Best practice for doing a Build and Capture TS with security
I'm getting ready to set up a "Build and Capture a reference operating system image" (Win7) task sequence process for our system center configuration environment (2007, R2, mixed mode). I've been successfully using the manual build image and then use the capture media process, but want to get it automated.

However, our network administrator believes that the Build and Capture process may put our environment at risk. According to him, he believes that it would be possible for a computer to get infected during the process because the OS will not be fully patched and the computer will not have our anti-virus program installed. So, his suggested solution is to put the computer that the image will be built on behind a router. This will, to the best of my knowledge, cause some serious problems with SCCM attempting to communicate with the computer (which will be behind the router) during the build and capture sequence.

How do other organizations deal with this issue? I've done some extensive searching and find absolutely no mention of this issue whatsoever.

The following appear to be my options. I'd like to know which one Microsoft (and others) suggest is the most cost-efficient way that minimizes the risk. No, I'm not asking for a guarantee : ) Just what do others do about it?

Option 1. Ignore the "risk." The time that the computer will be "at risk" due to the OS not being fully patched and/or the anti-virus software not being active is so small as to be not worth the effort to worry about. Mitigate the risk by adding (as early as possible) a step to install all priority OS patches. Make the next step after that the one that installs the anti-virus solution.

Option 2. Put the computer that the image is being built on (as part of the build and capture) behind a router that will only allow traffic from the SCCM server to get to the computer that the image is being built on. Leave the SCCM server out in the normal network environment. Recommendations for a router to use?

Option 3. Only do build and capture processes in a test environment that contains both the SCCM server and the computer. Once built, move (can this be done?) the image out onto the SCCM "in production" server.

Option 4. Never do builds on your own. Always let Dell build your machines and send any and all back to Dell when they need to be rebuilt. (Okay, just kidding : )

Really appreciate any feedback on this. Kinda strange that I can't find any information about this issue. Maybe that means it's not an issue?

Thanks,
Geoff Weatherford
CVMBS CSU
November 30th, 2010 5:57pm

The concern is conceptually valid IMO. The best mitigation technique that comes to mind though is the Windows firewall, which is on by default; this will prevent anything from actually being able to attack the system being built.

The other factor mitigating any risk though is that nearly all exploits of systems these days come from user-initiated exploits. Because no users are actually logged into the system doing what users do best (clicking on anything that pops up and says click me), none of those exploits are valid. These two factors, plus any border protection that you have, reduce the risk to negligible IMO.

The idea of creating a build subnet using a router or VLAN and then implementing network-level ACLs to prevent any traffic to that subnet except from and to your ConfigMgr systems is another valid layer for ultra-paranoid organizations. This will have zero impact on the functionality of ConfigMgr. Any network with more than a trivial number of clients has clients separated by layer 3 devices such as routers. What you cannot do is manage NATed clients. You could achieve this same result with the Windows Firewall in Win7 also.

Lastly, if there is concern of something inside your border attacking a system being built, then I would submit that you have bigger issues to deal with anyway.

Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
November 30th, 2010 7:16pm
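
The Windows Firewall approach mentioned in the reply above, as an added example that is not part of the original thread: a command script that could run as an early step of the task sequence on the Win7 build machine. The server address `192.0.2.10` and the rule name are placeholders, and the final check assumes English-language `netsh` output.

```batch
@echo off
rem Added example, not from the thread. CM_SERVER is a placeholder
rem (documentation address); replace it with your ConfigMgr site system.
set "CM_SERVER=192.0.2.10"

rem 1. Make sure the firewall is enabled in every profile. It is on by
rem    default in Windows 7, but an answer file or earlier step may have
rem    turned it off.
netsh advfirewall set allprofiles state on || exit /b 1

rem 2. Default policy: drop unsolicited inbound, allow outbound so the
rem    client can still reach the management and distribution points.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || exit /b 1

rem 3. Only needed if something on the ConfigMgr side must connect in to
rem    the build machine: allow inbound from that one address and nothing
rem    else. Built-in allow rules (e.g. Core Networking) stay as they are.
netsh advfirewall firewall add rule name="Build - inbound from ConfigMgr only" ^
    dir=in action=allow remoteip=%CM_SERVER% profile=any || exit /b 1

rem 4. Fail the step if any profile still reports the firewall as OFF,
rem    so the task sequence stops instead of building unprotected.
netsh advfirewall show allprofiles state | find "OFF" >nul && exit /b 1

exit /b 0
```

A non-zero exit code makes the task sequence step fail, so an image is never captured from a machine that was built with the firewall disabled.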

Jason,

Appreciate the response. All of what you said makes sense and I agree with it. I'm making sure that I have some type of arguments available to me (other than not ever experiencing such an exploit ourselves even when not using a router) when I make the proposal to our IT department of not worrying about the need for another layer of security. Basically that the possibility of such an event (image being compromised) is very low and that we do not need to go through the cost and time of setting up a super secure process.

From the sound of it, setting up a secure environment does not sound like something that is "commonly" done. At least at our level and for use with a modern OS such as Windows 7.

I'll go ahead and mark your reply as "Mark as Answer". Looks like there were quite a few people that viewed the question. Since it did not get many replies, I'll assume that most people would agree with your statement (which is what my original thinking was also). As I stated in my original question, I have spent quite a bit of time searching for any information and actually got zero hits. Which would seem to reinforce what you have stated.

Thanks,
Geoff Weatherford
December 1st, 2010 10:52am

This topic is archived. No further replies will be accepted.
