Microsoft Windows 7 Enterprise Edition for the United States Army May 2011
DISCLAIMER
The contents of this document and/or media are not to be construed as an official Department of the Army position unless so designated by other authorized documents. The use of trade names in this document and/or media does not constitute an official endorsement or approval of the use of such commercial hardware or software. Do not cite this document for the purpose of advertisement. Do not release to other than the intended recipient(s).
CHANGES
Refer requests for all changes that affect this document to: Director, NETCOM/ESTA, ATTN: NETC-EST-G, Fort Huachuca, AZ 85613-7070.
DISPOSITION INSTRUCTIONS
If this document/media is no longer required then it should be destroyed rather than returned to the issuing organization. Safeguard and/or destroy this document with consideration given to its classification or distribution statement requirements.
ADDITIONAL INFORMATION
For additional information please contact us at: AGM.Support@us.army.mil or 1-800-966-7176 https://www.us.army.mil/suite/page/130061
Army Golden Master AGM Windows 7 10.0.1 Configuration Summary
US Army Field IT Support staff tasked to deploy the AGM Desktop and Laptop standard build products
Page 1 of 16
Configuration Overview
The AGM Windows 7 10.0.1 build does not support an in-place upgrade of an existing platform. It is recommended that the installation process be performed on a new or newly formatted computer. The AGM Windows 7 10.0.1 deployment does not require a pre-existing installation of the Microsoft Windows operating system. All data on the target computer WILL be erased by the AGM Windows 7 10.0.1 installation process. Please ensure that you have taken adequate steps to back up any data on the target computer prior to beginning the build process.
The AGM Windows 7 10.0.1 installation will NOT support multiple-partition hard drive configurations. The AGM Windows 7 10.0.1 custom install.wim is a Sysprep'd image file that contains the Army Windows systems security profile and IAVA hotfixes and patches as of March 2011. The AGM Windows 7 10.0.1 build includes a U.S. Army login desktop background and user icon picture.
Configuration Limitation
The AGM Windows 7 10.0.1 build only includes device drivers available in the default Windows 7 driver stores, and does not include any platform-specific inf or exe device drivers. Hardware device drivers will have to be installed as a post-installation task. The AGM Windows 7 10.0.1 installation reboots several times during the build process with no recursive login built into the scripts to pick up where it left off. If the computer is powered off during the deployment, the process may have to be reinitiated from the beginning.
Security Template
The AGM security template is a single executable file that configures a Desktop or Laptop workstation to the current FDCC and U.S. Army defined security standards.
Operating System
The AGM Windows 7 10.0.1 Install.wim contains the following security configuration settings:
- Configured Windows Firewall
- Computer System Security template
- Apply the MSS Security settings to the System Security configuration
- Apply computer Auditing security rules
- Set the Local Group Policy
- Set the local machine Internet Explorer Trusted Sites list
- Add the AGM Program branding Information
- Install DoD Root Certificates
Configuration (Post Installation Security Install)
Because the custom image file has been prepared with Sysprep, some security settings are configured during deployment. During the first login phase of the AGM Windows 7 deployment, Win7_Post_Inst.EXE is run to configure the following settings:
- Rename the guest account to xGuest
- Set the password restrictions on the administrator and xGuest accounts
- Set the AGM Program support information in favorites in Internet Explorer
- Set the Login Warning Banner
NOTE: The specific security template and local group policy settings that comprise the AGM Windows 7 10.0.1 are documented in a spreadsheet located on the AGM KCC website.
Internet Trusted Sites
The locally defined Internet Trusted Sites list is configured through the Sites to Zone Mapping key within the local group policy.
AGM Trusted Sites List as of: 01 May 2011
*.AFRICOM.MIL *.NGA.MIL *.SKILLSOFT.com https://miap.csd.disa.mil https://web.mail.mil mnf-iraq.com us.army.mil/akoim us.army.mil/armyweb us.army.mil/mes1.dr1 us.army.mil/mes1.ps1 us.army.mil/mes2.dr1 us.army.mil/mes2.ps1 us.army.mil/mes3.dr1 us.army.mil/mes3.ps1 us.army.mil/mes4.dr1 us.army.mil/mes4.ps1 us.army.mil/mes5.dr1 us.army.mil/mes5.ps1 us.army.mil/mes6.dr1 us.army.mil/mes6.ps1 us.army.mil/webmail
Template Version 1.0.1
*.DARPA.MIL *.DAU.MIL *.DC3.MIL *.DCAA.MIL *.DCMA.MIL *.DECA.MIL *.DEFENDAMERICA.MIL *.DEFENSELINK.MIL *.DEPLOYMENTHEALTH.MIL *.DFAS.MIL *.DIA.MIL *.DISA.MIL *.DISAGRID.MIL *.DLA.MIL *.DMSO.MIL *.DOD.MIL *.DODED.MIL *.DODTechnopedia.mil *.DSM.MIL *.DSS.MIL *.DTEPI.MIL
*.JSF.MIL *.JSIMS.MIL *.JTFGNO.MIL *.JWAC.MIL *.KNOWLEDGENET.MIL *.KOREA50.MIL *.MAIL.MIL *.NAVY.MIL *.NEWHORIZONS.COM *.NCSC.MIL *.NIC.MIL *.NIMA.MIL *.NIPR.MIL *.NORAD.MIL *.NORTHCOM.MIL *.NOSC.MIL *.NRO.MIL *.OSD.MIL *.PACOM.MIL *.PCSTRAVEL.MIL *.PDHEALTH.MIL
Release Date: 12/28/2009
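The Trusted Sites mapping described above can be reviewed entry by entry. The following is an added example, not part of the AGM documentation or tooling: it assumes the computer-level policy values live under the standard Site to Zone Assignment List registry location shown below and that zone 2 is Trusted Sites; the function names and finding labels are hypothetical, and the sample entries are constructed from the list above.

```powershell
# Added example (not AGM code). Zone numbers: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
# Assumed location of the computer-level Site to Zone Assignment List policy values:
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMapEntries {
    # Hypothetical helper: value name = site pattern, value data = zone number.
    param([string]$Path = $PolicyKey)
    $map = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $map[$name] = [string]$key.GetValue($name) }
    }
    return $map
}

function Test-TrustedSiteEntry {
    # Hypothetical helper: flags Trusted-zone entries worth a reviewer's attention.
    param([hashtable]$Entries)
    foreach ($site in ($Entries.Keys | Sort-Object)) {
        if ($Entries[$site] -ne '2') { continue }            # Trusted Sites only
        $findings = @()
        if ($site -notmatch '^[a-z][a-z0-9+.-]*://') { $findings += 'no-scheme' }  # not limited to one protocol
        elseif ($site -notmatch '^https://')         { $findings += 'not-https' }
        if ($site -match '^\*\.|://\*\.')            { $findings += 'wildcard' }   # covers every subdomain
        $hostPart = $site -replace '^[a-z][a-z0-9+.-]*://', ''
        if ($hostPart -match '/')                    { $findings += 'has-path' }   # entry carries a URL path
        if ($hostPart -notmatch '\.mil(/|$)')        { $findings += 'non-mil' }    # outside the .mil namespace
        New-Object PSObject -Property @{ Site = $site; Findings = ($findings -join ',') } |
            Select-Object Site, Findings
    }
}

# Constructed sample: a few entries from the list above, all mapped to zone 2.
$sample = @{
    '*.DISA.MIL'           = '2'
    '*.SKILLSOFT.com'      = '2'
    'https://web.mail.mil' = '2'
    'mnf-iraq.com'         = '2'
    'us.army.mil/webmail'  = '2'
}
Test-TrustedSiteEntry -Entries $sample | Format-Table -AutoSize

# On a deployed workstation:
# Test-TrustedSiteEntry -Entries (Get-ZoneMapEntries) | Where-Object { $_.Findings }
```

Entries that come back with an empty Findings column are scheme-qualified HTTPS hosts under .mil; everything else is a candidate for tightening when the list is next revised.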
IAVA / Security Vulnerability Hotfixes
The AGM Windows 7 10.0.1 Desktop workstation build applies Microsoft security vulnerability hotfix files for Microsoft Windows 7 Enterprise as of 12 April 2011. They are described below:
| Release Date | Title | Description | Severity |
| --- | --- | --- | --- |
| October 13, 2009 | MS09-054 974455 | Cumulative Security Update for Internet Explorer | |
| October 13, 2009 | MS09-055 973525 | Cumulative Security Update of ActiveX Kill Bits | |
| October 13, 2009 | MS09-056 974571 | Vulnerabilities in Windows CryptoAPI Could Allow Spoofing | Important |
| October 13, 2009 | MS09-059 975467 | Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service | Important |
| December 8, 2009 | MS09-072 976325 | Cumulative Security Update for Internet Explorer | Critical |
| | | Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution | |
| | | Vulnerabilities in Internet Explorer Could Allow Remote Code Execution (Supersedes MS09-072) | Critical |
| February 9, 2010 | MS10-006 978251 | Vulnerabilities in SMB Client Could Allow Remote Code Execution (Supersedes MS08-068) | Critical |
| | MS10-008 978262 | Cumulative Security Update of ActiveX Kill Bits (Supersedes MS09-055) | Moderate |
| | MS10-012 971468 | Vulnerabilities in SMB Server Could Allow Remote Code Execution (Supersedes MS09-001) | Important |
| February 9, 2010 | MS10-013 977914,975560 | Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (Supersedes MS09-038, MS09-028) | Critical |
| February 9, 2010 | MS10-015 977165 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Supersedes MS09-058) | Important |
| | MS10-018 880182 | Cumulative Security Update for Internet Explorer (Supersedes MS10-002) | Critical |
| | MS10-019 981210 | Vulnerabilities in Windows Could Allow Remote Code Execution | Critical |
| | MS10-020 980232 | Vulnerabilities in SMB Client Could Allow Remote Code Execution (Supersedes MS10-006) | Critical |
| | | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Supersedes MS10-015) | |
| | MS10-022 981169 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution | Important |
| | MS10-030 978542 | Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (Supersedes MS08-048, MS09-037) | Critical |
| June 8, 2010 | MS10-032 979559 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Supersedes MS09-065) | Important |
| June 8, 2010 | MS10-033 979482 | Vulnerability in Media Decompression Could Allow Remote Code Execution | Critical |
| | MS10-034 980195 | Security Update for ActiveX Kill Bits (Supersedes MS10-008) | Critical |
| | MS10-035 982381 | Cumulative Security Update for Internet Explorer (Supersedes MS10-018) | Critical |
| June 8, 2010 | MS10-037 980218 | Vulnerability in OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege | Important |
| June 8, 2010 | MS10-041 982865, 979909 | Vulnerability in Microsoft .NET Framework Could Allow Tampering | Important |
| | KB977074 | Reliability Update | |
| | MS10-046 2286198 | Vulnerability in Windows Shell Could Allow Remote Code Execution | Critical |
| | | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Supersedes MS10-021) | |
| | MS10-048 2160329 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Supersedes MS10-032) | Important |
| | MS10-049 980436 | Vulnerabilities in SChannel Could Allow Remote Code Execution | Important |
| | MS10-051 2079403 | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (Supersedes MS08-069) | Critical |
| | MS10-054 982214 | Vulnerabilities in SMB Server Could Allow Remote Code Execution (Supersedes MS10-012) | Critical |
| August 10, 2010 | MS10-055 982665 | Vulnerability in Cinepak Codec Could Allow Remote Code Execution | Critical |
| August 10, 2010 | MS10-058 978886 | Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (Supersedes MS10-029) | Important |
| August 10, 2010 | MS10-059 982799 | Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege | Important |
| August 10, 2010 | MS10-060 2265906 | Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (Supersedes MS09-061) | Critical |
| | MS10-061 2347290 | Vulnerability in Print Spooler Service Could Allow Remote Code Execution | Important |
| | | Vulnerability in ASP.NET Could Allow Information Disclosure | |
| | MS10-071 2360131 | Cumulative Security Update for Internet Explorer | |
| | MS10-073 981957 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Supersedes MS10-048) | |
| October 12, 2010 | MS10-074 2387149 | Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution | Moderate |
| October 12, 2010 | MS10-075 2281679 | Vulnerability in Media Player Network Sharing Service Could Cause Remote Code Execution | Critical |
| October 12, 2010 | MS10-076 982132 | Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution | Critical |
| October 12, 2010 | MS10-078 2279986 | Vulnerability in the OpenType Font Format (OTF) Driver Could Allow Elevation of Privilege | Important |
| October 12, 2010 | MS10-081 2296011 | Vulnerability in Windows Common Control Library Could Allow Remote Code Execution | Important |
| October 12, 2010 | MS10-082 2378111 | Vulnerability in Windows Media Player Could Allow Remote Code Execution | Important |
| October 12, 2010 | MS10-083 979688 | Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution | Important |
| | MS10-085 2207566 | Vulnerabilities in SChannel Could Allow Denial of Service (Supersedes MS10-049) | Important |
| | MS10-091 2296199 | Vulnerabilities in the OpenType Font (OTF) Driver Could Allow | Critical |
| | MS10-092 2279986 | | Important |
| | MS10-095 2385678 | | Important |
| | MS10-096 2423089 | | Important |
| | MS10-098 2436673 | | Important |
| | MS10-100 2242962 | | Important |
| | MS11-002 2451910 | | Critical |
| | MS11-003 2416400 | | Critical |
| | MS11-007 2485376 | | Critical |
| February 8, 2011 | MS11-009 2475792 | | Important |
| February 8, 2011 | MS11-011 2393082 | | Important |
| | | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | |
| | MS11-013 2496930 | Vulnerabilities in Kerberos Could Allow Elevation of Privilege | Important |
| | MS11-015 2479943 | Vulnerabilities in Windows Media Could Allow Remote Code Execution | Critical |
| March 8, 2011 | MS11-017 2483614 | Vulnerability in Remote Desktop Client Could Allow Remote Code Execution | Important |
| April 12, 2011 | MS11-018 KB2497640 | Vulnerabilities in Internet Explorer | |
| April 12, 2011 | MS11-019 KB2511455 | Vulnerability in Microsoft Windows | |
| April 12, 2011 | MS11-020 KB2508429 | Vulnerability in Microsoft Windows | |
| April 12, 2011 | MS11-024 KB2506212,KB2491683 | Vulnerabilities in Microsoft Windows | |

In addition to the Windows 7 system security vulnerability hotfix files, the AGM Windows 7 10.0.1 Desktop build also includes additional hotfix files to address specific operational concerns in Microsoft Office System 2007 SP2. The additional hotfixes are configured as of 12 April 2011 and are described below.
| Release Date | Title | Description | Severity |
| --- | --- | --- | --- |
| October 13, 2009 | MS09-060 973965,973709 | Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution | Critical |
| October 13, 2009 | MS09-062 972581 | Vulnerabilities in GDI+ Could Allow Remote Code Execution | Critical |
| | | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution | |
| | MS10-017 980150, 978380, 978382 | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution | |
| | MS10-023 980470 | Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160) | Important |
| | MS10-031 976321 | Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (Supersedes MS08-013, MS06-47) | Important |
| June 8, 2010 | MS10-036 983235 | Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (Supersedes MS08-055, MS10-017, MS09-017, MS10-023, MS10-027) | Important |
| June 8, 2010 | MS10-038 982331 | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (Supersedes MS10-017) | Important |
| | MS10-044 979440 | Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution | Critical |
| | MS10-045 980376 | Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Supersedes MS09-060) | Important |
| | MS10-056 2269638 | Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (Supersedes MS09-027 and MS10-036) | Critical |
| | MS10-063 2288621 | Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution | Important |
| | MS10-064 2288953 | Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (Supersedes MS10-045) | Important |
| | MS10-079 2345043, 2344993 | | |
| | MS10-080 2345035, 2344875, 2345088, 2345015 | | |
| November 9, 2010 | MS10-087 2289158 | | Critical |
| November 9, 2010 | MS10-088 2413381 | | Important |
| December 14, 2010 | MS10-103 2292970 | | Important |
| December 14, 2010 | MS10-105 2455005 | | Important |
| April 12, 2011 | MS11-021 2464583 | | |
| April 12, 2011 | MS11-021 2466156 | | |
| April 12, 2011 | MS11-022 2464594 | | |
| April 12, 2011 | MS11-022 2464623 | | |
| April 12, 2011 | MS11-023 2509488 | | |