Managing Windows Installer with Policies



Windows Installer provides a number of policies for managing how it installs applications and interacts with users. Some policies are more important and more useful than others; I'll get to that in just a bit. First, here's the complete list of policies provided by Windows Installer. (The parentheses contain the policies' registry values.)

  • User Configuration\Administrative Templates\Windows Components\Windows Installer (HKCU\Software\Policies\Microsoft\Windows\Installer)

    • Always install with elevated privileges (AlwaysInstallElevated).

      Directs Windows Installer to use system permissions when it installs any program on the system. For this policy to work, you must also set its per-computer version.

    • Search order (SearchOrder).

      Specifies the order in which Windows Installer searches for installation files. In other words, you can specify the order in which it checks network, local media, and Web locations for installation files.

    • Prohibit rollback (DisableRollback).

      Prohibits Windows Installer from generating and saving the files that it needs to reverse an interrupted or unsuccessful installation. This is useful when you know that the disks won't have enough space to hold the rollback files. However, it's also dangerous because if the installation fails, Windows Installer won't be able to restore the computer.

    • Prevent removable media source for any install (DisableMedia).

      Prevents users from installing programs from removable media. Using this policy is a great way to prevent users from circumventing IT policies and installing applications themselves. This controls only Windows Installer–based applications, though.

  • Computer Configuration\Administrative Templates\Windows Components\Windows Installer (HKLM\Software\Policies\Microsoft\Windows\Installer)

    • Disable Windows Installer (DisableMSI).

      Disables or restricts the use of Windows Installer. Use this policy to limit Windows Installer to only managed applications. Your choices are to allow users to install Windows Installer–based applications, never to allow users to install, or to allow them to install only managed applications.

    • Always install with elevated privileges (AlwaysInstallElevated).

      Directs Windows Installer to use system permissions when it installs any program on the system. For this policy to work, you must also set its per-user version.

    • Prohibit rollback (DisableRollback).

      Prohibits Windows Installer from generating and saving the files that it needs in order to reverse an interrupted or unsuccessful installation. This is useful when you know that the user's hard disk doesn't have enough space to hold the rollback files. However, it's also dangerous because if the installation fails, Windows Installer won't be able to restore the installation.

    • Remove browse dialog box for new source (DisableBrowse).

      Prevents users from searching for installation files when they add features or components to an installed program. By default, if Windows Installer can't find the application's source files, it displays a dialog box allowing users to browse for the files.

    • Prohibit patching (DisablePatch).

      Prevents users from using Windows Installer to install patches. You prevent users from patching their applications to protect them from malicious code.

    • Disable IE security prompt for Windows Installer scripts (SafeForScripting).

      Allows Web-based programs to install software on the computer without notifying the user.

    • Enable user control over installs (EnableUserControl).

      Permits users to change installation options that typically are available to system administrators only. Use this policy only in environments that don't lock down and carefully control configurations because it bypasses some of the security features built into Windows Installer.

    • Enable user to browse for source while elevated (AllowLockdownBrowse).

      Allows users to search for installation files during privileged installations. By default, when it's running with elevated privileges, Windows Installer doesn't allow users to browse for installation source files.

    • Enable user to use media source while elevated (AllowLockdownMedia).

      Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installations. By default, when it's running with elevated privileges, Windows Installer doesn't allow users to install applications from local media.

    • Enable user to patch elevated products (AllowLockdownPatch).

      Allows users to upgrade programs during privileged installations. By default, when the installation program is running with elevated privileges, Windows Installer doesn't allow users to patch applications.

    • Allow admin to install from Terminal Services session (EnableAdminTSRemote).

      Allows Terminal Services administrators to install and configure programs remotely. Windows Installer allows administrators to install applications only when they are console users. This policy allows users to install applications using Terminal Services.

    • Cache transforms in secure location on workstation (TransformsSecure).

      Saves copies of transform files in a secure location on the local computer. Windows Installer stores transforms in users' profile folders so that transforms follow users from computer to computer. Users can change the transforms, however. This policy causes Windows Installer to store transforms in a secure location, preventing users from changing them, but the transforms don't follow users.

    • Logging (Logging).

      Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.

    • Prohibit user installs (DisableUserInstalls).

      Allows IT professionals to prevent user installs. This policy has three choices. You can allow per-user installations, which is the default, and Windows Installer favors per-user installations over per-computer installations. You can hide per-user installations, and Windows Installer favors per-computer installations over per-user installations. You can prohibit user installations, and Windows Installer prevents applications from performing per-user installations. The last option is desirable to ensure a standard configuration that's available to all users on all computers.

    • Turn off creation of System Restore checkpoints (LimitSystemRestoreCheckpointing).

      Prevents Windows Installer from creating System Restore checkpoints. In the event of a problem, System Restore enables users to restore their computers to a previous state without losing personal data files. By default, Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state that it was in before installing the application.

Of all these policies, the most useful are AlwaysInstallElevated, which loosens up security enough to allow restricted users to install applications; TransformsSecure, which stores transforms to prevent tampering; and the other policies that you can use to significantly restrict use of Windows Installer. Both ends of the spectrum, low and high security, are available to you.

Installing with Elevated Privileges

The policy AlwaysInstallElevated installs Windows Installer–based applications with elevated privileges. Microsoft documentation often calls this a privileged installation. This policy is one way to enable users to install applications that they couldn't otherwise install, either because they're in restricted groups or because you've locked down the desktops in your enterprise. Using Active Directory or something like Microsoft SMS (Systems Management Server) is a better way to deploy those applications. If neither product is available to you, consider using this policy, but keep in mind that the consequences of doing so can be severe.

These consequences stem from the fact that users can take advantage of this policy to gain full control of their computers. Users could permanently change their privileges and circumvent your ability to manage their accounts and computers. In addition, this policy creates an opening for viruses disguised as Windows Installer package files. For these reasons, this isn't a setting that I recommend in any but the most dire situations, in which there's no method available other than placing users into the local Administrators group.

For this policy to be effective, you must enable both the per-computer and per-user versions of it at the same time. In other words, enable it in Computer Configuration as well as in User Configuration.

TIP
Deploying applications to locked-down desktops is a common and tricky scenario. Using the AlwaysInstallElevated policy isn't the best solution, either. Other than the typical fare, such as Active Directory and SMS, elegant solutions do exist for this problem. Chapter 8, “Configuring Windows Security,” describes many of these solutions, including using Security Templates and Security Configuration And Analysis to relax security just enough to allow legacy programs to run in Windows. Chapter 18, “Fixing Common IT Problems,” shows you a few techniques for launching setup programs with elevated privileges.

Caching Transforms in a Secure Location

Transforms are essentially answer files for Windows Installer–based applications. Chapter 17, “Deploying Office 2003 Settings,” describes transforms, but chances are good that you already know all about them. Transforms, which you can build using the Custom Installation Wizard in the Microsoft Office 2003 Editions Resource Kit, customize the way in which an application installs.

When you install an application using a transform, Windows Installer stores the transform with an .mst extension in the Application Data folder of the user profile. Windows Installer needs this file to reinstall, remove, or repair the application. Keeping this file in the user profile ensures that the file is always available. For example, if users have roaming user profiles, the transform follows them from computer to computer. This is not secure, however. When you set the TransformsSecure policy, Windows Installer instead saves transforms in %SystemRoot%, where users don't have permissions to change files. But because Windows Installer requires access to the transform used to install an application, the user must use the same computer on which he or she installed the application or must have access to the original installation source to install, remove, or repair the software. The idea behind this policy is to secure transforms in enterprises when IT professionals can't risk users maliciously changing the files.

Locking Down Windows Installer

Table 13-1 describes the policies that provide the most security for Windows Installer–based applications and for Windows in general. The first part of the table contains per-user policies, and the second part contains per-computer policies. In the Setting column, “Not Configured” means that you don't define the policy. “Enabled” is self-explanatory.

Table 13-1 Secure Windows Installer Settings

Policy                                                      Setting
----------------------------------------------------------  ---------------------------------
User Configuration
  Always install with elevated privileges                   Not Configured
  Prevent removable media source for any install            Enabled

Computer Configuration
  Always install with elevated privileges                   Not Configured
  Enable user to browse for source while elevated           Not Configured
  Enable user to use media source while elevated            Not Configured
  Enable user to patch elevated products                    Not Configured
  Remove browse dialog box for new source                   Enabled
  Disable Windows Installer                                 Enabled for non-managed apps only
  Prohibit patching                                         Enabled
  Enable user control over installs                         Not Configured
  Disable IE security prompt for Windows Installer scripts  Not Configured
  Cache transforms in secure location on workstation        Enabled

You can configure these policies directly in the registry. I gave you the key and value names earlier in this chapter. To enable a policy, add it to the appropriate key as a REG_DWORD value, and set it to 0x01. To disable the policy, set it to 0x00. Delete the value to remove the policy. These policies are typical of enterprise-style deployments, however, so I don't configure them in the registry, which is totally unmanaged. Instead, configure them using Group Policy locally or on the network so that you can manage them properly.
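To audit a workstation against Table 13-1, and to test the both-hives condition that makes AlwaysInstallElevated effective, you can read the same registry values back. The following PowerShell script is an added example, not code from the book; the helper name Get-InstallerPolicy is hypothetical, the key and value names are the ones listed earlier in this chapter, and the HKCU check covers only the account that runs the script.

```powershell
# Added example: compare Windows Installer policy values with Table 13-1.
$base = 'Software\Policies\Microsoft\Windows\Installer'

# 1 = Enabled (REG_DWORD 0x01); $null = Not Configured (value absent).
$baseline = @{
    HKCU = [ordered]@{ AlwaysInstallElevated = $null; DisableMedia = 1 }
    HKLM = [ordered]@{
        AlwaysInstallElevated = $null
        AllowLockdownBrowse   = $null
        AllowLockdownMedia    = $null
        AllowLockdownPatch    = $null
        DisableBrowse         = 1
        DisableMSI            = 1   # "Enabled for non-managed apps only"
        DisablePatch          = 1
        EnableUserControl     = $null
        SafeForScripting      = $null
        TransformsSecure      = 1
    }
}

# Hypothetical helper: returns the value's data, or $null when the value
# (or the whole policy key) does not exist.
function Get-InstallerPolicy([string]$Hive, [string]$Name) {
    $item = Get-ItemProperty -Path "${Hive}:\$base" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

$report = foreach ($hive in $baseline.Keys) {
    foreach ($name in $baseline[$hive].Keys) {
        $want = $baseline[$hive][$name]
        $have = Get-InstallerPolicy $hive $name
        [pscustomobject]@{
            Hive      = $hive
            Value     = $name
            Expected  = $(if ($null -eq $want) { 'Not Configured' } else { $want })
            Actual    = $(if ($null -eq $have) { 'Not Configured' } else { $have })
            Compliant = ($have -eq $want)   # an explicit 0 is reported as a deviation
        }
    }
}
$report | Format-Table -AutoSize

# The elevated-install policy only takes effect when both hives carry it.
$both = (Get-InstallerPolicy HKCU AlwaysInstallElevated) -eq 1 -and
        (Get-InstallerPolicy HKLM AlwaysInstallElevated) -eq 1
if ($both) { Write-Warning 'AlwaysInstallElevated is enabled per-user and per-computer.' }
```

A value explicitly set to 0 where the table says Not Configured shows up as non-compliant even though it leaves the policy off, which makes hand-edited registry entries easy to spot.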



Microsoft Windows Registry Guide
Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
EAN: 2147483647
Year: 2003
Pages: 186
