Deployment Solution

  • 1.  Is it possible to protect WinPE environment ?

    Posted Nov 09, 2010 04:28 PM

    Hello,

    I would like to know if it is possible to protect the WinPE environment (I'm using DS 6.9 SP4) so users can't stop jobs while in this environment (something like locking the keyboard).

    I've seen that a user can access some of the minimized command prompts in Windows PE during job execution and have access to the F:\ drive with WRITE access.

    The user can DELETE all the eXpress share !!

    Any idea about how to protect this?

    Thanks.



  • 2.  RE: Is it possible to protect WinPE environment ?

    Posted Nov 10, 2010 07:12 AM

    Hallo ManeIR

    Is it possible to protect the pc in WinPE, so that the user can't do anything:

    Short answer: yes, this is possible. I don't know if you noticed it, but within the PXE, PE configuration you can tick an option so that it is locked.
    If you need further direction on where it is, lemme know and I'll find the screendump for you.

    The default configuration on the express share is as you have found out, the user can delete it all... ;)

    On installations where the admins have requested it, I have done some hardening.

    What I normally do is grant the user which runs the bootdisk (configured on the bootdisk itself) "Read" access on the NTFS permissions on the express share, and ONLY on the \\servername\express\Temp put read\write permissions.

    This does what you want to do, and makes sure your jobs don't fail, which they will do if you don't have the access on the temp folder.

    /Morten
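
The NTFS layout described in the reply above, written out as PowerShell to run on the Deployment Server. This is an added example, not something posted in the thread; the local share path, the account name, and the choice of `ReadAndExecute` and `Modify` as the concrete rights are assumptions.

```powershell
# Assumptions (placeholders, not from the thread): where the eXpress share
# lives on disk and the low-privilege account configured on the boot disk.
$ShareRoot = 'D:\eXpress'
$TempDir   = Join-Path $ShareRoot 'Temp'
$Identity  = [System.Security.Principal.NTAccount]'DOMAIN\winpe-bootuser'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Set-SingleGrant {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl = Get-Acl -Path $Path
    # Remove every explicit ACE for the account so no older, broader grant survives.
    $acl.PurgeAccessRules($Identity)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-WriteCapableAce {
    param([string]$Path)
    # Rights that let a WinPE session alter or delete share content.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq $allow -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Read-only on the whole share (ReadAndExecute so tools can still be launched from it).
Set-SingleGrant -Path $ShareRoot -Rights 'ReadAndExecute'
# Read/write only on Temp, which the jobs need in order not to fail.
Set-SingleGrant -Path $TempDir -Rights 'Modify'

# Review: any group listed here that the boot-disk account belongs to
# (Everyone, Users, Authenticated Users, ...) still gives it write access.
Get-WriteCapableAce -Path $ShareRoot | Format-Table -AutoSize
```

The review step matters because an Allow entry for a broad group still applies to the boot-disk account through group membership, whatever its own entry says. Share-level permissions are evaluated separately from NTFS, and the effective access over the network is the more restrictive of the two.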



  • 3.  RE: Is it possible to protect WinPE environment ?

    Posted Nov 10, 2010 10:14 AM

    Hi Mortenleth,

    In the bootdisk configurator (step 4 of 8) there is a tick (checked) that says "lock keyboard" (use this option to lock the keyboard when the WinPE 2.1 automation agent loads to prevent user access to the network)... but this doesn't seem to work because I can use the keyboard in the command prompts of Windows PE.

    In the bootdisk configuration wizard I've also found that for WinPE-WMI there is a file named "mapdrv.bat" that does this:

    net use F: "\\LAGOS\eXpress" /yes <nul

    and in the step 5 of 8 I've found the credentials. I'll try to create a new "winpeuser" as the one you created in your hardened environment.

    I'll let you know.

    Thanks.

     



  • 4.  RE: Is it possible to protect WinPE environment ?

    Posted Nov 10, 2010 10:43 AM

    Hello,

    In my lab server I have a disk configuration for WinPE but I don't have any for my production server so the server is using the default environment ...

    How can I know which options this environment has? (for example, drivers, optional components like HTA, MDAC, etc. or firewall settings)

    Thanks.

     



  • 5.  RE: Is it possible to protect WinPE environment ?

    Posted Nov 10, 2010 11:42 AM

    Have a look at this article:

    https://www-secure.symantec.com/connect/articles/readyadventures-winpe

    This goes through the steps of creating a WinPE environment and also covers how to check what options are installed while the WinPE wim file is mounted.



  • 6.  RE: Is it possible to protect WinPE environment ?

    Posted Nov 10, 2010 11:56 AM

    I've found the "Edit boot image" in the PXE that can edit my "Menu Option" WinPe environment.

    I've found there that there is a file named "altirisu.pwl" that is encrypted. I suppose that inside are the credentials to connect to the share.

    I'll try to generate a new environment (selecting the user I need) and copy this file from the new environment to the boot one.

    I'll let you know if this works.

    Thanks.