Background
In versions older than 19.6.10.0, PDQ Deploy and PDQ Inventory allowed the Package Repository folder and the database file to inherit default parent folder permissions.
In some environments, this means the NT AUTHORITY\INTERACTIVE group could have Modify rights to these locations, allowing any interactive user on the machine (not just administrators) to modify:
- The Package Repository
- The PDQ Deploy / PDQ Inventory database files
This is not recommended from a security standpoint. Only administrative users should be able to modify these assets.
Starting with fresh installs of 19.6.10.0 and later, PDQ products will, by default, remove NT AUTHORITY\INTERACTIVE from these locations.
However:
- Upgrades from earlier versions
- Fresh installs earlier than 19.6.10.0
may still have less secure defaults, and should be checked.
Goal
Ensure that the PDQ database files and Package Repository do not grant permissions to:
NT AUTHORITY\INTERACTIVE
Step 1 – Verify Permissions
Run the following commands in an elevated PowerShell window (Run as Administrator) on your PDQ server.
1.1 Check database permissions
Example: PDQ Deploy database path
(Adjust the path if your database is stored in a custom location.)
# Replace with your DB path if needed
$dbPath = "$env:ProgramData\Admin Arsenal\PDQ Deploy\Database.db"
# A missing file must not be reported as SECURE, so check the path first
if (-not (Test-Path $dbPath)) {
    Write-Host "DB NOT FOUND - check the database path in the product settings" -ForegroundColor Yellow
}
elseif ((Get-Acl $dbPath -ErrorAction SilentlyContinue).Access |
        Where-Object { $_.IdentityReference -eq "NT AUTHORITY\INTERACTIVE" }) {
    Write-Host "DB INSECURE - NT AUTHORITY\INTERACTIVE has permissions" -ForegroundColor Red
}
else {
    Write-Host "DB SECURE - NT AUTHORITY\INTERACTIVE not found" -ForegroundColor Green
}
Repeat this check for PDQ Inventory by setting $dbPath to your Inventory database location (as shown in the product settings).
1.2 Check repository permissions
Example: default PDQ Deploy Repository path
(Adjust if you are using a custom repository location.)
# Replace with your repository path if needed
$repoPath = "C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository"
# A missing folder must not be reported as SECURE, so check the path first
if (-not (Test-Path $repoPath)) {
    Write-Host "REPO NOT FOUND - check the repository path in Options > Preferences > Repository" -ForegroundColor Yellow
}
elseif ((Get-Acl $repoPath -ErrorAction SilentlyContinue).Access |
        Where-Object { $_.IdentityReference -eq "NT AUTHORITY\INTERACTIVE" }) {
    Write-Host "REPO INSECURE - NT AUTHORITY\INTERACTIVE has permissions" -ForegroundColor Red
}
else {
    Write-Host "REPO SECURE - NT AUTHORITY\INTERACTIVE not found" -ForegroundColor Green
}
If either check reports INSECURE, continue with the fix steps below.
Step 2 – Secure the Repository
Only applicable to the PDQ Deploy Repository (Inventory does not use a repository in the same way).
- In PDQ Deploy, open Options > Preferences > Repository and note the Repository path.
- Use that path for $repoPath in the script below.
- Run this in an elevated PowerShell session to remove NT AUTHORITY\INTERACTIVE access and disable inheritance if it's enabled:
# Replace with your repository path if needed
$repoPath = "C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository"
# Disable inheritance, keeping copies of the inherited entries as explicit rules,
# write the ACL back, then re-read it so those entries can be removed below
$acl = Get-Acl $repoPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl $repoPath $acl
$acl = Get-Acl $repoPath
# Remove any NT AUTHORITY\INTERACTIVE access rules from the repository
# ($null = ... discards the boolean RemoveAccessRule returns for each rule)
$acl.Access |
    Where-Object { $_.IdentityReference -eq "NT AUTHORITY\INTERACTIVE" } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
Set-Acl $repoPath $acl
Write-Host "Repository secured - removed NT AUTHORITY\INTERACTIVE permissions" -ForegroundColor Green
- Re-run the repository verification command from Step 1.2 to confirm it now reports REPO SECURE.
Step 3 – Secure the Database Files
You should secure the databases for both PDQ Deploy and PDQ Inventory.
- In each product, go to Options > Preferences > Database (or the relevant settings area) and note the database file path.
- Use that path for $dbPath in the script below.
- Run this in an elevated PowerShell session:
# Replace with your DB path if needed
$dbPath = "$env:ProgramData\Admin Arsenal\PDQ Deploy\Database.db"
# Disable inheritance, keeping copies of the inherited entries as explicit rules,
# write the ACL back, then re-read it so those entries can be removed below
$acl = Get-Acl $dbPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl $dbPath $acl
$acl = Get-Acl $dbPath
# Remove any NT AUTHORITY\INTERACTIVE access rules from the database file
# ($null = ... discards the boolean RemoveAccessRule returns for each rule)
$acl.Access |
    Where-Object { $_.IdentityReference -eq "NT AUTHORITY\INTERACTIVE" } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
Set-Acl $dbPath $acl
Write-Host "Database secured - removed NT AUTHORITY\INTERACTIVE permissions" -ForegroundColor Green
- Re-run the database verification command from Step 1.1 for each database to confirm they now report DB SECURE.
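The three steps above can be combined into one audit-and-remediate pass. The following is an added example, not PDQ's own script: it reports every matching ACE (rights, and whether it is inherited or explicit) for all three locations rather than a yes/no, and supports -WhatIf for a dry run. The PDQ Inventory database path is an assumed default; confirm it in the product settings before relying on it.

```powershell
# Added example (not PDQ's own script): audit all three locations in one pass,
# reporting each matching ACE (rights, inherited or explicit) instead of a yes/no,
# then remediate only the insecure ones. The Inventory database path is an
# assumed default; confirm it under Options > Preferences before relying on it.
$Identity = 'NT AUTHORITY\INTERACTIVE'
$Targets = @(
    @{ Name = 'Deploy repository';  Path = 'C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository' }
    @{ Name = 'Deploy database';    Path = "$env:ProgramData\Admin Arsenal\PDQ Deploy\Database.db" }
    @{ Name = 'Inventory database'; Path = "$env:ProgramData\Admin Arsenal\PDQ Inventory\Database.db" }  # assumed
)

function Get-PdqInteractiveAce {
    param([string]$Path, [string]$Name)
    # A missing path is reported explicitly rather than as SECURE.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Target = $Name; Status = 'NOT FOUND'; Rights = $null; Inherited = $null; Path = $Path }
    }
    $aces = @((Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
    if ($aces.Count -eq 0) {
        return [pscustomobject]@{ Target = $Name; Status = 'SECURE'; Rights = $null; Inherited = $null; Path = $Path }
    }
    foreach ($ace in $aces) {
        [pscustomobject]@{ Target = $Name; Status = 'INSECURE'; Rights = $ace.FileSystemRights
                           Inherited = $ace.IsInherited; Path = $Path }
    }
}

function Remove-PdqInteractiveAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    if (-not $PSCmdlet.ShouldProcess($Path, "Remove $Identity access")) { return }
    # Break inheritance (keeping copies of inherited entries), write it back, and
    # re-read so the former inherited entries are now explicit and removable.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$report = foreach ($t in $Targets) { Get-PdqInteractiveAce -Path $t.Path -Name $t.Name }
$report | Format-Table Target, Status, Rights, Inherited -AutoSize
# Dry run first; remove -WhatIf to apply, then re-run the audit to confirm SECURE.
$report | Where-Object Status -eq 'INSECURE' | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Remove-PdqInteractiveAce -Path $_ -WhatIf }
```

Run it in an elevated session on the PDQ server; an Inherited = True row means the entry comes from the parent folder, which is the case the article describes.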
Summary
- Versions prior to 19.6.10.0 may allow NT AUTHORITY\INTERACTIVE permissions on the PDQ Deploy repository and PDQ databases.
- Use the verification scripts to check for NT AUTHORITY\INTERACTIVE access.
- Use the fix scripts to remove that access from:
- The PDQ Deploy Repository
- The PDQ Deploy database
- The PDQ Inventory database
This ensures that only authorized administrative users can modify critical PDQ data, aligning your environment with best security practices.