Best Practices for Server Purposing

This section describes best practices that administrators can use for managing Automated Deployment Services (ADS).

Security Best Practices

Turn off the Dynamic Host Configuration Protocol (DHCP) service and DHCP relay on firewalls
Network administrators should turn off the DHCP service and DHCP relay on firewalls to prevent an unauthorized server from spoofing as a device.
Use ADS on secure networks only
ADS should be used on a secure network, especially when using the imaging features.
Use encryption with images
  • Ensure encryption is enabled when deploying or capturing images remotely. You should only disable encryption if your network is secure.
  • Use a local administrator password in the master image instead of encrypting the password in the Sysprep.inf file. Do not use unencrypted passwords in the Sysprep.inf file.
Keep images secure
  • When images are mounted, they inherit the file-system permissions of the image files. Be sure to set file permissions on images to the least privilege required, to prevent unauthorized access.
  • Restrict access to the image store to prevent unauthorized users from reading and mounting images.
Keep the Controller secure
  • Disable tracing after debugging a problem because the trace files are readable by any authenticated user.
  • The administrator should evaluate and restrict the access control list (ACL) permissions to the \\server\Root\MicrosoftADS namespace using the Windows Management Instrumentation (WMI) snap-in, Wmimgmt.msc.
  • Be aware that any member of the Administrators group can read any encrypted variable in the Controller database.
  • Do not run programs that permit arbitrary output or output strings specified by the operator to be sent back to the Controller.
Restrict access to ADS to a limited number of users
When granting permissions to run a job, do not grant full control to any user. A user with full control can use that template to elevate the credentials of any user to those of an administrator.
Keep certificates secure
  • Certificates are dependent on accurate time and date settings in a system's basic input/output system (BIOS). Some BIOS flash programs, including those that run as a part of an ADS virtual floppy disk, might change the BIOS date. Ensure that the system BIOS date and time is accurate so that the certificates that you use with ADS are considered valid.
  • The Controller's private key should be kept in the certificate store at all times and protected from attack. When creating certificates and key pairs, the system should be offline. Certificates generated by the ADS Setup wizard or the adskey command expire after 10 years.
  • If you select the Create a self-signed certificate option during ADS Setup, ADS Setup creates a private root key. After setup is complete, you should disconnect the system from the network and export the private root key to a secure offline location. You should remove the private root key from the certificate store and destroy any file copies. You must keep the public root certificate in the Controller's certificate store. A copy of the public root certificate is available on the file system for agent installs.

    Warning

    If the Controller private key is compromised, all device agents and services will be accessible to an unauthorized Controller. You must issue a new root key pair, sign a new Controller certificate, and install new trusted root certificates in agents and services.

  • An unauthorized Controller can spoof as an ADS Controller if the unauthorized Controller has a private key pair that is signed from the same root of trust as the ADS Controller. You can mitigate this attack. If you are using the default ADS-generated certificates, do not permit the ADS root private key to be exposed to an unauthorized Controller. In addition, the private root should sign only legitimate ADS Controllers. If you are issuing certificates from a certification authority (CA), you should issue an ADS private key that is then used to sign ADS Controller keys. The ADS private root should be secured offline.

Best Practices for Configuring ADS

Use the NTFS file system for all ADS volumes
  • Format all volumes where you plan to install any of the ADS components with the NTFS file system.
  • Use a separate disk and disk controller for the Image Distribution service.
  • For best performance, when colocating the Controller service with the Image Distribution service, install the image store on a separate high-speed disk controlled by a separate disk controller.
Restrict access to tracing log files to members of the Administrators group only
If you turn on tracing for any of the ADS services, including those running on devices, the tracing log files are generated and stored in the %systemroot%\Tracing directory, which has read permissions for everyone. For maximum security you should restrict access to this directory to the Administrator account only, which prevents non-administrators from viewing the tracing log files. For more information about tracing, see Using tracing.
Disable the Pre-boot Execution Environment (PXE) and use static IP addresses on the servers that host the Controller service, Network Boot Services, and the Image Distribution service
For best performance, disable PXE and use static IP addresses on the servers that host the Controller service, Network Boot Services (NBS), and the Image Distribution service. Otherwise, when the ADS services are installed on separate servers and the Controller is restarted, the Controller will continuously try to receive boot instructions from the NBS, and therefore never boot to its own hard disk.
The system hosting the ADS services must use static IP addresses for reliable operation
Changing the Controller service's IP address can lead to loss of device control. The Controller service's network adapter must use a statically allocated IP address. If you change the network adapter's IP address, you should check all ADS network connections, including the connections to NBS, IDS, and to the Administration Agent. Devices running the Deployment Agent will most likely need to be rebooted so that their connections and sequences can be restarted.

Controller Best Practices

Back up the ADS Controller to reduce data loss and down time

To help recover from a software or hardware failure on the computer running the Controller service, it is recommended that you back up the Controller on a regular basis. Should your Controller fail, a backup is the only way to restore functionality without resorting to a reinstallation and reconfiguring of ADS. In particular, be sure to back up the Controller certificates and the Controller database.

If you are using the Microsoft SQL Server Desktop Engine (MSDE) for the Controller database, you must use Transact-SQL to perform a database backup. If you are using Microsoft SQL Server 2005 for the Controller database, you must use either the SQL Server Enterprise Manager or Transact-SQL supplied with SQL Server to perform database backups.

For more information about how to back up a Microsoft SQL Server Desktop Engine (MSDE) database using Transact-SQL, see Microsoft Knowledge Base article 241397, HOW TO: Back Up a Microsoft Data Engine Database with Transact-SQL.

There are two parts to keeping your Controller backed up. The first is a complete system backup using Windows Backup. The second is maintaining a secure copy of your Controller certificates.
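The database half of that backup is a Transact-SQL BACKUP DATABASE statement, which on MSDE has to be issued from the command line. The following PowerShell script is an added example, not code from the ADS documentation: it writes the T-SQL to a temporary file and runs it through osql.exe (the command-line client that ships with MSDE). The instance name, database name and backup directory are placeholders that the page does not state; the backup path must be writable by the SQL service account, because the backup is written by the database engine, not by the script.

```powershell
# Added example (not from the ADS documentation): full backup of the Controller
# database on MSDE via Transact-SQL, driven from PowerShell through osql.exe.
# Assumptions (placeholders, not values from the page): instance, database, path.
param(
    [string]$Instance  = '.\ADS',            # placeholder: MSDE instance hosting the Controller database
    [string]$Database  = 'ADS_DATABASE',     # placeholder: Controller database name
    [string]$BackupDir = 'D:\Backups\ADS'    # placeholder: directory the SQL service account can write to
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "$Database-$stamp.bak"

# WITH INIT overwrites any existing media set in the target file instead of
# appending to it; RESTORE VERIFYONLY confirms the backup is readable before
# anyone relies on it.
$tsql = @"
BACKUP DATABASE [$Database]
    TO DISK = N'$backupFile'
    WITH INIT, NAME = N'$Database full backup $stamp';
RESTORE VERIFYONLY FROM DISK = N'$backupFile';
"@

# osql reads the batch from a file: -E trusted (Windows) authentication,
# -S target instance, -i input file, -b abort on T-SQL error with a non-zero exit code.
$sqlFile = [System.IO.Path]::GetTempFileName()
try {
    Set-Content -Path $sqlFile -Value $tsql -Encoding ASCII
    & osql.exe -E -S $Instance -i $sqlFile -b
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $Database on $Instance failed (osql exit code $LASTEXITCODE)"
    }
}
finally {
    Remove-Item -Path $sqlFile -ErrorAction SilentlyContinue
}

Write-Host "Backup written to $backupFile"
```

Run it from an elevated prompt on the Controller as an account that is a member of the sysadmin role on the instance; the .bak file it produces belongs with the certificate copy and the Windows Backup set described above, and should be protected with the same care as the certificates, since it contains the Controller database.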

Configure all Controller service settings for discovery before turning on new devices
If you decide to use discovery to automatically add records for new devices in your data center, ensure that all new devices are offline before changing the settings. Otherwise, new records could be created for the devices before you configure settings that automatically insert information for new device records, such as a description and default job template. As a result, these new records would lack the information you intend to use for new devices. The recommended procedure is to configure all appropriate settings, then bring the computers online.
Use device variables to personalize the device name when deploying an image

You can personalize a device name using the Sysprep.exe System Preparation tool when deploying an operating system image to it. You do this by creating a device variable to store a short name for a device. If the device will join a domain, create a second device variable to store the domain name. The Da-deploy-image-domain.xml sequence sample provided with ADS includes steps that use these variables. The reasons for this recommendation are:

  • The device name property of a device record stores the fully qualified domain name (FQDN); however, the System Preparation tool cannot use the FQDN.
  • Device records created automatically when a device PXE boots will use the hardware identifier as the name of the device.

You can avoid this situation by configuring ADS to create a record when a new device boots to the Deployment Agent instead of PXE. Then, create a device variable to store a short, friendly name for the new device. You can use a task sequence and the System Preparation tool to personalize the device with the friendly name when you deploy an image to the new device.

Use a default job template suited for the scenario

ADS includes sample task sequences that are appropriate for different scenarios, such as when a device has no operating system or when it is ready to run a full operating system. You can assign a task sequence to a device by linking the task sequence to a job template and assigning the job template to the device. For example, the boot-to-da sample is intended for devices without an operating system, and the boot-to-hd sample is intended for devices on which a full operating system is running.

For more information about job templates, see Jobs and job templates.

Restrict access to tracing log files to members of the Administrators group only

If you turn on tracing for any of the ADS services, including those running on devices, the tracing log files are generated and stored in the %systemroot%\Tracing directory, which has read permissions for everyone. For maximum security you should restrict access to this directory to the Administrator account only, which prevents non-administrators from viewing the traces.

For more information about tracing, see Using tracing.
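This practice, and its earlier statement under Best Practices for Configuring ADS, come down to one change: replacing the inherited read access that everyone has on %systemroot%\Tracing with access for Administrators and SYSTEM only. The PowerShell script below is an added example, not code from the ADS documentation. It assumes an elevated Windows PowerShell session with the Get-Acl and Set-Acl cmdlets; the directory path is the one named on this page, resolved through the SystemRoot environment variable.

```powershell
# Added example (not from the ADS documentation): lock down %systemroot%\Tracing
# so that only Administrators and SYSTEM can read the trace files.
# Assumes an elevated Windows PowerShell session on the server being hardened.
param(
    [string]$TracingDir = (Join-Path $env:SystemRoot 'Tracing')
)

$acl = Get-Acl -Path $TracingDir

# Stop inheriting from %systemroot% and do not copy the inherited entries, so the
# "Everyone: read" entry the page warns about does not survive the change.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries already present on the directory.
foreach ($rule in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Grant full control to the two principals that legitimately need the traces;
# the entries inherit to files created later, so new trace files are covered too.
foreach ($principal in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $TracingDir -AclObject $acl

# Verification: the only identities listed should be the two granted above.
(Get-Acl -Path $TracingDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the ACL is applied once and then inherited, trace files written after the change are protected as well; files that already existed keep whatever explicit entries they had, so run the script before enabling tracing, or clear the directory first.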

Create certificates in a known secure environment

Creating and working with certificates containing private keys should be performed in a known secure environment, preferably on a system disconnected from the network.

For more information about ADS certificates, see ADS certificates overview.

Network Boot Services (NBS) Best Practices

Ensure that all servers where you plan to use virtual floppy disk images are PXE-enabled
NBS requires PXE version 0.99c or later. You can determine the PXE version by restarting your computer. The PXE version is displayed as the PXE read-only memory (ROM) is loaded. You cannot use remote boot floppy disks to run a virtual floppy disk image.
Always run antivirus software to ensure that the virtual floppy disk image source does not have a virus
Always run antivirus software to scan for viruses on floppy disks used as the image source in the virtual floppy disk image process. In addition, you should scan any computers where you plan to store and use the virtual floppy disk images.
Do not store confidential information in a virtual floppy disk image
Avoid storing confidential information in a virtual floppy disk because the contents are transmitted in plain text prior to running the virtual floppy disk on the device.
Do not enable the trivial file transfer protocol (TFTP) upload option on devices
Enabling the TFTP upload option is a security risk. By not enabling the TFTP upload option, you prevent unauthorized devices from uploading malicious files to the TFTP directory.
Disable the automatic addition of new devices to the Controller
Configure PXE to Ignore on the Controller to prevent unauthorized devices from joining sets and to prevent unauthorized access to information stored on the Controller.
Use the appropriate setting for PXEUseDHCPPort
Keep the ADS PXE service configuration state variable, PXEUseDHCPPort, consistent with the state of the system. If the DHCP service and ADS PXE service are installed on the same server, set PXEUseDHCPPort to 0. If not, set PXEUseDHCPPort to 1.
Provide the appropriate access to the TFTP directory

Grant write access to the systemdrive\Program Files\Microsoft ADS\Tftproot directory only to the specific user accounts that need to write virtual floppy disk images. Do not configure TFTP to enable TFTP-put operations, in which the device sends files to the TFTP server. Hosted Messaging and Collaboration recommends that you create and use relative paths to the tftproot directory, for example:

\FLOPPY\, \FLOPPY\CUSTOMER\*.

If you later decide to move the systemdrive\Program Files\Microsoft ADS\Tftproot directory, you must update the following registry entries with the full path to the \Tftproot directory:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADSBUILDER\Parameters\TftpRoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFTPD\Parameters\Directory

In addition, you must copy the NBS files in the existing \Tftproot directory to the new \Tftproot directory, and then in Control Panel, use Services to restart the ADS PXE, Deployment Agent Builder, and TFTPD services.
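The relocation described above is three steps that have to happen in a safe order: copy the files, then repoint both registry values, then restart the three services. The PowerShell script below is an added example, not code from the ADS documentation. The two registry values are the ones named on this page; the default source path is the page's systemdrive\Program Files\Microsoft ADS\Tftproot. The service display names passed to Restart-Service are taken from the page's wording (ADS PXE, Deployment Agent Builder, TFTPD) and are an assumption to verify with Get-Service before running.

```powershell
# Added example (not from the ADS documentation): move the NBS Tftproot directory.
# Registry values come from the page; service display names are assumed from the
# page's wording and should be confirmed with Get-Service first.
param(
    [Parameter(Mandatory = $true)] [string]$NewTftpRoot,
    [string]$OldTftpRoot = (Join-Path $env:SystemDrive 'Program Files\Microsoft ADS\Tftproot')
)

$registryValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSBUILDER\Parameters'; Name = 'TftpRoot'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TFTPD\Parameters';      Name = 'Directory' }
)

# Display names as listed on the page (assumption: verify with Get-Service).
$serviceDisplayNames = @('ADS PXE', 'Deployment Agent Builder', 'TFTPD')

# 1. Copy the existing NBS files first, so that if anything below fails the
#    services are still pointing at a directory that exists and is complete.
if (-not (Test-Path $NewTftpRoot)) {
    New-Item -ItemType Directory -Path $NewTftpRoot | Out-Null
}
Copy-Item -Path (Join-Path $OldTftpRoot '*') -Destination $NewTftpRoot -Recurse -Force

# 2. Point both services at the new directory using its full path.
foreach ($v in $registryValues) {
    $current = (Get-ItemProperty -Path $v.Path -Name $v.Name).($v.Name)
    Write-Host ("{0}\{1}: '{2}' -> '{3}'" -f $v.Path, $v.Name, $current, $NewTftpRoot)
    Set-ItemProperty -Path $v.Path -Name $v.Name -Value $NewTftpRoot

    $updated = (Get-ItemProperty -Path $v.Path -Name $v.Name).($v.Name)
    if ($updated -ne $NewTftpRoot) {
        throw "Registry value $($v.Path)\$($v.Name) was not updated"
    }
}

# 3. Restart the services so they pick up the new location.
foreach ($displayName in $serviceDisplayNames) {
    Restart-Service -DisplayName $displayName -Force -ErrorAction Stop
    Write-Host "Restarted service '$displayName'"
}
```

After the restart, apply the same restricted write permissions to the new directory that the previous practice calls for on the old one; Copy-Item reproduces the files, not the ACL of the directory itself.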

Use a static IP address for NBS
The server hosting NBS must use a static IP address. Otherwise, the IP address might change while the device is communicating with the ADS PXE service or Deployment Agent Builder service, which would result in a dropped connection.

Best Practices for Images

Images that are captured from a server with an OEM partition should not be deployed to a server without an OEM partition

Many OEMs preconfigure servers with an OEM partition. Images that are captured from a server with an OEM partition should not be deployed to a server without an OEM partition, and vice versa.

Before capturing and deploying images, review the partition configuration of the servers from which you are capturing and to which you are deploying images. For example, images captured from a server with an OEM partition should only be deployed to another server with an OEM partition. Otherwise, the image might become unusable because the partition numbers in the Boot.ini file no longer match the disk. The Diskinfo tool can help you analyze the master and destination devices and determine whether an OEM partition exists. Diskinfo is located in the Server Purposing directory. Copy this file to the C:\Program Files\Microsoft ADS\Samples\Sequences directory on the Controller.

If you have servers in your data center with and without OEM partitions, consider creating two sets of images: one for servers with an OEM partition and one for servers without an OEM partition. Otherwise, you must modify the Boot.ini file after deploying the image to compensate for the different boot partition.

The samples included with ADS are designed for servers without OEM partitions. To use the samples on a server that has an OEM partition, you must edit the sample and update the partition numbers.
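The Boot.ini adjustment the page mentions is mechanical: every ARC path in the file carries a partition(N) index, and an OEM partition ahead of the system partition shifts N by one. The PowerShell function below is an added example, not code from the ADS documentation; it rewrites the partition index in each ARC path by a given offset and refuses to produce an index below 1. The sample Boot.ini is constructed for the example, and the function assumes Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the ADS documentation): shift the partition(N) index in
# every ARC path of a Boot.ini. Use -Shift 1 for an image captured on a server
# without an OEM partition and deployed to one that has an OEM partition in front
# of the system partition; use -Shift -1 for the reverse case.
function Update-BootIniPartition {
    param(
        [Parameter(Mandatory = $true)] [string]$Content,
        [int]$Shift = 1
    )
    # ARC path form: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    $pattern = '(rdisk\(\d+\)partition\()(\d+)(\))'
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $new = [int]$m.Groups[2].Value + $Shift
        if ($new -lt 1) {
            throw "Partition index would drop below 1 in: $($m.Value)"
        }
        $m.Groups[1].Value + $new + $m.Groups[3].Value
    }.GetNewClosure()
    [regex]::Replace($Content, $pattern, $evaluator)
}

# Constructed sample: the Boot.ini of an image captured on a server without an OEM partition.
$sample = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /fastdetect
'@

# Deploying that image to a server whose OEM partition occupies partition(1):
Update-BootIniPartition -Content $sample -Shift 1
```

With -Shift 1 both ARC paths move from partition(1) to partition(2); the `default=` entry and the operating systems entry must stay consistent, which is why the function rewrites every match rather than only the first. Confirm the real partition layout with Diskinfo before editing the deployed file, since the offset is only correct when the OEM partition is the one immediately ahead of the system partition.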

Make an image compatible with systems to which it will be deployed

When preparing an image for varied hardware systems, you might need to include drivers for mass storage controllers, display devices, and other hardware. In addition, you might need to accommodate a mix of multiprocessor and uniprocessor systems, as well as systems that are Advanced Configuration and Power Interface (ACPI)-compliant and systems that are not ACPI-compliant.

If you are preparing a Windows Server 2003 image, you can find information about accommodating varied hardware systems in the Deploy.chm and Ref.chm Help files, located within the Deploy.cab file in the \Support\Tools directory of your Windows Server 2003 family CD. The Unattended Installations topic also describes a method of deploying an operating system to devices that have varied hardware.

If you are preparing a Windows 2000 Server family image, you can find information about accommodating varied hardware systems in the Unattended.doc file, located within the Deploy.cab file in the \Support\Tools directory of your Windows 2000 Server family CD.