INSTALLATION CHECKLIST FOR NEW WINDOWS COMPUTERS
------------------------------------------------

Author        : Alain Fauconnet - Security Administrator - ITServ
Revision date : 22-Sep-2004

* Windows XP
------------

1) prefer a custom install, and install only the optional parts you really
   need, e.g. no IIS (web publishing, FTP server) on a workstation, no SMTP
   server etc.

2) install service pack 1a of Windows XP from:
   - Thai or English version
     http://itsec.ait.ac.th/download/updates/windows/wxp/sp/xpsp1a_en_x86.exe
   - French version
     http://itsec.ait.ac.th/download/updates/windows/wxp/sp/xpsp1a_fr_x86.exe
   - Other versions
     Download from Microsoft, choosing proper language
     http://www.microsoft.com/downloads/details.aspx?FamilyID=83e4e879-fa3a-48bf-ade5-023443e29d78&DisplayLang=en

3) restart

4) OPTIONAL: install service pack 2 of Windows XP from:
   http://itsec.ait.ac.th/download/updates/windows/wxp/sp/WindowsXP-KB835935-SP2-ENU.exe
   This is for Windows XP English or Thai only. Installing it on any other
   language version will not work.

   NOTE: Installing SP2 manually is not recommended at this time. SP2 does
   change a lot of things in Windows XP. It won't harm normal desktops used
   only for office work and mostly MS software, but may cause problems with
   non-MS software or more specific software (especially related to
   networking). It will install automatically after Automatic Updates are
   enabled (see below). Furthermore, by installing SP1a and the updates
   above, the resulting Windows installation will be just as secure. This
   takes much less time too (SP2 installation is quite long).

5) restart if you have performed the installation of SP2 above

6) manually install the following Windows XP critical updates:
   Note: this applies to English and Thai versions of Windows only.
   For other versions, you can go to:
   http://support.microsoft.com/
   and enter the KBxxxxxx string in the links below e.g. "KB824146" in the
   "Search the Knowledge Base" field.
   This will take you to the correct download link or security bulletin.
   In some cases, there will be no specific download link for any other
   language. In that case, you can use the download link below.

   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB824146-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB826939-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB823182-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB824141-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB825119-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB828035-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB810217-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB828028-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB837001-x86-ENU.EXE
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB828741-x86-ENU.EXE
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB835732-x86-ENU.EXE
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB840374-x86-ENU.EXE
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB839643-x86-ENU.EXE
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB841873-x86-enu.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB839645-x86-enu.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB840315-x86-enu.exe
   http://itsec.ait.ac.th/download/updates/windows/wxp/sup/WindowsXP-KB833987-x86-ENU.EXE

   Note: although some updates may prompt you to restart your computer, you
   may delay the restart until step 8 below is finished

7) manually install the following Internet Explorer 6 SP1 critical updates:
   Note: this applies to English and Thai versions of Windows only.
   For other versions, you can go to:
   http://support.microsoft.com/
   and enter "KB867801" in the "Search the Knowledge Base" field.
   This will take you to the correct download link or security bulletin.
   In some cases, there will be no specific download link for any other
   language. In that case, you can use the download links below.

   http://itsec.ait.ac.th/download/updates/windows/ie6sp1/IE6.0sp1-KB867801-x86-ENU.exe
   http://itsec.ait.ac.th/download/updates/windows/ie6sp1/IE6.0sp1-KB833989-x86-ENU.exe

8) manually install the following Outlook Express 6 SP1 critical updates:
   Note: this applies to English and Thai versions of Windows only.
   For other versions, you can go to:
   http://support.microsoft.com/
   and enter "KB823353" in the "Search the Knowledge Base" field.
   This will take you to the correct download link or security bulletin.
   In some cases, there will be no specific download link for any other
   language. In that case, you can use the download link below.

   http://itsec.ait.ac.th/download/updates/windows/ie6sp1/IE6.0sp1-KB823353-x86-ENU.exe

9) restart

10) configure Windows XP for automatic updates:
    - open the control panel
    - open 'system'
    - select the 'automatic updates' tab
    - check the 'Keep my computer up to date...' box
    - choose whether you want:
      (1) updates to be downloaded _and_ installed automatically at a
          given time
      (2) updates downloaded automatically and user notified that updates
          are ready for installation (icon 'Earth globe with Windows logo'
          in control panel and balloon)

    (1) is suitable if the normal user is _not_ a member of the
    Administrators group, if the PC is always turned on or if the
    installation (and a possible automatic restart) is possible at a given
    time of the day (e.g.
    lunch time)

    (2) is suitable for notebooks that are not turned on every day, if the
    normal user _is_ a member of the Administrators group _and_ can be
    trusted to pay attention to the 'New updates are ready to install' icon
    appearing in the taskbar, _and_ act upon it (or that an administrator
    logs in every day on that computer)

11) set automatic updates to download from our AIT server
    - open Internet Explorer and go to http://wuserv.ait.ac.th/#wu
    - read the text under 'AIT Windows Update server' and click on the
      link, following instructions on the page

    Direct link to the correct file:
    http://wuserv.ait.ac.th/WUSUS.REG
    Open that file (don't just save it), and click Yes to "do you want to
    add ... to the registry"

12) OPTIONAL but RECOMMENDED: force an immediate update
    - open a 'cmd' command-line window (Start->Run, then type "cmd" and
      click OK)
    - type: net stop wuauserv
    - type: regedit
      to start the registry editor
    - navigate to the following key:
      \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate
      On the right, you should have a list of keys and values, like
      "AUOptions" etc.
    - look for the values that are a date and time like:
      "2004.09.09 19:22:36" (of course actual date/time will differ)
      There will be 2 or 3 keys having a date/time value, usually
      LastWaitTimeout and 1 or 2 others.
    - simply click on the key name, and hit the Delete key to delete these
      keys. Then exit the registry editor.
    - in the command-line window, type: net start wuauserv

    Within about 10 minutes, this computer will start checking for updates
    and download updates if needed. Some time later, if any update has been
    downloaded, you will see the "Updates are ready to be installed" icon
    in the taskbar.
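
    Step 12 as a single batch file, added here as an example (it is not
    part of the original checklist). Instead of hard-coding value names it
    deletes whichever values hold a date/time string; the key name is
    written with the space ("Auto Update") that regedit shows on stock
    Windows XP, which is an assumption to check against your own registry.

```batch
@echo off
rem Added example, not from the original checklist: automates step 12.
rem Run it from an account that is a member of the Administrators group.
setlocal

rem Assumption: key name as regedit displays it on stock Windows XP.
rem Edit this line if your registry shows a different name.
set "AUKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"

rem Pattern for date/time data such as 2004.09.09 19:22:36
set "STAMP=[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]"

rem Stop early, before touching the service, if the key is not there.
reg query "%AUKEY%" >nul 2>&1
if errorlevel 1 (
    echo Key not found: %AUKEY%
    exit /b 1
)

net stop wuauserv

rem Each matching line of "reg query" output reads: name, type, data.
rem The value names concerned contain no spaces, so token 1 is the name.
for /f "tokens=1" %%V in ('reg query "%AUKEY%" ^| findstr /r /c:"%STAMP%"') do (
    echo Deleting %%V
    reg delete "%AUKEY%" /v %%V /f
)

net start wuauserv
endlocal
```

    Values such as "AUOptions" do not match the date/time pattern, so the
    automatic update settings chosen in step 10 are left untouched.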

13) install the Trend Micro OfficeScan anti-virus
    - open Internet Explorer and go to http://avserv.ait.ac.th/#av
    - read the text under 'AIT campus-wide anti-virus scanner' and click on
      the link, following instructions on the page

    Note: If the web-based installation fails for some reason, you can open
    and run
    http://avserv.ait.ac.th/download/Packages/OSCENT.exe
    Please report this case to the Helpdesk.

    Note: Trend Micro OfficeScan Anti-Virus and XP SP2
    A problem has been identified on Windows XP computers that have been
    updated to SP2 (should be most of them now, since SP2 is on the
    automatic updates server). SP2 adds a firewall to Windows XP. This
    firewall can prevent communication from the Trend OSCE server
    (avserv.ait.ac.th) _to_ the client. The consequences are that:
    1) the computer is seen 'offline' in the management interface
    2) the computer gets updates slower (probably only when Windows starts)
    Only _some_ computers are affected, the cause is unknown at this time
    (Trend Micro is working on it).

    There are two ways to solve this problem:
    - Method 1 (preferred): open the 'Windows Firewall' control panel
      (directly or from the Security Center control panel), open the
      'Advanced' tab, choose the LAN network interface you are using if
      there is more than one (check the name of the active one from the
      icon at the bottom right of the taskbar), click 'Settings', look in
      the list and make sure that the 'OfficeScan NT Listener' box is
      checked. If it is _not_, check it _and_ kindly report how many
      computers you have found with the box unchecked to me.
    - Method 2 (faster): open the following registry URL:
      http://wuserv.ait.ac.th/XPSP2FW_OSCE.REG, 'Open' the file and click
      'Yes' when asked if you want to import it into the registry.

14) restart

15) Install the Microsoft Baseline Security Analyzer
    - open:
      http://itsec.ait.ac.th/download/tools/windows/scanners/MBSASetup-en.msi
    - if you are asked to install a more recent version of the Windows
      installer, open:
      http://itsec.ait.ac.th/download/tools/windows/misc/InstMsiW.exe
    - if the installer requires you to install the XML parser, open:
      http://itsec.ait.ac.th/download/tools/windows/scanners/msxml.msi

    The MBSA can be run by clicking on its desktop icon, then choosing
    'scan a computer'. The name of this computer should appear as
    'Computer name'. Then click 'Start scan'. It will check that the
    computer is up-to-date regarding Windows 2000, IE and OE security
    updates (not application software like Office). The entries with red
    icons must be checked.

16) Not for CSIM laboratory: set an appropriate login user name and
    password, or authentication from a server if you have one

17) Not for CSIM laboratory: set the computer to automatically lock its
    console when unused:
    - open the control panel
    - open 'display'
    - select the 'screen saver' tab
    - choose an appropriate screen saver, wait delay and check the
      'password protected' box