Windows 2003 / IIS 6.0 DMZ Hardening Guidelines
This document is applicable ONLY to Microsoft Server 2003 running IIS 6.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose W2K3 servers on an internal LAN (e.g., file servers, PDCs), as it removes several of the services that W2K3 uses for default functionality.
NOTE: You should keep the server unplugged from the network until you are told in the guide that it is ok to plug it in.
For information/questions, please use the forum.
1.0 Boot up Windows Server 2003 Standard Edition (Build 3790) CD-ROM to begin installation and configuration.
1.1 When the Welcome Screen Appears, press Enter to continue
1.2 Press F8 to accept the End User License Agreement (EULA).
Note: Install only one instance of the operating system. If you need to get on to a server using another instance, install as needed, and delete afterwards. If there are any previous versions of operating systems, remove by deleting partitions and repartition.
2.0 Create a partition for the Operating System.
2.1 Press C to Create a Partition. In the white space, enter the value of your Operating System partition (this should be at LEAST 6.5GB (6500MB) and more is better) and press Enter to continue.
2.2 Choose the Partition that you just created with the Up/Down arrows and press Enter to begin the OS installation.
2.3 Choose Format the partition using the NTFS file system and press Enter to continue.
After formatting the hard drive and copying over the necessary files, the OS installation will reboot and continue.
3.0 Regional Settings
3.1 Choose regional settings as appropriate
3.2 Enter the following in the allowed whitespace:
Name of your Organization:
Company:
3.3 Enter the Product Activation Key
3.4 Choose the Per Device or Per User radio button
3.5 Give the server a name. Ensure that you follow the current corporate naming constraints for Servers. In general, the server name should consist of 3 letters for the Server function, 3 letters for the Server location and 3 numerals denoting the sequential order of the Server.
Example: The first server for the Web Server Farm, residing in St. Louis: WEB-STL-001
3.6 Set a strong administrator password. Ensure that you follow your company's guidelines for creating a strong password.
3.7 Set time and date
4.0 Network Settings
4.1 Choose Typical Settings
4.2 For Workgroup or Computer Domain, choose "No, this computer is not on a network". In the white space, enter a blank workgroup (ALT-255).
The OS will now continue configuration. When it is done, it will bring you to the Login Screen. Login with the password that you set in Step 3.6. After login, the Manage Your Server box will pop up. If you desire, place a check mark in the box labeled "Don't display this page at logon" and close the window.
5.0 Choose Components
5.1 Go to Start > Control Panel > Add/Remove Programs > Add/Remove Windows Components and select Application Server.
5.2 If you plan on using SNMP to monitor the Server, scroll down and highlight Management and Monitoring Tools
Click on Details
Select only Simple Network Management Protocol
Click OK to return to the previous menu.
5.3 Click Next to begin installation of the Application Server Components.
5.4 When the Application Server has finished installing, you can click the Finish button to complete the installation and then you can close the Add/Remove Programs window.
6.0 Install the latest Patch Releases
As of 05/20/2004:
MS03-039 (824146)
September 10, 2003 - Buffer Overrun In RPCSS Service Could Allow Code Execution
MS03-041 (823182)
November 17, 2003 - Vulnerability in Authenticode Verification Could Allow Remote Code Execution
MS03-043 (828035)
October 15, 2003 - Buffer Overrun in Messenger Service Could Allow Code Execution
MS03-044 (825119)
October 22, 2003 - Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise
MS03-048 (824145)
December 11, 2003 - Cumulative Security Update for Internet Explorer
MS04-007 (828028)
February 10, 2004 - ASN.1 Vulnerability Could Allow Code Execution
MS04-011 (835732)
April 13, 2004 - Security Update for Microsoft Windows
MS04-012 (828741)
April 13, 2004 - Cumulative Update for RPC/DCOM
MS04-015 (840274)
May 11, 2004 - Vulnerability in Help and Support Center Could Allow Remote Code Execution
6.1 You may now plug the server into the network.
7.0 Installing SSH Server for Remote Management
For remote access we will use SSH as the only transport. The software is available below for the server and the client.
7.1 Download and install an SSH Server and Client Software
We recommend the server and client from http://www.ssh.com/.
7.2 After installing the server application, open the SSH Secure Shell Server Configuration window:
Go to Start > Programs > SSH Secure Shell Server > Configuration
This will bring up a window that looks like the following:
Under the General Tab:
Increase the "Maximum Number of Connections" value to 2
7.3 Create a new text file called BannerMSG.txt and place it in:
C:\Program Files\SSH Communications Security\SSH Secure Shell Server directory
The file should contain the following verbiage:
WARNING!!!
READ THIS BEFORE ATTEMPTING TO LOGON
This System is for the use of authorized users only. Individuals using this computer without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
7.4 Link the BannerMSG.txt file that you just created in the "Banner message file" box by clicking on the box with the three dots on the right of the white space and finding the file in the above named directory.
The resulting screen should look like this:
7.5 Under the Encryption Tab:
Ensure that the following settings are selected:
Ciphers: AnyStdCipher
MACs: AnyStdMac
7.6 Under the Tunneling Tab:
Place a check mark in the box next to Allow TCP Tunneling.
7.7 Under the User Authentication > Password Tab
Ensure that the "Permit empty Passwords" box is NOT checked.
Click Apply to make the changes permanent. Click OK to exit.
8.0 Media Configuration and Permissions
8.1 Go to Start > Programs > Administrative Tools > Computer Management > Disk Management
8.2 Format unallocated disk space.
In the bottom right panel, Right Click on the section labeled Unallocated (shaded in the picture below) on Disk 0 and choose New Partition.
This will bring up the New Partition Wizard
8.3 Click Next to continue
8.4 Ensure that Primary partition is selected and click Next to continue.
8.5 Select the size of your partition in MB and click Next to continue.
8.6 Assign it the appropriate drive letter, E: and click Next to continue.
8.7 Ensure that Format this partition with the following settings is selected and the values for File System is NTFS and the Allocation unit size is default. You may change the Volume Label if you desire.
Click Next to continue.
8.8 After reviewing your selected settings, click Finish to begin the format.
Upon completion, your disk manager should show 2 partitions on Disk 0 as pictured below.
When the formatting is complete, you can close the Computer Management window.
8.9 Double click on the My Computer icon, Right click on the C: drive and select Sharing and Security
Click on the Security Tab
8.10 Remove the Everyone Group
8.11 Click on Add and add the Backup Operators Group and give them permissions for Modify.
8.12 Click on the Advanced button and highlight the Backup Operators group that you just added.
8.13 Click on the Edit button and ensure that the Backup Operators group has permissions for everything EXCEPT: Full Control, Change Permissions and Take Control
Click OK when done.
8.14 Click on the Add button and add the IIS_Guest Group.
8.15 Click on the Deny checkbox for Full Control.
8.16 Click on the Add button and add the Power Users Group.
8.17 Ensure that the Users Group has permissions for Read & Execute, List Folder Contents and Read only.
8.18 IMPORTANT!! Click the Advanced button and place a check mark in the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects.
8.19 Click OK to apply the new permissions.
A security warning should pop up that looks like this:
8.20 Click Yes to continue.
Right before completion, you will receive an Error Warning box:
8.21 Click Continue to proceed.
8.22 Click on the Advanced button again and go to the Auditing Tab.
8.23 Click the Add button and add the Administrators Group and place a checkmark in the boxes for each of the following:
· Create Files/Write Data
· Create Folders/Append Data
· Delete Subfolders and Files
· Delete
· Change Permissions
· Take Ownership
8.24 Repeat steps (8.22 - 8.23) for the Power Users Group and the Backup Operators Group.
8.25 For the E:\ partition, repeat the above steps (8.10 - 8.23) with the exception of the following permissions:
Give the Power Users group, full access to this partition.
8.26 Repeat the above steps (8.10 - 8.23) for all additional disk partitions.
8.27 Click Apply then click OK
9.0 Turn off Indexing on all Volumes
9.1 Under the General Tab, uncheck the box marked Allow Indexing Service to index this disk for fast file searching
Click OK
A confirmation box reading Confirm Attribute Changes will pop-up.
9.2 Choose Apply changes to C:\, subfolders and files.
9.3 Repeat this procedure for all other hard drive partitions.
10.0 Virtual Memory Settings
10.1 Right mouse click on the My Computer icon and choose Properties and go to the Advanced Tab.
10.2 Under the Performance subsection, choose Settings and then click on the Advanced Tab.
10.3 Under the Virtual Memory subsection, choose Change.
10.4 Under the Paging file size for selected drive, ensure that Custom size: is selected and set the Initial and Maximum size to be the same (use the Maximum figure as the value).
10.5 Click the Set button.
10.6 Repeat these same steps (10.1-10.5) for all other volumes.
10.7 Click OK to get back to the System Properties window.
11.0 Installing the Anti-Virus Engine
11.1 Download a Virus Scan Engine of your choice. We recommend McAfee and this guide details the installation of that.
11.2 Create a folder and extract the Virus Scan Engine into it.
11.3 Go to the folder that you extracted the file to and double click on vse700.msi
Click Next
11.4 Change the License expiry type to: Perpetual
11.5 Click on I accept the terms in the license agreement
Click OK.
Click Next
Click Install
McAfee will now install the necessary drivers and files.
11.6 Uncheck Update Now and Run On-Demand Scan
Click Finish
11.7 In the task bar, Right click on the McAfee Antivirus icon and choose VirusScan Console
11.8 Right click on Auto Update and select Properties
11.9 Click on the Schedule button
11.10 Under the Schedule Tab you should schedule the Anti-Virus Update according to your needs.
Click Apply then OK.
12.0 URL Scan Installation
12.1 Download and Double Click on the URLScan 2.5 executable.
12.2 Click on Yes to accept the EULA.
URLScan will install and you will see the screen below when it is finished.
Click on OK to finish installation.
13.0 Disabling Protocols and Setting a Fixed IP for the Server
13.1 Right click on My Network Places and choose Properties.
13.2 Choose the appropriate Local Area Connection, right click on it and choose Properties.
· Uncheck Client for Microsoft Networks
· Uncheck File and Printer Sharing for Microsoft Networks
13.3 Select Internet Protocol (TCP/IP) and click on the Properties button.
13.4 Choose Use the Following IP Address and input your static IP address, Subnet Mask and Default Gateway.
13.5 Choose Use the following DNS Server Addresses and input your DNS Addresses. (NOTE: The addresses in the below example are for illustration purposes only.)
13.6 Click on the Advanced button.
Under the DNS Tab
13.7 Uncheck Register this connection's address in DNS.
Under the WINS Tab
13.8 Remove any WINS entries if they exist.
13.9 Uncheck Enable LMHOSTS lookup
13.10 Choose Disable NetBIOS over TCP/IP
Under the Options Tab
13.11 Choose TCP/IP Filtering and click on the Properties button
13.12 Click on Enable TCP/IP Filtering (All adapters)
13.13 Change the Permit All radio buttons to Permit Only
13.14 Add ONLY the explicitly needed ports and protocols.
TCP Port      UDP Port          IP Protocol
22   SSH      161  SNMP         6   TCP
80   HTTP     162  SNMP Trap    8   ICMP
443  HTTPS                      17  UDP
Click OK to apply the filters.
Click OK to return to Internet Protocol (TCP/IP) Properties
Click OK to finalize all configurations.
Click Close to close the Local Area Connection Properties.
13.15 Select Yes when prompted to reboot.
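The allow-list from step 13.14 can also be applied, or audited after the fact, without the dialog. The following added example (not from the original guide) writes the same lists to the registry values that TCP/IP Filtering reads; the adapter GUID is a placeholder you must replace, and the ICMP entry uses IANA protocol number 1 (the table above lists 8, which the IANA registry assigns to EGP, so entering 8 would leave ICMP blocked).

```batch
@echo off
rem Added example, not part of the original guide: scripted form of
rem step 13.14 (TCP/IP Filtering) for Windows Server 2003.
rem Replace the placeholder below with the adapter's key under
rem ...\Tcpip\Parameters\Interfaces ("reg query" that key to find it).
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set IFACE=%TCPIP%\Interfaces\{ADAPTER-GUID-PLACEHOLDER}

rem Equivalent of "Enable TCP/IP Filtering (All adapters)".
reg add "%TCPIP%" /v EnableSecurityFilters /t REG_DWORD /d 1 /f

rem The three lists are REG_MULTI_SZ; reg add separates entries with \0.
rem A single "0" entry means "Permit All", so it must never appear here.
reg add "%IFACE%" /v TCPAllowedPorts       /t REG_MULTI_SZ /d "22\080\0443" /f
reg add "%IFACE%" /v UDPAllowedPorts       /t REG_MULTI_SZ /d "161\0162" /f
rem IANA protocol numbers: 6 = TCP, 17 = UDP, 1 = ICMP.
reg add "%IFACE%" /v RawIPAllowedProtocols /t REG_MULTI_SZ /d "6\017\01" /f

rem Read the result back; the filter only takes effect after the reboot in 13.15.
reg query "%TCPIP%" /v EnableSecurityFilters
reg query "%IFACE%"
```

The same two "reg query" lines make a quick audit check on an already-built server: any list that shows only "0" is still in Permit All mode.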
14.0 Turn on Remote Control
14.1 Right Click on My Computer > Properties > Remote
14.2 Under the Remote Desktop subsection, place a checkmark in the box.
15.0 Turn off Automatic Updates
15.1 Right Click on My Computer > Properties > Automatic Updates
15.2 Uncheck the Keep my computer up to date box.
16.0 Disable NetBIOS over TCP/IP
16.1 Click on Hardware Tab > Device Manager box.
16.2 Click on View > Show Hidden Devices
16.3 Click on View > Devices by Connection
16.4 Right click on NetBios over Tcpip > Properties > Disable
A pop up window should open that looks like this:
Choose Yes
Choose Yes when prompted to reboot.
17.0 SNMP Community String
17.1 Right Click on My Computer > Manage
17.2 Under Services and Applications, select Services
17.3 Scroll Down and right click on SNMP Service and select Properties
Under the Security Tab
17.4 Ensure that Send authentication trap is selected.
17.5 Click Add
17.6 Select READ ONLY for Community Rights
17.7 For Community Name (aka Community String), choose a strong password and type it into the box. This community string (password) will need to be provided to anyone requesting SNMP access to this machine.
17.8 Choose Accept SNMP packets from these hosts.
17.9 Click Add and add the addresses from your SNMP network
17.10 Click on the Traps Tab and in the Community Name white-space, type: public
17.11 Click on the Add button and add the addresses of your trap destinations
17.12 Click Apply then click OK to exit.
17.13 Close the Computer Management window.
18.0 Setup the IPSec Policy
18.1 Download the IPSec Policy File.
18.2 Review the file and remove any IPSec filters that you do not explicitly need.
By default, the following services are configured in the IPSec Policy file:
IIS 6.0 DMZ Server IPSec Network Traffic Map

Service    Protocol  Source Port  Destination Port  Source Address  Destination Address  Action  Mirror
SSH        TCP       ANY          22                ANY             ME                   ALLOW   YES
DNS        TCP       ANY          53                ANY             ME                   ALLOW   YES
DNS        UDP       ANY          53                ANY             ME                   ALLOW   YES
HTTP       TCP       ANY          80                ANY             ME                   ALLOW   YES
SNMP       UDP       ANY          161               ANY             ME                   ALLOW   YES
SNMP TRAP  UDP       ANY          162
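If the policy file is not available, the traffic map above can be rebuilt by hand. The following is an added example (not the guide's downloadable policy file) using the Windows Server 2003 "netsh ipsec static" context; the policy, filter list and filter action names are assumptions, and a block-everything-else rule is added because a permit list only restricts traffic when paired with a block rule.

```batch
@echo off
rem Added example, not the guide's own policy file: builds the
rem "IIS 6.0 DMZ Server IPSec Network Traffic Map" with netsh on
rem Windows Server 2003. Names below are assumptions; run from cmd
rem on the server itself.
set POLICY=DMZ-IIS6
set FL_ALLOW=%POLICY%-Permitted
set FL_ALL=%POLICY%-AllTraffic

netsh ipsec static add policy name="%POLICY%" description="IIS 6.0 DMZ server allow-list"

rem One mirrored filter per row of the traffic map.
rem srcaddr=any / dstaddr=me match the table; srcport=0 means ANY source port.
netsh ipsec static add filterlist name="%FL_ALLOW%"
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=22  mirrored=yes description="SSH"
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=53  mirrored=yes description="DNS TCP"
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=53  mirrored=yes description="DNS UDP"
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80  mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=161 mirrored=yes description="SNMP"
rem The SNMP TRAP row is cut off in the table; assumed to follow the same pattern.
netsh ipsec static add filter filterlist="%FL_ALLOW%" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=162 mirrored=yes description="SNMP TRAP"

rem Catch-all filter list so that anything not listed above is blocked.
rem IPSec applies the most specific matching filter, so the port-specific
rem permits above win over this any/any block.
netsh ipsec static add filterlist name="%FL_ALL%"
netsh ipsec static add filter filterlist="%FL_ALL%" srcaddr=any dstaddr=me protocol=any srcport=0 dstport=0 mirrored=yes description="Everything else"

netsh ipsec static add filteraction name="%POLICY%-Permit" action=permit
netsh ipsec static add filteraction name="%POLICY%-Block"  action=block

netsh ipsec static add rule name="Permit listed services"  policy="%POLICY%" filterlist="%FL_ALLOW%" filteraction="%POLICY%-Permit"
netsh ipsec static add rule name="Block everything else"   policy="%POLICY%" filterlist="%FL_ALL%"   filteraction="%POLICY%-Block"

rem Assign the policy (only one IPSec policy is assigned at a time).
netsh ipsec static set policy name="%POLICY%" assign=y
```

Review the result with "netsh ipsec static show all" before assigning. A mirrored filter matches only the exact reverse of its line, so "any -> me:53" covers queries sent to this server, not the server's own lookups to a DNS server (those would need a filter with dstaddr set to that server's address and dstport=53).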