Security concerns of unattended, automatic installations

Automatic, unattended installations are a necessity for any Windows administrator supporting a large organization. Keep these security concerns in mind to protect the integrity of the image source, the administrator password and the newly installed system.

Unattended installations are a fact of life for many Windows administrators. With all that is going on in any given day, an admin can't be bothered with something as mundane and procedural as a new installation. There is, however, a certain level of vigilance required to make sure these automatic installations are done securely.

We polled some of our contributors here at SearchWindowsSecurity.com to find out what the experts say about their biggest unattended installation security concerns.

The consensus

Each contributor mentioned the integrity of the installation image. "I would scrutinize the machine that I was basing the image file off of very thoroughly prior to making the image file," said Microsoft MVP Brien Posey. But the integrity of the image doesn't just have to do with checking that it doesn't include some hidden virus or rootkit. Patching, said our contributors, is also a primary concern.

"The most vulnerable time of a Windows machine's life is just after installation but before security patches are installed," said Windows hardening expert Jonathan Hassell. He recommends having the network on which the installation is occurring disconnected from the Internet, but if that isn't possible, he recommends the following steps to mitigate risk:

  • Use a Group Policy Object to enable the Windows Firewall or ICF (Internet Connection Firewall) after installation.
  • Use Software Update Services (SUS) or Windows Server Update Services (WSUS) to automatically install at least some of the patches right after installation.
  • Don't leave newly installed machines alone for any more time than required. Have someone help you visit Windows Update on each machine and patch them.

Normally, an admin would like to have an up-to-date system image that includes hotfixes and service packs to perform the setup. But Windows expert Serdar Yegulalp cautions that even this intuitive solution might not work. "This in itself has pitfalls. For instance, update 824146 for MS03-042 on Windows 2000 doesn't really work too well in a slipstreamed environment, so [patching] might be something best done after the fact using SUS or something similar," he said.

Sounding the Administrator account alarm

Another prominent concern is the integrity of the administrator password. "The first thing I would worry about," said Yegulalp, "is leaving the Administrator password blank or the main Administrator account otherwise unsecured."

Hassell agreed. "[The Administrator account] is a serious hole in that anyone who can open the text file containing the parameters for the installation can see the administrator password you're assigning to any machine using that file." He also offered this cure: "The solution can be found in the Encrypt Administrator Password option within Setup Manager in Windows Server 2003."

Let us know if you have run into any other issues with unattended setups and we will append them to this article. Send your comments to bvigil@techtarget.com.


More information from SearchWindowsSecurity.com

  • Checklist: Deploy Windows Server 2003 SP1 with Remote Installation Services (RIS)
  • Book Excerpt: Troubleshooting Service Packs and Security Updates
  • Ask the Experts Configuring automatic logon


  • This was first published in September 2005

    Dig deeper on Windows legacy operating systems

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchVirtualDesktop

    SearchWindowsServer

    SearchExchange

    Close