Introduction
This document provides information on configuring and administering a Windows 2000 Member Server in Andrew Windows and includes the following sections.
1. Overview: Andrew Windows 2000 and Microsoft Active directory
2. Installation and Configuration
2.1. Windows 2000 Server Licensing
2.2. Installing Windows 2000 Server
2.3. Upgrade to the Latest Windows 2000 Service Pack
2.4. Shutdown Non-Essential Services
2.5. Install the Latest Security Patches and Hot-Fixes
2.6. Network Registration
2.7. NTFS Disk Format
2.8. RAID
2.9. Install Required Applications
2.10. Macintosh Services
2.11. Printing
2.12. Backups/Restorations
2.13. Internet Information Services (IIS)
3. Andrew Domain Configuration
3.1. Creating a Server Organizational Unit (OU)
3.2. Blocking Inheritance
3.3. Custom GPO for the Server
3.4. Joining the Domain
3.5. Local Administration Access for Accounts and Groups
3.6. Local vice Andrew Domain Accounts
3.7. Local Logon Access
3.8. Restricting Server Access
4. Security
4.1. Physical Security
4.2. Registry Security
4.3. File/Share Access Permissions
4.4. Disable Guest Account
4.5. Virus Software
4.6. Auditing
4.7. Vulnerability Scanners
4.8. Other Security Links
5. On-Going Support Activities
5.1. User Privacy/Confidentiality
5.2. Restrict Administrator Privileges
5.3. Keep the Patches Current
5.4. Review Event Logs
5.5. Disk Defragmenting
6. Trouble-shooting
6.1. Resource Kit
6.1.1. Group Policy Object (GPO) Processing
6.1.2. Group Memberships
1.0 Overview: Windows Member Server Guide
This document is a guide to assist you in setting up a Windows 2000 Member Server within the Andrew Windows Service. Readers should have a general knowledge of Windows 2000 and Active Directory terminology.
This guide is not meant to be a comprehensive resource for configuring a Windows 2000 Server. In order to become familiar with Windows 2000 Server, Computing Services recommends that Computing Administrators complete a course similar to MS Course 2154: Implementing and Administering Microsoft Windows 2000 Directory Services, from a Certificated Microsoft trainer. In addition, many good books exist for Windows 2000 Administration. A book that we recommend is, Mastering Windows 2000 Server, by Mark Minasi.
2.0 Installation and Configuration
2.1 Windows 2000 Server Licensing
The Windows 2000 Server license is not covered under the Microsoft Campus License Agreement. Departments must purchase Windows 2000 Server licenses in order to run Member Servers. Windows 2000 Server licenses and media are available from the CMU Computer Store. Client Access Licenses (CALs) are currently covered under the Microsoft Campus License Agreement and do not need to be purchased separately.
2.2 Installing Windows 2000 Server
Install Windows 2000 from a Windows 2000 installation CD. The CD media can be purchased from the CMU Computer Store. It is recommended that the media be stored in a safe place, as it may be required at a later time.
Until the Windows 2000 Server is patched and secured, the server should not be run on the open campus network. Therefore, it is recommended that the network connectivity be disconnected during the installation process.
2.3 Upgrade to the Latest Windows 2000 Service Pack
Upgrade the Windows 2000 Server to the latest Microsoft Service Pack. The current Service Pack available is Service Pack 2.
2.4 Shutdown Non-Essential Services
You should limit the number of applications that your machine is running to essential services. Services that must be removed for installation in the CMU Campus include WINS and DNS. Services that should be considered for removal include FTP, WWW and SNMP.
Examine the existing services via:
Control Panels->Administrative Tools ->Services.
OR
Start menu->Run…->type “services.msc”
Check out the Microsoft website or a detailed description of the Windows 2000 Services.
It is a good security practice is to limit the amount of critical services that are running on any one machine. Try to avoid running all of your critical departmental services on one server.
2.5 Install the Latest Security Patches and Hot-Fixes
Install Hot-Fixes appropriate to your server while the server is still offline. To stay up to date on Microsoft patches, visit the MS Technet security site where you can join an e-mail list to notify you of new security fixes. The "Windows Update" function allows you to download many patches and updates, and allows you to be informed of critical updates, but it does not contain all security patches.
Microsoft has a number of tools that help with installing security patches. Several that we recommend include:
MS Network Security HotFix Checker (HFNetchk) is a tool that allows you to check for missing security HotFixes.. It must first be run on a computer with network access to download a current list of HotFixes, but then it can be copied to unsecured computers not yet connected to the network. This tool checks for HotFixes related to the operating system and other core components like Internet Explorer. It will not notify the user of Hot-Fixes for applications like Microsoft Office.
A graphical tool, similar to hfnetchk, is the Microsoft Security Baseline Analyzer (MBSA). MBSA will keep a history or scans as well as search for vulnerabilities in the operating system.
Qchain is a tool that allows you to install multiple HotFixes sequentially without requiring multiple reboots.
Network Registration
The Windows 2000 Server should be registered to use the Campus Network via NetReg. After registration, the Server should be configured to run DHCP. It will receive the IP Configuration information after a reboot.
2.7 NTFS Disk Format
Hard disks should be formatted with the NTFS file system. This format allows the most flexibility in security and audit policies and it reduces exposure to boot attacks. Windows 2000 allows the capability to upgrade to NTFS partitions without damaging data. However, when a disk that was installed with FAT/FAT32 is converted to NTFS that the Everyone group has Full Control of all the files/folders on the entire disk, including the \winnt directory.
RAID
RAID (Redundant Array of Independent Disks) technology allows for high availability and increased performance for disk drives. RAID has become very popular throughout server technology and it is recommended for critical File Servers. Windows 2000 has built-in software RAID functionality that should be considered if hardware RAID is not cost-efficient.
2.9 Install Required Applications
It is a good idea to install all of the necessary Application Software to the Member Server prior to releasing it as a production server. As was mentioned with services, it is recommended that Application Software be limited to essential programs.
2.10 Macintosh Services
To provide File and/or Print Sharing to Macintosh Clients, you will need to install and configure the bundled Windows 2000 product “Services for Macintosh”. Services for Macintosh requires the disk(s) be NTFS-formatted. Since AppleTalk routing is being eliminated at CMU, this service will need to be run natively under TCP/IP. The latest Microsoft UAM will need to be installed on your client computer in order to support the more secure NTLMv2 client. Please see the Client Guide for Andrew Windows for specific instructions.
0 comments:
Post a Comment