K-003: Windows NT 4.0 does not delete Unattended Installation File

PROBLEM:       When an unattended installation of Microsoft® Windows NT® 4.0
               completes, a copy of the file that contains installation
               parameters remains on the hard drive. Depending on the method
               that was used to perform the installation and the specific
               installation parameters that were selected, the file could
               contain sensitive information, potentially including the local
               Administrator password.
PLATFORM:      Windows NT 4.0
DAMAGE:        It depends on the information provided by the installation
               parameter file. If sensitive information such as account names
               and passwords are provided, it could allow the accounts to be
               compromised. By default, any user who can interactively log
               onto the machine can read the installation parameters file.
SOLUTION:      Anyone performing an unattended installation should review the
               installation parameter file and erase any sensitive information
               contained in it or delete the file after the installation
               completes.
VULNERABILITY  The risk is low. An administrator would have to install Windows
ASSESSMENT:    NT in unattended mode and include sensitive information, such
               as passwords and account names in the parameter file.


[  Start Microsoft Advisory  ]

Microsoft Security Bulletin (MS99-036)
--------------------------------------

Windows NT 4.0 Does Not Delete Unattended Installation File
Originally Posted: September 10, 1999

Summary
=======
When an unattended installation of Windows NT 4.0 completes, a copy of the
file that contains  installation parameters remains on the hard drive.
Depending on the method that was to perform  the installation and the
specific installation parameters that were selected, the file could  contain
sensitive information, potentially including the local Administrator
password.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-036faq.asp

Issue
=====
When an unattended installation of Windows NT 4.0 is performed, the
installation parameters are  included in a file named Unattend.txt. A
vulnerability exists because the installation process  copies the parameter
file to a file in %windir%\system32 ($winnt$.inf for a normal unattended
installation, or $nt4pre$.inf if Sysprep was used) but does not delete it
when the installation  completes. By default, this file can be read by any
user who can perform an interactive logon. If  sensitive information such as
account passwords were provided in the installation parameters  file, the
information could be compromised.

As discussed in the FAQ, the degree of risk from this vulnerability varies
depending on the  particular installation. However, in general, workstations
and terminal servers deployed using  the Sysprep tool would be at greatest
risk from it.

Affected Software Versions
==========================
 - Microsoft Windows NT Workstation 4.0
 - Microsoft Windows NT Server 4.0
 - Microsoft Windows NT Server 4.0, Enterprise Edition
 - Microsoft Windows NT Server 4.0, Terminal Server Edition

Resolution
==========
Customers performing unattended installations of Windows NT 4.0 should
ensure that they either  review the file and erase any sensitive information
such as account information and passwords, or  delete the file altogether.
Knowledge Base article Q241048 discusses one way to delete the file,  via
the RunOnce registry key.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-036: Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/MS99-036faq.asp.
 - Microsoft Knowledge Base (KB) article Q241048,
   Answer file for System Preperation Tool is not removed after completion,
   http://support.microsoft.com/support/kb/articles/q241/0/48.asp.
 - System Preparation Tool,
   http://www.microsoft.com/ntworkstation/deploy/DeployTools/SysPrep.asp
 - Microsoft Knowledge Base (KB) article Q173039,
   Unattended Setup Parameters for Unattend.txt File,
   http://support.microsoft.com/support/kb/articles/q155/1/97.asp.
 - Microsoft Knowledge Base (KB) article Q158484,
   INFO: How to Set the Administrator Password During Unattended Setup,
   http://support.microsoft.com/support/kb/articles/q158/4/84.asp.
 - Microsoft Security Advisor web site,
   http://www.microsoft.com/security/default.asp.

   NOTE: It may take 24 hours from the original posting of this
   bulletin for the KB articles to be visible.

Obtaining Support on this Issue
===============================
Information on contacting Microsoft Technical Support is available
at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Nets & Webs, Brisbane, Australia, for bringing this
issue to our  attention.

Revisions
=========
 - September 10, 1999: Bulletin Created.

--------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service.  You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.


[  End Microsoft Advisory  ]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)