
Windows 2016 Configuration Guide

TABLE OF CONTENTS
1    Introduction ........................................... 2
1.1  Document Purpose ....................................... 2
1.2  Acronyms and Abbreviations ............................. 2
1.3  Definitions ............................................ 2
1.4  Distribution ........................................... 2
1.5  References ............................................. 2
2    Configure Windows 2016 after installation .............. 3
2.1  Parameters ............................................. 3
2.2  Installation Procedure ................................. 3
1 Introduction

1.1 Document Purpose

1.2 Acronyms and Abbreviations

Acronym/Abbreviation | Definition
N.A.                 | Not Applicable

1.3 Definitions

Word/Phrase | Definition

1.4 Distribution

Name | Service Group | Company | Phone | e-mail
     |               | INDEFF  |       |

1.5 References

Ref. | Reference Document | Corresponding HDS | Version
DR.1 |                    |                   |
DR.2 |                    |                   |

Draft
Pag. 2 of 34
2 Configure Windows 2016 after installation

2.1 Parameters

Parameter                            | Default Values
Time Zone                            |
Auto Adjust for Daylight Saving Time | YES (YES or NO)
Location                             |
Keyboard                             |
Regional Format                      | English United States

Naming convention for parameter usage in the installation procedure is: <ParameterName> (in bold/italics).

The table above contains default values, to help guide you when setting up a new case from a referring document or in the event this document is ever used without a referring document.

When using this document from a referring document such as a CG, the parameter values listed in that document are to be used.

2.2 Installation Procedure
Installation procedure
1
(Re)boot the server and log on.
2
After logon, the window “Initial Configuration Tasks” appears.
This screen enumerates a few tasks that need to be done to configure your server.
Go to Configure this local server.
3
First set the <Time Zone> for the server and check <Automatically adjust clock for Daylight Saving Time> according to the parameter <Auto Adjust for Daylight Saving Time>.
4
Next in line is the network configuration.
When you click the link ‘Configure Networking’, you are redirected to the network connections.
Right-click the NIC you want to configure and choose ‘Properties’.
Select the TCP/IPv4 protocol and configure your IP address, subnet mask, gateway and DNS according to [DR.1].
5
Now it’s time to name your computer and give it a useful description, according to [DR.1].
First enter the description and then press the <Change> button to change the name of your server.
If the server is going to be a member of a domain, join the domain here, according to [DR.1].
6
7
Go to the “Remote” tab and select <Allow connections from computers running any version of Remote Desktop (less secure)>.
This option switches Network Level Authentication (NLA) off: the RDP listener then accepts unauthenticated connections up to the Windows logon screen, which exposes the RDP stack itself to anyone who can reach TCP 3389. It is only needed when older clients that cannot do NLA have to connect; if all clients support NLA, keep the NLA-only option.
After pressing OK you will be prompted that the changes will only take effect after rebooting.
If you press <OK> on this popup, you will still get the chance to delay the reboot of the system.
8
Click <Restart Later>.
9
Disable Windows Update
Open Windows PowerShell ISE.
10
Copy the following code:
Write-Host "Disabling Windows Update" -ForegroundColor Cyan
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path -Path $wu)) { New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows' -Name WindowsUpdate | Out-Null }
if (-not (Test-Path -Path "$wu\AU")) { New-Item -Path $wu -Name AU | Out-Null }
# NoAutoUpdate = 1 is the policy "Configure Automatic Updates: Disabled"; -Force overwrites an existing value
New-ItemProperty -Path "$wu\AU" -Name NoAutoUpdate -Value 1 -PropertyType DWord -Force | Out-Null
# Read the value back; expected output is 1
(Get-ItemProperty -Path "$wu\AU").NoAutoUpdate
Press F5 to run the script.
With automatic updates disabled the server receives no security patches on its own; patching has to be scheduled through another channel (WSUS or offline packages) as agreed in [DR.1].
11
More than 2 NICs (refer to [DR.1]):
1. Set a security policy so that Windows does not reset the RMC NIC to a Public profile on rebooting the system or changing the IP address. To make the Private profile setting persistent, do the following:
2. If you have more than two NICs, make sure all connected NICs are configured with an IP address.
3. On the Windows Start menu, click Run.
12
Windows key + R: enter and run this command: SECPOL.MSC. The Local Security Settings menu appears.
13
Select Network List Manager Policies in the menu tree.
14
Select Unidentified Networks from the network names displayed.
15
Right-click, select Properties, and then change the Location type from Not configured to Private.
Note that this applies to every network Windows cannot identify, not only the RMC link: any unknown network the server is later connected to is also treated as Private, with the Private firewall profile and discovery behaviour.
To turn off UAC:
1. Click <Start>, and then click <Control Panel>.
2. In Control Panel, click <User Accounts>.
3. In the User Accounts tasks window, click <Change User Account Control settings>.
4. Move the slider down (the lowest position is Never notify).
16
Check Regional Settings
17
Select the right <Location>, <Keyboard> layout and <Regional Format>.
Disable DEP and PAE
Make sure you start the command prompt with “Run as administrator”.
ENABLE/DISABLE DEP:
The way to turn off DEP in Windows 2016 is to issue this command:
bcdedit.exe /set {current} nx AlwaysOff
...and reboot.
Switching DEP off removes the no-execute mitigation for every process on the server. If only one legacy component fails with DEP on, the better option is to leave nx at OptOut and exempt that executable (System Properties > Advanced > Performance Settings > Data Execution Prevention).
To verify the status of DEP, enter the following command in the command prompt:
wmic OS Get DataExecutionPrevention_SupportPolicy
The number which is displayed gives the status of DEP on your machine:
0: AlwaysOff, DEP is disabled for all processes
1: AlwaysOn, DEP is enabled for all processes and cannot be switched off per application
2: OptIn, DEP is enabled only for Windows system components and services (default on client editions of Windows)
3: OptOut, DEP is enabled for all processes except those explicitly exempted (default on Windows Server)
ENABLE/DISABLE PAE:
The way to turn off PAE in Windows 2016 is to issue this command:
bcdedit.exe /set {current} pae ForceDisable
...and reboot.
The pae setting only applies to 32-bit (x86) kernels. Windows Server 2016 is 64-bit only, so the command is accepted but has no effect there.
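The following PowerShell is an added example, not part of the INDEFF procedure: it reads back the DEP policy code from step 17 together with its meaning, and the nx/pae elements of the {current} boot entry as written by bcdedit, so the state can be checked before and after the reboot. It changes nothing and only needs an elevated prompt for bcdedit.

```powershell
# Added example (not from the INDEFF guide): report DEP policy and boot-entry
# nx/pae values. Run from an elevated PowerShell prompt; read-only.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        Code        = $code
        Policy      = $names[$code]
        # hardware NX/XD present and enabled in firmware; without it DEP is software-only
        HardwareDep = [bool]$os.DataExecutionPrevention_Available
    }
}

function Get-BcdValue {
    # Value of a {current} boot-entry element (e.g. 'nx', 'pae'); $null when the
    # element is not set explicitly and the Windows default applies.
    param([Parameter(Mandatory)][string]$Element)
    # {current} must be quoted in PowerShell, otherwise it parses as a script block
    $line = bcdedit.exe /enum '{current}' |
            Where-Object { $_ -match "^\s*$Element\s+\S" } |
            Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -replace "^\s*$Element\s+", '').Trim()
}

Get-DepPolicy
[pscustomobject]@{ nx = Get-BcdValue -Element nx; pae = Get-BcdValue -Element pae }
```

After the bcdedit command and reboot, Get-DepPolicy should report Code 0 / AlwaysOff; if it still shows 3 / OptOut the change was made to a different boot entry or the reboot has not happened yet.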
18
DCOM Settings
1. Run dcomcnfg.exe from Start/Run (Windows key + R). This is the editor you use to make local changes to the DCOM security levels on the computer.
2. Expand the branches as follows: Component Services/Computers/My Computer.
3. Right-click My Computer, then click Properties. Click the COM Security tab.
Under each Security grouping, ensure that the security settings are set similar to those described below. These are the minimum settings needed.
Launch and Activation Permissions: Add EVERYONE & ANONYMOUS LOGON – Allow Local Launch, Remote Launch, Local Activation, Remote Activation
Access Permissions: Add EVERYONE & ANONYMOUS LOGON – Allow local and remote access
Ensure the Enable Distributed COM on this computer option is checked.
These are the machine-wide limits (stored as MachineLaunchRestriction and MachineAccessRestriction under HKLM\SOFTWARE\Microsoft\Ole). Granting remote launch and activation to ANONYMOUS LOGON means any host that can reach TCP 135 and the dynamic RPC ports can activate DCOM servers on this machine without credentials; the per-application permissions still apply on top, but the machine-wide gate no longer stops unauthenticated callers. This is only acceptable on the isolated PLC/RMC segments the rest of this procedure assumes, and it is one of the reasons the network design in [DR.1] has to be followed.
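The DCOM limits above end up as binary security descriptors in the registry. The script below is an added audit example, not part of the INDEFF guide or of dcomcnfg: it decodes MachineLaunchRestriction and MachineAccessRestriction and flags every ACE that grants Everyone or ANONYMOUS LOGON remote rights, so the result of the dcomcnfg work can be verified now and re-checked after a Group Policy refresh. The COM right bit values are the ones from objbase.h.

```powershell
# Added audit script; not part of the INDEFF guide or of dcomcnfg.
# Decodes the machine-wide DCOM limits written by the COM Security tab and
# flags remote rights granted to Everyone / ANONYMOUS LOGON. Run elevated.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM access-right bits (objbase.h). Launch/Activation ACLs use all five,
# Access ACLs only the first three.
$ComRights = [ordered]@{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}
$RemoteMask   = $ComRights.ExecuteRemote -bor $ComRights.ActivateRemote
$WideOpenSids = @('S-1-1-0', 'S-1-5-7')   # Everyone, ANONYMOUS LOGON

function Get-DcomRestriction {
    param([ValidateSet('MachineLaunchRestriction', 'MachineAccessRestriction')]
          [string]$Name)
    # REG_BINARY self-relative security descriptor; absent means OS defaults apply
    $bytes = (Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { Write-Warning "$Name not set, Windows defaults apply"; return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }
        $granted = foreach ($r in $ComRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Setting = $Name
            AceType = $ace.AceType          # AccessAllowed / AccessDenied
            Account = $account
            Sid     = $sid.Value
            Rights  = ($granted -join ',')
            Remote  = [bool]($ace.AccessMask -band $RemoteMask)
        }
    }
}

"Enable Distributed COM on this computer: $((Get-ItemProperty -Path $OleKey).EnableDCOM)"   # Y / N

$aces = foreach ($n in 'MachineLaunchRestriction', 'MachineAccessRestriction') { Get-DcomRestriction -Name $n }
$aces | Format-Table Setting, AceType, Account, Rights, Remote -AutoSize

# Anything listed here is reachable without credentials from every network the
# server is connected to, which is what makes the PLC/RMC isolation load-bearing.
$aces | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Remote -and $_.Sid -in $WideOpenSids } |
    ForEach-Object { Write-Warning "$($_.Setting): $($_.Account) has remote rights ($($_.Rights))" }
```

After the dcomcnfg changes the two warnings for Everyone and ANONYMOUS LOGON are expected; on any server that does not need them, their absence is the state to aim for.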
19
Archestra Logviewer
Import the following registry file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC]
"RestrictRemoteClients"=dword:00000000
RestrictRemoteClients is the registry form of the policy “Restrictions for Unauthenticated RPC clients”; 0 corresponds to None, so the RPC runtime accepts anonymous (unauthenticated) calls from remote hosts, which the Logviewer needs for remote log access. The Windows default is 1 (Authenticated). Like the DCOM settings above, this relies on the network segments being isolated.
20
Network card order, according to [DR.1]
For every connection change the Interface metric:
Server network first            = 10
Office network (if available)   = 20
PLC network second              = 30
RMC last                        = 40
With the following PowerShell instruction you can check the order:
Get-NetIPInterface -AddressFamily IPv4
21
Disable DNS for the “PLC” and “RMC” network cards.
22
Disable all unused protocols (also IPv6) on the correct NICs.
Example: only enable the Siemens protocols on the PLC network card.
23
Check NetBIOS setting
Check that NetBIOS is enabled on all cards with a static IP address.
24
Enable File & Printer Sharing on the RMC channel.
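Steps 20 to 24 as one PowerShell script, added here as an example and not part of the INDEFF procedure. The interface aliases Server, Office, PLC and RMC are assumptions (rename the adapters with Rename-NetAdapter to match, or edit the table). “Disable DNS” is read as removing the DNS servers and the dynamic DNS registration on PLC and RMC, and the Siemens-only example of step 22 is implemented by unbinding the Microsoft client, server and link-layer discovery components from the PLC NIC; adjust that list to what [DR.1] requires.

```powershell
# Added example (not from the INDEFF guide): steps 20-24 in PowerShell.
# Interface aliases are assumed; check them with Get-NetAdapter first.
$Metrics = [ordered]@{ 'Server' = 10; 'Office' = 20; 'PLC' = 30; 'RMC' = 40 }

foreach ($alias in $Metrics.Keys) {
    if (-not (Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue)) {
        Write-Warning "NIC '$alias' not present, skipping"; continue
    }
    # Step 20: fixed interface metric instead of the automatic one
    Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 `
        -AutomaticMetric Disabled -InterfaceMetric $Metrics[$alias]
    # Step 22: IPv6 off on every NIC
    Disable-NetAdapterBinding -Name $alias -ComponentID ms_tcpip6
}

foreach ($alias in 'PLC', 'RMC') {
    if (-not (Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue)) { continue }
    # Step 21: no DNS servers and no dynamic DNS registration on PLC/RMC
    Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses
    Set-DnsClient -InterfaceAlias $alias -RegisterThisConnectionsAddress $false
}

# Step 22 example: PLC link carries only the Siemens protocols, so drop the
# Microsoft client/server and link-layer discovery bindings there
if (Get-NetAdapter -Name 'PLC' -ErrorAction SilentlyContinue) {
    Disable-NetAdapterBinding -Name 'PLC' -ComponentID ms_msclient, ms_server, ms_lltdio, ms_rspndr
}

# Step 24: File & Printer Sharing (the ms_server binding) on the RMC NIC
if (Get-NetAdapter -Name 'RMC' -ErrorAction SilentlyContinue) {
    Enable-NetAdapterBinding -Name 'RMC' -ComponentID ms_server
}

# Step 23: NetBIOS over TCP/IP on every NIC with a static IPv4 address
# TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { -not $_.DHCPEnabled } |
    ForEach-Object {
        $null = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = 1 }
    }

# Verify the resulting order: the lowest metric wins for equal-length routes
Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, Dhcp, ConnectionState -AutoSize
```

The final table should list Server, Office, PLC and RMC in that order with metrics 10, 20, 30 and 40; an adapter still showing Dhcp = Enabled has no static address and is outside the NetBIOS step by design.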
25
Disable Fast User Switching
PREVIOUS SETTINGS: Hide entry points = ‘Not Configured’
1. Click Start, then Run, enter gpedit.msc in the text box and press Enter.
2. Go to the following location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon.
3. Set Hide entry points for Fast User Switching to Enabled.
4. Exit the Group Policy Editor.
By enabling the policy, administrators hide the Switch User button in the Windows logon, in the Start menu, and in the Task Manager.
26
Add Wonderware Information Server to the list of trusted sites or to the local intranet zone
1. In Internet Explorer click <Tools, Internet Options, Security>.
2. Select Local intranet and click <Sites>….
3. Enter the name of the Wonderware Information Server (bemsmsf043) site to add and click <Add>.
27
Adjust the Internet Explorer settings related to ActiveX controls and plug-ins
1. In Internet Explorer click on Tools, Internet Options, Security tab.
2. Select Local intranet and select <Custom Level>. The Security Settings dialog box appears.
3. Scroll down to the ActiveX controls and plug-ins section.
4. Set the security level for the listed items as follows:

Setting                                           | Level         | Why
Automatic prompting for ActiveX controls          | Enable        | Required to initiate download of Process Graphics client-side components
Binary and script behaviors                       | Enable        |
Download signed ActiveX controls                  | Prompt/Enable | Required to download the process graphics, chart control etc.
Download unsigned ActiveX controls                | Prompt/Enable | Required to support ActiveX controls packaged by Win-XML Exporter during publishing
Run ActiveX controls and plug-ins                 | Enable        |
Script ActiveX controls marked safe for scripting | Enable        |

These levels apply to the Local intranet zone only, so keep that zone limited to the Wonderware Information Server added in step 26. “Download unsigned ActiveX controls” set to Enable lets any site in the zone install unsigned native code without a question; where both listed values work, Prompt is the one to use.
28
Disable Check for server certificate revocation / publisher’s certificate revocation
1. From the main menu select Tools > Internet Options.
2. Click the Advanced tab and scroll down to the Security section.
3. Uncheck the Check for publisher’s certificate revocation option and the Check for server certificate revocation option and click <OK>.
With both checks off, Internet Explorer no longer consults CRL/OCSP, so a revoked server or code-signing certificate is accepted without warning. This is only needed when the server cannot reach the certificate authority’s revocation endpoints (typical on an isolated network), which is the situation this guide assumes.
29
Reboot the server
30
Type regedit
Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
– Create the DWORD LocalAccountTokenFilterPolicy and set it to 1
– Set EnableLUA to 0
LocalAccountTokenFilterPolicy=1 removes the UAC token filtering for remote connections made with local administrator accounts, which is what remote DCOM and administrative shares with local accounts need; it also means that a captured local administrator password or hash gives full remote administration over SMB/WMI, so those accounts need strong, unique passwords even where step 32 relaxes the policy for other accounts. EnableLUA=0 turns UAC off completely (the slider in step 15 only sets the prompt level) and takes effect after the reboot.
31
Reboot the server
Set Windows Firewall OFF but keep the service running! Otherwise some items will not work!
Do this per profile (Windows Firewall with Advanced Security > Windows Firewall Properties > Firewall state: Off for Domain, Private and Public), not by stopping or disabling the Windows Firewall (MpsSvc) service: running without the service is unsupported by Microsoft and is what breaks network location awareness and the remote components this procedure sets up.
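Steps 30 and 31 in PowerShell, added as an example and not part of the INDEFF procedure. The point of the script is the check at the end: the three firewall profiles are disabled while the Windows Firewall service itself stays running, which is exactly what the warning in step 31 asks for. Run it from an elevated prompt; the EnableLUA change still needs the reboot.

```powershell
# Added example (not from the INDEFF guide): registry values of step 30 and the
# per-profile firewall shutdown of step 31, with a read-back check. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Remote connections with local (non-domain) administrator accounts get a full
# token instead of a filtered one; needed for remote DCOM/admin shares here
Set-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
# UAC off completely; takes effect after the reboot in step 31
Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 0 -Type DWord

# Firewall OFF on every profile. The service (MpsSvc) is deliberately left alone.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False

function Test-FirewallState {
    # Expected after step 31: ServiceRunning True, ServiceStartup Automatic,
    # ProfilesEnabled empty (all three profiles off)
    $svc      = Get-Service -Name MpsSvc
    $profiles = Get-NetFirewallProfile
    [pscustomobject]@{
        ServiceRunning  = ($svc.Status -eq 'Running')
        ServiceStartup  = $svc.StartType
        ProfilesEnabled = (($profiles | Where-Object { $_.Enabled -eq 'True' }).Name -join ',')
        TokenFilterOff  = ((Get-ItemProperty -Path $PolicyKey).LocalAccountTokenFilterPolicy -eq 1)
        UacOff          = ((Get-ItemProperty -Path $PolicyKey).EnableLUA -eq 0)
    }
}
Test-FirewallState
```

If ServiceRunning comes back False, someone has stopped or disabled MpsSvc; set it back to Automatic and start it rather than leaving it off.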
32
Disable complex passwords (for certain clients), according to [DR.1]
Run gpedit.msc and go to:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Change the following policies:
Password must meet complexity requirements: DISABLED
Minimum password length: 1 character
This policy applies to every local account on the server, not only to the client accounts it is meant for. Together with the firewall being off and RDP accepting connections without NLA, a one-character password on an administrator account is trivially guessed, so keep the administrator and service accounts on long, unique passwords regardless of this setting.
33
Create Remote Desktop Connections to all servers.
Click Start and select Remote Desktop Connection.
Fill in on the tabs:
 General: IP address / credentials / save credentials
 Display: Full screen / mark “Use all my monitors…” if you have multiple screens / mark “Display the connection bar”
 Local resources: unmark printers / More > select all drives
 Experience: select LAN
 Save them to D:\INDEFF\INSTALL\RDP
Create a shortcut to this folder and place it on the desktop.
Saved credentials are stored reversibly in Credential Manager of the Windows account that saved them, and redirecting all drives exposes every local disk to the remote server for the length of the session; both are convenient for engineering stations and should be limited to accounts that need them.
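Generating the .rdp files of step 33 from a server list instead of filling in the dialog per host, added here as an example and not part of the INDEFF procedure. The host list is constructed for the example; the target folder is the one the text names. Saved credentials go through cmdkey, which is the same Credential Manager store mstsc uses for “save credentials”, and the .rdp keys are the ones mstsc writes for the options listed above.

```powershell
# Added example (not from the INDEFF guide): build the RDP files of step 33.
# $Servers is a constructed sample list; replace it with the hosts from [DR.1].
$RdpDir  = 'D:\INDEFF\INSTALL\RDP'
$Servers = @(
    @{ Name = 'APPSERVER01'; Address = '10.0.0.11'; User = 'INDEFF\admin' }
    @{ Name = 'HISTORIAN01'; Address = '10.0.0.12'; User = 'INDEFF\admin' }
)

function New-RdpFile {
    param([string]$Path, [string]$Address, [string]$User)
    # Keys as mstsc writes them: i = integer, s = string
    $lines = @(
        "full address:s:$Address"
        "username:s:$User"
        'screen mode id:i:2'          # Display: full screen
        'use multimon:i:1'            # Display: use all my monitors
        'displayconnectionbar:i:1'    # Display: display the connection bar
        'redirectprinters:i:0'        # Local resources: printers unmarked
        'drivestoredirect:s:*'        # Local resources: More > all drives
        'connection type:i:6'         # Experience: LAN (10 Mbps or higher)
        'networkautodetect:i:0'
        'prompt for credentials:i:0'  # use the saved credentials
        'authentication level:i:2'    # warn when the server certificate cannot be verified
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

New-Item -ItemType Directory -Path $RdpDir -Force | Out-Null
foreach ($s in $Servers) {
    New-RdpFile -Path (Join-Path $RdpDir "$($s.Name).rdp") -Address $s.Address -User $s.User
    # "save credentials": ask once, store under TERMSRV/<host> like mstsc does
    $cred = Get-Credential -UserName $s.User -Message "Password for $($s.Address)"
    cmdkey.exe /generic:"TERMSRV/$($s.Address)" /user:"$($cred.UserName)" `
               /pass:"$($cred.GetNetworkCredential().Password)" | Out-Null
}

# Desktop shortcut to the folder
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut((Join-Path ([Environment]::GetFolderPath('Desktop')) 'RDP.lnk'))
$lnk.TargetPath = $RdpDir
$lnk.Save()
```

cmdkey /list shows the stored TERMSRV entries; cmdkey /delete:TERMSRV/<host> removes one when a server is decommissioned or a password changes.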
The next part applies only to the Terminal Server VM. After configuring the TS you need to apply the settings below.
1
Press the Windows key + X to open the Quick Access menu. Click on Command Prompt (Admin).
2
Open the Local Group Policy Editor (gpedit.msc) and go to:
3
- Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
- In the right panel, double-click the “Set time limit for active but idle Remote Desktop Services sessions” policy.
4
Change it to Enabled, then set the desired amount of time in the drop-down list right below. Click Apply and then OK. Reboot your computer to put the policy into effect.
5
-When any RDP user is idle for the group policy specified amount of time, they will receive the
following warning:
“Session has been idle over its time limit. It will be disconnected in 2 minutes. Press any key now to
continue session.”
-You have the chance to click OK to extend the session. Otherwise, the idle session will log off
automatically two minutes later.
6
Type Regedit.exe and click OK.
7
Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System” and change EnableCPUQuota from 1 to 0.
8
Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSFairShare\Disk” and change EnableFairShare from 1 to 0.
9
Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSFairShare\NetFS” and change EnableFairShare from 1 to 0.
Steps 7 to 9 switch off the Remote Desktop Services fair-share scheduling for CPU, disk and network. Without it a single session can consume the host's resources; on a shared terminal server that is a denial-of-service risk between users, which is why it is limited to the TS VM.
Procedure Completed
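The Terminal Server settings of steps 3 to 9 as one script, added as an example and not part of the INDEFF guide. The idle limit is written to the registry value behind the “Set time limit for active but idle Remote Desktop Services sessions” policy; 30 minutes is an assumed value, the text leaves the duration to the reader. Run elevated and reboot afterwards, as the procedure says.

```powershell
# Added example (not from the INDEFF guide): TS idle limit (step 3-4) and the
# fair-share switches (steps 7-9), with a read-back so the reboot is done with
# known values. $IdleMinutes is an assumption.
$IdleMinutes = 30

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
# MaxIdleTime is in milliseconds; 0 would mean "never"
Set-ItemProperty -Path $policy -Name MaxIdleTime -Value ($IdleMinutes * 60 * 1000) -Type DWord

# Steps 7-9: RDS fair-share resource schedulers off
$fairShare = [ordered]@{
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System' = 'EnableCPUQuota'
    'HKLM:\SYSTEM\CurrentControlSet\Services\TSFairShare\Disk'            = 'EnableFairShare'
    'HKLM:\SYSTEM\CurrentControlSet\Services\TSFairShare\NetFS'           = 'EnableFairShare'
}
foreach ($key in $fairShare.Keys) {
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name $fairShare[$key] -Value 0 -Type DWord
    } else {
        Write-Warning "$key not found; is the Remote Desktop Session Host role installed?"
    }
}

function Get-TsTuning {
    # Current values of everything the script touches
    $rows = foreach ($key in $fairShare.Keys) {
        $name = $fairShare[$key]
        [pscustomobject]@{
            Key   = $key
            Name  = $name
            Value = if (Test-Path $key) { (Get-ItemProperty -Path $key).$name } else { $null }
        }
    }
    $rows += [pscustomobject]@{
        Key   = $policy
        Name  = 'MaxIdleTime'
        Value = (Get-ItemProperty -Path $policy).MaxIdleTime
    }
    $rows
}
Get-TsTuning | Format-Table -AutoSize
```

Expected output after the script: the three fair-share values at 0 and MaxIdleTime at 1800000 for the assumed 30 minutes; the idle warning described in step 5 then appears two minutes before that limit is reached.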