The Windows Server Post-Setup Security Updates window (shown in Figure 7-1) is the first thing that you see when you log on to a server as an administrator after performing a clean install of Windows Server 2003 with Service Pack 1 or Windows Server 2003 R2. Until you click Finish in the Windows Server Post-Setup Security Updates window, Windows blocks all inbound connections to the server (except port 3389 if you enabled Remote Desktop during automated Setup). This prevents viruses or hackers from compromising the security of the server while you install the latest software updates and an antivirus program. The Windows Server Post-Setup Security Updates window does not appear if you explicitly enable or disable the Windows Firewall during Setup using an Unattend.txt file or after Setup using Group Policy. If the window does not appear, update your server manually using Windows Update and also configure Automatic Updates manually.

The Windows Server Post-Setup Security Updates window appears automatically every time an administrator logs in until you click Finish. Simply closing the window does not allow inbound connections.

To use the Windows Server Post-Setup Security Updates window, follow these steps:

Security Alert

When you click Finish in the Windows Server Post-Setup Security Updates window, Windows creates a REG_DWORD value named DontLaunchSecurityOOBE with no data in the following registry key: HKLMSoftwareMicrosoftWindowsCurrent VersionServerOOBESecurityOOBE. This registry key blocks the Windows Server Post-Setup Security Updates window from appearing in the future.

If you have not changed the Windows Firewall settings, Windows also stops and disables the Windows Firewall/Internet Connection Sharing service after you click Finish in the Windows Server Post-Setup Security Updates window. If you enabled Internet Connection Sharing after Setup completed, Windows disables the Windows Firewall but does not stop or disable the shared Windows Firewall/Internet Connection Sharing service.

Unless you prefer the server room to your office, enable Remote Desktop after installing Windows and then relocate to a more comfortable location. Remote Desktop permits you to administer remotely virtually everything you need, as if you were sitting in front of the computer.

Security Alert

A server is only as secure as the least secure computer from which you administer it. For example, if you administer a server from a computer that has been compromised by attackers, viruses, or spyware, the server is probably now compromised as well. This is especially scary if you log on from a public terminal with a keystroke logger! To mitigate this security risk, administer servers only from computers that you secure to the same level as the servers, and do not use these computers for Web browsing and checking e-mail—and even use a separate nonadministrator account.

To enable Remote Desktop automatically, use the [TerminalServices] section of Unattend.txt. (See the Microsoft Windows Corporate Deployment Tools User’s Guide for more information.) To enable Remote Desktop manually after Setup completes, use the following procedure:

Security Alert

You can enable Remote Assistance by selecting the Turn On Remote Assistance check box in the System Properties dialog box. However, enabling Remote Assistance allows a logged-on user to give another user (who doesn’t have explicit permission to access the computer) the ability to view and even control the computer remotely. Control this capability carefully by disabling it entirely, using Group Policy to limit it, or configuring your firewall to block Remote Assistance invitations from leaving your company (block TCP port 3389). For more information about using Remote Assistance with Windows Server 2003, see http://support.microsoft.com/kb/301527/.

After your Windows installation is complete, check the system for setup errors or device problems. Here’s a quick list of actions to perform:

One of the first things to do after installing an operating system is make sure devices are recognized and properly installed. Although Windows Server 2003 Setup usually does a superb job of detecting and configuring devices, Setup isn’t able to resolve resource conflicts or overcome a lack of drivers. You also need to enable any devices that you disconnected or disabled before starting the installation, such as an uninterruptible power supply (UPS).

To add a Plug and Play (PnP) device, plug it in and provide the drivers, if necessary. To check for device configuration problems, use Device Manager.

Using Device Manager

Device Manager is a central repository for device information in Windows. Use it to view or print the configuration and drivers loaded for any device on your system, as well as to disable, uninstall, or change the configuration for a device.

Note

To administer devices from a command line, you can use Devcon.exe, the Windows Management Instrumentation Command-line (WMIC), or scripts. (See Chapter 13 for more information about WMIC and Windows scripts.) Devcon.exe is a command-line version of Device Manager that is part of the Windows Support Tools found in the SupportTools folder on your product CD. Devcon also works in Windows PE, but not in the Recovery Console. For more information, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0f087656-fb2e-4828-9630-e76051a0a608.mspx.

Working with Device Manager

After opening Device Manager as part of the Computer Management (Compmgmt.msc) console or on the Hardware tab of the System tool in Control Panel, you see a list of all the devices that Windows has detected on your system. (See Figure 7-3.) Device Manager displays any nonfunctioning devices with an exclamation point, indicating that a problem exists with the device; disabled devices are displayed with a small red "x" over the icon.

Figure 7-3. The Device Manager snap-in

Note

To use the Computer Management snap-in to remotely administer another computer running Microsoft Windows 2000, Windows XP, or Windows Server 2003, select Computer Management in the console tree and then choose Connect To Another Computer from the Action menu. Select the computer you want to manage, and click OK. You cannot perform some actions remotely, such as defragmenting disks or enabling Remote Desktop. In addition, Device Manager works on remote computers in read-only mode—you can diagnose problems, but you must make changes locally or using Remote Desktop.

On the far right side of the toolbar, icons are available according to the device you selected. In Figure 7-3, the following buttons are available (reading from left to right):

• Scan For Hardware Changes. Click this button to tell the system to look for changes in hardware. Use this button after adding new PnP devices or after swapping hardware.

• Update Driver. Click this button to open the Hardware Update Wizard, which you can use to install updated or new drivers for a device.

• Uninstall. Select a device and click this button to uninstall it. Uninstalling a device doesn’t remove its drivers from the hard disk.

• Disable/Enable. Select a device and click this button to disable it or enable it, depending on its current status. When a device is disabled, its resources are freed and its drivers remain but are not loaded during startup. Take care not to disable something you need to start the machine.

To change the Device Manager display, choose a setting from the View menu. (See Table 7-1.) Use the different view settings for Device Manager to organize your system’s devices in a way that makes it easy to find the information you need.

Table 7-1. View settings

Setting	Description
Devices By Type	Shows devices categorized by device type; usually the most useful view (also the default)
Devices By Connection	Shows all devices in relation to how they are connected to other devices
Resources By Type	Shows all system resources, organized by type of resource
Resources By Connection	Shows all system resources, organized and grouped by the device to which they’re connected
Show Hidden Devices	Includes devices that are not PnP, devices that might have been physically removed but still have their drivers installed, and kernel drivers that do not correspond to physical devices

Working with Device Properties

To display a device’s properties (as shown in Figure 7-4), select the device and then click the Properties toolbar button or double-click the device.

Figure 7-4. The General tab of the Device Properties dialog box

In the Device Properties dialog box, there are several tabs. You can view the status and configuration information—as well as the device manufacturer, device type, and location—in the upper portion of the General tab. For more information about a message displayed in the Device Status box, check Microsoft Help and Support at http://support.microsoft.com. Other tabs include the Driver tab, which displays the details of the driver and lets you update, rollback, or uninstall the driver, and the Resources tab, which displays the hardware resources for the driver. Along with these tabs, some devices have additional advanced settings or tabs for device-specific settings.

Note

The device name shown in Device Manager is the name of the driver that Windows is using for the device and can be incorrect if the wrong driver is loaded for the device.

Troubleshooting Devices

Troubleshooting devices is not an exact science. Devices in Windows XP and Windows Server 2003 usually just work. If they don’t, it’s often difficult to make them work. With that said, here are some of the troubleshooting techniques gleaned from many years of device-induced headaches:

• Open the properties for the device and see whether the cause of the problem is listed in the General tab or the Resources tab. If there are any conflicts, remove or disable the conflicting device, or plug the device into a different slot (if possible).

• Select the device in Device Manager, and click the Uninstall toolbar button. Click Scan For Changes, and let Windows redetect the device. You can also uninstall the device and then restart Windows for a more thorough but time-consuming attempt.

• Try plugging external devices into a different port or directly into the computer instead of through a hub. Connect high-power, bus-powered Universal Serial Bus (USB) or Firewire devices such as bus-powered external hard drives only to self-powered hubs (hubs with external power supplies). To check the power consumption of USB devices, open the device properties for the USB hub and click the Power tab.

• If the problem is persistent, remove all unnecessary devices from the system and see whether the device works. If not, try the device in another system to see whether it’s faulty or whether there is a conflict unique to your system. If the device works, add the removed devices back one by one until a device fails, and then assess the situation. (You might need to leave some cards or devices unplugged.)

Note

If you disable something essential—like the mouse or keyboard—you can return to the previous hardware profile by restarting with the last good hardware profile. When the Loader menu appears, press F8 and choose Last Known Good Configuration. Then choose the version of Windows you installed from the Loader menu and press Enter. This action enables the last good hardware profile.

Although most computers are properly set up for network access during Windows Setup, you might need to change these settings at some point—possibly immediately if the settings are wrong or incomplete. This section explains how to get a server running properly on a network.

Changing Your Network Identity

To change the identity of a server that isn’t a domain controller, log on using an account with administrator permissions and follow these steps:

1. Open the System tool in Control Panel, and then click the Computer Name tab.

2. Optionally, enter a description for the server in the Computer Description box and then click Change. (The description appears next to the computer name when browsing the local network or searching for a computer in Active Directory.)

3. Type the new name for your computer in the Computer Name text box.

4. To change the domain or workgroup to which you belong, choose either the Domain option or the Workgroup option, and then type the domain or workgroup name in the text box.

5. Click More to manually specify the domain name for your computer and to preview the Network Basic Input/Output System (NetBIOS) name for your system. Click OK when you’re finished.

Real World: Naming Computers

It’s a good idea to use a computer name that is both DNS-compatible and NetBIOS-compatible so that all types of clients see the same name for your computer. To do this, keep the name to 15 characters or fewer and don’t use asterisks or periods. To obtain the best application compatibility, use dashes instead of spaces or underscores.

Configuring Network Components

To add or change the settings for core network components such as clients, services, and protocols, open the Network Connections folder (found in Control Panel), right-click the Local Area Connection icon, and choose Properties from the shortcut menu. This procedure opens the familiar Local Area Connection Properties dialog box shown in Figure 7-5, which you can use to view and change your server’s networking components. The top of the General tab of the dialog box shows the network adapter to which you are binding networking services.

Figure 7-5. The General tab of the Local Area Connection Properties dialog box

To install a network component, click Install, choose the type of component you want to install (Client, Service, or Protocol), and then click Add. Select the component from the list presented and click OK. To configure the component (if the component has a configurable option), select the component and click Properties.

Security Alert

If you have a multihomed server (a server with more than one network adapter) and one of the connections is to the Internet, disable everything but Transmission Control Protocol/Internet Protocol (TCP/IP) (and optionally QoS Packet Scheduler) on the Internet connection to increase security. Then give your local area connections names indicating to which network the adapters are connected. To do so, right-click the connections in the Network Connections folder and choose Rename.

Configuring TCP/IP

TCP/IP is the most important protocol in today’s networks, and it’s the backbone for modern Microsoft networks. The protocol is well suited to enterprise networking, and it’s required for accessing the Internet. If you’re unfamiliar with TCP/IP, see Chapter 16 and Chapter 17 for more information.

Using Dynamic Addressing

The easiest and most reliable way to set up addressing on a network running the TCP/IP suite is to use a DHCP server to automatically distribute IP addresses. DHCP can also inform clients of the appropriate DNS servers and gateways to use. A DHCP server not only simplifies client configuration, but also simplifies server administration by managing the database of available IP addresses dynamically and automatically. (With static IP addressing, you must manually keep track of all IP addresses.)

Windows Server 2003 automatically connects to a DHCP server to obtain an IP address unless the server is a domain controller, in which case Windows prompts you to specify a static IP address. To toggle between dynamic and static IP addressing, follow these steps:

1. Select the Internet Protocol (TCP/IP) component in your Local Area Connection Properties dialog box. (Click Add to install TCP/IP if it’s not already installed.) Then click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears (as shown in Figure 7-6).

   

   Figure 7-6. The General tab of the Internet Protocol (TCP/IP) Properties dialog box

2. Select the Obtain An IP Address Automatically option. Do not select this option on a DHCP server—a DHCP server must have a fixed, static IP address.

3. Select the Obtain DNS Server Address Automatically option if your DHCP server is set up to provide the DNS server addresses to clients; otherwise, select the Use The Following DNS Server Addresses option, and type the IP addresses for the DNS servers you want to use.

Real World: Assigning IP Addresses for WINS and DNS Servers

Most administrators use static IP addresses for WINS and DNS servers, and we prefer this method because it ensures that each server is at a known address, and it allows for easy configuration of specific and consistent IP addresses for DNS and WINS servers across multiple segments of the network. Some administrators, however, prefer to use DHCP reservations for their WINS and DNS servers, and this is technically feasible. It does have certain advantages—specifically it enables the DHCP administrator to easily change TCP/IP options that are included in the DHCP reservation without touching every affected server. It also allows the administrator to take back the address if the server is moved or decommissioned. See Chapter 17 for information about creating reservations on a DHCP server.

Using Static Addressing

If your network doesn’t have a DHCP server or if you’re setting up a DHCP server, use a static IP address and DNS information by using the following steps:

1. Obtain an IP address from the person who maintains the database of IP addresses that your organization can use.

2. If the network also uses DHCP servers, add an exclusion for your IP address to all DHCP servers that service the address range in which your IP address is located.

3. Select the Internet Protocol (TCP/IP) component in the Local Area Connection Properties dialog box, and click Properties.

4. Select the Use The Following IP Address option, type the address you obtained in the IP Address text box, and then press Tab to automatically fill in the default subnet mask. If the network is using a specific subnet mask, type it in the Subnet Mask text box.

5. Type the IP address for the default gateway or router in the Default Gateway text box. The default gateway forwards, or routes, any traffic destined for hosts outside the local subnet, possibly to another portion of the wide area network (WAN) or to the Internet.

6. Choose the Use The Following DNS Server Addresses option to specify the IP addresses of the DNS servers. Type the primary and secondary DNS server addresses in the text boxes provided. Click OK when you are finished.

Setting Advanced TCP/IP Options

If you need to specify advanced TCP/IP options such as WINS servers, NetBIOS over TCP/IP, or multiple IP addresses per connection, click Advanced in the TCP/IP Properties dialog box. This opens the Advanced TCP/IP Settings dialog box.

Configuring IP Settings

The Advanced TCP/IP Settings dialog box contains four tabs, the first of which is the IP Settings tab. Use this tab to add the IP address and subnet mask for a network connection as well as the gateways the server must use. To change the options on this tab, follow these steps:

1. Use the Add, Edit, and Remove buttons in the IP Addresses box (shown in Figure 7-7) to modify the computer’s IP address and subnet mask settings. You can use multiple IP addresses and subnet masks for your network connection—either to access different logical IP networks or to use different IP addresses in a single, logical IP network.

   

   Figure 7-7. The IP Settings tab of the Advanced TCP/IP Settings dialog box

2. To add a default gateway or router, click Add and type the IP address for the router.

Note

A router metric is a measurement of relative "cost" of the connection. Because most companies pay a flat fee for their network connections, this "cost" is usually a performance cost. As such, when you select the Automatic Metric check box, Windows automatically assigns the gateway a metric based on the performance of the gateway. To manually specify a metric, type a lower number (such as 10) for gateways that you want to use preferentially. Windows calculates the route metric for the default gateway based on the speed of the network link: 10 for a 200 Mb or faster link; 20 for an 81 Mb or faster link; 25 for a 21 Mb or faster link; 30 for a 4 Mb or faster link; 40 for a 501 Kb or faster link, or 50 for a 500 Kb or slower link. To view the routing table, type route print at a command prompt.

Configuring DNS Settings

Click the DNS tab to access the advanced DNS settings for your network connection, as shown in Figure 7-8.

Figure 7-8. The DNS tab of the Advanced TCP/IP Settings dialog box

Use the following procedure to specify your DNS settings:

1. Use the Add, Edit, and Remove buttons in the DNS Server Addresses box to add or modify the DNS servers you want to use for this connection. Use the up and down arrows next to the box to change the order in which your server queries the DNS servers.

2. Select the appropriate options for resolution of unqualified names (such as srv1).

   • Append Primary And Connection Specific DNS Suffixes. Limits the resolution for unqualified names to the domain suffixes and connection-specific suffixes. If your primary DNS suffix is eng.example.com and you type ping srv4 at a command prompt, DNS looks for srv4.eng.example.com. If you also specify a connection-specific name (in the DNS Suffix For This Connection text box), such as dev.example.com, DNS queries srv4.eng.example.com and srv4.dev.example.com.

   • Append Parent Suffixes Of The Primary DNS Suffix. Includes parent suffixes up to the second-level domain in the resolution of unqualified names. So if the primary DNS suffix is eng.uk.corp.example.com and you type ping srv4 at a command prompt, DNS queries for the following:

     srv4.eng.uk.corp.example.com

     srv4.uk.corp.example.com

     srv4.corp.example.com

     srv4.example.com

   • Append These DNS Suffixes (In Order). Specifies the only domain suffixes to be appended to unqualified domain names during the name resolution process. If you specify domain suffixes here, Windows does not use the primary and connection-specific suffixes.

3. To override the parent DNS domain name specified for the computer in the Network Identification tab of the System Properties Control Panel tool, type the DNS domain name you want to use in the DNS Suffix For This Connection text box. (You can overrule this using Group Policy.)

4. To prevent the server from registering its IP address with the DNS server, clear the Register This Connection’s Addresses In DNS check box.

5. To force the server to register its fully qualified domain name (FQDN), including the DNS suffix listed in the DNS Suffix For This Connection text box (or taken from the DHCP server), select the Use This Connection’s DNS Suffix In DNS Registration check box.

Configuring WINS Settings

To specify the WINS settings for your computer, click the WINS tab in the Advanced TCP/IP Settings dialog box (shown in Figure 7-9). If WINS servers are operating on the network, add their addresses here. This enables the server to communicate via NetBIOS with hosts on other subnets that are running Microsoft operating systems earlier than Windows 2000, and it minimizes broadcast traffic. For a more thorough discussion of when to use WINS servers on your network, see Chapter 17.

Figure 7-9. The WINS tab of the Advanced TCP/IP Settings dialog box

To enable the use of an Lmhosts file for resolving NetBIOS names to IP addresses, select the Enable LMHOSTS Lookup check box, and click Import LMHOSTS to import an Lmhosts file. Use Lmhosts files only when absolutely necessary because trying to keep them up to date can be tricky—the miniscule reduction of network traffic that Lmhosts files offer isn’t worth it.

Note

When you set up a WINS server, use the Ipconfig command at a command prompt to obtain your current IP address and then type that address in the WINS Addresses field. Don’t type any other WINS server in this field; you don’t want your WINS server registering its NetBIOS name with another WINS server if the WINS service hasn’t started in time to respond at bootup.

Make sure the Enable NetBIOS Over TCP/IP option is selected. Disable this only if you communicate exclusively with other computers running Windows 2000, Windows XP, and Windows Server 2003, or computers that rely solely on DNS for name resolution services (for example, UNIX). Also, note that any applications that use NetBIOS (and there are many of these) don’t work if you select Disable NetBIOS Over TCP/IP, so use this setting with caution.

Configuring TCP/IP Options

If you need to specify any TCP/IP options, click the Options tab in the Advanced TCP/IP Settings dialog box. Select an option you want to modify, and then click Properties. For more information about TCP/IP properties and secure TCP/IP connections, see Chapter 16.

After you click Finish in the Windows Server Post-Setup Security Updates window, the Manage Your Server window (shown in Figure 7-10) appears. You can use the Manage Your Server window to perform the following tasks:

Although you can perform all these tasks using MMC consoles, the Manage Your Server window provides a central location from which you can manage a server. The Configure Your Server Wizard streamlines the role configuration process and guides you through some steps that aren’t included in other wizards.

Figure 7-10. The Manage Your Server window

To add or remove roles from the server, use the Configure Your Server Wizard, as described in the following steps:

Real World: Special Facts About Domain Controllers

Although it’s true that all domain controllers are peers, the first domain controller in a domain is special. The first Active Directory domain controller in a domain automatically assumes the role of Global Catalog server. There must be at least one Global Catalog server in every domain. The global catalog is a database that contains a full replica of all directory objects in its host domain, plus a partial replica of all directory objects in every domain in the forest. The global catalog’s role is to locate in which domain a resource is located and to provide universal group membership information during a logon event. After you install additional controllers, you can reassign the role of Global Catalog server or designate more than one machine as a Global Catalog server. (This is necessary only in multidomain forests and in some branch-office scenarios.) This process is described in Chapter 14.

The first domain controller also takes the operations master roles. A single controller must perform each of these roles because they are functions that cannot be executed in different places at the same time. (For example, a single controller must handle the creation of security identifiers to ensure that each identifier is unique.) Under most circumstances, you don’t have to change the location for any of the operations master roles, but it is helpful to understand each of the roles and what happens in the case of failure. See Chapter 15 for information about operations master roles.

Entire books could be (and have been) written about securing Windows Server 2003, and rightly so; it’s an important topic. In the meantime, here are some security precautions to take before considering your server "online" (for more information, see Chapter 21 and Chapter 22):

Real World: Protecting the Administrator Account

A good precaution after installation is to use the built-in Administrator account to make a second account with full administrative privileges. This account can have a generic name, or you can call it something descriptive. Use it for all the day-to-day administrative work.

Then rename the default Administrator account and relegate it to semi-retirement. If your other administrator account gets disabled for some reason, you still have the original uncontaminated, known-to-be-good administrator account to which you can resort, just in case.

For bonus points, create another account, named Administrator, and disable it. Enable the Audit Account Logon Events setting in Group Policy, and then scan the Event Log for failures to log on with the decoy Administrator account. This tells you how much "action" the account is seeing from internal hackers (or at least, how forgetful the administrators are).

After installing Windows Server 2003, you have some important configuration steps to perform. These tasks include documenting the installation, installing the latest software updates, enabling remote administration, and configuring devices and network settings. You also need to set up the server to fulfill its intended role on the network, which is made easier by the useful Manage Your Server window and the Configure Your Server Wizard. The last part of a server’s post-installation shakedown is securing the server as appropriate for its roles.

In the next chapter, the topic is how to manage print servers.