





Planning for Network Security Enhancement Using Prestaged Clients

You can enhance the security of a network that contains a RIS server by prestaging client computer accounts in Active Directory. By using client computer accounts prestaged in Active Directory and configuring your RIS server to respond only to these known clients, you ensure that unauthorized clients do not receive an operating system installation. You also make sure that the prestaged clients are serviced only by authorized RIS servers.



To prestage client computer accounts in Active Directory, you must obtain the UUID for the client computer and specify it when you create the client computer account. For more information about the requirements for prestaging client computers, see "Evaluating the RIS Client Prestaging Process" earlier in this chapter. For more information about how to prestage client computers, see "Evaluating the RIS Client Prestaging Process" earlier in this chapter and "Designing the Active Directory Infrastructure" later in this chapter.

If you want to optimize security using prestaged RIS clients, plan to do the following:

Obtain the UUIDs for client computers and prestage client computer accounts in Active Directory.

Configure users of prestaged client computers with read, write, and set or change password permissions on the prestaged computer account objects.

Configure your RIS server to only respond to known (prestaged) clients by setting options in RIS server Properties.

For more information about how RIS servers respond to prestaged clients, see "RIS Server Configuration Design Tasks" later in this chapter.
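The following is an added example, not part of the original Deployment Kit text: a pre-deployment audit that compares a hardware inventory of client UUIDs with the prestaged computer accounts before the RIS server is restricted to known clients. It assumes the UUID is held in the computer object's netbootGUID attribute in the 16-byte Windows GUID layout; the host names, UUIDs and the directory export are constructed sample data standing in for a real LDAP query.

```python
import uuid
from collections import defaultdict

def netboot_guid(client_uuid: str) -> bytes:
    """16-byte netbootGUID value (assumed layout: first three GUID fields little-endian)."""
    return uuid.UUID(client_uuid.strip()).bytes_le

def ldap_filter(client_uuid: str) -> str:
    """LDAP filter for the prestaged account; each byte is escaped as \\XX (RFC 4515)."""
    escaped = "".join(f"\\{b:02x}" for b in netboot_guid(client_uuid))
    return f"(&(objectCategory=computer)(netbootGUID={escaped}))"

def audit(inventory: dict, directory: dict) -> dict:
    """inventory: {host: UUID string}; directory: {account name: netbootGUID bytes}."""
    by_guid = defaultdict(list)
    for account, guid in directory.items():
        by_guid[guid].append(account)
    report = {"missing": [], "mismatched": [], "duplicate_guids": []}
    for host, client_uuid in sorted(inventory.items()):
        owners = by_guid.get(netboot_guid(client_uuid), [])
        if not owners:
            # No prestaged account: a known-clients-only server will not answer this machine.
            report["missing"].append(host)
        elif host not in owners:
            # The UUID is prestaged, but under a different account name.
            report["mismatched"].append((host, sorted(owners)))
    # One UUID on several accounts makes the prestaged identity ambiguous.
    report["duplicate_guids"] = sorted(sorted(a) for a in by_guid.values() if len(a) > 1)
    return report

# Constructed sample data (not real machines).
UUID_A = "{00112233-4455-6677-8899-AABBCCDDEEFF}"
UUID_B = "{10203040-5060-7080-90A0-B0C0D0E0F000}"
UUID_C = "{DEADBEEF-0001-0002-0003-000000000004}"
INVENTORY = {"RISCLIENT01": UUID_A, "RISCLIENT02": UUID_B, "RISCLIENT03": UUID_C}
DIRECTORY = {
    "RISCLIENT01": netboot_guid(UUID_A),
    "LAB-OLD": netboot_guid(UUID_A),   # stale account reusing UUID_A
    "KIOSK07": netboot_guid(UUID_B),   # UUID_B prestaged under another name
}

if __name__ == "__main__":
    print(ldap_filter(UUID_A))
    for finding, items in audit(INVENTORY, DIRECTORY).items():
        print(f"{finding}: {items}")
```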

For this part of your security planning process, use job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to indicate your choices to:

Enhance security by prestaging client computers in Active Directory.

Obtain UUIDs for client computers.

Configure your RIS server to respond to known clients.

Set user permissions on prestaged computer accounts to enhance security.

Select the Active Directory domain or organizational unit to which these decisions apply.

Assessing Security Benefits of Restricting Client Installation Options

To enhance security, you can place restrictions on the client installation process by modifying Group Policy with specific RIS installation options. Group Policy applies to sites, domains, and organizational units. If you have personnel designated to deal with Group Policy issues in your organization, you can flag this as a task they need to perform.

You can use the Group Policy Object Editor MMC snap-in to alter the choices the Client Installation Wizard (CIW) displays to a particular user or user group. You can configure these choices in the Default Domain Policy or you can create new group policies for specific groups of users that require certain installation options.

If you want to enhance security using Group Policy to modify how the CIW displays installation options to the client, plan to use some of the following RIS-specific Group Policy options:

Automatic Setup. Accommodates an automatic setup process using predefined computer names and locations within Active Directory for client computer accounts. Include this option for client computers you are prestaging in Active Directory to enhance network security or for non-prestaged clients for which you predefine a computer naming format on your RIS server.

Note

Under this option, if a UUID for a client is not found in Active Directory, the client computer receives a name based on the automatic computer naming format you configure in RIS server Properties. Also, the computer account is created in the location you specify in RIS server Properties.


Custom Setup. Allows users to define a unique name for their computer and specify where to create the computer account within Active Directory. Include this option for clients you are not prestaging in Active Directory and for client computers that are to be set up by you or someone else during installation. This is a less secure configuration because the RIS server must be configured to recognize any client requesting service. For more information about defining CIW setup options in Group Policy, see "CIW Design Tasks" later in this chapter.

Restart Setup. Allows users to restart an operating system installation attempt if it fails prior to completion. It is best to include this option only with prestaged clients because it is less secure to make multiple installation attempts available to unknown clients.

Tools. Allows users to access tools, including the Recovery Console, from the CIW. Depending on which ISV and OEM tools are installed in your RIS server RemoteInstall share, you might want to limit which RIS clients can access them.

You also need to evaluate whether you want to apply the Group Policy as the default domain policy, or if you need to create new Group Policy objects for particular user groups. These choices are closely associated with how you configure the RIS deployment mode and the CIW. For more information about defining Group Policy, see "Designing for the RIS Deployment Mode" later in this chapter.

For this part of your security planning process, use the "Security Enhancement with Group Policy and User Interaction Level Control" section of job aid "Planning RIS Server Security" (ACIRIS_05.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Planning RIS Server Security" on the Web at https://www.microsoft.com/reskit) to record your decision to use Group Policy to enhance security. Also indicate if you want to use either the default domain policy or new Group Policy objects. If you plan to use new GPOs, then indicate the user groups where they apply.

