Blog Posts tagged with K2000 RSA


Samba CVE-2012-1182, the K1000 and the K2000

On April 10, 2012, the developers of Samba revealed a remote code execution vulnerability with potentially serious security consequences.  The vulnerability is described in detail at https://www.samba.org/samba/security/CVE-2012-1182. The version of Samba used in KACE K-Series appliances contains the vulnerability.

The Dell KACE team is preparing an update to each appliance that will upgrade Samba to a compatible version which does not contain the vulnerability.  We hope to have that update ready soon.

In the meantime, there are precautions that can be taken to mitigate the potential vulnerability:

Dell KACE K1000 and VK1000 Systems Management Appliances, all versions:

Samba file shares are only necessary for provisioning the K1000 agent.  If your security team recommends the disablement of Samba until a patch is available, you can provision the agent through other mechanisms.  Samba can be disabled by logging into the web admin console and navigating to Settings/Control Panel/K1000 Security Settings and unchecking the box for "Enable File Sharing" under "Samba Share Settings".

Dell KACE K2000 and VK2000 Systems Deployment Appliances, all versions:

Samba shares are an integral part of K2000 and VK2000 functionality, and cannot be manually disabled.  Dell KACE recommends that access to appliance Samba shares be limited by means of physical and network security to mitigate this possible vulnerability until the security update is available from Dell KACE. 


Customers with questions or concerns may contact Dell KACE support or reply in this thread.  I'll do my best to answer your questions and update this thread as more information becomes available.
 

 


I've upgraded to 3.4, now what?

So you have applied the 3.4 update, or are about to, and want to know what changes should be expected?

 

If you have not already installed the update we recommend you follow the procedure outlined here for a smooth update.

  1. Have a backup of your images, scripted installs, media, pre/mid/post install tasks, etc.
  2. Under Settings & Maintenance | Security, enable “Allow SSH Root Login (KACE Support).”  This will allow support to log in to the box should anything go wrong.
  3. Reboot the K2000 prior to installing the update.
  4. Apply the update.

 

If your driver/restore share password is anything other than admin, you should start by creating a new KBE with the latest version of the KACE Media Manager, available for download from your k2000 library tab.  This update locks down the petemp and peinst shares that were open in the past and now require authentication to access them.
Also if you have any Mac NetBoot environments you will need to create new ones to access these shares, or if you want to add a Lion NetBoot environment. Again, the 3.4 media manager is required to build these environments.
For instructions on how to create a KBE refer to your admin guide, or this knowledgebase article.

 

The driverfeed has been updated to version 2. Drivers that have been downloaded from the feed will automatically be installed on your scripted installs.
There are a few changes, though, that you should be aware of.  If you had implemented driverfeed in the past then you should refer to this knowledgebase article [http://www.kace.com/support/resources/kb/article/K2000-3-4-Drivers-Postinstallation-Structure] to straighten out your driver feed.
If you have models other than Dell, you can implement those into the drivers_postinstall directory manually; just follow this knowledgebase article [http://www.kace.com/support/resources/kb/article/K2000%20-Setting-up-Driver-Feed-with-non-Dell-Systems-in-3-4].
The driverfeed is not automatic with your images, but you can still use the driverfeed workaround with your images; look at this itninja post.

The drivers_postinstall directory now will automatically sync with your RSAs, so if you created this directory on petemp in the past, you can now remove them.  Don't forget to upgrade your RSAs though.  You can do this right from the K2000.  Browse to Deployments | Remote Sites.  Click on the detail page of an RSA, then click on "Check for Update." Once it reports an update is available, you can then click on "Apply Update."  Remember this will reboot the RSA.

 

If you've been waiting for SSL, then you’ll find the ability to add certificates under Settings & Maintenance | Security.

 

If you want to explore the KACE Native Imaging Toolkit, check out those videos to get started and implement the limited feature on your system.

 

Are you running out of space on your K2000? Or afraid you will after implementing the KACE Native Imaging Toolkit? Then you’ll be interested in using our offboard storage feature in 3.4.  Review this knowledgebase article for additional information.

 

Want to add features to KBE or upload a custom boot environment? Check out the KBE Manipulator add-on application and videos on how to use it.

 

Unfortunately, we did find a bug or two with the 3.4 update, but they are minor, dealing only with sysprepped images, and we have fixes that you can implement if needed.

  1. KCleanup does not run in a 3.4 sysprepped image
  2. K2000_deployment_info.conf file is not copied in a sysprepped image

 

What else is new with 3.4? Here is a mini video tour demonstrating the tweaks that we made to the K2000.


Optiplex 980 delay when PXE Booting

I have recently found that the Optiplex 980 with BIOS A09 and A012 experiences an extreme delay when PXE booting.  The delay was anywhere between 1-2 hours but it would eventually boot the KBE Main Menu.

I believe there are other BIOS versions affected, based on my research on it from other users, but for sure what I tested was A09 and A012.

The newest revision of the BIOS, A13, released Feb. 1, 2013, fixes this issue.

Flash the bios to A13 and this will fix the issue.

http://www.dell.com/support/drivers/us/en/04/DriverDetails/Product/optiplex-980?driverId=MMTX7&osCode=W764&fileId=3114093175

Also this link is to flash a bios without having the OS on it.

http://ubuntuforums.org/showthread.php?t=1901977


Capturing WIM images locally with custom KBE

Since K2 v3.5 takes away the ability to capture WIM images to the RSA (which was made available with the 3.4 KNIT) I have been searching for a good method to restore this ability.  A helpful KACE support rep showed me how to incorporate GimageX, which is a third party tool that is basically a graphical shell of imagex, into my KBE.  But it requires opening a command prompt and calling a batch file to start the tool up.  Not the most user-friendly process for people who were used to pointing and clicking to start a capture.

Also, imagex is technically not supported with Windows 8 or Server 2012, and I didn't have much success capturing a Windows 8 image using GimageX as a result.  The remaining option is to use the /Capture-Image command with DISM, which was made available in WinPE 4.  Except...the K2 doesn't use WinPE 4 yet.  So, what is the solution?

I am experimenting with a custom KBE using the WinPE boot.wim from the ADK (which is WinPE 4) with custom commands added to the startnet.cmd file.  If you don't know how to manipulate boot.wim, research "custom WinPE" to get started, it's not very difficult.  You upload your finished boot.wim with the KBE Manipulator using the "Custom .iso" option.

I decided to post this experiment here for feedback, and to see if anyone else could benefit from this in some way.  It may seem like a lot of work when I could just capture to the K2 using the existing method, but in my environment that is not a good solution because we have 80+ locations and I can't manage separate images for each one.

Here is the basic example of my startnet.cmd:

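@echo off
title Follow the prompts to capture your image
rem Initialize WinPE (networking and devices) before mapping the share
wpeinit
SET /P School=What is your school number?:
rem Map T: to the share named after the school number
net use t: \\%School%m\%School%m\image password /user:dsdut\image
SET /P Name=What would you like to name your image?:
rem Capture C:\ into a WIM in the ImageStore folder on the mapped share
Dism /Capture-Image /ImageFile:T:\ImageStore\%Name%.wim /CaptureDir:C:\ /Name:"%Name%"
echo Finished.
rem Leaving the script ends WinPE, which reboots the computer
Exit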

As you can see, after the "wpeinit" command the user will be prompted to provide input that will be used as a parameter for the "net use" command.  That line maps the T: drive to a server share that is named according to school number.  For instance, typing "402" at the prompt will turn "\\%School%m\%School%m\image" into "\\402m\402m\image", where the ImageStore folder resides.

The next line asks for input again, and uses it to supply the name of the .wim file in the same basic fashion.  With the "@echo off" statement, all the user will see in this KBE is an empty command prompt window as WinPE is initializing, then it will display each question along with the user-inputted response, and finally the capture progress.  After the capture is complete it will exit the KBE and the computer will reboot automatically (which doesn't happen in the official KBE, and if desired you can eliminate the "Exit" command to stop this from happening).

I have a second custom KBE that's slightly more in-depth:

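@echo off
title Follow the prompts to capture your image
rem Initialize WinPE (networking and devices) before mapping the share
wpeinit
SET /P School=What is your school number?:
rem The tech department ("cts") uses the image1 server
IF /I "%School%" == "cts" GOTO Image1
rem Operands left unquoted so GEQ compares numbers; quoted values are
rem compared as strings, which would send "99" to image2
IF %School% GEQ 146 GOTO Image2
rem School numbers 145 and lower fall through to image1
:Image1
net use t: \\image1\image1\%School% password /user:dsdut\image
GOTO End
:Image2
net use t: \\image2\image2\%School% password /user:dsdut\image
:End
SET /P Name=What would you like to name your image?:
rem Capture C:\ into a WIM in the ImageStore folder on the mapped share
Dism /Capture-Image /ImageFile:T:\ImageStore\%Name%.wim /CaptureDir:C:\ /Name:"%Name%"
echo Finished.
rem Leaving the script ends WinPE, which reboots the computer
Exit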

In this case, we have two separate servers set up as image shares, and certain schools are assigned to each one.  I didn't want to build two separate KBEs if I could use the school number parameter to determine which share to map.  Using the GEQ (greater than or equal) variable or any of its counterparts appropriately, I can tell it to map T: to \\image2 if the school number was 146 or higher, and if 145 or lower it will automatically use \\image1 by default.  I even have a little caveat in there for our tech department, so if I type "cts" it will also map to \\image1 since we use that server also (and since I can't use "cts" along with the GEQ variable).

This is the only method I can think of for capturing Windows 8 images directly to the RSA.  If someone has a different method I would be interested in knowing about it.  I've noticed that hardly anyone is very interested in capturing directly to the RSA (and apparently KACE saw this too and thus nixed the ability in 3.5) and I wish we didn't need to, but our structure dictates it.  Plus, I like having the raw WIM files to mount and edit.

Thanks for reading!
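
A hardened variant of the second startnet.cmd, added here as an example and not part of the original post: it validates both answers before they reach `net use` and `Dism`, and passes `*` to `net use` so the share password is typed at capture time instead of being stored in boot.wim. The label names, the `Server` and `rest` variables, and the allowed character set for image names are assumptions; the share paths and account are the ones shown in the post.

```batch
@echo off
rem Added example, not the post author's script. Delayed expansion keeps typed
rem characters such as ampersands, pipes and quotes from being parsed as commands.
setlocal EnableDelayedExpansion
title Follow the prompts to capture your image
wpeinit

:AskSchool
set "School="
set /P "School=What is your school number?: "
if not defined School goto AskSchool
if /I "!School!"=="cts" goto Image1
rem Strip every digit; anything left over means the input was not a number.
set "rest=!School!"
for %%D in (0 1 2 3 4 5 6 7 8 9) do if defined rest set "rest=!rest:%%D=!"
if defined rest goto AskSchool
rem A leading zero would make IF read the value as octal, so reject it.
if "!School:~0,1!"=="0" goto AskSchool
rem Unquoted operands: GEQ compares numbers, not strings.
if !School! GEQ 146 goto Image2

:Image1
set "Server=image1"
goto MapShare
:Image2
set "Server=image2"

:MapShare
rem The asterisk makes net use prompt for the password at run time.
net use t: \\!Server!\!Server!\!School! * /user:dsdut\image
if errorlevel 1 goto AskSchool

:AskName
set "Name="
set /P "Name=What would you like to name your image?: "
if not defined Name goto AskName
rem Assumed policy: image names may use only letters, digits, hyphen and underscore.
rem Substring replacement is case-insensitive, so lowercase letters cover both cases.
set "rest=!Name!"
for %%C in (a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 - _) do if defined rest set "rest=!rest:%%C=!"
if defined rest goto AskName

Dism /Capture-Image /ImageFile:"T:\ImageStore\!Name!.wim" /CaptureDir:C:\ /Name:"!Name!"
echo Finished.
exit
```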

 

K2000 Deployment Workbench

K2 Advisor

  • An .html overview of your SDA (version 3.6 and higher) that can identify issues and link to appropriate KB articles.

KBE Manipulator

  • Allows for manipulation of KBE that is uploaded to your K2000, including assigning static IP, adding ADSI, ODBC, DCCTK, Command | Configure, .Net4, Powershell, adding custom DOS commands, or uploading custom .wim/.iso's.

Sysprep Creator Wizard

  • Walks user through creating an unattend file for Windows 7/8/10

Driver Feed Builder

  • Harvest or extract executable drivers and upload to the K2000.

Get/Set ComputerName

  • Allows saving of computername from workstations or apply new names.

Kace Streaming WIM Toolkit

  • Toolkit that allows deployment of K2000 captured wims to be streamed

Default Deploy

  • Script that allows deployment of a default image/scripted install to machines

Export Wi-Fi Profiles

  • Script that will export profiles and .zip them up with a script to deploy them with a K1 or K2

Driver Feed Advisor

  • Script to show the driver feed path of a workstation, via the K1000 or K2000

Upgrading to Windows 10

  • Tasks that provide a solution to upgrading a workstation to Windows 10 using the K2000

USMT 10 loadstate fails when deploying Windows 7

  • A script that will copy the files necessary into USMT so that a Windows 7 deployment is successful with loadstate

Set Autologon Count

  • Change the autologon count in an unattend file of a sysprepped image

Task Timeout Modification Script

  • Modify the task timeout period of each task on version 3.6 or higher.

Using the K2000 UltraVNC during Windows Post Install Tasks

  • Be able to remote into Windows during Windows PO Tasks

Dismiss Windows 7 Scripted Install Error in WinPE4 and WinPE5

  • Pre Installation task that will dismiss the errors when deploying a Windows 7 SI with WinPE4/5

Disable the DPInst Reboot for Windows 7 or higher Images that use driverfeed

  • disables the reboot for dpinst since it is not needed for Windows 7 or higher

Kace Appliance Package Export Report

  • Creates an .html report of exported packages.

Linux Deployment Toolkit for 3.5 SP1 and 3.6

  • Allows for the deployment of linux kickstart

Automatically Naming a Macintosh Computer using the K2000

  • A script that behaves similarly to wsname for Windows.

Maintain KUID of a Macintosh System using the K2000.

  • capture the kuid of a Macintosh system and put it back to the workstation as a midlevel task.

Screen Resolution Changer

  • A script to either maintain screen resolution from each workstation, or assign a new one.