Software Engineering Institute

According to Dell KACE's knowledge base article: "The Dell KACE K2000 Systems Deployment Appliance version 3.3.36822 and earlier uses a read-only CIFS fileshare named "peinst" to facilitate Windows deployments. This hidden, read-only fileshare is populated with pre- and post-installation tasks as well as deployment bootfiles and media used for Windows network operating system installs (called "Scripted Installs") and imaging (called "K-images"). This fileshare is hidden. It provides anonymous read-only access because of limitations with Windows PE 2005 and earlier in accessing a password-protected share as a root drive."

A remote unauthenticated attacker may be able to retrieve the device's administrator password and device system information.

Dell KACE has plans to provide authentication for these fileshares in a future release, as earlier versions of Windows PE are phased out of its user base.

Encrypt Account Credentials and Limit Account Access

According to Dell KACE's knowledge base article: Dell KACE has recommended in its training and documentation that:

• Account credentials used in Windows unattend.xml and sysprep.inf to join computers to a domain be encrypted using Microsofts tools.
• The rights of accounts used in unattend.xml, sysprep.inf and any post-install script be assigned using the principle of least privilege. For example, accounts used to add a computer to a domain only have that right, restricted by container, and no other.