MDT: Secure the Deployment Share

With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read / write which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords.

The default permissions on a folder are:

  • Administrators – Full Control
  • CREATOR OWNER – Full Control
  • SYSTEM – Full Control
  • Users – Read & Execute + Create file / write data + Create Folders / append data

Active Directory Groups

It is recommended to change the ACL of the Deployment Share to limit access for a selection of users. The easiest way to achieve this is to create Active Director groups. Access to the MDT Deployment Share is then maintained via Active Directory, which is managed centrally, instead of each object individually.

For example the following groups can be used:

Group name Description
MDT01_DeploymentShare_Administrators Members of this group are MDT administrators on the server “MDT01”,.
MDT01_DeploymentShare_Deploy Members of this group are allowed to execute task sequences to deploy machines (either unattended or image deployments)
MDT01_DeploymentShare_ImageCapture Members of this group are allowed to capture images

 

Permissions

Permissions on the Deployment Share can be granted to Active Directory groups, below you will find an example based on the example groups.

I’m assuming the Deployment Share is stored in the root of drive D:.

 

Block inheritance

First start with disabling inheritance to avoid permissions from parent objects to propagate to the Deployment Share folders.
Block Inheritance

The screenshot if of a Windows Server 2012 machine, but the same applies to other Windows operating systems.

 

D:\DeploymentShare
Group or user name Permission Inherited from
Administrators Full control None
SYSTEM Full control None
MDT01_DeploymentShare_Administrators Full control None
MDT01_DeploymentShare_Deploy Read & execute None
MDT01_DeploymentShare_ImageCapture Read & execute None
 
D:\DeploymentShare\Capture
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_Deploy Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare

The ImageCapture group needs sufficient privileges to create a new image capture.

 

D:\DeploymentShare\Logs
Group or user name Permission Inherited from
Administrators Full control D:\DeploymentShare
SYSTEM Full control D:\DeploymentShare
MDT01_DeploymentShare_Administrators Full control D:\DeploymentShare
MDT01_DeploymentShare_Deploy Read & execute D:\DeploymentShare
MDT01_DeploymentShare_Deploy Modify None
MDT01_DeploymentShare_ImageCapture Read & execute D:\DeploymentShare
MDT01_DeploymentShare_ImageCapture Modify None

Both the Deploy and ImageCapture groups require write access to the log files. Without write access the deployment will fail.

 

 

Disclaimer

I’m pretty sure the permissions can be more tight then the example I provided in this article. However, it is more secure then a default installation without any modification. Feel free to provide me with detailed privileges and I’m more then happy to update the article.

 

 

 

.

Ingmar Verheij

Ingmar Verheij worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He worked with technologies like Microsoft RDS, user environment management and (performance) monitoring. RES Software named Ingmar RES Software Valued Professional in 2014.

More Posts - Website

Follow Me:
TwitterLinkedInGoogle Plus

Comments are closed.