# Permissions

## Configuration Manager Permissions

### Distribution Point Package Share IIS Permissions

Please see [this link](https://documentation.2pintsoftware.com/2pxe-server/troubleshooting/dp-package-share-iis-permissions) which addresses a recent IIS permission issue which can result in access denied errors when a client attempts to download a boot image.

### **Allowing Access to the Configuration Manager SQL Database**

2PXE uses SQL as the fastest way to retrieve boot actions for a system. Add the service account (default the machine account of the Distribution Point) to the *ConfigMgr\_DViewAccess* local group on the Configuration Manager Site Server. Members in this group have the required access for using distributed views against the Configuration Manager database. The account only requires read rights and can be further locked down if necessary.

{% hint style="info" %}
Note: Make sure the 2PXE server can reach the Configuration Manager database server by ensuring the necessary firewall ports are open. This is typically port 1433, however, it is configurable per the Microsoft Configuration Manager documentation.
{% endhint %}

{% embed url="<https://files.gitbook.com/v0/b/gitbook-legacy-files/o/assets%2F2pint-doco%2F-LlHsjkqncdI9e2xyU2d%2F-LlIDfw_FAHy67Kf4n0m%2F12.png?alt=media&generation=1564764471578337>" %}

## Security without Configuration Manager

If you are not using Configuration Manager then the only security related issue is to ensure that the boot URL returned from the PowerShell command is accessible with anonymous security or by using an ACL and the iPXE Network Access Account.