Windows 2012 R2 and Linux SOE

Windows 2012 R2 SOE

  1. Drive Letters
    1. C:\ – OS
    2. D:\ – App
    3. E:\ – Data
    4. F:\ – Backup
    5. G:\ – Temp
    6. H:\ – Pagefile
    7. SQL Servers
      1. Data
      2. Log
      3. Backup
  2. Update VM Details
    1. Adjust memory to autoscale from lowest to required
    2. Update Boot order (HD and No DVD and No Network)
    3. Remove Floppy Disk
    4. BIOS
      1. Update Boot order
      2. Disable the Serial and Parallel ports
  3. Rename Server
  4. Add NICS in correct order in XenServer
  5. Adjust VM Memory to Auto
  6. Rename NICs
    1. netsh interface set interface name="Ethernet 3" newname="External_1"
    2. netsh interface set interface name="Ethernet" newname="External_2"
    3. netsh interface set interface name="Ethernet 2" newname="MAN_NET"
  7. Reserve DHCP IP for External_1 MAC
  8. Update IP Register
  9. Set Static IP
    1. MAN_NET
    2. External_1
    3. External_2
  10. Adapter Settings / View Details / Layout Menu Bar / Change Order
  11. Windows update
  12. Activate
  13. TimeZone
  14. Time
  15. Add to Domain
  16. Create A and PTR Records
  17. Reboot / Shutdown
  18. Enable RDP
  19. Enable Graphics Hardware Acceleration to Full
  20. Apply OS Hardening
  21. Disable TCP Chimney Offload
    1. http://support.microsoft.com/kb/951037
    2. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009517
    3. https://virtualizationandstorage.wordpress.com/2014/02/13/windows-networking-advance-features/
  22. Install XenTools
    1. Enable VSS / Volume Shadow Copy services (vssadmin) – http://technet.microsoft.com/en-us/library/cc771893.aspx
    2. Enable XenServer VSS – C:\Program Files (x86)\Citrix\XenTools\install-XenProvider.cmd
    3. http://technet.microsoft.com/en-us/magazine/dd348398.aspx
  23. VMware Tools
    1. Uninstall Shared Folder Option
  24. Via Group Policy
    1. Enable Dedup for Data Drives – http://technet.microsoft.com/en-us/library/hh831434.aspx
    2. Disable AutoStart (GPO) – http://support.microsoft.com/kb/2328787
    3. Setup DelProfile Schedule Task – http://www.microsoft.com/en-au/download/details.aspx?id=5405
    4. Setup Map the shared Drive (GPO)
    5. Sysprep_backup
    6. CryptoLocker (GPO) – https://virtualizationandstorage.wordpress.com/2014/11/27/cryptolocker-group-policy-software-restriction/
    7. Schedule Remove rd /s /q %systemroot%\temp
    8. Empty Recycle Bin rd /s /q %systemdrive%\$Recycle.bin
    9. Schedule Defrag (GPO)
      • (cmd /c defrag c: > c:\temp\lastdefrag.txt)
      • jkdefragcmd.exe – http://www.kessels.com/jkdefrag/
      • cmd.exe /c start "JkDefrag" /BelowNormal "jkdefragCmd.exe"
      • Page file defrag – http://technet.microsoft.com/en-au/sysinternals/bb897426.aspx
    10. Disable IPv6 (GPO) – http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
      1. HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents = 0xFF
      2. Disable IP Helper Service
      3. Windows Firewall Block IPv6 Traffic – Block incoming and outgoing IPv6 protocol 41 (for ISATAP and 6to4) and UDP 3544
      4. NetSh
        1. netsh interface teredo set state disabled
        2. netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
        3. netsh interface ipv6 isatap set state state=disabled
    11. EventLog Archive (GPO)
    12. SOX (GPO) – https://virtualizationandstorage.wordpress.com/2013/11/26/sarbanes-and-oxley-settings/
    13. TCP Lock down – http://msdn.microsoft.com/en-us/library/ff648853.aspx
    14. Map Tools Directory and add to search path
    15. System State Backup Schedule (GPO) – http://technet.microsoft.com/en-us/library/cc753201.aspx
    16. Public Sharing On/Off (GPO)
    17. Adjust for Best Performance (GPO)
    18. GPUpdate for users (GPO)
    19. Adjust for Best Performance of: Background Services (GPO) "Depends on workload"
    20. Set Path Z: (GPO)
    21. Map Z: (GPO)
    22. Change advanced sharing settings / Turn on Network discover / Turn on file and printer sharing
    23. Adjust Explorer View (Show hidden files, etc.)
    24. IE Homepage
    25. IE google search provider
    26. BigINFO – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    27. RDS License – Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing
    28. Enable Desktop Experience
    29. Task Bar Configuration
      1. Never Combine
      2. All show Icons
    30. Disable the Encrypting File System (EFS)
      1. Fsutil behavior set disableencryption 1
      2. HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableEncryption = 1
    31. Disable QoS Packet Scheduler
    32. Disable ScreenSaver
    33. Software Restrictions GPO
      1. http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
      2. http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
      3. C:\<random>\<random>.exe
        C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
        C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
        C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
      4. %Temp%
        %TMP%
        %APPDATA%
        %LOCALAPPDATA%
    34. Setup backup – wbadmin enable backup -addtarget:\\server\location -schedule:01:00 -systemstate -quiet -vssfull

    35. Maintain Local Admin Password – http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
    36. Deleted Local Profiles on Servers – http://support.microsoft.com/kb/274152
    37. Disk Clean up and Defrag
      1. http://blogs.technet.com/b/askpfeplat/archive/2014/05/13/how-to-clean-up-the-winsxs-directory-and-free-up-disk-space-on-windows-server-2008-r2-with-new-update.aspx
      2. http://support.microsoft.com/kb/2852386
      3. profiles
      4. %TMP%
      5. %AppData%
      6. C:\Windows\Temp
    38. Optimise Services (Exclude Domain Controllers)
      1. Power
      2. iSCSI
      3. Superfetch
      4. Print Spooler
      5. Themes
      6. Software Protection
      7. Remote Registry
      8. Internet Connection Sharing
      9. Windows Audio
      10. Windows Color System
      11. Plug and Play
  25. File Exclusions via End Point Security
  26. Install Software via SCCM
    1. Install 7-Zip
    2. Install PDF Reader
    3. Install CutePDF Writer
    4. Install Java
    5. Install Virus Protection
    6. Install Chrome
    7. Install Flash
    8. Malicious Software Removal Tool – http://www.microsoft.com/security/pc-security/malware-removal.aspx
    9. Microsoft Safety Scanner – http://www.microsoft.com/security/scanner/en-us/default.aspx
    10. http://www.safer-networking.org/full-anti-virus-protection/
  27. Add to XenServer Backup Script
  28. Defrag Disk
  29. Apply OS Optimisation
    1. http://msdn.microsoft.com/en-us/library/windows/hardware/dn529134
    2. https://virtualizationandstorage.wordpress.com/2014/08/27/windows-8-and-server-2012-optimisation-guide/
    3. http://longwhiteclouds.com/2015/01/27/nutanix-sql-server-db-vaai-clone-performance/
    4. https://labs.vmware.com/flings/vmware-os-optimization-tool
  30. Auto Start Join Domain Script
    1. Reserve IP Address for Mac Address
    2. Create DNS record for IP address
    3. Get Hostname via IP address
    4. Rename Server to allocated dns hostname
    5. Create account in domain OU
    6. Join Domain
    7. Delete script
  31. FEP configurations – http://technet.microsoft.com/en-us/library/gg193355.aspx
  32. Windows Firewall
    1. KMS – 1688
    2. DHCP
    3. DNS
  33. Full Microsoft Update
  34. Use IIS-Lockdown or URLScan tools
  35. Security Scans
  36. SYSPREP – C:\Windows\System32\sysprep\sysprep.exe /generalize /oobe /shutdown
  37. Post Configurations Items
    1. Add to Monitoring system
    2. Add to Backups
    3. Add to IP List
    4. Add to Assets Register
      1. Document Maintenance Window
      2. Document Application Owner
      3. Document Change Approval Groups
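
A post-build check for the settings this checklist pins to concrete values (NIC names from step 6, RDP from step 18, TCP Chimney Offload from step 21, the IPv6 and EFS values from step 24), as an added example that is not part of the original checklist. It assumes Windows Server 2012 R2 with an elevated PowerShell session on the built VM; the helper names `Get-RegValue` and `New-Check` are hypothetical, and the RDP registry value is the standard `fDenyTSConnections` setting rather than something the checklist names.

```powershell
# Added example: audits a built VM against values the checklist above names.
# Run elevated on the VM after the GPOs have applied. Helper names are illustrative.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Check([string]$Step, [string]$Setting, $Expected, $Actual) {
    [pscustomobject]@{
        Step = $Step; Setting = $Setting; Expected = $Expected; Actual = $Actual
        Pass = ("$Actual" -eq "$Expected")   # string compare; a missing value never passes
    }
}

$results = @()

# Step 6: all three renamed adapters must exist.
$nicNames = @(Get-NetAdapter | Select-Object -ExpandProperty Name)
foreach ($nic in 'External_1', 'External_2', 'MAN_NET') {
    $results += New-Check '6' "NIC $nic present" $true ($nicNames -contains $nic)
}

# Step 18: RDP is enabled when fDenyTSConnections is 0.
$results += New-Check '18' 'RDP fDenyTSConnections' 0 (
    Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections')

# Step 21: TCP Chimney Offload must be off.
$results += New-Check '21' 'TCP Chimney Offload' 'Disabled' (Get-NetOffloadGlobalSetting).Chimney

# Step 24.10: IPv6 components disabled (0xFF = 255) and IP Helper not startable.
$results += New-Check '24.10' 'Tcpip6 DisabledComponents' 255 (
    Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents')
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='iphlpsvc'"
$results += New-Check '24.10' 'IP Helper (iphlpsvc) StartMode' 'Disabled' $svc.StartMode

# Step 24.30: EFS disabled on NTFS volumes.
$results += New-Check '24.30' 'NtfsDisableEncryption' 1 (
    Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisableEncryption')

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit flags drift
```

Running this before SYSPREP (step 36) and again on each VM deployed from the image shows whether a GPO-delivered value failed to apply or drifted after the machine joined the domain.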

Linux SOE

  1. Edit /etc/sysconfig/network-scripts/ifcfg-eth0
  2. http://www.servermom.org/basic-centos-setup-before-building-a-working-server/414/
  3. Update
    • su -c '/sbin/chkconfig --level 345 yum on; /sbin/service yum start'
    • su -c 'yum update'
  4. Harden OS
  5. Disable root login over SSH
  6. Enable root login only on the console
  7. Enable SSH only via the management network and interface
  8. Disable IPv6 – http://www.cyberciti.biz/tips/linux-how-to-disable-the-ipv6-protocol.html
  9. enable iptables
  10. Enable point-to-point traffic
  11. enable SELinux
  12. Install http://www.webmin.com/