IIS 5.0 and Windows 2000 Hardening Guide
Contents
Overview
Instructions
Initial OS Config & Installation
Encryption & Patches
SSHD for NT Remote Mgmt
Media Configuration
Running IIS Lockdown and URLScan
Services
Terminal Service Configuration
IIS 5.0 Configuration
High Security Webserver App.
User Acct & ACL Modification
Firewall ACL
Additional Resources
Revision History

Overview

This document is applicable ONLY to Windows 2000 running IIS 5.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality.

NOTE: You should do all of this with your PC unplugged from the network. Create a CD with the needed files.

Instructions

Follow these steps in order. You may print this procedure and check off each step as it is completed. These steps are not a guide but the minimum requirements for DMZ deployment. Any deviation from this process may negate its usefulness.

Initial OS Configuration and Installation

Check
Step
1.0 Boot up Windows 2000 CD-ROM to begin installation and configuration.

1.1 The Welcome to Setup screen appears. Press Enter to continue.

1.2 Press F8 to accept the End User License Agreement (EULA).

Note: Install only one instance of the operating system. If you need to get onto the server through another instance, install it only when needed and delete it afterwards. If any previous operating system versions are present, remove them by deleting their partitions, then repartition.

2.0 Choose your OS partition for installation then choose NTFS for format. Reserve a separate minimum 4 GB partition for the OS (more is better).
3.0 Choose regional settings as appropriate.

3.1 Type in name and organization.

3.2 Choose Per Seat License.

4.0 Choose a name for the server and set a strong administrator password.
5.0 Choose components:

5.1 Go into Details on Accessories and Utilities; uncheck Accessibility Wizard, Communications, Games and Multimedia (uncheck everything and leave only Accessories checked). Then click OK.

5.2 Back at Components, uncheck Indexing Service.

5.3 Go to Details on Internet Information Services (IIS); uncheck all, then check only Common Files, Internet Information Services Snap-In and World Wide Web Server, then click OK.

5.4 Uncheck Script Debugger.

5.5 Go to Details on Management and Monitoring Tools; check Simple Network Management Protocol (SNMP) if SNMP is to be used.

5.6 Check Terminal Services.

5.7 When you are finished, the Windows 2000 Components screen should show only Accessories and Utilities, Internet Information Services (IIS) and Terminal Services checked.

5.8 Click Next.

6.0 Set Date, Time and Time Zone, then click Next.
7.0 Select Remote Administration Mode for Terminal Services, then click Next.

7.1 Choose Typical Network Settings.

8.0 Workgroup or Computer Domain setup:

8.1 Choose No, This Computer Is Not On a Network, or Is On a Network Without a Domain.

8.2 Type in a random workgroup name (Alt 255 for a blank workgroup).

Note: The file copy starts (this may take some time). Log back in after the reboot.


9.0 When the Windows Configure Your Server screen appears:

9.1 Choose I Will Configure This Server Later.

9.2 Click Next, then uncheck Show This Screen at Startup. Close window.


Encryption and Patch Setup

10.0 Install the high encryption pack for Windows 2000:
http://www.microsoft.com/WINDOWS2000/downloads/recommended/encryption/default.asp.

NOTE: After installing the High Encryption Pack, it is necessary to run the KEYMIGRT.EXE utility to upgrade the encryption of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES (http://www.microsoft.com/technet/security/bulletin/ms00-032.asp).

To obtain the Keymigrt tool, run the patch with the -x option to extract the patch contents; Keymigrt.exe will be one of the files extracted.

10.1 You will now need to reboot.

11.0 Install SP3 for Windows 2000:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp

11.1 When prompted to restart your computer, select Yes.


12.0 Install the latest applicable hotfixes.

As of 08/07/2002:

MS02-023 (May 15, 2002): Cumulative Patch for Internet Explorer, in this case Internet Explorer 5.01 SP2 for Windows NT and Windows 2000.

SSHD for NT Remote Management

OK. Now you need to be able to access this machine remotely. Here is the OLD port of SSHD for NT we used to use. I HIGHLY recommend not using this and instead using SSH.COM's commercial product.

NOTE: There are issues with the cygwin.dll and separating simultaneous user space. Use with caution!

13.0 Download and unzip sshdnt.zip
14.0 Run install.bat

This batch file should do the following:

  1. Create a server key
  2. Install SSHD as a service
  3. Start the sshd service

Note: Check to make sure SSHD is installed as a service and running. If it is not, refer to sshd_install.txt for instructions on how to create a server key and install SSHD as a service.

15.0 Edit the passwd file (in c:\etc) to add additional users in this format:

<Username>:x:<User ID>:<Group ID>:<Full Name>:<home directory>:

Example:

  administrator:x:1:10:Local administrator:/bin:

16.0 Using SCP:

SCP use on an NT DMZ host:

  1. Move the file you need to a Unix box running sshd (e.g., host.com).
  2. Use srt or terra to connect to the NT host running sshd.
  3. Type scp.exe <username>@<hostname with file>:<filename> <path to place file>

Examples:

  • To move the file "net.txt" from a Unix host (e.g., host.com) to the directory /bin on an NT host running sshd (with IP address 10.0.0.20):
    1. Log in to host.com
    2. scp net.txt administrator@10.0.0.20:/bin
  • To pull test.exe from an NT host running sshd (with IP address 10.0.0.20) to my user directory on host.com:
    1. Log in to host.com
    2. scp administrator@10.0.0.20:test.exe /home/user

Media Configuration

17.0 Go to Start > Programs > Administrative Tools > Computer Management > Disk Management.

17.1 Right click on the CD-ROM and choose Change Drive Letter, click Edit, then choose Z for the drive.

18.0 Right click on the unallocated space and choose Create Partition. The Create Partition Wizard appears. Click Next, choose Primary Partition, then allocate space as required.

18.1 Click Next, choose a drive letter, then choose NTFS format.

19.0 Double click "My Computer" Icon. Right mouse click on your C drive.

19.1 Click on Security > Remove Everyone Group, and add Administrators and System Groups, giving both Full Control.

IMPORTANT!! Click Advanced > Check Reset Permissions on all Child Objects (ignore error on pagefile).

20.0 Click Advanced > Auditing > Click Add > Administrator, click OK.

20.1 Check the boxes for each of the following:

    • Create Files/Write Data
    • Create Folders/Append Data
    • Delete Subfolders and files
    • Delete
    • Change Permissions
    • Take Ownership

20.2 Repeat this for the Power Users group. Click Apply, then OK, ignore the pagefile error and click Continue.

20.3 Click OK > Apply > OK. You will get a message saying that auditing is not turned on.

21.0 Exit out of the security section. Under the General tab, uncheck Allow Indexing Service To Index This Disk For Fast File Searching.

21.1 Choose Apply Changes to c:\, subfolders and files.


22.0 Repeat this procedure for all other hard drives.
23.0 Right mouse click on the My Computer icon, choose Properties > Advanced > Performance Options.

23.1 Choose Change under Virtual Memory Settings.

23.2 Set the page file's Min and Max to be equal. Click OK.

23.3 You will now need to reboot.

Running IIS Lockdown and URLScan

24.0 Download the IIS Lockdown tool:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961

24.1 Run IISLockd.exe.

25.0 Click "I agree" to accept the EULA, then click Next.

25.1 The Select Server Type screen will appear. Check the View template settings box.

25.2 Highlight Static Web server and click Next.


 

26.0 The Internet Services screen will appear. Only the Web service HTTP should be selected.

26.1 Click the Remove unselected services box.

26.2 Answer Yes to the "do you want to remove these services" box.

26.3 Click Next.


27.0 The Script Maps screen will appear. Ensure all boxes are checked (set to disable), then click Next.

NOTE: If you run ASP or SSI pages you will need to uncheck those boxes as appropriate.

28.0 The Additional Security box will appear. Ensure all boxes are checked. Click Next.

29.0 The URLScan screen will appear. Check the box Install URLScan filter on the server, then click Next.


30.0 From the Selected Changes screen, click Next.

31.0 The Applying Security Settings screen will appear. Click View Report. The screen should resemble the image below.

31.1 Click Next then Finish.
To see exactly what this does, look at the file oblt-log.log in the c:\winnt\system32\inetsrv directory.

Note: Most settings that have been applied here are reversible by running the wizard again.
The default URLScan configuration file should work for you as is. It can be found at c:\winnt\system32\inetsrv\urlscan\urlscan.ini.

Services

32.0 Disable all network protocols except TCP, and set fixed IP for server:

32.1 Right click on My Network Places, right click on Local Area Connections > Properties > Uninstall File and Print Sharing.

32.2 Uncheck Client for Microsoft Networks.

32.3 Set Fixed IP Address(s) for the server.


33.0 Go to Advanced Settings for TCP.

33.1 Click DNS, uncheck Register This Connection's Address in DNS.

34.0 Click WINS tab.

34.1 Remove any WINS entries.

34.2 Uncheck Enable LMHOSTS Lookup.

34.3 Select Disable NetBIOS over TCP/IP.

35.0 Choose Options > TCP/IP Filtering > Properties.

35.1 Check Enable TCP/IP Filtering (All Adapters).

35.2 Change Permit All to Permit Only Explicitly Needed Ports.

  TCP Ports        UDP Ports        IP Protocols
  80    HTTP       161   SNMP       6
  443   SSL        162   SNMP       8
  22    SSH
  3389  RDP

35.3 Restart your computer when prompted.

36.0 Disable NetBIOS over TCP/IP:

36.1 Right click on My Computer > Properties > Hardware > Device Manager.

36.2 Click on View > Show Hidden Devices.

36.3 Click on View > Devices by Connection.

36.4 Right click on NetBIOS over TCP/IP > Properties.

36.5 Driver Tab > Type > Disabled.

36.6 Click OK.

 

37.0 Change your SNMP password (community string) to a strong password:

37.1 Right mouse click on My Computer, choose Manage, then click Services.

37.2 Right mouse click on SNMP Service and choose Properties.

NOTE: Set a strong password.

38.0 Stop and disable the following services:
    • Alerter
    • Computer Browser
    • DHCP Client
    • Distributed File System
    • Distributed Link Tracking Client
    • Distributed Link Tracking Server
    • Distributed Transaction Coordinator
    • DNS Client
    • Fax Service
    • File Replication
    • Indexing Service
    • Internet Connection Sharing
    • Intersite Messaging
    • Kerberos Key Distribution Center
    • License Logging Service
    • Messenger
    • Netmeeting Remote Desktop
    • Network DDE
    • Network DDE DSDM
    • Print Spooler
    • QoS RSVP
    • Remote Access Auto Connection Manager
    • Remote Access Connection Manager
    • Remote Registry Service
    • Removable Storage
    • Run as a Service
    • Server
    • Simple Mail Transport Protocol (SMTP)
    • Smart Card
    • Smart Card Helper
    • Task Scheduler
    • TCP/IP NetBIOS Helper Service
    • Telephony
    • Telnet
    • Uninterruptible Power Supply
    • Windows Time
    • Workstation
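
As an added example (not part of the original guide), the following Python script checks a host against the list above: it parses the text output of `sc query state= all` (sc.exe is assumed to be available, e.g. from the Windows 2000 Resource Kit) and reports which of the listed services are still running. It matches on DISPLAY_NAME because the list above uses display names rather than internal service names. The sample output embedded in the script is constructed, not captured from a real server; on a real host, feed it the saved output of `sc query state= all`.

```python
"""Audit step 38.0: which of the listed services are still running?

Added example, not part of the original guide. Parses the plain-text output
of `sc query state= all` (sc.exe assumed available) and matches DISPLAY_NAME
against the checklist. SAMPLE_SC_QUERY below is constructed, not captured.
"""

# Display names exactly as listed in step 38.0
SERVICES_TO_DISABLE = [
    "Alerter", "Computer Browser", "DHCP Client", "Distributed File System",
    "Distributed Link Tracking Client", "Distributed Link Tracking Server",
    "Distributed Transaction Coordinator", "DNS Client", "Fax Service",
    "File Replication", "Indexing Service", "Internet Connection Sharing",
    "Intersite Messaging", "Kerberos Key Distribution Center",
    "License Logging Service", "Messenger", "Netmeeting Remote Desktop",
    "Network DDE", "Network DDE DSDM", "Print Spooler", "QoS RSVP",
    "Remote Access Auto Connection Manager", "Remote Access Connection Manager",
    "Remote Registry Service", "Removable Storage", "Run as a Service", "Server",
    "Simple Mail Transport Protocol (SMTP)", "Smart Card", "Smart Card Helper",
    "Task Scheduler", "TCP/IP NetBios Helper Service", "Telephony", "Telnet",
    "Uninterruptible Power Supply", "Windows Time", "Workstation",
]

# Constructed sample of `sc query state= all` output, abridged to the fields used.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        STATE              : 1  STOPPED

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        STATE              : 4  RUNNING

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 1  STOPPED

SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Return {display_name: (service_name, state)} from `sc query` output."""
    services = {}
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip()}
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and "display" in current:
            # "STATE              : 4  RUNNING" -> "RUNNING"
            current["state"] = line.split(":", 1)[1].split()[-1]
            services[current["display"]] = (current["name"], current["state"])
    return services


def still_running(sc_output, checklist=SERVICES_TO_DISABLE):
    """Checklist services whose STATE is anything other than STOPPED."""
    found = parse_sc_query(sc_output)
    return sorted(name for name in checklist
                  if name in found and found[name][1] != "STOPPED")


def not_found(sc_output, checklist=SERVICES_TO_DISABLE):
    """Checklist entries with no matching DISPLAY_NAME (not installed, or named
    differently on this build); these need a manual look in the Services MMC."""
    found = parse_sc_query(sc_output)
    return [name for name in checklist if name not in found]


if __name__ == "__main__":
    for name in still_running(SAMPLE_SC_QUERY):
        print("STILL RUNNING:", name)
    print("unmatched checklist entries:", len(not_found(SAMPLE_SC_QUERY)))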

39.0 IPSec Policy:

Set up an IPSec policy that denies everything and allows only the necessary ports. For example:

Use ipsecpol.exe, and make certain these two DLLs are in your path: ipsecutil.dll and text2pol.dll. From a command prompt, enter the following lines:

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0=*::*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowICMP" -n PASS -f 0::=*:*:ICMP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTPData-out" -n PASS -f 0:=*:20:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTP-out" -n PASS -f 0:=*:21:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-out" -n PASS -f 0:=*:25:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-in" -n PASS -f 0:53+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-out" -n PASS -f 0:=*:53:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-out" -n PASS -f 0:=*:53:UDP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-out" -n PASS -f 0:=*:80:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-in" -n PASS -f 0:161+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-out" -n PASS -f 0:=*:161:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-in" -n PASS -f 0:162+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-out" -n PASS -f 0:=*:162:UDP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-out" -n PASS -f 0:=*:443:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-in" -n PASS -f 0:514+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-out" -n PASS -f 0:=*:514:UDP

REM ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13700+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13782+*::TCP
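
The following Python script is an added example, not part of the original guide or of the ipsecpol tool. It parses the ipsecpol filter specs above (the -f syntax srcaddr[:port](=|+)dstaddr[:port][:proto], where 0 is this host, * is any, = is one-way and + is mirrored) and cross-checks the ports the IPSec policy lets in against the TCP/IP filtering table from step 35.2, since a port must be open at both layers to be reachable. It also lists PASS rules written one-way and rule names used more than once. The policy text inside the script is copied from the lines above.

```python
"""Cross-check the step 39.0 IPSec rules against the step 35.2 TCP/IP filtering table.

Added example, not part of the original guide. Parses ipsecpol -f filter specs
(srcaddr[:port](=|+)dstaddr[:port][:proto]; 0 = this host, * = any, '=' one-way,
'+' mirrored) and reports ports on which the two layers disagree. Only the
TCP/UDP columns of the filtering table are modelled.
"""
import re

# The rules from step 39.0, copied verbatim; the REM'd RDP line is skipped.
POLICY = r'''
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0=*::*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowICMP" -n PASS -f 0::=*:*:ICMP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTPData-out" -n PASS -f 0:=*:20:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowFTP-out" -n PASS -f 0:=*:21:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-out" -n PASS -f 0:=*:25:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-in" -n PASS -f 0:53+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS_TCP-out" -n PASS -f 0:=*:53:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-out" -n PASS -f 0:=*:53:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-out" -n PASS -f 0:=*:80:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-in" -n PASS -f 0:161+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMP-out" -n PASS -f 0:=*:161:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-in" -n PASS -f 0:162+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSNMPTrap-out" -n PASS -f 0:=*:162:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-out" -n PASS -f 0:=*:443:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-in" -n PASS -f 0:514+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSysLog-out" -n PASS -f 0:=*:514:UDP
REM ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13700+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowNetBackup-in" -n PASS -f 0:13782+*::TCP
'''

# TCP/IP filtering from step 35.2 (Permit Only Explicitly Needed Ports)
TCPIP_FILTER = {"TCP": {80, 443, 22, 3389}, "UDP": {161, 162}}


def parse_spec(spec):
    """Split one -f spec into (src, sport, dst, dport, proto, mirrored)."""
    m = re.search(r"[=+]", spec)
    if not m:
        raise ValueError("no '=' or '+' in filter spec %r" % spec)
    left = (spec[:m.start()].split(":") + ["", ""])[:2]
    right = (spec[m.end():].split(":") + ["", "", ""])[:3]

    def port(p):  # '' or '*' means any port
        return int(p) if p.isdigit() else None

    proto = right[2].upper() if right[2] not in ("", "*") else "ANY"
    return left[0], port(left[1]), right[0], port(right[1]), proto, m.group() == "+"


def parse_policy(text):
    """One dict per active ipsecpol line; blank and REM'd lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("REM"):
            continue
        m = re.search(r'-r\s+"([^"]+)"\s+-n\s+(\w+)\s+-f\s+(\S+)', line)
        if not m:
            continue
        src, sport, dst, dport, proto, mirrored = parse_spec(m.group(3))
        rules.append(dict(name=m.group(1), action=m.group(2).upper(), src=src,
                          sport=sport, dst=dst, dport=dport, proto=proto,
                          mirrored=mirrored))
    return rules


def listening_ports(rules):
    """Local ports a PASS rule exposes (src is this host and a port is given)."""
    exposed = {}
    for r in rules:
        if r["action"] == "PASS" and r["src"] == "0" and r["sport"] is not None:
            exposed.setdefault(r["proto"], set()).add(r["sport"])
    return exposed


def compare_layers(rules, tcpip=TCPIP_FILTER):
    """ipsec_only: passed by IPSec but dropped by TCP/IP filtering;
    tcpip_only: permitted by TCP/IP filtering but blocked by the IPSec policy."""
    exposed = listening_ports(rules)
    report = {}
    for proto in sorted(set(exposed) | set(tcpip)):
        a, b = exposed.get(proto, set()), tcpip.get(proto, set())
        report[proto] = {"ipsec_only": sorted(a - b), "tcpip_only": sorted(b - a)}
    return report


def one_way_pass_rules(rules):
    """PASS rules written with '=' rather than '+'. Windows 2000 IPSec filters are
    stateless, so a one-way PASS does not cover the reply packets of that flow."""
    return [r["name"] for r in rules if r["action"] == "PASS" and not r["mirrored"]]


def duplicate_rule_names(rules):
    """Rule names used more than once in the policy."""
    names = [r["name"] for r in rules]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print(compare_layers(rules))
    print("one-way PASS rules:", one_way_pass_rules(rules))
    print("duplicate names:", duplicate_rule_names(rules))
```

Run as written, it reports TCP 25, 53, 13700 and 13782 as allowed in by IPSec but not by TCP/IP filtering, UDP 53 and 514 likewise, and TCP 3389 as permitted by TCP/IP filtering but blocked by IPSec (the RDP rule is REM'd), which is the intended state when RDP is only reached through the SSH tunnel of step 46.0. Resolve each difference deliberately rather than opening the port at whichever layer blocks it, and check the one-way rules and the repeated AllowNetBackup-in name before applying the policy.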


Terminal Service Configuration

40.0 Configure Terminal Service:

40.1 Go to Start > Programs > Administrative Tools > Terminal Services Configuration (TSC).

40.2 Right mouse click on RDP-TCP, choose Properties > General > Encryption Level: High.

41.0 Under Client Settings:
  • Uncheck Use Connection Settings From User Settings.
  • Uncheck Connect Client Printers at Logon and Default to Main Client Printer.

41.1 Under Disable:
  • Check all except Clipboard Mapping.

42.0 Under Sessions:

42.1 Check Override User Settings, then set:

  • End a Disconnected Session: 3 hours
  • Active Session Limit: 1 day
  • Idle Session Limit: 30 minutes

42.2 Check the second Override User Settings, and choose Disconnect From Session.

 

43.0 Under Network Adapter, choose a maximum of 5 connections.
44.0 Under Server Settings for TSC, change Active Desktop to Disable.

45.0 If needed, make the following edits on the server to enable clipboard file transfer:

45.1 Open Regedt32, and then change the value data in the Name value from RDPCLIP to FXRDPCLP in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector

45.2 Change the value data in the Startup Programs value from RDPCLIP to FXRDPCLP in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd

45.3 Rename the new rdpclip.exe file included in the Windows 2000 Resource Kit to Fxrdpclp.exe, and then copy the file to the Winnt\System32 folder.

45.4 Copy the fxfr.dll file to the Winnt\System32 folder.

On the clients that wish to use the enhanced clipboard facilities:

45.5 Copy the 32-bit Fxfr.dll file to the "Program Files\Terminal Services Client" folder.

45.6 Rename the Rdpdr.dll file in the "Program Files\Terminal Services Client" folder to Rdpdr.pss.

45.7 Copy the 32-bit rdpdr.dll file from the resource kit to the "Program Files\Terminal Services Client" folder.

46.0 Set up TS to run over SSH:

46.1 Set Terminal Services to manual on the client machine if that client is a Windows 2000 Server (i.e., the port will already be bound and listening).

NOTE: XP currently doesn't work as a client.

46.2 Open a cmd.exe (command window) and type:

ssh2.exe -L 3389:127.0.0.1:3389 clientname@servername

Log in as prompted. This uses the following format:

ssh2.exe -L [local port]:[full name of remote host]:[remote port] [username@remote host] [some command]

This tunnels port 3389 on the server side to localhost port 3389 on the client side.


46.3 Leave the command prompt open and open the terminal service client and connect to localhost.


Note: You will now be running TS over one of the most security scrutinized protocols ever.

 

IIS 5.0 Configuration

47.0 Go into ISM and Stop the Default Website.

47.1 Right click on the PC above it and choose backup metabase.

48.0 Right mouse click on the computer name in ISM:

48.1 Choose Properties > Edit The Master Properties For The WWW Service.

48.2 Choose Website > Enable Logging > W3C Extended Log File Format > Properties.

48.3 Change the New Log Time Period to When The File Reaches 50 MB; click OK.

48.4 Click Properties > Extended Properties and add checks for Cookies and Referrer.

 

49.0 Choose Home Directory > Configuration:

49.1 Remove any unnecessary Application Mappings, as referenced below.

NOTE: Remove them all and add back in as needed!

  Extension              File type
  .asa                   ASP files declaring objects with session or application scope
  .asp                   Active Server Pages
  .bat                   Batch files
  .cdx                   Scripts to create Channel Definition files
  .cer                   Scripts for digital certificates
  .htr                   Scripts for remote password change
  .htw                   Index Server hit highlighting
  .ida                   Index Server performance monitoring
  .idc                   Internet Database Connector
  .idq                   Index Server query definition
  .printer               Internet Printing
  .shtm, .shtml, .stm    Server Side Includes

50.0 Remove all unless you explicitly need one for a specific known purpose!

50.1 For the remaining extensions, consider limiting the HTTP verbs the extension will accept. Instead of allowing all the verbs (DELETE, GET, HEAD, PUT and TRACE), allow only GET for static Web pages and PUT if you have forms on your site; this way you explicitly allow only the minimum actions needed per extension.

50.2 Click OK to get out of edit mode.
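
As an added example (not the guide's or Microsoft's code), the following Python script shows one use of the W3C Extended logs configured in steps 48.2 to 48.4: it reads the #Fields directive so it can find the right columns regardless of their order, flags every request for one of the extensions in the table above, and reports which of those the server answered with 2xx. After the lockdown, such requests should be refused (403/404); a 200 means the mapping is still live, or the site genuinely uses that extension (ASP forms, for instance) and the NOTE under step 27.0 applies. The log lines are constructed, with made-up addresses and paths, and one line is deliberately truncated to show malformed input being skipped.

```python
"""Scan a W3C Extended IIS log for requests to the script-map extensions removed in step 49.1.

Added example, not part of the original guide. Uses the #Fields directive of
the W3C Extended format (step 48.2, with Cookie and Referer from step 48.4).
SAMPLE_LOG is constructed; its addresses and paths are made up.
"""

# Extensions from the step 49.1 table
REMOVED_EXTENSIONS = {".asa", ".asp", ".bat", ".cdx", ".cer", ".htr", ".htw",
                      ".ida", ".idc", ".idq", ".printer", ".shtm", ".shtml", ".stm"}

# Constructed log; the last line is deliberately truncated (malformed input).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-08-07 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Cookie) cs(Referer)
2002-08-07 00:00:01 10.0.0.5 - 10.0.0.20 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
2002-08-07 00:00:07 10.0.0.9 - 10.0.0.20 80 GET /test.ida - 404 - - -
2002-08-07 00:00:09 10.0.0.9 - 10.0.0.20 80 GET /iisadmpwd/pw.htr - 403 - - -
2002-08-07 00:00:12 10.0.0.5 - 10.0.0.20 80 GET /forms/contact.asp - 200 Mozilla/4.0 ASPSESSIONID=abc123 http://10.0.0.20/index.html
2002-08-07 00:00:15 10.0.0.5 - 10.0.0.20 80 POST /forms/contact.asp - 200 Mozilla/4.0 ASPSESSIONID=abc123 http://10.0.0.20/forms/contact.asp
2002-08-07 00:00:20 10.0.0.9 - 10.0.0.20 80 GET /NULL.printer - 404 - - -
2002-08-07 00:00:21 10.0.0.9 - 10.0.0.20 80 GET /broken 500
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def extension_of(uri_stem):
    """Lower-cased extension of the last path segment, or '' if it has none."""
    tail = uri_stem.rsplit("/", 1)[-1]
    return tail[tail.rfind("."):].lower() if "." in tail else ""


def find_script_map_hits(text, removed=REMOVED_EXTENSIONS):
    """(c-ip, cs-uri-stem, sc-status) for every request to a removed extension."""
    hits = []
    for rec in parse_w3c_log(text):
        if extension_of(rec["cs-uri-stem"]) in removed:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])))
    return hits


def served_not_refused(hits):
    """Hits answered 2xx: the mapping is still live or the site really uses it."""
    return [h for h in hits if 200 <= h[2] < 300]


def hits_by_client(hits):
    """Count of flagged requests per client address, for follow-up."""
    counts = {}
    for ip, _stem, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_script_map_hits(SAMPLE_LOG)
    for ip, stem, status in hits:
        print(ip, stem, status)
    print("served 2xx:", served_not_refused(hits))
    print("per client:", hits_by_client(hits))
```

Point it at the live log directory (c:\winnt\system32\logfiles\w3svc1 by default) after the lockdown has been applied; anything in the served_not_refused list that is not a known, intentional use of that extension means the corresponding mapping in step 49.1 was not actually removed.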

51.0 Create your new website base directory:

51.1 While still in ISM, highlight your computer name, right mouse click, then choose New, Web Site.

51.2 The new Web Site Wizard will start. Click Next.

52.0 Choose a drive that is NOT your system partition for the path to your home directory.
53.0 Choose the minimum set of permissions here for your web site.

53.1 Click Next to finish.

54.0 Disable Parent paths.

54.1 Go to Properties on the Web Site > Home Directory > Configuration > App Options.

54.2 Uncheck Enable Parent Paths.

55.0 (Optional) Microsoft recommends configuring a separate directory for each file type so you can easily set ACLs. Best practice: this is a good idea if you have the ability to do so. For example, set up your web site as:

  • D:\test_website\static (.html)
  • D:\test_website\include (.inc)
  • D:\test_website\script (.asp)
  • D:\test_website\executable (.dll)
  • D:\test_website\images (.gif, .jpeg)

56.0 Disable the default web site. (It is better to leave the default web site disabled rather than remove it, as it may come in handy down the line.)

56.1 Right mouse click on the Default Web Site. Select Properties > Directory > Security > Anonymous Access & Authentication Control > Edit.

56.2 Uncheck all the boxes. You will get a warning that you are shutting off all access, click Yes.

56.3 It will bring up a box on Inheritance. Click Select All > OK.

Note: Do not use the default web site and disable/delete the administrative one.

57.0 Check all IIS sample directories and remove if necessary:

    IIS              %webroot%\iissamples
    IIS SDK          %webroot%\iissamples\sdk
    Admin Scripts    %webroot%\AdminScripts
    Data access      c:\Program Files\Common Files\System\msadc\Samples
    IIS Help         %systemroot%\help\iishelp
    IIS adpwd        %systemroot%\system32\inetsrv\iisadmpwd


58.0 Remove Internet Printing:

Delete the Printers virtual directory at %systemroot%\web\printers.