Managing Windows Installer with Policies | Microsoft Windows XP Registry Guide (Bpg-Other)

Windows Installer provides a number of policies for managing how it installs applications and interacts with users. Some policies are more important and more useful than others; I'll get to that in just a bit. First here's the lineup (the parentheses contain the policies' registry values):

User Configuration\Administrative Templates\Windows Components \Windows Installer (HKCU\Software\Policies\Microsoft\Windows\Installer)
- Always install with elevated privileges (AlwaysInstallElevated). Directs Windows Installer to use system permissions when it installs any program on the system. You must also set the per-computer version of this policy for it to work.
- Search order (SearchOrder). Specifies the order in which Windows Installer searches for installation files. In other words, you can specify the order in which it looks at network, local media, and Web locations for installation files.
- Prohibit rollback (DisableRollback). Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This is useful when you know that the disks won't have enough space to hold the rollback files. However, it's dangerous because Windows Installer won't be able to restore the computer if the installation fails.
- Prevent removable media source for any install (DisableMedia). Prevents users from installing programs from removable media. Using this policy is a nifty way to prevent users from installing applications themselves, circumventing IT policies. This controls only Windows Installer-based applications, though.
Computer Configuration\Administrative Templates\Windows Components \Windows Installer (HKLM\Software\Policies\Microsoft\Windows\Installer)
- Disable Windows Installer (DisableMSI). Disables or restricts the use of Windows Installer. Use this policy to limit Windows Installer to managed applications. Your choices are to allow users to install Windows Installer-based applications, never allow them, or allow them to install only managed applications.
- Always install with elevated privileges (AlwaysInstallElevated). Directs Windows Installer to use system permissions when it installs any program on the system. You must also set the per-user version of this policy for it to work.
- Prohibit rollback (DisableRollback). Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This is useful when you know that the user's hard disk doesn't have enough space to hold the rollback files. However, it's dangerous because Windows Installer won't be able to restore the computer if the installation fails.
- Remove browse dialog box for new source (DisableBrowse). Prevents users from searching for installation files when they add features or components to an installed program. By default, if Windows Installer can't find the application's source files, it displays a dialog box allowing users to browse for the files.
- Prohibit patching (DisablePatch). Prevents users from using Windows Installer to install patches. Prevent users from patching their applications to protect them from malicious code.
- Disable IE security prompt for Windows Installer scripts (SafeForScripting). Allows Web-based programs to install software on the computer without notifying the user.
- Enable user control over installs (EnableUserControl). Permits users to change installation options that typically are available only to system administrators. Use this policy only in environments that don't lock down and carefully control configurations because it bypasses some of the security features built into Windows Installer.
- Enable user to browse for source while elevated (AllowLockdownBrowse). Allows users to search for installation files during privileged installations. By default, Windows Installer doesn't allow users to browse for installation source files when it's running with elevated privileges.
- Enable user to use media source while elevated (AllowLockdownMedia). Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installations. By default, Windows Installer doesn't allow users to install applications from local media when it's running with elevated privileges.
- Enable user to patch elevated products (AllowLockdownPatch). Allows users to upgrade programs during privileged installations. By default, Windows Installer doesn't allow users to patch applications when the installation program is running with elevated privileges.
- Allow admin to install from Terminal Services session (EnableAdminTSRemote). Allows Terminal Services administrators to install and configure programs remotely. Windows Installer allows administrators to install applications only when they are console users. This policy allows them to install applications using Terminal Services.
- Cache transforms in secure location on workstation (TransformsSecure). Saves copies of transform files in a secure location on the local computer. Windows Installer stores transforms in users' profile folders so that transforms follow users from computer to computer. Users can change the transforms, however. This policy causes Windows Installer to store transforms in a secure location, preventing users from changing them, but the transforms don't follow users.
- Logging (Logging). Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.
- Prohibit user installs (DisableUserInstalls). Allows IT professionals to prevent user installs. This policy has three choices. Allow per-user installations, which is the default, and Windows Installer favors per-user installations over per-computer. Hide per-user installations, and Windows Installer favors percomputer installations over per user. Prohibit user installations, and Windows Installer prevents applications from installing per user. The last option is desirable to ensure a standard configuration that's available to all users on all computers.
- Turn off creation of System Restore checkpoints (LimitSystemRestoreCheckpointing). Prevents Windows Install from creating System Restore check points. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed so that users can restore their computer to the state it was in before installing the application.

Of all the policies I just described, the most useful are AlwaysInstallElevated, which loosens up security enough to allow restricted users to install applications, TransformsSecure, which stores transforms to prevent tampering, and the other policies that you can use to significantly restrict Windows Installer. Both ends of the spectrum are available to you.

Installing with Elevated Privileges

The policy InstallAlwaysElevated installs Windows Installer-based applications with elevated privileges. Microsoft documentation often calls this a privileged installation. This policy is one way to enable users to install applications that they couldn't otherwise install because they're in restricted groups or you've locked down the desktops in your enterprise. A better way is to deploy those applications through Active Directory or by using something like SMS (Microsoft Systems Management Server). If neither product is available to you, consider using this policy, but keep in mind that the consequences of doing so can be severe.

These consequences are due to the fact that users can take advantage of this policy to gain full control of their computers. Potentially, users could permanently change their privileges and circumvent your ability to manage their accounts and computers. In addition, this policy opens the door to viruses disguised as Windows Installer package files. For these reasons, this isn't a setting that I recommend in any but the most dire situations in which there's no method available other than tossing users in the local Administrators group.

For this policy to be effective, you must enable both the per-computer and per-user versions of it at the same time. In other words, enable it in Computer Configuration as well as User Configuration.

Tip

Deploying applications to locked-down desktops is a common and sticky scenario. Using the AlwaysInstallElevated policy isn't the best solution, either. Other than the typical fare, such as Active Directory and SMS, elegant solutions do exist for this problem. Chapter 7, "Managing Registry Security," describes many of them, including using Security Templates and Security Configuration And Analysis to open up security just enough to allow legacy programs to run in Windows XP. Chapter 15, "Working Around IT Problems," shows you a few techniques for launching setup programs with elevated privileges.

Caching Transforms in Secure Location

Transforms are essentially answer files for Windows Installer-based applications. Chapter 14, "Deploying Office XP Settings," describes transforms, but chances are good that you already know all about them. Transforms, which you build using the Office XP Resource Kit's Custom Installation Wizard, customize the way an application installs.

When you install an application using a transform, Windows Installer stores the transform with a .mst extension in the Application Data folder of the user profile. Windows Installer needs this file to reinstall, remove, or repair the application. Keeping it in the user profile ensures that the file is always available. For example, if users have roaming user profiles, the transform follows them from computer to computer. This is not secure, however. When you set the TransformsSecure policy, Windows Installer saves transforms in %SYSTEMROOT%, instead, where users don't have permissions to change files. But because Windows Installer requires access to the transform used to install an application, the user must use the same computer on which he or she installed the application or have access to the original installation source to install, remove, or repair the software. The idea behind this policy is to secure transforms in enterprises when IT professionals can't risk users' maliciously changing the files.

Locking Down Windows Installer

Table 11-1 describes the policies that provide the most security for Windows Installer-based applications and Windows XP in general. The first part of the table contains per-user policies and the second part contains per-computer policies. In the Setting column, Not Configured means that you don't define the policy. Enabled speaks for itself.

Table 11-1: Secure Windows Installer Settings
Policy	Setting
User Configuration
Always install with elevated privileges	Not Configured
Prevent removable media source for any install	Enabled
Computer Configuration
Always install with elevated privileges	Not Configured
Enable user to browse for source while elevated	Not Configured
Enable user to use media source while elevated	Not Configured
Enable user to patch elevated products	Not Configured
Remove browse dialog box for new source	Enabled
Disable Windows Installer	Enabled for non-managed apps only
Prohibit patching	Enabled
Enable user control over installs	Not Configured
Disable IE security prompt for Windows Installer scripts	Not Configured
Cache transforms in secure location on workstation	Enabled

You can configure these policies directly in the registry. I gave you the key and value names earlier in this chapter. To enable a policy, add it to the appropriate key as a REG_DWORD value and set it to 0x01. To disable the policy, set it to 0x00. Delete the value to remove the policy. These policies are typical of enterprise-style deployments, however, so I wouldn't configure them in the registry, which is totally unmanaged. Instead, configure them using Group Policy locally or on the network so you can manage them properly.