Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-036)
What's this bulletin about?
Microsoft Security Bulletin MS99-036 discusses a security vulnerability in the unattended installation feature of Microsoft® Windows NT 4.0 Workstation and Server that could cause sensitive information to be exposed. Microsoft takes security seriously, and is providing this bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow users to view the parameters that were used to install Windows NT on the machine. Depending on the specific installation method that was used and the parameters that were specified, this could include sensitive information, potentially including the Local Administrator password.
What is the vulnerability?
The vulnerability has to do with how Windows NT 4.0 performs unattended installations. When installing Windows NT 4.0, the user has the option of either being queried for installation parameters via the GUI or providing them via a file. If they choose the latter option, the installation can proceed without any further input from them. This is especially useful when deploying large numbers of Windows NT systems. In addition, a tool is available called Sysprep that makes unattended installations even simpler.
The vulnerability results because the unattended installation process copies the installation parameter file to the machine's hard drive but does not erase it when the installation is complete. This would allow any user who can interactively log onto the machine to read the installation parameters. Most of these parameters are benign, and only specify information such as what type of file system to use and what protocols to install. However, the person performing the installation can also specify sensitive information such as the machine account password or, if the Sysprep tool is used, a Local Administrator password. If this were done, this information would also be present in the file.
It is important to note that there is no inherent security risk in performing unattended installations. The vulnerability exists only because administrators may not be aware that a copy of the parameter file will be written to disk. Neither the documentation on unattended installations nor the Sysprep documentation makes it clear that the file will be created. The purpose of this bulletin is to clarify that the file is created and discuss steps for removing the potentially sensitive information from the machine.
What is the name of the file that's created?
It depends on how the installation was performed. A normal unattended installation will create %windir%\system32\$winnt$.inf. If Sysprep was used, it will create %windir%\system32\$nt4pre$.inf. The default permissions for both files are the same, and allow any user who can interactively log onto the machine to access them.
What could someone do with the information?
It depends on the information that was provided via the installation parameter file. If only benign information was included in the file, there could be little or no risk associated with leaving it on the hard drive. However, if sensitive information like account names and passwords were provided, it could allow the accounts to be compromised.
Why couldn't the person doing the installation just delete the sensitive information?
They could. In fact, our recommendation is that the installer always take steps to ensure that any sensitive information is removed. However, the documentation on unattended installations does not discuss the fact that the file is created, and as a result, the person performing the installation might not know that it had been created.
The simplest way to ensure that there is no sensitive information left on the drive is simply to delete the file after the installation completes. However, there may be cases in which it is preferable to leave the file but purge all sensitive information from it. The installation files provide a record of exactly how the machine was initially configured, and this information can be useful for troubleshooting.
Why is Sysprep specifically mentioned?
Sysprep is a special case for two reasons. First, it creates a different file than a normal unattended installation. (It creates %windir%\system32\$nt4pre$.inf where a normal unattended installation creates %windir%\system32\$winnt$.inf). Second, it's possible to set the Local Administrator password when performing an unattended installation via Sysprep. If this is done, the password, like all of the other installation parameters, will remain in the $nt4pre$.inf file.
I read a Knowledge Base article that discussed how to set the Local Administrator password without using Sysprep. Why isn't this a problem?
Knowledge Base article 158484 discusses how to set the Local Administrator password during a normal unattended installation. However, the specific procedure relies on a file that is stored on a file share and whose contents are not incorporated into the $winnt$.inf file.
What information besides the Local Administrator password could be in the file?
Unattended installations allow a machine account to be established; if this is done, the machine account name and password could be included in the file. In addition, information regarding the hardware that is installed, as well as the protocols and other configuration information, could be included. A complete list of parameters is available in Knowledge Base article 155197.
Are servers and workstations equally at risk from this vulnerability?
No. The machines primarily at risk are workstations and Terminal Servers, because they allow normal users to interactively log onto them, thereby allowing them to access the parameter file. If best practices are followed, Windows NT servers will be at much less risk, because typically only administrators will be allowed to interactively log onto them.
I performed an interactive installation of my workstations and servers. Do I need to do anything?
No. This vulnerability only affects unattended installations.
I performed an unattended installation but didn't set up any accounts. Do I need to do anything?
You should review the installation file to ensure that there is no sensitive information. However, the parameters that are of greatest concern are account passwords, and if you didn't set up any accounts, they will not be present in the file.
I performed an unattended installation and did include sensitive information in the parameter file. What should I do?
You should either remove the sensitive information from the file (%windir%\system32\$winnt$.inf if a normal unattended installation was performed or %windir%\system32\$nt4pre$.inf if Sysprep was used) or delete the file altogether. There are many ways to delete the file, but one way is to write a script that deletes the file and cause it to execute automatically the first time a user logs onto the machine.
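For the case described earlier where the file is kept as a troubleshooting record but purged of sensitive values, the following is an added example, not Microsoft's code or part of the original bulletin. It assumes the parameter file uses the usual [Section] / key = value layout; the key names it treats as sensitive (any key containing "password", plus CreateComputerAccount) are assumptions to be checked against Knowledge Base article 155197, and the sample input is constructed.

```python
# Key names assumed to carry credentials. "CreateComputerAccount" and the
# substring match on "password" are this example's assumptions; check them
# against the parameter list in Knowledge Base article 155197.
SENSITIVE_KEYS = {"createcomputeraccount"}
REDACTED = "<removed>"

# Constructed sample; the key names are illustrative, not taken from the page.
SAMPLE = """[Unattended]
FileSystem = ConvertNTFS
[GuiUnattended]
AdminPassword = "ExamplePass1"
[Network]
JoinDomain = EXAMPLEDOM
CreateComputerAccount = installer, ExamplePass2
"""

def is_sensitive(key):
    name = key.strip().strip('"').lower()
    return "password" in name or name in SENSITIVE_KEYS

def scrub_inf(text):
    """Blank sensitive values; return (scrubbed_text, [(section, key), ...])."""
    out, findings, section = [], [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif "=" in stripped and not stripped.startswith(";"):
            key, _, value = line.partition("=")
            # Skip empty values and values already redacted by an earlier run.
            if is_sensitive(key) and value.strip() not in ("", REDACTED):
                findings.append((section, key.strip()))
                line = f"{key.rstrip()} = {REDACTED}"
        out.append(line)
    return "\n".join(out) + "\n", findings

def scrub_file(path):
    """Scrub $winnt$.inf or $nt4pre$.inf in place; rewrite only on findings."""
    with open(path, encoding="latin-1") as fh:
        scrubbed, findings = scrub_inf(fh.read())
    if findings:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(scrubbed)
    return findings

if __name__ == "__main__":
    print(scrub_inf(SAMPLE)[1])
```

The returned (section, key) pairs identify which accounts had credentials exposed in the file, so their passwords can be changed as well as scrubbed.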
Does this vulnerability exist in Windows 2000?
No. The Windows 2000 unattended installation process deletes all sensitive information from the parameter file upon successful completion. This is true regardless of whether a normal unattended installation is performed or Sysprep is used.
If Windows 2000 only deletes the information upon successful installation, doesn't this pose a risk?
No. By definition, a failed installation will require that the installer correct the error and re-run the installation. When it successfully completes, it will delete the sensitive information. The file is not at risk in the meantime, because the failed installation would prevent users from logging onto the machine and reading the file.
What is Microsoft doing about this issue?
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
"Securing Windows NT Installation" provides security best practices for Windows NT. ("Securing Windows NT Installation" can be found in the Security section of the TechNet web site).
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.