
Chapter 2: Installing Deployment Solution 6.8SP2 

Feb 12, 2008 01:56 PM

The key steps are:

  1. Creating a service account (temporarily making it a member of the local Administrators group)
  2. Installing Deployment Solution
  3. Granting the service account full NTFS permissions over the express program folder, which lets us remove the service account from the Administrators group
  4. Demoting the service account from sysadmin over the SQL instance and granting it db_owner rights over the express database instead

Security: Creating an Altiris Service Account

One oddity in the Deployment Solution (DS) installation wizard is that it asks you to provide an administrative account for running the DS services. This is misleading: it incorrectly implies that the Altiris services must run under an account with elevated rights. Furthermore, the wizard suggests you use the local Administrator account.

The truth is that these rights are only required for the duration of the product installation. Once the services are up and running, Deployment Solution needs only limited rights.

Our first task, then, is to configure a new account specifically for the Altiris services. We'll need to grant this account admin rights temporarily for the product installation, but we will remove these rights afterwards, leaving DS to run under a restricted account.

One further consideration is SQL rights, as the credentials used for the Altiris services are also used to authenticate to the SQL database. During installation this account needs the sysadmin server role on the SQL instance so that it can create the express database and set up its tables.

To create the service account, follow these steps:

  1. Create a local account called altservice and add it to the local Administrators group; this will be the DS service account. Give it a long, random password in place of the password marker below (or pass * instead of the password so that net user prompts for it and it never appears on the command line):
    C:\> net user altservice password /add
    The command completed successfully.

    C:\> net localgroup administrators altservice /add
    The command completed successfully.

  2. Start the local user manager (lusrmgr.msc), open the altservice account and tick 'Password never expires'. If you don't, the default maximum password age (42 days) will expire the password, after which the Altiris services will fail to start.
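The same account creation steps as a script, added here as an example and not taken from the original article. It assumes PowerShell 2.0 or later on the DS server and uses the ADSI WinNT provider rather than net.exe, so the password is set through an API call instead of being passed on a command line that other local users can read from the process list. The account name, the password length and the 64-character alphabet are this example's own choices.

```powershell
# Added example: create the DS service account with a random password, mark
# the password as never expiring, and add it to Administrators temporarily
# for the installation. Assumes PowerShell 2.0+ and the ADSI WinNT provider
# (present on XP/2003 and later).

# Random password from a 64-character alphabet. 256 mod 64 == 0, so taking
# each random byte modulo 64 picks characters without modulo bias.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = ('abcdefghijklmnopqrstuvwxyz' +
                 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                 '0123456789-_').ToCharArray()
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Create a local user, set its password via ADSI (not on a command line) and
# set ADS_UF_DONT_EXPIRE_PASSWD so the 42-day maximum password age cannot
# stop the Altiris services from logging on.
function New-ServiceAccount {
    param(
        [string]$Name,
        [string]$Password,
        [string]$Description = 'Altiris Deployment Solution service account'
    )
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($Password)
    $user.SetInfo()                     # the account must exist before its flags can be read

    # Re-bind to the saved account so UserFlags reflects what SAM stored.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.InvokeSet('Description', $Description)
    $flags = [int]$user.InvokeGet('UserFlags')
    $user.InvokeSet('UserFlags', ($flags -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.SetInfo()
    return $user
}

# Add a local user to (or, with -Remove, take it out of) a local group.
function Set-LocalGroupMembership {
    param([string]$Group, [string]$User, [switch]$Remove)
    $g    = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $path = "WinNT://$env:COMPUTERNAME/$User,user"
    if ($Remove) { $g.Remove($path) } else { $g.Add($path) }
}

$password = New-RandomPassword
$null = New-ServiceAccount -Name 'altservice' -Password $password
Set-LocalGroupMembership -Group 'Administrators' -User 'altservice'

# Shown once so it can be typed into the installer's service account screen;
# it is not stored anywhere else.
Write-Host "altservice created; password for the DS installer: $password"
```

Once Deployment Solution is installed, the same Set-LocalGroupMembership function with -Remove is what takes the account back out of Administrators.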

Now let's give this account full rights over the SQL Express instance. To do this, we need to open the SQL Server Surface Area Configuration tool:

  1. To grant the altservice account the sysadmin role over the SQL Express instance, open the SQL Server Surface Area Configuration tool: 'Start Menu' > 'Programs' > 'Microsoft SQL Server 2005' > 'Configuration Tools' > 'SQL Server Surface Area Configuration'
  2. Select 'Add a new Administrator' to open the user provisioning tool (although designed primarily for Vista, this works fine on XP/2003 too).
  3. In the 'User to Provision' text box, enter altservice
  4. From the 'Available Privileges' pane, select the SysAdmin role and click the right arrow to move it to the granted privileges pane
  5. Click OK.

Installing DS6.8SP2

Now that we've got MS SQL Server and IIS up and running, we can proceed to installing Deployment Solution (it can be downloaded from http://www.altiris.com/Download.aspx).

To install:

  1. Double-click the Altiris package, Altiris_DeploymentSolutionWin_6_8.exe, to begin unpacking the archive to C:\DSSetup. setup.exe launches automatically once unpacking completes.

Screen 1: Selecting the Install Type

For the purposes of these notes (and, in fact, for most real-world scenarios) you will want to install all of the Deployment Solution components on one server. The installation screen (shown below) offers several install types, including Simple, Custom and Component Install.

Install all Altiris components on your server and include the PXE option, as this lets us image computers by booting them from their NICs.

  1. Select the 'Simple Install' option
  2. Check the 'Include PXE Server' checkbox, and click 'Install'

The other install options here are worth a mention.

Install Helper

This prompts you to download MSDE 2000 SP3 if its check for an existing MS SQL Server fails.

Simple

This is a 'minimum questions asked' installation which assumes all DS components will be installed on the local server. For small and medium DS installations, this is generally the sensible route.

Custom Install

An installer designed for large environments where you might want to split the Console, SQL engine, PXE components or even the DS share off onto other servers.

Thin Client Install

This installs DS with an additional viewing mode in the console for displaying information pertinent to thin clients (you'll need to purchase thin-client licenses to make use of this).

Screen 2: Configuring the Deployment Share

Altiris Deployment Solution makes the entirety of its directory structure available as a network share. This share is called the express share and holds the Deployment Solution program files as well as any images, software packages and client OS install files we make available.

Installation wizard screen detailing the location of the Deployment Solution network share, the Deployment Solution service credentials and the licensing.


  1. Select your licence type. If you don't have any DS licence files to hand, you can use the 7-day free licence. Be aware that this temporary licence only entitles you to manage 10 clients.
  2. Service account: configure the Altiris services to run under the altservice account you created earlier, and click 'Next'.

Installing Pre-Boot Operating Systems

In order to image a computer, Altiris requires your target system to load an automation operating system (OS). Deployment Solution has, since version 6.5, supported Linux and Windows PE as pre-boot OSs in addition to good old DOS.

When you download Deployment Solution from the Altiris website, you are also offered the option to download the 'Linux and Free DOS Automation Environment for Deployment Solution 6.8 SP2'. This comes down as a file with a .frm extension.

  1. Add the Linux automation options by pointing them at the .frm file you downloaded. Your Pre-boot OS window should look similar to the one below. As an aside, avoid FreeDOS automation like the plague: if you want to use DOS, hunt down the Win98 DOS files.
  2. Click Next. (We can only select one automation option in the Simple Install)

Screen 3: Installation Components

This screen is a review of all the components scheduled for installation. Pay particular attention to whether the entry 'Installing Deployment Web Console' exists. If it does not, IIS is either not yet installed or not running.

Screen showing all the tasks for the DS Installation.

Note that the installer has detected that IIS is running and has automatically added the Web Console to the install list.


Screen 4: Installation Information Summary

If you've reached here without incident, then well done: Deployment Solution has now been installed. Here you are presented with the option of installing Sysprep support and remote-installing your clients. We don't need these options for now, so click Finish.

Securing DS: Reducing the Altiris Service Account Rights

Now that Altiris Deployment Solution is installed, it's quite simple to get it to run under a restricted account. All we need to do is give the altservice account full NTFS permissions over the express folder. Once this has been done, we can safely remove altservice from the local Administrators group.

  1. In Windows Explorer, navigate to C:\Program Files\Altiris
  2. Right-click the express folder and select Properties
  3. On the Security tab, grant the altservice account Full Control
  4. Click Apply, then OK.
  5. In a command prompt, type:
    net localgroup administrators altservice /delete
    The command completed successfully.

    net localgroup users altservice /delete
    The command completed successfully.

    This removes the account from both the Users and the Administrators groups.
  6. Reboot the server to confirm all is well (check the event logs and confirm that the Altiris services have started without issue)
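The lockdown steps above as a script with a built-in check, added here as an example and not taken from the original article. It assumes PowerShell 2.0 or later, that the express folder is C:\Program Files\Altiris\eXpress (the page only calls it "the express folder"), and that the DS services are configured to log on as altservice; the function names are the example's own.

```powershell
# Added example: give altservice Full Control over the express folder, take it
# out of the Administrators and Users groups, then confirm the Altiris
# services still run under the reduced account. Assumes PowerShell 2.0+ and
# the default program folder C:\Program Files\Altiris\eXpress.

$User        = 'altservice'
$Identity    = "$env:COMPUTERNAME\$User"
$ExpressPath = 'C:\Program Files\Altiris\eXpress'   # the "express folder"

# Add an Allow/Full Control ACE that inherits to subfolders and files, so
# images and packages dropped into the share later are covered as well.
function Grant-FullControl {
    param([string]$Path, [string]$Account)
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

# True when an explicit Allow/Full Control entry for the account is on the folder.
function Test-FullControl {
    param([string]$Path, [string]$Account)
    $match = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq 'FullControl'
    }
    return @($match).Count -gt 0
}

# Remove a local user from a local group through the WinNT provider.
function Remove-LocalGroupMember {
    param([string]$Group, [string]$Member)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    try   { $g.Remove("WinNT://$env:COMPUTERNAME/$Member,user") }
    catch { Write-Warning "$Member was not removed from ${Group}: $($_.Exception.Message)" }
}

# Names of the local groups a user still belongs to.
function Get-LocalGroupsOf {
    param([string]$Member)
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$Member,user"
    $u.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Services configured to log on as the account (StartName is ".\name" or "HOST\name").
function Get-ServicesLoggingOnAs {
    param([string]$Member)
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -like "*\$Member" } |
        Select-Object Name, State, StartMode, StartName
}

# Apply the change: NTFS rights first, then drop the group memberships.
Grant-FullControl -Path $ExpressPath -Account $Identity
Remove-LocalGroupMember -Group 'Administrators' -Member $User
Remove-LocalGroupMember -Group 'Users'          -Member $User

# Verify: no group memberships left, the ACE present, the services back up.
$groups = @(Get-LocalGroupsOf -Member $User)
"Local groups for ${User}: " + $(if ($groups) { $groups -join ', ' } else { '(none)' })
"Full Control on ${ExpressPath}: " + (Test-FullControl -Path $ExpressPath -Account $Identity)

Get-ServicesLoggingOnAs -Member $User |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { Restart-Service -Name $_.Name -Force }
Get-ServicesLoggingOnAs -Member $User | Format-Table -AutoSize

# A service logon failure for the account shows up here from the Service Control Manager.
Get-EventLog -LogName System -EntryType Error -Newest 20 |
    Where-Object { $_.Source -eq 'Service Control Manager' } |
    Format-Table TimeGenerated, Message -AutoSize -Wrap
```

Restarting the services is the quick check; the reboot in step 6 is the full one, since it also exercises service start order, and is still worth doing before calling the server done.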

SQL Security: Demoting altservice from sysadmin to db_owner

At the beginning of this article we saw how to provision a user with full sysadmin rights over the SQL instance using the SQL Server Surface Area Configuration tool. To grant more granular, less god-like power over an instance, we need to open the Management Studio Express tool for SQL Express.

  1. Download and install the SQL Server Management Studio Express tool from Microsoft.com. The package will download with the catchy name, SQLServer2005_SSMSEE.msi
  2. Double-click on the package to begin installation. Accept the license, and default settings until you hit the finish button. Fire up Management Studio from the Start Menu, 'Start Menu' > 'Programs' > 'Microsoft SQL Server 2005' > 'SQL Server Management Studio Express'
  3. On the 'Connect to Server' dialog, click 'Connect'.

Once connected, you'll be presented with the Studio Express explorer, an interface based on the Windows Explorer UI: the left-hand pane lets you explore the various items under your SQL instance, such as databases, roles and security, while the right-hand pane generally gives a drill-down view of the object you've selected.

There are two things to notice here:

  1. In addition to the system databases, you have a database called eXpress. This is the Altiris Deployment Solution database and was created during the DS Install.
  2. You have a login created for the Deployment Solution service, altservice. This was created when we granted altservice sysadmin access to the instance using the SQL Server Surface Area Configuration tool.

To demote the altservice account, do the following:

  1. Double-click the altservice login under Security > Logins
  2. On the 'General' page, set the default database to eXpress
  3. On the 'Server Roles' page, uncheck sysadmin, leaving altservice with the public role only (public is the role with the lowest privileges on a SQL Server)
  4. On the 'User Mapping' page, ensure the only database checked is eXpress and give the account the db_owner role in it
  5. Click OK
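The SQL side of this article as one script, added here as an example rather than taken from the page: the grant performed earlier with Surface Area Configuration, the demotion described in this section, and a read-back of the result. It uses sqlcmd, which installs with SQL Server 2005 Express, and assumes the instance name .\SQLEXPRESS, the database name eXpress, that the login is the Windows account HOST\altservice, and that whoever runs the script is a SQL sysadmin (members of the local Administrators group are, by default, on SQL Server 2005). The $(Login) and $(Db) placeholders are sqlcmd scripting variables, not PowerShell ones.

```powershell
# Added example: grant, demote and verify the altservice SQL login with sqlcmd.
# Assumes .\SQLEXPRESS, a database called eXpress and a Windows login
# HOST\altservice; run as a user who is already a SQL sysadmin.

$Instance = '.\SQLEXPRESS'
$Login    = "$env:COMPUTERNAME\altservice"
$Database = 'eXpress'

# Single-quoted here-strings keep $(Login) and $(Db) literal; sqlcmd fills
# them in from the -v arguments when the script runs.
$GrantScript = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Login)')
    CREATE LOGIN [$(Login)] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$(Login)', N'sysadmin';
GO
'@

$DemoteScript = @'
USE [$(Db)];
-- Map the login to a database user and give it db_owner in this one
-- database; that is all the Altiris services need at run time.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(Login)')
    CREATE USER [$(Login)] FOR LOGIN [$(Login)];
IF NOT EXISTS (SELECT 1
               FROM sys.database_role_members rm
               JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
               WHERE r.name = N'db_owner' AND m.name = N'$(Login)')
    EXEC sp_addrolemember N'db_owner', N'$(Login)';
GO
-- Only now remove the server-wide role and point the login at its database.
EXEC sp_dropsrvrolemember N'$(Login)', N'sysadmin';
ALTER LOGIN [$(Login)] WITH DEFAULT_DATABASE = [$(Db)];
GO
'@

$VerifyScript = @'
SELECT name, default_database_name,
       IS_SRVROLEMEMBER(N'sysadmin', name) AS is_sysadmin   -- 0 after demotion
FROM sys.server_principals WHERE name = N'$(Login)';
USE [$(Db)];
SELECT r.name AS db_role                                    -- expect db_owner
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(Login)';
GO
'@

# Run a script through sqlcmd with Windows authentication. -b turns the first
# T-SQL error into a non-zero exit code, so a half-applied change is noticed.
function Invoke-SqlScript {
    param([string]$Script, [string]$Server, [string[]]$Variables)
    $file = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value $Script
        & sqlcmd -S $Server -E -b -i $file -v $Variables | Out-Host
        return ($LASTEXITCODE -eq 0)
    } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
}

$sqlVars = @("Login=$Login", "Db=$Database")

# Before installing DS (the Surface Area Configuration step):
#   Invoke-SqlScript -Script $GrantScript -Server $Instance -Variables $sqlVars
# After installing DS:
if (Invoke-SqlScript -Script $DemoteScript -Server $Instance -Variables $sqlVars) {
    $null = Invoke-SqlScript -Script $VerifyScript -Server $Instance -Variables $sqlVars
} else {
    Write-Warning "Demotion failed; $Login may still be sysadmin. Check the sqlcmd output above."
}
```

Run the demote block only after the DS installer has created the eXpress database, since db_owner can only be granted on a database that exists. The verify query should then report is_sysadmin = 0 and db_role = db_owner; after that, restart the Altiris services (or reboot) and check that they reconnect with the reduced login.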

So that's it; you can now take a well-earned rest. You have just installed Deployment Solution using a least-privilege service account. Reboot the server and again check that all is well.

Summary

In this article, we have moved away from the standard practice of installing Deployment Solution under a local administrator account.

In a default installation, the Altiris services not only run as a full local administrator (with full rights over the Windows system), but they also access the Microsoft SQL instance as a sysadmin.

Graphical depiction of the security model used in most standard installations of Deployment Solution. Notice that the local Administrator account is used, which has full access across the system. This account, by virtue of being in the local Administrators group, also holds the sysadmin role on the SQL instance.


In order to lock down our installation, this article demonstrates Altiris best practice by using a dedicated service account to install DS. By using a service account (created here as altservice), we drastically reduced the exposure this account has across the Windows and MS SQL systems. This approach is standard practice for installing any service on any operating system, as it limits the damage in the event of a service compromise.

Graphical depiction of the security model used in best practice installations of Deployment Solution. Notice that the service account is not a member of any local groups and has db_owner rights only over the eXpress database within MS SQL.


Chapter 1: Preparing your Server for a DS6.8SP2 Installation

Chapter 3: Introducing the DS Console

Comments

Mar 06, 2008 12:15 PM

If you're using the full version of MSSQL2005 (not the Express version) ensure you've installed SP2. This adds the "Add a new Administrator" function to the Surface Area Configuration Tool. This was not present in the first release of MSSQL 2005.
