{"id":6096,"date":"2013-12-19T09:00:17","date_gmt":"2013-12-19T08:00:17","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=6096"},"modified":"2015-05-28T20:58:43","modified_gmt":"2015-05-28T18:58:43","slug":"mdt-secure-deployment-share","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/mdt-secure-deployment-share\/","title":{"rendered":"MDT: Secure the Deployment Share"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; margin: 0px 0px 0px 5px; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/12\/Access-Denied.jpg\" alt=\"\" width=\"150\" height=\"161\" align=\"right\" border=\"0\" \/>With a default installation of <a href=\"https:\/\/technet.microsoft.com\/en-US\/windows\/dn475741.aspx\" target=\"_blank\">Microsoft Deployment Toolkit<\/a> (MDT) the Deployment Share is not secure. All users are allowed to read \/ write, which makes it vulnerable to unauthorized access and possibly exposes (installation) passwords stored in the share.<\/p>\n<p>The default permissions on a folder are:<\/p>\n<ul>\n<li><strong>Administrators<\/strong> &#8211; Full Control<\/li>\n<li><strong>CREATOR OWNER<\/strong> &#8211; Full Control<\/li>\n<li><strong>SYSTEM<\/strong> &#8211; Full Control<\/li>\n<li><strong>Users<\/strong> &#8211; Read &amp; Execute + Create file \/ write data + Create Folders \/ append data<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h1>Active Directory Groups<\/h1>\n<p>It is recommended to change the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Access_control_list\" target=\"_blank\">ACL<\/a> of the Deployment Share to limit access to a selection of users. The easiest way to achieve this is to create Active Directory groups. 
Access to the MDT Deployment Share is then maintained via Active Directory, which is managed centrally, instead of on each object individually.<\/p>\n<p>For example, the following groups can be used:<\/p>\n<table style=\"width: 596px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"236\"><strong>Group name<\/strong><\/td>\n<td valign=\"top\" width=\"358\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"240\">MDT01_DeploymentShare_Administrators<\/td>\n<td valign=\"top\" width=\"355\">Members of this group are MDT administrators on the server \u201cMDT01\u201d.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"243\">MDT01_DeploymentShare_Deploy<\/td>\n<td valign=\"top\" width=\"352\">Members of this group are allowed to execute task sequences to deploy machines (either unattended or image deployments).<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"246\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"350\">Members of this group are allowed to capture images.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1>Permissions<\/h1>\n<p>Permissions on the <strong>Deployment Share<\/strong> can be granted to Active Directory <strong>groups<\/strong>; below you will find an example based on the groups defined above.<\/p>\n<p><em>I\u2019m assuming the Deployment Share is stored in the root of drive D:.<\/em><\/p>\n<h6>Block inheritance<\/h6>\n<p>First disable <strong>inheritance<\/strong> so that permissions from parent objects do not propagate to the Deployment Share folders. 
<br clear=\"all\" \/><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/12\/Block-Inheritance.png\"><img loading=\"lazy\" decoding=\"async\" style=\"border-width: 0px; padding-top: 0px; padding-right: 0px; padding-left: 0px; display: inline; background-image: none;\" title=\"Block Inheritance\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/12\/Block-Inheritance_thumb.png\" alt=\"Block Inheritance\" width=\"354\" height=\"191\" border=\"0\" \/><\/a><\/p>\n<p><em>The screenshot is of a Windows Server 2012 machine, but the same applies to other Windows operating systems.<\/em><\/p>\n<h6>D:\\DeploymentShare<\/h6>\n<table style=\"width: 596px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"239\"><strong>Group or user name<\/strong><\/td>\n<td valign=\"top\" width=\"105\"><strong>Permission<\/strong><\/td>\n<td valign=\"top\" width=\"250\"><strong>Inherited from<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">SYSTEM<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Deploy<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>D:\\DeploymentShare\\Capture<\/h6>\n<table style=\"width: 596px;\" 
border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"239\"><strong>Group or user name<\/strong><\/td>\n<td valign=\"top\" width=\"105\"><strong>Permission<\/strong><\/td>\n<td valign=\"top\" width=\"250\"><strong>Inherited from<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">SYSTEM<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Deploy<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"105\">Modify<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The <em>ImageCapture <\/em>group needs sufficient privileges to create a new image capture.<\/p>\n<p>&nbsp;<\/p>\n<h6>D:\\DeploymentShare\\Logs<\/h6>\n<table style=\"width: 596px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"239\"><strong>Group or user name<\/strong><\/td>\n<td valign=\"top\" width=\"105\"><strong>Permission<\/strong><\/td>\n<td valign=\"top\" width=\"250\"><strong>Inherited from<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" 
width=\"239\">Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">SYSTEM<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Administrators<\/td>\n<td valign=\"top\" width=\"105\">Full control<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Deploy<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_Deploy<\/td>\n<td valign=\"top\" width=\"105\">Modify<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"105\">Read &amp; execute<\/td>\n<td valign=\"top\" width=\"250\">D:\\DeploymentShare<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"239\">MDT01_DeploymentShare_ImageCapture<\/td>\n<td valign=\"top\" width=\"105\">Modify<\/td>\n<td valign=\"top\" width=\"250\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Both the Deploy and ImageCapture groups require write access to the log files. Without write access the deployment will fail.<\/p>\n<h1>Disclaimer<\/h1>\n<p>I\u2019m pretty sure the permissions can be tightened further than the example I provided in this article. However, it is more secure than a default installation without any modification. 
Feel free to provide me with detailed privileges and I\u2019m more than happy to update the article.<\/p>","protected":false},"excerpt":{"rendered":"<p>With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read \/ write which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords. The default permissions on a folder are: Administrators &#8211; Full Control CREATOR OWNER &#8211; Full Control SYSTEM &#8211; [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[619],"tags":[625,675,626],"class_list":["post-6096","post","type-post","status-publish","format-standard","hentry","category-mdt","tag-deployment-share","tag-mdt","tag-permissions"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/6096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=6096"}],"version-history":[{"count":5,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/6096\/revisions"}],"predecessor-version":[{"id":6954,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/6096\/revisions\/6954"}],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/e
n\/wp-json\/wp\/v2\/media?parent=6096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=6096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=6096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}