First we boot into a network-aware DOS and mount a Samba share which holds all the files needed for a Windows install, some additional utilities and a winsetup.bat, which drives the entire installation procedure. We assume that the hard disk has already been partitioned and all the partitions formatted (see prep.html), and that a C:\wininfo.bat exists which holds all the OS configuration options: the hostname and the networking information, i.e. whether to use DHCP or a static address and, if static, the IP address.
The winsetup.bat first executes C:\wininfo.bat to import the configuration information. Then, depending on whether we are using DHCP or static IP addresses, it copies a template file (located on the Samba share) to C:\u.txt. This template file is in the same format that Windows expects an "unattended answer file" to be in, except that some values have been replaced by placeholders. We then replace the placeholders with the values imported from wininfo.bat, using the gsar utility (find and replace), and so create a valid "unattended answer file".
All the template files contain options which instruct Windows to run C:\Setup2.cmd as soon as the Windows installation is complete, so winsetup.bat also copies a Setup2.cmd from the Samba share to the C drive, where Windows can find it when needed. Finally, we set up hard disk write caching (i.e. run smartdrv.exe) and then run winnt.exe with command-line arguments asking it to read all the answers from the "unattended answer file" we just created.
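The "read wininfo.bat, pick the dhcp/static template, fill the placeholders" step above is done on the DOS side with gsar. The following is an added Python re-creation of that step, written for this page rather than taken from the winsetup.bat described here; it is meant to be run on an administration host to produce and check the answer file. The wininfo.bat contents, the template text, the @NAME@ placeholder syntax and the sample addresses are all constructed for the example, and the template is a reduced unattend.txt that shows where the hostname and the static addressing land and how [GuiRunOnce] launches C:\Setup2.cmd after setup.

```python
"""Build a Windows unattended answer file from wininfo.bat values.

Added illustration of the page's "copy template, replace placeholders"
step, not the page's own winsetup.bat/gsar pipeline.  Everything below
(wininfo contents, templates, placeholder syntax) is constructed.
"""
import re

# Constructed stand-in for C:\wininfo.bat: plain "set NAME=value" lines.
WININFO_BAT = r"""@echo off
set HOSTNAME=lab-ws17
set NETMODE=static
set IPADDR=10.0.7.17
set NETMASK=255.255.255.0
set GATEWAY=10.0.7.1
set DNS1=10.0.0.53
"""

# Constructed templates in unattend.txt format; @NAME@ marks a placeholder.
# [GuiRunOnce] is the option that makes Windows run C:\Setup2.cmd after setup.
TEMPLATE_COMMON = """[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\\WINDOWS

[UserData]
ComputerName=@HOSTNAME@

[GuiRunOnce]
Command0="C:\\Setup2.cmd"

[Networking]
InstallDefaultComponents=No

[NetAdapters]
Adapter1=params.Adapter1

[NetProtocols]
MS_TCPIP=params.MS_TCPIP

[params.MS_TCPIP]
DNS=Yes
AdapterSections=params.MS_TCPIP.Adapter1

[params.MS_TCPIP.Adapter1]
SpecificTo=Adapter1
"""

TEMPLATE_DHCP = TEMPLATE_COMMON + "DHCP=Yes\nWINS=No\n"
TEMPLATE_STATIC = TEMPLATE_COMMON + """DHCP=No
IPAddress=@IPADDR@
SubnetMask=@NETMASK@
DefaultGateway=@GATEWAY@
DNSServerSearchOrder=@DNS1@
WINS=No
"""

SET_LINE = re.compile(r"^\s*set\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.IGNORECASE)
PLACEHOLDER = re.compile(r"@([A-Z0-9_]+)@")


def parse_wininfo(text):
    """Return the NAME -> value pairs found on 'set NAME=value' lines."""
    values = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2).strip()
    return values


def build_answer_file(values):
    """Pick the dhcp/static template and fill in every placeholder.

    Raises KeyError if the template needs a value that wininfo did not
    supply, so a half-filled answer file is never handed to winnt.exe.
    """
    use_dhcp = values.get("NETMODE", "").lower() == "dhcp"
    template = TEMPLATE_DHCP if use_dhcp else TEMPLATE_STATIC

    def fill(m):
        return values[m.group(1)]  # KeyError on a missing value

    out = PLACEHOLDER.sub(fill, template)
    assert not PLACEHOLDER.search(out), "placeholder survived substitution"
    return out


if __name__ == "__main__":
    print(build_answer_file(parse_wininfo(WININFO_BAT)))
```

The check at the end of build_answer_file is the part gsar cannot give you: a placeholder left unreplaced (a typo in wininfo.bat, say) fails loudly instead of producing an answer file that Windows Setup will stop on half-way through.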
Once the Windows installation completes (during which the machine has been rebooted about twice), C:\Setup2.cmd is executed by Windows and we once again have control. This file mounts the Samba share again (now under Windows) and executes a PostInst.cmd on the Samba share. This file oversees the post-installation process.
PostInst.cmd starts out by installing Windows Scripting Host and configuring it to run in console mode. This enables us to write scripts in Visual Basic as well. Then we install Python too; we use Python scripts when we wish to talk to other machines on the network. Next, we copy a whole bunch of files from the network to the hard disk (simple useful utilities like awk, cabarc, ...) and set up our path to include the location of these utilities. This finishes the bootstrapping stage.
Then, in the software install stage, it looks at a predetermined text file which lists the software install scripts to be run. Each such script installs some piece of software and configures it.
This stage is followed by printer installation, securing the machine, and finally setting up the system monitoring scripts.
The post-install script looks at a "printcap.txt" file which lists the names and the models of all the printers to install. Then, for each such printer, it installs the drivers for a "local printer" of the specified model and sets up port forwarding so that print requests go to the real printer. The main batch file shown below uses the VB scripts inst_lpr_port and inst_local_printer.
    @echo off
    rem -- Usage: pass the printer list file (printcap.txt) as the first argument.
    rem -- This reads each line of %1 in the current directory
    rem -- which is of the form "Queue","Driver Name",PortNumber
    rem -- (lines starting with ; are skipped) and installs the LPR port
    rem -- and the local printer for each of them.
    rem -- Assumed that all the drivers are in ntprint.inf
    rem -- or are already installed in the system.
    for /f "eol=; tokens=1,2,3 delims=," %%i in (%1) do (
        call inst_lpr_port %%i %%k
        call inst_local_printer %%i %%j
    )
Cleaning up the registry is done by creating our own .inf file and asking Windows to "install" it. This .inf does not install any files at all; it just cleans up the registry.
To install an inf file:
    start /wait rundll32.exe setupapi,InstallHinfSection DefaultInstall 4 INFFILENAME
An inf file usually instructs Windows to make changes to the registry, copy files into certain directories and so on. We don't need to copy files; we just change the registry to suit our needs. This is better than having to use Visual Basic and make the changes ourselves. The registry.inf file we use has been inspired by many sources, including Harden-NT and winguides.com. The next part is to ensure that these changes to the registry cannot be undone. This is accomplished by restricting access to the registry, which is done by the regperms script, which in turn reads information from RegPublicNull, RegPublicRead and RegPublicRW.
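A minimal registry-only .inf of the kind described above, added here as an illustration; it is not the page's registry.inf, whose contents are not shown. The [DefaultInstall] section name is the one passed to InstallHinfSection in the command above. The two AddReg entries (RestrictAnonymous under Lsa, DontDisplayLastUserName under Winlogon) are real Windows hardening values chosen for the example; the DelReg entry removes a startup item under Run and uses a placeholder value name, since the page does not say which entries its .inf deletes.

```ini
; Registry-only .inf: no [CopyFiles], only AddReg/DelReg.
; Added example, not the page's registry.inf.

[Version]
Signature="$Windows NT$"
Provider=%Provider%

[DefaultInstall]
AddReg=Registry.Harden
DelReg=Registry.Clean

; Format: reg-root,"subkey","value-name",flags,data
; flags 0x00010001 = REG_DWORD, 0x00000000 = REG_SZ
[Registry.Harden]
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","RestrictAnonymous",0x00010001,1
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DontDisplayLastUserName",0x00000000,"1"

; Format: reg-root,"subkey","value-name"  (value is deleted, key is kept)
[Registry.Clean]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","UNWANTED_STARTUP_ENTRY_PLACEHOLDER"

[Strings]
Provider="site administrators"
```

Because the .inf is applied through setupapi, a mistake in it is easy to audit: every change is a visible line in a text file that can be checked into the same share as the rest of the installation, and re-applying the file after the regperms step is a quick way to confirm that the restricted keys really do refuse the write.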
Securing the machine is accomplished by another script, which changes the permissions on a lot of files. Some Windows utilities which have the potential to be used for attacks are moved to a different directory, which is accessible only to administrators. Some other Windows system files which are not necessary are deleted. Since all machines on our network use WinXP, and all the software we install works with WinXP, we don't need the files which handle execution of 16-bit code. Similarly, files which provide compatibility with OS/2 etc. are all deleted. They are already disabled in the registry, so these files can be safely deleted.
Setting up system monitoring installs some Python scripts and schedules them to run every so often. Some of these scripts gather vital statistics (processor speed, memory, disk usage, ...) and store them in a central database. Others look for specific anomalies and report them via email, e.g. not enough disk space, too many processes running, or very high CPU load. Similar information is gathered on Linux/SunOS machines using PIKT and stored in the central database using Python. This database has a web front end; the Apache web server behind it uses mod_python for everything it does.
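The anomaly checks named above (disk space, process count, CPU load), as an added Python example that is not one of the page's monitoring scripts. The thresholds, the host statistics and the mail addresses are constructed for the example, and the report message is built but not sent, since no SMTP server or database is assumed.

```python
"""Anomaly checks of the kind the page's monitoring scripts perform.

Added example, not the page's own scripts: thresholds, sample host
statistics and mail addresses are constructed; the report is built as
an e-mail message but not sent.
"""
from email.message import EmailMessage

# Constructed thresholds: the page names the conditions, the numbers are ours.
THRESHOLDS = {
    "min_disk_free_pct": 10.0,  # free space below this is "not enough disk space"
    "max_processes": 150,       # more than this is "too many processes"
    "max_cpu_load_pct": 90.0,   # load above this is "CPU load very high"
}

# Constructed sample of what a collector on one host might report.
SAMPLE_STATS = {
    "hostname": "lab-ws17",
    "cpu_mhz": 2400,
    "mem_total_mb": 1024,
    "disks": {
        "C:": {"total_mb": 40000, "free_mb": 2500},
        "D:": {"total_mb": 80000, "free_mb": 30000},
    },
    "process_count": 172,
    "cpu_load_pct": 35.0,
}


def find_anomalies(stats, thresholds=THRESHOLDS):
    """Return human-readable anomaly descriptions; empty list if healthy."""
    problems = []
    for drive, d in sorted(stats.get("disks", {}).items()):
        free_pct = 100.0 * d["free_mb"] / d["total_mb"]
        if free_pct < thresholds["min_disk_free_pct"]:
            problems.append("%s has only %.1f%% free (%d MB)"
                            % (drive, free_pct, d["free_mb"]))
    if stats.get("process_count", 0) > thresholds["max_processes"]:
        problems.append("%d processes running (limit %d)"
                        % (stats["process_count"], thresholds["max_processes"]))
    if stats.get("cpu_load_pct", 0.0) > thresholds["max_cpu_load_pct"]:
        problems.append("CPU load at %.0f%%" % stats["cpu_load_pct"])
    return problems


def build_report(stats, problems,
                 sender="monitor@example.invalid",
                 recipient="admins@example.invalid"):
    """Build the e-mail that would be sent; None when there is nothing to report."""
    if not problems:
        return None
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "[monitor] %s: %d anomalies" % (stats["hostname"], len(problems))
    msg.set_content("\n".join("- " + p for p in problems) + "\n")
    return msg


if __name__ == "__main__":
    report = build_report(SAMPLE_STATS, find_anomalies(SAMPLE_STATS))
    print(report if report is not None else "all clear")
```

Keeping the thresholds in one dictionary separate from the checks is what lets the same script serve every machine: the per-site numbers change, the detection logic does not, and a quiet host produces no mail at all rather than an empty report.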