HOWTO: Configure Windows Installer for Maximum Security |
Q247528
The information in this article applies to:
- Microsoft Windows Installer, versions 1.0, 1.1, 1.2
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
SUMMARY
This article describes the available system policies that can be configured to get the maximum security level for Windows Installer.
MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).
The following tables list user and machine policies that can be configured to get the maximum security level for the Windows Installer.
The following machine policies are configured under HKEY_LOCAL_MACHINE\Software\Polices\Microsoft\Windows\Installer.
| Value name | Description | Maximum security setting |
|---|---|---|
| AlwaysInstallElevated (per-machine) | If this value is set to "1" and the corresponding user value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for nonmanaged applications. | Do not set this value. |
| AllowLockdownBrowse | If this policy value is set to "1", nonadministrator users can browse for new sources while running an installation at elevated privileges. Otherwise only administrators can browse for sources during an elevated installation. | Do not set this value. |
| AllowLockdownMedia | If this policy value is set to "1", nonadministrator users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. Otherwise only administrators can use media sources during an elevated installation. | Do not set this value. |
| AllowLockdownPatch | If this policy value is set to "1", nonadministrator users can apply Windows Installer patches to existing products while running an installation at elevated privileges. Otherwise only administrators can patch existing products that were installed at elevated privileges. | Do not set this value. |
| DisableBrowse | If this value exists and is set to "1", users are prevented from browsing to locate installer sources. The Use feature from: combo box for direct input is locked and the Browse button is disabled. | Set this value to "1". |
| DisableMSI | If this value is set to "1", the installer is disabled for nonmanaged applications but is still enabled for managed applications. If this value is set to "0", any other number, or is absent, the installer is always enabled. | Set this value to "1". |
| DisablePatch | If this value is set to "1" the installer does not apply patches. | Set this value to "1". |
| EnableUserControl | If this value is set to "1", then the installer can pass all public properties to the server side during a managed installation. | Do not set this value. |
| SafeForScripting | If this value is set to "1", users are not prompted when scripts use installer automation within a Web page. | Do not set this value. |
| TransformsSecure | Setting the TransformsSecure policy to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access. | Set this value to "1". |
The following user policies are configured under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer.
| Value name | Description | Maximum security setting |
|---|---|---|
| AlwaysInstallElevated (per-user) | If this value is set to "1" and the corresponding machine value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for nonmanaged applications. | Do not set this value. |
| DisableMedia | If this policy value is set to "1", users and administrators are prevented from using media sources, such as CD-ROMs, for installations regardless of whether the installation is with elevated privileges. | Set this value to "1". |
An administrator can also use the Group Policy Editor (GPR) on Windows 2000 or the System Policy Editor on Windows 95, Windows 98, and Windows NT to configure the installation behavior of the Windows Installer. An administrator can configure the policies for all users of a computer, or all members of a group on the computer.
Also the LockPermissions table can be used to secure individual portions of your application in a locked-down environment. It can be used with the installation of files, registry keys, and created folders. If the folder, file, or registry key already exists, any access control lists (ACLs) are replaced by the entries in this table.
NOTE: Machine information should be stored in HKLM, which is secure if good practices are followed. User information should be located in HKCU. The Windows Installer normally runs in the user context. The special case is managed/elevated installations that can run as "local system". The user context generally cannot modify keys in HKLM.
REFERENCES
For additional information on the LockPermission table and system policy, see Help in Windows Installer SDK:
Additional query words:
Keywords : kbMSI kbGrpDSTools kbMSIFAQ _IK
Issue type : kbhowto
Technology : kbWinISearch kbWinI100
Last Reviewed: June 18, 2001 |
