
Developing ImageInvoker - Overview

Created: 14 Feb 2011 • Updated: 03 Mar 2011
ianatkin's picture

Back in 2009, I started work on a Deployment Server 6.x Imaging Add-on called ImageInvoker. This was to answer the need locally for IT staff to provision machines without prior training in using the Deployment Console. It provides a self-service imaging interface in automation, a deployment portal if you will, so that desk-side IT staff can schedule the immediate deployment of images without requiring the assistance of a DS administrator. 

By July 2010, ImageInvoker had matured and was finally able to deliver images from both the Linux and WinPE automation environments. I had at that point intended to halt development. Within 6 months though, I decided to revisit that decision and to proceed with further development on the 6.x branch. Simply put, I had an emerging need to provide a flavour of ImageInvoker which reflected security as seen through the DS console. Only through such security scoping could the ImageInvoker portal be opened up to the multitude of IT roles as required by our multi-departmental setup.

This is an on-going project, and as I write new 'chapters' they'll be added to the development path summaries below. Feel free to comment with ideas, as once it goes public it will be purely bug-fixes from then on. Unless I deem the bugs to be 'By Design', naturally.....

Part 1: Introducing Improvements

In this chapter, I lay down the key improvements I intend to make, notably AD integration and on-the-fly menu creation. Work begins on the T-SQL side of the house as I tinker with the SQL required to generate the new menu-items.
 

Part 2: Console Security

Understanding Deployment Server console security is key to implementing the authorisation piece which goes hand-in-hand with AD authentication. After looking at how DS security works, work begins on looking at how we can establish the 'effective permissions' on our menu items.
    

Part 3: Console Security and Multiple Groups    

After some testing, this chapter was a quick return to base for the effective permissions code. The code from Part 2 failed to assess the effective permissions in scenarios where multiple group permissions were configured. This part tackles this problem, and provides the full T-SQL functions for the final code.
 

Part 4: Generating a Security-scoped ImageInvoker Menu

Using the effective permissions code from Part 3, this part talks through how we can use this code to generate each user's own ImageInvoker menu. Quite simply put, it was not going to be as simple as I first imagined.
 

Part 5: NT Group Enumeration

Now that we've got the engine able to authorise users based on their group and user memberships, we now need some functions which can accurately enumerate those memberships in the first place. Lots of VBScripts here.
 

Part 6: AxSched and Launching tasks under alternate credentials

In this part, we get down to the nitty-gritty of the engine: the launching of the axsched utility. Several flaws in the utility are worked around, and several process spawning methods are discussed.
 

Part 7: The WinPE Client

Here I cover some of the steps involved in upgrading the WinPE client for authentication and menu navigation. The WinPE environment is also discussed from a programmer's point of view.

Comments

jermaine-fj's picture

I would like assistance to confirm if a USB Scan feature is available on Symantec Endpoint 11.0.6 protection.

I.e. if Symantec scans USB/External Drives before being made available on the PC.

If so, how can I verify that the drive is being scanned? I would like it to complete the scan before being made available to the PC, or is there a feature that needs to be turned on?

ianatkin's picture

Hi,

Ahh..... and the first comment to these development notes is in error. Bless.

Unfortunately though, I can't help you on SEP. I accept that AV is crucial in managing endpoints, but SEP is such a brand it has its own area under 'Security'. Try re-posting your question here,

https://www-secure.symantec.com/connect/ko/security/forums/endpoint-protection-antivirus

And hopefully someone who knows their SEP stuff will give you the response you need.

Kind Regards,
Ian./

Ian Atkin, IT Services, Oxford University, UK

Connect Etiquette: "Mark as Solution" those posts which assist you most in resolving your problem, and give a thumbs up to useful articles and downloads
