Wednesday, November 09, 2011

Windows Installer Policies

  1. windows installer security and policies helps in addressing many of the significant risks.
  2. windows installer policies are mostly registries based.
  3. Registries tweaking tools can be used to configure MSI policies.
Always Install with Elevated Privileges (AlwaysInstallElevated) Policy

Before get into this policy let see what is meant by elevated privileges.

What is Elevated Priviledges?

An elevated installation is one that uses administrative rights for a portion of the installation. If elevated privileges are requested and approved, an inter-process communication occurs between the instance of msiexec.exe that is started in the user context and the instance running as aWindows service. If elevated privileges are granted, the security rights of the system account are utilized for the activities performed by the service. Windows Installer enforces strict rules about the data that is allowed to cross the IPC connection and what types of commands can be performed on the service instance of MSIEXEC.EXE.

AlwaysInstallElevated Policy
  1. This policy must be set to 1 (Enabled) for the computer AND the user to be completely enabled. This policy allows all packages and installation activities to occur with elevated privileges regardless of their source or the user account that starts them.
  2. The registry locations are

Disable Windows Installer (DisableMSI) Policy
The DisableMSI policy has three settings:
• 0 (Default) = Always Enabled
• 1 = For Non-Managed Packages
• 2 = Always Disabled
The value 0 means MSI is always enabled. The value 2 means that it is always disabled. There are very few circumstances in which completely disabling MSI is desirable. The value 1 restricts package installs to only be allowed from three sources: Group Policy, SMS 2003, or assignment by an administrator.

The registry hive is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
TransformsSecure Policy
  1. Setting the TransformsSecure policy to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access. Setting this property is the same as setting the TRANSFORMSSECURE property except the scope is different.
  2. Setting TransformsSecure policy applies to all packages installed to a given computer.
  3. Registry Key  is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  4. Whenever transforms are used for an installation, Windows Installer caches them on the computer. This allows them to be applied to all subsequent installation activities. If a transform can be replaced by an end-user or IT personnel, their copy will be executed during any local transforms are always cached in a secure location  If the application has Managed Application status, replacing cached transforms can allow malicious code to take advantage of local administrative rights.
  5. For packages that are installed for users, transforms are cached in the user profile to support roaming profiles. When the TransformsSecure policy is used, it ensures that transforms are placed in a secure location regardless of whether a user  or computer performs the installation.
If this per-user system policy is set to "1", users and administrators running a maintenance installation of one product are prevented from using the Browse Dialog to browse media sources, such as CD-ROM, for the sources of other installable products. Browsing for other products is prevented  regardless of whether the installation is done with elevated privileges. It is still possible for the user to reinstall the product from media if the user has a correctly labeled media source.

Setting system policy specifies the order in which the installer searches three types of sources. The types of sources are:

"n" – network
"m" – media (CD-ROM or DVD)
"u" – Uniform Resource Locator (URL)

For example, to search network sources first, media sources second, and URL sources last set this policy to a value of "nmu". To omit searching for a particular source type, leave out the corresponding letter from the value.
If SearchOrder is not set, the default search order is network, media, and then URL.

Registry Key is HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

Excess Recovery Options

  1. There are two policies that deal with how Windows Installer ensures that failed installation changes are backed out completely. Windows Installer has built-in support called rollback. This support is built-in to Windows Installer and works on all versions of Windows. Windows Installer also interfaces with system restore services on OS versions that have system restore.When system restore is present, Windows Installer requests a restore
  2. point before performing installation activities.
  3. There is one key difference between these two recovery technologies: The native rollback support is only used during an installation; if an installation completes normally,all roll back data is deleted. System restore allows the system to be arbitrarily returned to any restore point that is still in the system restore cache this could be days after an installation.
  4. Other policies such as
safeForScripting are also available and for complete refrence refer MSI SDK.
  1. Windows Installer’s use of system restore is disabled using the LimitSystemRestoreCheckpointing computer policy. Setting it to 1 prevents Windows Installer from requesting a system restore checkpoint during installations.
  2. Windows Installer rollback is disabled using the DisableRollback policy. It is configurable for both the computer or user—setting it to 1 in either location will cause rollback to be disabled.
Logging Policy
  1. In order to do detail analysis of the MSI installation,uninstalltion and repair process the windows installer provides logging policy whic can be set to switches 'voicewarmup' as per your debugging requirement.
  2. All Windows Installer log file names have the following naming convention: “MSI<randomcharacters>.LOG”
  3. The registry hive is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Software Restriction Policies
  1. Software restriction policies are a new addition for Windows XP and .NET Server. Software restriction policies can enable or prevent execution of  many types of files in Windows, including .MSIs and .MSTs. Because these policies are processed before Windows Installer is started, they are a very effective way of preventing unauthorized software installations.
  2. Software restriction policies have four types of rules, discussed in the following sections. Each of these has different implementation considerations when used with Windows Installer.
Certificate rules
Certificate rules allow restriction of software installations by requiring that MSI files and MST files are code signed with the specified certificate. If  they are not signed, Windows will not allow them to be passed to Windows Installer for processing.
Hash rules
Hash rules are very similar to certificate rules, except that hash rules do not alter the original file and they do not require a certificate to generate the cryptographic key used by the policies. Hashes can make it easier for administrators to restrict MSI execution without the elaboration of certificates and they may be just as effective at preventing users from installing unauthorized software. The MD5 hashes required for this type of restriction can be easily generated within the Group Policy interface. Hash rules would have the same limitations as certificate rules, except for the possible process bottlenecking. Hash rules would also leave vendor signed packages unchanged.

Path rules
Path rules allow restriction of software installations by requiring that MSIs and MSTs run only from specific path locations. At first, this sounds limiting, however, path rules can be defined using wildcard characters, environment variables, and DFS share names, making this rule type very flexible.
Zone rules
Zone rules are only used for MSI files. They permit or restrict browser-based software installations from occurring based on the Internet zones in IE.The default zones include Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer. These rules can be helpful for building a Web-based, self-service installation system.