
Windows Server 2012 - WDS installed and configured to deploy Windows Server 2012 on several Clients.

We will deploy several Windows Server 2012 Clients; each of the Clients should NOT know the initial Password of the other Clients.

The WDS Server stores each image_unattended.xml assigned to an image in the following way:

{WDSRoot}/Images/{ImageGroupName}/{ImageName}/Unattend/ImageUnattend.xml

This folder and the files it contains are readable for all users who authenticated via the client_unattended.xml:

<WindowsDeploymentServices>
  <Login>
    <WillShowUI>OnError</WillShowUI>
    <Credentials>
      <Username>Unattended</Username>
      <Domain>WORKGROUP</Domain>
      <Password>{Password}</Password>
    </Credentials>
  </Login>
</WindowsDeploymentServices>

Is there a way to limit the access to only one desired user?

On the other side it would be fine if there were a secure mechanism to encrypt the Administrator password in the image_unattended.xml, but as far as I know, it can only be base64-encoded with the addition of "AdministratorPassword":

So, mystrongpassword becomes bXlzdHJvbmdwYXNzd29yZEFkbWluaXN0cmF0b3JQYXNzd29yZA==, which can be decoded every time *rolleyes

Is there another way to (really) encrypt / hash the password in the xml?

If not, is it possible to set user permissions to the image_unattended.xml files?

Edit: maybe netsh advfirewall is the way to go, to not let other (already installed) clients browse all data on the WDS Server?

eXe

2 Answers


Way old topic but if you happen to come across this. I think this is more obfuscation than actual security but you should check out. https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/hide-sensitive-data-in-an-answer-file

  • Link-only answers are only minimally useful (link-rot is a definite problem when we have questions going back to 2009), please at least add some context or bullet-points about what the link points to so this answer can stand alone. – sysadmin1138 Jun 26 '20 at 18:00
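As an added example (not part of the question or of either answer), here is a Python check for the point made in the question and in the first answer: with `PlainText` set to `false`, Windows SIM stores the password as base64 of the UTF-16LE bytes of the password followed by the element name (`AdministratorPassword` or `Password`), which is encoding rather than encryption; the question's example applies the same scheme to plain ASCII, and the check recognises both forms. The two sample answer files below are constructed, the passwords in them are made up, and the audit function reports only whether each stored value is plaintext or reversibly encoded, never the password itself, so it can be run over the files under {WDSRoot}/Images/{ImageGroupName}/{ImageName}/Unattend/ as an inventory of where credentials sit in readable form.

```python
import base64
import xml.etree.ElementTree as ET

# Answer-file elements that carry a stored password (Windows SIM schema).
PASSWORD_ELEMENTS = ("AdministratorPassword", "Password")


def obfuscate(password: str, element: str = "AdministratorPassword") -> str:
    """Reproduce the Windows SIM 'PlainText=false' scheme: base64 over the UTF-16LE
    bytes of password + element name. No key is involved, so this is encoding only."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def is_reversible(value: str, element: str) -> bool:
    """True when value is just base64 of text ending in the element name, i.e. anyone
    who can read the file can turn it back into the password. Tries the UTF-16LE
    form Windows SIM writes first, then the ASCII form shown in the question."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    for codec in ("utf-16-le", "ascii"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text.endswith(element):
            return True
    return False


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {urn:schemas-microsoft-com:unattend}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(node, name: str):
    """Text of the first direct child with the given local name, or None."""
    for child in node:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_unattend(xml_text: str) -> list:
    """Classify every stored password in an answer file without revealing any of them.
    Handles both the <Value>/<PlainText> form used in ImageUnattend.xml and the flat
    <Credentials><Password> form of the WDS client unattend file."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        element = _local(node.tag)
        if element not in PASSWORD_ELEMENTS:
            continue
        value = _child_text(node, "Value")
        if value is None:
            # Flat form: the element text itself is the literal password.
            status = "plaintext" if (node.text or "").strip() else "empty"
        else:
            flag = (_child_text(node, "PlainText") or "").lower()
            if flag == "true":
                status = "plaintext"
            elif is_reversible(value, element):
                status = "base64-obfuscated"  # readable by anyone with file access
            else:
                status = "unrecognized-encoding"
        findings.append({"element": element, "status": status})
    return findings


# Constructed samples (not from the page): an ImageUnattend.xml fragment as Windows SIM
# writes it, and the WDS client unattend fragment from the question with a made-up password.
SAMPLE_IMAGE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""".format(obfuscate("mystrongpassword"))

SAMPLE_WDS_CLIENT_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <WindowsDeploymentServices>
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Username>Unattended</Username>
            <Domain>WORKGROUP</Domain>
            <Password>constructed-example-password</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for name, doc in (("ImageUnattend.xml", SAMPLE_IMAGE_UNATTEND),
                      ("WdsClientUnattend.xml", SAMPLE_WDS_CLIENT_UNATTEND)):
        for finding in audit_unattend(doc):
            print(f"{name}: <{finding['element']}> is {finding['status']}")
```

The outcome of the check is the same for both sample files: neither value is protected by a secret, so the only controls that actually help are the ones the thread goes on to discuss, restricting who can read the Unattend folder and not relying on a long-lived initial password at all (the LAPS approach in the second answer).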

I am not sure if what you are looking for is possible with just the deployment tools, but you should look into LAPS (Local Admin Password Solution). This automates changing the local admin passwords to something unique, and stores them in Active Directory.

https://technet.microsoft.com/en-us/mt227395.aspx

It is configurable via group policy to manage or unmanage based on OU. It also allows you to set the frequency and complexity. You could add it as a step or task in the deployment sequence.

Cory Knutson