With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read / write which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords.

The default permissions on a folder are:

  • Administrators – Full Control
  • CREATOR OWNER – Full Control
  • SYSTEM – Full Control
  • Users – Read & Execute + Create file / write data + Create Folders / append data

Active Directory Groups

It is recommended to change the ACL of the Deployment Share to limit access for a selection of users. The easiest way to achieve this is to create Active Director groups. Access to the MDT Deployment Share is then maintained via Active Directory, which is managed centrally, instead of each object individually.

For example the following groups can be used:

Group name Description
MDT01_DeploymentShare_Administrators Members of this group are MDT administrators on the server “MDT01”,.
MDT01_DeploymentShare_Deploy Members of this group are allowed to execute task sequences to deploy machines (either unattended or image deployments)
MDT01_DeploymentShare_ImageCapture Members of this group are allowed to capture images

 

Permissions

Permissions on the Deployment Share can be granted to Active Directory groups, below you will find an example based on the example groups.

I’m assuming the Deployment Share is stored in the root of drive D:.

 

Block inheritance

First start with disabling inheritance to avoid permissions from parent objects to propagate to the Deployment Share folders.
Block Inheritance

The screenshot if of a Windows Server 2012 machine, but the same applies to other Windows operating systems.

 

D:\DeploymentShare
Group or user name Permission Inherited from
Administrators Full control None
SYSTEM Full control None
MDT01_DeploymentShare_Administrators Full control None
MDT01_DeploymentShare_Deploy Read & execute None
MDT01_DeploymentShare_ImageCapture Read & execute None
D:\DeploymentShare\Capture
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_ImageCapture Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare

The ImageCapture group needs sufficient privileges to create a new image capture.

 

D:\DeploymentShare\Logs
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_Deploy Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare
MDT01_DeploymentShare_ImageCapture Modify None

Both the Deploy and ImageCapture groups require write access to the log files. Without write access the deployment will fail.

 

 

Disclaimer

I’m pretty sure the permissions can be more tight then the example I provided in this article. However, it is more secure then a default installation without any modification. Feel free to provide me with detailed privileges and I’m more then happy to update the article.

 

 

 

.

6 Comments

  1. Thanks a million!! This caught us unexpectedly and was exactly what I was looking for. This way if a machine somehow boots unexpectedly into PXE, an “ordinary” user can’t reimage their machine!

  2. Is your D:\deploymentshare\capture example correct? Shouldn’t the imagecapture group have the modify rights rather than the deploy group?
    Good article though, looking at deploying MDT and being able to secure it is a pre-req

  3. this creates an unsupported configuration. so don’t follow the steps in this blog post as the author has simply guessed.

  4. Well built critisism “D” You’re a great help…
    Enough of the sarcasm…
    I like to clear the “Users” and “creator Owner” from the root. Should anybody mess with the inherritance you’ll be a little safer.

  5. Pingback: gadai bpkb mobil

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

en_USEnglish