  1. #1

    Deployment Security

    Hi Guys, just moved to WDS from Ghost and am a bit concerned that students can F12 right to drive management (and therefore delete partitions etc). The only way around this is to stop the WDS service when we're not using it, but that seems incredibly clunky. Is there an inbuilt way to secure it a bit more? Sorry if this has been asked, but I couldn't find it on the tips section.

  2. #2

    glennda

    Not sure you can according to this

    Windows Deployment Services - how to Password

    But I would go with protecting the BIOS and being prompted for password that way

  3. #3
    morganw

    The BIOS route is pretty neat if you can bring up a password protected boot menu but most motherboards won't do this, depends if you want to network boot a lot of stuff in a hurry. I'm using MDT2010 and if you don't put a password in bootstrap file it prompts for it. Depending on your DHCP setup you might find it easier to make an alternate DHCP group that does PXE booting and add/delete MAC addresses as you need to.

  4. #4

    DaveP

    I have been thinking about this too.

    Not a problem at the moment as the students are out, but the best I can come up with for term time is to stop the WDS service at the server and start it only when I need it.

    Still looking for better ideas...

  5. #5

    Don't have your MDT password entered automatically and/or use a vlan for imaging (perhaps just term time)?

  6. #6

    Out of all the threads I have read about WDS on various forums, you are the only person I have ever seen that has asked about security, so top bloke for thinking about it.

    For our current desktop setup we have Dell OptiPlex 960, which you are able to password protect when booting from anything other than the hard drive, but this doesn't help if someone forgets to set a password or when using a non-Dell machine.

    So we have the WDS server set to only accept known clients and prompt for approval for unknown clients.
    The boot image has SHIFT F10 disabled, so no access to the command prompt.
    Permissions on the images in the Reminst/deployment share are set so only the Domain Admins and a special WDS user can read them; this means no one else can see any images if they log into WDS when PXE booting.
    The special WDS user has rights only to modify certain parts of the computer object in AD and only in the OUs where our computer objects are.

    I am sure we did a few other things as well but I can't remember them off the top of my head; it's been about 4 years since we set it up.

  7. #7

    plexer

    My boot image is pxelinux; the default is to boot the hard drive, and all the other options require a password.

    Ben
    Last edited by ChrisH; 15th November 2011 at 10:36 PM.

  8. #8

    glennda

    Originally posted by plexer:
    My boot image is pxelinux; the default is to boot the hard drive, and all the other options require a password.

    Ben
    Using fog though?

  9. #9


    Originally posted by DaveP:
    Still looking for better ideas...
    WDSLinux? Since this is based on PXELinux, you can use the MASTER PASSWD or MENU PASSWD commands to password protect WDS and add other programs such as PartEd Magic too.

  10. #10

    plexer

    Originally posted by glennda:
    Using fog though?
    Nope, WDS to boot pxelinux as the boot image, and then a menu allows me to boot whatever I want: the WDS deployment image, memtest86+ ISO image, Ghost ISO, whatever I want.

    Ben
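
Added example, not part of any post in this thread: a small Python check for the kind of PXELINUX menu described above (hard drive as the default entry, everything else behind MENU PASSWD). The sample config, its file names and its password hashes are constructed placeholders; the directives are standard Syslinux menu directives.

```python
# Added example. SAMPLE_CFG is constructed: file names and hashes are placeholders.
SAMPLE_CFG = """\
DEFAULT menu.c32
NOESCAPE 1
ALLOWOPTIONS 0
MENU MASTER PASSWD $4$constructed$placeholder$
LABEL local
  MENU LABEL Boot from hard drive
  MENU DEFAULT
  LOCALBOOT 0
LABEL wds
  MENU LABEL Windows Deployment Services
  MENU PASSWD $4$constructed$placeholder$
  KERNEL pxeboot.0
LABEL memtest
  KERNEL memtest
"""
GLOBAL_KEYS = {"NOESCAPE", "ALLOWOPTIONS", "MENU MASTER PASSWD"}
HASHED = ("$1$", "$4$", "$5$", "$6$")  # hash signatures the menu system accepts

def parse_line(raw):
    """Split one config line into (DIRECTIVE, value); (None, None) if blank/comment."""
    words = raw.split()
    if not words or words[0].startswith("#"):
        return None, None
    up = [w.upper() for w in words[:3]]
    n = 1 if up[0] != "MENU" else (3 if up[1:2] == ["MASTER"] else 2)
    return " ".join(up[:n]), " ".join(words[n:])

def audit(cfg_text):
    """Return findings: entries bootable without a password, weak global settings."""
    top, labels, current = {}, {}, None
    for key, value in map(parse_line, cfg_text.splitlines()):
        if key == "LABEL":
            current = labels.setdefault(value, {})
        elif key:
            (top if current is None or key in GLOBAL_KEYS else current)[key] = value
    findings = [f"global: {k} {want} not set"
                for k, want in (("NOESCAPE", "1"), ("ALLOWOPTIONS", "0"))
                if top.get(k) != want]
    secrets = {"global": top.get("MENU MASTER PASSWD")}
    secrets.update((n, o.get("MENU PASSWD")) for n, o in labels.items()
                   if "LOCALBOOT" not in o)  # local disk boot needs no password
    for where, pw in secrets.items():
        if not pw:
            findings.append(f"{where}: no password set")
        elif not pw.startswith(HASHED):
            findings.append(f"{where}: password is clear text, readable over TFTP")
    return findings
```

On the sample, only the memtest entry is reported, because a master password does not stop an entry without its own MENU PASSWD from being booted.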

  11. #11

    DaveP

    I just went to image another room and remembered then that the admin password has to be entered before they can get to the point where they can delete partitions.

    Will still be stopping the WDS service when we are not imaging.

  12. #12

    plexer

    Originally posted by Arthur:
    That's what I have running, really simple and cool.

    Ben

  13. #13

    Feel really rude here as I thought I would get an email when people replied, so I didn't check, but I didn't so missed all the replies. Sorry and hello!

    We did have it set up (by a clever student of all people) to boot to a splash screen on F12, which needed a password. Then there were a load of options, one of which was Ghost (which we were using). Think it was called tftpd32.exe.

    But we couldn't do Win 7 on our version of Ghost, so switched to WDS. Now I'm thinking that WDS could have been run from that app, keeping it behind the security, but the config for this stuff really confuses me.

  14. #14

    plexer

    Look at the wdslinux guide linked to earlier and if you get stuck give me a shout.

    Ben

  15. #15

    Originally posted by DaveP:
    I just went to image another room and remembered then that the admin password has to be entered before they can get to the point where they can delete partitions.

    Will still be stopping the WDS service when we are not imaging.
    This isn't true. Once the boot image has loaded, all the students/staff need to do is press SHIFT F10 and they get an unrestricted command prompt, at which point all they need to type is format c: and, hey presto, one unbootable machine.
