unattended network install being infected by worms!!


Neal Vadekar

We have created an unattended network installation for XP,
but our machines are susceptible to worms before we even
finish installing all the security patches since you can't
slipstream the RPC patch. Does anyone know how to get
KB823980 slipstreamed, if not, is there a way I can get
windows to install with the firewall already on, so worms
cannot infect XP while it is still installing?

Thanks in advance.

Neal...
 
Hi Neal,

Here are some simple steps.

I have listed the following KB as a reference.

814847 How to Slipstream Hotfixes That Replace Pre-
Existing Driver Files
http://support.microsoft.com/?id=814847

The gist of it is to delete the following four files from
your I386 source.

ole32.dl_
rpcrt4.dl_
rpcss.dl_

Then extract the following three files from the Hot Fix
and copy them as they are into your I386 Source.

ole32.dll
rpcrt4.dll
rpcss.dll

You still need to run the actual Hot Fix so it gets
registered with the Operating System Properly either in
your GUIRunOnce or Svcpack.inf, but the above alone will
at least allow you to complete the install without
getting the virus.

If you have a single Network Adaptor the following can be
used to enable the firewall. Just add the following
information to your Unattend.txt. The Firewall does get
disabled after running Sysprep though.

[Networking]

[Identification]
JoinWorkgroup = Workgroup

[NetAdapters]
Adapter1=Params.Adapter1

[Params.Adapter1]
InfID=*

[NetProtocols]
MS_TCPIP=Params.MS_TCPIP

[Params.MS_TCPIP]
AdapterSections=params.TCPIP.Adapter1
EnableLMHosts=No

[params.TCPIP.Adapter1]
SpecificTo=adapter1
DHCP=Yes

[Homenet]
InternetConnectionFirewall = Adapter1

Regards,

Hawkens
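
A pre-deployment check for the two changes described in the post above, added here as an example and not part of the original thread: it confirms the three compressed originals are gone from the I386 folder and the hotfix copies are in place, and that the adapter named by InternetConnectionFirewall is defined in [NetAdapters]. The function names and the sample answer file are constructed for illustration; treating the firewall value as a comma-separated adapter list is an assumption.

```python
import configparser
import tempfile
from pathlib import Path

PATCHED = ("ole32", "rpcrt4", "rpcss")  # the three files named in the post
# Constructed sample answer-file fragment, modelled on the one in the post.
SAMPLE = """\
[NetAdapters]
Adapter1=Params.Adapter1

[Homenet]
InternetConnectionFirewall = Adapter1
"""

def check_i386(i386: Path) -> list[str]:
    """Return problems with the swapped RPC files in an I386 source folder."""
    names = {p.name.lower() for p in i386.iterdir()}
    problems = []
    for stem in PATCHED:
        if f"{stem}.dl_" in names:
            problems.append(f"{stem}.dl_ (original, compressed) still present")
        if f"{stem}.dll" not in names:
            problems.append(f"{stem}.dll (from the hotfix) missing")
    return problems

def check_firewall(answer_text: str) -> list[str]:
    """Return problems with the [Homenet] firewall entry of an answer file."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(answer_text)
    # Compare section names case-insensitively; configparser keeps their case.
    sections = {name.lower(): cp[name] for name in cp.sections()}
    homenet = sections.get("homenet")
    if homenet is None or not homenet.get("internetconnectionfirewall"):
        return ["[Homenet] InternetConnectionFirewall is not set"]
    defined = {key.lower() for key in sections.get("netadapters", {})}
    # Assumption: the value may list several adapters separated by commas.
    wanted = [a.strip().lower() for a in homenet["internetconnectionfirewall"].split(",")]
    return [f"firewall adapter '{a}' not defined in [NetAdapters]"
            for a in wanted if a not in defined]

if __name__ == "__main__":
    print(check_firewall(SAMPLE))
    with tempfile.TemporaryDirectory() as d:
        for name in ("OLE32.DLL", "rpcrt4.dll", "rpcss.dl_"):
            (Path(d) / name).touch()
        print(check_i386(Path(d)))
```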
 
Wow, that was a good answer. I will give it a try. I
am curious though, will not windows know and care that the
files:

ole32.dl_
rpcrt4.dl_
rpcss.dl_

are not the same as listed in the WFP database? I tried
this with another DLL that controlled WFP, I hex edited it
to try and turn it off, then tried to replace it with the
original in the i386 directory, but it did not work,
Windows setup knew my file had been replaced, and refused
to complete Windows XP installation.

The way of turning on the firewall is very cool though, I
will try that right away, how did you know to do that?

Thanks.
 
Hi Neal,

WFP won't reject these particular files, but you do need
to run the Hot Fix file once at the Desktop. For files
that do get rejected by WFP, use the exact method
mentioned in the KB I listed earlier, which will have you
add some info to the svcpack.inf, but the Dosnet.inf
editing is not needed unless you are updating a Hot Fix
that includes drivers.

The method listed in the KB is often used to replace
setup-based files such as syssetup.dll that are WFP aware.

The information on enabling the Firewall is all in the
docs, under the support\tools\deploy.cab

Hawkens



 
Hi, thanks for this response.

I tried enabling the firewall, but it does not do it, here
is my unattend file for my DOS-based network boot. I
looked through the deploy docs, as far as I can tell, I
have done everything they ask for, but after install is
complete, I check my advanced tab of Local Area
Connection, and the firewall checkbox is not enabled! Any
ideas?

Thanks.

[Data]
AutoPartition=0
MsDosInitiated="0"
UnattendedInstall="Yes"

[Unattended]
UnattendMode=FullUnattended
ExtendOemPartition=1
FileSystem=ConvertNTFS
OemSkipEula=Yes
OemPreinstall=Yes
TargetPath=\WINDOWS
NoWaitAfterGUIMode=1
DriverSigningPolicy=Ignore
OemPnPDriversPath="x\IntelINF;x\Evo4000\Aud;x\Evo4000\Vid;x\Evo4000\Eth;x\Dell350\Aud;x\Dell350\Vid;x\Dell350\Eth;x\Dell350\SCSI"
UnattendSwitch=Yes

[GuiUnattended]
TimeZone=50
AdminPassword=acent
EncryptedAdminPassword=no
Autologon=Yes
AutoLogonCount=5
OEMSkipRegional=1
OemSkipWelcome=1

[UserData]
FullName = "x Limited"
OrgName = "x Limited"
ComputerName = *

[Display]
BitsPerPel=16
Xresolution=1024
YResolution=768
Vrefresh=72

[Components]
autoupdate=Off
chat=Off
deskpaper=Off
fax=Off
media_utopia=off
Msnexplr=Off
MWAccess=Off
OEAccess=off
WMAccess=off

[RegionalSettings]
LanguageGroup=1

[GuiRunOnce]
Command0=C:\x\Scripts\runfirst.bat

[Branding]
BrandIEUsingUnattended=Yes

[Networking]
InstallDefaultComponents=Yes

[Identification]
JoinWorkgroup=xNT

[NetAdapters]
Adapter1=params.Adapter1

[Params.Adapter1]
InfID=*

[NetClients]
MS_MSClient=params.MS_MSClient

[NetProtocols]
MS_TCPIP=params.MS_TCPIP

[params.MS_TCPIP]
DNS=Yes
UseDomainNameDevolution=No
EnableLMHosts=Yes
AdapterSections=params.MS_TCPIP.Adapter1

[params.MS_TCPIP.Adapter1]
SpecificTo=Adapter1
DHCP=Yes
WINS=No
NetBIOSOptions=0

[Homenet]
EnableICS=Yes
InternalIsBridge=No
InternetConnectionFirewall=Adapter1
ShowTrayIcon=Yes

[MassStorageDrivers]
"LSI Logic Ultra320 1020/1030 Driver"="OEM"
"IDE CD-ROM (ATAPI 1.2)/PCI IDE Controller"="RETAIL"
"Adaptec AIC-789X/AHA-3960 Ultra160 PCI SCSI Card"="RETAIL"
"Adaptec AHA-151X/AHA-152X/AIC-6X60 SCSI Adapter"="RETAIL"
"Adaptec AHA-154X/AHA-164X SCSI Host Adapter"="RETAIL"
"Adaptec AHA-294X/AHA-394X/AIC-78XX SCSI Controller"="RETAIL"
"Adaptec AHA-294XU2/AIC-7890 SCSI Controller"="RETAIL"
"Adaptec AIC-789X/AHA-3960 Ultra160 PCI SCSI Card"="RETAIL"
"Adaptec 2000S/3000S Ultra160 SCSI RAID Controller"="RETAIL"

[OEMBootFiles]
mpixp32.cat
symmpi.inf
symmpi.sys
txtsetup.oem
symmpi.tag