Multiple Intel Products Vulnerabilities
May 21, 2025
Palo Alto GlobalProtect Bug Opens Door to Malicious Code Execution
May 21, 2025
Severity
High
Analysis Summary
A recent report by researchers draws attention to a serious yet often-overlooked weakness in enterprise IT environments: misconfigured Microsoft Deployment Toolkit (MDT) shares. Widely used to deploy operating systems without the complexity of System Center Configuration Manager (SCCM), MDT has become a common target for red teams because of its tendency to store plaintext credentials in easily accessible configuration files. The research, led by security expert Oddvar Moe, shows that insecure MDT setups can serve as a “quick ticket” for attackers to extract high-privilege domain credentials, sometimes leading to complete compromise of the network.
The report identifies two core MDT files, Bootstrap.ini and CustomSettings.ini, typically located in the DeploymentShare\Control directory, as particularly sensitive. These files frequently contain credential data such as DomainAdmin (the account used to join computers to the domain, with its password in DomainAdminPassword), UserID (the account used to access network resources such as the deployment share itself), AdminPassword (the local administrator password set on deployed machines), and DBPwd (the password for SQL Server connections). Credentials may also be stored in task sequence files (ts.xml), Unattend.xml, and custom scripts throughout the deployment share, which significantly expands the attack surface.
A key concern is the widespread misconfiguration of MDT deployment shares; Moe observes that they are often readable by any Active Directory (AD) user. With no effective access control, even a low-privileged user can open the deployment share and read its sensitive content, including the domain-join credentials. The impact becomes severe when the domain-join account is over-privileged or the same credential is reused across multiple servers, which can hand control of the entire Active Directory environment to an attacker. The scenario illustrates the danger of assuming that deployment infrastructure is inherently secure.
To mitigate these risks, security professionals must adopt stronger protections for MDT environments. Recommendations include restricting access to deployment shares, applying least-privilege principles, regularly auditing the credentials stored in configuration files, and using dedicated, low-permission accounts for deployment tasks. The Cloud Security Alliance’s recent guidance also warns that over 60% of breaches involve compromised credentials, underscoring the urgency of securing deployment infrastructure. For red teamers, this research opens up another effective vector for credential harvesting, while defenders are reminded that deployment tools require the same vigilance as other mission-critical systems.
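The following PowerShell audit script is an added example, not code from the report or from MDT itself. It walks a deployment share for the files named above, pulls the credential-bearing properties out of Bootstrap.ini and CustomSettings.ini, and flags password-like assignments in ts.xml, Unattend.xml and scripts. The share path, account names and passwords in the sample share it builds under $env:TEMP are constructed for the demo; point $share at a real share (for example \\MDTSERVER\DeploymentShare$) to audit a live environment. Defenders can use it for the periodic credential review the report recommends; it is also, in effect, what a low-privileged user with read access to the share can do.

```powershell
# Added example (not from the report or MDT): hunt for plaintext credentials in an MDT share.
# The sample share built below in $env:TEMP is constructed; the properties are real MDT names.

# MDT properties that hold secrets, or the account names those secrets belong to.
$CredentialKeys = @(
    'DomainAdmin', 'DomainAdminDomain', 'DomainAdminPassword',  # domain-join account
    'UserID', 'UserDomain', 'UserPassword',                      # account used to reach the share
    'AdminPassword',                                             # local Administrator password
    'DBID', 'DBPwd'                                              # SQL Server account
)

function Get-MdtIniCredentials {
    # Minimal INI walk: track the current [Section] and emit Key=Value pairs that match.
    param([Parameter(Mandatory)][string]$Path)
    $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }           # blank line or comment
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($t -match '^([^=]+?)\s*=\s*(.*)$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($CredentialKeys -contains $key -and $value -ne '') {
                [pscustomobject]@{ File = $Path; Where = "[$section]"; Key = $key; Value = $value }
            }
        }
    }
}

function Find-MdtCredentials {
    param([Parameter(Mandatory)][string]$DeploymentShare)
    $control = Join-Path $DeploymentShare 'Control'

    # 1. The two files the report singles out.
    foreach ($ini in 'Bootstrap.ini', 'CustomSettings.ini') {
        $p = Join-Path $control $ini
        if (Test-Path -LiteralPath $p) { Get-MdtIniCredentials -Path $p }
    }

    # 2. Task sequences, unattend answer files and scripts anywhere under the share:
    #    flag any line that assigns a password-like value.
    Get-ChildItem -Path $DeploymentShare -Recurse -File -ErrorAction SilentlyContinue `
        -Include 'ts.xml', 'Unattend.xml', '*.ps1', '*.vbs', '*.wsf', '*.cmd' |
        Select-String -Pattern '(Password|Passwd|Pwd)\s*[=:>]\s*\S' |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Where = "line $($_.LineNumber)"; Key = 'pattern'; Value = $_.Line.Trim() }
        }
}

# --- Constructed sample share so the script runs offline (not a real environment) ----------
$share = Join-Path $env:TEMP 'DemoDeploymentShare'
New-Item -ItemType Directory -Force -Path (Join-Path $share 'Control'), (Join-Path $share 'Scripts') | Out-Null

@'
[Settings]
Priority=Default

[Default]
DeployRoot=\\MDTSERVER\DeploymentShare$
UserDomain=CORP
UserID=svc_mdt_share
UserPassword=Winter2025!
SkipBDDWelcome=YES
'@ | Set-Content -LiteralPath (Join-Path $share 'Control\Bootstrap.ini')

@'
[Settings]
Priority=Default

[Default]
JoinDomain=corp.example
DomainAdminDomain=CORP
DomainAdmin=svc_mdt_join
DomainAdminPassword=Spring2025!
AdminPassword=LocalAdm1n!
'@ | Set-Content -LiteralPath (Join-Path $share 'Control\CustomSettings.ini')

@'
<?xml version="1.0"?>
<unattend><LocalAccounts><Password>LocalAdm1n!</Password></LocalAccounts></unattend>
'@ | Set-Content -LiteralPath (Join-Path $share 'Scripts\Unattend.xml')

Find-MdtCredentials -DeploymentShare $share | Format-Table -AutoSize
```

The INI parser is deliberately strict about the property names because MDT settings files also carry many harmless keys; the regex pass over the remaining files is looser and will produce some noise, which is acceptable for a review that a human reads. If the report turns up a DomainAdmin value that is a member of Domain Admins, treat that as the priority finding.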
Impact
- Sensitive Credential Theft
- Unauthorized Access
Remediation
- Ensure that only authorized personnel or deployment systems can access the share.
- Avoid giving "Everyone" or "Authenticated Users" read access.
- Use service accounts with minimal permissions required for deployment tasks.
- Avoid using Domain Admin or high-privileged accounts unnecessarily.
- Create specific accounts for MDT tasks (e.g., domain join) with limited scope and no extra privileges.
- Do not reuse these credentials for other services or systems.
- Check Bootstrap.ini, CustomSettings.ini, Unattend.xml, and task sequences for hardcoded credentials.
- Remove or encrypt sensitive information where possible.
- If credentials must be stored, use encryption or secured mechanisms (e.g., credential providers or secrets vaults).
- Consider third-party tools or secure scripts for handling credentials.
- Enable auditing on the MDT share to detect unauthorized access attempts.
- Regularly review access logs for suspicious behavior.
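The script below is an added example, not code from the report, showing how the access-control and auditing steps above look on the MDT server itself. It lists share permissions granted to broad principals such as Everyone or Authenticated Users, optionally replaces them with read access for a single operator group, and adds a file-system audit rule on the Control folder so reads of the settings files are logged. The share name DeploymentShare$, the group CORP\MDT-Deploy-Operators and the Domain Users entry are assumptions; run it elevated on the deployment server after adjusting them.

```powershell
# Added example (not from the report): tighten and audit an MDT deployment share.
# Share name and group below are assumptions; run elevated on the MDT server.

$ShareName       = 'DeploymentShare$'                # assumed share name
$OperatorGroup   = 'CORP\MDT-Deploy-Operators'       # assumed group that legitimately needs the share
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"
)

function Get-BroadShareAccess {
    # Share-level ACEs that hand the share to every domain principal.
    param([Parameter(Mandatory)][string]$Name)
    Get-SmbShareAccess -Name $Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
    }
}

function Repair-MdtShareAccess {
    # Report broad ACEs; with -Apply, revoke them and grant Read to one operator group.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AllowedGroup,
        [switch]$Apply
    )
    foreach ($entry in Get-BroadShareAccess -Name $Name) {
        Write-Warning "Share '$Name' grants $($entry.AccessRight) to $($entry.AccountName)"
        if ($Apply) { Revoke-SmbShareAccess -Name $Name -AccountName $entry.AccountName -Force | Out-Null }
    }
    if ($Apply) {
        Grant-SmbShareAccess -Name $Name -AccountName $AllowedGroup -AccessRight Read -Force | Out-Null
    }
}

function Enable-MdtShareAuditing {
    # SACL on the Control folder: log successful and failed reads by anyone.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData,ReadAttributes', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # The SACL only produces events if the Object Access subcategories are enabled
    # (Security log: 4663 file access, 5140 share accessed, 5145 detailed share access).
    auditpol /set /subcategory:"File System"          /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"File Share"           /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Detailed File Share"  /success:enable /failure:enable | Out-Null
}

# Report only first:
Repair-MdtShareAccess -Name $ShareName -AllowedGroup $OperatorGroup

# Enforce once the report looks right, then audit the folder holding the INI files:
# Repair-MdtShareAccess -Name $ShareName -AllowedGroup $OperatorGroup -Apply
# $sharePath = (Get-SmbShare -Name $ShareName).Path
# Enable-MdtShareAuditing -Path (Join-Path $sharePath 'Control')
```

Share permissions are only half of the picture: effective access is the intersection of the share ACL and the NTFS ACL, so check the folder ACL with Get-Acl as well, and remember that the account in Bootstrap.ini's UserID must still be able to read the share during Windows PE, which is why that account should be a dedicated, read-only one rather than anything with domain privileges.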