Windows Installer Provider Security Considerations
The Windows Installer Provider allows remote installation of a user-specified Installer Package or a Microsoft Windows Installer package file. Improper or unauthorized use of this provider could result in remote code execution, leakage of high-privileged credentials, and compromise of or damage to the remote or local server. MPF developers and administrators should take special care when using or exposing this API through higher-level namespaces or user interfaces. Here are a few key considerations:
- Both the Install and Uninstall methods accept the following parameters: installedServer, msiInstallHelper, and msiPackage. Each of these input parameters must be validated:
  - installedServer should be sourced from a known location.
  - installedServer should never be based directly on user input.
  - Both msiInstallHelper and msiPackage should be sourced from a list of known good values and should never be based directly on user input.
  - All MSIs in the list of known good MSIs should be stored in a secure location, and tested and checked for malicious code regularly.
  - Firewall rules should be configured such that the MPF Engine servers can only establish RPC connections to a list of known valid installedServer servers.
- Both the Install and Uninstall methods accept a userName and userPassword. These are presumably high-privileged credentials, in that they have the right to install applications. You should take the following precautions:
  - Credentials should be stored in a secure and encrypted location.
  - A strong password policy should be in force.
  - Passwords should be changed regularly.
  - The account should not be a well-known account such as "administrator".
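The parameter and account checks from the two lists above, as an added Python example that is not part of the MPF SDK; the known-server list, the package manifest with its approval hashes, the secure store directory and the account names are constructed assumptions for illustration:

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed policy data; a deployment would load it from a protected
# configuration store, never from the incoming request.
KNOWN_SERVERS = {"app01.corp.example", "app02.corp.example"}
WELL_KNOWN_ACCOUNTS = {"administrator", "guest"}

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def validate_install_request(installed_server, msi_package, user_name, store_dir, manifest):
    """Check installedServer, msiPackage and userName before the request reaches the
    provider; manifest maps an approved MSI name to the SHA-256 recorded at approval."""
    # installedServer: exact match against the known list, not a free-form string.
    if installed_server.lower() not in KNOWN_SERVERS:
        raise ValueError("installedServer is not a known server")
    # msiPackage: a bare name from the manifest, so no path component can leave the store.
    if msi_package not in manifest or Path(msi_package).name != msi_package:
        raise ValueError("msiPackage is not in the known-good list")
    package_path = Path(store_dir) / msi_package
    # Re-hash at use time so a tampered or replaced MSI in the store is caught.
    if not package_path.is_file() or sha256_of(package_path) != manifest[msi_package]:
        raise ValueError("msiPackage does not match its approved hash")
    if user_name.lower() in WELL_KNOWN_ACCOUNTS:
        raise ValueError("install account must not be a well-known account")
    return str(package_path)

def check(args, store, manifest):
    # Returns "accepted" or the rejection reason for one (server, package, user) request.
    try:
        validate_install_request(*args, store, manifest)
        return "accepted"
    except ValueError as e:
        return str(e)

def demo():
    # Exercise the checks against a constructed package store in a temp directory.
    with tempfile.TemporaryDirectory() as store:
        msi = Path(store) / "mailclient.msi"
        msi.write_bytes(b"constructed stand-in for an approved MSI")
        manifest = {"mailclient.msi": sha256_of(msi)}
        good = ("app01.corp.example", "mailclient.msi", "svc-install")
        results = {
            "ok": check(good, store, manifest),
            "bad_server": check(("evil.example",) + good[1:], store, manifest),
            "bad_package": check((good[0], "..\\other.msi", good[2]), store, manifest),
            "well_known": check(good[:2] + ("Administrator",), store, manifest),
        }
        msi.write_bytes(b"modified after approval")  # simulate tampering in the store
        results["tampered"] = check(good, store, manifest)
    return results
```

The hash check is what makes the "tested and checked regularly" item enforceable: an MSI altered in the store after approval is rejected at install time rather than silently installed.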
For more general content about input sources and effective data validation for MPS, see Input Validation and Protection against Injection Attacks.