
The Four Files You Need to Remove from Configuration Manager’s Environment

By Garth Jones

Dana Epp (@DanaEpp) recently gave a fascinating presentation about the vulnerabilities facing Configuration Manager, from the daily outside threats to the challenges that ConfigMgr administrators and Microsoft Deployment Toolkit (MDT) administrators face in blocking them.

At the very least, Dana strongly recommends that you remove four specific files from all of your computers in order to make your environment more secure.

Do you need more convincing? Take the C:\sysprep.inf file. You may not be aware of it, but it contains the Local Administrator’s password in clear text. With this piece of intelligence a hacker can gain access to all workstations! If this is all a hacker needs to get a toehold within your environment, how long will it be until they have a Domain Administrator’s account username and password?

The four files that need to be removed are:

  • C:\sysprep.inf
  • C:\sysprep\sysprep.xml
  • %windir%\Panther\Unattend\Unattend.xml
  • %windir%\Panther\Unattend.xml

Below is a sample sysprep.inf file.

The Four Files You Need to Remove from Configuration Manager - Sample File

I will be encouraging all of my clients to follow Dana’s advice, and I agreed to help Dana get the word out by writing this blog post. If you want more information, you can review his presentation outline on the TASK website.

Keep in mind that this process involves a number of steps, so I will break this series into five blog posts.

Let’s get started by finding these problem computers.

In the ConfigMgr 2012 console, we’ll create one Configuration Item (CI) for each of the four files in order to detect them on any workstation. Although these steps are written for ConfigMgr 2012, they are basically the same for ConfigMgr 2007.

I will show the process for sysprep.inf; you will then need to repeat these steps for the remaining three files yourself.

The Four Files You Need to Remove from Configuration Manager - Step 1 

1. In the ConfigMgr 2012 console, go to Assets and Compliance | Overview | Compliance Settings | Configuration Items, and then click Create Configuration Item in the toolbar.

The Four Files You Need to Remove from Configuration Manager - Step 2 

2. Enter a Name for the Configuration Item, and then click Next.

Note: Remember this name; we will need it in my next blog post, which covers creating the Configuration Baseline.

The Four Files You Need to Remove from Configuration Manager - Step 3 

3. Click Next.

The Four Files You Need to Remove from Configuration Manager - Step 4 

4. Click New.

The Four Files You Need to Remove from Configuration Manager - Step 5 

5. In the Name field, enter a friendly name for the setting. In my example I have used the file’s name, sysprep.inf, to help with troubleshooting later.

Change the Setting type to File system.

Enter the Path to the file: C:\

Enter the File name: sysprep.inf

Note: If you browse for the file on this screen, a compliance rule is created automatically. You will still need to adjust that rule in the next step.

The Four Files You Need to Remove from Configuration Manager - Step 6

6. Click New or Edit (see note in previous step).

The Four Files You Need to Remove from Configuration Manager - Step 7 

7. Set the rule name to sysprep.inf must NOT exist.

Change the Rule type to Existential.

Select File must not exist on client devices.

Change the Noncompliance severity for reports to Critical, and then click OK twice to return to the wizard.

The Four Files You Need to Remove from Configuration Manager - Step 8

8. Click Summary.

The Four Files You Need to Remove from Configuration Manager - Step 9 

9. Click Next.

The Four Files You Need to Remove from Configuration Manager - Step 10 

10. Click Close.

Repeat the above steps to create three additional Configuration Items, one for each of the remaining files to be removed:

  • C:\sysprep\sysprep.xml
  • %windir%\Panther\Unattend\Unattend.xml
  • %windir%\Panther\Unattend.xml
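If you want to check a machine before the baseline reaches it, or prefer a Script setting over the File system setting used above, the same "file must NOT exist" test can be scripted. The PowerShell below is an added example written for this post; it is not code from the original post, from ConfigMgr or from MDT. The four paths are the post's own; the function name, the credential markers and the constructed demo file are assumptions made for the example. It reports only whether a credential field is present in a found file, never the value.

```powershell
# Added example: not code from the original post, nor from ConfigMgr or MDT.
# Audits a workstation for the four answer files the post says to remove and,
# for each one found, reports whether it still carries a credential field.
# Only presence is reported; no password value is ever written to the output.
# The four paths are the post's own; the function, markers and demo file are
# assumptions made for this example.

$FourFiles = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    (Join-Path $env:windir 'Panther\Unattend\Unattend.xml'),
    (Join-Path $env:windir 'Panther\Unattend.xml')
)

# Credential markers by file format. sysprep.inf is INI-style and stores the
# local Administrator password under [GuiUnattended] as AdminPassword=; the XML
# answer files store it in AdministratorPassword and Password elements.
$IniMarkers = @('^\s*AdminPassword\s*=', '^\s*DomainAdminPassword\s*=')
$XmlMarkers = @('<AdministratorPassword>', '<Password>')

function Test-AnswerFile {
    # Returns one object per path. Compliant mirrors the CI rule built in the
    # post ("file must NOT exist"); HasCredential shows how urgent the cleanup is.
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p -PathType Leaf
        $hasCredential = $false
        if ($exists) {
            $markers = if ($p -like '*.xml') { $XmlMarkers } else { $IniMarkers }
            foreach ($m in $markers) {
                # -Quiet returns $true/$false instead of the matching line,
                # so the secret itself never reaches the pipeline.
                if (Select-String -LiteralPath $p -Pattern $m -Quiet) {
                    $hasCredential = $true
                    break
                }
            }
        }
        [pscustomobject]@{
            Path          = $p
            Exists        = $exists
            HasCredential = $hasCredential
            Compliant     = -not $exists
        }
    }
}

# --- Offline demonstration against a constructed sysprep.inf (not a real file) ---
$demoDir  = Join-Path $env:TEMP 'fourfiles-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'sysprep.inf'
@'
[Unattended]
    OemSkipEula=Yes
[GuiUnattended]
    AdminPassword="PLACEHOLDER-NOT-A-REAL-PASSWORD"
    OEMSkipRegional=1
    TimeZone=20
[UserData]
    FullName="Workstation User"
    ComputerName=*
'@ | Set-Content -LiteralPath $demoFile

Test-AnswerFile -Path $demoFile | Format-Table -AutoSize
Remove-Item -LiteralPath $demoDir -Recurse -Force

# --- Audit of this machine: every row with Compliant = False is a finding ---
Test-AnswerFile -Path $FourFiles | Format-Table -AutoSize
```

Run it from an elevated prompt, since the Panther folder under %windir% is normally readable only by administrators. Any row with Exists = True is the same non-compliance the Configuration Item above reports; a row that also shows HasCredential = True is the case described at the start of the post, a clear-text Local Administrator password sitting on the workstation, and should be cleaned up first.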

In tomorrow’s blog post, I will show you how to create the Configuration Baseline in order to deploy these items.