FriendsOfMDT / PSD

PowerShell Deployment
MIT License

Using interactive authentication in WinPE to restrict access #113

Closed JerichoJones closed 9 months ago

JerichoJones commented 9 months ago

It seems that hardcoding credentials in bootstrap works, but it's insecure. Despite setting up a group for deployment share access, booting from WinPE and logging in with a group account or the server Administrator account results in a (403) Forbidden error. What could be the issue?

Thanks!

GeoSimos commented 9 months ago

Hi @JerichoJones,

Setting the username and password details in the bootstrap.ini is used to create an automated deployment without technician action. It has always been like that; that's why the recommendation is to use a low-privilege account that has read-only access ONLY to the specified deployment share. That can't be considered insecure. Using administrative accounts for such operations, though, is not only insecure but dangerous and exploitable. If you want to be asked for user credentials, though, then leave the username and password that are used to connect to the deployment share empty. I'm sorry, but I didn't understand the group account you mentioned. Can you share more info, please?

JerichoJones commented 9 months ago

We have people on the network that should not be imaging and would break their machines. Giving out flash drives in our environment is impractical, as we image 10-100 machines concurrently on a regular basis, so I am leveraging WDS to serve WinPE (for now). I created a local group on the PSD server and granted that group modify access to the deploymentshare. When I use the provided method to authenticate in PSDWinPE, I get a forbidden error. After the error was thrown, I opened up a cmd prompt and used an authorized account to connect to the deploymentshare, which does work. Thanks for the help!

GeoSimos commented 9 months ago

Just for clarification, you can't use a group's name to authenticate, as it doesn't carry authentication credentials, thus it can't be authorized for access on the deployment share. What I have answered before will most probably suit your needs (one method or the other). One reason to use a domain account with the least privileges is that you can easily block its access if it gets compromised or misused. For a local account, that will not be easy to spot at first. One reminder: any change to the bootstrap.ini file requires a rebuild of the boot image and replacement on a WDS server to apply.
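The two recommendations above (a read-only share account in bootstrap.ini, or empty credentials so WinPE prompts) and the reminder that any bootstrap.ini change needs a boot image rebuild and WDS replacement, put together as one added PowerShell example. This is not PSD project code and not from either commenter; every path, server, domain, account, group and image name in it is a placeholder (share at D:\PSDShare published as \\PSDSERVER\PSDShare$, domain CORP, service account svc-psd-ro, reader group CORP\PSD-Deployment-Readers, MDT in its default install path, WDS boot image named "PSD Boot (x64)", boot WIM LiteTouchPE_x64.wim):

```powershell
# Added example, not PSD project code. All names below are constructed placeholders.
$DeployShare  = 'D:\PSDShare'
$BootstrapIni = Join-Path $DeployShare 'Control\Bootstrap.ini'

# Weak: an administrative account baked into the boot image. Anyone who can pull the
# boot WIM from WDS can mount it and read these lines.
$WeakBootstrap = @'
[Settings]
Priority=Default

[Default]
DeployRoot=\\PSDSERVER\PSDShare$
UserID=Administrator
UserDomain=CORP
UserPassword=placeholder-admin-password
SkipBDDWelcome=YES
'@

# Better, unattended: a dedicated account with read-only access to this share only.
$ReadOnlyBootstrap = @'
[Settings]
Priority=Default

[Default]
DeployRoot=\\PSDSERVER\PSDShare$
UserID=svc-psd-ro
UserDomain=CORP
UserPassword=placeholder-service-password
SkipBDDWelcome=YES
'@

# Better, interactive: no credentials at all, so WinPE prompts the technician and the
# technician's own group membership decides whether the share opens.
$PromptBootstrap = @'
[Settings]
Priority=Default

[Default]
DeployRoot=\\PSDSERVER\PSDShare$
SkipBDDWelcome=YES
'@

function Get-BootstrapCredentialMode {
    # Classifies the [Default] section of a Bootstrap.ini: 'Prompt' when no UserID is
    # set, 'EmbeddedAdmin' when the embedded account is the built-in Administrator,
    # otherwise 'ServiceAccount'. Useful as a pre-build check on the share.
    param([Parameter(Mandatory)][string]$IniText)
    $userId = $null
    $inDefault = $false
    foreach ($line in ($IniText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inDefault = ($Matches[1] -eq 'Default'); continue }
        if ($inDefault -and $t -match '^UserID\s*=\s*(.+)$') { $userId = $Matches[1].Trim() }
    }
    if (-not $userId) { return 'Prompt' }
    if ($userId -eq 'Administrator') { return 'EmbeddedAdmin' }
    return 'ServiceAccount'
}

# Report the mode of each variant, then refuse to ship an admin account in the boot image.
foreach ($v in 'WeakBootstrap', 'ReadOnlyBootstrap', 'PromptBootstrap') {
    "{0,-18} -> {1}" -f $v, (Get-BootstrapCredentialMode (Get-Variable $v -ValueOnly))
}
if ((Get-BootstrapCredentialMode $PromptBootstrap) -eq 'EmbeddedAdmin') { throw 'Refusing to build with an admin account in Bootstrap.ini' }

# Write the interactive variant and give the reader group read/execute on the share
# tree; imaging needs read, not modify.
Set-Content -Path $BootstrapIni -Value $PromptBootstrap -Encoding ASCII
icacls $DeployShare /grant 'CORP\PSD-Deployment-Readers:(OI)(CI)RX' /T

# Bootstrap.ini is embedded in the boot WIM, so regenerate the boot image from the
# deployment share and replace the copy that WDS serves.
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $DeployShare | Out-Null
Update-MDTDeploymentShare -Path 'DS001:' -Force

# --% stops PowerShell parsing so wdsutil receives its /switch:"value" arguments verbatim.
wdsutil --% /Verbose /Replace-Image /Image:"PSD Boot (x64)" /ImageType:Boot /Architecture:x64 /ReplacementImage /ImageFile:"D:\PSDShare\Boot\LiteTouchPE_x64.wim"
```

Run it on the deployment server as an account that can write the share and administer WDS. The pre-build check is the part worth keeping in a pipeline: it catches an administrative UserID before the WIM is rebuilt, which matters because the boot image is downloadable by any PXE client once WDS serves it.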

GeoSimos commented 9 months ago

And something that you could use is this nice tool to password-protect the task sequence: Task Sequence Password Protect: GUI for SCCM and MDT. I haven't tested it, but I don't see a reason for it not to work. At the same site, there is a PIN-based solution as well.

JerichoJones commented 9 months ago

Thanks for the response. I am securing the imaging process currently in native MDT via Windows group membership so I thought it would work the same way with PSD.

The fact that I can connect to the PSD UNC share with an account that is granted access via group membership tells me that the server is using the group for the lookup. I would expect the same behavior from IIS, but I'm not an IIS guy.

In our environment we must restrict access to the deploymentshare by user via Windows/AD auth (doing it through a group makes that easier). They should not be able to connect at all without auth.

JerichoJones commented 9 months ago

It appears to have been an issue with the server. I built a new one and auth is working as expected.