When you develop your deployment scenarios, consider how your images will be maintained, how your images will be deployed, and the security threats in your scenarios.
It is imperative to take safety measures to guard against network risks, as well as local risks, such as unauthorized access. Configuring security mechanisms can increase your protection against such risks.
The files used to set up and deploy Windows® contain sensitive data. Unattended installation answer files contain passwords and product keys. Distribution shares contain intellectual property, licensed applications, custom applications, and other data. Windows images can contain an aggregate of this sensitive data. It is important to review safety measures to improve the security of your deployment infrastructure.
The following sections describe the possible security threats and recommended precautionary measures to improve security.
Keep up with the latest threats and updates that affect not only the Windows images that you deploy, but also the computers that comprise your operating environment. You can keep up with the latest Microsoft security updates and tips at the Microsoft Security Web site.
You can review new Windows Client security features and configuration options at this Microsoft TechNet Web site.
Improving Security for Answer Files
Answer files store sensitive data, including product keys, passwords, and other account information.
- Restrict access to answer files. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a file. Allow only approved accounts to access answer files.
- To improve the security in answer files, you can hide the passwords for local accounts by using Windows System Image Manager (Windows SIM). For more information, see Hide Sensitive Data in an Answer File.
- During unattended Windows installation, answer files are cached to the computer. For each configuration pass, sensitive information such as domain passwords and product keys is deleted from the cached answer file. However, other information is still readable in the answer file. Before you deliver the computer to a customer, delete the cached answer file in %WINDIR%\panther.
Delete the answer file only if there are no settings to be processed during the oobeSystem pass. The oobeSystem configuration pass is processed immediately before Windows Welcome begins. This is typically the first time a customer turns on the computer. If you delete the answer file from this directory, those settings will not be processed.
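The check described above, as an added PowerShell example that is not part of the original documentation: it removes the cached answer file only when the file holds no oobeSystem settings. The file name unattend.xml, the -Delete switch and the helper function name are assumptions of this example.

```powershell
# Added example: delete the cached answer file only if no oobeSystem settings remain.
param(
    # Assumption: the cached copy is named unattend.xml; pass -AnswerFile if yours differs.
    [string]$AnswerFile = (Join-Path $env:WINDIR 'Panther\unattend.xml'),
    # Without -Delete the script only reports what it would do.
    [switch]$Delete
)

# Hypothetical helper: returns the names of components configured for the oobeSystem pass.
function Get-PendingOobeComponent {
    param([Parameter(Mandatory)][string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    # Match on local-name() so the query works whatever namespace prefix the file uses.
    $xpath = "//*[local-name()='settings' and @pass='oobeSystem']/*[local-name()='component']"
    $doc.SelectNodes($xpath) | ForEach-Object { $_.GetAttribute('name') }
}

if (-not (Test-Path -LiteralPath $AnswerFile)) {
    Write-Output "No cached answer file at $AnswerFile."
    return
}

$resolved = (Resolve-Path -LiteralPath $AnswerFile).ProviderPath
$pending  = @(Get-PendingOobeComponent -Path $resolved)

if ($pending.Count -gt 0) {
    # Deleting now would stop these settings from being processed at first boot.
    Write-Warning "oobeSystem settings are present; keeping $resolved."
    $pending | ForEach-Object { Write-Output "  oobeSystem component: $_" }
    return
}

if ($Delete) {
    Remove-Item -LiteralPath $resolved -Force
    Write-Output "Deleted $resolved."
} else {
    Write-Output "No oobeSystem settings found. Re-run with -Delete to remove $resolved."
}
```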
Improving Security for Windows Images
Your Windows images contain custom configuration data, custom applications, and other intellectual property. There are several ways to improve the security of your Windows images, both online and offline.
- Restrict access to Windows images. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a file. Allow only approved accounts to access Windows images.
- Update your Windows images with the latest fixes and software updates. There are many ways you can service a Windows image. For more information, see Phase 5: Managing and Servicing Your Windows Image. After servicing your Windows image, test the validity and stability of the computer.
- During Windows installation, configure the computer to automatically download and install Windows updates. This extends installation time, but ensures that the Windows image that you are installing contains the latest updates. For more information, see the DynamicUpdate setting in the Microsoft-Windows-Setup component in the Unattended Windows Setup Reference.
Improving Security for Distribution Shares and Configuration Sets
Your distribution shares and configuration sets contain private data that only a few members of your organization can access. The following are recommendations for improving security for distribution shares and configuration sets.
- Restrict access to distribution share contents. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a distribution share. Allow only approved accounts to access distribution shares.
- Keep applications and device drivers updated with the latest fixes and patches.
Improving Security for Windows PE and Network Boot Scenarios
The following recommendations apply to Windows PE or network boot scenarios.
- Review the documentation for your network boot tools for information about how to improve the security for your network boot infrastructure.
- Use a wired network. Wireless networks are a security risk.
  Note: You cannot use a wireless network to boot to Windows PE.
- For additional information about improving security with Windows PE, see the Windows PE Technical Reference.