How to configure Windows Installer for maximum security (247528)


The information in this article applies to:

  • Microsoft Windows Installer 1.0
  • Microsoft Windows Installer 1.1
  • Microsoft Windows Installer 1.2
This article was previously published under Q247528
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes the available system policies that can be configured to get the maximum security level for Windows Installer.

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The following tables list user and machine policies that can be configured to get the maximum security level for the Windows Installer.

The following machine policies are configured under HKEY_LOCAL_MACHINE\Software\Polices\Microsoft\Windows\Installer.

Value nameDescriptionMaximum security setting
AlwaysInstallElevated (per-machine)If this value is set to "1" and the corresponding user value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for nonmanaged applications.Do not set this value.
AllowLockdownBrowseIf this policy value is set to "1", nonadministrator users can browse for new sources while running an installation at elevated privileges. Otherwise only administrators can browse for sources during an elevated installation.Do not set this value.
AllowLockdownMediaIf this policy value is set to "1", nonadministrator users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. Otherwise only administrators can use media sources during an elevated installation.Do not set this value.
AllowLockdownPatchIf this policy value is set to "1", nonadministrator users can apply Windows Installer patches to existing products while running an installation at elevated privileges. Otherwise only administrators can patch existing products that were installed at elevated privileges.Do not set this value.
DisableBrowseIf this value exists and is set to "1", users are prevented from browsing to locate installer sources. The Use feature from: combo box for direct input is locked and the Browse button is disabled.Set this value to "1".
DisableMSIIf this value is set to "1", the installer is disabled for nonmanaged applications but is still enabled for managed applications. If this value is set to "0", any other number, or is absent, the installer is always enabled.Set this value to "1".
DisablePatchIf this value is set to "1" the installer does not apply patches.Set this value to "1".
EnableUserControlIf this value is set to "1", then the installer can pass all public properties to the server side during a managed installation.Do not set this value.
SafeForScriptingIf this value is set to "1", users are not prompted when scripts use installer automation within a Web page.Do not set this value.
TransformsSecureSetting the TransformsSecure policy to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access.Set this value to "1".


The following user policies are configured under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer.

Value nameDescriptionMaximum security setting
AlwaysInstallElevated (per-user)If this value is set to "1" and the corresponding machine value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for nonmanaged applications.Do not set this value.
DisableMediaIf this policy value is set to "1", users and administrators are prevented from using media sources, such as CD-ROMs, for installations regardless of whether the installation is with elevated privileges.Set this value to "1".

An administrator can also use the Group Policy Editor (GPR) on Windows 2000 or the System Policy Editor on Windows 95, Windows 98, and Windows NT to configure the installation behavior of the Windows Installer. An administrator can configure the policies for all users of a computer, or all members of a group on the computer.

Also the LockPermissions table can be used to secure individual portions of your application in a locked-down environment. It can be used with the installation of files, registry keys, and created folders. If the folder, file, or registry key already exists, any access control lists (ACLs) are replaced by the entries in this table.

Note Machine information should be stored in HKLM, which is secure if good practices are followed. User information should be located in HKCU. The Windows Installer normally runs in the user context. The special case is managed/elevated installations that can run as "local system".

The user context generally cannot modify keys in HKLM. The user context generally cannot modify the keys under HKCU\Software\policies, so you should be logged on as a user with administrator rights to modify the policy settings under HKCU.

REFERENCES

For additional information on the LockPermission table and system policy, see Help in Windows Installer SDK:

http://msdn.microsoft.com/downloads/default.asp?URL=/code/sample.asp?url=/MSDN-FILES/027/001/457/msdncompositedoc.xml

Modification Type:MinorLast Reviewed:9/28/2004
Keywords:kbFAQ kbhowto kbMSIFAQ KB247528 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.