The Dell KACE K2000 Systems Deployment Appliance version 3.3.36822 and earlier uses a read-only CIFS fileshare named "peinst" to facilitate Windows deployments. This hidden, read-only fileshare is populated with pre- and post-installation tasks as well as deployment bootfiles and media used for Windows network operating system installs (called "Scripted Installs") and imaging (called "K-images").
This fileshare is hidden. It allows anonymous read-only access because of limitations in Windows PE 2005 and earlier when accessing a password-protected share as a root drive. Dell KACE has recommended in its training and documentation that:
- account credentials used in Windows unattend.xml and sysprep.inf to join computers to a domain be encrypted using Microsoft's tools
- the rights of accounts used in unattend.xml, sysprep.inf and any post-install script be assigned using the principle of least privilege. For example, an account used to add a computer to a domain should have only that right, restricted by container, and no other.
Dell KACE has plans to provide authentication for these fileshares in a future release, as earlier versions of Windows PE are phased out of its user base.
Note that requiring authentication of these shares will only provide protection against the inspection of deployment bootfiles and tasks using the CIFS protocol. Bootfiles containing credentials will necessarily be transmitted to PXE-booting workstations using TFTP, which has no data stream security. (TFTP is built into the PXE standard and has no substitute secure protocol.) Sites should still follow the encryption and least-privilege recommendations outlined above.
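One way to check a local copy of your answer files against the encryption recommendation is sketched below. This is an added example, not Dell KACE code; the function names and samples are hypothetical, and the element and key names (`Password`, `PlainText`, `DomainAdminPassword`, `AdminPassword`, `EncryptedAdminPassword`) and the treatment of a missing `PlainText` as clear text are assumptions about Microsoft's answer-file formats.

```python
import configparser
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"  # answer-file XML namespace

def audit_unattend(xml_text):
    """List clear-text password elements in an unattend.xml (values are never returned)."""
    findings = []
    for comp in ET.fromstring(xml_text).iter(NS + "component"):
        for el in comp.iter():
            tag = el.tag.replace(NS, "")
            if not tag.endswith("Password"):
                continue
            if el.find(NS + "Value") is not None:
                # <Value>/<PlainText> form: assumed clear text unless PlainText is "false"
                hidden = (el.findtext(NS + "PlainText") or "true").strip().lower() == "false"
                exposed = bool((el.findtext(NS + "Value") or "").strip()) and not hidden
            else:
                # bare text form, e.g. Identification/Credentials/Password
                exposed = bool((el.text or "").strip())
            if exposed:
                findings.append(f"{comp.get('name')}/{tag}")
    return findings

def audit_sysprep(inf_text):
    """List clear-text password keys in a sysprep.inf (values are never returned)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    sec = {s.lower(): cp[s] for s in cp.sections()}
    findings = []
    if sec.get("identification", {}).get("domainadminpassword", "").strip('" '):
        findings.append("Identification/DomainAdminPassword")
    gui = sec.get("guiunattended", {})
    encrypted = gui.get("encryptedadminpassword", "no").strip('" ').lower() == "yes"
    if gui.get("adminpassword", "").strip('" ') not in ("", "*") and not encrypted:
        findings.append("GuiUnattended/AdminPassword")
    return findings

# Constructed samples, not taken from any real deployment.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="specialize">
<component name="Microsoft-Windows-UnattendedJoin"><Identification><Credentials>
  <Domain>example.test</Domain><Username>svc-join</Username><Password>constructed</Password>
</Credentials></Identification></component>
<component name="Microsoft-Windows-Shell-Setup"><UserAccounts><AdministratorPassword>
  <Value>Y29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText>
</AdministratorPassword></UserAccounts></component></settings></unattend>"""
SAMPLE_SYSPREP = '[GuiUnattended]\nAdminPassword="constructed"\nEncryptedAdminPassword=No\n' \
                 '[Identification]\nJoinDomain=EXAMPLE\nDomainAdminPassword=constructed\n'

if __name__ == "__main__":
    print(audit_unattend(SAMPLE_UNATTEND), audit_sysprep(SAMPLE_SYSPREP))
```

Any account the audit reports is one whose rights should be reviewed first under the least-privilege recommendation.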
Some sites may not be able to conform to these recommended policies for historical or administrative reasons. Sites with high security requirements may want to consider dedicated deployment-only networks.
Customers with questions or concerns may contact Dell KACE support.