Unattended installations are a fact of life for many Windows administrators. With all that is going on in any given day, an admin can't be bothered with something as mundane and procedural as a new installation. There is, however, a certain level of vigilance required to make sure these automatic installations are done securely.
We polled some of our contributors here at SearchWindowsSecurity.com to find out what the experts say about their biggest unattended installation security concerns.
Each contributor mentioned the integrity of the installation image. "I would scrutinize the machine that I was basing the image file off of very thoroughly prior to making the image file," said Microsoft MVP Brien Posey. But the integrity of the image doesn't just have to do with checking that it doesn't include some hidden virus or rootkit. Patching, said our contributors, is also a primary concern.
"The most vulnerable time of a Windows machine's life is just after installation but before security patches are installed," said Windows hardening expert Jonathan Hassell. He recommends having the network on which the installation is occurring disconnected from the Internet, but if that isn't possible, he recommends the following steps to mitigate risk:
- Use a Group Policy Object to enable the Windows Firewall or ICF (Internet Connection Firewall) after installation.
- Use Software Update Services (SUS) or Windows Server Update Services (WSUS) to automatically install at least some of the patches right after installation.
- Don't leave newly installed machines alone for any more time than required. Have someone help you visit Windows Update on each machine and patch them.
Normally, an admin would like to have an up-to-date system image that includes hotfixes and service packs to perform the setup. But Windows expert Serdar Yegulalp cautions that even this intuitive solution might not work. "This in itself has pitfalls. For instance, update 824146 for MS03-042 on Windows 2000 doesn't really work too well in a slipstreamed environment, so [patching] might be something best done after the fact using SUS or something similar," he said.
Sounding the Administrator account alarm
Another prominent concern is the integrity of the administrator password. "The first thing I would worry about," said Yegulalp, "is leaving the Administrator password blank or the main Administrator account otherwise unsecured."
Hassell agreed. "[The Administrator account] is a serious hole in that anyone who can open the text file containing the parameters for the installation can see the administrator password you're assigning to any machine using that file." He also offered this cure: "The solution can be found in the Encrypt Administrator Password option within Setup Manager in Windows Server 2003."
Let us know if you have run into any other issues with unattended setups and we will append them to this article. Send your comments to firstname.lastname@example.org.
More information from SearchWindowsSecurity.com
This was first published in September 2005