The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Security Deficiencies of Automated Windows Installations
------------------------------------------------------------------------
SUMMARY
In larger environments Windows workstations are usually installed in an
automated manner using a so-called unattended setup. Serious weaknesses
concerning the sources of these installations have frequently been
identified by Compass Security during internal penetrations tests. Such
weaknesses can enable an internal hacker to gain high-privileged (Domain
Administrator) access in a short time. The aim of this article is to point
out the problems in detail and to give suggestions in order to protect
your installation sources properly.
DETAILS
Countermeasures:
In order to remove the weaknesses mentioned and to provide secure
installation sources Compass Security offers the following suggestions:
* Use a low privileged user for the installation (boot diskette).
* Protect your installation network shares adequately. Only installation
users as well as administrators should have access to these resources.
* Do not save credentials on boot diskettes or boot images. Some third
party setup software provides encryption.
* Use a normal user to join workstations to the domain. You have to
extend the particular user with just one privilege called "Add Computers
to the Domain". This can be done using Group Policy on the domain level in
the Computer Configuration-Windows Settings-Security Settings-Security
Options. functionality in this area.
* Encrypt the passwords inside unattended files if possible. Microsoft
provides a mechanism to encrypt the password for the local administrator
but not for the user required for the domain join. Some third party
software supports extended functionality in this area.
* Delete all Restore Points created after the installation. To do so
disable and re-enable system restore on the system.
* Make sure that the sensitive files get deleted on the freshly installed
computer. The safest way is to overwrite the empty space on the hard disk,
since deleted but not overwritten files can be recovered. A tool called
cipher (native tool in Win2000 and XP) exists that can do this:
The following command will overwrite the whole empty space on c:
cipher /w:c:\
ADDITIONAL INFORMATION
The information has been provided by <mailto:christoph.schnidrig@csnc.ch>
Christoph Schnidrig.
The original article can be found at:
<http://www.csnc.ch/eng_unattendend_win_install.pdf>
http://www.csnc.ch/eng_unattendend_win_install.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
