Posted by Jim Hartnett on March 13, 2017
Planning an IT initiative can present many challenges, one of which being the choice of software in the organization’s base computer images. When starting out small, it may make sense to buy machines off the shelf if expansion is not anticipated in the near future. However, choosing to do so often includes unwanted programs that add performance issues, as well as attack surface area. The problem? Bloatware.
The common scenario for bloatware pre-installations is to subsidize the cost of the machines. The average laptop sold to consumers and “prosumers” is well below that of the cost to manufacture it. To mitigate this revenue loss, vendors often include bundled software paid for by the respective developers. The developers pay the hardware vendors for the exposure to consumers and businesses. Regardless of the merits of installing items such as Vendor X’s imaging utilities on consumer machinery, businesses often have little to no reason to maintain such software.
Bloatware often causes performance and security concerns. Recent attacks against vendor “convenience” utilities such as driver managers, or printer assistance tools, have taken advantage of improperly built system images. Bloatware often executes code in the context of the organization domain, using weak network protocols as they reach out to their home servers.
More recently there was a scenario where every machine from a vendor had to have the same root certificate authority installed on every machine with a private key. This requirement allowed an attacker to conduct a man in the middle (MitM) attack on the hardware from that vendor. The utility that opened the attack surface? Vendor bloatware for installing “convenient” utilities.
For this guide, we will assume a Windows-based organization. Linux or OS X organizations will generally not have to handle bloatware pre-installed on machines. Canonical machines should follow a similar set of guidelines. However, mileage may vary on various imaging utilities once items such as Unity Amazon integration have been stripped out.
The solution used by most enterprises is to build a custom windows image using Sysprep utilities from Microsoft, as well as the Windows Automated Installation Kit. This allows an enterprise to build a standard, clean installation of Windows and push it to fresh hardware. Planning this image is important. Every machine should be consistent and start with only the bare essentials:
Once the ideal image is created, it is generalized to create installation media. This can then be deployed to hardware using the IT team’s preferred method of installing a new operating system.
After the initial hardware rollout, maintain the image to ensure it operates efficiently and securely. An unmaintained image can be even worse than the bloat-laden OS originally on the hardware. There are a few considerations to keep in mind when updating the base images:
While changing the images to include basic operating system updates may seem obvious, there are often new features and changes in the core OS to consider. If a new feature is included with an update, the organization must ascertain whether it needs the feature, and whether it opens an attack area. With the change to Windows 10, many organizations found features enabled by default that could cause serious concerns for compliance and security. Keeping tabs on these changes is paramount to maintaining a secure and stable image.
As the organization matures, another issue creeps into images: hardware changes. Base images created for deployments need to include the drivers for the hardware they are installed on. Yet, over time the hardware itself may change and have new drivers, or worse–conflicting drivers. With conflicting drivers, the machines may become unstable.
As hardware changes, the image must change to accommodate the newer machines. However, don’t forget the old image. Legacy machines have a bad habit of sticking around. Given the relatively small footprint of an old machine image it can be quite handy for mitigating operational availability risk should those legacy systems need to keep humming.
With any operating system, there are many intricacies that are difficult to understand. What is the risk of using NetBIOS or LLMNR on the network? Have we configured this right?
Synopsys performs assessments on organizational images and deployments. Get started on the ground floor before the network starts spreading. This allows an enterprise to root out bad designs and bugs before they are distributed throughout the organization. A clean and secure base system for users is a start to defending data and business capabilities. Don’t neglect it, or that vendor-sponsored browser toolbar may end up being the death of your systems.