Security hardening tips and recommendations

This document will help you harden the security of the OS Deployer server.

Apply the latest security patches

At OS Deployer, we are focused on ensuring customer security. OS Deployer immediately releases security patches for all identified issues. Follow the security group to stay updated on the security patches released. Also, upgrade to the latest service pack to get the new features, enhancements, and issue fixes.

Enable secure login

To enable secure login, go to the Admin tab, click Security Settings, and under Secure login perform the following steps:

  1. Enable Secure Login (HTTPS).
  2. Configure a complex password.
  3. Configure two-factor authentication.
  4. Disable default admin credentials.

Use trusted third-party certificates

A default self-signed certificate is provided with the OS Deployer server for secured communication using HTTPS. However, it is recommended to configure OS Deployer with a trusted third-party certificate to ensure secured connections between the network computers and the server.

Enable secure agent-server communication

To enable secure agent-server communication, go to the Admin tab, click Security Settings, and under Secure agent server communication perform the following steps:

  1. Enable secure communication for LAN and WAN agents.
  2. Enable certificate-based authentication for agent-server communication. This will disable older versions of TLS.
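
To confirm that the certificate and TLS settings above took effect, a check like the following can be run from a client machine. It is an added example, not part of OS Deployer or its documentation; the host name and port are placeholders, and treating TLS 1.0 and 1.1 as the "older versions" is an assumption.

```python
import socket
import ssl
import warnings

VERIFY_REASONS = {  # OpenSSL X.509 verify codes relevant to this check
    10: "certificate expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "issuer not in the client's trust store",
    62: "hostname mismatch",
}
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)  # assumed "older versions"

def check_trusted_cert(host, port, timeout=5.0):
    """Handshake against the system trust store; return (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, VERIFY_REASONS.get(exc.verify_code, exc.verify_message)
    except OSError as exc:
        return False, f"no TLS handshake: {type(exc).__name__}"

def accepts_protocol(host, port, version, timeout=5.0):
    """True only if the server completes a handshake pinned to `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # only the protocol is under test
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let this client offer legacy TLS
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except (OSError, ValueError):
        return False

def audit(host, port, timeout=5.0):
    ok, detail = check_trusted_cert(host, port, timeout)
    legacy = [v.name for v in LEGACY if accepts_protocol(host, port, v, timeout)]
    return {"trusted_cert": ok, "detail": detail, "legacy_tls_accepted": legacy}

if __name__ == "__main__":
    # Placeholder host and port: substitute your OS Deployer server's values.
    print(audit("osdeployer.example.internal", 443))
```

A server still using the default self-signed certificate reports `trusted_cert: False` with the reason "self-signed certificate"; a hardened server should report `trusted_cert: True` and an empty `legacy_tls_accepted` list.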

Protect the following OS Deployer information

  1. Do not share the following with anyone:
    • Image Creator Component binaries
    • The Bootable Media file
    • The Deployment Passcode (when configuring the Deployment Task)
    • The Image File
    • The User Profile Backup (USMT)
  2. Place the Image and Driver repositories in a password-protected Network Share.
  3. Use either the MAC Address of the target computer(s) or the authentication pass code to initiate deployment. This avoids sharing admin credentials.
  4. Scan the installation files for malicious content when the post deployment activity involves installing applications.
  5. When adding a new user during the Deployment Template creation, enable Complex Password and associate the local users to their respective target computers.
  6. Under Settings, configure the passcode policy with a passcode length of 6 characters and an alphanumeric passcode pattern. This passcode will be used in deployment tasks, instant tasks, and standalone tasks.
  7. Enable the passcode lockout policy, which locks users out of deployment after the specified number of invalid passcode attempts.

General settings to ensure security

  1. From your OS Deployer console, navigate to the Admin tab -> Database Settings and click Database Backup. You can schedule a time at which the database is backed up every day. You can also set the number of backups to be stored, beyond which older backups are deleted automatically. It is highly recommended to enable notifications for database backup failures. Furthermore, secure the database backup using a password.
  2. Under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask Personal Information
    • Remove Personal Information
    • Retain Personal Information
    • Or let the Technician Decide

    It is recommended to select Remove Personal Information when configuring report export and scheduling.

Miscellaneous settings

  1. Set the session timeout as low as possible.
  2. In the web console, click the user profile picture at the top right and click Personalize. Here, set the minimum possible period for Session Expiration.
  3. Monitor the active sessions on the OS Deployer web console and close the stale sessions.
  4. It is highly recommended to:
    • change the passwords of all the technicians every 90 days.
    • not host the Distribution Server as an edge device.
    • not share the Desktop Central agent registry and logs with anyone except Desktop Central Support.
