What alternatives exist to using TFTP in setup
I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar to GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run the TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I think there should be a better way than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?
windows tftp
edited Feb 22 '13 at 12:09
user857990
asked Feb 22 '13 at 8:13
user857990
In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. Later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?
– replay
Feb 22 '13 at 8:50
If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocol I'd be happier. :)
– user857990
Feb 22 '13 at 9:04
What are the assets you are trying to protect, and what are the threats you are trying to protect them from?
– Michael Hampton♦
Feb 22 '13 at 11:27
@MichaelHampton Just commented on the answer below.
– user857990
Feb 22 '13 at 11:40
1
Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.
– Michael Hampton♦
Feb 22 '13 at 11:43
1 Answer
What is the security concern?
Is your concern the TFTP server might get hacked and the system abused for something else? Then something like a chroot solution would make the most sense.
Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read-only mode.
Or is your concern that somebody else is going to put a DHCP server in your network and start distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than PXE boot.
You also talk about filtering traffic. I think the question of whether filtering makes sense or not depends heavily on your case. If you have only a limited number of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (e.g. an ISP distributing ROMs for modems), filtering will be harder.
answered Feb 22 '13 at 9:16
replay
Read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar to GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.
– user857990
Feb 22 '13 at 11:38
It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.
– replay
Feb 22 '13 at 11:52
I edited my original question. Hope it makes things clearer.
– user857990
Feb 22 '13 at 12:13
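The kind of server-side check the last comments allude to, as an added example that is not part of the original thread: a read-only TFTP request handler that parses the request and refuses any filename resolving outside its root, including the traversal string from the question. The root C:\tftproot and all function names are assumptions made for the illustration.

```python
import ntpath   # Windows path rules on any host OS, so the check is deterministic
import struct

OP_RRQ, OP_WRQ = 1, 2                  # RFC 1350 opcodes
ALLOWED_MODES = {"octet", "netascii"}
TFTP_ROOT = r"C:\tftproot"             # assumed root directory for this example


class Rejected(Exception):
    """Raised when a request must be refused before any file is opened."""


def parse_request(packet: bytes):
    """Split an RFC 1350 request into (opcode, filename, mode)."""
    if len(packet) < 4:
        raise Rejected("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    fields = packet[2:].split(b"\x00")   # filename NUL mode NUL [options...]
    if opcode not in (OP_RRQ, OP_WRQ) or len(fields) < 3 or not fields[0]:
        raise Rejected("malformed request")
    try:
        return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise Rejected("non-ASCII filename or mode") from None


def resolve_read(packet: bytes, root: str = TFTP_ROOT) -> str:
    """Return the absolute path to serve, or raise Rejected."""
    opcode, filename, mode = parse_request(packet)
    if opcode != OP_RRQ:
        raise Rejected("server is read-only: write requests refused")
    if mode not in ALLOWED_MODES:
        raise Rejected("unsupported transfer mode")
    if ":" in filename:
        # Drive letters (D:\x) and NTFS alternate data streams (file:stream).
        raise Rejected("colon not allowed in filename")

    root_norm = ntpath.normpath(root)
    # join() lets a rooted name (\windows\win.ini) replace the root, and
    # normpath() collapses "..", exposing where the name really points.
    candidate = ntpath.normpath(ntpath.join(root_norm, filename))

    # Compare case-insensitively and with a trailing separator, so that
    # C:\tftproot2 is not mistaken for a child of C:\tftproot.
    prefix = ntpath.normcase(root_norm).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        raise Rejected("path escapes the TFTP root")
    # Lexical check only: junctions or symlinks inside the root need a
    # resolved-path comparison too, and the chroot / unprivileged account
    # from the answer remain the backstop.
    return candidate


def make_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a constructed sample packet for the demonstration below."""
    return (struct.pack("!H", opcode) + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


def decision(packet: bytes) -> str:
    """Return the served path, or 'REJECT: <reason>' for logging."""
    try:
        return resolve_read(packet)
    except Rejected as exc:
        return f"REJECT: {exc}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for op, name in [(OP_RRQ, "boot/pxelinux.0"),
                     (OP_RRQ, "asdf/../../../../windows/win.ini"),
                     (OP_RRQ, "../tftproot2/image.wim"),
                     (OP_WRQ, "boot/pxelinux.0")]:
        print(f"{op} {name!r:45} -> {decision(make_request(op, name))}")
```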