Temple Illuminatus

System Installation Process for Tightened Security

Tech’s notes: It is better to have a good idea of the End User’s computer use patterns and configuration preferences to properly align the Task Scheduler settings and scheduling to the Users’ schedule(s). For the initial installation from the Operating System disks, no internet access may be connected to the PC until the configuration re-writes are completed and Task Scheduler settings are audited and configured. One thing I’ve found from my own experiences and memory of the comments by other IT personnel – Windows is, itself, a worm program. Since I’ve had to learn much of this procedure the hard way, I’ve found out more than most IT personnel realize, except perhaps System Engineers. It’s best to stick to this process as written, at least until we get to the configuration of Task Scheduler. This is for Microsoft Windows (Vista through 10) – I have not had direct experience with Macintosh operating systems, although I have been told that they use the same basic operating system functional parameters; it’s just the GUIs (Graphical User Interfaces, or windows) that are set up differently. (Note: MS Windows and Mac OS PC systems seem to have codings built into them – stuff that works on Windows may not work on Mac OS PCs, and vice versa.) Since Mac OS also uses Active Directory, the same basic procedure may very well work for them, also, but take that up with a system engineer first, unless you’re into experimentation at your own risk. I will include variation directives for the Professional operating systems in brackets.

Step 1 – First, put the Windows OS disk in the optical drive bay and re-start. You will need to know the function key to use to bring up the Boot options menu from the BIOS, so you can press the function key specific to the hardware manufacturer immediately after the POST tests. First you will need to configure your BIOS options (for Windows 7 and later, the mode needs to be set to AHCI and another setting must be SATA – you’ll see them if you just audit the whole thing; I think it’s the Integrated… entries). Once done, go to “Save BIOS and exit Setup”, select the “Y” option, and press “Enter”. The system will have Setup install the operating system. Once that is complete, the system will ask for the Administrator’s name, password, and global time zone for the physical location. Enter this information and let Windows finish setting up.

Step 2 – Now click the Start button/screen and left-click the Control Panel link. Once it opens, note the address bar at the top and the arrow to the right of the Control Panel. Left-click on the arrow to bring up “All Control Panel Items” (these are specific to Windows 7 system config – Windows 8 has a few differences, I’ve noticed), then scroll down to “Taskbar and Start Menu” and left-click on it. First, left-click to de-select “Open Submenus when I pause on them with the Mouse pointer”, then scroll down to System Administration Tools and select to “Display on the Start Menu” to simplify this process (you’ll be using these tools a fair bit before you’re done), then left-click on the “Apply” button and close all open “GUI” boxes.

Step 3 – Now left-click the Start button, then “All Programs”, then System Administration Tools, then scroll down to the Services entry and left-click on it to select it, then right-click on it and left-click the “Run As Administrator” option. This will bring up the Services “snap-in” console so you can scroll slowly down the list. When you locate a “Disabled” service, double-left-click on it to bring up the Properties GUI for the Service and look at the “Disabled” setting. Left-click on the down arrow at the right and left-click on the “Manual” entry to change the service setting. The services which will require this are some of the internet-specific services. If you are not going to use Windows Defender, scroll to that entry, double-left-click on it, then put the mouse pointer on the service setting drop-down arrow and click it, then select “Disabled”. (Defender really doesn’t work well after implementing these upcoming permission revisions.)

Step 4 – Scroll to the Remote Registry service, double-left-click it to bring up the Properties GUI, left-click the down arrow on the service setting and choose “Disabled”. (Do you REALLY want a remote user to be able to alter your registry? I don’t.) Now close out the Services snap-in, for now.

Step 5 – Now click the Start button/All Programs/System Administration Tools/Task Scheduler, right-click on it after selecting it, and select “Run As Administrator”. The line in the snap-in which reads “Task Scheduler Library” has an arrow on the left, which you will left-click, then left-click the Microsoft down-arrow, then Windows down-arrow, then left-click on Active Directory. There are two Task listings – Automated and Manual, one folder each. You will select the Automated Task and note the User Account entry – it’s set to “Everyone” by default. Left-click on Change User, and in the next GUI box, type “system”, then left-click “Check Name”. The system will show it’s a valid entry by capitalizing it and underlining it – then left-click the “OK” button. On the “Trigger” tab, leave the “Enabled” box un-checked for now, but set the maximum time-length how you want it (I select one hour max). Remember that for the “Settings” tab, it ALSO has a maximum time option, so match the Trigger setting you chose for this option. I also suggest setting the service option at the bottom to “Do not start a new instance”. Now select the Manual task – for this one, set the User Account setting to the name of the Administrator account, and I recommend setting the “Run with Highest Privileges” option on this task. The system will provide an Administrative Password confirmation prompt, asking for the Password of the System administrator. Enter it, leaving this task “Enabled”, then close out the Task Scheduler snap-in.

Step 6 – Now click the Start button/All Programs/System Administration Tools/Component Services, left-click on it to select it, then right-click on it, then left-click on “Run As Administrator”. Click the arrow by Component Services, then the arrow by Computer(s), then the arrow on My Computer, then the one by COM+, then the one by System Application, then Roles. You will see five entries – Administrator, Any Application, QC Trusted User, Reader, and Server. You will be adding user entries to the Any Application, Reader, and Server panels, three each, as outlined in the next three steps.

Step 7 – On each of those, left-click the drop-arrow, then the Users drop-down arrow. You will see one entry for “Everyone”. Now, right-click on Users, then put the mouse pointer on New and left-click on “User”. In the resulting GUI, type “system” and click “Check Name” to let the system validate the user entry. Once it’s capitalized and underlined, click “Add” to add the entry. Repeat the process for “Users” and “Authenticated Users” each. Once all three panels are configured consistently, do the drop-arrow select on QC Trusted User and add the name of the Administrator account via the same process as for the other entries. Click “Apply”, then delete the “Everyone” entries on the three categories.

Step 8 – Now collapse the Roles folder and scroll to the Distributed Transaction Coordinator entry and left-click the drop-down arrow. You’ll find the Firewall setting, which you will set to “Home/private network” and left-click the “Allow Access” button. (You will need to decide for yourself whether to allow access for the Public network setting, but note the warning – I wouldn’t, but that’s me.) Then click “Apply”, close out the Component Services snap-in, and re-boot the PC.

Step 9 – [For Professional OS, there is no System Hive, so note that before you edit the permissions on “C” drive (next step), it may list them as “Special” when you audit the “Authenticated Users” permission entry.] For other operating systems, click the Start Button/All Programs/System Administration Tools/Computer Management/ then left-click on “Disk Management” to select it. You will see a rather small disk partition on the System drive which has no drive letter. Left-click on the “blank” partition (MS system “boot sector”) to select it, then right-click on it and select “Change drive letter and paths” (something like that, anyway). On the resulting GUI box, left-click the “Add” button, then choose the drive letter you want for it and left-click “Apply”. Note the Authenticated Users permission setting – you’ll need to know it for the next step (it’s supposed to be either “Read” or “Modify”).

Step 10 – Now click the Start button, then the Computer link, then left-click your system partition (usually C: drive) and click the Properties link. You will see permission entries, one of which is “Authenticated Users”, which has no permissions set at this point. To change that, click the “Edit” button and select either the “Read” or “Modify” check-box (and match the MS system hive setting to your operative choice). Now close out the C:/ Properties GUI snap-in and re-boot your PC.

Step 11 – Now we get to the Administrator’s “Take Ownership” ability and how to correctly apply it. First, go to Start button/Control Panel link, left-click it, then left-click the arrow to the right of “Control Panel” in the address bar, then click “All Control Panel Items” and scroll to “Folder Options”. Left-click it, then left-click the “View” tab, then scroll down to the show or hide hidden files and folders option and left-click to “Show…”, then scroll down to left-click to un-check “Hide Protected Operating System files”, then left-click the “Apply” button. Now close the Folder Options GUI box. You will see two desktop.ini icons on your desktop now (usually, depending upon your hardware manufacturer).

Step 12 – You will note several Root Directory folders on C: drive, two of which are “Hiberfil.sys” and “Pagefile.sys”. The system probably won’t let you set permissions on those, but on the “General” tab, you can left-click the “Advanced” button and select the “Allow” for the indexing option for each file. For each physical/logical drive partition on your PC, you will need to (left-)click them (one at a time) to select it, then click the Properties link option, then the Security tab, then click the Advanced button at the bottom, which will bring up the Permissions GUI snap-in. Next, click the “Owner” tab, then the “Edit” button. Set the Owner to “Administrator”, then click “Apply”.

Step 13 – Once you do that, click the Permissions tab and left-click on the “change permissions” button. You will left-click to “Include inheritable permissions from this folder’s parent object”, then click “Apply”. For each folder, the “Creator/Owner” and “Trusted Installer” non-inherited permissions need to be left as they are – but select the (non-inherited) entries which would duplicate the inheriting entries (i.e., “System”, “Administrator”, and “Users”) and select each and click “Remove” (again, one at a time). Once it’s configured, left-click the option to allow these permissions to propagate to all of the “Child objects”, then click “Apply”. After this, select the General tab and uncheck “Read-Only” and click “Apply”. Repeat Steps 12 and 13 for each C:/[root directory folder] object entry listed, but it’s better to only change the Owner on the Performance Log Users and not have permissions inherit for this folder. Now close out the GUI and re-boot again.

Step 14 – Next, click the Start button, then the Control Panel link, then the arrow to the right of Control Panel on the title box and select “All Control Panel Items”. Scroll to “Programs and Features” and left-click it, then select “Turn Windows features on or off”. Fill in the check-boxes with checks (if you see a blue filler in the box, there’s a drop-down arrow to open options to check other boxes – fill them all in). Once you hit the “OK” button, Windows will take a few minutes to turn them on.

Step 15 – Now, open the root directory on C: drive again, and this time you’ll see a folder named inetpub, for which you will repeat steps 12 and 13, except that you will not include inheritable permissions from the “parent” object. All of the User entries, leave as they are, except to select the “Users” entry, click the “Edit” button, and select “Full Control” and click “Apply”. Now, while still on the “Edit” option, click “Add”, and in the next GUI, type “Authenticated Users”, then left-click “Check Name(s)”. In the next GUI box, you will again select “Full Control” and click “Apply”. Then select the “General” tab and uncheck the “Read-Only” box and click “Apply” (Yes, “allow these changes to propagate to the child objects”). Now close out all of the open GUI boxes.

Step 16 – Go back into Control Panel/All Control Panel Items/Folder Options/View tab, to select “Don’t show hidden files and folders” and “Hide Protected Operating System files” and click “Apply”. Now close the Folder Options GUI snap-in and re-boot your PC.

 

Technician’s Note: Here there is room for some variance for individual preference and/or your system needs – if you check your Device driver tab on the System Properties snap-in and find that you need to do this, then install the required device drivers to bring your Performance Index to optimal. Also, if you’re smart, you will not just have an Administrator account, you will also have a standard user account from which to do your primary internet browsing, as this provides additional protection for your computer system (actually an individual network in and of itself). This is merely an advisory, so ignore this at your own risk.

For Task Scheduler, I suggest that you audit every Task Scheduler entry, but leave Windows Defender and Disk Defragmenter for the very last items (that is, if you’re deciding to use Defender), as they each have their own snap-in panels with which you must coordinate your Task Scheduler settings, and it’s better to turn off the Base Filtering Service on the Services snap-in (Administrative Services) before you start on those two – otherwise, every time you re-boot, you’ll need to reset them again. Once you’re done configuring these two tasks, you’ll need to restart the Base Filtering, IKE…, Firewall, and one other service which stopped when you stopped the Base Filtering service.

 

Step 17 – At the very least, the Task Scheduler needs to be audited for consistency between the Trigger and the Settings tabs (on the max. time allowed for each task) and how you want each task set for the power configuration options and for deciding which tasks need the Start conditions to include “Any connection”, for example. Oh, don’t forget that you’ll need to enable the Active Directory Automated updater task on the Trigger tab. Configuring Task Scheduler will take a while.
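The consistency check described in Step 17, as an added example that is not part of the original post: a Python script that reads a task definition exported as XML (for instance with `schtasks /query /tn <task name> /xml`) and reports triggers whose maximum run time differs from the Settings value, triggers left disabled, and an instance rule other than “Do not start a new instance” (`IgnoreNew` in the XML). The function names and the sample task are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task-definition XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 durations as they appear in task XML, e.g. PT1H, P3D, PT30M.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text):
    """Return a duration such as 'PT1H' in seconds, or None if the element is absent."""
    if text is None:
        return None
    value = text.strip()
    match = DURATION.match(value)
    if not match or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def show(limit):
    return "not set" if limit is None else f"{limit}s"


def audit_task(xml_text):
    """Return a list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "(unnamed task)", NS)
    findings = []
    # Settings tab: maximum run time and the rule for an already-running instance.
    settings_limit = duration_seconds(
        root.findtext("t:Settings/t:ExecutionTimeLimit", None, NS))
    # Assumption: an absent element is treated as IgnoreNew.
    policy = root.findtext("t:Settings/t:MultipleInstancesPolicy", "IgnoreNew", NS)
    if policy != "IgnoreNew":  # IgnoreNew = "Do not start a new instance"
        findings.append(f"{name}: MultipleInstancesPolicy is {policy}, not IgnoreNew")
    # Trigger tab: each trigger has its own optional time limit and Enabled flag.
    triggers = root.find("t:Triggers", NS)
    for trigger in (list(triggers) if triggers is not None else []):
        kind = trigger.tag.split("}", 1)[-1]
        trigger_limit = duration_seconds(
            trigger.findtext("t:ExecutionTimeLimit", None, NS))
        if trigger_limit != settings_limit:
            findings.append(f"{name}: {kind} limit {show(trigger_limit)} != "
                            f"Settings limit {show(settings_limit)}")
        if trigger.findtext("t:Enabled", "true", NS).strip().lower() == "false":
            findings.append(f"{name}: {kind} is disabled")
    return findings


# Constructed sample task (not taken from a real system).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Constructed\NightlyJob</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2017-01-01T03:00:00</StartBoundary>
      <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <BootTrigger>
      <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
      <Enabled>false</Enabled>
    </BootTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
  </Settings>
  <Actions><Exec><Command>C:\Constructed\job.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK):
        print(finding)
```

Run against one export per task, an empty result means the Trigger and Settings limits agree and no trigger is disabled.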

Step 18 – Go into Start/All Programs/System Admin. Tools/Services, left-click on Services, then right-click to see “Run As Administrator”, which you left-click to select it. Scroll down to the Telnet service and double-left-click it, then go to the “Disabled” entry, left-click the drop-arrow, then left-click on “Manual”, then click “Apply”. Now you can close out the Services snap-in. Now, under “All Control Panel Items”, scroll down to User Accounts and click it, then find the “Change UAC settings” and click that. In the resulting GUI window, select the default entry, which is “Don’t notify me when I make changes to Windows” and click “Apply”. Now close this GUI.

Step 19 – At this time, if you have not completed configuring the rest of the Control Panel options listed and created and configured any other user accounts (if you’re going to), I suggest that you do so before going to step 20. If you’ve not done so yet, this would be a great time to run Disk Cleanup and Disk Defragmenter to optimize your system drive (usually C:).

Step 20 – The next thing to do is to left-click on the Start button, left-click on “All Programs”, left-click on “Accessories”, then left-click on Games. Under the “Games” listing, select the MS Games by left-clicking on it. This should bring up the selection option GUI for installing updates for MS products, where you should select your preference at this juncture. At some point, you will also need to bring up Windows Media Player (unless you use another Media Application) and bring up the “Now Playing” window. Then right-click on it and select the arrow to the right of “Enhancements” and scroll to the “SysWOW” feature and left-click it. In the resulting window, there will be a “Turn On” link at the top left, which allows more options and advanced Media options.

Step 21 – Now you can run CHKDSK – which you can do by selecting the C: drive, then Properties (NOT system properties), then the Tools tab, then select “Check the drive for errors”. Windows will tell you that it can’t check the disk while it’s in use and prompts the user for scheduling a disk check. It will wait until the next re-boot to start the CHKDSK utility (on Windows 7, this takes almost 90 minutes – wow, a break, YAY!).

Step 22 – After that, you can either install any other software and/or applications or activate Windows first, whichever you prefer. Note: certain software applications have product keys which need to be validated by the system, so wait until after activating Windows to install these, else the system will not recognize them as valid.

 

Technician’s notes: I’ve noted various tasks and/or services which will need auditing up through the first online connection and after the resulting installation of the Antivirus suite, the anti-malware suite, and miscellaneous other items.

  1. Windows will need to be activated before Windows Backup and System Restore will function properly, and the Automatic Backup task will need to be audited to ensure that it configures for Windows 7 and not Windows Vista – if you’re on Windows 7, that is. (Whatever the OS, auditing each and every entry is always a good idea.)
  2. The Google Software Updater installs on the Task Scheduler Library (indented entry line) as running on Windows Server 2003 (on Windows Vista, Windows 7, and 10 operating systems, from my observations – I don’t recall how it works on Windows 8), so you’ll need to set it to your PC’s operating system instead.
  3. The Antivirus suite will install on Windows 7 systems to run on Windows Vista OS, so you’ll need to audit that, too. This is in the same GUI box as the Google Software Updater task on Task Scheduler. You will need to briefly stop the initial scan and audit the A/V suite’s Emergency Updater task so it runs on Windows 7 (or whatever MS Windows OS you’re using) and then re-start the initial scan.
  4. After the first time on the internet, during which you will need to install the antivirus suite and the anti-malware suite (if you prefer something other than Windows Defender), and perform your first Windows update run on your PC, another task installs on the Media Center panel on Task Scheduler – a second MCupdater task. Farther down the list, there is a new panel which includes two (system) validation tasks, which configure to run every 90 days by default. The Media Center tasks will need to have Triggers added and configured for the internet-specific tasks. This is so the system doesn’t make its “best guess” and misconfigure it.
  5. If you are performing this process on the Windows 8 operating system, just be aware that you can add the System Administration Tools to the Start screen, once you get to the Control Panel. You’ll have to use Windows Explorer to perform a search for the Control Panel to get to it. (In Windows 8.1, there is an option to set the appearance to resemble Windows 7 Start Button). Also, various services need to be turned on in the Services snap-in before they appear on the Control Panel, like Windows Defender and Windows Update. Oh, be prepared for your first Windows Update run to take about two days, since it takes several thousand updates on the first run – I’ve heard that from several people who’ve experienced it first-hand.
  6. Any applications specifically marketed by Microsoft will set the Owner by default to “System”, so you’ll need to set the owner to “Administrator”. If you’ve done this sequence without missing anything, the permissions ought to propagate as you’ve configured the System panel and disk properties snap-ins.

 

Tech’s notes: The previous numbered entries have been my overall observations during my learning process about how to do this procedure. Although my procedural guide is specific to Windows 7, as long as you work out the practical deviations to account for different operating systems and/or different PC manufacturers, this general process will work on NTFS/Windows Operating systems from Vista onward. I’ve only been concentrating on integrating and optimizing the Windows (7) operating system, since you’ve got to have a stable operating system on the PC before you even consider any Network Security options and Internet configurations. Do this procedure and your MS/Windows operating system will be much stabler (you could opt to skip the step for removing the “Everyone” from the “Roles” panel in COM+, I suppose, but why?) Have fun, all.

Comment by William J. Coblentz on April 17, 2017 at 9:41am

OMG, it took me six years to realize that I was seriously erring in my sequencing, but FINALLY I figured it out. Considering how many millennia of genetic detritus I had to confront, I guess I shouldn't be hard on myself, but on a more human level, OI, I've been a bit thick. B|

Comment by William J. Coblentz on July 25, 2016 at 9:48am

I DID have one more slight edit to add, please take note of it.

William

Comment by William J. Coblentz on July 19, 2016 at 7:44am

True, but that's the nice thing about MS Office Word - a lot of the functions make editing it a lot easier... B|

Comment by Linda M. on July 18, 2016 at 9:58pm

well, it's good you took the time to redo all of this....that's lots of work.

Comment by William J. Coblentz on July 17, 2016 at 7:02pm

...and hopefully, the last revision I'll need to make - I still need to re-print my Task Scheduler Spreadsheet in Excel, so I don't have to work so much if I ever need to re-install. B|
