This is an install guide for a live production server which uses IIS (www, smtp, ftp), ASP enabled but secured.

The kind of things I disable:
* Windows filesharing services
* Dodgy IIS settings, even though everything with IIS is configured to be accessible only from my machine or the LAN
* Other "general Windows crap" I don't need, such as Diskperf

*** Install guide instructions start here ***

- unplug the network cable from the PC. There should be no direct connection to the Internet or any untrusted network. Modems are fine as they won't automatically connect by default.
- Configure the PC BIOS to boot from CD.
- Boot from CD.
- Partition the start of the disk, 4GB partition, format as NTFS. Don't "repair" if it asks.
- when this phase of setup is done, reboot.
- put in the licence key
- go through the detection phases, nothing to choose from.
- locale change to UK: see http://www.legolas.com/wac/localechange.txt
- add/remove components window:
  - remove Indexing Service
  - untick "Internet Information Services", then click on 'Details'
  - tick the following boxes:
    - File Transfer Protocol (FTP) Server
    - SMTP Service
    - World Wide Web Server
    (other boxes will be automatically ticked as they're dependencies)
  - Hit OK, and OK again.
- networking: choose 'custom'. Configure the NIC if necessary.
  - untick "Client for MS networks" and "File/Print sharing for MS networks".
  - Keep "Internet Protocol (TCP/IP)" ticked, go into properties.
    - configure the "general" tab however you need it.
    - select "Advanced".
    - "DNS" tab > untick "Register this ... in DNS".
    - "WINS" tab > untick "Enable LMHosts lookup" and select "disable NetBIOS".
    - OK.
  - Next.
- configure a workgroup if you need to, leave at default otherwise.
- Next all the way until reboot (tell me if I've missed anything here! I think it's all just copying/installing)

First boot into Windows. Make any aesthetic changes you wish to make, such as explorer configuration.
I'll write an article on a decent set of aesthetic options that don't slow down system responsiveness.

- Untick 'Allow Indexing Service...' on all NTFS drives (drive properties)
- group policy (see http://www.mikeymike.org.uk/wac/group_policy.txt for a 'how to get to this')
  - computer config > admin templates > system > logon: "max retries to unload and update user profile": 2 (stops logoffs taking ages)
  - user config > desktop > active desktop: "disable active desktop": enabled (reduces explorer memory usage)
- configure IIS:
  FTP (master site):
  - untick 'allow anonymous connections'.
  - bind default FTP site to ;
  SMTP:
  - connections and relay only to and untick 'allow any authenticated user to relay'.
  WWW (master site):
  - bind default website to ;
  - uninstall FrontPage extensions for the website;
  - set all logging options ticked except the process accounting ones
  - set the logging path to something other than the default, say D:\iislogs (file permissions: Admins:F SYSTEM:F, that is all that's needed)
  - set performance to <10k
  - untick indexing
  - dir security: untick integrated, tick basic
  - app maps: remove HTW, IDA, IDQ, HTR, IDC, PRINTER
  - remove ALL virtual directories
  - clear out C:\inetpub\wwwroot
  - check the default website has the same settings
  - change the home directory for FTP and the website to a more sensible place
- services config: set the following services from auto to manual, don't stop them!:
  - COM+ Event System
  - Computer Browser
  - DHCP Client (if you're using DHCP, read http://www.legolas.com/wac/dhcpnote.txt)
  - Distributed Link Tracking Client
  - Distributed Transaction Co-ordinator
  - DNS Client
  - IPSEC Policy Agent
  - Logical Disk Manager
  - Messenger
  - Print Spooler
  - Protected Storage
  - Remote Registry Service
  - RunAs
  - Server
  - Task Scheduler
  - TCP/IP NetBIOS Helper Service
  - Windows Management Instrumentation
  - Workstation
  - World Wide Web Publishing Service
- switch off web-based printing: http://www.legolas.com/wac/printers-vdir,web-based-printing.txt
- filesystem permissions:
  - system drive: Admins:F Everyone:R System:F, reset for all child objects
  - system drive:\WINNT\TEMP: Everyone:F
  - other drives: Admins:F System:F, reset for all child objects
- local security policy:
  - local policy > audit: acc logon: F, acc manage: F S/F, logon: S/F, policy: S/F
  - user rights:
    - Access this computer from the network: IUSR, IWAM, Admins
    - Log on locally: IUSR, Admins
  - security options:
    - additional restrictions for anonymous connections: do not allow enumeration
    - Disable Ctrl+Alt+Del requirement for logon: DISABLED
    - LAN Manager authentication level: send NTLMv2 only, refuse LM and NTLM
- computer management:
  - event log: set all logs to 4096KB, overwrite as needed
  - Indexing Service: delete all indexes
  - rename the admin user (disable IUSR and IWAM if you don't intend to use IIS WWW that often)
  - WMI Control: disable logging, disable auto backup
- configure the dial-up internet connection:
  - enable internet connection sharing
  - network tab > TCP/IP properties > advanced > DNS: untick 'register...'
- command prompt: DISKPERF -N
  The response should be something like "all logical and physical performance counters have been disabled". It's important to do this in the same session in which the 'diskperf' device is disabled (a few lines down from here), before rebooting; otherwise the machine will BSOD on boot. This is fixable through the recovery console though.
- disable DCOM: http://www.legolas.com/wac/dcom.txt
- device manager: view > show hidden devices, then disable:
  - network: Direct Parallel
  - network: WAN Miniport (L2TP)
  - network: WAN Miniport (PPTP)
  - Non PnP: diskperf
  - Non PnP: IPSec
  - Non PnP: NetBIOS Over TCP/IP
  - Non PnP: Parallel
  - Non PnP: Parport
  - Non PnP: ParVdm
  - Non PnP: RAS Auto connection driver
- install any drivers for your hardware, storage drivers last, then reboot.
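The IIS "app maps" step above is the one most worth re-checking later, since a service pack or a reinstall of a component can put mappings back. The following PowerShell script is an added example, not part of this guide or of IIS itself: it lists the ISAPI application mappings on the master WWW properties and on the default site and flags the extensions the guide removes, writing the filtered list back only when run with -Apply. It assumes the IIS metabase ADSI provider is available (IIS 5/6, or the IIS 6 metabase compatibility feature on later versions), that the default site is metabase instance 1 as on a fresh install, and that it runs elevated.

```powershell
# Added example (not from the original guide): audit, and optionally strip, the ISAPI
# application mappings the guide removes, via the IIS metabase ADSI provider.
# Assumptions: IIS://localhost/W3SVC exists, the default site is instance 1, run elevated.
param([switch]$Apply)

# Extensions the guide removes from the app maps: HTW, IDA, IDQ, HTR, IDC, PRINTER
$unwanted = @('.htw', '.ida', '.idq', '.htr', '.idc', '.printer')

# Master WWW properties (inherited by every site) and the default site's root.
$targets = @('IIS://localhost/W3SVC', 'IIS://localhost/W3SVC/1/Root')

foreach ($path in $targets) {
    $node = [ADSI]$path
    # ScriptMaps is a multi-valued string property: "extension,isapi-dll,flags[,verbs]"
    $maps = @($node.ScriptMaps)
    $keep = @()
    $drop = @()
    foreach ($m in $maps) {
        $ext = ([string]$m).Split(',')[0].Trim().ToLower()
        if ($unwanted -contains $ext) { $drop += [string]$m } else { $keep += [string]$m }
    }

    Write-Output ("{0}: {1} mappings, {2} flagged" -f $path, $maps.Count, $drop.Count)
    $drop | ForEach-Object { Write-Output "  flagged: $_" }

    if ($Apply -and $drop.Count -gt 0) {
        # Writing the filtered list back removes the flagged handlers, so a request
        # for one of those extensions is no longer handed to the ISAPI DLL.
        $node.Put('ScriptMaps', [string[]]$keep)
        $node.SetInfo()
        Write-Output "  applied: $($drop.Count) mapping(s) removed from $path"
    }
}
```

Run it without -Apply first and read the flagged list; each line shows which DLL the extension was mapped to, which is the quickest way to confirm nothing else on the box still relies on that handler before removing it.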
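The services list and the local security policy / TCP/IP settings above are easy to drift from, so here is an added example of checking them with a script. It is not part of the guide (which predates PowerShell; on Win2k these are the dialogs the guide walks through) and it assumes: the short service names behind the guide's display names are the standard Win2k/XP-era ones given in the table; the registry values behind the dialog settings are the documented ones (LmCompatibilityLevel 5 for "send NTLMv2, refuse LM and NTLM", RestrictAnonymous 1 for "do not allow enumeration", DisableCAD 0 for the Ctrl+Alt+Del setting, EnableLMHOSTS 0, DisableDynamicUpdate 1 for no DNS registration, and per-adapter NetbiosOptions 2 for "disable NetBIOS"); and that it runs elevated. Without -Apply it only reports drift.

```powershell
# Added example (not from the original guide): report, and optionally apply, the service
# start modes and the registry values behind the security/TCP-IP settings the guide asks for.
# Assumptions: standard Win2k/XP-era service names; documented registry value names; run elevated.
param([switch]$Apply)

# Short service name => display name as listed in the guide (assumed mapping).
$manualServices = @{
    'EventSystem'       = 'COM+ Event System'
    'Browser'           = 'Computer Browser'
    'Dhcp'              = 'DHCP Client'
    'TrkWks'            = 'Distributed Link Tracking Client'
    'MSDTC'             = 'Distributed Transaction Coordinator'
    'Dnscache'          = 'DNS Client'
    'PolicyAgent'       = 'IPSEC Policy Agent'
    'dmserver'          = 'Logical Disk Manager'
    'Messenger'         = 'Messenger'
    'Spooler'           = 'Print Spooler'
    'ProtectedStorage'  = 'Protected Storage'
    'RemoteRegistry'    = 'Remote Registry Service'
    'seclogon'          = 'RunAs'
    'lanmanserver'      = 'Server'
    'Schedule'          = 'Task Scheduler'
    'LmHosts'           = 'TCP/IP NetBIOS Helper Service'
    'winmgmt'           = 'Windows Management Instrumentation'
    'lanmanworkstation' = 'Workstation'
    'W3SVC'             = 'World Wide Web Publishing Service'
}

# Registry values behind the Local Security Policy and TCP/IP advanced settings (assumed names).
$regChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'LmCompatibilityLevel'; Expect = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RestrictAnonymous';    Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableCAD';           Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';           Name = 'EnableLMHOSTS';        Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';           Name = 'DisableDynamicUpdate'; Expect = 1 }
)

$findings = @()

foreach ($name in $manualServices.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "MISSING  service $name ($($manualServices[$name]))"; continue }
    if ($svc.StartMode -eq 'Auto') {
        if ($Apply) {
            # Set-Service changes the start type only; it does not stop a running
            # service, which matches the guide's "don't stop them!".
            Set-Service -Name $name -StartupType Manual
            $findings += "FIXED    service $name Auto -> Manual"
        } else {
            $findings += "DRIFT    service $name is Auto, guide wants Manual"
        }
    }
}

foreach ($c in $regChecks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($current -eq $c.Expect) { continue }
    if ($Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expect -Type DWord
        $findings += "FIXED    $($c.Name) -> $($c.Expect)"
    } else {
        $findings += "DRIFT    $($c.Name) is '$current', guide wants $($c.Expect)"
    }
}

# NetBIOS over TCP/IP is per adapter: NetbiosOptions 2 = disabled (the "disable NetBIOS" radio button).
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($key in Get-ChildItem -Path $ifaces -ErrorAction SilentlyContinue) {
    $opt = (Get-ItemProperty -Path $key.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) { continue }
    if ($Apply) {
        Set-ItemProperty -Path $key.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        $findings += "FIXED    NetBIOS disabled on $($key.PSChildName)"
    } else {
        $findings += "DRIFT    NetbiosOptions on $($key.PSChildName) is '$opt', guide wants 2"
    }
}

if ($findings.Count -eq 0) { 'OK: all checked settings match the guide' } else { $findings }
```

A MISSING line for a service usually means the box is a later Windows version where that service no longer exists under the old name, not that something is wrong; a DRIFT line on LmCompatibilityLevel or RestrictAnonymous is the one to chase first, since those two are what keep LM hashes and anonymous SAM enumeration off the wire.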
- install SP2 or SP4 (SP3 has a dodgy "all your base" EULA)
- (if SP3 or later) set the following services to manual:
  - Automatic Updating
  - Background Intelligent Transfer Service
  - check that Control Panel > Automatic Updates: "Keep my computer up to date" is ghosted or unticked.
- Install IE6 SP1
- Install DirectX 8.1
- install post-service pack patches (an automated, quiet method using VBS is available here: http://www.legolas.com/wac/install_patches_with_vbs.txt)
- plug in the network connection
- disable any performance counters you don't want (see http://www.legolas.com/wac/perfmon.txt, but I'll probably upload my reg file for this soon)
- install any other software wanted
- defrag the system partition, maybe other partitions too if necessary
- defrag the registry files (PageDefrag, a util from www.sysinternals.com, does this)
- IIS revisited:
  FTP: bind FTP to the desired IP
  WWW: create another site bound to specific host headers (this keeps your event log clear of worm attacks that are based on IP)
- Set all user TEMP variables to D:\TEMP (or whatever your data drive is, assuming D)
- Set the system TEMP variables to D:\TEMP

Modified: 15/10/2004, Mike Coppins. Tested on: Win2k. www.mikeymike.org.uk