Commit 6196f457 authored by Nikos Skalkotos's avatar Nikos Skalkotos

Fix a Windows security risk

The password is applied in oobeSystem, while RDP is enabled in an earlier
pass. I also did some cleanup of the Windows tasks.
parent ec728294
#! /bin/bash
### BEGIN TASK INFO
# Provides: AddDeleteUnattendScript
# RunBefore: UmountImage
# RunAfter: MountImage
# Short-Description: Script that removes Unattend.xml after setup has finished
### END TASK INFO
set -e
. "@commondir@/common.sh"
if [ ! -d "$SNF_IMAGE_TARGET" ]; then
log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing"
fi
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "windows" ]; then
# Make sure Unattend.xml is removed after setup has finished
mkdir -p "$SNF_IMAGE_TARGET/Windows/Setup/Scripts"
echo "del /Q /F C:\Unattend.xml" > "$SNF_IMAGE_TARGET/Windows/Setup/Scripts/SetupComplete.cmd"
fi
exit 0
# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :
......@@ -25,7 +25,6 @@ ptype=$(echo "$last_partition" | cut -d: -f5)
if [ "$ptype" = "ntfs" ]; then
# Write a diskpart script to %SystemDrive%\Windows\SnfScripts. Sysprep will
# try to execute this script during the specialize pass.
mkdir -p "$SNF_IMAGE_TARGET/Windows/SnfScripts"
cat > "$SNF_IMAGE_TARGET/Windows/SnfScripts/ExtendFilesystem" <<EOF
select disk 0
select volume $id
......
......@@ -18,12 +18,34 @@ if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "windows" ]; then
exit 0
fi
if [ -f "@commondir@/unattend.xml" ]; then
cat "@commondir@/unattend.xml" > "$SNF_IMAGE_TARGET/Unattend.xml"
else
if [ ! -f "@commondir@/unattend.xml" ]; then
log_error "File \`@commondir@/unattend.xml' is missing."
fi
target=$SNF_IMAGE_TARGET
mkdir -p "$target/Windows/Setup/Scripts"
cat "@commondir@/unattend.xml" > "$target/Unattend.xml"
echo "del /Q /F C:\Unattend.xml" > \
"$target/Windows/Setup/Scripts/SetupComplete.cmd"
mkdir -p "$target/Windows/SnfScripts"
echo "exit" > "$target/Windows/SnfScripts/ExtendFilesystem"
echo "del /Q /F C:\Windows\SnfScripts\ExtendFilesystem" >> \
"$target/Windows/Setup/Scripts/SetupComplete.cmd"
echo "@echo off" > "$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
# For security reasons, overwrite the file before deleting...
spaces=$(printf "%200s");
echo "echo ${spaces// /X} > C:\Windows\SnfScripts\ChangeAdminPassword.cmd" >> \
"$target/Windows/Setup/Scripts/SetupComplete.cmd"
echo "del /Q /F C:\Windows\SnfScripts\ChangeAdminPassword.cmd" >> \
"$target/Windows/Setup/Scripts/SetupComplete.cmd"
echo "rmdir C:\Windows\SnfScripts" >> \
"$target/Windows/Setup/Scripts/SetupComplete.cmd"
exit 0
# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :
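Review bot: The "overwrite before delete" step written at L56–L59 is a best-effort scrub only, and the comment should say so: SetupComplete.cmd runs at the very end of setup, so ChangeAdminPassword.cmd sits on disk in plaintext through the whole specialize and oobeSystem passes, and on NTFS a file this small is normally stored resident in the MFT record with further copies in the file-system journal, so echoing 200 X's over it does not guarantee the original bytes are gone. Suggest replacing the comment with `# Best-effort scrub: overwrite the password script before deleting it. NTFS journaling and resident MFT data may still retain the original bytes, so do not rely on this alone.` The placeholder files written at L52 and L55 (`exit`, `@echo off`) only stay placeholders if this task is ordered before the tasks that fill them in, and that ordering lives in the task header outside the hunk; a one-line comment such as `# Defaults so the Unattend.xml RunSynchronous commands succeed even if no later task rewrites these files` would make the dependency visible. Minor: `spaces=$(printf "%200s");` carries a stray trailing semicolon.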
......@@ -14,16 +14,11 @@ windows_password() {
local target="$1"
local password="$2"
local tmp_unattend="$(mktemp)"
add_cleanup rm "$tmp_unattend"
echo -n "Installing new admin password..."
local namespace="urn:schemas-microsoft-com:unattend"
"$XMLSTARLET" ed -N x=$namespace -u "/x:unattend/x:settings/x:component/x:UserAccounts/x:AdministratorPassword/x:Value" -v "$password" "$target/Unattend.xml" > "$tmp_unattend"
cat "$tmp_unattend" > "$target/Unattend.xml"
echo "@echo off" > "$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
echo "net user Administrator $password" >> \
"$target/Windows/SnfScripts/ChangeAdminPassword.cmd"
echo done
}
......
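Review bot: `echo "net user Administrator $password" >> ...ChangeAdminPassword.cmd` interpolates the password verbatim into a batch file, so any cmd.exe metacharacter in it (space, `"`, `%`, `&`, `|`, `<`, `>`, `^`) is interpreted when the script runs in the specialize pass, and because the file starts with `@echo off` a mangled or failed `net user` goes unnoticed, leaving the account with a different password than the one requested. Batch quoting cannot reliably escape every such character, so the helper should reject such passwords up front, e.g. `case "$password" in *[' "%&|<>^']*) log_error "Password contains characters that cannot be passed safely through cmd.exe" ;; esac` (assuming log_error is available here as it is in the task scripts). A short comment stating that the script is deliberately run during specialize so the password is in place before RDP is enabled would also preserve the intent of this commit. windows_password's opening line is outside the hunk.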
......@@ -17,13 +17,23 @@
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Description>Extend the filesystem</Description>
<Description>Enable Build-in Account</Description>
<Order>1</Order>
<Path>net user administrator /ACTIVE:YES /LOGONPASSWORDCHG:NO /EXPIRES:NEVER /PASSWORDREQ:YES</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>Change Administrator Password</Description>
<Order>2</Order>
<Path>C:\Windows\SnfScripts\ChangeAdminPassword.cmd</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>Extend the filesystem</Description>
<Order>3</Order>
<Path>diskpart.exe /s C:\Windows\SnfScripts\ExtendFilesystem</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>Enable RDP</Description>
<Order>2</Order>
<Order>4</Order>
<Path>cmd /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f</Path>
</RunSynchronousCommand>
</RunSynchronous>
......@@ -46,12 +56,6 @@
<OOBE>
<HideEULAPage>true</HideEULAPage>
</OOBE>
<UserAccounts>
<AdministratorPassword>
<Value>Admin1</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
</component>
</settings>
<cpi:offlineImage cpi:source="catalog:d:/sources/install_windows server 2008 r2 serverstandard.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
......
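Review bot: The security property this commit establishes lives entirely in the `<Order>` values of the specialize component at L87–L103 — the Administrator password is changed at Order 2 before fDenyTSConnections is cleared at Order 4 — and nothing in the file says so, so a later reordering or an inserted command would silently reintroduce the window the commit closes. Suggest an XML comment before the first `<RunSynchronousCommand>`: `<!-- Order matters: ChangeAdminPassword.cmd must run before RDP is enabled, otherwise the machine is reachable over RDP before the intended password is in place. -->`. Note also that `net user administrator /ACTIVE:YES` at Order 1 enables the account before the new password is applied at Order 2; the commands run sequentially so the gap is small, but the comment should mention it. Minor: the Description at L86 reads `Build-in`; `Built-in` is intended.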