Remote Installation Services (RIS)

In scenarios where you don’t want unknown clients to be provided images by RIS, your best defense is to pre-stage client computers. This process pre-creates computer accounts in advance, and associates all computer accounts with a unique identifier referred to as a Globally Unique Identifier (GUID), a unique 128-bit number. By default, the GUID will be stored in the BIOS of a NetPC or PC98 computer. Prestaging the account (which stores the GUID along with the computer account in AD) ensures that only the system that has the associated GUID can use the account. This also helps circumvent having to give users the ability to create accounts in Active Directory. For maximum security, configure the RIS server to only respond to clients that have been pre-staged. The GUID for a client system can usually be found in the BIOS, but is sometimes found on a label on the case of a PC. If you cannot find the GUID, start a manual RIS installation and record the GUID that appears onscreen. You could also sniff the network for a DHCPDiscover packet from the client, which will also contain the GUID. If the system does not have a GUID, you can use the MAC address of the system padded with leading zeros as the GUID for prestaging purposes. The example below shows the screen you could expect when creating a new computer account in a RIS-based environment.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.