Creation of CSCF Windows 2008 Standard Server Image

Sun Fire Hardware

Windows Server 2008 will not install on to old Sun hardware such as the Sun Fire 4200 M2 unless the machine's BIOS and firmware are updated to recent versions (we are using version 2.0.2.10 which is from April 2010).

Firmware upgrades can be done by aquiring the appropriate firmware .ima file from the Sun web site for the server hardware. Then using a web browser connect to your server's web based Light Out Management (LOM) site. The LOM tools allow an administrator to remotely upgrade a server's firmware using its Maintenance -> Firmware Upgrade page. The .ima merely has to be accessible to the web browser accessing the server's LOM page.

Changes of Note

Most Windows administrators are familiar with the Windows registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its importance in starting applications during system startup. In Windows Server 2008 there is a second Run key located at HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run which performs the same purpose. Both keys work but the system seems to be configured to place startup items in the new Run as opposed to the established key.

Network Drivers

Windows 2008 does not appear to have drivers for legacy NICs. Often one should be downloaded for your hardware prior to installation in order to setup networking manually.

License Code

There is a bug in the Windows 2008 installation which causes the process to crash if the license code is entered when requested. You may differ entering the license code as there is a 120 day grace period for server activation.

Custom Install

Select the Custom Installation option when it appears. This will allow you to define installation partition size, among other things. When creating an image it is important to minimize image partition size especially if the image may require installation on legacy hardware.

In our case the image partition size will be 40 GB (40960 MB).

Set Initial Password

After primary installation is complete, you will be required to specify a password for the local Administrator user. This password should be complex and probably one of the department default passwords for such matters.

Install Drivers For Network Adapter

The Windows 2008 installation disk may have a "compatible" driver for your NIC but it may not work once the operating system is installed. It is a good idea to have computer's chipset support CD or DVD in order to obtain a usable network driver. Other drivers may be required but the network driver is the most important for getting the new system ready for use.

Initial Configuration

• Set time zone to be Eastern Time. Deactivate one week warning for change over from Daylight Savings to Standard Time.
• Configure Networking
  • You may have to provide an appropriate set of driver files via CD/DVD or USB drive.
  • Disable Internet Protocol 6
  • Disable Link Layer items.
  • DNS suffix is uwaterloo.ca
  • Ensure that register this connection address in DNS is disabled.
  • Enable NetBIOS over TCP/IP.
• Provide the computer with a name.
• DO NOT begin updating the server with Windows Update. At least ensure that Service Pack 2 (SP2) does not get installed until the foreign languages packages are installed later.
• Add Features
  • Desktop Experience
  • Direct Access Management Console
  • Failover Clustering
  • Group Policy Management
  • Internet Printing Client
  • LPR Port Monitor
  • Network Load Balancing
  • Remote Assistance
  • SNMP Service
  • Subsystem for UNIX Based Applications
  • Telnet Client
  • Windows Internal Database
  • Windows Power Shell Integrated Scripting
  • Windows Server Backup Feature
  • Windows Server Migration Tools
  • Windows System Resource Manager

Other Languages

Due to a bug in Service Pack 2 (SP2), all foreign language packages must be installed prior to the installation of SP2. Therefore, we advise installing all desired (you will not have enough space to install all of them) foreign language packages for the 64-bit Windows Server 2008 (amd64 in our case) prior to installing SP2. This problem may be corrected at a later date.

Download all of the Windows Server 2008 Language Packs from the Microsoft web site: http://www.microsoft.com/Downloads/details.aspx?FamilyID=e9f6f200-cfaf-4516-8e96-e4d4750397ff&displaylang=en

These files download as image (.img) files (and similar to .iso files) which are intended to be burned directly onto CD or DVD. It is easier to download the .img files to a separate workstation equipped with ISO imaging software such as Magic ISO and use that to extract the languagepacks directory and subdirectories from the .img files. These directories with their constituent cabinet files can then be transferred to the Windows 2008 system for installation.

The installation tool on the server is the Regional and Language Options applet in the Control Panel. Select the Keyboards and Languages tab and click on the Install/uninstall Languages button under Display Language. Browse to the languagepacks folder and select a language to install. You will have to install each language one at a time. We have selected to install that following languages.

• Arabic
• Chinese (Simplified)
• Chinese (Traditional)
• French
• Korean
• Japanese
• Russian
• Thai
• Vietnamese

After all the languages are installed, the system will have to be rebooted.

Windows Update

• Download and install updates.
  • For now, set never check for updates and then click the check for updates button. The university has its own SUS server for system updates and we do not normally rely on the Microsoft web site to auto patch our systems. The university SUS server configuration is normally done via GPO when a server is put into service.
  • At this time also disable Allow users to install updates to this computer in the Windows Update setting section.

Server Manager

Security Information

• Turn off IE Enhanced Security for both Administrators and Users.
  • Select the top item in Server Manager, scroll to Security Information and select Configure IE SEC

Registry Modifications

• HKLM\Software\Microsoft\Internet Explorer\Main
  • Set all default start pages to be: http://www.cs.uwaterloo.ca/cscf

File System

Create the following folders at the top of the system drive (normally C:)

• Temp
  • A common all access temporary folder in the same manner as the /tmp directory on UNIX systems.
• software
  • The storage location for software which has been custom packaged for CSCF.
• UserProfileCache

Change permissions at the following locations in the file system:

• C:\
  • Remove all create and write permissions for the group Users. Members of this group should only be capable of read and execute rights. This change will be propagated down through the file system.
• C:\Temp
  • Add create files and create folders permissions to the group Users. This will permit any user to create their own files and folders in Temp. CREATOR-OWNER permissions are propagated down from C:\, user who create files and folders will have full control over them.

We choose to redirect user profile creation and storage to a different files system folder called UserProfileCache. To accomplish this the following alterations are required.

1. Copy the Default profile directory from the Users folder into the UserProfileCache folder.
2. Copy the Public profile directory from the Users folder into the UserProfileCache folder.
3. Create an All Users symlink in the UserProfileCache folder to the C:\ProgramData\Microsoft\Windows, using the mklink /d command.
   mklink /d "All Users" "C:\ProgramData\Microsoft\Windows".
   • The contents All Users in previous Windows versions now resides at %SystemDrive\ProgramData\Microsoft\Windows. Except for the common Desktop folder which is now found under the new "Public" profile as Public Desktop (hidden folder).
4. Create an Default User junction in the UserProfileCache folder to the Default folder in UserProfileCache, using the mklink /j command.
   mklink /j "Default User" "C:\UserProfileCache\Default".
5. In the registry editor (run regedit.exe), navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
   • Change the value of Default to the new default user profile location: %SystemDrive%\UserProfileCache\Default.
     • DO NOT confuse the value named Default with with this registry key's default value which appears as (Default) in the same list of values.
   • Change the value of Public to the new all users profile location: %SystemDrive%\UserProfileCache\Public.
   • Change the value of ProfilesDirectory to the new profile cache location: %SystemDrive%\UserProfileCache.
6. Reboot the computer.

One then has to reconfigure the cache location for all existing users on the system. This should only be the Administrator user at this point.

1. In the registry editor (run regedit.exe), navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
2. Locate the subkey named with the Administrator account SID number.
   • In all cases, this number ends with a -500. No other account has such a suffix.
3. Rename this registry key.
4. Reboot the system.

The system should generate a new personal profile for the local Administrator account in the new profile cache folder.

Internet Explorer

Add the following command script (IEXPLORER.CMD) to the installation directories for both versions of Internet Explorer (32 and 64-bit) and modify all Start Menu shortcuts for Internet Explorer such that the browser is stated using the command script and not the executable directly. This will force Internet Explorer to start in low process priority which is required for efficient Terminal Server operation.

@echo off
rem This command script is written to launch 
rem Internet Explorer in LOW process priority
rem 
rem 
c:
cd "\program files (x86)\Internet Explorer"
start /low iexplore.exe

Adobe Reader

We install version 8.1 of Adobe Reader in spite of the fact that this is not the most up to date version of this software. Version 9 and later editions of Adobe Reader continue to cause problems for users who use roaming profiles. In the case of our Windows Terminal Server, this covers virtually all users.

All other Adobe products such as Flash are the most recent editions.

Local Computer Policy

• Computer\Administrative Templates\Network\DNS Client
  • Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries: Enable
• Computer\Administrative Templates\System\User Profiles
  • Do not check for user ownership of Romain Profile folders: Enable
  • Delete cached copies of roaming profiles: Enable
• Computer\Administrative Templates\System\Windows Time Service\Time Providers
  • Configure Windows NTP Client: Enable
    • NtpServer: ntp.cs.uwaterloo.ca
    • Type: NTP
  • Enable Windows NTP Client: Enable

Local Security Policy

• Interactive Logon: Do not display last user name: Enable
• Interactive Logon: Do not require CTRL-ALT-DEL: Disable
  • This will force a username and password prompt for all new terminal server sessions.
• Recovery Console: Allow administrative logon: Enable
  • This is an image intended for a secure server room. Only authorized personnel would would be able to access a server Recovery Console.
• Recovery Console: Allow floppy copy and access to all drives and folders: Enable
  • This option makes the SET command available in the system's recovery console.
• User Account Control: Run All Administrators in Admin Approval Mode: Disable
• User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode: Elevate Without Prompting
  • This will permit other local admin users (cscf-adm) to perform admin tasks without repeatedly having to be prompted for approval. A new security feature in Windows 2008

Windows Firewall

In the past, terminal server users have been permitted to run their own personal networking software. This updated firewall mechanism might get in th way of this. We will have to review policy.

For the present, ensure the following.

• Ensure that any WINS Service is blocked.
• Enable: Notify Me When Windows Blocks A New Programme.

Terminal Services (Remote Desktop Services in R2)

Windows 2008 installs with two admin user terminal services per installed. For general use of terminal services the full Terminal Services roll must be installed. Rolls can be added using the Server Manager console in Administrative Tools. They may also be added using the Initial Configuration Tasks application which auto stats for the local Administrator user after OS installation is completed.

• Do not require Network Level Authentication

Open the Terminal Services Configuration console n Administrative Tools -> Terminal Services. Select the connection type RDP-tcp (there will likely only be one type to start with) and ensure the following settings.

• Delete temporary folders on exit - Yes
• Use temporary folders per session - Yes
• Restrict each user to a single session - No
• User long mode - Allow all connections

• Logon Settings: Always Prompt for A Password
• Environment: Do not allow initial programme to be launched.

Performance Options

• Visual Effects Tab:
  Leave on only the following options.
  • Show Preview Filters In Folders
  • Smooth Edges of Screen Fonts

Setup Of Default User Profile

Sysprep System For Cloning

For previous versions of Windows cloning of systems was accomplished with a stand alone utility called sysprep.exe. For Windows 2008, the sysprep.exe is now incorporated into a Microsoft package called Windows Automated Installation Kit (AIK). An administrator may download a copy from the Microsoft web site at the following links. Be advised that the required AIK versions differ for whether one is attempting to image an Windows 2008 R1 or R2 operating system.

• For Windows Server 2008 (R1) and Windows Vista
  • 6.0.6001.18000 - Windows Vista and Windows Server 2008
• For Windows Server 2008 R2 and Windows 7
  • 6.1.7600.16385 - Windows 7 and Windows Server 2008 R2

Cloning Onto Sunfire X4200 Type Hardware

Two points:

• By default, the Windows Server 2008 installation has the required mass storage drivers for installing onto Sunfire X4200 hardware. Therefore there is no need to include new drivers into a sysprep image.
  However, it is recommended that the most up to date chipset install be performed on the server after the cloned image has completed its installation.
• The Sunfire hardware (and perhaps other hardware) manifests two virtual drives which are detected by the Windows 2008 OS: A virtual floppy drive and a virtual CD-ROM drive (separate from the real DVD drive that is standard for Sunfire hardware). The devices must be disabled otherwise their presence will interfere with the proper operation of the Windows Virtual Disk service. Resulting in slow system responses to user requests.
  Disabling the virtual drives can be achieved one of two ways.
  • Disable them in the Sunfire's BIOS under Advanced -> USB Configuration.
  • Disable them in the Windows OS Device Manager under Administrative Tools -> Computer Management -> Device Manager.

Change Data Execution Prevention Settings

Some common CSCF supported applications such as Xming run afoul of a new security service in Windows Server 2008 called Data Execution Prevention (DEP). The service monitors the usage of system memory in order to thwart the execution of viruses and spyware that could potentially damage the system.

The CSCF image for Windows 2008 currently leaves this service running in its most secure state. This due to the fact that this image will be used for domain controllers and other sensitive servers in addition to general access terminal servers which are require less security.

For Windows 2008 systems that are intended to be terminal servers, the DEP restrictions can be slackened in the System applet of the Control Panel with the following steps.

1. Select Advanced Settings.
2. Select Advanced tab.
3. Select Performance Settings... button.
4. Select Data Execution Prevention tab.
5. Select Turn ON DEP for essential Windows programs and services only.

NOTE: The DEP can be left in high security mode for a terminal server but some supported applications which worked on previous Windows OS's will not be available.

Joining A Domain

• Although our image is configured to have Windows Firewall off, when a server joins a domain it may be reactivated. This will block all RDP connections and other services. Since we use IPSec instead, Windows Firewall can be turned off again if RDP connections suddenly fail when a system is joined to the domain.