2 Replies Latest reply on Oct 30, 2012 3:58 AM by MarXtar

    Restricting access to OSD

    jabramson Apprentice

      Here is the situation. I am using LD9 SP3. Someone "accidentally" booted their PC to PXE, although we aren't sure if he hit the function key to do it or perhaps the hard drive wasn't responding so it defaulted to this choice via BIOS settings. He then managed to get himself all the way to the OSD menu, choose a script and then proceeded to image his system.

       

      So now I have people asking me whether there is some way to insert some kind of false gate, like a password to be input, to prevent this from reoccurring. I thought about it from several perspectives, such as whether there is something that could be added before diskpart occurs, but I haven't come up with a solution yet.

       

      Has anyone else run into this type of issue and managed to resolve it from a technical point of view?

       

      Thanks in advance.

       

      -Jonathan

        • 1. Re: Restricting access to OSD
          jabramson Apprentice

          I opened up a ticket with LANDesk engineering and they explained the Secured PXE as a resolution to the problem I was having. This may be the way I have to resolve this.

           

          Response from support:

           

          This is possible. Under OSD Scripts if you select "All Other Scripts" you will see your PXE rep deployment scripts. You will then have the option in the top menu to "Build Secure PXE Rep deployment". This will allow you to enter a password that will need to be used every time an individual PXE boots. You will need to redeploy all of your PXE reps with the secure script in order for this to take effect.

           

          I am currently testing this in one of my sites and if it works I will have to deploy it to about 75 other PXE Reps. Only downside I see is that the password can't contain special characters like the $ sign and it has to be the same on each one unless you want to create multiple scripts and deploy to different servers.

           

          -Jonathan

          • 2. Re: Restricting access to OSD
            MarXtar ITSMMVPGroup

            Hi, this doesn't help you with how you are using things today, but if you make the switch over to using Provisioning scripts, then there isn't really a PXE Menu as such anymore. The Provisioning menu requires you to log in using your standard credentials (what you log into the LANDesk console with) and then you can see the provisioning templates that your account has access to. This allows you to be far more secure than the Secure PXE Rep model you are looking at now since every LANDesk Operator uses their own credentials rather than a common password and there is no need to redeploy the reps if you need to change passwords.

             

            Downside is that you will need to move your imaging processes over to provisioning to take advantage of it.

             

            Mark McGinn

            MarXtar Ltd

            http://landesk.marxtar.co.uk

            LANDesk Silver ESP

             
