In larger environments Windows workstations are usually installed in an automated manner using a so-called unattended setup. Serious weaknesses concerning the sources of these installations have frequently been identified by Compass Security during internal penetration tests. Such weaknesses can enable an internal attacker to gain high-privileged (Domain Administrator) access in a short time. The aim of this article is to point out the problems in detail and to give suggestions on how to protect your installation sources properly.
Credit:
The information has been provided by Christoph Schnidrig.
The original article can be found at: http://www.csnc.ch/eng_unattendend_win_install.pdf
Countermeasures:
In order to remove the weaknesses mentioned and to provide secure installation sources Compass Security offers the following suggestions:
* Use a low privileged user for the installation (boot diskette).
* Protect your installation network shares adequately. Only installation users as well as administrators should have access to these resources.
* Do not save credentials on boot diskettes or boot images. Some third party setup software provides encryption.
* Use a normal user to join workstations to the domain. You only have to grant this particular user one privilege, called "Add Computers to the Domain". This can be done using Group Policy at the domain level under Computer Configuration > Windows Settings > Security Settings > Security Options.
* Encrypt the passwords inside unattended files if possible. Microsoft provides a mechanism to encrypt the password for the local administrator, but not for the user required for the domain join. Some third-party software supports extended functionality in this area.
* Delete all Restore Points created after the installation. To do so, disable and re-enable System Restore on the system.
* Make sure that the sensitive files get deleted on the freshly installed computer. The safest way is to overwrite the empty space on the hard disk, since deleted but not overwritten files can be recovered. A tool called cipher (a native tool in Windows 2000 and XP) can do this. The following command overwrites all free space on c:
    cipher /w:c:\
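To check the "encrypt the passwords inside unattended files" point above, the following added example (not from the original article) scans a Windows 2000/XP-style answer file (unattend.txt / winnt.sif) for the standard AdminPassword, EncryptedAdminPassword and DomainAdminPassword keys and reports any credential stored in cleartext. The sample answer file is constructed for the demonstration.

```python
"""Audit a Windows 2000/XP-era unattended answer file (unattend.txt /
winnt.sif) for credentials stored in cleartext."""
import re

# Constructed sample answer file, modelled on the unattend.txt format.
SAMPLE_UNATTEND = """\
; constructed example, not a real installation source
[Unattended]
UnattendMode=FullUnattended
[GuiUnattended]
AdminPassword="LocalAdminSecret1"
EncryptedAdminPassword=No
[Identification]
JoinDomain=CORP
DomainAdmin=svc_join
DomainAdminPassword=JoinSecret2
"""

def parse_answer_file(text):
    """Parse INI-style answer-file text into {section: {key: value}}.
    Section and key names are lowercased; ';' comments and surrounding
    double quotes are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value.strip('"')
    return sections

def find_cleartext_credentials(text):
    """Return a list of findings describing passwords kept unencrypted."""
    cfg = parse_answer_file(text)
    findings = []
    gui = cfg.get("guiunattended", {})
    pwd = gui.get("adminpassword", "")
    # AdminPassword="*" means "no password"; only flag a real value that
    # is not marked as encrypted.
    if pwd and pwd != "*" and gui.get("encryptedadminpassword", "no").lower() != "yes":
        findings.append("cleartext local Administrator password in [GuiUnattended]")
    ident = cfg.get("identification", {})
    # Windows offers no encryption for the domain-join account's password.
    if ident.get("domainadminpassword"):
        findings.append("cleartext domain-join password for %s in [Identification]"
                        % ident.get("domainadmin", "<unknown>"))
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_UNATTEND):
        print("WARNING:", finding)
```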