MANAtea Posted March 22, 2016

Hello,

Is there any way to remove/hide/encrypt passwords appearing in clear text in the client-side logs during OSD? During OSD, I can read out the domain, user account and password for the Client Network Access Account. This account has read access on the packages share, and I don't want people deploying computers all over the world being able to read from the share. I think I read something about this in the release notes for 1511, but I can't find it again. Hope someone else has done this, and can spare the time to give me the solution.

Best Regards
Marius
Senior IT-Consultant

MANAtea Posted March 29, 2016

Bump

surfincow Posted April 7, 2016

Hmm.. I've not heard of this before and I just checked my smsts log from a newly imaged machine and do not see my network accounts there nor the accounts used to join machines to the domain. Are you somehow using some sort of script that contains the username and password of the network account? If so, that could be why they show in the log. Noticed that issue a few years ago trying to configure the BIOS on some Dell workstations. One of the parameters is what we want the password to be. Since that's part of the command string it gets logged. Not very good security-wise, so we ended up using a different approach that didn't involve passing the password as a command.

YPCC Posted April 7, 2016

Here's a potential workaround, though not a great one. Identify the file(s) you want to be "unreadable". Add a step in your TS that sets permissions on this file so it can only be accessed by SCCM (system account), for example. Not sure if that would work. Or you could add a step in the TS to delete the file? At least it doesn't get stored on the machine. I guess it would take someone with some reasonable knowledge of SCCM to actually find the user/pwd as they'd need to target the correct log file. Tricky one, but thankfully in our case our users and support teams have no idea where to find stuff like this.
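
Added example, not part of any post in this thread: a PowerShell check for the case surfincow describes, where a password passed on a command line ends up in the task sequence log. It parses CMTrace-format entries and reports the ones that look like they carry a password, with the value redacted. The function name, the detection pattern and the sample log lines (including the hypothetical `biosconfig.exe` switch) are assumptions made for illustration.

```powershell
# Added example: list task sequence log entries that appear to contain a password.
# The pattern and the sample lines are constructed for illustration (assumptions).
function Find-CredentialLikeLogEntry {
    param([Parameter(Mandatory)][string]$Path)

    # CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"'
    # A password-style switch (/NewPassword:x, --pwd x) or assignment (Password=x).
    $secret = '(?i)(?<key>[-/]{1,2}\w*(?:password|pwd)\w*[\s=:]+|\b\w*(?:password|pwd)\w*\s*[=:]\s*)(?<val>"[^"]+"|\S+)'

    # Read the whole file so that multi-line messages are matched as one entry.
    $text = Get-Content -LiteralPath $Path -Raw
    foreach ($m in [regex]::Matches($text, $entry, 'Singleline')) {
        $msg = $m.Groups['msg'].Value
        if ($msg -match $secret) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                # Redact the value so this report is not a second copy of the secret.
                Message   = [regex]::Replace($msg, $secret, '${key}<redacted>')
            }
        }
    }
}

# Constructed sample log; biosconfig.exe and its switch are hypothetical.
$sample = @'
<![LOG[Running command line: biosconfig.exe /NewPassword:Example123 /quiet]LOG]!><time="10:15:02.123+000" date="04-07-2016" component="RunCommandLine" context="" type="1" thread="1234" file="sample:1">
<![LOG[Successfully completed the action (Apply Operating System)]LOG]!><time="10:20:41.500+000" date="04-07-2016" component="TSManager" context="" type="1" thread="1234" file="sample:2">
'@
$log = Join-Path ([IO.Path]::GetTempPath()) 'smsts-sample.log'
Set-Content -LiteralPath $log -Value $sample

# Only the first sample entry is reported, with the password value redacted.
Find-CredentialLikeLogEntry -Path $log | Format-List
Remove-Item -LiteralPath $log
```

Point `-Path` at a copy of the real log to audit a deployed machine; the pattern is deliberately broad, so review each hit rather than treating it as confirmed exposure.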