Securely allocating GUIDs in PowerShell Desired State Configuration Pull Mode

Nicholas Dille recently posted a good blog on GUID management in PowerShell Desired State Configuration. In that blog, he goes through several approaches to GUID management and talks about the pros and cons of each.

When you are deciding how to allocate GUIDs in DSC’s Pull Mode, here are three things you should keep in mind:

  • The configuration data for a computer is sensitive information, and is valuable to an attacker. If an attacker knows exactly how a machine is configured, they can likely leverage that information to compromise it.
  • If you know the DSC GUID for a machine, you can ask the pull server for its configuration. The DSC GUID acts much like an API Key does for authentication with Azure, Amazon, and many other online services.
  • Therefore, you should treat DSC GUIDs as sensitive information.

When we designed this feature, we initially wanted to use the computer / SMBIOS GUID for this identifier and be done with it. However, these GUIDs are not generally treated as sensitive data. They get littered in event logs everywhere and fly across the network unencrypted during PXE boots, DHCP discovery, and more. They are even frequently duplicated or missing.

Now, one source of a GUID that Nicholas mentions (by way of Joe Thompson’s blog on the topic) is the computer’s Active Directory GUID. Nicholas doesn’t like this idea due to its reliance on being domain joined.

However, the biggest problem with this approach is that these GUIDs are not secret. Here’s an example, in PowerShell, of getting the GUID for the Domain Controller. This does not require Domain Administrator privileges:

                                                                                                       
6 [C:\temp]
>> $searcher = [ADSISearcher] ""

7 [C:\temp]
>> $searcher.Filter = "name=contoso"

8 [C:\temp]
>> $searcher.FindOne().GetDirectoryEntry().Guid
860a8b9a306d498bb9323cc6ffd4794a

9 [C:\temp]

VM GUIDs might be a good approach if those are treated as sensitive data (unlike the computer / SMBIOS GUID), but you would want to validate that and be very careful.

So – when deciding on how to allocate GUIDs to DSC nodes, be very careful to pick a scheme that an attacker on your network would not have access to.
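
One way to apply this advice, as an added example that is not code from the original post: generate each node's GUID from random bytes, and audit an assigned GUID against identifiers an attacker on the network could look up. The function names, the inventory hashtable and the SMBIOS value are assumptions made for illustration; the directory GUID is the one printed above.

```powershell
# Added example, not code from the original post. New-DscNodeGuid and
# Test-DscGuidIsDiscoverable are hypothetical helper names.

function New-DscNodeGuid {
    # Build the GUID from 16 bytes of OS CSPRNG output so it is unrelated to
    # any SMBIOS, VM, or directory identifier.
    $bytes = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    New-Object guid (, $bytes)
}

function Test-DscGuidIsDiscoverable {
    param(
        [Parameter(Mandatory)] [guid] $ConfigurationId,
        # Label -> GUID text as collected by inventory (assumed input shape).
        [Parameter(Mandatory)] [hashtable] $KnownIdentifiers
    )
    foreach ($label in $KnownIdentifiers.Keys) {
        $asWritten = [guid]::Empty
        if (-not [guid]::TryParse($KnownIdentifiers[$label], [ref] $asWritten)) { continue }
        # Directory tools show the same objectGUID either as a GUID string or as
        # raw octet hex; the two differ in the byte order of the first three
        # fields, so compare against both readings.
        $asOctets = [guid] ([BitConverter]::ToString($asWritten.ToByteArray()) -replace '-')
        if ($ConfigurationId -eq $asWritten -or $ConfigurationId -eq $asOctets) {
            [pscustomobject]@{ ConfigurationId = $ConfigurationId; MatchesSource = $label }
        }
    }
}

# Constructed inventory for one node. The directory value is the one printed in
# the post; the SMBIOS value is made up.
$known = @{
    'AD object GUID' = '860a8b9a306d498bb9323cc6ffd4794a'
    'SMBIOS UUID'    = '11111111-2222-3333-4444-555555555555'
}

# A ConfigurationID copied from the directory is flagged ...
Test-DscGuidIsDiscoverable -ConfigurationId '860a8b9a-306d-498b-b932-3cc6ffd4794a' -KnownIdentifiers $known

# ... while a freshly generated one returns nothing.
Test-DscGuidIsDiscoverable -ConfigurationId (New-DscNodeGuid) -KnownIdentifiers $known
```

The node-to-GUID mapping this produces is itself sensitive, so store it with the same access controls as the configurations on the pull server.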

 

Lee Holmes [MSFT]

Windows PowerShell Development