This is my install guide for my home PC, which uses the following Win2k functionality:

* Dial-up standard modem access (so, Remote Access Services)
* IIS: www, smtp, ftp
* Internet connection sharing

I use this machine for:

* General internet access
* Sharing the connection through to other machines (Windows and non-Windows) over a NIC-based LAN
* Website development (using IIS)
* Filesharing through FTP to machines on the LAN only
* Sending mail through IIS SMTP, configured to allow only my machine to relay
* Games
* Office-type apps
* DVD playback

The kind of things I disable:

* Windows filesharing services
* Dodgy IIS settings, even though everything in IIS is configured to be accessible only from my machine or the LAN
* Other "general Windows crap" I don't need, such as Diskperf

*** Install guide instructions start here ***

- Unplug the network cable from the PC. There should be no direct connection to the Internet or any untrusted network. Modems are fine as they won't connect automatically by default.
- Configure the PC BIOS to boot from CD.
- Boot from CD.
- Partition the start of the disk as a 4GB partition and format it as NTFS. Don't "repair" if it asks.
- When this phase of setup is done, reboot.
- Put in the licence key.
- Go through the detection phases; there is nothing to choose here.
- Locale change to UK: see http://www.mikeymike.org.uk/wac/localechange.txt
- Networking: choose 'custom'. Configure your NIC if necessary.
  - Untick "Client for MS networks" and "File/Print sharing for MS networks".
  - Keep "Internet Protocol (TCP/IP)" ticked and go into Properties.
    - Configure the "General" tab however you need it.
    - Select "Advanced".
    - "DNS" tab > untick "Register this ... in DNS".
    - "WINS" tab > untick "Enable LMHosts lookup" and select "Disable NetBIOS".
    - OK.
  - Next.
- Configure the workgroup if you need to, leave it at the default otherwise.
- Next all the way until reboot (tell me if I've missed anything here! I think it's all just copying/installing).

First boot into Windows.
Make any aesthetic changes you wish to make, such as explorer configuration. I'll write an article on a decent set of aesthetic options that don't slow down system responsiveness.

- Win2k first boot. Uninstall Indexing Service.
- Untick 'Allow Indexing Service...' on all NTFS drives (drive properties).
- Install IIS (just FTP, SMTP and WWW, select NOTHING else). OK. (Keep the IIS install and the indexing uninstall separate; I'm not sure if this makes a difference, but I think it might.)
- Configure IIS:
  - FTP: untick 'allow anonymous connections'.
  - SMTP: connections and relay only to your own machine; untick 'allow any authenticated user to relay'.
  - WWW (master site):
    - bind the default website to your LAN-only address;
    - uninstall FP extensions for the website;
    - set all logging options ticked except the process accounting ones;
    - set performance tuning to 'fewer than 10,000';
    - untick indexing;
    - dir security: untick integrated, tick basic;
    - app maps: remove HTW, IDA, IDQ, HTR, IDC, PRINTER;
    - remove ALL virtual directories;
    - clear out C:\inetpub\wwwroot;
    - check the default website has the same settings.
- Services config: set the following services from Automatic to Manual, don't stop them!:
  - COM+ Event System
  - Computer Browser
  - DHCP Client (if you're using DHCP, read http://www.mikeymike.org.uk/wac/dhcpnote.txt)
  - Distributed Link Tracking Client
  - Distributed Transaction Co-ordinator
  - DNS Client
  - FTP Publishing Service
  - IIS Admin Service
  - IPSEC Policy Agent
  - Logical Disk Manager
  - Messenger
  - Print Spooler
  - Protected Storage
  - Remote Registry Service
  - RunAs
  - Server
  - Task Scheduler
  - TCP/IP NetBIOS Helper Service
  - Windows Management Instrumentation
  - Workstation
  - World Wide Web Publishing Service
- Switch off web-based printing: http://www.mikeymike.org.uk/wac/printers-vdir,web-based-printing.txt
- Filesystem permissions:
  - system drive: Admins:F, Everyone:R, System:F; reset for all child objects
  - system drive:\WINNT\TEMP: Everyone:F
  - other drives: Admins:F, System:F; reset for all child objects
- Local security policy:
  - Local policy > audit: account logon: F; account management: S/F; logon: S/F; policy change: S/F
  - User rights:
    - Access this computer from the network: IUSR, IWAM, Admins
    - Log on locally: IUSR, Admins
  - Security options:
    - Additional restrictions for anonymous connections: do not allow enumeration
    - Disable Ctrl+Alt+Del requirement for logon: Disabled
    - LAN Manager authentication level: send NTLMv2 only, refuse LM and NTLM
- Computer Management:
  - Event log: set all logs to 512KB, overwrite as needed
  - Indexing Service: delete all indexes
  - Rename the admin user (disable IUSR and IWAM if you don't intend to use IIS WWW that often)
  - WMI Control: disable logging, disable auto backup
- (If needed) configure the dial-up internet connection.
- Enable Internet Connection Sharing.
  - Network tab > TCP/IP properties > Advanced > DNS: untick 'register...'
- Command prompt: DISKPERF -N. The response should be something like "all logical and physical performance counters have been disabled". (It's important to do this in the same session as disabling the 'diskperf' device (a few lines down from here) and before rebooting, otherwise the machine will BSOD on boot. This is fixable through the Recovery Console though.)
- Disable DCOM: http://www.mikeymike.org.uk/wac/dcom.txt
- Device Manager > View > Show hidden devices. Disable:
  - Network: Direct Parallel
  - Network: WAN Miniport (L2TP)
  - Network: WAN Miniport (PPTP)
  - Non-PnP: diskperf
  - Non-PnP: NetBIOS over TCP/IP
  - Non-PnP: Parallel
  - Non-PnP: Parport
  - Non-PnP: ParVdm
  - Non-PnP: RAS Auto connection driver
- Install any drivers for your hardware, storage drivers last, then reboot.
- Install SP2 or SP4 (SP3 has a dodgy "all your base" EULA).
- (If SP3 or later) set the following services to Manual:
  - Automatic Updates
  - Background Intelligent Transfer Service
- Check that Control Panel > Automatic Updates > "Keep my computer up to date" is greyed out (ghosted) or unticked.
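A check for the IIS 'app maps' step above, added here as an example (it is not from the original guide): it uses the IIS ADSI provider from VBScript, which ships with Win2k, and assumes IIS is installed on the local machine. It lists any of the removed mappings that are still present on the master properties or on any website's root.

```vbscript
' Added check script (not part of the original guide). Run: cscript iismaps.vbs
' Walks the master W3SVC properties and each website's root, listing any of the
' script mappings the guide removes (.htw .ida .idq .htr .idc .printer).
Option Explicit

Dim unwanted, w3svc, site, hits
unwanted = Array(".htw", ".ida", ".idq", ".htr", ".idc", ".printer")
hits = 0

Set w3svc = GetObject("IIS://localhost/W3SVC")      ' master (server-level) settings
hits = hits + Report("W3SVC master", w3svc)
w3svc.Filter = Array("IIsWebServer")                ' enumerate only the websites
For Each site In w3svc
    ' a site's own mappings live on its root virtual directory
    hits = hits + Report(site.ServerComment, GetObject(site.ADsPath & "/Root"))
Next
WScript.Echo hits & " unwanted mapping(s) found"

' Returns how many unwanted extensions are still mapped on one ADSI node
Function Report(label, node)
    Dim m, parts, e, found
    found = 0
    For Each m In node.ScriptMaps
        parts = Split(m, ",")        ' entry format: ext,dll path,flags[,verbs...]
        For Each e In unwanted
            If LCase(parts(0)) = e Then
                WScript.Echo label & ": " & parts(0) & " still mapped to " & parts(1)
                found = found + 1
            End If
        Next
    Next
    Report = found
End Function
```

Run it again after the "check default website has same settings" step; a count of 0 means both the master and the site agree with the guide.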
- Install IE6 SP1.
- Install DirectX 8.1.
- Install the post-service-pack patches (an automated, quiet method using VBS is available here: http://www.mikeymike.org.uk/wac/install_patches_with_vbs.txt).
- Disable any performance counters you don't want (see http://www.mikeymike.org.uk/wac/perfmon.txt, but I'll probably upload my reg file for this soon).
- Configure file types so that .eml and .nws files open in Notepad or another text viewer instead of Outlook Express (security tweak).
- Disassociate all file types from Windows Media Player 6.4 (do not upgrade it, due to DRM and "all your base" EULA clauses): Start > Run > mplayer2, then View > Options > Formats, untick all (security tweak).
- Group policy (see http://www.mikeymike.org.uk/wac/group_policy.txt for how to get to this):
  - Computer Configuration > Administrative Templates > System > Logon: "Maximum retries to unload and update user profile": 2 (stops logoffs taking ages)
  - User Configuration > Desktop > Active Desktop: "Disable Active Desktop": Enabled (reduces explorer memory usage)
- Set all user TEMP variables to D:\TEMP (or whatever your data drive is, assuming D).
- Set the system TEMP variables to D:\TEMP.
- Install any other software wanted.
- Defrag the system partition, and other partitions too if necessary.
- Defrag the registry files (PageDefrag, a utility from www.sysinternals.com, does this).
- GUI tweaks:
  - Control Panel > 'switch to classic view'
  - Explorer > View > List
  - Tools > Folder Options:
    - [x] Use Windows Classic Desktop
    - View (untick everything else):
      [reset all folders] [like current folder]
      [x] Display compressed files...
      [x] Display full path in address bar
      [x] Show hidden files and folders
      [x] Remember each folder's view settings
    - Offline Files: [ ] Enable Offline Files

Modified: 19/01/2005, Mike Coppins. Tested on: Win2k. www.mikeymike.org.uk
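As an added closing audit (not part of the original guide), this VBScript uses WMI and the registry, both present on Win2k, to confirm that the services config and security options steps above survived the service pack install and reboots. The service display names and registry locations are standard Win2k values as I know them, not taken from the guide, and the DCOM key is the one dcomcnfg toggles.

```vbscript
' Added audit script (not part of the original guide). Run: cscript audit.vbs
' Reports which services the guide set to Manual are still Automatic, and checks
' the registry values behind the "security options" and "disable DCOM" steps.
Option Explicit

Dim wantManual, wmi, svcs, svc, name, shell
' Display names as Win2k's WMI reports them (spelling assumed, e.g. "RunAs Service")
wantManual = Array("COM+ Event System", "Computer Browser", "DHCP Client", _
    "Distributed Link Tracking Client", "Distributed Transaction Coordinator", _
    "DNS Client", "FTP Publishing Service", "IIS Admin Service", "IPSEC Policy Agent", _
    "Logical Disk Manager", "Messenger", "Print Spooler", "Protected Storage", _
    "Remote Registry Service", "RunAs Service", "Server", "Task Scheduler", _
    "TCP/IP NetBIOS Helper Service", "Windows Management Instrumentation", _
    "Workstation", "World Wide Web Publishing Service", _
    "Automatic Updates", "Background Intelligent Transfer Service")

Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each name In wantManual
    Set svcs = wmi.ExecQuery("SELECT StartMode FROM Win32_Service WHERE DisplayName = '" & name & "'")
    If svcs.Count = 0 Then
        WScript.Echo "NOT FOUND : " & name    ' e.g. BITS is absent before SP3
    Else
        For Each svc In svcs
            If svc.StartMode = "Auto" Then WScript.Echo "STILL AUTO: " & name
        Next
    End If
Next

' Registry values set by the policy steps (standard Win2k locations):
'   LMCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
'   RestrictAnonymous    1 = no anonymous enumeration of SAM accounts and shares
'   EnableDCOM          "N" = DCOM disabled
Set shell = CreateObject("WScript.Shell")
CheckReg "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel", 5
CheckReg "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous", 1
CheckReg "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM", "N"

Sub CheckReg(path, expected)
    Dim v
    On Error Resume Next          ' RegRead raises an error if the value is absent
    v = shell.RegRead(path)
    If Err.Number <> 0 Then
        WScript.Echo "MISSING   : " & path
    ElseIf CStr(v) <> CStr(expected) Then
        WScript.Echo "MISMATCH  : " & path & " = " & v & " (want " & expected & ")"
    Else
        WScript.Echo "OK        : " & path
    End If
End Sub
```

Because WMI is itself on the Manual list, the first GetObject starts it on demand; that is expected and not a finding.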