Setting Up Windows Systems Securely: Slipstreamed Installation

I've heard that you shouldn't connect new Windows systems to the network until you complete the setup. Why?

When you install Windows, it configures itself with default settings, some of which are insecure even in Windows Server 2003. Additionally, a new Windows system usually lacks every security patch issued since the OS was released. The only way to make sure new Windows systems are secure is to perform a slipstreamed installation of Windows, in which you copy the contents of the Windows CD-ROM to a server folder, then apply service packs and updates to those installation files so that every system installed from them starts out patched.

To slipstream a service pack, note the folder to which you've copied the Windows CD-ROM, then run the service pack's update program and use the -s parameter to point to the Windows installation files. For example, if you copied your Windows CD-ROM to \\server1\windows, you'd change your current directory to the directory that contains your service pack and run the command

update -s:\\server1\windows

The service pack will update the specified installation files.

A new Windows system is initially vulnerable to a host of risks from other systems on the network. If you connect the new system to the Internet, the risks are even higher—sometimes a new Windows system is hacked even before the administrator can lock it down. Consequently, you should install Windows while the system is disconnected from any network that attackers or malicious insiders could access.

For those who don't have an isolated setup-lab network with a server that hosts Windows setup files and application installation files, Microsoft provides a handy tool called the Security Readiness Kit (SRK) 4.1. The SRK contains the most recent service packs for Windows NT 4.0 and later, Microsoft SQL Server 7.0 and later, Microsoft Data Engine (MSDE) 1.0 and later, and SQL Server Desktop Engine 2000. The SRK lets you install service packs directly from the CD-ROM without having a network. The SRK also provides links to all post-service-pack security updates. To use this feature, you need to connect the computer to a network that provides Internet access, then download the updates from the Windows Update site.
