[wpkg-users] Computer account

le dahut le.dahut at laposte.net
Fri Nov 20 14:35:28 CET 2009



Falko Trojahn wrote:
> le dahut wrote:
>> I hope there will be a way to use computer account because I can't leave
>> a share writeable to "nobody" nor can I use a domain account for WPKG
>> client. Those 2 solutions are not secure enough.
> I use log- and status-writing to samba share without problems, running
> wpkg client as system account as usual.
> 
> We have:
> 
> - a share writeable for admins and for "wpkg" user
> - all folders within this share readable for wpkg user and writeable to
> admins
> - folders "status" and "logs" writeable for wpkg user
> 
> Since wpkg user and password are only known to admins, I think this
> could be a possible solution
> for you, too.
> 
> 
> Regards,
> Falko
> 
> 

The problem is that a workstation can be compromised. If a compromise 
occurs, the wpkg user's password will be known and thus will have to be 
changed and updated on all workstations.

Having a different password for every workstation increases security and 
shortens the administration tasks by not having to maintain a special 
account for WPKG and not having to update every workstation when the wpkg 
user's password has been discovered.

The configuration file "settings.xml" must contain the password to 
permit an easy installation of WPKG client and so cannot be copied to a 
public share or a Web, FTP, etc. repository.

This points to the massive deployment of WPKG, where administrators of 
multiple sites (each site has its own PDC) want a centralised WPKG 
management. They could copy "config.xml" and "settings.xml" (and other 
WPKG .xml files hosts/packages/profiles) to a public share and write a 
scheduled script that downloads them, and so thousands of workstations could 
be updated like this.
But this can work only with computer account or another authentication 
method using a different password for each computer.
This could also work with no write access to a "guest = ok" WPKG share. 
But this implies that all the .exe .msi would be accessible for everyone...

Of course one would answer me : Or, more easy, some people have their 
own laptop which they use at work, which can log on the domain at 
work... At home, users are "Administrator" on their computers... ;-)



This is not a critique. These are only some points of view that I have from 
my position and which, I think, could help future reflection about 
WPKG improvement.
I understand also that WPKG is conceived to work with the SMB/CIFS protocol, 
with the restrictions that it imposes.

K.
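
Added example, not part of the original post or of WPKG: a Python audit, meant to run on the Samba server, of the folder layout Falko describes, in which the client account may write only to "status" and "logs". It assumes plain POSIX mode bits (ACLs are ignored); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption from the quoted layout: only these top-level folders are client-writable.
CLIENT_WRITABLE = {"status", "logs"}

def can_write(st, uid, gids):
    """Mode-bit check (no ACLs): may this uid/gid set create files in the directory?"""
    if uid == st.st_uid:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & bits == bits

def audit_share(root, uid, gids, writable=CLIENT_WRITABLE):
    """Return sorted (relative path, problem) findings for the share tree."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        rel = os.path.relpath(dirpath, root)   # "." is the share root itself
        expected = rel.split(os.sep)[0] in writable
        st = os.stat(dirpath)
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if can_write(st, uid, gids) and not expected:
            # Write access here lets a leaked client credential alter packages or XML.
            findings.append((rel, "client account can write here"))
        if expected and not can_write(st, uid, gids):
            findings.append((rel, "client account cannot write status/log data"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree; "hosts" is deliberately left group-writable.
    root = tempfile.mkdtemp()
    for name, mode in (("packages", 0o755), ("status", 0o775),
                       ("logs", 0o775), ("hosts", 0o775)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    st = os.stat(root)
    # Simulate the client account as a non-owner member of the tree's group.
    for finding in audit_share(root, st.st_uid + 1, {st.st_gid}):
        print(finding)
```

Pass the real uid and group ids of the account the WPKG client authenticates as; an empty result means only "status" and "logs" accept writes from it.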




