O/S Deployment Thread, PXE Boot security in Technical
  1. #1

    fiza

    PXE Boot security

    This is probably a really silly question and the answer is staring me in the face, but here goes:

    Just got MDT working and using WDS PXE boot to get the clients to network boot. I have set it so that I have to press F12 on the client to get it to PXE boot. Once the machine is built what do you do about the PXE boot and the F12 option? What is to stop students pressing F12 on boot up? Is there a way to secure the PXE boot so only authorised people can use it?
    Is there a tick box somewhere which would require a password to be input before it goes off looking for the server?

  2. #2
    Norphy
    I don't know about MDT so much but with raw WDS, you can put an ACL on the operating system that you're deploying so that only certain users can see it. With SCCM, you can put a password on the Windows PE Image itself so that while you can boot it, you won't be able to deploy anything without the password. I'd be surprised if there isn't something similar in MDT!

  3. #3

    FN-GM
    Set up your BIOS on your machines so it requires a password to network boot.

    Can be done on Toshiba, Dell, HP, Intel motherboards etc. Can be done on loads of them.

  4. 2 Thanks to FN-GM:

    fiza (3rd May 2013), speckytecky (12th May 2013)

  5. #4

    fiza
    Quote, originally posted by FN-GM:
        Set up your BIOS on your machines so it requires a password to network boot.

        Can be done on Toshiba, Dell, HP, Intel motherboards etc. Can be done on loads of them.

    Just looking in the BIOS and the only passwords I can find are System and Administrator. Don't want to set system as that asks for a password on every boot. I have set the Administrator one but it seems to still be able to get into the PXE boot.

    It's a Dell Optiplex 760. Any ideas how to set it so it asks for a password before initiating PXE boot?

  6. #5
    ChrisH
    Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.

  7. Thanks to ChrisH from:

    plexer (3rd May 2013)

  8. #6

    fiza
    Quote, originally posted by ChrisH:
        Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.

    I've got 450 machines to image. I need something simple to stop students using F12 once we are done.

  9. #7

    X-13
    I just turn off PXE boot when I'm done...

  10. #8

    fiza
    Quote, originally posted by X-13:
        I just turn off PXE boot when I'm done...

    Yep, I did think of that, but what about the odd occasion when we need to reimage a machine or 2 and have to enable PXE boot? Students could then press F12 whilst they are booting.

  11. #9

    X-13
    Quote, originally posted by fiza:
        Yep, I did think of that, but what about the odd occasion when we need to reimage a machine or 2 and have to enable PXE boot? Students could then press F12 whilst they are booting.

    Ours have the option to select a one-time boot option in the BIOS. I just pop in and use PXE as and when I need it.

    It makes the computers boot faster.

  12. Thanks to X-13 from:

    fiza (3rd May 2013)

  13. #10

    fiza
    Quote, originally posted by X-13:
        Ours have the option to select a one-time boot option in the BIOS. I just pop in and use PXE as and when I need it.

        It makes the computers boot faster.

    Good point

  14. #11

    X-13
    Quote, originally posted by fiza:
        Good point

    A phrase very rarely heard in response to one of my posts...

  15. #12

    plexer
    Quote, originally posted by fiza:
        I've got 450 machines to image. I need something simple to stop students using F12 once we are done.

    We also boot into PXE Linux and display a menu. The default option is to boot the hard drive, which it does after a short delay; otherwise the other boot options (Windows deployment, memtest86+ etc.) all require a password to access them.

    Ben

  16. #13

    fiza
    Quote, originally posted by X-13:
        A phrase very rarely heard in response to one of my posts...

    Another valid point

  17. #14
    ChrisH
    WDSLINUX - Syslinux Wiki. You're only replacing a few files; it's worth the effort. The only thing was I had to use a Linux machine to produce the password hash for the menus.

  18. #15
    Duke5A
    Quote, originally posted by ChrisH:
        Replace the standard boot loader with a PXE linux one or similar. We have a full menu of applications such as memtest, DBAN and WDS and all need a password, once selected.

    This is the route I took with WDS; PXE Linux gets passed out first and WDS is an option in its menu along with various other utilities. Getting it all set up is a PITA though. It was easier with WDS on 2003 and 2008 since the boot program could be changed in the management snap-in, but starting with 2008 R2 it needs to be done at the command line. Even though you can use an ACL to stop the kids from being able to deploy images in WDS, they can still boot the PE images I have in the list and access command lines. PXE Linux at least enables me to put the WDS option behind a password.
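
Several replies above describe a PXELINUX menu that boots the hard disk by default and puts WDS and the utilities behind a password. The check below is an added example, not configuration or code from any poster: it audits a constructed `pxelinux.cfg/default` for entries that lack `MENU PASSWD` and for the global `NOESCAPE` and `ALLOWOPTIONS` settings. The file names (`pxeboot.0`, `memtest`), the hash placeholder and the heuristic that a `MENU PASSWD` value not starting with `$` is plaintext are assumptions.

```python
# Constructed sample; file names and hash are placeholders, memtest lacks a password.
SAMPLE_CFG = """\
DEFAULT menu.c32
PROMPT 0
NOESCAPE 1
ALLOWOPTIONS 0
TIMEOUT 50
LABEL local
  MENU DEFAULT
  LOCALBOOT 0
LABEL wds
  MENU PASSWD $6$CONSTRUCTEDSALT$PLACEHOLDER-HASH
  KERNEL pxeboot.0
LABEL memtest
  KERNEL memtest
"""

def audit(cfg):
    """Return findings for a PXELINUX menu config (empty list = OK)."""
    settings, entries, current = {}, {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].upper()
        if key == "LABEL" and len(words) > 1:
            current = entries.setdefault(words[1], [])
        elif current is None:
            settings[key] = words[1:]      # global directive
        else:
            current.append(words)          # directive inside a LABEL block
    findings = []
    if settings.get("NOESCAPE") != ["1"]:
        findings.append("NOESCAPE 1 not set: Shift/Alt escape keys honoured")
    if settings.get("ALLOWOPTIONS") != ["0"]:
        findings.append("ALLOWOPTIONS 0 not set: boot options can be typed in")
    for name, lines in entries.items():
        if any(w[0].upper() == "LOCALBOOT" for w in lines):
            continue                       # local disk boot needs no password
        pw = [w[2] for w in lines if len(w) > 2
              and [x.upper() for x in w[:2]] == ["MENU", "PASSWD"]]
        if not pw:
            findings.append(f"{name}: no MENU PASSWD")
        elif not pw[0].startswith("$"):
            findings.append(f"{name}: MENU PASSWD is plaintext, not a hash")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

The config is fetched over TFTP without authentication, so the check treats a plaintext `MENU PASSWD` as a finding as well as a missing one.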
