S 4.248 Secure installation of Windows client operating systems
Initiation responsibility: IT Security Officer
Implementation responsibility: Administrator
Fundamentally, the out-of-the-box installations of Windows Vista and Windows 7 do not always achieve a security level appropriate for professional use. Therefore, an individual setup must be planned and used.
A Windows system is not completely configured during the installation phase (see the planning measures), which means that some of the desired security settings may not be enabled yet. For this reason, the installation and initial configuration of a Windows system should be performed in a protected environment, if possible. Response files and policy templates should be used during initial installation, since manual installation is risky. The checklists in place should always be kept up to date. When this is not possible, for example when installing Windows on-site on a workstation computer (locally or over the network), a default configuration prepared (and preconfigured) in advance should be installed instead. In Windows 7 and higher, this type of installation should always be preferred. When using system images, the so-called image files, it must be ensured that all updates and patches available at the time of transferral are installed before transferring the IT system to production. A Windows system should be completely updated and equipped with all updates already released for the institution before transferring it to production - particularly before it is allowed to connect to the Internet or third party networks.
If a Windows system is not integrated into an Active Directory domain structure, the group policies also containing the security settings must be configured locally on the IT system. This should be performed manually or in a script-based manner for the Microsoft Windows Vista and Windows 7 operating systems. How the settings are actually performed must be decided in the planning phase.
The group policies mechanism allows a faster, more reliable, more complete, and more confidential initial configuration when the IT system is added to the domain. Once it has been added to the domain, the IT system object must be moved to the corresponding organisational unit (OU) in the Active Directory. If the IT system remains in the default Computers container of the Active Directory, only site and domain GPOs are applied and no OU GPOs, since group policy objects cannot be linked to this container. It must also be ensured that the IT system is restarted after it has been moved to a new organisational unit, so that the GPOs linked to this OU are loaded on the IT system and applied.
Upon completion of installation, it should be ensured that the corresponding security settings have actually been applied. In doing so, the components installed, policies applied, authorisations granted in the file system and registry, user rights assigned, and system services enabled should be examined.
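As an added example that is not part of the safeguard text, the following PowerShell script performs this post-installation check on a Windows 7 client: it compares running services, local Administrators membership, one user right exported with secedit, and a registry ACL against a small baseline. The baseline values (service names, the EXAMPLE domain, the registry key) are constructed assumptions standing in for the institution's own checklist.

```powershell
# Added example, not part of the BSI safeguard text: checks a freshly installed
# Windows 7 client against a small baseline. The baseline values are assumptions
# for illustration; replace them with the institution's planning-phase checklist.
$baseline = @{
    DisabledServices = @('RemoteRegistry', 'TlntSvr')        # must be stopped and disabled
    LocalAdmins      = @("$env:COMPUTERNAME\Administrator",   # only these may be in Administrators
                         'EXAMPLE\Domain Admins')
    RemoteLogonSids  = @('*S-1-5-32-544')                     # Remote Desktop logon: Administrators only
    RegistryKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # no write access for Users
}
$findings = @()

# 1. System services (WMI is available on PowerShell 2.0, which Windows 7 ships with)
foreach ($name in $baseline.DisabledServices) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
        $findings += "Service $name is $($svc.State), start mode $($svc.StartMode)"
    }
}

# 2. Membership of the local Administrators group via ADSI
$group = [ADSI]'WinNT://./Administrators,group'
foreach ($m in @($group.psbase.Invoke('Members'))) {
    $path    = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $account = ($path -replace '^WinNT://', '') -replace '/', '\'
    if ($baseline.LocalAdmins -notcontains $account) { $findings += "Unexpected local administrator: $account" }
}

# 3. User rights: export the effective local policy and inspect one assignment
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^SeRemoteInteractiveLogonRight\s*=\s*(.+)$') {
        foreach ($sid in ($matches[1] -split ',')) {
            if ($baseline.RemoteLogonSids -notcontains $sid.Trim()) { $findings += "Remote Desktop logon granted to $($sid.Trim())" }
        }
    }
}
Remove-Item -Path $cfg -Force

# 4. Registry ACL: flag Allow entries that give Users or Everyone the SetValue right
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
foreach ($ace in (Get-Acl -Path $baseline.RegistryKey).Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference -match '\\Users$|^Everyone$' -and
        ($ace.RegistryRights -band $setValue)) {
        $findings += "$($ace.IdentityReference) may write to $($baseline.RegistryKey)"
    }
}
if ($findings.Count -eq 0) { 'Post-installation check passed.' } else { $findings }
```

The script must be run from an elevated session, since secedit and the ADSI group query require administrative rights.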
Upon completion of installation of Windows Vista and Windows 7, it is also necessary to activate the operating system. A Windows Vista installation without Service Pack 1 (SP1) that is not activated becomes inoperable after expiration of a predefined grace period of 30 days. The Vista client is forced to enter the Reduced Functionality Mode (RFM), which only provides reduced functionality. Microsoft eliminated the RFM with the release of Windows Vista Service Pack 1. Instead of switching to the RFM mode, Windows Vista and Windows 7 now display corresponding warnings, but these warnings can also impede or delay critical tasks on a Windows Vista or Windows 7 system.
Further information on activation can be found in S 4.336 Activation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions and S 4.343 Reactivation of Windows systems from a volume licence contract in Vista or Server 2008 and higher versions.
Domain membership
To add an IT system to a domain, it is either necessary to prepare a corresponding computer account in the domain beforehand or the computer account is created when adding the IT system to the domain. For this, administrative authorisations are necessary, which require restrictive handling. Whether the computer account should be created prior to or during installation must be decided depending on the common practice of the company or government agency.
Future members of the domain should be added to the domain during installation and should not be installed as a stand-alone system first. For example, this guarantees that simple file sharing remains disabled and that no additional local users with administrative authorisations will be created.
Unattended installations
Windows offers a mechanism for the unattended installation of the operating system. In this, the installation is performed using a predefined response file and without requiring any interaction by the administrator. This response file, which contains the necessary installation input, is created in advance of a Windows XP installation using the Setup Manager installation management program.
Windows Vista and Windows 7 use the Unattend.xml response file for the unattended installation of the operating system. This response file can be created and edited with the Windows System Image Manager. The Windows System Image Manager is part of the Windows Automated Installation Kit (WAIK). The WAIK is not available on the Windows Vista and Windows 7 installation media, but it can be downloaded from the Microsoft website. The WAIK is already part of the new Business Desktop Deployment (BDD) deployment tool for Windows Vista and Windows 7. The BDD comprises functions for planning, designing, testing, and allocating Windows Vista and Windows 7. The Microsoft Deployment Tool Kit 2010 (MDT 2010) replaces the already existing BDD 2010.
If Windows systems are installed unattended, the following must be taken into account:
- Sensitive information in response files such as passwords must be protected against unauthorised reading. The passwords used must be encrypted when creating the response file using the Setup Manager installation management program or, for Windows Vista and Windows 7, using the Windows System Image Manager.
- How to handle passwords stored in an installation script or a response file and used for joining the domain must be defined. Since this password cannot be encrypted in the response file, an IT system should be added to the domain using the Windows Deployment Services (WDS).
- The administrator password must not be left blank during unattended installations in Windows XP, because otherwise automatic logon is enabled. In Windows Vista and Windows 7, automatic logon is only enabled during an unattended installation if the response file prepared for the installation is configured accordingly.
- After installation, the scripts as well as all files containing confidential information must be deleted immediately and securely (see also S 4.56 Secure deletion in Windows operating systems).
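The points above can be checked before a response file is placed on installation media or a WDS share. The following PowerShell script is an added example, not part of the safeguard text: it parses an Unattend.xml and reports password elements stored in clear text, the domain-join credential that Setup cannot encrypt, and an enabled AutoLogon. The embedded Unattend.xml is a constructed sample; the domain, account names and passwords in it are placeholders.

```powershell
# Added example, not part of the BSI safeguard text: audits an Unattend.xml for
# credentials that would be readable in clear text. The document below is a
# constructed sample; for a real file use: [xml]$unattend = Get-Content -Path $Path
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>BASE64-ENCODED-VALUE</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>Passw0rd</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials><Domain>example.local</Domain><Password>J0inPass!</Password><Username>joinacct</Username></Credentials>
        <JoinDomain>example.local</JoinDomain>
      </Identification>
    </component>
  </settings>
</unattend>
'@
[xml]$unattend = $sample
$findings = @()

# Every password container in the Vista/7 unattend schema is either <AdministratorPassword>
# or <Password>; local-name() sidesteps the default namespace declaration.
$xpath = "//*[local-name()='AdministratorPassword' or local-name()='Password']"
foreach ($node in $unattend.SelectNodes($xpath)) {
    $where = "$($node.ParentNode.LocalName)/$($node.LocalName)"
    $plain = $node.SelectSingleNode("*[local-name()='PlainText']")
    if ($node.ParentNode.LocalName -eq 'Credentials') {
        # The domain-join credential has no PlainText/Value pair and is always clear text
        $findings += "$where is a domain-join password and cannot be encrypted by Setup"
    } elseif ($plain -and $plain.InnerText -eq 'true') {
        $findings += "$where is stored in clear text (PlainText=true)"
    } elseif (-not $plain) {
        $findings += "$where has no PlainText element; confirm the value is encrypted"
    }
}
$enabled = $unattend.SelectSingleNode("//*[local-name()='AutoLogon']/*[local-name()='Enabled']")
if ($enabled -and $enabled.InnerText -eq 'true') { $findings += 'AutoLogon is enabled in the response file' }
if ($findings.Count -eq 0) { 'No clear-text credentials found.' } else { $findings }
```

For the constructed sample the script reports the AutoLogon password, the domain-join password and the enabled AutoLogon, while the base64-encoded administrator password passes.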
Customised installation media
If Windows is installed from possibly outdated original media, all patches, Service Packs, and updates available must be installed separately after installation. This increases the total installation time as well as the risk of a successful attack on the IT system, since it will not be up to date for a certain period of time. In order to install the updates during installation and to reduce the risk of a successful attack, you can use one of the two different installation functions introduced in Windows XP and higher:
- integrated installation (also called Slipstream installation) or
- combined installation.
In Windows Vista and Windows 7, updates can be installed during installation using the BDD deployment tool and/or MDT 2010. In an integrated installation, Windows is installed together with a Service Pack. A combined installation allows you to install the operating system together with hotfixes and additional applications in the unattended mode.
A new installation medium is created for an integrated installation. In this, the original files are overwritten by files in the Service Pack. Possible installation media include optical storage media such as CD-ROMs or DVDs, network distribution shares, or installation folders belonging to the Remote Installation Services (RIS) and/or the Windows Deployment Services (WDS). It must be ensured that a Service Pack installed using the integrated installation mode cannot be uninstalled.
A combined installation medium is created by integrating additional installation files into the original installation medium. The response file for the unattended installation (called Unattend.txt or, in Windows Vista and Windows 7, AutoUnattend.xml by default) and the cmdlines.txt file must be modified accordingly. The exact procedure to follow in each case can be found in the documentation provided by Microsoft.
As a rule, it is recommended to use customised installation media. Which of the two methods should be used in a given company or government agency must be decided on a case-by-case basis. When installing Windows XP, it is necessary to take S 2.329 Implementation of Windows XP SP2 into account.
In Windows Vista and Windows 7, only the WIM image must be adapted for distribution purposes. The WIM image is an operating system image with the WIM format. It is either made available on removable media or in the network. For prompt changes and updates, a server share or a WSUS server is queried during the installation process. However, this is not absolutely necessary.
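Adapting the WIM image as described above can be done offline with the DISM tool from the WAIK. The following PowerShell script is an added example, not part of the safeguard text: it mounts a copy of install.wim, adds all downloaded update packages from a folder, lists the resulting packages and optional components for the installation checklist, and only commits the image if every package was added. All paths and the image index are assumptions.

```powershell
# Added example, not part of the BSI safeguard text: services a copy of install.wim
# offline with DISM so that released updates are already in the image before it is
# distributed via WDS or removable media. All paths below are assumptions.
$WimFile   = 'D:\Images\install.wim'   # copy of the image to be adapted
$Index     = 1                         # image index, see: Dism /Get-WimInfo /WimFile:<file>
$MountDir  = 'D:\Mount'                # empty directory used as mount point
$UpdateDir = 'D:\Updates'              # downloaded .msu/.cab packages for this Windows version

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Dism "/Mount-Wim" "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "Mounting $WimFile failed (exit code $LASTEXITCODE)" }

$commit = '/Discard'   # never commit a partially serviced image
try {
    # Inject every package; the first failure aborts the run and the image is discarded
    Get-ChildItem -Path $UpdateDir -Include *.msu, *.cab -Recurse | Sort-Object Name | ForEach-Object {
        Dism "/Image:$MountDir" "/Add-Package" "/PackagePath:$($_.FullName)"
        if ($LASTEXITCODE -ne 0) { throw "Adding $($_.Name) failed (exit code $LASTEXITCODE)" }
    }
    # Record the resulting package and component state for the installation checklist
    Dism "/Image:$MountDir" "/Get-Packages" "/Format:Table"
    Dism "/Image:$MountDir" "/Get-Features" "/Format:Table"
    # Components the institution does not need can be switched off at this point, e.g.
    # Dism "/Image:$MountDir" "/Disable-Feature" "/FeatureName:<name from /Get-Features>"
    $commit = '/Commit'
}
finally {
    Dism "/Unmount-Wim" "/MountDir:$MountDir" $commit
}
```

The same mounted image can be used to switch off optional components, so that the installed system contains only the components the institution requires.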
System components
When installing the system, it must be guaranteed that only the system components needed are installed. Additional components can be installed depending on the existing business requirements of the institution. These components are marked in the tables in the Resources for IT-Grundschutz as Optional. From a security perspective, it is not recommended to install the Windows components marked with Disabled.
Review questions:
- Has it been ensured that systems are only transferred to production in the network after entirely completing the installation of the system, its configuration, and the installation of all patches and updates?
- Has it been guaranteed that only the system components needed are actually installed during the installation of Windows systems?
- Has it been ensured that the corresponding security settings have actually been applied after installation (the installed components, applied policies, authorisations in the file system/registry, assigned user rights, allowed system services, etc.)?
- Are passwords in installation scripts and configuration files protected and were these passwords deleted from the system after installation?
- Is an administrator password assigned during an unattended installation of Windows?