{"id":1321,"date":"2014-12-31T10:58:20","date_gmt":"2014-12-31T10:58:20","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2014\/12\/31\/securely-allocating-guids-in-powershell-desired-state-configuration-pull-mode\/"},"modified":"2019-02-18T12:38:44","modified_gmt":"2019-02-18T19:38:44","slug":"securely-allocating-guids-in-powershell-desired-state-configuration-pull-mode","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/securely-allocating-guids-in-powershell-desired-state-configuration-pull-mode\/","title":{"rendered":"Securely allocating GUIDs in PowerShell Desired State Configuration Pull Mode"},"content":{"rendered":"<p>Nicholas Dille recently posted a <a href=\"http:\/\/dille.name\/blog\/2014\/12\/25\/approaches-to-guid-management-in-psdsc-pull-mode\/?utm_content=bufferb0dbe&amp;utm_medium=social&amp;utm_source=twitter.com&amp;utm_campaign=buffer\">good blog<\/a> on GUID management in PowerShell Desired State Configuration. In that blog, he goes through several approaches to GUID management and talks about the pros and cons of each.<\/p>\n<p>When you are deciding how to allocate GUIDs in DSC\u2019s Pull Mode, here are the three things you should keep in mind:<\/p>\n<ul>\n<li>The configuration data for a computer is sensitive information, and is valuable to an attacker. If an attacker knows exactly how a machine is configured, they can likely leverage that information to compromise it.<\/li>\n<li>If you know the DSC GUID for a machine, you can ask the pull server for its configuration. The DSC GUID acts much like an API key does for authentication with Azure, Amazon, and many other online services.<\/li>\n<li>Therefore, you should treat DSC GUIDs as sensitive information.<\/li>\n<\/ul>\n<p>When we designed this feature, we initially wanted to use the computer \/ SMBIOS GUID for this identifier and be done with it. However, these GUIDs are not generally treated as sensitive data. 
They get littered in event logs everywhere, fly across the network unencrypted during PXE boots, DHCP discovery, and more. They are frequently <a href=\"http:\/\/blogs.technet.com\/b\/configurationmgr\/archive\/2010\/04\/12\/osd-task-sequence-fails-with-there-are-no-task-sequences-available-for-this-computer-if-multiple-machines-have-the-same-smbios-guid.aspx\">duplicated or missing<\/a>, even.<\/p>\n<p>Now, one source of a GUID that Nicholas mentions (by way of Joe Thompson\u2019s <a href=\"http:\/\/www.systemcentercentral.com\/using-active-directory-target-endpoints-powershell-dsc\/\">blog on the topic<\/a>) is the computer\u2019s Active Directory GUID. Nicholas doesn\u2019t like this idea due to its reliance on being domain joined.<\/p>\n<p>However, the biggest problem with this approach is that these GUIDs are not secret. Here\u2019s an example, in PowerShell, of getting the GUID for the Domain Controller. This does not require Domain Administrator privileges:<\/p>\n<blockquote>\n<pre style=\"color: #eeedf0;background-color: #012456\">                                                                                                       \n6 [C:\\temp]                                                                                                             \n&gt;&gt; <span style=\"color: #0f0;background-color: #012456\">$searcher<\/span> <span style=\"color: #888;background-color: #012456\">=<\/span> [<span style=\"color: #ccc;background-color: #012456\">ADSISearcher<\/span>] <span style=\"color: #088;background-color: #012456\">&quot;&quot;<\/span>                                                                                        \n                                                                                                                        \n7 [C:\\temp]                                                                                                             \n&gt;&gt; <span style=\"color: #0f0;background-color: 
#012456\">$searcher<\/span>.<span style=\"color: #fff;background-color: #012456\">Filter<\/span> <span style=\"color: #888;background-color: #012456\">=<\/span> <span style=\"color: #088;background-color: #012456\">&quot;name=contoso&quot;<\/span>                                                                                    \n                                                                                                                        \n8 [C:\\temp]                                                                                                             \n&gt;&gt; <span style=\"color: #0f0;background-color: #012456\">$searcher<\/span>.<span style=\"color: #fff;background-color: #012456\">FindOne<\/span>().<span style=\"color: #fff;background-color: #012456\">GetDirectoryEntry<\/span>().<span style=\"color: #fff;background-color: #012456\">Guid<\/span>                                                                         \n860a8b9a306d498bb9323cc6ffd4794a                                                                                        \n                                                                                                                        \n9 [C:\\temp]                                                                                                             <\/pre>\n<\/blockquote>\n<p>VM GUIDs might be a good approach if those are treated as sensitive data (unlike the computer \/ SMBIOS GUID), but you would want to validate that and be very careful.<\/p>\n<p>So \u2013 when deciding on how to allocate GUIDs to DSC nodes, be very careful to pick a scheme that an attacker on your network would not have access to.<\/p>\n<p>&#160;<\/p>\n<p>Lee Holmes [MSFT]\n  <br \/>Windows PowerShell Development<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nicholas Dille recently posted a good blog on GUID management in PowerShell Desired State Configuration. 
In that blog, he goes through several approaches to GUID management and talks about the pros and cons of each. When you are deciding how to allocate GUIDs in DSC\u2019s Pull Mode here are the three things you should keep [&hellip;]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell"],"acf":[],"blog_post_summary":"<p>Nicholas Dille recently posted a good blog on GUID management in PowerShell Desired State Configuration. In that blog, he goes through several approaches to GUID management and talks about the pros and cons of each. When you are deciding how to allocate GUIDs in DSC\u2019s Pull Mode here are the three things you should keep [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=1321"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=1321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powe
rshell\/wp-json\/wp\/v2\/categories?post=1321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=1321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}