[REVS] Security Deficiencies of Automated Windows Installations

From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04

  • Next message: SecuriTeam: "[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)"
    To: list@securiteam.com
    Date: 16 Dec 2004 11:19:11 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Security Deficiencies of Automated Windows Installations
    ------------------------------------------------------------------------

    SUMMARY

    In larger environments Windows workstations are usually installed in an
    automated manner using a so-called unattended setup. Serious weaknesses
    concerning the sources of these installations have frequently been
    identified by Compass Security during internal penetrations tests. Such
    weaknesses can enable an internal hacker to gain high-privileged (Domain
    Administrator) access in a short time. The aim of this article is to point
    out the problems in detail and to give suggestions in order to protect
    your installation sources properly.

    DETAILS

    Countermeasures:
    In order to remove the weaknesses mentioned and to provide secure
    installation sources Compass Security offers the following suggestions:

     * Use a low privileged user for the installation (boot diskette).

     * Protect your installation network shares adequately. Only installation
    users as well as administrators should have access to these resources.

     * Do not save credentials on boot diskettes or boot images. Some third
    party setup software provides encryption.

     * Use a normal user to join workstations to the domain. You have to
    extend the particular user with just one privilege called "Add Computers
    to the Domain". This can be done using Group Policy on the domain level in
    the Computer Configuration-Windows Settings-Security Settings-Security
    Options. functionality in this area.

     * Encrypt the passwords inside unattended files if possible. Microsoft
    provides a mechanism to encrypt the password for the local administrator
    but not for the user required for the domain join. Some third party
    software supports extended functionality in this area.

     * Delete all Restore Points created after the installation. To do so
    disable and re-enable system restore on the system.

     * Make sure that the sensitive files get deleted on the freshly installed
    computer. The safest way is to overwrite the empty space on the hard disk,
    since deleted but not overwritten files can be recovered. A tool called
    cipher (native tool in Win2000 and XP) exists that can do this:

    The following command will overwrite the whole empty space on c:
    cipher /w:c:\

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:christoph.schnidrig@csnc.ch>
    Christoph Schnidrig.
    The original article can be found at:
    <http://www.csnc.ch/eng_unattendend_win_install.pdf>
    http://www.csnc.ch/eng_unattendend_win_install.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)"

    Relevant Pages

    • Re: Can extra processing threads help in this case?
      ... computers installed in the White House. ... after the installation, hordes of NSA-types descended on the White House to track down the ... This is yet a different form of physical security: the early "smart cards" had encryption ... Bandwidth for connected servers, the path of the data, ...
      (microsoft.public.vc.mfc)
    • Re: lighting---hacked!
      ... the only possible security measure one might take. ... I made to turn off ipchains which we have only been running for about ... Take, in particular, the installation of ipchains, which is what ... >From the GUI interface and what documentation I had ...
      (comp.os.linux.security)
    • Re: Software Distribution Service 3
      ... to a checkpoint prior to that installation. ... to restore prior to the checkpoint before this Windows Update was applied I ... your best bet would be to open a free support incident. ... security updates. ...
      (microsoft.public.windowsupdate)
    • Re: Idea to make package vulnerabilities not matter, along with third party software
      ... but they seem arrogant about security, ... FreeBSD contains such mechanisms, but as memory access ... The server doesn't run a GUI. ... installation won't continue. ...
      (freebsd-questions)
    • Macro security N Custom Maintenance wizard
      ... Then I try to figure out whether it is possible to enforce macro security ... Office Security Settings page of either the Custom Installation Wizard or the ... Custom Maintenance Wizard. ...
      (microsoft.public.office.misc)