Security concerns of unattended, automatic installations

Staff, SearchWindowsSecurity.com

Unattended installations are a fact of life for many Windows administrators. With all that is going on in any given day, an admin can't be bothered with something as mundane and procedural as a new installation. There is, however, a certain level of vigilance required to make sure these automatic installations are done securely.

We polled some of our contributors here at SearchWindowsSecurity.com to find out what the experts say about their biggest unattended installation security concerns.

The consensus

Each contributor mentioned the integrity of the installation image. "I would scrutinize the machine that I was basing the image file off of very thoroughly prior to making the image file," said Microsoft MVP Brien Posey. But image integrity is not only a matter of checking that the image doesn't include some hidden virus or rootkit. Patching, said our contributors, is also a primary concern.

"The most vulnerable time of a Windows machine's life is just after installation but before security patches are installed," said Windows hardening expert Jonathan Hassell. He recommends disconnecting the network on which the installation takes place from the Internet. If that isn't possible, he recommends the following steps to mitigate risk:

  • Use a Group Policy Object to enable the Windows Firewall or ICF (Internet Connection Firewall) after installation.
  • Use Software Update Services (SUS) or Windows Server Update Services (WSUS) to automatically install at least some of the patches right after installation.
  • Don't leave newly installed machines alone for any more time than required. Have someone help you visit Windows Update on each machine and patch them.

Normally, an admin would like to have an up-to-date system image that includes hotfixes and service packs to perform the setup. But Windows expert Serdar Yegulalp cautions that even this intuitive solution might not work. "This in itself has pitfalls. For instance, update 824146 for MS03-042 on Windows 2000 doesn't really work too well in a slipstreamed environment, so [patching] might be something best done after the fact using SUS or something similar," he said.

Sounding the Administrator account alarm

Another prominent concern is the integrity of the administrator password. "The first thing I would worry about," said Yegulalp, "is leaving the Administrator password blank or the main Administrator account otherwise unsecured."

Hassell agreed. "[The Administrator account] is a serious hole in that anyone who can open the text file containing the parameters for the installation can see the administrator password you're assigning to any machine using that file." He also offered this cure: "The solution can be found in the Encrypt Administrator Password option within Setup Manager in Windows Server 2003."
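The two password problems described above can be checked for directly in an answer file. The following PowerShell sketch is an added example, not code from the article or its contributors. It assumes the classic unattend.txt / winnt.sif layout, in which the [GuiUnattended] section carries the AdminPassword and EncryptedAdminPassword keys and AdminPassword=* means a blank password. The function name and the sample file are constructed for illustration.

```powershell
# Added example: classify how an unattended-setup answer file handles the
# Administrator password. The password value itself is never written out.
function Test-AnswerFilePassword {
    param([string[]]$Lines)

    $section  = ''
    $settings = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
        if ($section -ieq 'GuiUnattended' -and $line -match '^([^=]+)=(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }

    $pw        = $settings['AdminPassword']
    $encrypted = $settings['EncryptedAdminPassword'] -ieq 'Yes'

    if (-not $settings.ContainsKey('AdminPassword')) { $finding = 'NotSet' }
    # '*' is the documented blank-password marker; treating an empty value
    # the same way is an assumption made for this example.
    elseif ($pw -eq '*' -or $pw -eq '')              { $finding = 'Blank' }
    elseif ($encrypted)                              { $finding = 'Encrypted' }
    else                                             { $finding = 'Plaintext' }

    [pscustomobject]@{
        Finding         = $finding
        EncryptedOption = $encrypted
        NeedsAttention  = $finding -in 'Blank', 'Plaintext'
    }
}

# Constructed sample answer file (not taken from a real deployment).
$sample = @'
; constructed sample for illustration
[Unattended]
UnattendMode=FullUnattended

[GuiUnattended]
AdminPassword="Example-Passw0rd"
EncryptedAdminPassword=No
TimeZone=35
'@ -split "`r?`n"

Test-AnswerFilePassword -Lines $sample | Format-List
```

To audit a real answer file, pass the output of Get-Content for that file as -Lines. An 'Encrypted' result only says the Setup Manager option was used, so read access to the file should still be restricted.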

Let us know if you have run into any other issues with unattended setups and we will append them to this article. Send your comments to bvigil@techtarget.com.

More information from SearchWindowsSecurity.com

  • Checklist: Deploy Windows Server 2003 SP1 with Remote Installation Services (RIS)
  • Book Excerpt: Troubleshooting Service Packs and Security Updates
  • Ask the Experts: Configuring automatic logon

This was first published in September 2005.
