August 19, 2008

Network Boot with Windows Server 2003

Filed under: Network Admin — Tim @ 10:57 am

This is a quick guide to setting up a password-protected network boot menu without using Windows RIS. This is handy for booting various network boot disks for machine imaging and maintenance.

First off you’ll need the following:

1. A copy of PXELinux
2. Some floppy disk images (or winimage to create some)
3. A bit of time and patience

First you have to configure your DHCP server:

  1. Open the DHCP control panel from administrative tools.
  2. Expand the server you are wanting to configure. Expand the “Scope” folder. Right click on “Scope Options” and select “Configure Options”.
  3. Put a check mark in “013 Boot File Size” and enter the file size in 512-octet blocks. For example, if your boot image file is 12.8 KB (kilobytes), or 13204 bytes, divide the file size in bytes by 512 (13204 / 512) and round the result up. Enter the resulting number (26) in the text field that is enabled when you put a check in 013. If you’re using the PXELinux downloaded from this page then 26 is the correct value to enter.
  4. Put a check mark in “043 Vendor Specific Info” and enter the following binary value: 01 04 00 00 00 00 ff.
  5. Open a command window and type the following:
    c:\>netsh
    netsh>dhcp
    netsh dhcp>server \\server_name
    netsh dhcp server>add optiondef 60 ClassID String 0
    netsh dhcp server>set optionvalue 60 STRING PXEClient
  6. Put a check mark in “066 Boot Server Host Name” and enter the IP address of the server.
  7. Put a check mark in “067 Bootfile Name” and enter the name of the boot image file /tftpboot/pxelinux.0.
  8. Right click on the server name in the DHCP control panel, go to all tasks, and select “restart”.
  9. Go back to scope options and verify that all the information is there. You should see the five entries on the right. They should look like this:
    013 Boot File Size Standard 0x18
    043 Vendor Specific Info Standard 01 04 00 00 00 00 ff
    060 ClassID Standard PXEClient
    066 Boot Server Host Name Standard Server IP address
    067 Bootfile Name Standard /tftpboot/pxelinux.0

If any of the options do not match these, double-click on the option and change the value. More than likely option 060 will be wrong. Change it so it looks like above.

Now configure the TFTP Server as I outlined in the previous post.

You can now finally set up the actual boot process:

  1. Extract the contents of the PXELinux archive into c:\windows\tftpd\tftpboot\
  2. tftpd\tftpboot\
  3. In c:\windows\tftpd\tftpboot\pxelinux.cfg\ tftpd\tftpboot\netboot.img on the server once the password has been entered. More menu items can easily be added by adding more blocks and changing the label and the image filename.

Once all this has been done it’s time to test it out. If you have everything set up correctly, when you network boot a machine on your LAN you should be presented with a small password-protected menu that lets you boot your floppy disk images quickly and easily!

TFTP by Microsoft. Free, but Shy

Filed under: Network Admin — Tim @ 10:23 am

If you have only the occasional requirement for a TFTP server or a simple requirement that will require little ongoing administration and you’re running Windows, it’s most likely Microsoft have already provided you with all you need - they’ve just hidden it from you. This how-to guide explains how to get your free TFTP Server up and running.

Take a look at Wikipedia’s article on TFTP for more information.

Remember that TFTP is a simple and insecure protocol: it has no authentication and no encryption. If you have sensitive information or configurations to move across your network you should look at a more appropriate mechanism, such as SSH.

Finding the TFTP server daemon

The file you need, “tftpd.exe”, may already be installed on your system in the “%SystemRoot%\system32\dllcache” directory.

If it’s not already there, Windows 2000 Professional, Windows XP, Windows 2000 Server and Windows Server 2003 (and perhaps some others) all come with the software. You’ll find a file called “tftpd.ex_” in the “i386” directory on the installation CD, a compressed version of what you need. You can use the command “expand D:\I386\TFTPD.EX_ %SystemRoot%\system32\dllcache” to extract the file to its usual home.

Installing the TFTP service

The following script uses the native XP/2003 “sc.exe” and “reg.exe” commands to install the TFTP Server as a Windows Service.

If you’re running Windows 2000 you’ll need to get the same commands from the Windows 2000 Resource Kit (see Q251192) and the Windows 2000 Support Tools (see Q301423), or use the “instsrv.exe” command (see Q137890) and “regedit.exe” instead.

mkdir "C:\windows\tftpd\tftpboot"
copy "%SystemRoot%\system32\dllcache\tftpd.exe" "c:\windows\system32\tftpd.exe"
sc create TFTPd binPath= "%SystemRoot%\system32\tftpd.exe" start= auto DisplayName= "TFTP Server"
reg add HKLM\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters /v "Directory" /d "C:\Windows\tftpd"

Configuring the TFTP service

The TFTP Server takes its configuration from the Windows Registry. There are five keys you need to worry about, one of which (“Directory”) was created above and specifies where the TFTP Server finds its files on disk. The remaining four keys are listed here.

  • The “Masters” key contains a list of client IP addresses that are permitted to write files.
  • The “Clients” key contains a list of client IP addresses that are permitted to read files.
  • The “Readable” key contains a mask of acceptable filenames that can be read.
  • The “Writable” key contains a mask of acceptable filenames that can be written.

The following script configures a read-only TFTP server that will serve any filename to clients with IPs in the 192.168.110.* range.

reg add HKLM\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters /v "Masters" /d ""
reg add HKLM\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters /v "Clients" /d "192.168.110.*"
reg add HKLM\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters /v "Readable" /d "*"
reg add HKLM\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters /v "Writable" /d ""

And the Regedit script here does exactly the same thing.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters]
"Masters"=""
"Clients"="192.168.110.*"
"Readable"="*"
"Writable"=""
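A defender-side check for the four values just described, added here as an example (it is not from the original post or from Microsoft): it reads the TFTPd Parameters key with PowerShell and flags a server that has drifted from the read-only configuration above, for instance by gaining a write-capable “Masters” list or a wildcard “Clients” mask. The key path and value names are the post’s; the function names and the two sample hashtables are constructed for this example.

```powershell
# Added example, not part of the original post: audit the TFTPd Parameters
# values and report settings that turn the read-only boot server into one
# that accepts uploads or serves every host that can reach UDP/69.
# Function names and sample hashtables are constructed for this example.
$TftpdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TFTPd\Parameters'

function Test-TftpdParameters {
    param([Parameter(Mandatory)][hashtable]$Params)
    $findings = @()
    # Masters lists hosts allowed to write; Writable is the filename mask they
    # may write. A read-only server has both empty, so either being set is a finding.
    if ($Params['Masters']) {
        $findings += "Masters = '$($Params['Masters'])': uploads are allowed from these hosts"
    }
    if ($Params['Writable']) {
        $findings += "Writable = '$($Params['Writable'])': these filenames can be overwritten"
    }
    # Clients lists hosts allowed to read; '*' serves anyone on any network.
    if ($Params['Clients'] -eq '*') {
        $findings += "Clients = '*': reads are not restricted to the boot subnet"
    }
    return $findings
}

function Get-TftpdParameters {
    # Returns the live values as a hashtable, or $null if TFTPd is not installed.
    if (-not (Test-Path $TftpdKey)) { return $null }
    $p = Get-ItemProperty -Path $TftpdKey
    $h = @{}
    foreach ($name in 'Directory', 'Masters', 'Clients', 'Readable', 'Writable') {
        $h[$name] = [string]$p.$name   # missing value reads as ''
    }
    return $h
}

# Constructed sample: the read-only configuration from the post (no findings).
$readOnly = @{ Masters = ''; Clients = '192.168.110.*'; Readable = '*'; Writable = '' }
# Constructed sample: any host may read and overwrite any file (three findings).
$wideOpen = @{ Masters = '*'; Clients = '*'; Readable = '*'; Writable = '*' }

"Read-only sample: $((Test-TftpdParameters $readOnly).Count) finding(s)"
"Wide-open sample:"
Test-TftpdParameters $wideOpen | ForEach-Object { "  $_" }

# Finally audit this host, if the service is installed.
$live = Get-TftpdParameters
if ($live) { Test-TftpdParameters $live } else { 'TFTPd is not installed on this host' }
```

Run it from an elevated prompt on the TFTP host after applying either script above; an empty result for the live values means the server still matches the read-only configuration.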

Managing the TFTP service

The TFTP Server can be started and controlled just like any other Windows Service - from the MMC Services GUI, using “sc start TFTPd”, “sc stop TFTPd”, “net start TFTPd”, “net stop TFTPd” and so on.

If the machine hosting the TFTP Server has a local firewall you might need to add the appropriate rule to allow inbound UDP traffic to port 69 (see IANA Well Known Ports).

August 12, 2008

Wow…Been Busy? Me too.

Filed under: Network Admin — Tim @ 2:43 pm

It’s been extremely busy in both secular and personal life. Finishing a college course, budget time, moving to Hyper-V and virtualization.

I’ll get back to posting though, I miss the therapeutic effect!

TLC