The setup process is a very vulnerable time for new computers. Updates can fix the vast majority of vulnerabilities for computers running Microsoft Windows, but if you install a computer using the original distribution of Windows, those vulnerabilities will be present during the setup process. Fortunately, there are steps you can take to limit the risk of having those vulnerabilities exploited. First, you should leave new computers disconnected from the network during the setup process, or use a firewall to block traffic from potentially dangerous networks. Second, you can integrate as many of the updates as possible into the Windows setup files, so that the updates are present even during the setup process.
After this lesson, you will be able to
Design a dedicated network for installing new computers one at a time, with minimal infrastructure.
Design a dedicated network for installing new computers in assembly-line fashion.
Integrate service packs into Windows setup files.
Automatically install updates after an automated installation.
Estimated lesson time: 30 minutes
Computers are under attack from the moment they connect to the Internet. Worms and viruses are constantly active, probing every IP address for vulnerabilities. Microsoft Windows Server 2003 is much more resilient to attacks that might occur during the installation process than earlier versions of Windows because it adheres to the “secure by default” ideal. However, vulnerabilities have been discovered in unpatched computers running Windows Server 2003, and these vulnerabilities might be exploited during the setup process.
Although it is possible to update and secure a computer running Windows so that it can be connected directly to the Internet without becoming infected by a worm or a virus, a computer does not have the benefit of updates or security hardening during the installation process. If you attempt to install Windows on a computer while it is connected to the Internet, there is a high probability that it will be attacked, and possibly exploited.
Security Alert: Earlier versions of Windows have several widely exploited vulnerabilities, and will almost certainly be exploited during the setup process if connected to the Internet.
Security Alert: Not all attacks originate from the Internet. Worms and viruses might have infected computers on the local area network, and will be scanning computers inside the firewall for vulnerabilities. Therefore, you must still take measures to protect computers while installing the operating system, even if they are only connected to a private network.
Ideally, you would eliminate the possibility of being attacked across the network by installing the computer without connecting it to a network. First, place all service packs and security updates that have been released for the operating system onto removable media, such as a CD-ROM. Then install the operating system by using the CD-ROM, and install the necessary service packs and security updates. Harden the computer’s security configuration, as described in Chapter 4 of this book. Connect the computer to the network only after the computer has been updated and hardened.
If you must perform the installation of the operating system or updates by using the network, create a separate network segment dedicated to the installation process. Connect as few computers to this network segment as possible: the file server containing the operating system installation files, and a Software Update Services (SUS) server that can be used to retrieve the latest updates. After the installation has completed, connect the newly installed computer to the production network. Figure 6.3 illustrates a typical installation network used for installing multiple computers simultaneously.
Figure 6.3: A private installation network for multiple computers
Creating a separate network segment for installing new computers has benefits other than improved security. Installing an operating system across a network is extremely bandwidth intensive, and, depending on your network configuration, the bandwidth consumed while installing a computer can negatively impact the network performance of other computers on the network. Additionally, you can significantly reduce the time required to install a new computer by using a higher-speed network for installations. For example, if your production network segment is 100 megabits per second Ethernet and you can’t justify the cost of upgrading all computers to gigabit Ethernet, you might be able to justify the cost of a small gigabit Ethernet network switch, and gigabit network interface cards, to be used only during the installation process.
If you are installing only one computer at a time, you do not need dedicated network hardware to create a separate installation network. Simply add an additional network interface card to your SUS server, and connect the new computer directly to the SUS server by using a crossover network cable, as shown in Figure 6.4. A crossover cable is a special type of network cable used to connect two network interface cards directly to each other. This architecture dramatically reduces the risk of the new computer becoming infected during the installation process, because only the SUS server could possibly infect the new computer. Additionally, there is no impact on network performance, because installation traffic does not traverse the production network.
Figure 6.4: A private installation network for a single computer
If you do not maintain an SUS server, and you do not want to download updates to removable media before building a computer, you can use the Windows Update servers to update the computer. Proper network configuration can minimize the risk to which the new computer is exposed during the installation process. To allow a new computer to be installed and retrieve updates directly from Windows Update while minimizing the risk of exposing vulnerabilities, connect the computer directly to a firewall or proxy server, as shown in Figure 6.5. It is important that the new computer never have an unfiltered connection to the Internet or even to a private network.
Figure 6.5: A private installation network allowing for access to Windows Update
You can apply service packs, but not necessarily other types of updates, directly to Windows 2000, Windows XP, and Windows Server 2003 installation files. The process of integrating a service pack into the original setup files for an operating system is called slipstreaming. Slipstreaming creates an integrated installation—including the latest service pack—that can be used when installing the operating system on new computers. Using this process improves the security of new computers, and reduces the time required to apply updates after completing the initial installation. You can either perform the installation from a shared folder or create a CD with the integrated setup files.
Because the integrated installation replaces individual files, the space requirements for this installation type are almost identical to the space requirements for the base operating system. After you slipstream a service pack into the operating system setup files, you cannot remove the service pack.
To create a shared folder containing Windows setup files with an integrated service pack:
Connect to the network or computer on which you want to create the distribution folder.
Configure the permissions on the folder so that Everyone has Read and Execute permissions, and so that only the users responsible for managing the distribution files can make changes.
Insert your Windows installation CD into your computer’s CD-ROM drive, and then copy the entire contents of the CD to the distribution folder.
After the copy operation has completed, open a command prompt. Switch to the folder containing the service pack network installation executable file.
Slipstream the service pack into the Windows installation files by executing a command with the following syntax: servicepack.exe -s:network_drive:\. For example, if the service pack is named server2003_sp1.exe, and you have copied the Windows Server 2003 files to drive Z, you would execute the command server2003_sp1.exe -s:Z:\.
The service pack will overwrite installation files with updated versions, as shown in Figure 6.6.
Figure 6.6: Slipstreaming a service pack
When prompted with a dialog box indicating that the integrated installation has successfully completed, click OK.
Windows Server 2003 Service Pack 1 has not been released at the time of this writing, so the actual file name will be different.
You can now install Windows directly from the shared folder. Alternatively, you can use the integrated installation to create a bootable CD-ROM. Building a new computer from an integrated installation does reduce your vulnerability to network-borne security attacks. However, it does not eliminate the risk of being attacked during the installation process. Therefore, you should still perform the installation while the computer is disconnected from the network.
Critical updates and other types of updates, apart from service packs, cannot be directly integrated into installation files. Instead, you can follow these steps to automatically apply critical updates to a newly installed computer:
Open the \i386\dosnet.inf file, and add svcpack to the [OptionalSrcDirs] section. For example, this section will now contain:
[OptionalSrcDirs]
uniproc
svcpack
The Dosnet.inf file included with Windows 2000 already contains the [OptionalSrcDirs] section, but you might have to create the section for Windows XP and Windows Server 2003.
Create a \i386\svcpack\ folder.
Copy the update packages that you want to integrate, such as WindowsServer2003-KB999997-x86-ENU.exe, to the \i386\svcpack\ folder.
Rename the packages to fit the 8.3 naming convention using the format KB######.exe, where ###### is the Microsoft Knowledge Base article number associated with the update.
Open a command prompt, and extract each of the update packages to a unique temporary folder. For example, to extract the files for an update package to a folder named C:\ExtractedUpdates\KB824145\, type the following command at a command prompt:
From the Update subfolder of the folder you extracted the update to, copy the catalog file, KB######.cat, to the \i386\svcpack\ folder.
Locate the binary files included with the update.
Before Service Pack 1, security updates, critical updates, update rollups, drivers, and feature packs for Windows Server 2003 contained two copies of the same files in the RTMGDR and RTMQFE folders, which were created when you extracted the update. After Service Pack 1 is released, extracted updates might contain copies of the same files in the RTMGDR and RTMQFE folders and the SP1GDR and SP1QFE folders. Files in the xxxGDR folders contain only general distribution release (GDR) class fixes. Files in the xxxQFE folders are cumulative and contain both the GDR-class fixes and all previous hotfixes that affect the included binaries, and they should generally be used for integrated installations. Some updates include different versions of files to be applied to computers with different service pack levels. These files will be placed in a folder named after the next sequential service pack. For example, if your installation source is Windows Server 2003 Service Pack 1, you must use the files from the SP2QFE directory.
For each binary file (such as .exe, .dll, or .sys files) included in the folder you extracted the update to, determine whether the same file exists in the \i386 folder. The files in the \i386 folder might have an underscore for the last character in the file’s extension. For example, Rpcss.dll is named Rpcss.dl_ in the \i386 folder. If there are two copies of a file, delete the original file from the \i386 folder.
Look in the folder into which you extracted the update for any subfolders that have the same name as a subfolder of the \i386 installation folder. If a folder contains any such subfolders, copy the updated binary files to the appropriate subfolder of \i386. For example, if the update included a subfolder named Uniproc, copy the files in the Uniproc folder to \i386\Uniproc.
For each file that you copied, except for KB######.cat, look in the \i386\Dosnet.inf file to determine if the file name is listed in the [Files] section. All the files that are listed in the [Files] section are preceded by “d1,”. If a file is not listed, add an entry using the format d1,filename. For example, if the update contains Win32k.sys, add d1,win32k.sys to the [Files] section of \i386\Dosnet.inf. This addition ensures that the updated versions of the files are copied during Windows setup.
Delete the \i386\Svcpack.in_ file.
Use Notepad to create a Svcpack.inf text file in the \i386 folder. To do so, use the appropriate following content, depending on whether you want to deploy a single update or multiple updates. Replace ###### with the Knowledge Base article numbers for your update .cat file:
For Windows 2000 installations:
[Version]
Signature="$Windows NT$"
MajorVersion=5
MinorVersion=0
BuildNumber=2195

[SetupData]
CatalogSubDir="\i386\svcpack"

[ProductCatalogsToInstall]
KB######.cat

[SetupHotfixesToRun]
KB######.exe /Z /M
For Windows XP installations:
[Version]
Signature="$Windows NT$"
MajorVersion=5
MinorVersion=1
BuildNumber=2600

[SetupData]
CatalogSubDir="\i386\svcpack"

[ProductCatalogsToInstall]
KB######.cat

[SetupHotfixesToRun]
KB######.exe /Z /M
For Windows Server 2003 installations:
[Version]
Signature="$Windows NT$"
MajorVersion=5
MinorVersion=2
BuildNumber=3790

[SetupData]
CatalogSubDir="\i386\svcpack"

[ProductCatalogsToInstall]
KB######.cat

[SetupHotfixesToRun]
KB######.exe /Z /M
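The steps above are tedious and easy to get wrong by hand: a compressed stock copy left behind in \i386, or a replacement file missing from the [Files] section of Dosnet.inf, silently leaves the old binary in the image. The following Python script is an added example, not part of this lesson or of any Microsoft tool. It performs the per-update steps against an \i386 tree laid out as described above, assuming the update has already been extracted, the appropriate xxxQFE folder has been chosen by the caller, and the package has already been renamed to KB######.exe. When run directly it builds a constructed sample tree in a temporary directory (placeholder file contents, and the KB824145 number used in the example above) and integrates that one update into it.

```python
# Added example (not from the lesson): automate the per-update svcpack steps for a Windows
# 2000/XP/2003 i386 tree. Assumes the update is already extracted, the xxxQFE folder chosen,
# and the package already renamed to KB######.exe.
import shutil
import tempfile
from pathlib import Path

# [Version] values for the three products, exactly as the lesson lists them.
VERSION_HEADERS = {"2000": ("5", "0", "2195"), "xp": ("5", "1", "2600"), "2003": ("5", "2", "3790")}
BINARY_EXTS = {".exe", ".dll", ".sys"}   # binary types the lesson says to look for

def compressed_name(name: str) -> str:
    """Setup ships most files cabinet-compressed: Rpcss.dll appears as Rpcss.dl_."""
    stem, dot, ext = name.rpartition(".")
    return f"{stem}.{ext[:-1]}_" if dot and ext else name

def read_inf(path: Path) -> dict:
    """Parse an INF into an insertion-ordered {section: [lines]} map ('' = preamble)."""
    sections, current = {"": []}, ""
    for line in map(str.strip, path.read_text(encoding="latin-1").splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections

def write_inf(path: Path, sections: dict) -> None:
    out = []
    for name, lines in sections.items():
        out += ([f"[{name}]"] if name else []) + lines + ([""] if name else [])
    path.write_text("\n".join(out).rstrip() + "\n", encoding="latin-1")

def integrate_update(i386: Path, qfe_dir: Path, catalog: Path, package: Path, product: str) -> dict:
    """Carry out the per-update steps and regenerate svcpack.inf; returns a summary."""
    svcpack = i386 / "svcpack"
    svcpack.mkdir(exist_ok=True)
    shutil.copy2(catalog, svcpack / catalog.name)   # KB######.cat from the Update subfolder
    shutil.copy2(package, svcpack / package.name)   # KB######.exe, already in 8.3 form
    summary = {"deleted": [], "copied": [], "dosnet_added": []}

    dosnet = read_inf(i386 / "dosnet.inf")          # stock section names, as in the lesson
    optional = dosnet.setdefault("OptionalSrcDirs", [])
    if "svcpack" not in (entry.lower() for entry in optional):
        optional.append("svcpack")
    files = dosnet.setdefault("Files", [])
    listed = {e.split(",", 1)[1].strip().lower() for e in files if e.lower().startswith("d1,")}
    present = {p.name.lower(): p for p in i386.iterdir() if p.is_file()}

    for src in sorted(qfe_dir.iterdir()):
        if not src.is_file() or src.suffix.lower() not in BINARY_EXTS:
            continue
        # Remove the stock copy whether it is stored as foo.dll or compressed as foo.dl_.
        for candidate in (src.name.lower(), compressed_name(src.name).lower()):
            if candidate in present:
                present.pop(candidate).unlink()
                summary["deleted"].append(candidate)
        shutil.copy2(src, i386 / src.name)
        summary["copied"].append(src.name)
        if src.name.lower() not in listed:           # otherwise setup never copies the new file
            files.append(f"d1,{src.name.lower()}")
            listed.add(src.name.lower())
            summary["dosnet_added"].append(src.name.lower())
    write_inf(i386 / "dosnet.inf", dosnet)

    # Replace the compressed stock Svcpack.in_ with one listing every integrated update.
    (i386 / "svcpack.in_").unlink(missing_ok=True)
    major, minor, build = VERSION_HEADERS[product]
    cats = sorted(p.name for p in svcpack.glob("KB*.cat"))
    body = ["[Version]", 'Signature="$Windows NT$"', f"MajorVersion={major}",
            f"MinorVersion={minor}", f"BuildNumber={build}", "", "[SetupData]",
            'CatalogSubDir="\\i386\\svcpack"', "", "[ProductCatalogsToInstall]", *cats, "",
            "[SetupHotfixesToRun]", *(c[:-4] + ".exe /Z /M" for c in cats), ""]
    summary["svcpack_inf"] = "\n".join(body)
    (i386 / "svcpack.inf").write_text(summary["svcpack_inf"], encoding="latin-1")
    return summary

def run_demo() -> dict:
    """Build a constructed sample tree (placeholder contents) and integrate one update."""
    root = Path(tempfile.mkdtemp())
    i386, upd = root / "i386", root / "KB824145"
    for folder in (i386, upd / "rtmqfe", upd / "update"):
        folder.mkdir(parents=True)
    (i386 / "dosnet.inf").write_text('[Version]\nSignature="$Windows NT$"\n\n'
                                     "[OptionalSrcDirs]\nuniproc\n\n[Files]\nd1,rpcss.dll\n")
    for name in ("rpcss.dl_", "svcpack.in_"):
        (i386 / name).write_bytes(b"stock")          # stand-ins for the real files
    for name in ("Rpcss.dll", "Win32k.sys"):
        (upd / "rtmqfe" / name).write_bytes(b"fixed")
    (upd / "update" / "KB824145.cat").write_bytes(b"catalog")
    (root / "KB824145.exe").write_bytes(b"package")
    summary = integrate_update(i386, upd / "rtmqfe", upd / "update" / "KB824145.cat",
                               root / "KB824145.exe", "2003")
    summary["dosnet"] = read_inf(i386 / "dosnet.inf")
    summary["i386_files"] = sorted(p.name for p in i386.iterdir() if p.is_file())
    return summary

if __name__ == "__main__":
    print(run_demo()["svcpack_inf"])
```

Because the generated Svcpack.inf lists every KB*.cat already present in \i386\svcpack, the function can be called once per update and the [ProductCatalogsToInstall] and [SetupHotfixesToRun] sections stay complete; the choice between the GDR and QFE folders is deliberately left to the caller, since the text above explains which one applies to a given installation source.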
Although updates released by Microsoft can be integrated into the operating system installation, you might have custom, non-Microsoft updates or applications that you need to automatically install after setup has completed to further improve the security of the new computer. Fortunately, it is possible to script the installation of updates, and to run this script automatically after completing an automated installation.
Exam Tip: This book will not discuss every step involved in creating an automated installation of Windows. However, you should understand how to integrate the application of both Microsoft and non-Microsoft updates into a new installation.
One way to apply non-Microsoft updates is to call each of the updates that needs to be applied directly from the answer file. Answer files are files that provide information— without prompting the user—that all recent versions of Windows setup use to configure the system. Answer files contain a section titled [GuiRunOnce] that can include a list of commands to be run after the setup process has completed. The following is a valid section of an answer file that installs updates located in the \\server\updates shared folder:
[GuiRunOnce]
"\\server\updates\update1.exe /Z /M"
"\\server\updates\update2.exe /Z /M"
"\\server\updates\update3.exe /Z /M"
You can use the answer file to install updates automatically after completing the operating system installation, but you shouldn’t. Instead, integrate them into the setup as described in the previous section. This ensures that the updates are applied during the setup process itself.
The applications listed in the [GuiRunOnce] section are executed in sequence, one after another. As the name indicates, the applications listed will only run once. If any of the updates called cause the computer to restart, the updates listed after that update will never be applied. Therefore, it is critical to use both the /M parameter, which causes the update to run in unattended mode, and the /Z parameter, which prevents the computer from restarting. If you use this technique to automate the application of updates, you must remember to add new updates to the answer file as they are released.
A more efficient way to install updates from the answer file is to place a batch file on a shared folder and call the updates from that batch file. If you use this technique, you can use the same answer file indefinitely. You still have to update the batch file when new updates are released, but new computers can continue to use the same answer file without modification. The following is an example of a batch file that would install three Windows Server 2003 security updates:
"\\server\updates\update1.exe" /Z /M
"\\server\updates\update2.exe" /Z /M
"\\server\updates\update3.exe" /Z /M
If you were to save this batch file as \\server\updates\post-install-updates.bat, you could automatically install those updates by using the following [GuiRunOnce] section in your answer file:
[GuiRunOnce]
"\\server\updates\post-install-updates.bat"
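Because a single update that restarts the computer strands every command listed after it, a check of the answer file before it is deployed is worthwhile. The following Python script is an added example, not part of this lesson: it reads the [GuiRunOnce] section of an answer file, follows any batch file that section calls, and reports each update invocation that lacks /Z or /M. The shared folder is represented by a dictionary of constructed file contents, and the update names and the \\server\updates share are the placeholders used in this lesson, not real update packages.

```python
# Added example (not from the lesson): audit the update commands an answer file's [GuiRunOnce]
# section runs, following into any batch file it calls, for the /Z and /M switches the lesson
# requires. The share is stood in for by a dict of {unc_path: contents}, constructed below.
REQUIRED = {"/z", "/m"}   # /Z: do not restart, /M: unattended; both needed for every update

def gui_run_once_commands(answer_file: str) -> list:
    """Return the commands listed in [GuiRunOnce]; each sits on its own line in quotes."""
    commands, in_section = [], False
    for line in map(str.strip, answer_file.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[guirunonce]"
        elif in_section:
            commands.append(line.strip('"'))
    return commands

def tokens(command: str) -> list:
    """Split a command into words, dropping quotes around individual words."""
    return [word.strip('"') for word in command.split()]

def check_update_call(words: list, source: str) -> list:
    """Flag an .exe invocation that lacks /Z or /M; other commands are left alone."""
    if not words or not words[0].lower().endswith(".exe"):
        return []
    missing = sorted(REQUIRED - {w.lower() for w in words[1:]})
    return [f"{source}: {words[0]} lacks {' '.join(missing)}"] if missing else []

def audit(answer_file: str, share: dict) -> list:
    """Audit [GuiRunOnce] directly and through any batch file it calls from the share."""
    findings = []
    for command in gui_run_once_commands(answer_file):
        words = tokens(command)
        if not words:
            continue
        if words[0].lower().endswith((".bat", ".cmd")):
            body = share.get(words[0].lower())
            if body is None:
                findings.append(f"[GuiRunOnce]: batch file {words[0]} not found on the share")
                continue
            for line in map(str.strip, body.splitlines()):
                if line and not line.lower().startswith(("@echo", "rem ", "::")):
                    findings.extend(check_update_call(tokens(line), words[0]))
        else:
            findings.extend(check_update_call(words, "[GuiRunOnce]"))
    return findings

# Constructed sample: one answer file and the batch file it calls. The update names and the
# \\server\updates share are placeholders from the lesson, not real update packages.
SAMPLE_ANSWER_FILE = r"""
[Unattended]
UnattendMode=FullUnattended

[GuiRunOnce]
"\\server\updates\update1.exe /Z /M"
"\\server\updates\update2.exe /Z"
"\\server\updates\post-install-updates.bat"
"""

SAMPLE_SHARE = {
    r"\\server\updates\post-install-updates.bat": "\n".join([
        "@echo off",
        r'"\\server\updates\update3.exe" /Z /M',
        r'"\\server\updates\update4.exe"',   # would restart and strand everything after it
    ]),
}

def run_demo() -> list:
    """Audit the constructed sample; returns the findings as strings."""
    return audit(SAMPLE_ANSWER_FILE, SAMPLE_SHARE)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample the audit reports two problems: update2.exe in the answer file lacks /M, and update4.exe in the batch file lacks both switches. Commands that are not .exe invocations are deliberately ignored, since only update packages take these switches.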
In this practice, you will create an integrated installation for building new computers with a service pack already applied.
In this exercise, you will create a shared folder that you can use to build new Windows 2000 Server–based computers that are pre-installed with Service Pack 4.
This exercise uses Windows 2000 Server Service Pack 4 because a service pack has not been released for Windows Server 2003 at the time of this writing.
Log on to the cohowinery.com domain on Computer1 using the Administrator account.
Start Windows Explorer. At the root of drive C, create a new folder named Install.
Within the Install folder, create two new folders named Windows2000Server and Windows2000ServerSP4.
Right-click the C:\Install\ folder, and then click Sharing And Security.
Click Share This Folder. Accept the default settings by clicking OK.
Retrieve the English version of Service Pack 4 for Windows 2000 Server as described in Chapter 5, “Planning a Patch Management Infrastructure.” Store the Service Pack 4 executable file in C:\Install\Windows2000ServerSP4\.
Copy the Windows 2000 Server installation files from the Windows 2000 Server CD-ROM to the C:\Install\Windows2000Server\ folder.
You cannot use an evaluation copy of Windows 2000 Server for this exercise. If you do not have Windows 2000 Server, you can use Windows 2000 Professional, or even Windows XP and the latest Windows XP service pack.
Open a command prompt, and execute the following commands:
CD \Install\Windows2000ServerSP4\
W2ksp4_en.exe -s:C:\Install\Windows2000Server\
Service Pack 4 will extract files to a temporary directory and then slipstream the updated service pack files into the specified Windows 2000 Server installation directory.
When prompted that the integrated installation has successfully completed, click OK.
If you were to install a computer using the files located in C:\Install\Windows2000Server\, that computer would report Service Pack 4 being installed at the moment the installation completed.
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
Which of the following commands would slipstream a service pack named sp1.exe into an installation folder named D:\W2003\ that had been created by copying the contents of the Windows Server 2003 installation CD?
Which section of an answer file would you modify to automatically run updates after the installation completed?
Computers should not be connected to the Internet or even to a private network with other hosts, until after the operating system and all updates have been installed.
Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.
You can reduce the time required to install new updates by slipstreaming a service pack into operating system installation files and configuring other updates to be automatically applied.