Security Issues with Remote Deployment

It is essential that you understand the security issues involved with user data and accounts when using Remote Boot Services or Remote Installation Services to deploy Windows Embedded for Point of Service to multiple computers in your organization. Unattended installations have additional security considerations that you need to be aware of. When you install an operating system manually, a user can provide unique credentials that are then used to secure resources so that other users cannot compromise them.

When deploying an operating system to large numbers of computers in the enterprise environment, it is undesirable and often impossible to require a user to interact with the installation process. In this scenario, the administrator must use pre-defined user accounts to carry out the tasks necessary to complete the installation, such as connecting to network resources, saving the user state on the network, or joining the destination computer to a domain.

Because pre-defined user accounts are used to perform these tasks, and because their credentials must be readable by an intermediate operating system (Windows PE in the case of Windows Embedded for Point of Service), it is not possible to keep those credentials secret. To reduce the damage they can do if compromised, limit the privileges of these accounts on your network to only the functions they require. In addition, change the credentials for these accounts frequently, and disable the accounts when they are not in use.

In addition, to help ensure that the security of the environment is not compromised, it is strongly recommended that users with sensitive or confidential data move this data to a secure network location before an image is deployed to their computers. While an image is being deployed to a destination computer, it is further recommended that you enable security auditing on the computer, and that you closely monitor the security logs on the servers that store user state data, as well as Active Directory servers where computer accounts are being added or migrated.
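The following PowerShell script is an added example, not code from the original page or from Microsoft, that ties the preceding recommendations together for a single deployment window: it rotates the pre-defined deployment account's password, enables the account only for the run, turns on logon auditing on the servers that hold user state and on the domain controllers, disables the account afterwards, and then pulls the account's logon events and any computer-account creations from the Security logs for review. It assumes the ActiveDirectory module (RSAT) and PowerShell remoting on a domain-joined administrative host; the account name, server names and the four-hour review window are placeholders, and the event IDs (4624, 4625, 4741) are the Security log IDs used by Windows Vista and later, not the older IDs of the Windows PE-era servers this page was written for.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the page's own code). Wraps one unattended-deployment run
# in a credential rotation, an auditing check and a post-run log review.
param(
    [string]$DeployAccount = 'svc-deploy',        # placeholder: the pre-defined deployment account
    [string[]]$StateServers = @('STATESRV01'),    # placeholder: servers that store user state
    [string[]]$DomainControllers = @('DC01'),     # placeholder: DCs where computer accounts are added
    [int]$ReviewHours = 4                         # placeholder: how far back to read the logs
)

function New-RandomPassword {
    # 24 bytes from the platform CSPRNG, base64-encoded (32 characters)
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# 1. Rotate the credential and enable the account only for this deployment window.
#    The plaintext must go into the unattended-setup configuration, where Windows PE
#    can read it; that exposure is why the account has to be low-privilege.
$plain  = New-RandomPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-ADAccountPassword -Identity $DeployAccount -Reset -NewPassword $secure
Enable-ADAccount -Identity $DeployAccount

# 2. Make sure logon success/failure auditing is on before the run starts.
$targets = $StateServers + $DomainControllers
Invoke-Command -ComputerName $targets -ScriptBlock {
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

# ... the unattended deployment runs here, using $plain for $DeployAccount ...

# 3. Close the window: a disabled account makes the exposed credential useless.
Disable-ADAccount -Identity $DeployAccount

# 4. Review what happened while the account was live.
$since = (Get-Date).AddHours(-$ReviewHours)

# Logons (4624) and failed logons (4625) by the deployment account on the state servers.
$logons = Invoke-Command -ComputerName $StateServers -ArgumentList $DeployAccount, $since -ScriptBlock {
    param($acct, $since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($acct))\b" }
}

# Computer accounts created (4741) on the domain controllers during the window.
$computerAdds = Invoke-Command -ComputerName $DomainControllers -ArgumentList $since -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

"Logon events for $DeployAccount on state servers:"
$logons | Select-Object PSComputerName, TimeCreated, Id | Format-Table -AutoSize
"Computer accounts created on domain controllers:"
$computerAdds | Select-Object PSComputerName, TimeCreated, Id | Format-Table -AutoSize
```

Anything in the review output that does not line up with the deployment schedule, such as a 4625 burst from a host that was not being imaged or a computer account created outside the expected OU, is the signal the page asks you to watch for; a failed logon after step 3 is expected and confirms the account is closed.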

© 2005 Microsoft Corporation. All rights reserved.