[REVS] Security Deficiencies of Automated Windows Installations

From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04

  • Next message: SecuriTeam: "[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)"
    To: list@securiteam.com
    Date: 16 Dec 2004 11:19:11 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Security Deficiencies of Automated Windows Installations


    In larger environments Windows workstations are usually installed in an
    automated manner using a so-called unattended setup. Serious weaknesses
    concerning the sources of these installations have frequently been
    identified by Compass Security during internal penetrations tests. Such
    weaknesses can enable an internal hacker to gain high-privileged (Domain
    Administrator) access in a short time. The aim of this article is to point
    out the problems in detail and to give suggestions in order to protect
    your installation sources properly.


    In order to remove the weaknesses mentioned and to provide secure
    installation sources Compass Security offers the following suggestions:

     * Use a low privileged user for the installation (boot diskette).

     * Protect your installation network shares adequately. Only installation
    users as well as administrators should have access to these resources.

     * Do not save credentials on boot diskettes or boot images. Some third
    party setup software provides encryption.

     * Use a normal user to join workstations to the domain. You have to
    extend the particular user with just one privilege called "Add Computers
    to the Domain". This can be done using Group Policy on the domain level in
    the Computer Configuration-Windows Settings-Security Settings-Security
    Options. functionality in this area.

     * Encrypt the passwords inside unattended files if possible. Microsoft
    provides a mechanism to encrypt the password for the local administrator
    but not for the user required for the domain join. Some third party
    software supports extended functionality in this area.

     * Delete all Restore Points created after the installation. To do so
    disable and re-enable system restore on the system.

     * Make sure that the sensitive files get deleted on the freshly installed
    computer. The safest way is to overwrite the empty space on the hard disk,
    since deleted but not overwritten files can be recovered. A tool called
    cipher (native tool in Win2000 and XP) exists that can do this:

    The following command will overwrite the whole empty space on c:
    cipher /w:c:\


    The information has been provided by <mailto:christoph.schnidrig@csnc.ch>
    Christoph Schnidrig.
    The original article can be found at:


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Linux Kernel Multiple Local DoS (vc_resize, ip_options_get)"