- windows installer security and policies helps in addressing many of the significant risks.
- windows installer policies are mostly registries based.
- Registries tweaking tools can be used to configure MSI policies.
Before get into this policy let see what is meant by elevated privileges.
What is Elevated Priviledges?
An elevated installation is one that uses administrative rights for a portion of the installation. If elevated privileges are requested and approved, an inter-process communication occurs between the instance of msiexec.exe that is started in the user context and the instance running as aWindows service. If elevated privileges are granted, the security rights of the system account are utilized for the activities performed by the service. Windows Installer enforces strict rules about the data that is allowed to cross the IPC connection and what types of commands can be performed on the service instance of MSIEXEC.EXE.
- This policy must be set to 1 (Enabled) for the computer AND the user to be completely enabled. This policy allows all packages and installation activities to occur with elevated privileges regardless of their source or the user account that starts them.
- The registry locations are
• 0 (Default) = Always Enabled
• 1 = For Non-Managed Packages
• 2 = Always Disabled
The value 0 means MSI is always enabled. The value 2 means that it is always disabled. There are very few circumstances in which completely disabling MSI is desirable. The value 1 restricts package installs to only be allowed from three sources: Group Policy, SMS 2003, or assignment by an administrator.
- Setting the TransformsSecure policy to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access. Setting this property is the same as setting the TRANSFORMSSECURE property except the scope is different.
- Setting TransformsSecure policy applies to all packages installed to a given computer.
- Registry Key is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
- Whenever transforms are used for an installation, Windows Installer caches them on the computer. This allows them to be applied to all subsequent installation activities. If a transform can be replaced by an end-user or IT personnel, their copy will be executed during any local transforms are always cached in a secure location If the application has Managed Application status, replacing cached transforms can allow malicious code to take advantage of local administrative rights.
- For packages that are installed for users, transforms are cached in the user profile to support roaming profiles. When the TransformsSecure policy is used, it ensures that transforms are placed in a secure location regardless of whether a user or computer performs the installation.
If this per-user system policy is set to "1", users and administrators running a maintenance installation of one product are prevented from using the Browse Dialog to browse media sources, such as CD-ROM, for the sources of other installable products. Browsing for other products is prevented regardless of whether the installation is done with elevated privileges. It is still possible for the user to reinstall the product from media if the user has a correctly labeled media source.
Setting system policy specifies the order in which the installer searches three types of sources. The types of sources are:
"u" – Uniform Resource Locator (URL)
For example, to search network sources first, media sources second, and URL sources last set this policy to a value of "nmu". To omit searching for a particular source type, leave out the corresponding letter from the value.
If SearchOrder is not set, the default search order is network, media, and then URL.
Excess Recovery Options
- There are two policies that deal with how Windows Installer ensures that failed installation changes are backed out completely. Windows Installer has built-in support called rollback. This support is built-in to Windows Installer and works on all versions of Windows. Windows Installer also interfaces with system restore services on OS versions that have system restore.When system restore is present, Windows Installer requests a restore
- point before performing installation activities.
- There is one key difference between these two recovery technologies: The native rollback support is only used during an installation; if an installation completes normally,all roll back data is deleted. System restore allows the system to be arbitrarily returned to any restore point that is still in the system restore cache this could be days after an installation.
- Other policies such as
safeForScripting are also available and for complete refrence refer MSI SDK.
- Windows Installer’s use of system restore is disabled using the LimitSystemRestoreCheckpointing computer policy. Setting it to 1 prevents Windows Installer from requesting a system restore checkpoint during installations.
- Windows Installer rollback is disabled using the DisableRollback policy. It is configurable for both the computer or user—setting it to 1 in either location will cause rollback to be disabled.
- In order to do detail analysis of the MSI installation,uninstalltion and repair process the windows installer provides logging policy whic can be set to switches 'voicewarmup' as per your debugging requirement.
- All Windows Installer log file names have the following naming convention: “MSI<randomcharacters>.LOG”
- The registry hive is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Software Restriction Policies
- Software restriction policies are a new addition for Windows XP and .NET Server. Software restriction policies can enable or prevent execution of many types of files in Windows, including .MSIs and .MSTs. Because these policies are processed before Windows Installer is started, they are a very effective way of preventing unauthorized software installations.
- Software restriction policies have four types of rules, discussed in the following sections. Each of these has different implementation considerations when used with Windows Installer.