To simplify the deployment of Windows 2000 clients, many organizations use RIS to help deploy Windows 2000 Professional images to desktop computers. The risk in using RIS to deploy clients is that if RIS isn't configured securely, an unauthorized user might be able to install an unauthorized computer on the network.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
RIS is a collection of services that work together to allow remote installations of preconfigured Windows 2000 Professional desktop computers. The services that comprise RIS include the following, illustrated in Figure 9.7.
Figure 9.7 Components of remote installation services
NOTE
TFTP is used instead of File Transfer Protocol (FTP) because a TFTP file transfer involves less overhead. TFTP provides a connectionless transfer by using User Datagram Protocol (UDP).
You configure and start these services with the Remote Installation Setup Wizard, RISetup.
Consider the following practices whenever you implement RIS on your network:
Authorizing RIS Servers
The remote installation process requires the RIS server to be authorized in Active Directory. As with DHCP servers, only authorized RIS servers will respond to RIS clients requesting a RIS installation.
RIS servers are authorized in the DHCP console by members of the Enterprise Admins group. The RIS server will require authorization only if it doesn't have the DHCP Service installed. If the RIS server has already been authorized in Active Directory for the DHCP Service, there's no need to reauthorize the computer for RIS.
NOTE
When a PXE client is started on the network, the DHCP discover packet sent by the PXE client will request both an IP address for the client and the location of a PXE boot server, also known as the RIS server. The RIS installation can't proceed unless both the client IP address and the RIS server are provided.
Defining Which RIS Servers Will Respond to Client Requests
By default, RIS servers won't respond to client installation requests until you enable the ability to respond at the RIS server. For higher-security networks, you should not only enable the RIS server to respond to installation requests, but you should also restrict the responses to prestaged clients, as shown in Figure 9.8.
Figure 9.8 Configuring RIS to respond only to known client computers
Prestaged client computers are computers that have a computer account existing in Active Directory before RIS is installed. A common method of prestaging clients is to configure the globally unique identifier (GUID) attribute for the computer account in Active Directory, as shown in Figure 9.9.
Figure 9.9 Configuring the GUID for a computer account
TIP
If the client is a PC98 or NetPC-compliant computer, you can find the GUID either in the system BIOS or on the computer case.
In addition, the user account performing the installation must have read and write permissions for all properties of the prestaged computer object and rights to reset and change passwords for the computer account.
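The PXE discover exchange and the prestaged-GUID restriction described above can be audited from captured DHCP traffic. The following is an added example, not code from the original text or from RIS itself: it parses a raw DHCP payload, recognizes a PXE client by its vendor class, and checks the client GUID against a list of prestaged GUIDs. The option numbers (53, 60, 97) come from the DHCP and PXE specifications rather than from this lesson, and the GUID, MAC address, and function names are constructed for illustration.

```python
import struct
import uuid

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_CLIENT_UUID = 53, 60, 97
# Constructed sample GUID standing in for the prestaged computer accounts.
PRESTAGED = {uuid.UUID("11111111-2222-3333-4444-555555555555")}

def parse_options(packet: bytes) -> dict:
    """Return {option_code: value} from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[packet[i]] = value
        i += 2 + length
    return opts

def classify_discover(packet: bytes, prestaged: set) -> str:
    """Label one DHCP message for a PXE-boot audit."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != b"\x01":         # 1 = DHCPDISCOVER
        return "not-discover"
    if not opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return "not-pxe"
    raw = opts.get(OPT_CLIENT_UUID, b"")
    if len(raw) != 17 or raw[0] != 0:             # type byte 0, then 16-byte GUID
        return "pxe-no-guid"
    # Assumption: GUID bytes are read in network order, as built below.
    return "known" if uuid.UUID(bytes=raw[1:]) in prestaged else "unknown"

def build_discover(vendor: bytes, guid=None) -> bytes:
    """Constructed sample: a minimal DHCPDISCOVER payload."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    hdr += b"\x00" * 16 + b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\x00") + b"\x00" * 192
    opts = bytes([OPT_MSG_TYPE, 1, 1, OPT_VENDOR_CLASS, len(vendor)]) + vendor
    if guid is not None:
        opts += bytes([OPT_CLIENT_UUID, 17, 0]) + guid.bytes
    return hdr + DHCP_MAGIC + opts + b"\xff"

if __name__ == "__main__":
    pxe = b"PXEClient:Arch:00000:UNDI:002001"
    for g in (next(iter(PRESTAGED)), uuid.UUID(int=7), None):
        print(g, classify_discover(build_discover(pxe, g), PRESTAGED))
```

Firmware vendors differ in the byte order they use for the GUID on the wire, so confirm the mapping against a known client before relying on "unknown" results.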
Restricting the Creation of Computer Accounts
In some cases you may want to grant network users the necessary permissions to create the computer account during the client installation. To do this, complete the following steps:
Figure 9.10 Configuring the directory service location for computer accounts
Once you complete these two steps, the users with the delegated permission can perform remote installation of the operating system.
Restricting Which RIS Images a User Can Load
If you plan for users to select from multiple RIS images, you can restrict which images are available to users by configuring DACLs to change the default permissions.
The default permissions for a RIS image allow all users to install the image. You can modify which groups can install a RIS image by defining the security on an image's Templates subfolder, as shown in Figure 9.11.
Figure 9.11 Changing NTFS permissions on the templates subfolder to restrict who can load a RIS image
By creating a custom domain local group that contains the user accounts that can install a specific RIS image, you can restrict who can install each image and show users only images they are allowed to see when they perform a remote installation.
Ensuring Proper Security Settings on the RIS Image Computer
Before using the RIPrep utility to prepare a RIS image, make sure that you've installed all necessary applications and have configured all required security settings. This includes registry, NTFS settings, and all other security template-related settings. When the RIPrep image is downloaded to destination RIS clients, your security settings will be maintained.
You can't include EFS encrypted files in the RIS image. Files encrypted with EFS will be unusable at any destination RIS client computers because the clients won't have the EFS private key required to decrypt the file encryption key.
Protecting Data Transmissions Between RIS Clients and RIS Servers
RIS uses TFTP for the initial transfer of data from the RIS server to the RIS client. TFTP doesn't encrypt data transmitted between the client and the server. Make sure that you're not using an account with Administrator rights on the network for the RIS process. Anyone running a network sniffer could capture the credentials and use them to launch attacks against the network. Instead, configure an account that has only the permissions to install the RIS image to the client computer.
NOTE
Because you use RIS to install a client operating system, you can't implement IPSec to protect the TFTP data stream between the RIS server and the RIS client computers. Only the Windows 2000 operating system supports the use of IPSec.
When you use RIS to deploy client computers, use the decision matrix shown in Table 9.5 to ensure that security is maintained on your network.
Table 9.5 Securing RIS Deployments
To | Do the Following |
---|---|
Prevent deployment of unauthorized RIS servers | Restrict membership in the Enterprise Admins group because only members of this group can authorize RIS servers. Authorize only approved RIS servers. Restrict installation of RIS services on existing DHCP servers since they are already authorized in Active Directory. |
Restrict RIS-installed computer accounts to a specific OU | Allow only prestaged computer accounts to install RIS images. Create the prestaged computer accounts in the desired OU. Alternatively, configure a specific location in Active Directory where computer accounts will be created for remote installations. |
Restrict who can perform remote installations | Assign only approved users the permission to create computer accounts in the OU where remote installation computer accounts will be created. If using prestaged computer accounts, assign only approved users the permissions to modify the attributes of the prestaged computer accounts. |
Restrict which images a user can load using remote installation | Change the DACLs on the RIS image's Templates subfolder to only allow authorized security groups READ permissions. |
Maintain default security for RIS images | Preconfigure all security settings at the source computer before running the RIPrep utility to create the remote installation image. |
Protect administrative permissions during RIS installations | Delegate the permissions to create computer accounts in Active Directory and never use an Administrator account for the remote installation because the TFTP protocol doesn't encrypt network data transmissions. |
To meet their RIS security requirements, Lucerne Publishing can either prestage computer accounts for remote installation or change permissions to allow users to create the computer accounts. If Lucerne Publishing chooses to prestage the computer accounts, you must add the following tasks to the security plan:
If Lucerne Publishing decides to allow users to create the computer accounts in Active Directory, add the following tasks to the security plan:
The decision to use prestaged computers or grant users the ability to create computer accounts will depend largely on how many computers will be installed. The more computers, the less likely it will be that an administrator will want to precreate the computer accounts and manually enter GUID attribute information. Even using scripts will require the manual installation of each GUID.
RIS is a key component of change and configuration management within Windows 2000. You must design the ability to create and install RIS images carefully so that only authorized users can use this service.