unattendedxml Posted August 11, 2011 Posted August 11, 2011 Hi,when deploying Windows 2008 R2 through WDS, a unattend.xml file is left. This exposes login to the WDS server: <component name="Microsoft-Windows-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86"> <WindowsDeploymentServices> <Login> <WillShowUI>Never</WillShowUI> <Credentials> <Username>Administrator</Username> <Domain>domain.local</Domain> <Password>password</Password> </Credentials> </Login> <ImageSelection> <InstallImage> <ImageName>win7</ImageName> <ImageGroup>win7</ImageGroup> <Filename>win7std.wim</Filename> </InstallImage> <WillShowUI>Never</WillShowUI> <InstallTo> <DiskID>0</DiskID> <PartitionID>1</PartitionID> </InstallTo> </ImageSelection> </WindowsDeploymentServices>Is there an option to hide the WDS server login info?Does the login info have to be an administrator of the WDS server/domain?Even after deleting the unattend.xml in C:\Windows\Panther\ I do not trust the login info to be safe
Tripredacus Posted August 11, 2011 Posted August 11, 2011 The user account only needs to have read permissions to the server. I know this is also a concern for internal use but while I leave no trace of a username/password on the system you cannot ever be too careful. Even in an enterprise environment, you don't want any curious employees logging in and start clicking buttons.... so here is what I do.I create an account in AD, and leave it assigned to the Users group. Of course make a password.Then give it read permissions on any file share or the Reminst folder. It doesn't need anything else.This way if people get the password it won't matter because that account can't do anything, and it can only access the deployment shares you specify. You NEVER need the Domain Admin account for anything. Work with users and OUs to handle anything you need to do. Create an account that can only do Domain Joins, create one that can only be used for RDP, etc.Otherwise, you can try using a FirstLogonCmds that deletes that XML file.
unattendedxml Posted August 13, 2011 Author Posted August 13, 2011 Thank you - I have created a user with access to only this share. It works. I find this user/password in the XML file to be a design flaw.THANK YOU!
maxXPsoft Posted August 15, 2011 Posted August 15, 2011 Thank you - I have created a user with access to only this share. It works. I find this user/password in the XML file to be a design flaw.THANK YOU!removes it from installed xml found in Panther folder after install <Password>*SENSITIVE*DATA*DELETED*</Password>just delete original xml
unattendedxml Posted August 16, 2011 Author Posted August 16, 2011 Well the XML does not contain SENSITIVE*DATA*DELETED for this user. Should it be like that? It only hides the domain logon password, if I would use that.Deleting the XML is part of the solution. However, it is still not save since you can restore the XML after deletion with the help of a couple tools.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now