Windows Installer Provider Security Considerations

The Windows Installer Provider installs a user-specified Microsoft Windows Installer package (.msi file) on a remote server. Improper or unauthorized use of this provider could result in remote code execution, leakage of highly privileged credentials, or compromise of or damage to the remote or local server. MPF developers and administrators should take special care when using this provider or exposing it through higher-level namespaces or user interfaces. Here are a few key considerations:

  • Both the Install and Uninstall methods accept the parameters installedServer, msiInstallHelper, and msiPackage. Each of these inputs must be validated:

    • installedServer should be sourced from a known location.

    • installedServer should never be based directly on user input.

    • Both msiInstallHelper and msiPackage should be selected from a list of known good values and should never be based directly on user input (in particular, a caller should never be able to supply a path or UNC name).

    • All MSIs in the list of known good MSIs should be stored in a secure location, and should be tested and checked for malicious code regularly.

    • Firewall rules should be configured such that the MPF Engine servers can only establish RPC connections to a list of known valid installedServer servers.
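
The following is an added illustration of the validation rules above, not code from the MPF documentation or the provider itself (MPF providers are invoked through XML requests, and this Python is only a portable model of the checks a higher-level namespace or UI should perform before building such a request). It assumes a fixed allowlist of target servers, a catalog that maps a logical package id to a file in the secure store together with the SHA-256 digest recorded when the package was approved, and a temporary directory standing in for that store; the server names, package ids and file contents are constructed sample data. Callers can only name a server or package id; anything not in the allowlist is rejected, and a stored package whose digest no longer matches is treated as tampered.

```python
import hashlib
import hmac
import tempfile
from dataclasses import dataclass
from pathlib import Path


class ValidationError(ValueError):
    """Raised when an Install/Uninstall parameter fails validation."""


@dataclass(frozen=True)
class PackageEntry:
    path: Path      # location inside the secure package store
    sha256: str     # digest recorded when the package was tested and approved


# Constructed sample allowlist (assumption: hostnames the MPF Engine may reach over RPC).
KNOWN_SERVERS = frozenset({"HOST-APP01", "HOST-APP02"})


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large MSIs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_server(installed_server: str, known_servers: frozenset) -> str:
    """Return the canonical server name, or raise if it is not on the allowlist."""
    name = installed_server.strip().upper()
    if name not in known_servers:
        raise ValidationError(f"installedServer {installed_server!r} is not a known server")
    return name


def resolve_package(package_id: str, catalog: dict) -> Path:
    """Map a logical package id to its path in the secure store and verify its digest.

    The caller never supplies a path: an unknown id (including anything shaped like a
    local path or UNC name) is rejected, and a catalog entry whose file no longer
    matches its recorded SHA-256 is rejected as tampered.
    """
    entry = catalog.get(package_id)
    if entry is None:
        raise ValidationError(f"package {package_id!r} is not in the known good list")
    if not hmac.compare_digest(sha256_file(entry.path), entry.sha256):
        raise ValidationError(f"package {package_id!r} failed integrity check")
    return entry.path


def build_install_parameters(installed_server: str, msi_install_helper: str,
                             msi_package: str, known_servers: frozenset,
                             catalog: dict) -> dict:
    """Validate all three inputs and return the values safe to place in a request."""
    return {
        "installedServer": validate_server(installed_server, known_servers),
        "msiInstallHelper": str(resolve_package(msi_install_helper, catalog)),
        "msiPackage": str(resolve_package(msi_package, catalog)),
    }


def make_demo_store() -> dict:
    """Constructed sample data: a temp directory standing in for the secure MSI store."""
    store = Path(tempfile.mkdtemp(prefix="msi-store-"))
    catalog = {}
    for pkg_id, content in (("install-helper", b"constructed helper bytes"),
                            ("webapp-1.2", b"constructed webapp bytes")):
        p = store / f"{pkg_id}.msi"
        p.write_bytes(content)
        catalog[pkg_id] = PackageEntry(path=p, sha256=sha256_file(p))
    return catalog


def demo() -> dict:
    """Run one good request and three hostile ones; report what was accepted."""
    catalog = make_demo_store()
    results = {"ok": build_install_parameters("host-app01", "install-helper",
                                              "webapp-1.2", KNOWN_SERVERS, catalog)}
    hostile = {
        "unknown_server": ("attacker-box", "install-helper", "webapp-1.2"),
        "path_as_package": ("HOST-APP01", "install-helper", r"\\attacker\share\evil.msi"),
    }
    for label, args in hostile.items():
        try:
            build_install_parameters(*args, KNOWN_SERVERS, catalog)
            results[label] = "accepted"
        except ValidationError:
            results[label] = "rejected"
    # Simulate a package in the store being replaced after approval.
    catalog["webapp-1.2"].path.write_bytes(b"trojaned")
    try:
        build_install_parameters("HOST-APP01", "install-helper", "webapp-1.2",
                                 KNOWN_SERVERS, catalog)
        results["tampered"] = "accepted"
    except ValidationError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The digest check covers the regular "tested and checked for malicious code" requirement only at the moment of use; the digests in the catalog must themselves be written by the review process and protected with the same care as the package store, and the same check should still be repeated on a schedule.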

  • Both the Install and Uninstall methods accept a userName and userPassword. These are presumably highly privileged credentials, since the account must have the right to install applications. You should take the following precautions:

    • Credentials should be stored in a secure, encrypted location.

    • A strong password policy should be enforced.

    • The password should be changed regularly.

    • The account should not be a well-known account such as "administrator".

For more information about input sources and effective data validation for MPS, see Input Validation and Protection against Injection Attacks.