Initial Considerations for Secure Deployment

Published: March 12, 2008

By Dave Field, Technical Program Manager, Studio B Productions, Inc.


In this month’s newsletter, Jeremy Chapman does a great job of describing how to secure a Windows Vista deployment infrastructure. Securing Windows Vista images and product keys is critical to protecting your license assets. Taking this one step further, I will outline the three steps that you can take to set an initial security posture for your users when deploying Windows Vista using Microsoft Deployment or Business Desktop Deployment 2007. This will help protect your systems during the critical phase between system deployment and the uptake of the system into your security management infrastructure, whether that is Microsoft System Center Configuration Manager 2007, Group Policy, Windows Server Update Services, or another method of tracking updates and hotfixes.

When setting initial security for a Windows Vista desktop in a Microsoft Deployment (or BDD 2007) infrastructure, you should concentrate on the following three areas:

  1. Baseline security

  2. Updates and hotfixes

  3. Handoff to security management

Performing the basic tasks listed above will help you ensure that you are prepared to accept the new systems into your security management infrastructure and that your systems have the best available protection during the transition.

Setting Baseline Security

You can use Local Computer Policy to establish a good baseline security configuration for your systems. This provides critical protection during the window between the time a system leaves your deployment infrastructure and the time it comes under the control of Group Policy delivered by Active Directory.

To establish an initial security policy, use the security settings in Local Computer Policy (Figure 1). Configure Local Computer Policy settings for account lockout, user rights, and audit policy.

Figure 1: Configuring Administrator account status using local security settings

For complete coverage of Local Computer Policy, read the Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

Tip: You can import security templates into Local Computer Policy to set all relevant security settings as Local Policy. Consider importing security settings from your domain security policy.
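As an added example (not part of the original column or of any Microsoft guidance), the following PowerShell script establishes such a baseline from a security template with secedit.exe, refines Windows Vista's per-subcategory auditing with auditpol.exe, and then verifies the result from the live configuration. The template values, the temporary file paths, and the choice of the Guests alias (S-1-5-32-546) for the deny rights are illustrative assumptions; substitute settings exported from your own domain security policy.

```powershell
# Added example, not code from the original column: establish an initial
# baseline in Local Computer Policy with secedit.exe and auditpol.exe, then
# verify it. Assumptions: run in an elevated prompt on the freshly deployed
# Windows Vista system; the template values are illustrative choices, not a
# published Microsoft baseline; replace them with values exported from your
# own domain security policy.

$template = Join-Path $env:TEMP 'initial-baseline.inf'
$database = Join-Path $env:TEMP 'initial-baseline.sdb'
$log      = Join-Path $env:TEMP 'initial-baseline.log'

# Same INF format that the Local Security Policy snap-in exports.
# [System Access]   : account lockout and built-in account status (Figure 1)
# [Privilege Rights]: user rights, by SID (S-1-5-32-546 is the Guests alias)
# [Event Audit]     : legacy audit categories (3 = success and failure)
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
EnableAdminAccount = 0
EnableGuestAccount = 0
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
'@
Set-Content -Path $template -Value $inf -Encoding Unicode

# Apply only the policy and user-rights areas. /overwrite starts from a fresh
# database so nothing from an earlier run lingers; /quiet suppresses the
# overwrite prompt.
secedit /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $log" }

# Vista audits per subcategory; the legacy keys above only set whole
# categories, so refine the subcategories that matter most during staging.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# Verify from the live configuration rather than from the file we wrote:
# export the effective local policy and show the keys we care about, then
# read lockout settings from the SAM and audit settings from auditpol.
$exported = Join-Path $env:TEMP 'initial-baseline-export.inf'
secedit /export /cfg $exported /areas SECURITYPOLICY USER_RIGHTS /quiet
Get-Content $exported | Select-String 'LockoutBadCount|EnableAdminAccount|EnableGuestAccount|SeDeny'
net accounts
auditpol /get /category:"Logon/Logoff","Account Management","Policy Change"
```

Run it once from an elevated prompt on the newly deployed system, for example as a final task sequence step. Because secedit writes to Local Policy, any setting later delivered by domain Group Policy takes precedence, which is exactly the handoff this column describes.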

Managing Hotfixes and Updates Using Microsoft Deployment or BDD 2007

Microsoft Deployment and BDD 2007 provide the ability to install hotfixes and service packs. You can use this ability to ensure that every system receives critical security updates during deployment, which helps ensure that systems are not left vulnerable during the transition to your patch management infrastructure.

Figure 2: Adding an update package using the New Package Wizard

You can get more information on using Microsoft Deployment to install operating system packages in the guidance provided with Microsoft Deployment. You can download Microsoft Deployment from the Desktop Deployment TechCenter on Microsoft TechNet.
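As an added example, not from the original column or from the Microsoft Deployment scripts, the following PowerShell script installs every .msu package staged in a folder with wusa.exe and then checks the installed-update inventory to confirm that each KB is actually present rather than trusting the installer's exit code alone. The staging folder path is a placeholder, and the script assumes Microsoft's usual Windows6.0-KBnnnnnn-arch.msu file naming when it reads the KB number from the file name.

```powershell
# Added example, not code from the original column or from the Microsoft
# Deployment scripts: install the .msu packages staged in a folder and confirm
# each one is present afterwards. Assumptions: the folder path is a
# placeholder; run elevated on the deployed Vista system, for instance as a
# post-deployment step, and let the task sequence handle the reboot.

$stage = 'C:\Deploy\Updates'   # placeholder folder holding .msu packages
$wusa  = Join-Path $env:SystemRoot 'System32\wusa.exe'

# Exit codes from wusa.exe worth distinguishing.
$ExitOk        = 0
$ExitReboot    = 3010      # ERROR_SUCCESS_REBOOT_REQUIRED
$ExitInstalled = 2359302   # WU_S_ALREADY_INSTALLED (0x240006)

$needReboot = $false
foreach ($msu in Get-ChildItem -Path $stage -Filter *.msu) {
    # /quiet and /norestart let the deployment process control the reboot.
    $psi = New-Object Diagnostics.ProcessStartInfo
    $psi.FileName  = $wusa
    $psi.Arguments = "`"$($msu.FullName)`" /quiet /norestart"
    $psi.UseShellExecute = $false
    $proc = [Diagnostics.Process]::Start($psi)
    $proc.WaitForExit()
    switch ($proc.ExitCode) {
        $ExitOk        { "{0}: installed" -f $msu.Name }
        $ExitReboot    { "{0}: installed, reboot required" -f $msu.Name; $needReboot = $true }
        $ExitInstalled { "{0}: already installed" -f $msu.Name }
        default        { Write-Warning ("{0}: wusa exit code {1}" -f $msu.Name, $proc.ExitCode) }
    }
}

# Verify against the installed-update inventory rather than trusting exit codes.
# Microsoft names packages Windows6.0-KBnnnnnn-<arch>.msu (assumed here), so the
# KB id can be read from the file name and matched to HotFixID.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
foreach ($msu in Get-ChildItem -Path $stage -Filter *.msu) {
    if ($msu.Name -match 'KB\d+') {
        $kb = $matches[0]
        if ($installed -contains $kb) { "$kb present" }
        else { Write-Warning "$kb missing after install" }
    }
}
if ($needReboot) { 'At least one update needs a restart before it takes effect.' }
```

The inventory check matters because a package can report success yet not apply to the installed edition or architecture; the HotFixID comparison catches that before the system leaves staging.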

Handoff to the Security Management Infrastructure

Once a system is deployed, it is important to bring it into your security management infrastructure quickly. This allows additional critical updates and security settings to be applied while the system is still in staging.

Two elements of the handoff to management that are especially important are:

  • Group Policy. Often a new system will not be assigned to a user immediately. Consider placing it into a staging organizational unit in your Active Directory infrastructure while it waits for assignment. This will allow it to acquire Domain Security Policy from Active Directory and provide interim protection while it waits for assignment.

  • Anti-Malware. When a new system is imaged, ensure that your antivirus and antispyware are installed as soon as possible. This can be done as part of the deployment process, or manually immediately after deployment. Having anti-malware installed helps provide added assurance that systems remain secure throughout their deployment life cycle.
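Both handoff elements can be checked from an administrative workstation. The following PowerShell script is an added example, not part of the original column: it moves a newly deployed computer object into a staging OU, triggers a Group Policy refresh on the client, confirms which GPOs the client applied, and confirms that an antivirus and antispyware product have registered with Windows Security Center. The distinguished names, the computer name and the staging GPO name are placeholders for your own forest, and the script assumes you have rights to move the object and remote WMI access to the new computer.

```powershell
# Added example, not code from the original column: move a newly deployed
# computer object into a staging OU so domain policy reaches it, trigger a
# policy refresh, and confirm that anti-malware is registered with Security
# Center. Assumptions: the distinguished names, computer name and GPO name are
# placeholders for your own forest; run from an administrative workstation
# with rights to move the object and with WMI access to the new computer.

param([string]$ComputerName = 'PC-NEW-01')     # placeholder

$domainDn  = 'DC=contoso,DC=com'                        # placeholder
$stagingOu = "OU=Staging,OU=Workstations,$domainDn"     # placeholder
$stagingGpo = 'Staging Workstation Security'            # placeholder GPO name

# 1. Find the computer object wherever the domain join created it
#    (usually the default CN=Computers container).
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$found = $searcher.FindOne()
if ($found -eq $null) { throw "No computer object named $ComputerName under $domainDn" }
$computer = $found.GetDirectoryEntry()

# 2. Group Policy is linked to OUs, so the move is what makes the staging
#    policy apply on the next refresh. Skip the move if it is already there.
$currentParent = $computer.psbase.Parent.psbase.Path
if ($currentParent -ine "LDAP://$stagingOu") {
    $computer.psbase.MoveTo([ADSI]"LDAP://$stagingOu")
    "Moved $ComputerName from $currentParent to $stagingOu"
}

# 3. Ask the client to refresh policy now instead of waiting for the
#    background interval. Win32_Process.Create runs gpupdate on the client.
$procClass = [wmiclass]"\\$ComputerName\root\cimv2:Win32_Process"
$null = $procClass.Create('gpupdate.exe /force')
Start-Sleep -Seconds 60   # gpupdate runs asynchronously; give it time to finish

# 4. Read the computer's Resultant Set of Policy to see which GPOs applied.
$applied = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\rsop\computer' -Class RSOP_GPO |
    ForEach-Object { $_.name }
if ($applied -contains $stagingGpo) { "Staging GPO applied on $ComputerName" }
else { Write-Warning "Staging GPO not yet applied; GPOs seen: $($applied -join ', ')" }

# 5. Confirm anti-malware registered with Security Center (root\SecurityCenter2
#    on Vista). productState is a vendor-reported status field; it is shown as
#    a hint only, the presence of a product is what this check asserts.
foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
    $products = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\SecurityCenter2' -Class $class
    if ($products -eq $null) { Write-Warning "No $class registered on $ComputerName" }
    else {
        $products | ForEach-Object { "{0}: {1} (productState {2})" -f $class, $_.displayName, $_.productState }
    }
}
```

Running this as soon as the deployment task sequence finishes closes the gap the column describes: the system acquires domain security policy from the staging OU immediately, and an unregistered anti-malware product is flagged before the machine is handed to a user.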


“Secure by Default” is part of the goal of information security professionals for overall security. It defines initial security to protect systems during the initial installation and configuration phases. You can approach this level of security by applying best odds security practices during and just after deployment. Use the tips in this column to help make this possible.