Validate the Integrity of Installation Media


In this Ask the Admin, I’ll show you how to be sure the source media you use to install software in your business hasn’t been tampered with.


Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.


In a previous Ask the Admin, I talked about the clean source principle, which states that a system can be dependent on a higher trust system but not on a lower trust system. Part of implementing the principle is to determine the security dependencies systems have on each other, including servers, users, hardware, and management tools. Server and PC setup starts with the installation source, such as a downloaded file or physical media.

If the media used to install or update software has been modified by a malicious actor, then the device on which the software is installed will be compromised from the get-go, along with any systems dependent on it. So, it’s important to understand that installation media is also a security dependency.

Apply the clean source principle to installation media (Image Credit: Microsoft)
Apply the Clean Source Principle to Installation Media (Image Credit: Microsoft)

It’s best practice to validate the integrity of media before it’s used. Once the integrity has been confirmed, the media should be stored in a location that is restricted to systems with the same or higher level of trust as the devices where the software will be installed. For example, application installers should be protected against write access from Internet-connected hosts.


Certutil and Sigcheck

It might seem like overkill but you should check the validity of every installer file you download rather than assuming you have a genuine copy. Files could be downloaded from a site that appears to be the vendor’s but is, in fact, being diverted to a malicious server. This is especially important for mission-critical systems, such as Windows Server.

In the steps below, I’ll show you how to generate and compare the hash value of two files. A file’s hash value is a fixed-length number that uniquely identifies the file. You’ll download the file on two separate devices and generate hashes for each file. If the hash value is the same on both files, you can be reasonably sure that the file is genuine.

Generate a hash value using certutil (Image Credit: Russell Smith)
Generate a Hash Value Using Certutil (Image Credit: Russell Smith)
  1. Download the installer file on two separate devices that are isolated from each other. I.e. it is not connected to the same network or part of the same workgroup or domain. The devices should be connected to different Internet connections.
  2. Use certutil, a command-line tool built into Windows, to generate a hash for the file on both devices.

certutil -hashfile "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"

It might sound like a pain to find two devices connected to different Internet connections but you could download the file at home and work and then compare the hash values.

It’s also worth checking the file’s digital signature. Not all software is digitally signed. But a signed installer package helps you to validate the file’s authenticity and integrity. To check the details of a file’s certificate, download Microsoft’s SysInternals sigcheck command-line tool. The command below will display basic information about the file’s digital signature.

Using SysInternals sigcheck to view a file's digital signature (Image Credit: Russell Smith)
Using SysInternals Sigcheck to View a File’s Digital Signature (Image Credit: Russell Smith)

sigcheck "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"


In this Ask the Admin, I showed you how to check the integrity of installation media using certutil and sigcheck.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: