2013)

  11. #25

    If Dell BIOS;

    Within Security set an [Administrator] password
    Ensure [Onboard NIC] is not selected as a device within [Boot Sequence]
    Ensure [Integrated NIC] is [Enabled w/PXE]

    When F12 is pressed, to boot via NIC the Administrator Password has to be entered.

    As also mentioned, you can omit the credential details/password for the Deployment Share so that an image cannot be selected.

    The next step would be ACL based on MAC addresses via RADIUS etc., but I have not gone that far yet! But it would stop users plugging in their own laptops and getting a nice new licensed image onto their own computer!
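
A check for the Bootstrap.ini advice in posts #21 and #25, as an added example that is not from any poster in this thread: it parses the file and reports every section that stores a UserPassword, so an empty result means the wizard still has to ask for the password. The server name, domain and password in the samples are constructed, and the function name is hypothetical.

```python
import configparser

# Constructed samples, not taken from any real deployment share.
PROMPTS = r"""[Settings]
Priority=Default

[Default]
DeployRoot=\\mdt01.example.test\DeploymentShare$
UserDomain=EXAMPLE
UserID=Administrator
UserPassword=
"""

STORED = PROMPTS.replace("UserPassword=", "UserPassword=Constructed-Pa55")


def audit_bootstrap(text):
    """Return one finding per section that stores a deployment-share password.

    An empty list means UserPassword is absent or blank everywhere, so the
    wizard has to ask the person at the keyboard for it.
    """
    parser = configparser.ConfigParser(
        interpolation=None,       # passwords may contain '%'
        strict=False,             # tolerate repeated keys in hand-edited files
        allow_no_value=True,      # tolerate a bare "UserPassword" line
        default_section="__unused__",  # treat [Default] as an ordinary section
    )
    parser.read_string(text)      # option names are lower-cased by default
    findings = []
    for section in parser.sections():
        value = parser.get(section, "userpassword", fallback=None) or ""
        if value.strip():
            user = parser.get(section, "userid", fallback="") or "(no UserID)"
            # Report where the secret is, never the secret itself.
            findings.append(f"[{section}] stores a password for {user}")
    return findings


if __name__ == "__main__":
    for name, sample in (("prompting", PROMPTS), ("stored", STORED)):
        print(name, audit_bootstrap(sample) or "OK: wizard will prompt")
```

Run it against the Bootstrap.ini in the deployment share and again after regenerating the boot image, since the boot image carries its own copy of the file.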
