Security and Privacy for Deploying Operating Systems in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
This topic contains security and privacy information for operating system deployment in System Center 2012 Configuration Manager.
Use the following security best practices for when you deploy operating systems with Configuration Manager:
Security best practice
Implement access controls to protect bootable media
When you create bootable media, always assign a password to help secure the media. However, even with a password, only files that contain sensitive information are encrypted and all files can be overwritten.
Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate.
Use a secured location when you create media for operating system images
If unauthorized users have access to the location, they can tamper with the files that you create and also use all the available disk space so that the media creation fails.
Protect certificate files (.pfx) with a strong password and if you store them on the network, secure the network channel when you import them into Configuration Manager
When you require a password to import the client authentication certificate that you use for bootable media, this helps to protect the certificate from an attacker.
Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file.
If the client certificate is compromised, block the certificate from Configuration Manager and revoke it if it is a PKI certificate
To deploy an operating system by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node.
For more information about the difference between blocking a certificate and revoking it, see Comparing Blocking Clients and Revoking Client Certificates.
When the SMS Provider is on a computer or computers other than the site server, secure the communication channel to protect boot images
When boot images are modified and the SMS Provider is running on a server that is not the site server, the boot images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or IPsec.
Enable distribution points for PXE client communication only on secure network segments
When a client sends a PXE boot request, you have no way to ensure that the request is serviced by a valid PXE-enabled distribution point. This scenario has the following security risks:
Use defense in depth to protect the network segments where clients will access distribution points for PXE requests.
Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces
If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks
Require a password to PXE boot
When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process, to help safeguard against rogue clients joining the Configuration Manager hierarchy.
Do not include line of business applications or software that contains sensitive data into an image that will be used for PXE boot or multicast
Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if rogue computer downloads the operating system image.
Do not include line of business applications or software that contains sensitive data in software packages that are installed by using task sequences variables
When you deploy software packages by using task sequences variables, software might be installed on computers and to users who are not authorized to receive that software.
When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec
After the initial connection over HTTP, user state migration data is transferred by using SMB. If you do not secure the network channel, an attacker can read and modify this data.
Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports
The latest version of USMT provides security enhancements and greater control for when you migrate user state data.
Manually delete folders on state migration point when they are decommissioned
When you remove a state migration point folder in the Configuration Manager console on the state migration point properties, the physical folder is not deleted. To protect the user state migration data from information disclosure, you must manually remove the network share and delete the folder.
Do not configure the deletion policy to delete user state immediately
If you configure the deletion policy on the state migration point to remove data that is marked for deletion immediately, and if an attacker manages to retrieve the user state data before the valid computer does, the user state data would be deleted immediately. Set the Delete after interval to be long enough to verify the successful restore of user state data.
Manually delete computer associations when the user state migration data restore is complete and verified
Configuration Manager does not automatically remove computer associations. Help to protect the identify of user state data by manually deleting computer associations that are no longer required.
Manually back up the user state migration data on the state migration point
Configuration Manager Backup does not include the user state migration data.
Remember to enable BitLocker after the operating system is installed
If a computer supports BitLocker, you must disable it by using a task sequence step if you want to install the operating system unattended. Configuration Manager does not enable BitLocker after the operating system is installed, so you must manually re-enable BitLocker.
Implement access controls to protect the prestaged media
Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data.
Implement access controls to protect the reference computer imaging process
Ensure that the reference computer that you use to capture operating system images is in a secure environment with appropriate access controls so that unexpected or malicious software cannot be installed and inadvertently included in the captured image. When you capture the image, ensure that the destination network file share location is secure so that the image cannot be tampered with after it is captured.
Always install the most recent security updates on the reference computer
When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up.
If you must deploy operating systems to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network
Although provisioning unknown computers provides a convenient method to deploy new computers on demand, it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers. Also, computers responding to PXE-initiated operating system deployment might have all data destroyed during the operating system deployment, which could result in a loss of availability of systems that are inadvertently reformatted.
Enable encryption for multicast packages
For every operating system deployment package, you have the option to enable encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session and helps prevent attackers from tampering with the transmission.
Monitor for unauthorized multicast-enabled distribution points
If attackers can gain access to your network, they can configure rogue multicast servers to spoof operating system deployment.
When you export task sequences to a network location, secure the location and secure the network channel
Restrict who can access the network folder.
Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the exported task sequence.
For System Center 2012 R2 Configuration Manager and later:
Secure the communication channel when you upload a virtual hard disk to Virtual Machine Manager.
To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the computer running Virtual Machine Manager.
If you must use the Task Sequence Run As Account, take additional security precautions
Take the following precautionary steps if you use the Task Sequence Run As Account:
Restrict and monitor the administrative users who are granted the Operating System Deployment Manager security role
Administrative users who are granted the Operating System Deployment Manager security role can create self-signed certificates that can then be used to impersonate a client and obtain client policy from Configuration Manager.
Although operating system deployment can be a convenient way to deploy the most secure operating systems and configurations for computers on your network, it does have the following security risks:
Information disclosure and denial of service
If an attacker can obtain control of your Configuration Manager infrastructure, she could run any task sequences, which might include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys.
Impersonation and elevation of privileges
Task sequences can join a computer to domain, which can provide a rogue computer with authenticated network access. Another important security consideration for operating system deployment is to protect the client authentication certificate that is used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this gives an attacker an opportunity to obtain the private key in the certificate and then impersonate a valid client on the network.
If an attacker obtains the client certificate that is used for bootable task sequence media and for PXE boot deployment, this certificate can be used to impersonate a valid client to Configuration Manager. In this scenario, the rogue computer can download policy, which can contain sensitive data.
If clients use the Network Access Account to access data stored on the state migration point, these clients effectively share the same identity and could access state migration data from another client that uses the Network Access Account. The data is encrypted so only the original client can read it, but the data could be tampered with or deleted.
The state migration point does not use authentication in Configuration Manager with no service pack
In Configuration Manager with no service pack, the state migration point does not authenticate connections, so anybody can send data to the state migration point and anybody can retrieve data that is stored on there. Although only the original computer can read the retrieved user state data, do not consider this data secured.
In Configuration Manager SP1, client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point.
In addition, Configuration Manager does not limit or manage the amount of data that is stored on the state migration point and an attacker could fill up the available disk space and cause a denial of service.
If you use collection variables, local administrators can read potentially sensitive information
Although collection variables offer a flexible method to deploy operating systems, this might result in information disclosure.
In addition to deploying operating systems to computers with no operating system, Configuration Manager can be used to migrate users’ files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies.
The information is stored on a state migration point and is encrypted during transmission and storage. The information is allowed to be retrieved by the new computer associated with the state information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day by default. You can configure when the state migration point removes data marked for deletion. The state migration information is not stored in the site database and is not sent to Microsoft.
If you use boot media to deploy operating system images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure.
Operating system deployment can use task sequences to perform many different tasks during the deployment process, which includes installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software.
If you upload a virtual hard disk to Virtual Machine Manager without first using Sysprep to clean the image, the uploaded virtual hard disk could contain personal data from the original image.
Configuration Manager does not implement operating system deployment by default and requires several configuration steps before you collect user state information or create task sequences or boot images.
Before you configure operating system deployment, consider your privacy requirements.