Deployment Solutions Best Practices for PXE and Pre-boot OS Security
|Article:TECH206830|||||Created: 2013-06-03|||||Updated: 2013-06-06|||||Article URL http://www.symantec.com/docs/TECH206830|
Symantec Deployment Solutions is dependent on the use of pre-boot op
When using Symantec Deployment Solutions to manage network computers, the targeted delivery of pre-boot operating systems is required to perform many tasks. When initiated from the Deployment Server console, DS administrators can boot a computer into a pre-boot environment for the purpose of remotely creating or deploying hard drive images, installing or removing software or updating computer settings. As a target computer is booted through a pre-boot environment (usually either Windows PE or Linux) network drive(s) can be mapped to provide access for necessary files.
This pre-boot process can also be initiated by a user from a workstation or server computer, allowing the computer to automatically boot and map any network drives that have been pre-set by Deployment Server administrators. The computer user will then have access to information on the mapped network drives including disk images. One possible security concern would allow a person to then upload their own arbitrary images or files to be distributed during normal Deployment Server operations.
The primary barrier for any security concern is always initial access to the network and network systems. The following recommendations should be followed to minimize the use of the Deployment Solutions pre-boot automation in further potential network intrusion should initial security measures fail.
Potential security concerns when using Deployment Server 6.9 and Deployment Solutions 7.x pre-boot processes, can be reasonably mitigated with careful consideration of network configurations and user access controls.
Article URL http://www.symantec.com/docs/TECH206830