What alternatives exist to using TFTP in setupHow do you find what process is holding a file open in...

Why does Kotter return in Welcome Back Kotter

prove that the matrix A is diagonalizable

Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat?

Does a druid starting with a bow start with no arrows?

Western buddy movie with a supernatural twist where a woman turns into an eagle at the end

Why is the 'in' operator throwing an error with a string literal instead of logging false?

Combinations of multiple lists

Brothers & sisters

Is it possible to download Internet Explorer on my Mac running OS X El Capitan?

Fully-Firstable Anagram Sets

Neighboring nodes in the network

Is it unprofessional to ask if a job posting on GlassDoor is real?

Arrow those variables!

What is the PIE reconstruction for word-initial alpha with rough breathing?

Why is it a bad idea to hire a hitman to eliminate most corrupt politicians?

Why does Arabsat 6A need a Falcon Heavy to launch

How to prevent "they're falling in love" trope

Alternative to sending password over mail?

Etiquette around loan refinance - decision is going to cost first broker a lot of money

What does it mean to describe someone as a butt steak?

What exploit are these user agents trying to use?

Blender 2.8 I can't see vertices, edges or faces in edit mode

How much of data wrangling is a data scientist's job?

What killed these X2 caps?



What alternatives exist to using TFTP in setup


How do you find what process is holding a file open in Windows?Reasonably Secure Alternative to Poptop PPTP Server for Ubuntu server and Windows clients?Windows TFTP Server Recomendations?Windows Filtering Platform blocking packets from workstations on a Domain ControllerPXE-E32 TFTP Open Timeout While Attempting to PXE Boot from Windows Deployment ServicesBoot and/or synchronise linux image from networkTFTP/PXE with the foremanConfigMgr - Really really slow PXE boot between Hyper-V machinesDownloading with U-Boot's tftp randomly times outWDS 2012 R2 Server






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I'm think there should be a better than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?










share|improve this question
















bumped to the homepage by Community 9 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

    – replay
    Feb 22 '13 at 8:50













  • If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

    – user857990
    Feb 22 '13 at 9:04











  • What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

    – Michael Hampton
    Feb 22 '13 at 11:27











  • @MichaelHampton Just commented on the answer below.

    – user857990
    Feb 22 '13 at 11:40






  • 1





    Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

    – Michael Hampton
    Feb 22 '13 at 11:43




















0















I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I'm think there should be a better than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?










share|improve this question
















bumped to the homepage by Community 9 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

    – replay
    Feb 22 '13 at 8:50













  • If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

    – user857990
    Feb 22 '13 at 9:04











  • What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

    – Michael Hampton
    Feb 22 '13 at 11:27











  • @MichaelHampton Just commented on the answer below.

    – user857990
    Feb 22 '13 at 11:40






  • 1





    Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

    – Michael Hampton
    Feb 22 '13 at 11:43
















0












0








0








I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I'm think there should be a better than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?










share|improve this question
















I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I'm think there should be a better than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?







windows tftp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 22 '13 at 12:09







user857990

















asked Feb 22 '13 at 8:13









user857990user857990

187211




187211





bumped to the homepage by Community 9 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 9 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

    – replay
    Feb 22 '13 at 8:50













  • If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

    – user857990
    Feb 22 '13 at 9:04











  • What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

    – Michael Hampton
    Feb 22 '13 at 11:27











  • @MichaelHampton Just commented on the answer below.

    – user857990
    Feb 22 '13 at 11:40






  • 1





    Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

    – Michael Hampton
    Feb 22 '13 at 11:43





















  • In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

    – replay
    Feb 22 '13 at 8:50













  • If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

    – user857990
    Feb 22 '13 at 9:04











  • What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

    – Michael Hampton
    Feb 22 '13 at 11:27











  • @MichaelHampton Just commented on the answer below.

    – user857990
    Feb 22 '13 at 11:40






  • 1





    Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

    – Michael Hampton
    Feb 22 '13 at 11:43



















In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

– replay
Feb 22 '13 at 8:50







In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?

– replay
Feb 22 '13 at 8:50















If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

– user857990
Feb 22 '13 at 9:04





If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocoll I'd be happier. :)

– user857990
Feb 22 '13 at 9:04













What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

– Michael Hampton
Feb 22 '13 at 11:27





What are the assets you are trying to protect, and what are the threats you are trying to protect them from?

– Michael Hampton
Feb 22 '13 at 11:27













@MichaelHampton Just commented on the answer below.

– user857990
Feb 22 '13 at 11:40





@MichaelHampton Just commented on the answer below.

– user857990
Feb 22 '13 at 11:40




1




1





Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

– Michael Hampton
Feb 22 '13 at 11:43







Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.

– Michael Hampton
Feb 22 '13 at 11:43












1 Answer
1






active

oldest

votes


















0














what is the security concern?



Is your concern the TFTP server might get hacked and the system abused for something else?
Then something like a chroot solution would make the most sense.



Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read only mode.



Or is your concern that somebody else is going to put a DHCP server in your network and starts distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than pixie boot.



You also talk about filtering traffic. I think the question if filtering make sense or not depends heavily on your case. if you have only a limited amount of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (f.e. an ISP distributing ROMs for modems), filtering will be harder.






share|improve this answer
























  • read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

    – user857990
    Feb 22 '13 at 11:38











  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

    – replay
    Feb 22 '13 at 11:52











  • I edited my orginal question. Hope it makes things clearer.

    – user857990
    Feb 22 '13 at 12:13












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f481399%2fwhat-alternatives-exist-to-using-tftp-in-setup%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














what is the security concern?



Is your concern the TFTP server might get hacked and the system abused for something else?
Then something like a chroot solution would make the most sense.



Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read only mode.



Or is your concern that somebody else is going to put a DHCP server in your network and starts distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than pixie boot.



You also talk about filtering traffic. I think the question if filtering make sense or not depends heavily on your case. if you have only a limited amount of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (f.e. an ISP distributing ROMs for modems), filtering will be harder.






share|improve this answer
























  • read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

    – user857990
    Feb 22 '13 at 11:38











  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

    – replay
    Feb 22 '13 at 11:52











  • I edited my orginal question. Hope it makes things clearer.

    – user857990
    Feb 22 '13 at 12:13
















0














what is the security concern?



Is your concern the TFTP server might get hacked and the system abused for something else?
Then something like a chroot solution would make the most sense.



Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read only mode.



Or is your concern that somebody else is going to put a DHCP server in your network and starts distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than pixie boot.



You also talk about filtering traffic. I think the question if filtering make sense or not depends heavily on your case. if you have only a limited amount of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (f.e. an ISP distributing ROMs for modems), filtering will be harder.






share|improve this answer
























  • read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

    – user857990
    Feb 22 '13 at 11:38











  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

    – replay
    Feb 22 '13 at 11:52











  • I edited my orginal question. Hope it makes things clearer.

    – user857990
    Feb 22 '13 at 12:13














0












0








0







what is the security concern?



Is your concern the TFTP server might get hacked and the system abused for something else?
Then something like a chroot solution would make the most sense.



Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read only mode.



Or is your concern that somebody else is going to put a DHCP server in your network and starts distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than pixie boot.



You also talk about filtering traffic. I think the question if filtering make sense or not depends heavily on your case. if you have only a limited amount of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (f.e. an ISP distributing ROMs for modems), filtering will be harder.






share|improve this answer













what is the security concern?



Is your concern the TFTP server might get hacked and the system abused for something else?
Then something like a chroot solution would make the most sense.



Is your concern the TFTP server might get hacked and the images that it distributes are getting modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read only mode.



Or is your concern that somebody else is going to put a DHCP server in your network and starts distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than pixie boot.



You also talk about filtering traffic. I think the question if filtering make sense or not depends heavily on your case. if you have only a limited amount of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (f.e. an ISP distributing ROMs for modems), filtering will be harder.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 22 '13 at 9:16









replayreplay

2,712915




2,712915













  • read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

    – user857990
    Feb 22 '13 at 11:38











  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

    – replay
    Feb 22 '13 at 11:52











  • I edited my orginal question. Hope it makes things clearer.

    – user857990
    Feb 22 '13 at 12:13



















  • read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

    – user857990
    Feb 22 '13 at 11:38











  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

    – replay
    Feb 22 '13 at 11:52











  • I edited my orginal question. Hope it makes things clearer.

    – user857990
    Feb 22 '13 at 12:13

















read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

– user857990
Feb 22 '13 at 11:38





read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.

– user857990
Feb 22 '13 at 11:38













It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

– replay
Feb 22 '13 at 11:52





It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.

– replay
Feb 22 '13 at 11:52













I edited my orginal question. Hope it makes things clearer.

– user857990
Feb 22 '13 at 12:13





I edited my orginal question. Hope it makes things clearer.

– user857990
Feb 22 '13 at 12:13


















draft saved

draft discarded




















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f481399%2fwhat-alternatives-exist-to-using-tftp-in-setup%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

Список ссавців Італії Природоохоронні статуси | Список |...

Маріан Котлеба Зміст Життєпис | Політичні погляди |...