Installing Windows XP

These recommendations are mainly for when installing a new copy of Windows XP, but many steps are also relevant to existing installations of XP.

1. Only use a Windows XP CD that says “Includes Service Pack 2”
   
   You can get such a CD from a store, from Drew directly, or make your own from the ISO image file at \\chemserv.chem.cmu.edu\software\miscellaneous\ISOs.  Carnegie Mellon has a site license for Windows XP Professional.
    
   The original release of Windows XP (sometimes referred to as the OEM release) includes several network vulnerabilities.  Its critical that you NOT use such a CD for installing a new OS… if you do you run the risk of being hacked/infected before the installation even finishes, let alone before you can download/install patches.  Computing Services also scans continuously for unpatched machines and may remove your network access.  If you want to still use an OEM CD and install patches afterwards (necessary when reinstalling on some laptops, particularly non-English language laptops), see the Readme.txt file at \\chemserv.chem.cmu.edu\software\patches\winXP.
2. Boot from CD
   
   Booting from CD might require editing the BIOS on the computer to boot from CD instead of hard drive. If it still doesn't boot from CD, the BIOS may need a firmware update to recognize that the XP CD is a bootable CD. See your computer vendor's website for BIOS updates.
3. Install XP!
   
   If possible, I recommend copying your data off the computer before installing XP, then telling the XP installer to delete the partition entirely and create it again so that you're starting from a blank partition. (Alternatively, you can have multiple copies of XP on the same computer, even the same partition, so another option is to tell the installer to leave the existing partition intact and install to a different folder. After installation you'll have a boot menu of the various OSes detected. This menu is kept in the hidden read-only file c:\boot.ini, which you can edit indirectly from the system control panel, advanced, startup and recovery settings, edit, to remove lines for the old OS.)
   
   If you're reinstalling because of a security compromise, do NOT attempt to reinstall over the existing OS or to use repair/recovery. Either install to a new directory and then manually delete the old Windows directory, or install to a blank partition.
   
   PASSWORDS: It’s very important to set your computer's password to a 'safe' password, otherwise an infected or malicious computer on the network could infect/hack you by guessing your password. Password guessing is automated and efficient, using entire dictionaries including permutations. Some information on passwords is at https://www.cmu.edu/computing/documentation/passwords/Password.html. If your computer is in a physically secure and trusted area, you might even be better off having NO password on the computer: Windows XP does not allow accounts with empty passwords to be used remotely, so it’s actually safer than having a password, from the point of view of network attacks.
4. (If necessary…) reinstate your computer's network access
   
   If you're reinstalling because you were removed from the network for bandwidth/security/infection problems, then reinstate your computer by using another computer to visit the site http://netnotify.net.cmu.edu to request a reactivation. You should receive an automated email acknowledging the request, and network access should resume in less than an hour. If your computer doesn’t show up on the list, email Drew the 'physical address' of the banned computer, found on that computer via Start menu, Run, CMD, ipconfig/all.
5. (If necessary…) register your computer on the network
   
   If this is a new computer (or at least new to the Carnegie Mellon network), bring up a web browser and try to access any web page, like http://www.cmu.edu.  You should be automatically redirected to the network registration web page http://netreg.net.cmu.edu which will ask for your Andrew userID and password and walk you through the registration of your computer.  For ‘Affiliation’, if you’re a Chemistry grad, staff, or faculty member select ‘Chemistry’.  If you’re a Chemistry undergrad, select ‘Undergraduate Students’.  Please put a description of the computer in the ‘User Comment’ field, including a location if it’s a desktop, such as ‘Dell Dimension 4300, room MI-438’.
6. Run Windows Update
   
   This is located at the Start menu, All Programs, Windows Update. Only install the 'critical updates and service packs'- not the Windows XP or Driver Updates. After reboot, run it again to ensure that there are no additional updates.
7. Check the setting of Automatic Updates
   
   This is located at the Start menu, Settings, Control Panel, Security Center, Automatic Updates.  Ensure that its set for ‘Automatic’.  This will allow updates to install even if no one is logged in. If the update requires a reboot, it will reboot automatically if no one is logged in. If someone is logged in, they'll be given an opportunity to defer the reboot. Most updates are released on the second Tuesday of the month.
8. Install Symantec Antivirus
   
   You can download it from http://www.cmu.edu/myandrew.  Version 10 also includes spyware detection and removal.
   
   If your computer already had antivirus software installed, uninstall it and reboot before installing Symantec Antivirus.  The version we have is a site-licensed corporate version that does not expire.
9. Set time server
   
   Doubleclick on the clock in the tray (lower right corner), set Time Zone to Eastern Time, set Internet Time Server to ntp.net.cmu.edu.  This will keep the computer’s clock synchronized with the campus clock.  Being out of sync will cause problems with restricted web sites like http://www.cmu.edu/myandrew, and being very out of sync can cause problems with Windows Update.

Some further common post-installation information:

• Turn off the Messenger service
  
  Go to the Start menu, Run, type in ‘services.msc’ (without the quotes) and Enter, scroll down and double click on 'Messenger', set startup type to 'disabled', click Stop, and OK. The Messenger service isn’t really a direct security risk, but isn't needed and can lead to unwanted Windows popups, which can contain misleading information.
• Only install software that's needed
  
  Any operating system is only as stable as the software you install on it. Disk and performance utilities, firewalls, download managers, etc. are all unnecessary and should be avoided.  This includes Zone Alarm, Norton Utilities, etc.  Often they serve only to interfere with basic functions like accessing \\chemserv, to become incompatible with other software including OS patches, to make the computer problems harder to troubleshooting, and to slow the computer down.
• Avoid running an FTP or web server
  
  FTP and web servers are also the most common way computers are compromised, due to frequent security holes in freeware ftpds and misconfiguration and missing patches in web servers. If at all possible, use any one of the centrally maintained services like http://www.andrew.cmu.edu/, http://www.contrib.andrew.cmu.edu/ or the departmental web/ftp server.
• Installing Microsoft Office 2003
  
  We have a site license, but its not allowed to be distributed via MyAndrew. We have a copy on our fileserver though: Start menu, Run, \\chemserv.chem.cmu.edu\software, login as 'chem' with password 'chem'. The license number is in the directory. Installation will look for updates on the network. You can also manually check for updates in the future via the Office Updates page at http://office.microsoft.com/officeupdate.
• Visit the Carnegie Mellon “Securing Your Machine” site
  http://www.cmu.edu/computing/documentation/index_security.html