What alternatives exist to using TFTP in setup


I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run the TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I think there should be a better way than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?

  • In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. Later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?
    – replay, Feb 22 '13 at 8:50

  • If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocol I'd be happier. :)
    – user857990, Feb 22 '13 at 9:04

  • What are the assets you are trying to protect, and what are the threats you are trying to protect them from?
    – Michael Hampton, Feb 22 '13 at 11:27

  • @MichaelHampton Just commented on the answer below.
    – user857990, Feb 22 '13 at 11:40

  • Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.
    – Michael Hampton, Feb 22 '13 at 11:43

Tags: windows, tftp
asked Feb 22 '13 at 8:13, edited Feb 22 '13 at 12:09 – user857990

1 Answer

What is the security concern?

Is your concern that the TFTP server might get hacked and the system abused for something else? Then something like a chroot solution would make the most sense.

Is your concern that the TFTP server might get hacked and the images that it distributes get modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read-only mode.

Or is your concern that somebody else is going to put a DHCP server in your network and start distributing his own images via TFTP to your clients? Then you will probably need to think about using another solution than PXE boot.

You also talk about filtering traffic. I think the question of whether filtering makes sense depends heavily on your case. If you have only a limited number of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (e.g. an ISP distributing ROMs for modems), filtering will be harder.

  • Read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something similar like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.
    – user857990, Feb 22 '13 at 11:38

  • It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.
    – replay, Feb 22 '13 at 11:52

  • I edited my original question. Hope it makes things clearer.
    – user857990, Feb 22 '13 at 12:13


answered Feb 22 '13 at 9:16 – replay
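
As an added example (not code from this thread or from any particular TFTP server): the containment check a server has to apply to the filename in a read request, next to the naive join that permits the `asdf/../../../../windows/win.ini` traversal described above, with write requests refused as in the read-only mode the answer mentions. The root `/srv/tftp`, the function names and the sample packets are assumptions constructed for illustration.

```python
import os
import struct

OP_RRQ, OP_WRQ = 1, 2            # RFC 1350 opcodes
ERR_ACCESS, ERR_ILLEGAL = 2, 4   # RFC 1350 error codes


def parse_request(packet: bytes):
    """Split an RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL."""
    if len(packet) < 2:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    fields = packet[2:].split(b"\x00")
    if opcode not in (OP_RRQ, OP_WRQ) or len(fields) < 3 or not fields[0]:
        raise ValueError("malformed request")
    # UnicodeDecodeError is a ValueError, so non-ASCII names are rejected too.
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def naive_resolve(root: str, filename: str) -> str:
    """The vulnerable pattern: join the name onto the root and use the result."""
    return os.path.normpath(os.path.join(root, filename))


def safe_resolve(root: str, filename: str) -> str:
    """Return the real path of filename under root, or raise PermissionError."""
    # A Windows server treats "\" as a separator, so normalise it before
    # checking; otherwise asdf\..\..\windows\win.ini passes a "/"-only test.
    name = filename.replace("\\", "/")
    if name.startswith("/") or name[1:2] == ":":   # absolute path or drive letter
        raise PermissionError("absolute path")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location that would actually be opened.
    candidate = os.path.realpath(os.path.join(root_real, name))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError("outside TFTP root")
    return candidate


def handle_request(packet: bytes, root: str):
    """Return ('OK', path) for an allowed read, else ('ERROR', code, message)."""
    try:
        opcode, filename, _mode = parse_request(packet)
    except ValueError:
        return ("ERROR", ERR_ILLEGAL, "Illegal TFTP operation")
    if opcode == OP_WRQ:                           # read-only server
        return ("ERROR", ERR_ACCESS, "Access violation")
    try:
        return ("OK", safe_resolve(root, filename))
    except PermissionError:
        return ("ERROR", ERR_ACCESS, "Access violation")


if __name__ == "__main__":
    root = "/srv/tftp"  # assumed serving directory
    # Constructed sample packets: opcode, filename, NUL, mode, NUL.
    samples = [
        b"\x00\x01pxelinux.0\x00octet\x00",
        b"\x00\x01boot/../pxelinux.0\x00octet\x00",
        b"\x00\x01asdf/../../../../windows/win.ini\x00octet\x00",
        b"\x00\x01asdf\\..\\..\\..\\windows\\win.ini\x00octet\x00",
        b"\x00\x01C:\\windows\\win.ini\x00octet\x00",
        b"\x00\x02pxelinux.0\x00octet\x00",
    ]
    for pkt in samples:
        name = pkt[2:].split(b"\x00")[0].decode("ascii")
        print(f"{name!r:45} naive={naive_resolve(root, name)!r}")
        print(f"{'':45} checked={handle_request(pkt, root)}")
```

The check compares resolved paths rather than banning `..` outright, so `boot/../pxelinux.0` is still served while anything that resolves outside the root gets an access violation.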












