MDT: Secure the Deployment Share

Written by Ingmar Verheij on December 19th, 2013. Posted in MDT

With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read / write which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords.

The default permissions on a folder are:

  • Administrators – Full Control
  • CREATOR OWNER – Full Control
  • SYSTEM – Full Control
  • Users – Read & Execute + Create file / write data + Create Folders / append data

Active Directory Groups

It is recommended to change the ACL of the Deployment Share to limit access for a selection of users. The easiest way to achieve this is to create Active Director groups. Access to the MDT Deployment Share is then maintained via Active Directory, which is managed centrally, instead of each object individually.

For example the following groups can be used:

Group name Description
MDT01_DeploymentShare_Administrators Members of this group are MDT administrators on the server “MDT01”,.
MDT01_DeploymentShare_Deploy Members of this group are allowed to execute task sequences to deploy machines (either unattended or image deployments)
MDT01_DeploymentShare_ImageCapture Members of this group are allowed to capture images

 

Permissions

Permissions on the Deployment Share can be granted to Active Directory groups, below you will find an example based on the example groups.

I’m assuming the Deployment Share is stored in the root of drive D:.

 

Block inheritance

First start with disabling inheritance to avoid permissions from parent objects to propagate to the Deployment Share folders.
Block Inheritance

The screenshot if of a Windows Server 2012 machine, but the same applies to other Windows operating systems.

 

D:\DeploymentShare
Group or user name Permission Inherited from
Administrators Full control None
SYSTEM Full control None
MDT01_DeploymentShare_Administrators Full control None
MDT01_DeploymentShare_Deploy Read & execute None
MDT01_DeploymentShare_ImageCapture Read & execute None
D:\DeploymentShare\Capture
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_ImageCapture Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare

The ImageCapture group needs sufficient privileges to create a new image capture.

 

D:\DeploymentShare\Logs
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_Deploy Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare
MDT01_DeploymentShare_ImageCapture Modify None

Both the Deploy and ImageCapture groups require write access to the log files. Without write access the deployment will fail.

 

 

Disclaimer

I’m pretty sure the permissions can be more tight then the example I provided in this article. However, it is more secure then a default installation without any modification. Feel free to provide me with detailed privileges and I’m more then happy to update the article.

 

 

 

.

Ingmar Verheij

At the time Ingmar wrote this article he worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He was working with technologies like Microsoft RDS, user environment management and (performance) monitoring. Ingmar is User Group leader of the Dutch Citrix User Group (DuCUG). RES Software named Ingmar RES Software Valued Professional in 2014.

More Posts - Website

Follow Me:
TwitterLinkedInGoogle Plus

Tags: , ,

Trackback from your site.

Comments (6)

  • Jeff
    6 February 2015 at 21:10 |

    Thanks a million!! This caught us unexpectedly and was exactly what I was looking for. This way if a machine somehow boots unexpectedly into PXE, an “ordinary” user can’t reimage their machine!

  • Nick
    21 May 2015 at 09:13 |

    Is your D:\deploymentshare\capture example correct? Shouldn’t the imagecapture group have the modify rights rather than the deploy group?
    Good article though, looking at deploying MDT and being able to secure it is a pre-req

    • 28 May 2015 at 21:03 |

      Yup I think you’re right! I updated the article 🙂

  • D
    8 November 2016 at 11:09 |

    this creates an unsupported configuration. so don’t follow the steps in this blog post as the author has simply guessed.

  • Paul
    22 December 2016 at 09:09 |

    Well built critisism “D” You’re a great help…
    Enough of the sarcasm…
    I like to clear the “Users” and “creator Owner” from the root. Should anybody mess with the inherritance you’ll be a little safer.

Leave a comment

*

Donate

%d bloggers like this: