Windows Server Default Configuration Procedure

OWNER: DRAFT OWNER: SUBJECT:

Document Number:

REVISION:

Window O/S Configuration Procedure

DATE ISSUED/REVISED:

0
PAGE:

Page 1 of 14

1.0 2.0 3.0 4.0

Contents PURPOSE/INTENT.... SCOPE. PROCEDURE.......................................................... MANAGEMENT APPROVAL...

Page 1 2 2-14 14

1.0

PURPOSE/INTENT The purpose of this procedure is to provide the Information Technology Group standardized instructions on how to configure Microsoft Windows 2000 and Windows 2003 Operating Systems.

2.0

SCOPE This procedure applies to all Microsoft Windows servers managed directly by the Information Technology Group.

3.0

PROCEDURE

Server Inventory Information

A new Server worksheet is to be completed for the new server within a new or existing Server Documentation Workbook (See Systems & Networks Documentation Policy)

Change Control
Submit Change control to add server to the data center

Update Server Firmware and Bios

Use the IBM Driver website or the latest IBM UpdateXpress CD to detect the current level of system and subsystem firmware. Upgrade the BIOS, diagnostics, systems management processors, ServeRAID, tape drives, and hard disk drives.

Please preface all Control Points with a ^ symbol.

Confidential

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 2 of 10

Revision: 0

Drive Configuration

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 3 of 10

Revision: 0

Windows Server Setup

Use the IBM Server Configuration CD and the Windows Server CD with the latest service pack slip streamed to install the NOS and drivers on the server. Primary partition size for Operating System installation varies per server. Please see the Drive Configuration section for more detail Format the partition using the NTFS file system Install Windows Server to the default directory o Windows 2000 C:\WINNT o Windows 2003 C:\Windows Personalize Your Software o Name {Your Company Name} o Organization {YOUR COMPANY NAME} Licensing Modes o Per Seat , Per Device or Per User - each computer must have its own Client Access License Computer Name (See Server Standard Naming Convention Document) Password o Use the current local administrator password. Components o This section applies during the install of Windows 2000 Server Only o Accessories and Utilities Accessibility Wizard Uncheck Accessories Check Communications Uncheck Games Uncheck Multimedia Uncheck o Indexing Service Uncheck o Internet Information Server Uncheck o Management and Monitoring Tools Check Network Monitoring Tools Check o Script Debugger Uncheck o Terminal Services Client Creator Files Uncheck Enable Terminal Services Check Terminal Services Setup o Remote Administration Mode o Some application servers need to run in Application Server Mode Networking Settings o ALL SERVERS HAVE A STATIC ADDRESS Join Workgroup (This will be changed later) Reboot

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 4 of 10

Revision: 0

Update Windows Drivers

Using the IBM Drivers website or the latest IBM UpdateExpress CD now will detect the current level of device drivers and upgrade them. SCSI controllers, Ethernet controllers, video controllers, systems management processors, ServeRAID

Stop and Disable unnecessary services

Alerter Automatic Updates Clipbook Computer Browser o Domain Controllers have this service on o Remote sites with no DC must have at least one server with this service on Distributed File System Distributed Link Tracking Client Distributed Link Tracking Server Fax Service Internet Connection Sharing IPSEC Services License Logging Service Messenger Netmeeting Remote Desktop Sharing Network DDE Network DSDM Network Location Awareness (Windows 2003 Only) Print Spooler o Only Turn this off if the server will not be a print server o Metaframe servers need this on Telnet Wireless Configuration (Windows 2003 Only)

Install Windows Server Recovery Console

Insert the Windows Server CD you used to install the Operating System Go to Start Run Type X:\I386\WINNT32.exe /cmdcons (x = cd drive letter)

Install Symantec Antivirus Corporate Edition

Install the latest Symantec AntiVirus CLIENT version. See the Symantec AntiVirus Configuration document.

Audit Settings
MMC -> Local Security Policy
Policy Audit Account Logon Events Audit Account Management Audit Directory Services Access Audit Logon Events Windows Server 2000 & 2003 Success X X X Failure X X X X

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 5 of 10

Revision: 0

Audit Object Access Audit Policy Change Audit Privilege Use Audit Process Tracking Audit System Events User Manager for Domains -> Policies ->Audit Windows NT 4.0 Policy Logon and Logoff File and Object Access Use of User Rights User and Group Management Security Policy Changes Restart, Shutdown, and System Process Tracking

X X X

X X X X X

Success X X X X X

Failure X X X X X X X

Log Settings
On both Windows 2000 and Windows NT 4.0 the log settings shown below can be set using the Event Viewer application. Application Log Maximum Log Size When Maximum Log size is reached: Security Log Maximum Log Size When Maximum Log size is reached: System Log Maximum Log Size When Maximum Log size is reached:

30720 KB* Overwrite events as needed 30720 KB* Overwrite events as needed 30720 KB* Overwrite events as needed

* - Older NT based systems lacking disk space may be set as appropriate. Maximum log size must be no less than 1024 KB on any system. Miscellaneous Log Related Settings Printers Folder -> File -> Server Properties -> Advanced Tab Uncheck Log Spooler Information Events and Notify when remote documents are printed

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 6 of 10

Revision: 0

Account Rights & Privileges

1. Domain and Local Administrator account passwords are never to be given to anyone outside of {Your Company Name} Information Technology Group. 2. Field users are never to be a member of the Domain Admin or any Administrators group. If these rights are needed, they are supplied through site administrator credentials to be supplied to the appropriate personnel at the facility. 3. All passwords for the Domain Admin, all Local administrators, and the SiteAdmin account are to be documented and provided to the Manager of Network Services. Any changes to the above passwords are to be documented and provided to the Manager of Network Services on a timely basis. 4. The built-in Administrator account is to be renamed to ITADMIN and a new account created with the name Administrator. The newly created Administrator account is to be given only guest privileges. 5. Verify NetAdmin account exists. (DO NOT MODIFY IF IT DOES) If it does not exist, create it in the local SAM context with the following properties and email an account creation notice to corporate. a. Username: NetAdmin b. Full Name: *** DO NOT TOUCH *** c. Description: Corporate Network Administrator Account d. Password: temppassword e. Set Password Never Expires right f. Group Membership: Domain\Domain Admins, Domain\Administrators, Server\Administrators (Set primary group to Domain Admins) g. No profile or login script should be assigned 6. Service Accounts should be created for servers required to be logged in with specific credentials and/or rights (e.g. ABC_SERVICE account for ABC Application) or for the purpose of running an application service with a specific identity and/or rights (e.g. Inventory App COM object or BackupExec Service) subject to the following parameters: a. The Service account should be created locally on the server (local SAM) for which it will be used and given ONLY the necessary rights on that server (i.e. Logon as a service, Administrator group membership, etc.) to perform the function for which it had been created. b. The Service Account should have a descriptive user name associating it with the service and/or application for which it will be used. c. The service account must have a unique password and the password must never be identical or similar to the user name d. If domain-based resources are to be accessed, a matching account can be created on the domain (same user name and password), however, the account should be given no more rights on the domain than a generic user. (i.e. Domain Users group, resource specific groups, etc.)

Security Settings
General Security Settings
1. All servers capable of such must display the warning banner as approved by the {YOUR COMPANY NAME} Legal department. Verbiage is provided here: a. Caption is **** WARNING **** b. Text is This is a privately owned system and is not for public use or access. Access is restricted to authorized personnel only. 2. A Screen Saver (or some other software mechanism) should be configured on the server to automatically lock the workstation after no more than 10 minutes. 3. All Windows Servers must comply with the {YOUR COMPANY NAME} Antivirus Policy. Virus definition files must be centrally managed. Real time file system protection must be enabled. Complete scans must be completed weekly. Any deviation from the {YOUR COMPANY NAME} Antivirus Policy must be approved by IT Management.

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 7 of 10

Revision: 0

4. All unnecessary services and applications (e.g. IIS, FTP, SMTP, TFTP servers) should be un-installed from the server. If un-installation is not possible, the service and/or application should be disabled from use and all capabilities of launching automatically be disabled or removed.

Install all available Windows Server Service Packs and Critical Updates
Windows NT 4.0 o Service Pack 6a o All Post-SP6a hotfixes Windows 2000 o Service Pack 4 o All Post-SP4 hotfixes Windows 2003 o Service Pack 2 o All Post-SP2 hotfixes

Network Configuration
Configure Network Adapter o Advanced Tab Link Speed & Duplex Auto Detect Power Management Disable Network Connection Properties o Check the Show icon in taskbar when connected check box o Internet Protocol (TCP/IP) - This information varies per site. IP Address Subnet Mask Default Gateway DNS Servers DNS 1 DNS 2 The Domain Suffix will be filled in when you join the domain. Wins Servers Local WINS Server IP Address First WINS 1 WINS 2 Uncheck Enable LMHOSTS lookup Enable NetBIOS over TCP/IP

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 8 of 10

Revision: 0

Join Active Directory Domain

System Properties o Computer Name Create computer account in AD in relevant OU Change member of domain to {Your Company Name}.com Provide Credentials that have permissions to join computers to the target domain Reboot

Install ServeRAID Manager Software

Install the ServeRaid Manager Do not Install as a service Destination Folder Accept Default

Install Windows Server Resource Kit

Windows 2000 o Typical Install o Do Not install ActivePerl Windows 2003 o Select All Defaults

Install Veritas BackupExec Backup Software

Install from the latest media purchased with the server. Configure according to the Backup & Disaster Recovery Policy

Local Security Policy

Windows 2000 o Local Policies Security Options Additional restrictions for Anonymous Connections o No Access without explicit anonymous permissions o Domain Controllers need to be set to Relay of Default Permissions LAN Manager Authentication o Send LM & NTLM use NTLM2 session security if negotiated Enable Digitally Sign Server Communication (when possible) Windows 2003 o Local Policies Security Options Network Access o Enable Do not allow Anonymous Enumeration of Sam Accounts and Shares o Domain Controllers Disable Do not allow Anonymous Enumeration of Sam Accounts and Shares Disable Do not allow Anonymous Enumeration of Sam Accounts System Settings o Optional Subsystems Delete Posix

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 9 of 10

Revision: 0

Post Software Install Configurations

Device Manager Make sure there are no errors in the device manager. Install drivers as necessary to correct any issues Edit Boot.ini o /3gb switch Use only if you have 3gb of memory and are using Advanced Server http://support.microsoft.com/default.aspx?scid=kb;en-us;328882

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect /3GB o Reset boot.ini to Read-Only when done Configure Print Server Properties o Un-check Log Spooler Information Events o Un-check Notify when remote documents are printed Terminal Services Configuration o Sessions End Disconnected session 5 min Idle Session Limit 2 hours. o Client Settings Connection Uncheck Use connection settings from user settings Uncheck Connect client drives at logon Uncheck Connect client printers at logon Uncheck Default to main client printer Disable the Following Check Drive Mapping Check Windows Printer Mapping LPT Port Mapping COM port mapping Clipboard Mapping Audio Mapping o Network Adapter Set to main production adapter o Server Settings Disable Active Desktop Check Restrict each user to one session System Properties o Remote Check Allow users to connect remotely o Advanced Startup and Recovery Time to display list of operating systems 5 seconds Add/Remove Windows Components Windows 2003 Only o Accessories and Utilities Uncheck Accessibility Wizard Uncheck Communitcations o Management and Monitoring Tools Check Network Monitor Tools Disk Performance Windows 2000 Only o Open a command prompt o Type Diskperf y

Windows Server Default Configuration Procedure

Document Number:

Page No: Page 10 of 10

Revision: 0

Reboot

Applications & Services Installation Procedures

If this server is to host the WINS name resolution service, please follow the WINS Configuration Procedure document. If SQL server is being installed on this server, please follow the SQL Server 2000 Configuration Procedure document. If this server is to be an SMTP relay or utilize the SMTP service for a hosted application, please follow the SMTP Configuration document.

4.0 APPROVAL

6.0 APPROVAL SIGN-OFF Role

Owner Reviewed by Reviewed by Reviewed by Approved by

Responsibility
Correctness and completeness Review of correctness and completeness Review of correctness and completeness Review of correctness and completeness Adoption of policy within department

Name/Function