When you develop your deployment scenarios, consider how your images will be maintained, how your images will be deployed, and the security threats in your scenarios.
It is imperative to take safety measures to guard against network risks, as well as local risks, such as unauthorized access. Configuring security mechanisms can increase your protection against such risks.
The files used to set up and deploy Windows® contain sensitive data. Unattended installation answer files contain passwords and product keys. Distribution shares contain intellectual property, licensed applications, custom applications, and other data. Windows images can contain an aggregate of this sensitive data. It is important to review safety measures to improve the security of your deployment infrastructure.
The following sections describe the possible security threats and recommended precautionary measures to improve security.
Keep up with the latest threats and updates that affect not only the Windows images that you deploy, but also the computers that comprise your operating environment. You can keep up with the latest Microsoft security updates and tips at the Microsoft Security Web site.
You can review new Windows Client security features and configuration options at this Microsoft TechNet Web site.
Improving Security for Answer Files
Answer files store sensitive data, including product keys, passwords, and other account information.
- Restrict access to answer files. Depending on
your environment, you can edit the access control lists (ACLs) or
permissions on a file. Only approved accounts can have access to
- To improve the security in answer files, you
can hide the passwords for local accounts by using Windows System
Image Manager (Windows SIM). For more information, see
Data in an Answer File.
- During unattended Windows installation,
answer files are cached to the computer. For each configuration
pass, sensitive information such as domain passwords and product
keys are deleted in the cached answer file. However, other
information is still readable in the answer file. Before you
deliver the computer to a customer, delete the cached answer file
Delete the answer file only if there are no settings to be processed during the oobeSystem pass. The oobeSystem configuration pass is processed immediately before Windows Welcome begins. This is typically the first time a customer turns on the computer. If you delete the answer file from this directory, those settings will not be processed.
Improving Security for Windows Images
Your Windows images contain custom configuration data, custom applications, and other intellectual property. There are several ways to improve the security of your Windows images, both online and offline.
- Restrict access to Windows images.
Depending on your environment, you can edit the access control
lists (ACLs) or permissions on a file. Only approved accounts can
have access to Windows images.
- Update your Windows images with the latest
fixes and software updates. There are many ways you can service
a Windows image. For more information, see Phase 5: Managing and
Servicing Your Windows Image. After servicing your Windows
image, test the validity and stability of the computer.
- During Windows installation, configure the
computer to automatically download and install Windows updates.
This extends installation time, but ensures that the Windows image
that you are installing contains the latest updates. For more
information, see the
DynamicUpdatesetting in the Microsoft-Windows-Setup component in the Unattended Windows Setup Reference.
Improving Security for Distribution Shares and Configuration Sets
Your distribution shares and configuration sets contain private data that only a few members of your organization can access. The following are recommendations for improving security for distribution shares and configuration sets.
- Restrict access to distribution share
contents. Depending on your environment, you can edit the access
control lists (ACLs) or permissions on a distribution share. Only
approved accounts must have access to distribution shares.
- Keep applications and device drivers updated
with the latest fixes and patches.
Improving Security for Windows PE and Network Boot Scenarios
The following recommendations apply to Windows PE or network boot scenarios.
- Review the documentation for your network
boot tools for information about how to improve the security for
your network boot infrastructure.
- Use a wired network. Wireless networks are a
You cannot use a wireless network to boot to Windows PE
- For additional information about improving
security with Windows PE, see the Windows PE Technical