Not sure you can according to this
Windows Deployment Services - how to Password
But I would go with protecting the BIOS and being prompted for password that way
Hi Guys, just moved to WDS from Ghost and am a bit concerned that students can F12 right to drive management (and therefore delete partitions etc). The only way around this is to stop the WDS service when we're not using it, but that seems incredibly clunky. Is there an inbuilt way to secure it a bit more? Sorry if this has been asked, but I couldn't find it on the tips section.
The BIOS route is pretty neat if you can bring up a password protected boot menu but most motherboards won't do this, depends if you want to network boot a lot of stuff in a hurry. I'm using MDT2010 and if you don't put a password in bootstrap file it prompts for it. Depending on your DHCP setup you might find it easier to make an alternate DHCP group that does PXE booting and add/delete MAC addresses as you need to.
I have been thinking about this too.
Not a problem at the moment as the students are out, but the best I can come up with for term time is to stop the WDS service at the server and start it only when I need it.
Still looking for better ideas...
Don't have your MDT password entered automatically and/or use a VLAN for imaging (perhaps just term time)?
Out of all the threads I have read about WDS on various forums, you are the only person I have ever seen that has asked about security, so top bloke for thinking about it.
For our current desktop setup we have Dell OptiPlex 960s, which you are able to password protect when booting from anything other than the hard drive. But this doesn't help if someone forgets to set a password or when using a non-Dell machine.
So we have the WDS server set to only accept known clients and prompt for approval for unknown clients.
The boot image has SHIFT F10 disabled, so no access to the command prompt.
Permissions on the images in the Reminst/deployment share are set so only the Domain admins and a special wds user can read them; this means no one else can see any images if they log into WDS when PXE booting.
The special wds user has rights only to modify certain parts of the computer object in AD, and only in the OUs where our computer objects are.
I am sure we did a few other things as well, but I can't remember them off the top of my head; it's been about 4 years since we set it up.
My boot image is pxelinux; default is to boot hard drive, all the other options require a password.
Last edited by ChrisH; 15th November 2011 at 11:36 PM.
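The check below is an added example, not part of the thread or any poster's configuration: it audits a pxelinux menu file for the setup described in the post above (default entry boots the hard drive, every other entry requires a password). The sample file, label names and hash are constructed, and the way the default entry is resolved is an assumption noted in the code.

```python
# Constructed sample pxelinux.cfg/default; labels, file names and hash are made up.
SAMPLE = """\
DEFAULT menu.c32
LABEL local
  MENU DEFAULT
  LOCALBOOT 0
LABEL wds
  MENU PASSWD $4$CONSTRUCTED$placeholderhash$
  KERNEL pxeboot.0
LABEL memtest
  KERNEL memtest
LABEL ghost
  MENU PASSWD letmein
  KERNEL ghost.0
"""

def parse_labels(text):
    """Return (top-level DEFAULT argument, {label: [(directive, argument), ...]})."""
    top_default, labels, current = None, {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "LABEL":
            current = labels.setdefault(arg, [])
        elif current is not None:
            current.append((key, arg))
        elif key == "DEFAULT":
            top_default = arg
    return top_default, labels

def audit(text):
    top_default, labels = parse_labels(text)
    marked = [n for n, d in labels.items() if any(k == "MENU" and a.upper() == "DEFAULT" for k, a in d)]
    # Assumption: MENU DEFAULT wins, then a top-level DEFAULT naming a label, then the first label.
    default = marked[0] if marked else top_default if top_default in labels else next(iter(labels), None)
    local_ok = default is not None and any(k == "LOCALBOOT" for k, _ in labels[default])
    findings = [] if local_ok else [f"default entry {default!r} does not boot the local disk"]
    for name, directives in labels.items():
        if name == default:
            continue
        pw = [a.split(None, 1)[1] for k, a in directives if k == "MENU" and a.upper().startswith("PASSWD ")]
        if not pw:
            findings.append(f"{name}: no MENU PASSWD")
        elif not pw[0].startswith("$"):
            findings.append(f"{name}: MENU PASSWD is plaintext")  # config is served over TFTP
    return findings

print("\n".join(audit(SAMPLE)) or "ok")
```

A hashed value (one starting with `$`) is preferable to plaintext because any client on the network can fetch the menu file over TFTP.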
I just went to image another room and remembered then that the admin password has to be entered before they can get to the point where they can delete partitions.
Will still be stopping the WDS service when we are not imaging.
Feel really rude here as I thought I would get an email when people replied, so I didn't check, but I didn't, so missed all the replies. Sorry and hello!
We did have it set up (by a clever student of all people) to boot to a splash screen on F12, which needed a password. Then there were a load of options, one of which was Ghost (which we were using). Think it was called tftpd32.exe.
But we couldn't do Win 7 on our version of Ghost, so switched to WDS. Now I'm thinking that WDS could have been run from that app, keeping it behind the security, but the config for this stuff really confuses me.
Look at the wdslinux guide linked to earlier and if you get stuck give me a shout.