Ghosting

Many readers gave us feedback regarding the last issue on Ghost, and mentioned the downside. Microsoft also sent me their official position; here it is:

"Microsoft provides several methods for the proper deployment of the Windows NT operating system. The use of a supported method is very important to ensuring the security of the systems running Windows NT is not compromised.

There is a reason you can't just copy the hard disk from one computer to another to deploy Windows NT. One of the important features of Windows NT is its security. Each computer is assigned a unique Security ID (SID) during Setup at the time the machine name is entered; this ensures that it can be identified on the network. Almost all of the network services have this security information encoded in their entries in the registry during Setup or subsequent installation. Simply copying the contents of one hard disk to another would give each computer the same SID, making security impossible to maintain.

More Information

When a computer is installed, it is given a SID. For a Windows NT Workstation, Windows NT Member server, or a Windows NT primary domain controller (PDC), that SID is computed to contain a statistically unique 96-bit number. For a Windows NT backup domain controller (BDC), that SID is identical to the SID of the PDC for the domain.

The primary SID is generated during the installation of Windows NT and is the prefix of the SIDs for all the user accounts and group accounts created on the computer. The SID is concatenated with the RID of the account to create the account's unique identifier.

So, if two workstations have the same primary SID, the first user account generated (and so forth) on each workstation is the same because the SID on both computers is the same.

Here is what happens when the SID is created. When you install Windows NT, Setup creates a unique SID for that computer and uses this SID as a prefix for all local machine accounts. This can be seen by using Regedt32.exe to view the local user's SID. If you create several local accounts you will see the SID for that account when logging on as that user.

HKEY_USERS on Local Machine

Example:

S-1-5-21-191058668-193157475-1542849698-500 administrator

S-1-5-21-191058668-193157475-1542849698-1000 User one

S-1-5-21-191058668-193157475-1542849698-1001 User two

S-1-5-21-191058668-193157475-1542849698-1002 User three

Notice that only the last four digits are incremented as new accounts are added. The implication of this for Workgroup security is that local users have rights on other computers according to the order in which the account was created. Additionally, the impact on file ownership for shared/removable media will be compromised and would make security unmanageable.

The "after GUI replication" method is unsupported because of the security, resource ownership and unmanageability implications.

Because the SID identifies the computer or domain as well as the user, it is critical that it be unique to maintain support for current and future applications.

Microsoft Policy Statement

Microsoft does not provide support for systems that have been installed by duplicating fully installed copies of either Windows NT Workstation, Server or Windows 95. Microsoft supports using disk duplication as a method of distribution for Windows NT 4.0 if the disk is duplicated at the point in the Windows NT 4.0 setup process after the second reboot and before the graphical mode portion of Windows NT 4.0 setup.

Clarification

Essentially, this duplication consists of 'XCOPY' of the entire tree structure after Windows NT has been installed, affecting security, hardware and other areas of the product. More technical details below. Windows NT 3.51 CPS and Windows NT 4.0 Deployment Tools, while unattended, are not simple copies and do configure the operating system correctly.

REFERENCE

The Microsoft Knowledge Base provides a variety of articles that outline specifications and how-to information for the proper deployment of Windows NT.

The Windows NT 4.0 Workstation Resource Kit provides documentation on the deployment procedures for Windows NT 4.0.

Consult the Computer Profile Setup documentation in the Windows NT 3.5 and Windows NT 3.51 Resource Kits on deployment utilities."
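As an added example that is not part of Microsoft's statement or of this newsletter: the script below splits account SIDs of the form shown above into the machine prefix (the three subauthorities after 21) and the RID, then checks a constructed inventory of hostnames and their local account SIDs for hosts that share a machine prefix, which is exactly what a post-setup disk copy produces. The hostnames and SID values are made up for the example.

```python
from collections import defaultdict

# Constructed sample inventory (hostname -> local account SIDs as seen under
# HKEY_USERS). WS3 was imaged from WS1 after setup, so it carries WS1's
# machine SID prefix; WS2 was installed normally. All values are invented.
INVENTORY = {
    "WS1": ["S-1-5-21-191058668-193157475-1542849698-500",
            "S-1-5-21-191058668-193157475-1542849698-1000"],
    "WS2": ["S-1-5-21-1234567890-987654321-1122334455-500",
            "S-1-5-21-1234567890-987654321-1122334455-1000"],
    "WS3": ["S-1-5-21-191058668-193157475-1542849698-500",
            "S-1-5-21-191058668-193157475-1542849698-1000"],
}


def parse_sid(sid):
    """Split a textual SID 'S-1-<authority>-<sub>-...' into
    (identifier authority, list of subauthorities)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def machine_prefix_and_rid(sid):
    """For an NT account SID S-1-5-21-<a>-<b>-<c>-<RID>, return the machine
    (or domain) prefix string and the RID. The prefix is the statistically
    unique value Setup generates; the RID is appended per account."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a machine/domain account SID: {sid}")
    prefix = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
    return prefix, subs[4]


def find_cloned_machines(inventory):
    """Return {prefix: [hosts]} for every machine prefix used by more than
    one host. Such hosts have identical account SIDs (same prefix + same
    RID), so their 'User one' accounts are the same identity on the network."""
    hosts_by_prefix = defaultdict(set)
    for host, sids in inventory.items():
        for sid in sids:
            prefix, _rid = machine_prefix_and_rid(sid)
            hosts_by_prefix[prefix].add(host)
    return {p: sorted(h) for p, h in hosts_by_prefix.items() if len(h) > 1}


if __name__ == "__main__":
    for prefix, hosts in find_cloned_machines(INVENTORY).items():
        print(f"duplicate machine SID {prefix} on hosts: {', '.join(hosts)}")
```

Fed a real export of per-host SIDs, the same check flags which machines were deployed by copying a finished installation and therefore need to be rebuilt with a supported method.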