Installing Windows XP
These recommendations are mainly for installing a new copy
of Windows XP, but many steps also apply to existing installations of
XP.
- Only use a Windows XP CD that says “Includes Service Pack 2”
You can get such a CD from a store, from Drew directly, or make your own
from the ISO image file at \\chemserv.chem.cmu.edu\software\miscellaneous\ISOs.
Carnegie Mellon has a site license for Windows XP Professional.
The original release of Windows XP (sometimes referred to as the OEM
release) includes several network vulnerabilities. It's critical that
you NOT use such a CD for installing a new OS… if you do you run the
risk of being hacked/infected before the installation even finishes, let
alone before you can download/install patches. Computing Services
also scans continuously for unpatched machines and may remove your network
access. If you still want to use an OEM CD and install patches
afterwards (necessary when reinstalling on some laptops, particularly
non-English language laptops), see the Readme.txt file at
\\chemserv.chem.cmu.edu\software\patches\winXP.
- Boot from CD
Booting from CD might require editing the BIOS on the computer to boot
from CD instead of hard drive. If it still doesn't boot from CD, the BIOS
may need a firmware update to recognize that the XP CD is a bootable CD.
See your computer vendor's website for BIOS updates.
- Install XP!
If possible, I recommend copying your data off the computer before
installing XP, then telling the XP installer to delete the partition
entirely and create it again so that you're starting from a blank
partition. (Alternatively, you can have multiple copies of XP on the same
computer, even the same partition, so another option is to tell the
installer to leave the existing partition intact and install to a
different folder. After installation you'll have a boot menu of the
various OSes detected. This menu is kept in the hidden read-only file
c:\boot.ini, which you can edit indirectly from the system control panel,
advanced, startup and recovery settings, edit, to remove lines for the old
OS.)
If you're reinstalling because of a security compromise, do NOT attempt to
reinstall over the existing OS or to use repair/recovery. Either install
to a new directory and then manually delete the old Windows directory, or
install to a blank partition.
PASSWORDS: It’s very important to set your computer's password to a
'safe' password; otherwise an infected or malicious computer on the
network could infect/hack you by guessing your password. Password guessing
is automated and efficient, using entire dictionaries including
permutations. Some information on passwords is at https://www.cmu.edu/computing/documentation/passwords/Password.html.
If your computer is in a physically secure and trusted area, you might
even be better off having NO password on the computer: Windows XP does not
allow accounts with empty passwords to be used remotely, so it’s
actually safer than having a password, from the point of view of network
attacks.
- (If necessary…) reinstate your computer's network access
If you're reinstalling because you were removed from the network for
bandwidth/security/infection problems, then reinstate your computer by
using another computer to visit the site http://netnotify.net.cmu.edu to
request a reactivation. You should receive an automated email
acknowledging the request, and network access should resume in less than
an hour. If your computer doesn’t show up on the list, email Drew
the 'physical address' of the banned computer, found on that computer via
Start menu, Run, CMD, ipconfig /all.
- (If necessary…) register your computer on the network
If this is a new computer (or at least new to the Carnegie Mellon
network), bring up a web browser and try to access any web page, like http://www.cmu.edu. You should be
automatically redirected to the network registration web page http://netreg.net.cmu.edu which will
ask for your Andrew userID and password and walk you through the
registration of your computer. For ‘Affiliation’, if you’re
a Chemistry grad, staff, or faculty member select ‘Chemistry’.
If you’re a Chemistry undergrad, select ‘Undergraduate
Students’. Please put a description of the computer in the ‘User
Comment’ field, including a location if it’s a desktop, such
as ‘Dell Dimension 4300, room MI-438’.
- Run Windows Update
This is located at the Start menu, All Programs, Windows Update. Only
install the 'critical updates and service packs', not the Windows XP or Driver
Updates. After reboot, run it again to ensure that there are no additional
updates.
- Check the setting of Automatic Updates
This is located at the Start menu, Settings, Control Panel, Security Center, Automatic Updates. Ensure that it's set for ‘Automatic’. This
will allow updates to install even if no one is logged in. If the update
requires a reboot, it will reboot automatically if no one is logged in. If
someone is logged in, they'll be given an opportunity to defer the reboot.
Most updates are released on the second Tuesday of the month.
- Install Symantec Antivirus
You can download it from http://www.cmu.edu/myandrew.
Version 10 also includes spyware detection and removal.
If your computer already had antivirus software installed, uninstall it
and reboot before installing Symantec Antivirus. The version we have
is a site-licensed corporate version that does not expire.
- Set time server
Double-click on the clock in the tray (lower right corner), set Time Zone
to Eastern Time, set Internet Time Server to ntp.net.cmu.edu. This
will keep the computer’s clock synchronized with the campus
clock. Being out of sync will cause problems with restricted web
sites like http://www.cmu.edu/myandrew,
and being very out of sync can cause problems with Windows Update.
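As an added example (not part of the original page): a read-only batch file for the XP command prompt that checks the settings from the steps above, namely the service pack level, Automatic Updates, the time server, and the blank-password restriction mentioned under PASSWORDS. The registry locations are the standard Windows XP ones and are not taken from this page; a machine managed by Group Policy may keep the Automatic Updates setting under the Policies key instead.

```bat
@echo off
rem Added example, not from the original page: read-only audit of the
rem settings this checklist asks for. Run from CMD on the XP machine.
rem Nothing is changed; each check only reads a registry value.
setlocal
set FAIL=0

rem 1. Service pack level: CSDVersion should read "Service Pack 2" or 3.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion 2>nul | findstr /c:"Service Pack 2" /c:"Service Pack 3" >nul
if errorlevel 1 (set FAIL=1& echo [FAIL] Service Pack 2 or later is not installed) else echo [ OK ] Service Pack 2 or later

rem 2. Automatic Updates: AUOptions 0x4 means download and install automatically.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions 2>nul | find "0x4" >nul
if errorlevel 1 (set FAIL=1& echo [FAIL] Automatic Updates is not set to Automatic) else echo [ OK ] Automatic Updates set to Automatic

rem 3. Time server: NtpServer should name the campus server from this page.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v NtpServer 2>nul | find /i "ntp.net.cmu.edu" >nul
if errorlevel 1 (set FAIL=1& echo [FAIL] Time server is not ntp.net.cmu.edu) else echo [ OK ] Time server is ntp.net.cmu.edu

rem 4. Blank passwords: LimitBlankPasswordUse 0x1 restricts accounts with an
rem    empty password to console logon, which the PASSWORDS note relies on.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse 2>nul | find "0x1" >nul
if errorlevel 1 (set FAIL=1& echo [FAIL] Blank-password accounts are usable over the network) else echo [ OK ] Blank-password accounts limited to console logon

if %FAIL%==0 (echo All checks passed.) else echo One or more checks failed.
exit /b %FAIL%
```

The exit code is 0 only when every check passes, so the file can be run after each Windows Update pass to confirm nothing was reset.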
Some further common post-installation information:
- Turn off the Messenger service
Go to the Start menu, Run, type in ‘services.msc’ (without the
quotes) and Enter, scroll down and double click on 'Messenger', set
startup type to 'disabled', click Stop, and OK. The Messenger service
isn’t really a direct security risk, but isn't needed and can lead
to unwanted Windows popups, which can contain misleading information.
- Only install software that's needed
Any operating system is only as stable as the software you install on it.
Disk and performance utilities, firewalls, download managers, etc. are all
unnecessary and should be avoided. This includes Zone Alarm, Norton
Utilities, etc. Often they serve only to interfere with basic
functions like accessing \\chemserv, to
become incompatible with other software including OS patches, to make
computer problems harder to troubleshoot, and to slow the computer
down.
- Avoid running an FTP or web server
FTP and web servers are also the most common way computers are
compromised, due to frequent security holes in freeware ftpds and
misconfiguration and missing patches in web servers. If at all possible,
use any one of the centrally maintained services like http://www.andrew.cmu.edu/, http://www.contrib.andrew.cmu.edu/
or the departmental web/ftp server.
- Installing Microsoft Office 2003
We have a site license, but it's not allowed to be distributed via
MyAndrew. We have a copy on our fileserver though: Start menu, Run,
\\chemserv.chem.cmu.edu\software, login as 'chem' with password 'chem'.
The license number is in the directory. Installation will look for updates
on the network. You can also manually check for updates in the future via
the Office Updates page at http://office.microsoft.com/officeupdate.
- Visit the Carnegie Mellon “Securing Your Machine” site
http://www.cmu.edu/computing/documentation/index_security.html