Creating Network Administrative Installation Package to Apply Office Service Packs Using Hercules Remediation Hercules v2.2.0

Creating Network Administrative Installation Package to Apply Office Service Packs Using Hercules Remediation Hercules v2.2.0 Citadel Security Software, Inc. 8750 North Central Expressway Suite 100 Dallas, Texas 75231 (214) 520-9292 (214) 520-9293 FAX www.citadel.com

2003 Citadel Security Software, Inc. All rights reserved. This document cannot, in whole or part, be copied, photographed, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written consent from Citadel Security Software, Inc. Hercules is copyrighted software of Citadel Security Software, Inc. Hercules is a trademark of Citadel Security Software, Inc. Windows is a registered trademark of Microsoft, Inc. W3C SOFTWARE NOTICE AND LICENSE Copyright 1994-2003 World Wide Web Consortium <http://www.w3.org/>, (Massachusetts Institute of Technology <http://www.lcs.mit.edu/>, Institut National de Recherche en Informatique et en Automatique <http://www.inria.fr/>, Keio University <http://www.keio.ac.jp/>). All Rights Reserved. http://www.w3.org/consortium/legal/ This W3C work (including software, documents, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions: Permission to use, copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications, that you make: The full text of this NOTICE in a location viewable to users of the redistributed or derivative work. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, a short notice of the following form (hypertext is preferred, text is permitted) should be used within the body of any redistributed or derivative code: "Copyright 2003 World Wide Web Consortium <http://www.w3.org/>, (Massachusetts Institute of Technology <http://www.lcs.mit.edu/>, Institut National de Recherche en Informatique et en Automatique <http://www.inria.fr/>, Keio University <http://www.keio.ac.jp/>). All Rights Reserved. http://www.w3.org/consortium/legal/" Notice of any changes or modifications to the W3C files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.) THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION. The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders. All other products are trademarks of their respective holders. ii

Contents Creating Network Administrative Installation Package to Apply Office Service Packs Using Hercules Remediation...1 Account and System Setup...1 Administrative Installation Package Creation...15 Office 2000 Administrative Installation:...15 Office 2000 Service Release / Service Pack Application...18 Office XP Administrative Installation...20 Office XP Service Pack Application...23 Customization and Application of the Remedy...25 Customize a remedy for an individual device...26 Customize a remedy for a group using policy...30 Customize a global remedy for all devices...35 iii

Support When you purchase a Customer Support Agreement and register your Citadel software product, you are eligible to receive technical support pursuant to the terms of the contract you purchased. Technical support is available for registered users from Citadel s technical support hot line (214) 750-2482, toll-free (800) 962-0701, e-mail support@citadel.com or at www.citadel.com. Business hours for telephone support are from 8:30 a.m. until 5:30 p.m. Monday through Friday, U.S. Central Standard Time. Please have the following information available: Hercules version number The Hercules serial number The type of hardware being used iv

Creating Network Administrative Installation Package to Apply Office Service Packs Using Hercules Remediation Due to the sensitivity of the information contained in the installation script for this remedy, we recommend you only use this remedy if you are using Hercules in conjunction with SSL. NOTE: The procedure described in this section must be completed prior to remediation of the client with Office Service Packs. Otherwise, the remediation will fail, due to the necessary files and folders not being available. Additionally, a separate administrative installation point must be created for each version of Office you wish to remediate. For example, Office 2000 Professional must have a different Administrative Installation Package than Office 2000 Standard. These instructions assume the user has internet access and a functional SMB share for hosting the Office Administrative Installation Package. The instructions for this remediation assume that we are hosting the Office Administrative Installation Package on a Windows 2000 System that is NOT a Domain Controller. The Office Remedy is divided into 3 sections: Account and System Setup Administrative Installation Package Creation Customization and Application of the Remedy Account and System Setup To perform the office remedy, it is necessary to create a share on a computer on the network and a user account with access rights to the share. The Hercules Server should work fine for this step. The user account can be reused for performing remediation of all Office versions; however, an additional share must be created for each Office Administrative Installation Point. The following steps should be followed to create the user account and share: User Account Creation: 1. Right Click My Computer and left-click Manage 2. Expand Local Users and Groups in the left-hand pane. 1

3. Right click the Users Folder in the left-hand pane of the Window and left-click New User 4. Enter a User name and Password for the user account. The example uses the User name OfficeUser with a password of Password. 5. Uncheck the User must change password at next logon field. 6. Check the Password never expires field and the User Cannot Change Password field. 2

7. Click the Create button and then close the New User dialog box. 8. With the Users folder still selected on the left side of the Computer Management Console, double click the new user you created on the right side of the console. 9. Click the Member of tab. Highlight the Users group in the list and click the remove button. Then click Apply and then Close 3

10. Close the Computer Management Console. 11. Right click My Computer and left click Explore 4

12. Right click the c:\ drive and left click Properties 13. Click the Security Tab. 5

14. Click the Add button. This will bring up the Select Users, Components, or Groups dialog. Make sure the Look in drop down menu shows the local computer, highlight the user you created, and click the Add button. Then Click OK. 15. Check the Full Control in the DENY column. This should automatically check all of the other boxes in the deny column. 6

16. Click the Apply button and click Yes on the Security dialog that pops up. It may take a few minutes to apply this change. NOTE: All folders currently set to inherit permissions from the root (C:) will reflect this change. Any folders that are not set will need to be manually modified with this deny permission for your newly created user, if you feel it is necessary. 17. Click OK to close the properties window. 18. Close Windows Explorer. Shared Directory Creation and Setup: 1. Right-click My Computer and left-click Explore. 2. Choose a location on the system for the creation of the shared Office directory. The example uses the root of the c:\ drive, but the share can be anywhere on the system. 7

3. In the left-hand pane, single left-click the location where you wish to create the Office share. In the right-hand pane, right click a blank area and choose New Folder. 4. Name the directory the example uses Office2K as the name for the directory. 8

5. Right click the directory you want to share and click Properties. Choose the Sharing tab and choose to Share this folder. 6. Click the Permissions button on the Sharing Tab. This will bring you to the Share Permissions dialog for this directory. 9

7. With Everyone highlighted, click the Remove button. This should remove Everyone from the list. 8. Click the Add button to open the Select Users, Components, or Groups dialog. 9. Make sure the Look in drop down menu shows the local computer, highlight the user you created in the list and click the Add button. Then Click OK. 10

10. Make sure only the Read box is checked in the Allow column at the bottom of the Share Permissions dialog. Then click Apply and the OK. 11. Next, click the Security tab at the top of the directory properties dialog box. Uncheck the Allow inheritable permissions from parent to propagate to the object. 11

12. Click Copy on the Security dialog to copy the current permissions to the directory. 13. With your user highlighted, uncheck ALL of the boxes in the Deny column and check the Read & Execute box under the Allow column and click Apply. 12

14. Click the Advanced button to open the Access Control Settings dialog. On the Permissions tab and with your user highlighted in the list, check the box next to Reset permissions on all child objects and enable propagation of inheritable permissions. Then click Apply. 15. Click Yes on the Security dialog. 13

16. Click OK on all dialog boxes and close Windows Explorer. Securing the System: 1. To secure the system through the Local Security Policy, start by clicking Start Programs Administrative Tools Local Security Policy. Expand Local Policies and click on User Rights Assignments. 2. The following changes should be made to the local policies: 3. Deny logon as a batch job Add the user you created 4. Deny logon as a service Add the user you created 5. Deny logon locally Add the user you created 6. Close the local policies window. 14

Administrative Installation Package Creation The next step in preparation for Hercules remediation of Office is to create a network Administrative Installation Package. This administrative installation point will work for Office versions installed from CD as well as those installed from network shares. Be sure you are using the Service Pack Administrative Package. The standard packages will not work. Note: Once this remediation is complete, the Administrative Installation Package MUST remain on the server. The Office installations on the client systems will be mapped to this directory for adding Office components and repairing Office installations. Office 2000 Administrative Installation: 1. Create a network administrative installation point for Microsoft Office. To do this run the setupxxx.exe on the Office CD-ROM file from the command prompt with the following syntax: Setupxxx.exe /a dataxxx.msi. NOTE: Since there are multiple versions of Office 2000, both setupxxx.exe and dataxxx.msi could be named differently. 2. You must supply the CD Key and Company name for the Administrative Installation. This will only need to be used during the Administrative Installation; the client computers will not require the CD Key or Company name for Office Installation or Updates. 15

3. You must accept the licensing agreement for the administrative installation. Check the box to accept the licensing agreement and click Next. 4. Type the path to the share you created in the location box. Click Install Now and allow the administrative installation to complete. 16

17

Office 2000 Service Release / Service Pack Application NOTE: Service Releases / Service Packs for Office 2000 are not always cumulative. Please note any requirements before applying a Service Pack to the installation point. For example, Office 2000 SP3 requires Service Release 1. You must apply the SR-1 package to the installation point before applying the Service Pack. Also note that you must acquire the Administrative Service Pack download. For Service Release 1, the URL to the Administrative Service Release is listed below. Download the Data1.exe file. Do not get the o2ksr1adl.exe download, this is not the complete version of the Service Release. http://download.microsoft.com/download/office2000pro/patch/4.71.1015.sr1/win98mexp/en- US/data1.exe 1. Once the installation is complete, apply any Service Packs to the administrative installation point. 2. Download the appropriate Service Pack Administrative Package and double click it to extract all of the files. 3. Enter the directory where you would like to place the extracted files. This should not be the Administrative Installation point for Office. 4. To Apply the Service Pack to the Administrative Installation Point, run the Microsoft Installer from a Command Prompt as follows: 18

msiexec /p [path to the.msp file in the extracted sp files] /a [path to the.msi file in the administrative installation package] SHORTFILENAMES=TRUE /qb 5. Optionally you may add the parameter /L*v [path\name of log file] to this command to have a log file generated in the location of your choice. NOTE: The default name of the MSP file from Service Release 1 is data1.msp for Office disk 1. 19

6. Close your command prompt and any other open windows. Repeat these steps with SP2/3 as necessary noting dependencies on previous Service Packs. Office XP Administrative Installation 1. Create a network administrative installation point for Microsoft Office. To do this run the setupxxx.exe on the Office CD-ROM from the command prompt with the following syntax: Setupxxx.exe /a xxx.msi NOTE: Since there are multiple versions of Office XP, both setupxxx.exe and xxx.msi could be named differently. Note: It is important that your administrative install point matches the version your script is to remediate. For instance, the corporate version of Office XP Professional can be installed in a variety of MSI versions including pro.msi and proplus.msi pro is professional without Front Page and proplus is with Front Page. Remediation will fail if the administrative install point does not match the version of Microsoft Office installed. 2. You must supply the CD Key, Organization name, and the installation path for the Administrative Installation. This will only need to be used during the Administrative Installation, the client 20

computers will not require the CD Key for Office Installation or Updates. The installation location is the directory you shared for the administrative installation point. 3. You must accept the licensing agreement for the administrative installation. Check the box to accept the licensing agreement and click Install. 21

4. Click Install Now and allow the administrative installation to complete. 22

Office XP Service Pack Application NOTE: Service Packs for Office XP are not cumulative. Please note any requirements before applying a Service Pack to the installation point. For example, Office XP SP2 requires SP1. You must apply the SP1 package to the installation point before applying the Service Pack 2. Be sure you are using the Service Pack Administrative Package. The standard packages will not work. You may download these packages from: http://support.microsoft.com/?kbid=307843 Service Pack 1 http://support.microsoft.com/?kbid=325671 Service Pack 2 1. Once the installation is complete, apply any Service Packs to the administrative installation point. 2. Download the appropriate Service Pack Administrative Package and double click it to extract all of the files. 3. Accept the License Agreement by clicking Yes. 4. Choose a location to place the extracted files. This should not be the same directory as the Administrative Installation Point. 23

5. To Apply the Service Pack to the Administrative Installation Point, run the Microsoft Installer from a Command Prompt, as follows: msiexec /p [path to the.msp file in the service pack extracted files] /a [path to the.msi file in the administrative installation point] SHORTFILENAMES=TRUE /qb 6. Optionally you may add the parameter /L*v [path\name of log file] to this command to have a log file generated in the location of your choice. NOTE: The default name of the MSP file from the Service Pack is MAINSP1_Admin.msp for Office disk 1. 24

7. Close your command prompt and any other open windows. 8. Repeat these steps to apply SP2 or later Service Packs as they become available. Not all Office Service Packs are cumulative. Please note any dependencies before applying a Service Pack to an Administrative Installation Package. Customization and Application of the Remedy The final steps in remediating Office using Hercules is to customize the install script for the Office remedy for each device you wish to remediate. Three different remediation strategies are outlined in this section of the document. Customize a remedy for an individual device this entails creating a custom remedy for each device that requires Office remediation Customize a remedy for a group using policy (recommended) this entails creating a policy containing a custom remedy and applying the policy to groups in Hercules Customize a global remedy for all devices creating a custom remedy to apply to all systems which contain the vulnerability 25

Customize a remedy for an individual device 1. Locate the device you wish to remediate in the Hercules Administrator console. 2. Expand the import sessions under the device and locate an import session (if your list is blank you either need to import scanner data or add the remedy manually). 26

3. Locate an Office Vulnerability in the top pane on the right hand side of the Hercules Administrator Console. 4. In the top pane of the right hand side of the console, right click the Office Vulnerability and choose Add Custom Remedy. 5. In the Add Custom Remedy dialog, select your vulnerability title from the bottom pane and click Finish. This step can take several minutes to complete. 27

6. The remedy should come up already populated with actions. The CommandLineParameter action property is not used by this remedy and is populated with a label to distinguish the Office Versions for each remedy. These actions will only execute if the appropriate version of Office is installed on the client system, so one Office vulnerability can be used to remediate all supported versions of Office. If you do not use one of the versions of Office, it is recommended you delete the unused actions to simplify the remedy. Choose the action you wish to modify. The correct action properties for this action are listed below. Any fields not listed below should be left blank. Command Line Parameter does not matter. This field does not get used by the script, but it is a required field. Repository Path does not really matter. This field does not get used by the script, but it is a required field. Patch type should be Patch if pre-populated. If you are choosing creating your own action from scratch, you must enter the number 6 in this field. Script should be populated with a VB Script to perform the necessary client-side actions to patch the Office installation from the Administrative Installation Point. This script must be updated manually to match your environment. Compliance Script should be populated with a VB Script that verifies the correct version of Office for each action. This ensures that Office 2000 Professional is patched from the Office 2000 Professional Administrative Installation Package and Office XP Standard is patched from the Office XP Standard Administrative Installation Package. 28

7. The values listed below appear in the Script action property and need to be replaced for the remedy to function correctly. These modifications must be done for each action in the remedy, otherwise the remedy will fail. To simplify modifying the script, use a text editor like WordPad to modify the scripts. <<drive letter>> -- Our script needs to temporarily map a drive top the office share. We need an unused drive letter for the systems that will be remediated. <<servername>> -- The name of the system on which the Office share is hosted <<sharename>> -- The name of the share to which we installed the Administrative Installation Point of Office. <<password>> -- The password for the User Account we created for the Office installation. <<useraccount>> -- The name of the user account we created for the Office installation. <<msipkg>> -- The name of the.msi file in the Administrative Installation Package. 8. Once all of these values are replaced, copy the script back into bottom pane of the Custom Remedy Editor dialog and click Apply and Then OK. 9. Now check the Remediation in the middle pane on the right hand side of the Hercules Administrator console. 10. Click the Group of devices that contains your device in the left hand pane of the Hercules Administrator console. Check the box on the right hand side for the device to remediate. 29

11. Your remedy should now begin according to your remediation scheduling. Depending on the version of Windows Installer on the machine and whether the source files are in use, this remedy may spontaneously reboot the client system. This remedy should not be left checked after remediation has completed or the remedy will execute on every remediation. This remedy will not show compliance. Customize a remedy for a group using policy 1. In the left hand pane of the Hercules Admin console, locate the Policies folder. Right Click the Policies folder and choose Add Policy. 2. Name the policy. In the example, the policy is labeled Office Policy. 3. Right click the new policy and choose Add Custom Remedy. This will launch the Add Custom Remedy dialog. 4. In the Name Starts With: field in the dialog, type in a key word to locate the vulnerability with which you wish to associate the remedy and click the Search button. 5. Highlight the vulnerability in the Vulnerabilities: list and click Next. 30

6. Select the Operating System for the remedy. Typically, the Office remedies can use the All Windows property. This will allow the same remedy to apply to any supported Windows OS version without having to create a custom remedy for each flavor of Windows. Then click Finish. 7. The remedy should come up already populated with actions. The CommandLineParameter action property is not used by this remedy and is populated with a label to distinguish the Office Versions for each remedy. These actions will only execute if the appropriate version of Office is installed on the client system, so one Office vulnerability can be used to remediate all supported versions of Office. If you do not use one of the versions of Office, it is recommended you delete the unused actions to simplify the remedy. Choose the action you wish to modify. The correct action properties for this action are listed below. Any fields not listed below should be left blank. 31

Command Line Parameter does not matter. This field does not get used by the script, but it is a required field. Repository Path does not matter. This field does not get used by the script, but it is a required field. Patch type should be Patch if pre-populated. If you are choosing creating your own action from scratch, you must enter the number 6 in this field. Script should be populated with a VB Script to perform the necessary client-side actions to patch the Office installation from the Administrative Installation Point. Compliance Script should be populated with a VB Script that verifies the correct version of Office for each action. This ensures that Office 2000 Professional is patched from the Office 2000 Professional Administrative Installation Package and Office XP Standard is patched from the Office XP Standard Administrative Installation Package. 9. The values listed below appear in the Script action property and need to be replaced for the remedy to function correctly. These modifications must be done for each action in the remedy, otherwise the remedy will fail. To simplify modifying the script, use a text editor like WordPad to modify the scripts by copying the script from the Property value section and pasting it back there. <<drive letter>> -- Our script needs to temporarily map a drive to the office share. We need an unused drive letter for the systems that will be remediated. <<servername>> -- The name of the system on which the Office share is hosted <<sharename>> -- The name of the share to which we installed the Administrative Installation Point of Office. <<password>> -- The password for the User Account we created for the Office installation. 32

<<useraccount>> -- The name of the user account we created for the Office installation. <<msipkg>> -- The name of the.msi file in the Administrative Installation Package. 10. Once all of these values are replaced, copy the script back into bottom pane of the Custom Remedy Editor dialog and click Apply and Then OK. 11. Once the custom remedy is complete for the policy, make sure the vulnerability selected is listed for all devices you wish to remediate. The easiest way to accomplish this is to Add a Vulnerability to Group Devices for each group you wish to remediate. To perform this, right click the group and choose Vulnerability Add a Vulnerability to Group Devices. Choose the same vulnerability that you did when customizing the remedy on the policy. 12. In the left hand pane of the Hercules Administrator console expand the device, expand Import Sessions, and click on the Manually Added Vulnerabilities and check the top pane on the right hand side of the console to verify that the vulnerability has been associated to the devices. 33

13. Apply the policy to the group to remediate. Right click the group in the Hercules Administrator console and click Edit Group. Change the Policy drop down to the policy you created and click OK. 14. For each device, expand Import Sessions on the left side of the console and click Manually Added Vulnerabilities. On the right side of the console in the top pane, click the vulnerability you added to the group. Check the box in the Vulnerability Instances pane to select the remedy. 34

15. Click the group in the left hand pane of the Hercules Administrator Console. In the right hand pane, check all of the systems you wish to remediate. Office should now be remediated according to your remediation schedule. NOTE: Depending on the version of Windows Installer on the machine and whether the source files are in use, this remedy may spontaneously reboot the client system. This remedy should not be left checked after remediation has completed or the remedy will execute on every remediation. This remedy will not show compliance. Customize a global remedy for all devices 1. In the left hand pane of the Hercules Admin console, locate the Global Vulnerabilities folder. Locate the vulnerability in the Vulnerabilities on *ServerName* for which you wish to create a custom remedy. 35

2. Right click the vulnerability in the upper right pane and click Add Custom Remedy. Select the vulnerability from the Vulnerabilities: pane in the Add Custom Remedy dialog and click Next. 3. Select the Operating System for the remedy. Typically, the Office remedies can use the All Windows property. This will allow the same remedy to apply to any supported Windows OS version without having to create a custom remedy for each flavor of Windows. Then click Finish. 36

37

4. The remedy should come up already populated with actions. The CommandLineParameter action property is not used by this remedy and is populated with a label to distinguish the Office Versions for each remedy. These actions will only execute if the appropriate version of Office is installed on the client system, so one Office vulnerability can be used to remediate all supported versions of Office. If you do not use one of the versions of Office, it is recommended you delete the unused actions to simplify the remedy. Choose the action you wish to modify. The correct action properties for this action are listed below. Any fields not listed below should be left blank. Command Line Parameter does not matter. This field does not get used by the script, but it is a required field. Repository Path does not really matter. This field does not get used by the script, but it is a required field. Patch type should be Patch if pre-populated. If you are choosing creating your own action from scratch, you must enter the number 6 in this field. Script should be populated with a VB Script to perform the necessary client-side actions to patch the Office installation from the Administrative Installation Point. Compliance Script should be populated with a VB Script that verifies the correct version of Office for each action. This ensures that Office 2000 Professional is patched from the Office 2000 Professional Administrative Installation Package and Office XP Standard is patched from the Office XP Standard Administrative Installation Package. 38

5. The values listed below appear in the Script action property and need to be replaced for the remedy to function correctly. These modifications must be done for each action in the remedy, otherwise the remedy will fail. To simplify modifying the script, use a text editor like WordPad to modify the scripts. <<drive letter>> -- Our script needs to temporarily map a drive top the office share. We need an unused drive letter for the systems that will be remediated. <<servername>> -- The name of the system on which the Office share is hosted <<sharename>> -- The name of the share to which we installed the Administrative Installation Point of Office. <<password>> -- The password for the User Account we created for the Office installation. <<useraccount>> -- The name of the user account we created for the Office installation. <<msipkg>> -- The name of the.msi file in the Administrative Installation Package. 6. Once all of these values are replaced, copy the script back into bottom pane of the Custom Remedy Editor dialog and click Apply and Then OK. 7. Once the custom remedy is complete for the global vulnerability, make sure the vulnerability is listed for all devices you wish to remediate. The easiest way to accomplish this is to Add a Vulnerability to Group Devices for each group you wish to remediate. To perform this, right click the group and choose Vulnerability Add a Vulnerability to Group Devices. Choose the same vulnerability that you did when customizing the remedy on the global vulnerability. 39

8. For each device, expand Import Sessions on the left side of the console and click Manually Added Vulnerabilities. On the right side of the console in the top pane, click the vulnerability you added to the group. Check the box in the Vulnerability Instances pane to select the remedy. 9. Click the group in the left hand pane of the Hercules Administrator Console. In the right hand pane, check all of the systems you wish to remediate. Office should now be remediated according to your remediation schedule. NOTE: Depending on the version of Windows Installer on the machine and whether the source files are in use, this remedy may spontaneously reboot the client system. This remedy should not be left checked after remediation has completed or the remedy will execute on every remediation. This remedy will not show compliance. Because of this, we recommend that you only use this remedy with the Remediate Once and Stop feature in Hercules. 40