Windows Server 2012 - WDS installed and configured to deploy Windows Server 2012 on several Clients.
We will deploy several Windows Server 2012 Clients, each of the Clients should NOT know the initial Password of the other Clients.
The WDS Server stores each image_unattended.xml assigned to an image in the following way:
{WDSRoot}/Images/{ImageGroupName}/{ImageName}/Unattend/ImageUnattend.xml
This folder and the files it contains are readable by all users who authenticated via the client_unattended.xml:
    <WindowsDeploymentServices>
        <Login>
            <WillShowUI>OnError</WillShowUI>
            <Credentials>
                <Username>Unattended</Username>
                <Domain>WORKGROUP</Domain>
                <Password>{Password}</Password>
            </Credentials>
Is there a way to Limit the access to only one desired user?
On the other side, it would be fine if there were a secure mechanism to encrypt the Administrator password in the image_unattended.xml, but as far as I know, it can only be encoded in base64 with the addition of "AdministratorPassword":
So, mystrongpassword becomes bXlzdHJvbmdwYXNzd29yZEFkbWluaXN0cmF0b3JQYXNzd29yZA==, which can be decoded every time *rolleyes*
Is there another way to (really) encrypt / hash the password in the xml?
If not, is it possible to set user permissions on the image_unattended.xml files?
Edit: maybe netsh advfirewall is the way to go, to not let other (already installed) clients browse all data on the WDS Server?
I am not sure if what you are looking for is possible with just the deployment tools, but you should look into LAPS (Local Admin Password Solution). This automates changing the local admin passwords to something unique, and stores them in Active Directory.
https://technet.microsoft.com/en-us/mt227395.aspx
It is configurable via group policy to manage or unmanage based on OU. It also allows you to set the frequency and complexity. You could add it as a step or task in the deployment sequence.
Way old topic, but in case you happen to come across this: I think this is more obfuscation than actual security, but you should check this out: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file
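
The base64 scheme described in the question, and the last answer's remark that hiding the value is obfuscation rather than security, as an added example that is not part of the original thread: a Python audit that parses an answer file and reports every password element whose value is recoverable, without echoing the secret. The function names, the sample file, the UTF-16LE handling and the use of the parent element's name as the suffix are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def decode_hidden(value, element_name):
    """Recover the password behind a 'hidden' Value, or None. The question's sample is
    single-byte; UTF-16LE for Windows SIM output is an assumption of this example."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except ValueError:
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.endswith(element_name):  # suffix assumed to be the parent element name
            return text[: -len(element_name)]
    return None

def audit(xml_text):
    """Report each password element and its exposure; secrets are never echoed."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kids = {local(c.tag): (c.text or "") for c in elem}
        if "Value" not in kids or "PlainText" not in kids:
            continue
        name = local(elem.tag)
        if kids["PlainText"].strip().lower() == "true":
            findings.append((name, "plaintext", len(kids["Value"])))
            continue
        secret = decode_hidden(kids["Value"], name)
        status = "base64-recoverable" if secret is not None else "undecoded"
        findings.append((name, status, len(secret or "")))
    return findings

# Constructed sample: first Value is the string quoted in the question.
UTF16 = base64.b64encode("Example1Password".encode("utf-16-le")).decode()  # made up
SAMPLE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup"><UserAccounts><AdministratorPassword>
<Value>bXlzdHJvbmdwYXNzd29yZEFkbWluaXN0cmF0b3JQYXNzd29yZA==</Value>
<PlainText>false</PlainText></AdministratorPassword>
<LocalAccounts><LocalAccount><Password><Value>{UTF16}</Value>
<PlainText>false</PlainText></Password></LocalAccount></LocalAccounts>
</UserAccounts></component></settings></unattend>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any element reported as plaintext or base64-recoverable means the file itself has to be protected by access control, or the password rotated after deployment, as the LAPS answer suggests.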