Understanding potential security risks helps you set up your environment in a secure manner.

Secure your network as you would for any other PXE-based deployment method. Auto Deploy transfers data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the Auto Deploy server is not checked during a PXE boot.

The boot image that the Auto Deploy server downloads to a machine can have the following components.
  • The VIB packages that the image profile consists of are always included in the boot image.
  • The host profile and host customization are included in the boot image if Auto Deploy rules are set up to provision the host with a host profile or a host customization setting.
    • The administrator (root) password and user passwords that are included with host profile and host customization are MD5 encrypted.
    • Any other passwords associated with profiles are in the clear. If you set up Active Directory by using host profiles, the passwords are not protected.

      Use the vSphere Authentication Service for setting up Active Directory to avoid exposing the Active Directory passwords.

  • The host's public and private SSL key and certificate are included in the boot image.

You can greatly reduce the security risk of Auto Deploy by completely isolating the network where Auto Deploy is used.