Software Installation is the process through which a program is installed on a computer system, typically resulting in shortcuts being created on the desktop, Start menu, and quick launch toolbar. When a user double-clicks on a file, a hidden link file is generated in the Recent folder within Documents and Settings.
Nearly every software installation will offer to drop one on your desktop, in your Start menu, and on your quick launch tool bar at the time of program installation. Whenever a user double-clicks on a file, a link file is created in the Recent folder located at the root of Documents and Settings. This is a hidden file.
Understanding Group Policy Software Installation Terminology and Concepts
☑
Software Installation uses Windows Installer Packages (.msi files).
☑
Publishing an application allows the user to install the application from Add/Remove Programs if desired.
☑
Assigning an application causes that application to be installed on first use, or when the computer reboots.
☑
Transforms are used to make modifications to an existing package. Modifications can only added when initially setting up the package.
☑
Document invocation is the process of installing the software based on clicking on a file with an associated extension to the package.
☑
Application categories can be set up to better organize your applications if you have a large number of them. This is especially helpful with published applications; they can be viewed by category, which makes them easier to locate.
Most of the same rules discussed in regard to deploying software to users also apply to deploying software to computer objects in Active Directory. However, you need to remember that you can only assign software to computers; there is no publishing to computer objects. Software installation policies can be applied like any group policy to sites, domains, or OUs. In Active Directory, by default each computer object is added to the Computers container in the root domain. You will most likely want to set up software deployment to computers by creating an OU, but this depends on your Active Directory design.
When software is deployed to computer objects, the installation generally takes place when the computer boots, prior to the appearance of the Ctrl + Alt + Del screen. This means the user cannot log on until all of the software has been installed. This must be considered prior to designing or assigning software installation packages. Assigning too many applications at the same time can cause the workstation to take a long time to start up.
Test Day Tip
Be sure you are comfortable with the differences and similarities between assigning versus publishing applications with the Software Installation component of Group Policy.
Creating an Assigned Software Package Installation in the Computer Configuration Node
1
Right-click the Software Installation node under the Computer Configuration node and select New Package as shown in Figure 6.24.
Figure 6.24. Creating a New Installation Package
2
Browse to the network share in which the desired software installation package is stored and select the package as shown in Figure 6.25.
Figure 6.25. Selecting Installation Package
3
Click OK on the Deployment Method window that appears.
4
Click OK on the next window that displays the package properties to accept the defaults. A software installation package has been created. The same process is followed for the published software installation package
Installation and start-up involves the delivery to site of all necessary computer hardware, software and peripheral equipment, installed into its final position and started up. The following steps are executed during start-up and commissioning:
•
Physical installation of computer hardware and related peripherals
•
Network connections with the existing plant network(s)
•
Software installation
•
Software configuration of the actual peripherals
•
Integration testing.
All the software required for the operation of the system is generally installed on the computer systems by the developer prior to shipment to site. It includes packaged software as well as bespoke software developed for the project by the project team. Source code and development/configuration tools are removed from the computer systems before commissioning, and delivered to the client on removable magnetic media. Configuration management of the completed software is very important at this stage of the project, and all changes required are to be made under formal configuration control procedures. Formal configuration control procedures should also be applied to the ‘as-built’ system documentation.
While documentation around how to install software seems like it would exist more in the realm of system or application administrators, it plays an important part in the penetration test lab as well. You will be dealing with a substantial number of software installations within your test lab. It is important to make sure that each time you install a particular piece of software, you do it in the exact same way or automate the process to guarantee this consistency. Differing choices made during installation can have a tremendous impact on the final result of the install including specific vulnerabilities which may exist in one installation type but not another. For example, if there is a vulnerability in an SSL library and you install a web server in two ways, one with SSL and one without, it is very likely that you will only find the vulnerability in one of the installations.
Even if your documentation is as light as a checklist of options selected during install, it is critical to keep and maintain this documentation. You can choose to store it with the media in some cases or keep it with other important system documentation. You should ensure that all members of the penetration test team use the same documented procedure as well so that there are no differences between installations depending on who performed the install.
Another tool that you can use comes from the Resource Kit. This tool is Software Installation Diagnostics and can be used to gain additional insight into problems you may be experiencing. This tool is also a command-line tool; you have to open a command prompt to run it.
The file is called addiag.exe. You can type addiag.exe /? and receive a list of commands to become familiar with the tool. You can use this tool to print out information possibly related to problem deployments. It will also generate Event Log entries related to software installation.
Using Group Policy Software Installation, applications can be assigned to users or computers, or published to users. When software is assigned to a user, it will be deployed the first time a user tries to launch that application by clicking the desktop or Start menu shortcut that is installed when you assign the application. Software can also be installed by clicking on a document that has a file extension recognized by Active Directory as being part of an application. This is known as document invocation. When software is assigned to computers, it is installed the next time the computer is rebooted, prior to logon. Large software deployments can cause a user to have to wait to log on.
When you publish software, the system advertises the software to be installed but does not install it automatically. The advertisement shows up in the Add/Remove Programs applet in Control Panel. This gives the user the ability to install the appropriate software if he or she chooses to do so. You can set up categories to organize the applications so they will be easier for users to find and install.
Software Installation uses the Windows Installer technology. This technology uses Windows Installer Packages or .msi files, which are databases that contain all the information needed to install the software in different scenarios. Software can be customized with configuration changes using an .mst file, also called a transform or modification. Software Installation uses .msp files to apply patches, updates, and service packs. Assignment scripts are files with an .aas extension that contain information about how the software is advertised on the network and other optional information such as file extension associations.
Deployment, maintenance, and updating of the organization's software infrastructure is an important task for network administrators, and Group Policy Software Installation makes it easier by automating much of the process. A mastery of the concepts and procedures involved in managing applications via Group Policy will serve you well both on the exam and on the job.
Determining which applications you plan to distribute with Group Policy Software Installation is an important first step in the deployment process. Because the GPOs used to deploy software can be linked to a site, domain, or OU, some planning is required. You must take into consideration your Active Directory design and the application needs of your organization.
Some departments will require a particular application, whereas there is no need for that application in other departments. For example, the Financial department may need accounting software that is not used elsewhere. In other cases, an application is required for all those in a particular job function. For example, all project managers may need a particular project management application, regardless of department. There are also times when an application must be distributed throughout the entire enterprise. For example, the software that is used to open and read personnel policies or security policies that apply to all employees will be needed by everyone, regardless of department or job function. Your Active Directory design and organizational needs will ultimately determine your plans for where you will configure Software Installation within Group Policy.
Understanding Group Policy Software Installation Terminology and Concepts
☑
Software Installation uses Windows Installer Packages (.msi files).
☑
Publishing an application allows the user to install the application from Add/Remove Programs if desired.
☑
Assigning an application causes that application to be installed on first use, or when the computer reboots.
☑
Transforms are used to make modifications to an existing package. Modifications can only added when initially setting up the package.
☑
Document invocation is the process of installing the software based on clicking on a file with an associated extension to the package.
☑
Application categories can be set up to better organize your applications if you have a large number of them. This is especially helpful with published applications; they can be viewed by category, which makes them easier to locate.
Using Group Policy Software Installation to Deploy Applications
☑
You can deploy software to either users or to computers.
☑
Applications can be assigned to either users or computers, but can be published only to users.
☑
A distribution point should be set up to hold the various application packages. This is a shared folder on the network, and users must have the appropriate permissions of Read and Execute to the folder hierarchy.
☑
Use the GPO Editor to maintain what packages are related to what group policy.
☑
Users must have Read and Apply Group Policy permissions to use the GPO to take advantage of software installation.
☑
You can set up categories by right-clicking on the Software Installation node and selecting Properties. The Categories tab is where you can add custom categories.
☑
Upgrades can be set up for existing packages and can be forced to install on users' workstations.
☑
Software Installation can be used to install and uninstall software .
Troubleshooting Software Deployment
☑
All the users associated with a group policy must have permission to the GPO for the settings to take effect.
☑
The distribution point can be a problem if NTFS permissions are not set properly.
☑
Ensure that name resolution is working so all necessary files can be located during the deployment process.
☑
Use the Application log in the Event Viewer to look for MsiInstaller, UserEnv, or Application Management messages and software deployment related messages.
☑
If you are in a mixed environment, make sure that your distribution point is not on a Windows NT4.0. Windows 2000 and Server 2003 have this fix already.
☑
You can turn on verbose logging for either Software Installation or the Windows Installer services by making a Registry change.
☑
The Resource Kit contains a diagnostics tool called Software Installation Diagnostics. It is a command-line tool.
