Deployment Solutions Best Practices for PXE and Pre-boot OS Security


Article ID: 158061



Deployment Solution



Symantec Deployment Solutions depends on pre-boot operating systems to manage workstation and server systems. The pre-boot environment is delivered to target workstation and server systems via network PXE servers or through physical devices and media. This process can be exposed to malicious activity from a person who may have already breached network security, either physically or through a remote network connection, or from a malicious but authorized network user. This paper addresses these types of secondary security exposures.


The Pre-Boot Automation Process

When using Symantec Deployment Solutions to manage network computers, the targeted delivery of pre-boot operating systems is required to perform many tasks. From the Deployment Server console, DS administrators can boot a computer into a pre-boot environment to remotely create or deploy hard drive images, install or remove software, or update computer settings. As a target computer is booted through a pre-boot environment (usually either Windows PE or Linux), network drives can be mapped to provide access to the necessary files.


Possible Security Concerns

This pre-boot process can also be initiated by a user from a workstation or server computer, allowing the computer to automatically boot and map any network drives that have been pre-set by Deployment Server administrators. The computer user will then have access to information on the mapped network drives, including disk images. One possible security concern is that such a person could then upload their own arbitrary images or files, which would be distributed during normal Deployment Server operations.



Minimizing Security Concerns

The primary barrier for any security concern is always initial access to the network and network systems. The following recommendations should be followed to limit how the Deployment Solutions pre-boot automation could be used to further a network intrusion should initial security measures fail.

- During the creation of the pre-boot automation environment, a user name and password are defined to provide access to shared network directories and locations, including the Deployment Server ‘eXpress’ share point and the network location of stored image files. It is highly recommended that this user account never be a domain account. Create a single local user account on each shared network location and give this account the minimum of user rights (usually just Read/Write permissions), and only for specific directories within the share (usually the images directory and any required Temp or file directories). Note: Particular attention should be paid to the location and protection of stored images to prevent unauthorized tampering with the computer image files.
- On the Deployment Solutions management console or the Deployment Server 6.9 console, maintain task-specific user security allowing access to only specified technicians according to their roles and job requirements.
- Limit PXE services availability by utilizing MAC Address Filtering through the PXE Configuration Utility.
- Limit network communication port availability to UDP ports 67, 68, 69 and 4011, which are used in the PXE server boot process.
- To prevent the introduction of rogue PXE servers, a technique called “PXE Forced Mode” can be implemented on DHCP servers, which will designate only specific PXE servers for the PXE boot process. (Additional information on PXE Forced Mode can be found at
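
A monitoring check that complements the rogue PXE server recommendation above, added here as an example and not taken from Symantec's documentation or tooling: it parses BOOTP/DHCP replies (as seen on UDP 67, 68 and 4011) and flags any reply that advertises PXE boot data from a server outside an allowlist. The function names, the approved address 10.0.0.5 and the sample packets are constructed assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
APPROVED_PXE = {"10.0.0.5"}      # assumption: the site's sanctioned PXE server(s)

def parse_reply(pkt):
    """Return PXE-relevant fields of a BOOTP/DHCP reply, or None if not a reply."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None                                  # op 2 = BOOTREPLY
    info = {"siaddr": socket.inet_ntoa(pkt[20:24]),  # next-server address
            "file": pkt[108:236].split(b"\0", 1)[0].decode("ascii", "replace"),
            "server_id": None, "vendor": "", "opt67": ""}
    i = 240
    while i + 1 < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if code == 54 and length == 4:               # server identifier
            info["server_id"] = socket.inet_ntoa(val)
        elif code == 60:                             # vendor class ("PXEClient")
            info["vendor"] = val.decode("ascii", "replace")
        elif code == 67:                             # bootfile name option
            info["opt67"] = val.decode("ascii", "replace")
        i += 2 + length
    return info

def is_rogue_pxe(pkt, approved=APPROVED_PXE):
    """True when a reply offers PXE boot data from a server not on the allowlist."""
    info = parse_reply(pkt)
    if info is None:
        return False
    offers_boot = (info["vendor"].startswith("PXEClient")
                   or info["file"] or info["opt67"])
    source = info["server_id"] or info["siaddr"]
    return bool(offers_boot) and source not in approved

def build_reply(server_ip, bootfile=b"", vendor=b""):
    """Constructed sample packet for the demo; not captured traffic."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(4), socket.inet_aton(server_ip), bytes(4),
                      bytes(16), b"", bootfile)
    opts = b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server_ip)
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor
    return hdr + MAGIC + opts + b"\xff"
```

An ordinary DHCP offer that carries no boot file or PXE vendor class is not flagged, so the check only alerts on servers that actually try to hand out a boot image.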



Potential security concerns when using Deployment Server 6.9 and Deployment Solutions 7.x pre-boot processes can be reasonably mitigated with careful consideration of network configurations and user access controls.