System Installation Process for Tightened Security
Tech’s notes: It is better to have a good idea of the End User’s computer use patterns and configuration preferences so you can properly align the Task Scheduler settings and scheduling to the Users’ schedule(s). For the initial installation from the Operating System disks, do not connect the PC to the internet until the configuration re-writes are completed and the Task Scheduler settings have been audited and configured. One thing I’ve found from my own experiences and from the comments of other IT personnel – Windows is, itself, a worm program. Since I’ve had to learn much of this procedure the hard way, I’ve found out more than most IT personnel realize, except perhaps System Engineers. It’s best to stick to this process as written, at least until we get to the configuration of Task Scheduler. This is for Microsoft Windows (Vista through 10) – I have not had direct experience with Macintosh operating systems, although I have been told that they use the same basic operating system functional parameters, and it’s just the GUIs (Graphical User Interfaces, or windows) that are set up differently. (Note: MS Windows and Mac OS PC systems have their own code – stuff that works on Windows may not work on Mac OS PCs, and vice versa.) Since a Mac OS machine can also be joined to Active Directory, the same basic procedure may very well work for it, too, but take that up with a system engineer first, unless you’re into experimentation at your own risk. I will include variation directives for the Professional operating systems in brackets.
Step 1 – First, put the Windows OS disk in the optical drive and restart. You will need to know the function key that brings up the Boot options menu from the BIOS, so you can press the key specific to the hardware manufacturer immediately after the POST tests. Before installing, configure your BIOS options: for Windows 7 and later, the SATA controller mode needs to be set to AHCI rather than IDE/compatibility mode (you’ll see the entries if you just audit the whole thing; I think they are under the Integrated Peripherals entries). Once done, go to “Save and Exit Setup”, select the “Y” option, and press “Enter”. The system will boot from the disk and Setup will install the operating system. Once that is complete, the system will ask for the Administrator’s name, password, and the time zone for the physical location. Enter this information and let Windows finish setting up.
Step 2 – Now click the Start button/screen and left-click the Control Panel link. Once it opens, note the address bar at the top and the arrow to the right of “Control Panel”. Left-click on the arrow to bring up “All Control Panel Items” (these directions are specific to the Windows 7 layout – Windows 8 has a few differences, I’ve noticed), then scroll down to “Taskbar and Start Menu” and left-click on it. On the Start Menu tab, click “Customize…”. First, left-click to de-select “Open submenus when I pause on them with the mouse pointer”, then scroll down to “System administrative tools” and select “Display on the All Programs menu and the Start menu” to simplify this process (you’ll be using these tools a fair bit before you’re done), then left-click “OK”, then the “Apply” button, and close all open GUI boxes.
Step 3 – Now left-click the Start button, then “All Programs”, then System Administration Tools, then scroll down to the Services entry and left-click on it to select it, then right-click on it and left-click the “Run As Administrator” option. This will bring up the Services “snap-in” console so you can scroll slowly down the list. When you locate a “Disabled” service, double-left-click on it to bring up the Properties GUI for the Service and look at the Startup type, which will read “Disabled”. Left-click on the down arrow at the right and left-click on the “Manual” entry to change the service setting. Only some of the internet-specific services will require this. Keep in mind that “Disabled” is the most restrictive state a service can be in, and “Manual” only means it is not running until the system or a program with the right to start it asks for it, so change only the services you have a reason to need and leave the rest at “Disabled”. If you are not going to use Windows Defender, scroll to that entry, double-left-click on it, then put the mouse pointer on the Startup type drop-down arrow and click it, then select “Disabled”. (Defender really doesn’t work well after implementing these upcoming permission revisions.) (On Windows 10 the Windows Defender service is protected and its Startup type is greyed out in this console; if you mean to turn it off there, it has to be done through the Defender settings or Group Policy.)
Step 4 – Scroll to the Remote Registry service, double-left-click it to bring up the Properties GUI, use the Startup type drop-down to choose “Disabled”, and click “Stop” if the service is running (do you REALLY want a remote user to be able to read or alter your registry? I don’t). Now close out the Services snap-in, for now.
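The two service changes above, plus the audit of what is currently “Disabled”, can be done and verified from an elevated PowerShell prompt. This is an added example and not part of the original post; it assumes PowerShell 3.0 or later (built into Windows 8 and later, available for Windows 7 through WMF 3.0) and the standard service short names RemoteRegistry and TlntSvr (the Telnet server from Step 18, which this example disables rather than leaving at Manual).

```powershell
# Added example (not from the original post): audit service start modes and
# apply the Remote Registry change from Step 4 in one pass. Run from an
# elevated PowerShell 3.0+ prompt (assumed). Service short names used here:
# RemoteRegistry (Remote Registry), TlntSvr (Telnet server, Step 18).

# 1. Everything currently Disabled, so you can decide case by case which
#    entries to move to Manual. Disabled is the most restrictive state;
#    Manual only means "not running until something starts it".
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Disabled' } |
    Sort-Object Name |
    Format-Table Name, DisplayName, StartMode, State -AutoSize

# 2. Remote Registry: disable and stop. A standalone workstation has no
#    reason to let other machines read or change its registry.
Set-Service -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue

# 3. Telnet server, if Step 14 installed it: same treatment rather than
#    Manual, since it authenticates in clear text. -ErrorAction covers the
#    case where the feature was never enabled and the service is absent.
Set-Service -Name TlntSvr -StartupType Disabled -ErrorAction SilentlyContinue
Stop-Service -Name TlntSvr -Force -ErrorAction SilentlyContinue

# 4. Verify, and fail loudly if a change did not stick.
function Test-ServiceDisabled([string]$Name) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return "${Name}: not installed" }
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
        throw "$Name is StartMode=$($svc.StartMode) State=$($svc.State); expected Disabled/Stopped"
    }
    "${Name}: StartMode=$($svc.StartMode) State=$($svc.State)"
}
Test-ServiceDisabled RemoteRegistry
Test-ServiceDisabled TlntSvr
```

Run it once before the changes to keep the “Disabled” list as a baseline, and again after the first online session and antivirus install (Technician’s notes below) to see what those installers changed.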
Step 5 – Now click the Start button/All Programs/System Administration Tools/Task Scheduler, right-click on it after selecting it, and select “Run As Administrator”. The line in the snap-in which reads “Task Scheduler Library” has an arrow on the left, which you will left-click, then left-click the Microsoft down-arrow, then the Windows down-arrow, then left-click on the Active Directory Rights Management Services Client folder. There are two tasks listed – AD RMS Rights Policy Template Management (Automated) and (Manual). Select the Automated task and, on the General tab, note the account it runs under – it’s set to “Everyone” by default. Left-click on “Change User or Group…”, and in the next GUI box type “system”, then left-click “Check Names”. The system will show it’s a valid entry by capitalizing it and underlining it – then left-click the “OK” button. On the “Triggers” tab, edit the trigger, leave its “Enabled” box un-checked for now, but set “Stop task if it runs longer than” how you want it (I select one hour max). Remember that the “Settings” tab ALSO has a “Stop the task if it runs longer than” option, so match the Trigger setting you chose for this option. I also suggest setting the “If the task is already running” option at the bottom to “Do not start a new instance”. (Practitioner’s caveat: this task exists to refresh rights policy templates for whoever is logged on, which is why it runs as Everyone; run as SYSTEM it no longer does that for any user. If you do not use AD RMS at all, the simpler and tighter option is to leave the task disabled.) Now select the Manual task – for this one, set the account to the name of the Administrator account, and I recommend setting the “Run with highest privileges” option on this task. The system will prompt for the password of the Administrator account. Enter it, leaving this task “Enabled”, then close out the Task Scheduler snap-in.
Step 6 – Now click the Start button/All Programs/System Administration Tools/Component Services, left-click on it to select it, then right-click on it, then left-click on “Run As Administrator”. Click the arrow by Component Services, then the arrow by Computers, then the one by My Computer, then the one by COM+ Applications, then the one by System Application, then Roles. You will see five entries – Administrator, Any Application, QC Trusted User, Reader, and Server. You will be adding user entries to the Any Application, Reader, and Server roles, three each, as outlined in the next step.
Step 7 – On each of those, left-click the drop-arrow, then the Users drop-down arrow. You will see one entry for “Everyone”. Now, right-click on Users, then put the mouse pointer on New and left-click on “User”. In the resulting GUI, type “system” and click “Check Names” to let the system validate the user entry. Once it’s capitalized and underlined, click “Add” to add the entry. Repeat the process for “Users” and “Authenticated Users” each. Once all three roles are configured consistently, do the drop-arrow select on QC Trusted User and add the name of the Administrator account via the same process as for the other entries. Click “Apply”, then delete the “Everyone” entries from the three roles. (Practitioner’s note: swapping “Everyone” for “Users” plus “Authenticated Users” narrows these roles only marginally, since every interactive user is in both; what you gain is an explicit membership list you can audit, and the exclusion of anonymous callers.)
Step 8 – Now collapse the Roles folder and scroll to the Distributed Transaction Coordinator entry and left-click its drop-down arrow. Under it you’ll find the firewall setting, which you will set to “Home/private network” and then left-click the “Allow Access” button. (You will need to decide for yourself whether to allow access for the Public network setting, but note the warning – I wouldn’t, but that’s me. Better still, on a standalone workstation leave Network DTC Access turned off altogether: it is off by default, and enabling it opens an inbound RPC listener that nothing on a single PC needs.) Then click “Apply”, close out the Component Services snap-in and re-boot the PC.
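Steps 6 through 8 are easy to get subtly wrong by hand, so here is a way to read the resulting COM+ role membership back and check it. This is an added example and not from the original post; it uses the COM+ administration catalog object (COMAdmin.COMAdminCatalog), assumes an elevated PowerShell 3.0+ prompt, and assumes the application is named “System Application” as it is on Windows 7.

```powershell
# Added example (not from the original post): list the roles of the COM+
# "System Application" and their members, so Steps 6-8 can be verified
# instead of eyeballed. Uses the COM+ administration catalog object
# (COMAdmin.COMAdminCatalog); run from an elevated PowerShell 3.0+ prompt.
# Application and role names are those shown on Windows 7 (assumed).

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()

$systemApp = $null
foreach ($app in $apps) {
    if ($app.Name -eq 'System Application') { $systemApp = $app }
}
if (-not $systemApp) { throw 'System Application not found in the COM+ catalog' }

$roles = $apps.GetCollection('Roles', $systemApp.Key)
$roles.Populate()

$report = foreach ($role in $roles) {
    $members = $roles.GetCollection('UsersInRole', $role.Key)
    $members.Populate()
    $names = @(foreach ($m in $members) { $m.Value('User') })
    [pscustomobject]@{
        Role    = $role.Name
        Members = ($names -join '; ')
    }
}
$report | Format-Table -AutoSize

# The post's target state: Everyone removed from Any Application, Reader and
# Server, replaced by SYSTEM, Users and Authenticated Users. Flag leftovers.
foreach ($row in $report) {
    if ($row.Members -match '(^|; )Everyone(;|$)') {
        Write-Warning "Role '$($row.Role)' still contains Everyone"
    }
}
```

Save the first run’s output before you touch anything: the post itself notes that the “Everyone” removal is optional, and the table is the only record of what the roles looked like before you changed them.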
Step 9 – [For Professional OS, there may be no separate System Reserved partition (its presence depends on how the disk was partitioned, not only on the edition), so note that before you edit the permissions on “C” drive (next step), it may list the “Authenticated Users” permission entry as “Special” when you audit it.] Otherwise, click the Start Button/All Programs/System Administration Tools/Computer Management, then left-click on “Disk Management” to select it. You will see a rather small partition (about 100 MB, labeled “System Reserved”) on the system disk which has no drive letter; it holds the boot manager and the BCD store, not a registry hive. Left-click on that partition to select it, then right-click on it and select “Change Drive Letter and Paths…”. On the resulting GUI box, left-click the “Add” button, then choose the drive letter you want for it and left-click “OK”. Note the Authenticated Users permission setting on it – you’ll need to know it for the next step (it’s supposed to be either “Read” or “Modify”). Remove the drive letter again when you are finished: with a letter assigned, the boot files are reachable by every program and user on the machine, and only their permissions stand between them and modification.
Step 10 – Now click the Start button, then the Computer link, then right-click your system partition (usually C: drive), click Properties and open the Security tab. You will see permission entries, one of which is “Authenticated Users”; on a default install it shows “Special” permissions here (Modify on subfolders and files, plus the right to create folders in the root) rather than a plain Read or Modify. To change that, click the “Edit” button and select either the “Read” or “Modify” check-box (and match the System Reserved partition setting to your choice). Read is the tighter choice: Modify on the root of the system drive lets any logged-on user create and rename files directly in C:\, which is exactly what unquoted-path and search-order tricks rely on (a C:\Program.exe planted against an unquoted “C:\Program Files\…” path is the classic case). Now close out the C:\ Properties GUI and re-boot your PC.
Step 11 – Now we get to the Administrator’s “Take Ownership” ability and how to correctly apply it. First, go to Start button/Control Panel link, left-click it, then left-click the arrow to the right of “Control Panel” in the address bar, then click “All Control Panel Items” and scroll to “Folder Options”. Left-click it, then left-click the “View” tab, then scroll down to the hidden files and folders option and select “Show hidden files, folders, and drives”, then scroll down and left-click to un-check “Hide protected operating system files (Recommended)”, then left-click the “Apply” button. Now close the Folder Options GUI box. You will see two desktop.ini icons on your desktop now (usually, depending upon your hardware manufacturer).
Step 12 – You will note several entries in the root directory of C: drive, two of which are the files “hiberfil.sys” and “pagefile.sys”. The system won’t let you set permissions on those while it is running, and there is nothing useful to change on them (the “Advanced” button on the General tab only exposes attributes such as content indexing, which you do not want on a page file anyway). For each physical/logical drive partition on your PC, (left-)click it to select it, then click Properties, then the Security tab, then click the Advanced button at the bottom, which will bring up the Advanced Security Settings GUI. Next, click the “Owner” tab, then the “Edit” button. Set the Owner to “Administrator”, then click “Apply”. (Practitioner’s caveat: on Vista and later the Windows, Program Files and Program Files (x86) folders are owned by TrustedInstaller on purpose; Windows servicing, Windows Update and SFC rely on that owner and on the explicit permissions that come with it. Taking ownership does not make these folders safer – the Administrators group can take ownership at any time anyway – and combined with the next step it can break updating. Do it on data drives and your own folders, and think twice before doing it on the system folders.)
Step 13 – Once you do that, click the Permissions tab and left-click on the “Change Permissions…” button. Left-click to check “Include inheritable permissions from this object’s parent”, then click “Apply”. For each folder, leave the non-inherited “CREATOR OWNER” and “TrustedInstaller” permissions as they are – but select the (non-inherited) entries which would duplicate the inheriting entries (i.e., “SYSTEM”, “Administrators”, and “Users”) and click “Remove” for each (again, one at a time). Once it’s configured, left-click the option to “Replace all child object permissions with inheritable permissions from this object”, then click “Apply”. After this, select the General tab, uncheck “Read-only” and click “Apply”. Repeat Steps 12 and 13 for each folder in the root of C:\, but it’s better to only change the Owner on the PerfLogs (performance log) folder and not have permissions inherit for this folder. Now close out the GUI and re-boot again. (Practitioner’s check: the explicit entries you are removing are what keep standard users from writing into Windows and Program Files, and what replaces them through inheritance is whatever you set on C:\ in Step 10. If that was Modify for Authenticated Users, every user can now replace binaries in the system folders, which is the opposite of tightened security. Afterwards, open Advanced > Effective Permissions for a standard user account on C:\Windows and C:\Program Files and confirm it shows Read & execute only.)
Step 14 – Next, click the Start button, then the Control Panel link, then the arrow to the right of Control Panel in the address bar and select “All Control Panel Items”. Scroll to “Programs and Features” and left-click it, then select “Turn Windows features on or off”. Fill in the check-boxes with checks (if you see a blue filler in the box, there’s a drop-down arrow to open options to check other boxes – fill them all in). Be aware that several of these features are network services – Internet Information Services, Telnet Server, Simple TCPIP services and TFTP Client among them – and each one you enable is another listener or client you have to configure and patch, which works against a smaller attack surface. Enable only the ones you actually need; the inetpub folder in the next step and the Telnet service in Step 18 exist only because IIS and Telnet Server were turned on here. Once you hit the “OK” button, Windows will take a few minutes to turn them on.
Step 15 – Now, open the root directory on C: drive again, and this time you’ll see a folder named inetpub, for which you will repeat steps 12 and 13, except that you will not include inheritable permissions from the “parent” object. Leave all of the user entries as they are, except to select the “Users” entry, click the “Edit” button, select “Full Control” and click “Apply”. Now, while still on the “Edit” option, click “Add”, and in the next GUI type “Authenticated Users”, then left-click “Check Names”. In the next GUI box, you will again select “Full Control” and click “Apply”. Then select the “General” tab, uncheck the “Read-only” box and click “Apply” (yes, “allow these changes to propagate to the child objects”). Now close out all of the open GUI boxes. (Practitioner’s caveat: inetpub is the IIS web root. Full Control for Users and Authenticated Users means any account on the machine can drop files into the site that IIS will serve or execute as its worker process, and can rewrite the logs under it. The web server itself needs no more than the default Read & execute for IIS_IUSRS; keep write access limited to the account that actually publishes content, and if you are not running a web site, do not enable IIS in Step 14 at all.)
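Steps 12, 13 and 15 all change owners, inheritance and grants on the top-level folders of the system drive, and the effect is hard to see from the GUI one folder at a time. The script below walks those folders and reports owner, whether inheritance is blocked, and any Full Control given to a broad principal. It is an added example, not from the original post; it assumes an elevated PowerShell 3.0+ prompt and the English principal names (“BUILTIN\Users”, “NT AUTHORITY\Authenticated Users”, “Everyone”), which a localized install spells differently.

```powershell
# Added example (not from the original post): after the ownership/inheritance
# changes of Steps 12-13 and the inetpub grants of Step 15, walk the top-level
# folders of the system drive and report owner, whether inheritance is blocked,
# and any Full Control granted to a broad principal. Run elevated, PowerShell
# 3.0+ (assumed). Principal names are the English defaults (assumed).

$root  = "$env:SystemDrive\"
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$full  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll = 268435456   # GENERIC_ALL, as it appears in inherit-only ACEs

function Test-FullControl($rule) {
    $rights = [int]$rule.FileSystemRights
    (($rights -band $full) -eq $full) -or ($rights -eq $genericAll)
}

$rows = foreach ($dir in Get-ChildItem -LiteralPath $root -Directory -Force) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # e.g. the "Documents and Settings" junction
    $hits = @(foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $broad -contains $rule.IdentityReference.Value -and
            (Test-FullControl $rule)) {
            $rule.IdentityReference.Value
        }
    })
    [pscustomobject]@{
        Folder             = $dir.Name
        Owner              = $acl.Owner                  # TrustedInstaller on untouched system folders
        InheritanceBlocked = $acl.AreAccessRulesProtected
        BroadFullControl   = (($hits | Sort-Object -Unique) -join ', ')
    }
}

$rows | Format-Table -AutoSize

# Anything in the last column can be rewritten by every local account.
# On the system folders that is the regression Step 13 can introduce;
# on inetpub it is exactly what Step 15 grants on purpose.
foreach ($row in ($rows | Where-Object { $_.BroadFullControl })) {
    Write-Warning "$($row.Folder): Full Control for $($row.BroadFullControl)"
}
```

Run it once on the fresh install so you have the default owners and grants to compare against; Windows and Program Files should show TrustedInstaller as owner and nothing in the last column, and if inetpub is the only folder that warns, the change did what Step 15 intended and nothing more.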
Step 16 – Go back into Control Panel/All Control Panel Items/Folder Options/View tab, select “Don’t show hidden files, folders, or drives”, re-check “Hide protected operating system files (Recommended)” and click “Apply”. Now close the Folder Options GUI snap-in and re-boot your PC.
Technician’s Note: Here there is room for some variance for individual preference and/or your system needs – check Device Manager from the System Properties snap-in, and if you find that you need to, install the required device drivers to bring your Windows Experience Index to optimal. Also, if you’re smart, you will not just have an Administrator account; you will also have a standard user account from which to do your primary internet browsing, as this provides additional protection for your computer system (actually an individual network in and of itself). This is merely an advisory, so ignore it at your own risk.
For Task Scheduler, I suggest that you audit every Task Scheduler entry, but leave Windows Defender and Disk Defragmenter for the very last items (that is, if you’re deciding to use Defender), as they each have their own snap-in panels with which you must coordinate your Task Scheduler settings, and it’s better to stop the Base Filtering Engine service in the Services snap-in (Administrative Tools) before you start on those two – otherwise, every time you re-boot, you’ll need to reset them again. Stopping the Base Filtering Engine also stops everything that depends on it – IKE and AuthIP IPsec Keying Modules, IPsec Policy Agent and Windows Firewall – so the host firewall is down for as long as it is stopped; do this only while the PC is still offline, as it should be at this point. Once you’re done configuring these two tasks, restart the Base Filtering Engine and then the three dependent services that stopped with it.
Step 17 – At the very least, the Task Scheduler needs to be audited for consistency between the Triggers and the Settings tabs (the maximum run time allowed for each task must match in both places), for how you want each task set on the power options (Conditions tab), and for which tasks need the network condition (“Start only if the following network connection is available”) set to “Any connection”, for example. Oh, don’t forget that you’ll need to enable the trigger on the AD RMS Rights Policy Template Management (Automated) task from Step 5. Configuring Task Scheduler will take a while.
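The consistency check above is tedious to do task by task in the console, so here it is as a script. It is an added example, not part of the original post; it uses the Schedule.Service COM API (present from Vista onward, so it does not depend on the ScheduledTasks module that only Windows 8 and later ship) and assumes an elevated PowerShell 3.0+ prompt.

```powershell
# Added example (not from the original post): audit every scheduled task for
# what Step 17 and the note before it ask you to check by hand: the run-time
# limit on each trigger versus the task-wide limit on the Settings tab, and
# which tasks run elevated or as SYSTEM. Uses the Schedule.Service COM API
# (Vista through 10). Assumed: elevated PowerShell 3.0+ prompt.

$scheduler = New-Object -ComObject Schedule.Service
$scheduler.Connect()

function Get-TasksRecursive($folder) {
    foreach ($task in $folder.GetTasks(1)) { $task }      # 1 = include hidden tasks
    foreach ($sub in $folder.GetFolders(0)) { Get-TasksRecursive $sub }
}

$runLevel  = @{ 0 = 'LUA'; 1 = 'Highest' }
$instances = @{ 0 = 'Parallel'; 1 = 'Queue'; 2 = 'IgnoreNew'; 3 = 'StopExisting' }

$rows = foreach ($task in Get-TasksRecursive $scheduler.GetFolder('\')) {
    $def   = $task.Definition
    $limit = $def.Settings.ExecutionTimeLimit      # ISO 8601, e.g. PT1H; '' or PT0S = no limit
    $triggerLimits = @(foreach ($t in $def.Triggers) { $t.ExecutionTimeLimit })
    $mismatch = @($triggerLimits | Where-Object { $_ -and $_ -ne $limit }).Count -gt 0
    $runAs = $def.Principal.UserId
    if (-not $runAs) { $runAs = $def.Principal.GroupId }   # group principals, e.g. Everyone (S-1-1-0)
    [pscustomobject]@{
        Path          = $task.Path
        Enabled       = $task.Enabled
        RunAs         = $runAs
        RunLevel      = $runLevel[[int]$def.Principal.RunLevel]
        SettingsLimit = $limit
        TriggerLimits = ($triggerLimits -join ',')
        Instances     = $instances[[int]$def.Settings.MultipleInstances]
        Mismatch      = $mismatch
    }
}

'Trigger/Settings time-limit mismatches:'
$rows | Where-Object { $_.Mismatch } |
    Format-Table Path, SettingsLimit, TriggerLimits -AutoSize

'Enabled tasks that run as SYSTEM or with highest privileges:'
$rows | Where-Object { $_.Enabled -and ($_.RunLevel -eq 'Highest' -or $_.RunAs -match 'SYSTEM|S-1-5-18') } |
    Format-Table Path, RunAs, RunLevel, Instances -AutoSize
```

The second table is the one to keep: every enabled task on it runs with full privileges, so any folder or script such a task reads from needs the same scrutiny as the system folders in Step 13.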
Step 18 – Go into Start/All Programs/System Admin. Tools/Services, left-click on Services, then right-click to see “Run As Administrator”, which you left-click to select. Scroll down to the Telnet service and double-left-click it, then go to the Startup type drop-down, left-click the drop-arrow, then left-click on “Manual”, then click “Apply”. (This service is the Telnet Server turned on in Step 14; it authenticates in clear text over the network, so on a tightened system it belongs at “Disabled”, or better, not installed. “Manual” only means it is not running until something starts it.) Now you can close out the Services snap-in. Now, under “All Control Panel Items”, scroll down to User Accounts and click it, then find “Change User Account Control settings” and click that. In the resulting GUI window, this guide moves the slider to the bottom position, “Never notify”. Be aware that this is not the default (the default is the second position from the top, “Notify me only when programs try to make changes to my computer”) and that it removes the consent prompt entirely, so any program run by an administrator account gets full administrator rights without asking; if you follow it, working day to day from the standard user account recommended in the Technician’s Note above matters all the more. Click “OK” and close this GUI.
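The UAC slider is just a front end for three registry values, and recording them explicitly makes the choice in Step 18 auditable and repeatable. The script below reads them back, maps each slider position to its values, and sets one; it is an added example, not from the original post, assumes an elevated PowerShell 3.0+ prompt, and uses the documented policy key under HKLM.

```powershell
# Added example (not from the original post): read the registry values behind
# the UAC slider in Step 18 and set them explicitly. The mappings are the
# values the slider writes on Windows 7 through 10. Run from an elevated
# PowerShell 3.0+ prompt (assumed).

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Slider position -> (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop)
$levels = @{
    Always  = @{ ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }  # top
    Default = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }  # Windows default
    NoDim   = @{ ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    Never   = @{ ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }  # bottom; what Step 18 selects
}

function Get-UacState {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacLevel([ValidateSet('Always','Default','NoDim','Never')][string]$Level) {
    # EnableLUA=0 switches UAC off entirely (no filtered admin token, no
    # protected-mode browser, no UAC virtualization) and needs a reboot.
    # Keep it at 1 at every slider position; on Windows 7 the bottom
    # position would otherwise clear it, on Windows 8 and later it stays 1.
    Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
    foreach ($name in $levels[$Level].Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $levels[$Level][$name] -Type DWord
    }
}

'Before:'; Get-UacState | Format-List
Set-UacLevel -Level Default      # use -Level Never to reproduce the post's setting
'After:';  Get-UacState | Format-List
```

Whatever position you pick, keep the “Before” output with your build notes: if an installer later flips these values (some do), the diff is a one-line check instead of a guess.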
Step 19 – At this time, if you have not completed configuring the rest of the Control Panel options and created and configured any other user accounts (if you’re going to), I suggest that you do so before going to step 20. If you’ve not done so yet, this would also be a great time to run Disk Cleanup and Disk Defragmenter to optimize your system drive (usually C:).
Step 20 – The next thing to do is to left-click on the Start button, left-click on “All Programs”, left-click on “Accessories”, then left-click on Games. Under the “Games” listing, left-click the Microsoft games entry to open the Games Explorer. The first time it opens it brings up the options GUI for downloading game updates and information from Microsoft, where you should select your preference at this juncture. At some point, you will also need to bring up Windows Media Player (unless you use another media application) and bring up the “Now Playing” window. Then right-click on it, select the arrow to the right of “Enhancements”, scroll to the “SRS WOW Effects” entry and left-click it. In the resulting window, there will be a “Turn on” link at the top left, which allows more options and advanced media options.
Step 21 – Now you can run CHKDSK, which you can do by right-clicking the C: drive, then Properties (NOT System Properties), then the Tools tab, then “Check now…” under Error-checking. Windows will tell you that it can’t check the disk while it’s in use and will offer to schedule a disk check; it will run the CHKDSK utility at the next re-boot (on Windows 7, this takes almost 90 minutes – wow, a break, YAY!).
Step 22 – After that, you can either install any other software and/or applications or activate Windows first, whichever you prefer. Note: certain software applications have product keys which need to be validated against an activated system, so wait until after activating Windows to install these, else the system will not recognize them as valid.
Technician’s notes: I’ve noted various tasks and/or services which will need auditing up through the first online connection and after the resulting installation of the antivirus suite, the anti-malware suite, and miscellaneous other items.
Tech’s notes: The previous numbered entries have been my overall observations during my learning process about how to do this procedure. Although my procedural guide is specific to Windows 7, as long as you work out the practical deviations to account for different operating systems and/or different PC manufacturers, this general process will work on NTFS/Windows operating systems from Vista onward. I’ve only been concentrating on integrating and optimizing the Windows (7) operating system, since you’ve got to have a stable operating system on the PC before you even consider any network security options and internet configurations. Do this procedure and your MS/Windows operating system will be much more stable (you could opt to skip the step for removing “Everyone” from the “Roles” panel in COM+, I suppose, but why?). Have fun, all.