O/S Deployment Thread, PXE Boot security in Technical; This is probably a really silly question and the answer is staring me in the face but here goes ; ...
  1. #1

    fiza's Avatar

    PXE Boot security

    This is probably a really silly question and the answer is staring me in the face, but here goes:

    Just got MDT working and using WDS PXE boot to get the clients to network boot. I have set it so that I have to press F12 on the client to get it to PXE boot. Once the machine is built what do you do about the PXE boot and the F12 option? What is to stop students pressing F12 on boot up? Is there a way to secure the PXE boot so only authorised people can use it?
    Is there a tick box somewhere which would require a password to be input before it goes off looking for the server?

  2. #2

    Norphy's Avatar
    I don't know about MDT so much but with raw WDS, you can put an ACL on the operating system that you're deploying so that only certain users can see it. With SCCM, you can put a password on the Windows PE Image itself so that while you can boot it, you won't be able to deploy anything without the password. I'd be surprised if there isn't something similar in MDT!

  3. #3

    FN-GM's Avatar
    Set up your BIOS on your machines so it requires a password to network boot.

    Can be done on Toshiba, Dell, HP, Intel motherboards etc. Can be done on loads of them.

  4. 2 Thanks to FN-GM:

    fiza (3rd May 2013), speckytecky (12th May 2013)

  5. #4

    fiza's Avatar
    Quote Originally Posted by FN-GM View Post
    Set up your BIOS on your machines so it requires a password to network boot.

    Can be done on Toshiba, Dell, HP, Intel motherboards etc. Can be done on loads of them.
    Just looking in the BIOS and the only passwords I can find are System and Administrator. Don't want to set System as that asks for a password on every boot. I have set the Administrator one but it seems to still be able to get into the PXE boot.

    It's a Dell Optiplex 760. Any ideas how to set it so it asks for a password before initiating PXE boot?

  6. #5
    ChrisH's Avatar
    Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.

  7. Thanks to ChrisH from:

    plexer (3rd May 2013)

  8. #6

    fiza's Avatar
    Quote Originally Posted by ChrisH View Post
    Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.
    I've got 450 machines to image. I need something simple to stop students using F12 once we are done.

  9. #7

    X-13's Avatar
    I just turn off PxE boot when I'm done...

  10. #8

    fiza's Avatar
    Quote Originally Posted by X-13 View Post
    I just turn off PxE boot when I'm done...
    Yep, I did think of that, but what about the odd occasion when we need to reimage a machine or 2 and have to enable PXE boot? Students could then press F12 whilst they are booting.

  11. #9

    X-13's Avatar
    Quote Originally Posted by fiza View Post
    Yep, I did think of that, but what about the odd occasion when we need to reimage a machine or 2 and have to enable PXE boot? Students could then press F12 whilst they are booting.
    Ours have the option to select a one-time boot option in the BIOS. I just pop in and use PxE as and when I need it.

    It makes the computers boot faster.

  12. Thanks to X-13 from:

    fiza (3rd May 2013)

  13. #10

    fiza's Avatar
    Quote Originally Posted by X-13 View Post
    Ours have the option to select a one-time boot option in the BIOS. I just pop in and use PxE as and when I need it.

    It makes the computers boot faster.
    Good point

  14. #11

    X-13's Avatar
    Quote Originally Posted by fiza View Post
    Good point
    A phrase very rarely heard in response to one of my posts...

  15. #12

    plexer's Avatar
    Quote Originally Posted by fiza View Post
    I've got 450 machines to image. I need something simple to stop students using F12 once we are done.
    We also boot into PXE Linux and display a menu. The default option is to boot the hard drive, which it does after a short delay; otherwise the other boot options (Windows deployment, memtest86+, etc.) all require a password to access them.

    Ben

  16. #13

    fiza's Avatar
    Quote Originally Posted by X-13 View Post
    A phrase very rarely heard in response to one of my posts...
    Another valid point

  17. #14
    ChrisH's Avatar
    WDSLINUX - Syslinux Wiki. You're only replacing a few files; it's worth the effort. The only thing was I had to use a Linux machine to produce the password hash for the menus.

  18. #15
    Duke5A's Avatar
    Quote Originally Posted by ChrisH View Post
    Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.
    This is the route I took with WDS; PXE Linux gets passed out first and WDS is an option in its menu along with various other utilities. Getting it all set up is a PITA though. It was easier with WDS on 2003 and 2008 since the boot program could be changed in the management snap-in, but starting with 2008 R2 it needs to be done at the command line. Even though you can use an ACL to stop the kids from being able to deploy images in WDS, they can still boot the PE images I have in the list and access command lines. PXE Linux at least enables me to put the WDS option behind a password.
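
A sketch of the PXELINUX menu that ChrisH, plexer and Duke5A describe: hard-disk boot as the timed default, with WDS and memtest86+ behind passwords. This is an added example, not a configuration posted by anyone in the thread; the file names `pxeboot.0` and `memtest` and the hash placeholders are assumptions.

```conf
# pxelinux.cfg/default (constructed example)

# Load the Syslinux menu module instead of the bare boot: prompt
UI menu.c32
# Never fall back to the boot: prompt
PROMPT 0
# Ignore the Shift/Alt/Caps Lock/Scroll Lock escapes to the prompt
NOESCAPE 1
# Do not accept user-supplied command-line arguments
ALLOWOPTIONS 0
# Units are 1/10 s: the default entry boots after 5 seconds
TIMEOUT 50

MENU TITLE Network boot
# Master password: required for [Tab] and [Esc], and accepted on
# every protected entry. <master-hash> is a placeholder for a hash
# produced on a Linux machine, e.g. with the md5pass or sha1pass
# scripts shipped with Syslinux.
MENU MASTER PASSWD <master-hash>

# Unprotected default: students who press F12 land here
LABEL local
  MENU LABEL Boot from hard disk
  MENU DEFAULT
  LOCALBOOT 0

# Assumed name for the WDS network boot program in the TFTP root
LABEL wds
  MENU LABEL Windows Deployment Services
  MENU PASSWD <deploy-hash>
  KERNEL pxeboot.0

# Assumed file name for the memtest86+ image
LABEL memtest
  MENU LABEL memtest86+
  MENU PASSWD <deploy-hash>
  KERNEL memtest
```

The menu file is served over TFTP without authentication, so anyone on the network segment can read the hashes; use long passwords and treat the menu as a barrier against casual use rather than a substitute for the WDS ACLs mentioned above.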


