System Installation Process for Tightened Security
Tech’s notes: It helps to have a good idea of the end user’s computer use patterns and configuration preferences, so the Task Scheduler settings and schedules can be aligned with the user’s schedule(s). For the initial installation from the operating system disks, keep the PC off the internet until the configuration changes are complete and the Task Scheduler settings have been audited and configured. It’s best to stick to this process as written, at least until you get to the configuration of Task Scheduler. This is for Microsoft Windows (Vista through 10); I have not had direct experience with Macintosh operating systems. (Note: what works on Microsoft Windows may not work on macOS, and vice versa.) Since macOS can also be joined to Active Directory, the same basic procedure may well work there too, but take that up with a system engineer first, unless you’re into experimentation at your own risk. One thing is certain: there may be minor differences required when installing Windows on hardware from different manufacturers, and certain applications may not be permitted on certain proprietary machines.
Step 1 – Put the Windows OS disk in the optical drive and restart. You will need to know which function key brings up the boot options menu from the BIOS on your hardware, and press it immediately after the POST tests. First configure the BIOS options: for Windows 7 and later, the SATA controller mode should be set to AHCI (look under the integrated peripherals or storage entries; the name varies by manufacturer). Once done, go to “Save BIOS and exit Setup”, select “Y”, and press Enter. Setup will begin installing the operating system. When Setup reaches the installation options, delete the existing disk partitions (the Windows partition and the small System Reserved partition) and select “New” to create new ones. This re-creates the partitions on which you will be installing Windows; it does not securely erase the old contents, so if the disk previously held anything sensitive, wipe it separately first. Once that is complete, Setup will ask for a user name and password (this first account is a local administrator) and the time zone for the physical location. Enter this information and let Windows finish setting up.
Step 2 – Now click the Start button (or Start screen) and left-click the Control Panel link. Once it opens, note the address bar at the top and the arrow to the right of “Control Panel”. Left-click the arrow to bring up “All Control Panel Items” (this matches Windows 7 and 10; Windows 8 has a few differences, I’ve noticed), then scroll down to “Taskbar and Start Menu” and left-click it. First, left-click to de-select “Open submenus when I pause on them with the mouse pointer”, then scroll down to “System administrative tools” and select “Display on the All Programs menu and the Start menu” to simplify this process (you’ll be using these tools a fair bit before you’re done), then left-click “Apply” and close all open dialog boxes.
Step 3 – Now left-click the Start button, then “All Programs”, then Administrative Tools, then scroll down to the Services entry, right-click it and left-click “Run as administrator”. This brings up the Services snap-in so you can scroll slowly down the list. When you locate a service whose Startup type is “Disabled”, double-click it to bring up its Properties dialog and look at the “Startup type” setting. Left-click the down arrow at the right and choose “Manual” only for the services you have a specific need for; the ones this applies to are some of the internet-specific services, not the whole list. A Disabled service is attack surface that has been removed, and Manual lets any process running with administrator rights start it on demand, so do not switch Disabled services to Manual wholesale, and write down each one you change so it can be audited later.
Step 4 – Scroll to the Remote Registry service, double-click it to bring up its Properties dialog, set the Startup type to “Disabled” and, if it is running, click “Stop”. (Do you REALLY want a remote user to be able to alter your registry? I don’t.) Now close the Services snap-in, for now.
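The Services work in Steps 3 and 4 can be done, and more importantly re-checked after every update run, from an elevated PowerShell prompt. The script below is an added example and not part of the original post; $BaselinePath is an assumed location, and Get-CimInstance needs PowerShell 3.0 or later (on Windows 7’s PowerShell 2.0, Get-WmiObject with the same class works the same way).

```powershell
# Added example, not from the original post. Audits service start types, keeps a CSV
# baseline so drift after a Windows Update run is visible, and disables Remote Registry
# as Step 4 describes. Run from an elevated PowerShell prompt.
param([string]$BaselinePath = "$env:ProgramData\services-baseline.csv")  # assumed location

function Get-ServiceBaseline {
    # Win32_Service exposes the start mode and the logon account, i.e. what the
    # Services snap-in shows on the General and Log On tabs.
    Get-CimInstance -ClassName Win32_Service |          # Get-WmiObject on PowerShell 2.0
        Select-Object Name, DisplayName, StartMode, State, StartName, PathName |
        Sort-Object Name
}

$current = Get-ServiceBaseline

if (Test-Path -LiteralPath $BaselinePath) {
    # Anything whose start mode changed since the last audit: updates and installers
    # re-enable services, and so does malware, so every line here deserves a look.
    $previous = Import-Csv -LiteralPath $BaselinePath
    $drift = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
                            -Property Name, StartMode -PassThru
    if ($drift) {
        'Start-mode changes since the last baseline (<= old, => current):'
        $drift | Format-Table Name, StartMode, SideIndicator -AutoSize
    }
}

# Step 3: these are the Disabled services to review. Switch one to Manual only when
# something you run needs it; Manual means any administrator-level process can start it.
'Currently disabled services:'
$current | Where-Object { $_.StartMode -eq 'Disabled' } | Format-Table Name, DisplayName -AutoSize

# Auto-start LocalSystem services whose binary lives outside C:\Windows are where
# third-party agents (and persistence) live; worth a second look on a fresh install.
'Auto-start LocalSystem services with binaries outside the Windows folder:'
$current | Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and
                          (($_.PathName -replace '^"', '') -notlike "$env:SystemRoot\*") } |
    Format-Table Name, PathName -AutoSize

# Step 4: Remote Registry should not be reachable on a workstation.
Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  -Name RemoteRegistry -StartupType Disabled

# Verify, then persist the new baseline for the next comparison.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'").StartMode   # expect Disabled
Get-ServiceBaseline | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
```

Run it once after Step 4 to create the baseline, and again after each Windows Update run or software installation; the drift table is the part worth reading, since that is where a re-enabled service shows up.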
Step 5 – Now click Start/All Programs/Administrative Tools/Task Scheduler, right-click it and select “Run as administrator”. The line in the snap-in which reads “Task Scheduler Library” has an arrow on the left; left-click it, then expand Microsoft, then Windows, then left-click the Active Directory folder (its full name is Active Directory Rights Management Services Client). It holds two tasks, one Automated and one Manual. Select the Automated task, open its properties and note the account it runs as on the General tab (it’s set to “Everyone” by default). Left-click “Change User or Group”, type “system” in the next dialog, then left-click “Check Names”. The object picker shows the entry is valid by capitalizing and underlining it (SYSTEM); then left-click “OK”. On the “Triggers” tab, leave the trigger’s “Enabled” box unchecked for now, but in the trigger’s advanced settings set “Stop task if it runs longer than” to the maximum you want (I select one hour max). Remember that the “Settings” tab ALSO has a “Stop the task if it runs longer than” option, so match the value you chose on the trigger. I also suggest setting the option at the bottom, “If the task is already running, then the following rule applies”, to “Do not start a new instance”. Now select the Manual task: for this one, set the account to the name of the Administrator account, and I recommend checking “Run with highest privileges” on this task. Task Scheduler will prompt for the administrator account’s password when you click OK; enter it, leave this task “Enabled”, then close the Task Scheduler snap-in. Two things to keep in mind: a task that runs as SYSTEM executes with the highest local privileges, so only point one at binaries you control, and tasks under Microsoft\Windows belong to Windows servicing and may be put back to their defaults by an update.
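Step 5 can be applied, and more usefully read back and verified, with the ScheduledTasks cmdlets. The block below is an added example rather than the post’s own procedure. It assumes Windows 8 or later (Windows 7 has only schtasks.exe, which is why the manual-task part uses it), that the folder the post calls Active Directory is \Microsoft\Windows\Active Directory Rights Management Services Client with the two task names shown, and that the administrator account is named Administrator; adjust those if yours differ.

```powershell
# Added example, not the post's own procedure: the Step 5 task settings applied and
# read back with the ScheduledTasks module (Windows 8 / Server 2012 and later).
# Folder, task and account names are assumptions about a stock install; adjust to taste.
$TaskPath  = '\Microsoft\Windows\Active Directory Rights Management Services Client\'
$Automated = 'AD RMS Rights Policy Template Management (Automated)'
$Manual    = 'AD RMS Rights Policy Template Management (Manual)'
$Admin     = "$env:COMPUTERNAME\Administrator"   # assumed account name

function Show-TaskPrincipalAndLimits([string]$Path, [string]$Name) {
    # The General, Triggers and Settings tabs, reduced to the fields Step 5 touches.
    $t = Get-ScheduledTask -TaskPath $Path -TaskName $Name
    [pscustomobject]@{
        Task          = $t.TaskName
        RunsAs        = $t.Principal.UserId
        LogonType     = $t.Principal.LogonType
        RunLevel      = $t.Principal.RunLevel            # Limited, or Highest
        TriggerOn     = @($t.Triggers | ForEach-Object { $_.Enabled }) -join ','
        TriggerLimits = @($t.Triggers | ForEach-Object { $_.ExecutionTimeLimit }) -join ','
        SettingsLimit = $t.Settings.ExecutionTimeLimit   # ISO 8601 duration; PT1H is one hour
        IfRunning     = $t.Settings.MultipleInstances    # IgnoreNew = "Do not start a new instance"
    }
}

'Before:'
Show-TaskPrincipalAndLimits $TaskPath $Automated
Show-TaskPrincipalAndLimits $TaskPath $Manual

# Automated task: run as SYSTEM, one-hour limit on the Settings tab, no overlapping runs.
$sys      = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                                         -MultipleInstances IgnoreNew
Set-ScheduledTask -TaskPath $TaskPath -TaskName $Automated -Principal $sys -Settings $settings | Out-Null

# Each trigger carries its own "stop task if it runs longer than" value; match it to the
# Settings value and leave the trigger disabled for now, as the step says.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $Automated
foreach ($trigger in $task.Triggers) {
    $trigger.ExecutionTimeLimit = 'PT1H'
    $trigger.Enabled            = $false
}
Set-ScheduledTask -InputObject $task | Out-Null

# Manual task: run under the administrator account with highest privileges. schtasks.exe
# handles the password prompt (/RP *) and also works on Windows 7.
schtasks.exe /Change /TN "$TaskPath$Manual" /RU $Admin /RP * /RL HIGHEST /ENABLE

'After:'
Show-TaskPrincipalAndLimits $TaskPath $Automated
Show-TaskPrincipalAndLimits $TaskPath $Manual
```

The “Before” and “After” lines are the point: keep the “After” output, and rerun just the two Show-TaskPrincipalAndLimits calls after the next update run to see whether servicing reset the task.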
Step 6 – Click Start/All Programs/Administrative Tools/Computer Management, then left-click “Disk Management”. You will see a rather small partition on the system disk which has no drive letter: the System Reserved partition, which holds the boot manager (bootmgr) and the boot configuration data. Right-click it and select “Change Drive Letter and Paths”. In the resulting dialog, left-click “Add”, choose the drive letter you want (the following steps use S:), and left-click “OK”. Giving this partition a letter makes it visible to Explorer and to every program you run, so remove the letter again (same dialog, “Remove”) once the ownership and permission work on it is finished.
Step 7 – Now click "Start", then "All Programs", then "Accessories", then right-click "Command Prompt" and select "Run as administrator". Note that the prompt opens in C:\Windows\system32. Type "cd \" and press Enter. Now type the following two commands, ownership first, pressing Enter after each (S: is the letter you assigned in Step 6; the commands do not pipe into one another, so run them separately):
    takeown /f S:\* /a /r /d y
    icacls S:\* /inheritance:e /t
Step 8 – Repeat the pair for the Windows volume:
    takeown /f C:\* /a /r /d y
    icacls C:\* /inheritance:e /t
Here takeown gives ownership to the Administrators group (/a) recursively (/r), answering "yes" to every prompt (/d y), and icacls re-enables permission inheritance (/inheritance:e) on every object under the path (/t). You can check the switches by typing "takeown /?" and "icacls /?"; this instruction set is specific to Windows 7 (6.1.7601). Separate each switch with a single space, or you will get a syntax error. Be aware of what the C: run does to C:\Windows and the Program Files trees: Windows ships those owned by NT SERVICE\TrustedInstaller, servicing sets those owners and ACLs itself and restores them on the files it replaces (the notes at the end of this post describe exactly that), so the change will not stick there, and it weakens the separation between "an administrator" and "the operating system". If the goal is to own your data, scope the commands to the folders that hold it rather than the whole volume.
Step 9 – Now open Administrative Tools, then Component Services, and expand Computers, My Computer, Distributed Transaction Coordinator, then open the properties of Local DTC and its Security tab. If you enable network DTC access, Windows Firewall will ask which network profiles the Distributed Transaction Coordinator may accept connections on; select “Home/private network” and left-click “Allow access”. (Decide for yourself whether to allow it on public networks, but note the warning; I wouldn’t, but that’s me.) Network DTC access is off by default on a workstation and is only needed when an application coordinates transactions across machines, so if nothing you run needs it, leave it off and skip the firewall exception entirely. Then click “Apply”, close the Component Services snap-in and reboot the PC.
Step 10 – Now we get to the administrator’s “Take Ownership” ability and how to apply it correctly. First, go to the Start button, left-click the Control Panel link, then left-click the arrow to the right of “Control Panel” in the address bar, then click “All Control Panel Items” and scroll to “Folder Options”. Left-click it, then the “View” tab, then scroll down to the hidden files and folders option and select “Show hidden files, folders, and drives”, then scroll down and uncheck “Hide protected operating system files (Recommended)”, then left-click “Apply”. Now close the Folder Options dialog. You will usually see two desktop.ini icons on your desktop now (it depends on your hardware manufacturer).
Step 11 - When you take ownership, start with the System Reserved partition, and edit the owner as in the following steps. On the bootmgr file, include an entry for TrustedInstaller by clicking "Add" and typing "NT SERVICE\TrustedInstaller" (the object picker will not resolve the name without the NT SERVICE prefix). The system will propose "Full Control"; click "Clear all", then select ONLY "Traverse folder / execute file", "List folder / read data", "Read attributes", "Read extended attributes" and "Read permissions". Those five together are what the basic view shows as "Read & execute". (This is in the Advanced Security Settings dialog as you edit the TrustedInstaller entry.) Note that TrustedInstaller is the identity Windows Update uses to replace bootmgr when a boot-manager update ships; with only read and execute rights it cannot, so either expect to re-check this file after update runs (see the notes at the end of this post) or leave its Full Control in place.
Step 12 – You will note several entries in the root of the C: drive, two of which are hiberfil.sys and pagefile.sys (these are files, not folders). Windows probably won’t let you change permissions on those while they are in use, but on the “General” tab you can left-click “Advanced” and set the indexing option for each file (there is little to gain from indexing either one; hiberfil.sys is a copy of memory and pagefile.sys is swap, and the search indexer skips them anyway). For each physical/logical drive partition on your PC, left-click it to select it (one at a time), choose Properties, then the Security tab, then click “Advanced” at the bottom, which brings up the Advanced Security Settings dialog. Next, click the “Owner” tab (Windows 7) or the “Change” link next to Owner (Windows 8 and 10), then the “Edit” button. Set the owner to “Administrator”, then click “Apply”.
Step 13 – Once you do that, click the Permissions tab and left-click “Change Permissions”. Check “Include inheritable permissions from this object’s parent”, then click “Apply”. Select the non-inherited entries which duplicate the inherited ones (i.e., SYSTEM, Administrators and Users) and click “Remove” for each (again, one at a time). Once it’s configured, check “Replace all child object permissions with inheritable permissions from this object”, then click “Apply”. After this, select the General tab, uncheck “Read-only” and click “Apply”. Repeat Steps 12 and 13 for each top-level folder on C:. One exception a practitioner should make: C:\Windows, Program Files and Program Files (x86) deliberately carry non-uniform ACLs (many subfolders grant TrustedInstaller rights that Users, and even Administrators, do not get), and flattening them to a single inherited set removes that separation and is undone by servicing. Do this for your own data folders and leave the OS trees as Windows shipped them.
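The ownership and permission work in Steps 7 through 13 is easier to verify than to do by hand, and a report taken before and after is what tells you whether a later update run (or something less benign) changed things. The block below is an added example, not the post’s method: it reports owner and inheritance state under a path, builds the read-and-execute-only entry Step 11 describes, and applies it through Set-Acl with -WhatIf support. The scratch paths are assumptions; try it on a copy before pointing it at bootmgr or a volume root, and run it from an elevated prompt.

```powershell
# Added example, not the post's own method. Audits ownership and inheritance under a
# path and applies the Step 11 ACE (owner + read/execute for TrustedInstaller) to one file.
# Scratch paths below are assumptions; run from an elevated PowerShell prompt.
function Get-OwnershipReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExpectedOwners = @('BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller',
                                      'NT AUTHORITY\SYSTEM')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }                      # locked files (pagefile.sys) are skipped
            [pscustomobject]@{
                Path        = $_.FullName
                Owner       = $acl.Owner
                Inherits    = -not $acl.AreAccessRulesProtected   # "Include inheritable permissions"
                Unexpected  = $ExpectedOwners -notcontains $acl.Owner
                ExplicitAce = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
            }
        }
}

function New-ReadExecuteAce([string]$Identity = 'NT SERVICE\TrustedInstaller') {
    # ReadAndExecute is exactly the five rights Step 11 lists: traverse/execute file,
    # list folder/read data, read attributes, read extended attributes, read permissions.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-OwnerAndReadExecute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$File, [string]$Owner = 'BUILTIN\Administrators')
    $acl = Get-Acl -LiteralPath $File
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    $acl.SetAccessRuleProtection($false, $true)   # keep inheriting from the parent
    $acl.SetAccessRule((New-ReadExecuteAce))      # replaces any explicit TrustedInstaller entry
    if ($PSCmdlet.ShouldProcess($File, "owner -> $Owner, TrustedInstaller -> read & execute")) {
        Set-Acl -LiteralPath $File -AclObject $acl
    }
}

# Audit first. Constructed scratch folder; substitute the volume you are working on.
$lab = "$env:TEMP\acl-lab"
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Content -LiteralPath "$lab\bootmgr-copy" -Value 'stand-in for a copy of bootmgr'   # constructed
$report = Get-OwnershipReport -Path $lab
$report | Where-Object { $_.Unexpected -or -not $_.Inherits } | Format-Table -AutoSize

# Dry run; drop -WhatIf when the target and the ACE are what you intend.
Set-OwnerAndReadExecute -File "$lab\bootmgr-copy" -WhatIf
$report | Export-Csv -LiteralPath "$lab\acl-baseline.csv" -NoTypeInformation
```

Save the report alongside the services baseline; after an update run, a second Get-OwnershipReport over the same path diffed against it (Compare-Object on Path and Owner) separates servicing’s expected resets from anything else.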
Step 14 – Next, click the Start button, then the Control Panel link, then the arrow to the right of Control Panel in the address bar and select “All Control Panel Items”. Scroll to “Programs and Features”, left-click it, then select “Turn Windows features on or off”. Fill in the check-boxes (if you see a blue filler in a box, there’s a drop-down arrow that opens further sub-options to check). Once you hit “OK”, Windows will take a few minutes to turn them on. Before you do, decide deliberately rather than checking everything: each feature you enable is code the system then has to patch, and several of them (Internet Information Services, Telnet Server, TFTP Client, Simple TCP/IP Services) add a listening service or a plaintext protocol that is off precisely because most workstations do not need it. For a tightened configuration, enable only what you will actually use.
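Rather than ticking every box, enumerate what is on and compare it with what this PC needs. The block below is an added example, not from the post; it assumes Windows 8 or later for the DISM and NetTCPIP cmdlets (on Windows 7 use dism /online /get-features and netstat -ano), the allow list is an assumption to edit for your own machine, and optional-feature names vary by Windows version.

```powershell
# Added example, not from the post: list enabled optional features, compare them with an
# allow list, flag the ones that add a listener or a plaintext protocol, and show what is
# actually listening. Elevated PowerShell on Windows 8 or later. $Allowed is an assumption.
$Allowed = @('NetFx3', 'Printing-PrintToPDFServices-Features', 'WindowsMediaPlayer')

$enabled = Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq 'Enabled' }
$extra   = $enabled | Where-Object { $Allowed -notcontains $_.FeatureName }

'Enabled but not on the allow list:'
$extra | Sort-Object FeatureName | Format-Table FeatureName -AutoSize

# Features that open an inbound service or speak an unencrypted protocol.
$Risky = @('IIS-WebServerRole', 'IIS-FTPServer', 'TelnetServer', 'TelnetClient',
           'TFTP', 'SimpleTCP', 'SMB1Protocol')
foreach ($f in ($extra | Where-Object { $Risky -contains $_.FeatureName })) {
    Write-Warning "$($f.FeatureName) is enabled; disable it unless something on this PC needs it."
}

# What is listening right now, and which process owns the socket.
'Listening TCP ports:'
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize

# Turning one off, e.g. the Telnet Server:
# Disable-WindowsOptionalFeature -Online -FeatureName TelnetServer -NoRestart
```

The listening-port table is the check that matters: a feature you did not expect to see in the first list usually explains a port you did not expect to see in the second.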
Step 15 – Now open the root of the C: drive again. If you enabled Internet Information Services in the previous step, you’ll see a folder named inetpub (the IIS web root), for which you repeat Steps 12 and 13, then select the “General” tab, uncheck “Read-only” and click “Apply” (yes, “Replace all child object permissions with inheritable permissions from this object”). If you did not enable IIS, there is no inetpub and nothing to do here.
Step 16 – Double-click the Temp (or Templates) folder to open it, then audit its entries for owner (Administrator), permission inheritance and indexing. Now close all of the open dialog boxes.
Step 17 - Go back into Control Panel/All Control Panel Items/Folder Options/View tab, select “Don’t show hidden files, folders, or drives” and check “Hide protected operating system files (Recommended)”, then click “Apply”. Now close the Folder Options dialog and reboot your PC.
Technician’s Note: Here there is room for some variance for individual preference and/or your system needs: if you check Device Manager (System Properties, Hardware tab) and find that you need to, install the required device drivers to bring your Windows Experience Index to optimal. Also, if you’re smart, you will not have only an Administrator account; you will also have a standard user account from which to do your primary internet browsing (and, ideally, all day-to-day work), as this provides additional protection for your computer system: a browser exploit then lands in an account that cannot change the system without a UAC credential prompt. This is merely an advisory, so ignore it at your own risk.
For Task Scheduler, I suggest that you audit every Task Scheduler entry, but leave Windows Defender and Disk Defragmenter for the very last items (that is, if you’re deciding to use Defender), as each has its own snap-in whose schedule you must coordinate with your Task Scheduler settings, and it’s better to turn off the Base Filtering Engine service (BFE, in the Services snap-in) before you start on those two; otherwise, every time you reboot, you’ll need to reset them again. Be aware of what that costs: BFE is the Windows Filtering Platform service that Windows Firewall and IPsec run on, and stopping it drops every firewall rule until it is started again. If you do stop it, do so only while the PC is offline, and confirm that BFE is Running and Windows Firewall reports On before the first internet connection. Once you’re done configuring these two tasks, leave the services you stopped off, as they’ll come back on after the reboot.
- At the very least, the Task Scheduler needs to be audited for consistency between the Triggers and the Settings tabs (the maximum run time allowed for each task), for how you want each task set on the power (Conditions tab) options, and for deciding which tasks need the start condition “Start only if the following network connection is available” set to “Any connection”, for example. Oh, don’t forget that you’ll need to enable the trigger on the AD RMS Automated task from Step 5 on its Triggers tab. Configuring Task Scheduler will take a while.
Step 18 – Go into Start/All Programs/Administrative Tools/Services, right-click Services and left-click “Run as administrator”. Scroll down to the Telnet service, double-click it, go to the “Startup type” entry showing “Disabled”, left-click the drop-down arrow, left-click “Manual”, then click “Apply”. Before you do, note that this is the Telnet Server service (TlntSvr, present only if Telnet Server was enabled in Step 14): it accepts remote logons over an unencrypted protocol, so on a tightened workstation the safer setting is to leave it Disabled (or not install the feature at all). Now you can close the Services snap-in. Next, under “All Control Panel Items”, scroll down to User Accounts, click it, then click “Change User Account Control settings”. In the resulting window, leave the slider at the default, second-from-top level, “Notify me only when programs try to make changes to my computer” (its description includes “Don’t notify me when I make changes to Windows settings”), and click “OK”. Do not drag it to “Never notify”: that level makes elevation silent for administrators, which removes the one barrier between a process running in your administrator session and full control of the machine. Now close this dialog.
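The UAC slider is just three registry values, so the setting can be verified (or put back) without opening the dialog, which is useful after an installer “helpfully” lowers it. The block below is an added example, not from the post; the value-to-level mapping is the documented one for Windows 7 through 10, and Set-UacDefault needs an elevated prompt.

```powershell
# Added example, not from the post: decode the UAC policy values behind the slider and
# restore the default level. Elevated PowerShell is required for Set-UacDefault.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    $admin  = [int]$p.ConsentPromptBehaviorAdmin   # 2 = prompt for consent, 5 = prompt for non-Windows binaries, 0 = elevate silently
    $secure = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the secure desktop (dimmed screen)
    $level =
        if ([int]$p.EnableLUA -ne 1)              { 'UAC off (EnableLUA=0): every process in an admin session is fully elevated' }
        elseif ($admin -eq 2 -and $secure -eq 1)  { 'Always notify' }
        elseif ($admin -eq 5 -and $secure -eq 1)  { 'Default: notify only when programs try to make changes (secure desktop)' }
        elseif ($admin -eq 5 -and $secure -eq 0)  { 'Notify only when programs try to make changes, without dimming' }
        elseif ($admin -eq 0)                     { 'Never notify: administrators elevate silently' }
        else                                      { 'Custom policy values' }
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

function Set-UacDefault {
    # The second-from-top slider position in the dialog.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    # A change to EnableLUA needs a reboot; the other two apply immediately.
}

Get-UacLevel
# Set-UacDefault   # uncomment to enforce the default level
```

Get-UacLevel also makes a decent line in a post-update checklist: if Level is anything but the default or “Always notify” on a machine you did not change, find out what changed it.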
Step 19 – At this time, if you have not completed configuring the rest of the Control Panel options and created and configured any other user accounts (if you’re going to), I suggest that you do so before going to Step 20. If you’ve not done so yet, this would also be a great time to run Disk Cleanup and Disk Defragmenter to optimize your system drive (usually C:).
Step 20 - Next, left-click the Start button, left-click “All Programs”, then left-click “Games”. In the Games folder, select the Microsoft games entry; this should bring up the Games Explorer option for downloading updates and information for Microsoft games, where you select your preference at this juncture. At some point you will also need to open Windows Media Player (unless you use another media application) and bring up the “Now Playing” window. Right-click it, follow the arrow to the right of “Enhancements” and left-click “SRS WOW effects” (not to be confused with SysWOW64, which is an unrelated system folder). In the resulting pane there is a “Turn on” link at the top left, which exposes more options and advanced media settings.
Step 21 - Now you can run CHKDSK: select the C: drive, then Properties (NOT System Properties), then the Tools tab, then “Check now” under Error-checking. Windows will tell you that it can’t check the disk while it’s in use and offer to schedule a check at the next restart; accept, and CHKDSK runs before Windows loads on the next reboot (on Windows 7, this takes almost 90 minutes – wow, a break, YAY!).
Step 22 - After that, you can either install any other software and applications or activate Windows first, whichever you prefer. Note: certain applications have product keys which the system must validate, so install those after activating Windows, or the system will not recognize them as valid.
Technician’s notes: I’ve noted various tasks and/or services which will need auditing up through the first online connection and after the resulting installation of the Antivirus suite, the anti-malware suite, and miscellaneous other items.
Windows will need to be activated before Windows Backup and System Restore will function properly, and the Automatic Backup task will need to be audited to ensure that its “Configure for” setting on the General tab says Windows 7 and not Windows Vista, if you’re on Windows 7, that is. (Whatever the OS, auditing each and every entry is always a good idea.)
The Google Software Updater installs its tasks at the root of the Task Scheduler Library with “Configure for” set to Windows Server 2003 (on Windows Vista, Windows 7 and 10, from my observations; I don’t recall how it works on Windows 8), so you’ll need to set it to your PC’s operating system instead. The same task properties show what the task runs and as whom; for any third-party updater that is worth reading too, since a task that runs as SYSTEM from a folder standard users can write to is a straightforward path to administrator rights.
The antivirus suite, when installed on Windows 7, will set its tasks to run as configured for Windows Vista, so you’ll need to audit that too. It is the same General tab setting as on the Google Software Updater task in Task Scheduler. You will need to briefly stop the initial scan, set the A/V suite’s Emergency Updater task to Windows 7 (or whichever Windows version you’re using), and then restart the initial scan.
After the first time on the internet, during which you install the antivirus suite and the anti-malware suite (if you prefer something other than Windows Defender) and perform your first Windows Update run, look farther down the Task Scheduler folder list: there is a new folder with two system validation tasks, which are configured to run every 90 days by default. The Media Center tasks will need triggers added and configured for the internet-specific tasks, so that the system doesn’t make its “best guess” and misconfigure them.
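The things the notes above say to check by hand for each task (the “Configure for” setting on the updater and antivirus tasks, the Triggers-versus-Settings run-time limit, the account a task runs as, and whether it has an enabled trigger at all) are a handful of properties the ScheduledTasks module exposes, so the whole library can be scanned at once. The block below is an added example, not from the post; it assumes Windows 8 or later, and that the module reports tasks configured for Windows 8 or Windows 10 in the dialog as Compatibility “Win8” (which is my experience, so treat the $Expected value as an assumption to check on your own machine).

```powershell
# Added example, not from the post: scan the whole Task Scheduler library for the items
# the notes say to audit task by task. ScheduledTasks module: Windows 8 / Server 2012+.
function Get-TaskAudit {
    param([string]$Expected = 'Win8')   # assumption: what the module reports for "Windows 8/10"
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        $settingsLimit = $t.Settings.ExecutionTimeLimit
        $triggerLimits = @($t.Triggers | ForEach-Object { $_.ExecutionTimeLimit })
        [pscustomobject]@{
            Path          = $t.TaskPath + $t.TaskName
            State         = $t.State
            ConfigureFor  = $t.Settings.Compatibility       # the "Configure for" dropdown
            OldCompat     = "$($t.Settings.Compatibility)" -ne $Expected
            RunsAs        = $t.Principal.UserId
            RunLevel      = $t.Principal.RunLevel
            TaskLimit     = $settingsLimit
            TriggerLimits = $triggerLimits -join ','
            LimitMismatch = @($triggerLimits | Where-Object { $_ -and $_ -ne $settingsLimit }).Count -gt 0
            NoEnabledTrig = @($t.Triggers | Where-Object { $_.Enabled }).Count -eq 0
            Action        = @($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

$audit = Get-TaskAudit

'Tasks configured for an older OS (the updater and antivirus cases above):'
$audit | Where-Object { $_.OldCompat } | Format-Table Path, ConfigureFor -AutoSize

'Trigger run-time limit differs from the Settings tab limit:'
$audit | Where-Object { $_.LimitMismatch } | Format-Table Path, TaskLimit, TriggerLimits -AutoSize

'Non-Microsoft tasks running as SYSTEM (each one is code that runs with full privileges):'
$audit | Where-Object { $_.Path -notlike '\Microsoft\*' -and $_.RunsAs -match 'SYSTEM' } |
    Format-Table Path, Action -AutoSize

'Enabled tasks with no enabled trigger (they never run, or only run when something starts them):'
$audit | Where-Object { $_.State -ne 'Disabled' -and $_.NoEnabledTrig } | Format-Table Path -AutoSize

# Fixing one: set "Configure for" on a task to the current OS. $name is a placeholder.
# $name = 'YourTaskName'
# $s = (Get-ScheduledTask -TaskName $name).Settings; $s.Compatibility = 'Win8'
# Set-ScheduledTask -TaskName $name -Settings $s
```

Export $audit to CSV once the library is the way you want it; after the next update run or software install, Compare-Object on Path, RunsAs and Action against that file shows every task that was added or re-pointed, which is a more reliable audit than re-reading the snap-in.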
If you are performing this process on Windows 8, be aware that you can add Administrative Tools to the Start screen once you get to Control Panel; you’ll have to search from the Start screen (or use Windows Explorer) to find Control Panel. (In Windows 8.1, there is an option to make the Start button behave more like the Windows 7 one.) Also, various services need to be turned on in the Services snap-in before they appear in Control Panel, like Windows Defender and Windows Update. Oh, be prepared for your first Windows Update run to take about two days, since it takes several thousand updates on the first run; I’ve heard that from several people who’ve experienced it first-hand.
Any application marketed by Microsoft will set the owner of its files to SYSTEM by default, unless you’ve audited the Installer folder in C:\Windows.
After each Windows Update run, you’ll need to audit your file/folder ownership, permissions and indexing configuration, as Windows is worse than Clouseau and Kato about keeping your settings intact, especially the bootmgr file on the System Reserved partition. That is Windows servicing restoring the owners and ACLs it expects on the files it replaced, so differences there after an update are expected; differences elsewhere are not, which is why a saved baseline to diff against is worth more than a manual walk through Explorer.
While I'm thinking of it, when first installing Windows you'll need to audit the core files in SysWOW64, then WinSxS (the Windows side-by-side component store), then System32; ALSO Downloaded Installations, Downloaded Program Files, Installer (apps and programs being installed, including settings templates), SoftwareDistribution, and do the Prefetch folder last (system maintenance tasks). I know I had you use those command-prompt commands, but a direct audit never hurts, especially in Windows. Don't forget the reboot.
From long experience, I can now say that the more proprietary your computer, the more complicated the process becomes to tame Windows, which is why I'm simplifying this here.