Topic last updated—March 2008

Operating system deployment can be a convenient way to deploy your environment with the most secure operating systems and configurations. However, if an attacker can get control of your Microsoft System Center Configuration Manager 2007 site infrastructure, he could run the task sequence of his choice, including formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts with permissions to join the domain and volume licensing keys, presenting the risk of information disclosure.

Another important tenet of operating system deployment security is protecting the client authentication certificate used for bootable task sequence media and for PXE boot deployment. Capturing a client authentication certificate gives the attacker the private key to impersonate a valid client on the network.

Best Practices

Implement access controls to protect bootable media    When you create bootable media, you should always assign a password to help secure the media. However, even with a password, only files containing sensitive information are protected. You should also control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate.

If the client certificate is compromised, block the certificate    To deploy a client using bootable media and PXE service points, you must have a client authentication certificate with a private key. If that certificate is compromised, you should block the certificate under the Site Settings / Certificates / Boot Media node or PXE node.

Secure the communication channel between the site server and the PXE service point    When the PXE service point is being configured with the client authentication certificate by the site server, the certificate is vulnerable to capture on the network. Use Internet Protocol security (IPsec) or some other form of encryption between the site server and the PXE service point.

Use PXE service points only on secure network segments    When a client sends out a PXE boot request, there is no way to guarantee that the request is being serviced by a valid PXE service point. A rogue PXE service point could provide a tainted image to clients. An attacker could launch a man-in-the-middle attack against the TFTP protocol used by PXE and send malicious code with the operating system files, or she could create a rogue client to make TFTP requests directly to the PXE service point. An attacker could use a malicious client to launch a denial of service attack against the PXE service point. Use defense in depth to protect the network segments where clients will access PXE service points.

Although it is supported to configure the PXE service point in a perimeter network, it is not recommended.

Configure the PXE service point to respond to PXE requests only on specified network interfaces    Allowing the PXE service point to respond on all network interfaces could allow the PXE service point to respond to an unsecured network.

Require a password to PXE boot     Client identities have to be entered into the database so that completely unknown computers are not allowed to PXE boot. Requiring a password adds an extra level of security to the PXE boot process, which is inherently insecure.

Manually delete state migration point folders when they are decommissioned    When you remove a state migration point folder in the Configuration Manager 2007 console on the state migration point properties, the physical folder is not deleted. You must manually remove the network share and delete the folder.

Do not configure the deletion policy to delete user state immediately    If you set the deletion policy on the state migration point to remove data marked for deletion immediately, and if an attacker manages to retrieve the users state before the valid computer does, the user state data would be deleted immediately. Set the Delete after interval to be long enough to verify the successful restore of user state data.

Control physical access to computers using USB flash drives for task sequences    In an unattended installation using BitLocker to write to USB flash drives, a task sequence with the Disable BitLocker action stores the BitLocker key protectors in cleartext to allow access to the volume from Microsoft Windows PE and to disable boot integrity checking by the TPM. After this action has run, an attacker with physical access to the computer could gain access to the encrypted volume. Also, if the task sequence is using a USB flash drive, the attacker could just steal the USB drive.

Implement access controls to protect the reference computer imaging process    Ensure that the reference computer used to capture operating system images is in a secure environment with appropriate access controls so that unexpected or malicious software cannot be installed and inadvertently included in the captured image. When capturing the image, ensure that the destination network file share location is secure so that the image cannot be tampered with after it is captured.

Always install the most recent security updates on the reference computer    Starting with an up-to-date reference computer helps lessen the window of vulnerability for new computers coming online.

If you must deploy operating systems to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network    Although provisioning unknown computers can be a convenient way to bring up multiple computers on demand, it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers. Also, computers responding to PXE-initiated operating system deployment might have all data destroyed during the operating system deployment, which could result in a loss of availability of systems that are inadvertently reformatted.

Always configure task sequence advertisements to download content    Configuring to Download content locally when needed by running task sequence is more secure because Configuration Manager 2007 verifies the package hash after the task sequence is downloaded and discards the task sequences if the hash does not match the hash in the policy. If you configure the task sequences advertisement to Access content from a distribution point when needed by a running task sequence, no verification takes place and attackers can tamper with the content. If you must run the program from the distribution point, use NTFS least permissions on the packages on the distribution points and use Internet Protocol security (IPsec) to secure the channel between the client and the distribution point and between the distribution point and the site server.

Enable encryption for multicast packages    For every operating system deployment package, you have the option to enable encryption when transferring the package using multicast. Enabling encryption helps prevent rogue computers from joining the multicast session and helps prevent attackers from tampering with the transmission.

Monitor for unauthorized multicast-enabled distribution points    If attackers can gain access to your network, they can configure rogue multicast servers to spoof operating system deployment.

Privacy Information

In addition to deploying operating systems to computers with no operating system, Configuration Manager 2007 can be used to migrate users’ files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies.

The information is stored on a state migration point and is encrypted during transmission and storage. The information is allowed to be retrieved by the new computer associated with the state information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day by default. You can configure when the state migration point removes data marked for deletion. The state migration information is not stored in the site database and is not sent to Microsoft.

If you use boot media to deploy operating system images, you should always use the default option to password protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure.

Operating system deployment can use task sequences to perform many different tasks during the deployment process, including software distribution and software updates. When you configure task sequences, you should also be aware of the privacy implications of software distribution and software updates.

Configuration Manager 2007 does not implement operating system deployment by default and requires several configuration steps before you collect state information or create task sequences or boot images. Before configuring operating system deployment, consider your privacy requirements.

See Also