As part of planning RIS installation security, you need to evaluate how you intend to control which operating system images you make available to specific RIS clients. If you want to control which clients can access a particular operating system image, plan to do the following:
Configure user permissions on each image you create, to define which users can install a particular image from the RIS server.
Remove specific users from the access control list (ACL) on the operating system image folder on your RIS server to prevent these users from viewing (and therefore accessing) the image.
By setting permissions in the ACL of the answer file associated with an operating system image, you can prevent certain users from installing the image. By this means, you can also configure which users can install the image. If you do not set specific permissions on the answer file, then all users can install the image. If you remove a user account (or the group account to which it belongs) from the ACL on the operating system image folder, you disable a user's ability to view an image.
If you intend to use the default answer file with your Riprep or Risetup images, you need to set permissions on the Ristndrd.sif file. Otherwise, you need to set permissions on any custom answer files you create and associate with operating system images you want to configure for access control.
Note: To enable a RIS user to view and subsequently install an operating system image from the CIW, you need to provide Read permission on both the answer file and the operating system image folder on your RIS server.
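The check below is an added example, not part of the Deployment Kit text: it audits the rule stated above by listing which identities hold Read on both the image folder and its answer file. The function names and both path parameters are hypothetical, and it assumes PowerShell with `Get-Acl` is available on the computer used for the audit.

```powershell
# Added example. Lists identities whose ACEs grant Read on a path.
# Limitation: compares ACE entries only; it does not expand group membership
# or map generic rights, so treat the result as a first-pass audit.
function Get-ReadIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $read        = [int][System.Security.AccessControl.FileSystemRights]::Read
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Inherit-only ACEs apply to children, not to the object itself.
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 }
    # Any Deny ACE overlapping Read removes that identity from the result.
    $denied = @($rules |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       ([int]$_.FileSystemRights -band $read) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value })
    $rules |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $read) -eq $read } |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $denied -notcontains $_ } |
        Sort-Object -Unique
}

# Applies the rule from the Note: Read is needed on BOTH objects.
function Test-RisImageAccess {
    param(
        [Parameter(Mandatory)][string]$ImageFolder,  # assumed: image folder path
        [Parameter(Mandatory)][string]$AnswerFile    # assumed: Ristndrd.sif or custom .sif
    )
    $folderRead = @(Get-ReadIdentity -Path $ImageFolder)
    $fileRead   = @(Get-ReadIdentity -Path $AnswerFile)
    foreach ($id in @($folderRead + $fileRead | Sort-Object -Unique)) {
        [pscustomobject]@{
            Identity       = $id
            ReadFolder     = $folderRead -contains $id
            ReadAnswerFile = $fileRead -contains $id
            ViewAndInstall = ($folderRead -contains $id) -and ($fileRead -contains $id)
        }
    }
}

# Usage (placeholder paths, substitute your own):
# Test-RisImageAccess -ImageFolder '<image folder>' -AnswerFile '<answer file>' |
#     Format-Table -AutoSize
```

A row where only one of the two Read columns is true marks an identity that has been cut off from the image by one ACL but still appears on the other, which is worth reconciling against the decisions recorded in the job aid.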
For more information about making images available to RIS clients, click the Index button in Help and Support for Windows Server 2003 and in the keyword box type Remote Installation Services, then select Best Practices.
For this part of your security planning process, use the "Operating System Image Security" section of job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate your decision to control access to operating system images by modifying the ACLs of the default or custom answer files. Also indicate whether you want to disable the user capability of viewing and installing an image and the users/groups to which this decision applies.
When a RIS server attempts to start on the network, Active Directory checks the RIS server's IP address against a list of authorized RIS servers. If a match is found, the RIS server is authorized to provide service on the network; otherwise, the RIS server is not authorized and cannot answer client service requests.
Part of your planning process for RIS server security involves assessing how you plan to authorize RIS servers on your network. You must authorize every RIS server in Active Directory to prevent unauthorized servers from servicing RIS clients on your network. The factors to consider when assessing the means for authorizing your RIS servers include:
Who you designate to perform RIS server authorizations.
Which computer you use to perform authorizations.
How you perform the authorization of RIS servers.
The person who authorizes RIS servers must be logged on as a member of the Enterprise Admins group. You can perform this task as an Administrator, but you might also consider delegating this task to qualified personnel to whom you give Administrative credentials. You might create a special security group to handle this task and add it to the Enterprise Admins group.
For this part of your security planning process, use the "RIS Server Authorization" section in job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate your decision to assign the task of authorization to specific personnel. Also record whether you plan to create a special security group for RIS server authorizers or add the user accounts of authorization personnel to the Enterprise Admins group.
You can authorize a RIS server from the Active Directory Users and Computers MMC snap-in extension (Dsa.msc) on the RIS server itself, or through a Remote Desktop session to the RIS server from a computer running Windows Server 2003 or Windows XP Professional. All the RIS administrative tools, such as the Active Directory extension, are included when you create a RIS server on a computer running Windows Server 2003.
Note: In Windows 2000, you can administer a RIS server remotely using a Terminal Session in administration mode.
Alternatively, you can authorize a RIS server from a computer running Windows XP Professional. However, to do this you need to install the Administrative Tools package on the computer running Windows XP Professional. You can install this package using the adminpak.msi application, which is located in the System32 directory of computers running Windows Server 2003.
For this part of your security planning process, use the "RIS Server Authorization" section in job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate the authorization location for your RIS servers.
The methods you can use to perform authorization of a RIS server include using the Verify function in RIS server Properties, running Risetup at the command line with the /Check argument, or using the DHCP snap-in on a computer running Windows XP Professional. To use the Verify function or Risetup at the command line, you must be logged on at the RIS server and belong to the Enterprise Admins group. To use the DHCP snap-in on a computer running Windows XP Professional, you need to install the Administrative Tools package on that computer using the adminpak.msi application.
Note that you use this same DHCP snap-in to authorize DHCP servers. Therefore, if you install RIS on a DHCP server, which is already authorized in Active Directory, it is unnecessary to re-authorize the RIS server.
Note: The authorization process does not depend on how you combine or separate RIS and DHCP, nor on whether or not you use Windows Server 2003 DHCP.
For this part of your security planning process, use the "RIS Server Authorization" section in job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate the authorization method you plan to use for your RIS servers.