
close
close
advertisment
In this Ask the Admin, I’ll show you how to be sure the source media you use to install software in your business hasn’t been tampered with.
In a previous Ask the Admin, I talked about the clean source principle, which states that a system can be dependent on a higher trust system but not on a lower trust system. Part of implementing the principle is to determine the security dependencies systems have on each other, including servers, users, hardware, and management tools. Server and PC setup starts with the installation source, such as a downloaded file or physical media.
advertisment
If the media used to install or update software has been modified by a malicious actor, then the device on which the software is installed will be compromised from the get-go, along with any systems dependent on it. So, it’s important to understand that installation media is also a security dependency.
Apply the Clean Source Principle to Installation Media (Image Credit: Microsoft)
It’s best practice to validate the integrity of media before it’s used. Once the integrity has been confirmed, the media should be stored in a location that is restricted to systems with the same or higher level of trust as the devices where the software will be installed. For example, application installers should be protected against write access from Internet-connected hosts.
It might seem like overkill but you should check the validity of every installer file you download rather than assuming you have a genuine copy. Files could be downloaded from a site that appears to be the vendor’s but is, in fact, being diverted to a malicious server. This is especially important for mission-critical systems, such as Windows Server.
advertisment
In the steps below, I’ll show you how to generate and compare the hash value of two files. A file’s hash value is a fixed-length number that uniquely identifies the file. You’ll download the file on two separate devices and generate hashes for each file. If the hash value is the same on both files, you can be reasonably sure that the file is genuine.
Generate a Hash Value Using Certutil (Image Credit: Russell Smith)
certutil -hashfile "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"
It might sound like a pain to find two devices connected to different Internet connections but you could download the file at home and work and then compare the hash values.
It’s also worth checking the file’s digital signature. Not all software is digitally signed. But a signed installer package helps you to validate the file’s authenticity and integrity. To check the details of a file’s certificate, download Microsoft’s SysInternals sigcheck command-line tool. The command below will display basic information about the file’s digital signature.
Using SysInternals Sigcheck to View a File’s Digital Signature (Image Credit: Russell Smith)
sigcheck "C:\Users\Public\Downloads\MARSAgentInstaller.EXE"
In this Ask the Admin, I showed you how to check the integrity of installation media using certutil and sigcheck.
More from Russell Smith
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Security
CISA Warns Federal Agencies to Mitigate Critical VMware Vulnerabilities by May 23
May 20, 2022 | Rabia Noureen
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Microsoft's New Security Experts Service Protects Businesses Against Ransomware Attacks
May 9, 2022 | Rabia Noureen
Microsoft, Google, and Apple to Expand Passwordless Login Across All Major Platforms
May 5, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group