Discussion: W2003 Final Touches

In the Installing Windows 2003: Final Touches recipe, we documented several final procedures we like to take after the basic installation of a standalone Windows 2003 server. Here we discuss the thinking behind those procedures.

  • Opening (procedure)
    • None of the procedures demonstrated in this recipe are essential to the smooth operation of the server. We think they make good sense to perform, though.
  • Connecting via RDP (procedure)
    • In this recipe we connect via Remote Desktop (often called RDP by sysadmins), because this is the way most sysadmins administer the systems under their care. Nothing about this recipe depends on using RDP, however. If you have another preferred means of accessing systems, by all means use it.
  • Automatic Updates (procedure)
    • Automatic updates should, in our opinion, be considered de rigueur for Windows systems. In later recipes we will show how to manage them via Windows Server Update Services (WSUS), but because this recipe concerns a standalone server (or one built before there is a domain or WSUS infrastructure to depend on), we show the process for setting up automatic updates via Microsoft’s update servers. This is a built-in functionality of Windows, and it is mature, safe, and battle-tested.
    • Generally speaking, Microsoft holds all security patches until the second Tuesday of each month (‘Patch Tuesday’). They also hold security vulnerability information releases until the patch is released, if they can. This is part of their Responsible Disclosure policy, which many consider debatable. I personally happen to agree with it, but if you feel otherwise, please do comment at the bottom of this page!
      • Sometimes, when a problem shows likelihood of serious and immediate danger to Windows systems, Microsoft will push a patch outside of the normal Patch Tuesday cycle. These are generally known as ‘out of band’ patches.
    • In the recipe, we chose the default “download and install,” knowing full well that this could reboot the server. We took note of the day and time this occurs – in the recipe we left it at Every day, 3:00 AM, but we could also have set it to occur on a specified day of the week, and/or changed the hour at which it occurs.
      • We also took note of the fact that if an Administrator is logged in when AutoUpdates wants to reboot, she may delay the reboot. A standard user would be warned, but would have no opportunity to delay the reboot.
      • Finally we took note of the fact that not all updates require reboot. It’s good to stay informed about upcoming updates. Personally, I do this by subscribing to Randy Franklin Smith’s Patch Tuesday Analysis newsletter.
    • Our reasoning was that all servers should stay updated with minimal fuss and hassle. However, if this were planned to be a more critical server, we would have chosen ‘download and let me choose when to install.’
    • So this outlines our strategy: all servers should automatically update themselves, unless we have good reason to choose otherwise.
  • MBSA Evaluation and Remediation (procedure)
    • Microsoft Baseline Security Analyzer (MBSA) is actually a rather basic series of security checks. There are of course many much more detailed checklists you can use for hardening your server.
    • We allowed the Administrator and Guest accounts to have passwords with no expiration. The theory here is that a user should change passwords regularly, because in this way, even if the password becomes known to unauthorized personnel, changing it on some defined schedule will limit exposure. Generally we agree with this theory, but excluded these two accounts because:
      • We assume the sysadmin who set the Administrator password will use strong measures to protect the passwords she knows, and not carelessly write them down in locations easily accessed by bad guys.
      • The Guest account is special. It is disabled by default, and has no password. If enabled, it is used for all anonymous accesses to the system (think file server access, where shares allow anonymous and/or Guest access). A Unix sysadmin could roughly equate Guest to ‘world’ or ‘other’ in the UGO permissions scheme. So it should not have a regular password change policy applied.
  • Clear Desktop Icons (procedure)
    • This procedure is optional. We like clean desktops.
  • Set Index Options (procedure)
    • We like to have the system index fully populated with all files, so we usually set this to index all drive letters, which is not the default. This is very handy when you’re trying to locate a DLL or other file somewhere on the system.
    • In some situations, file indexing can be an unacceptable drag on performance, and should be turned off. We’ll discuss this more in future articles about performance monitoring and tuning.
      • Please note that in Vista, Server 2008 and beyond, Windows gets a new I/O prioritization capability, and indexing is always given the lowest priority. In that case we unequivocally feel indexing should not be disabled.
  • Inventory Installed Programs and Components (procedure)
    • Here we are finishing up and taking stock of the server. We have a look at all programs and components installed, and evaluate whether they are needed. We feel this is a good thing to do from time to time. Uninstalling programs and components you don’t need is one of the best ways to have a highly performant server. It’s also one of the simplest, and as such, often overlooked!
    • We did remove the “Chat” application from the Communications components group. We have no idea why MS left this enabled on a server OS.
  • Check Firewall Settings (procedure)
    • Finally we have a quick look at firewall settings, noting that the Windows Firewall is enabled and has only one exception (for RDP).
    • We’ve heard a number of people say they distrust the Windows Firewall. We invite them to find technical reasons for this distrust!
  • Closing (procedure)
    • This concludes our series on installing Windows 2003. We’ll be doing a lot more with it in later recipes – including changing some of these settings.
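The Automatic Updates discussion above comes down to a few registry values, and it is worth being able to read them back off a server rather than trusting the dialog. The following is an added example, not part of the recipe: it decodes a `reg export` of the Automatic Updates key (the documented `AUOptions`, `ScheduledInstallDay`, `ScheduledInstallTime` and `NoAutoRebootWithLoggedOnUsers` values) into the choices discussed above and checks them against the stated strategy (option 4 for ordinary servers, option 3 for critical ones). The `.reg` text embedded at the bottom is constructed to match the recipe’s choice of “download and install, every day at 3:00 AM”.

```python
import re

# Documented meanings of AUOptions; ScheduledInstallDay is 0 = every day, 1..7 = Sun..Sat.
AU_OPTIONS = {2: "notify before download", 3: "download and let me choose when to install",
              4: "download and install on the schedule", 5: "allow local admin to choose"}
DAYS = ["Every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
# reg.exe writes a DWORD value as "Name"=dword:XXXXXXXX (8 hex digits).
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg_dwords(reg_text):
    """Map each [key] in a .reg export to its DWORD values, as ints."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def describe_au(reg_text, critical=False):
    """Translate the Automatic Updates values into the choices the recipe discusses."""
    au = next((v for v in parse_reg_dwords(reg_text).values() if "AUOptions" in v), None)
    if au is None:
        return None  # no Automatic Updates key in the export
    opt = au["AUOptions"]
    day = au.get("ScheduledInstallDay", 0)    # Windows default when unset: every day
    hour = au.get("ScheduledInstallTime", 3)  # Windows default when unset: 3:00 AM
    wait = au.get("NoAutoRebootWithLoggedOnUsers", 0) == 1
    return {
        "mode": AU_OPTIONS.get(opt, "unknown (%d)" % opt),
        "schedule": "%s, %02d:00" % (DAYS[day] if 0 <= day <= 7 else "invalid day", hour),
        # Only option 4 installs unattended; a reboot can then follow unless
        # policy tells AU to wait while someone is logged on.
        "may_reboot_unattended": opt == 4 and not wait,
        # The recipe's rule: option 4 for ordinary servers, option 3 for critical ones.
        "matches_strategy": opt == (3 if critical else 4),
    }

# Constructed sample: what `reg export` of the AU policy key yields for the recipe's choice.
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU]
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"""
```

On a server configured through the System Properties dialog rather than Group Policy, the same value names live under the non-policy `WindowsUpdate\Auto Update` key, which the parser picks up just the same.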