Fix a Windows security risk

The password is applied in oobeSystem and RDP is enabled in a previous
pass. I Also did a cleanup on the windows tasks.

snf-image-helper/tasks/40AddDeleteUnattendScript.in

-#! /bin/bash
-
-### BEGIN TASK INFO
-# Provides:		AddDeleteUnattendScript
-# RunBefore:		UmountImage
-# RunAfter:		MountImage
-# Short-Description:	Script that removes Unattend.xml after setup has finished
-### END TASK INFO
-
-set -e
-. "@commondir@/common.sh"
-
-if [ ! -d "$SNF_IMAGE_TARGET" ]; then
-	log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing"	
-fi
-
-if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "windows" ]; then
-    # Make sure Unattend.xml is removed after setup has finished
-    mkdir -p "$SNF_IMAGE_TARGET/Windows/Setup/Scripts"
-    echo "del /Q /F C:\Unattend.xml" > "$SNF_IMAGE_TARGET/Windows/Setup/Scripts/SetupComplete.cmd"
-fi
-
-exit 0
-
-# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :

snf-image-helper/tasks/40FilesystemResizeMounted.in

@@ -25,7 +25,6 @@ ptype=$(echo "$last_partition" | cut -d: -f5)
 if [ "$ptype" = "ntfs" ]; then
     # Write a diskpart script to %SystemDrive%\Windows\SnfScripts. Sysprep will
     # try to execute this script during the specialize pass.
-    mkdir -p "$SNF_IMAGE_TARGET/Windows/SnfScripts"
     cat > "$SNF_IMAGE_TARGET/Windows/SnfScripts/ExtendFilesystem" <<EOF
 select disk 0
 select volume $id

snf-image-helper/tasks/40InstallUnattend.in

@@ -18,12 +18,34 @@ if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "windows" ]; then
     exit 0
 fi
 
-if [ -f "@commondir@/unattend.xml" ]; then
-    cat "@commondir@/unattend.xml" > "$SNF_IMAGE_TARGET/Unattend.xml"
-else
+if [ ! -f "@commondir@/unattend.xml" ]; then
     log_error "File \`@commondir@/unattend.xml' is missing."
 fi
 
+target=$SNF_IMAGE_TARGET
+mkdir -p "$target/Windows/Setup/Scripts"
+
+cat "@commondir@/unattend.xml" > "$target/Unattend.xml"
+echo "del /Q /F C:\Unattend.xml" > \
+        "$target/Windows/Setup/Scripts/SetupComplete.cmd"
+
+mkdir -p "$target/Windows/SnfScripts"
+
+echo "exit" > "$target/Windows/SnfScripts/ExtendFilesystem"
+echo "del /Q /F C:\Windows\SnfScripts\ExtendFilesystem" >> \
+        "$target/Windows/Setup/Scripts/SetupComplete.cmd"
+
+echo "@echo off" > "$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
+# For security reasons, overwrite the file before deleting...
+spaces=$(printf "%200s");
+echo "echo ${spaces// /X} > C:\Windows\SnfScripts\ChangeAdminPassword.cmd" >> \
+        "$target/Windows/Setup/Scripts/SetupComplete.cmd"
+echo "del /Q /F C:\Windows\SnfScripts\ChangeAdminPassword.cmd" >> \
+        "$target/Windows/Setup/Scripts/SetupComplete.cmd"
+
+echo "rmdir C:\Windows\SnfScripts" >> \
+        "$target/Windows/Setup/Scripts/SetupComplete.cmd"
+
 exit 0
 
 # vim: set sta sts=4 shiftwidth=4 sw=4 et ai :

snf-image-helper/tasks/50ChangePassword.in

@@ -14,16 +14,11 @@ windows_password() {
     local target="$1"
     local password="$2"
 
-    local tmp_unattend="$(mktemp)"
-    add_cleanup rm "$tmp_unattend"
-
     echo -n "Installing new admin password..."
 
-    local namespace="urn:schemas-microsoft-com:unattend"
-    
-    "$XMLSTARLET" ed -N x=$namespace -u "/x:unattend/x:settings/x:component/x:UserAccounts/x:AdministratorPassword/x:Value" -v "$password" "$target/Unattend.xml" > "$tmp_unattend"
-
-    cat "$tmp_unattend" > "$target/Unattend.xml"
+    echo "@echo off" > "$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
+    echo "net user Administrator $password" >> \
+        "$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
     echo done
 }
 

snf-image-helper/unattend.xml

@@ -17,13 +17,23 @@
         <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <RunSynchronous>
                 <RunSynchronousCommand wcm:action="add">
-                    <Description>Extend the filesystem</Description>
+                    <Description>Enable Build-in Account</Description>
                     <Order>1</Order>
+                    <Path>net user administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES</Path>
+                </RunSynchronousCommand>
+                <RunSynchronousCommand wcm:action="add">
+                    <Description>Change Administrator Password</Description>
+                    <Order>2</Order>
+                    <Path>C:\Windows\SnfScripts\ChangeAdminPassword.cmd</Path>
+                </RunSynchronousCommand>
+                <RunSynchronousCommand wcm:action="add">
+                    <Description>Extend the filesystem</Description>
+                    <Order>3</Order>
                     <Path>diskpart.exe /s C:\Windows\SnfScripts\ExtendFilesystem</Path>
                 </RunSynchronousCommand>
                 <RunSynchronousCommand wcm:action="add">
                     <Description>Enable RDP</Description>
-                    <Order>2</Order>
+                    <Order>4</Order>
                     <Path>cmd /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f</Path>
                 </RunSynchronousCommand>
             </RunSynchronous>
@@ -46,12 +56,6 @@
             <OOBE>
                 <HideEULAPage>true</HideEULAPage>
             </OOBE>
-            <UserAccounts>
-                <AdministratorPassword>
-                    <Value>Admin1</Value>
-                    <PlainText>true</PlainText>
-                </AdministratorPassword>
-            </UserAccounts>
         </component>
     </settings>
     <cpi:offlineImage cpi:source="catalog:d:/sources/install_windows server 2008 r2 serverstandard.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />