PDQ Deployment User
Thomas Gutshall II
Hello,
We noticed on our web filter that the users on the computer while the deployment happens get the deployment user's rights. We're also looking into the filter information while I ask this. We just want to know if the deployment user is logged out once the deployment is done, or are they still logged in until the computer is rebooted?
Thank You
Comments
Hey Thomas,
The deployment user is never really "logged in" to the machine. What happens is the deployment opens a connection to the \\target\ADMIN$ share as the user account specified for the deployment. This allows the PDQDeployRunner Service to talk to the PDQ Console to report step status information to the console, copy files to the machine, and execute the code in the steps. When the deployment ends, the PDQDeployRunner Service is terminated, and the connection is terminated. There is a small remnant left behind in the form of a log file in ADMIN$\AdminArsenal\PDQDeployRunnerService, but for all intents and purposes from a security standpoint, the deployment user is vamoosed. The communications are encrypted between the Console and the target, and the deployment credentials are hashed on top of that, so any nefarious person would first have to crack the tunnel encryption, and then figure out the salt on the credentials. Given that a deployment only lasts on average I'd say about 30 seconds, you would have to have a fleet of computers with power akin to the entirety of AWS compute possibility to get past that within that time frame.
Safe to say, I don't have any security-related concerns with PDQ Deploy in my environment, and I have a team of VERY VERY anal Security Engineers.
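
One way to check the behaviour described in the answer above on a target machine once a deployment has finished. This is an added example, not part of the original thread and not PDQ's own tooling; the account name `CONTOSO\svc-deploy`, the `PDQDeployRunner*` service-name pattern and the 24-hour lookback are assumptions, and step 3 needs logon/logoff auditing enabled on the target.

```powershell
# Added example. Save as a script and run on the target in an elevated session.
param(
    [string]$DeployUser = 'CONTOSO\svc-deploy',  # hypothetical deployment account
    [int]$LookbackHours = 24                     # assumed review window
)
$shortName = ($DeployUser -split '\\')[-1]

# 1. Runner service still installed or running? (name pattern is an assumption)
$services = @(Get-Service -Name 'PDQDeployRunner*' -ErrorAction SilentlyContinue)

# 2. Inbound SMB sessions (such as the ADMIN$ connection) held by the account
$smb = @(Get-SmbSession | Where-Object { $_.ClientUserName -like "*\$shortName" })

# 3. Network logons (4624, type 3) by the account with no matching logoff (4634)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -eq $shortName -and $d['LogonType'] -eq '3') {
        [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; LogonId = $d['TargetLogonId'] }
    }
}
$closed = @($parsed | Where-Object { $_.Id -eq 4634 } | ForEach-Object { $_.LogonId })
$open   = @($parsed | Where-Object { $_.Id -eq 4624 -and $_.LogonId -notin $closed })

# 4. Log remnant the answer mentions; ADMIN$ maps to %SystemRoot%
$logDir = Join-Path $env:SystemRoot 'AdminArsenal\PDQDeployRunnerService'
$logs   = @(Get-ChildItem -Path $logDir -File -Recurse -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Account            = $DeployUser
    RunnerServices     = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    SmbSessions        = $smb.Count
    NetworkLogons      = @($parsed | Where-Object { $_.Id -eq 4624 }).Count
    LogonsWithNoLogoff = $open.Count
    OldestOpenLogon    = ($open | Sort-Object Time | Select-Object -First 1).Time
    LeftoverLogFiles   = $logs.Count
}
```

If the target behaves as the answer describes, a run shortly after a deployment ends reports no SMB sessions and no logons without a logoff for the account, while the leftover log files remain.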