

Best practices for installing and upgrading the operating system

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Prepare the server before upgrading or installing.

Confirm server settings after running Setup.

  • Check Event Viewer. Check Event Viewer for messages associated with the installation or startup process. For more information, see Event Viewer.

  • Set Event Viewer log size and wrap setting. Define your event log size and wrap (overwrite) setting to match your business and security requirements. For information, see Set event logging options.

  • Check server optimization. Adjust the server optimization setting to match the role the computer will play in your organization. For information about how to access server optimization settings, see To configure memory-related settings on your computer.

  • Verify settings such as IP, DNS, WINS, and default gateway settings. Use the administrative tools described in Network Services to configure and verify your settings. You can also open a command prompt, type ipconfig /all and verify the displayed settings.

  • View the full computer name. Open a command prompt and type net config rdr to view the full computer name. Compare the results against the Active Directory name to confirm that they match or vary as intended.

  • Validate server cluster settings. Follow the steps in Checklist: Validating your clustering system to confirm the basic configuration settings for your cluster storage.

  • Specify options for paging files and memory dumps. Set the paging file size and placement based on memory size and server usage. For information about how to do this, see Change virtual memory settings. Also, set the options for the operating system to use if the system stops unexpectedly (for example, the options for memory dumps). For more information, see Specify what happens when the system stops unexpectedly.

  • Configure for remote administration. Identify the remote administration methods you plan to use, and configure them as necessary. For more information, see Remote Administration.

Confirm server security settings after running Setup.

  • Review startup settings for services. Open Computer Management. In the Services folder under Services and Applications, change the Startup Type of services so that services necessary for your server, and only those services, start automatically. Also, confirm that all services that are set to start automatically can start without user intervention or multiple retries. For a list of topics about services, see Services Snap-in. For specific information about services that start by default after Setup (which are different than in Windows 2000), see Default settings for services.

  • Review Internet Explorer security settings. In the Windows Server 2003 family of operating systems, the Internet Explorer Enhanced Security Configuration is enabled by default. The security settings in this configuration can help make your computer more secure by limiting its exposure to malicious Web sites. With this enhanced level of security, you might find that some Web sites do not display correctly in Internet Explorer when you are browsing Internet and intranet Web sites. Also, you might be prompted to enter your credentials when accessing network resources, such as files in Universal Naming Convention (UNC) shared folders. You can easily change the enhanced security settings. For more information, see Internet Explorer Enhanced Security Configuration overview.

  • Review open network ports. To help protect servers against attacks, close ports that are not necessary for the system to function properly. You can review ports with the netstat command. It is useful to also use an external port scanner and compare the results with the netstat results. Be sure to notify other system administrators or affected operations staff before running the port scanner, in case it affects system behavior or sets off your existing triggers for detecting intrusion. For more information about netstat and how you can determine which process is associated with each open port, see Netstat. For more information, also see port number assignments at the Internet Assigned Numbers Authority (IANA) Web site.

  • Rename or disable the Administrator account; set up or review permissions and accounts that are relevant for this server. Rename or disable the Administrator account created during Setup (it cannot be deleted). Set up the appropriate accounts and permissions for configuring, backing up, operating, and using this server. For both users and administrators, limit access to the minimum access that is necessary; for example, for someone who only performs backups, use the Backup Operators group. Also, set up policies to ensure that users maintain strong passwords. For more information, see:

  • Understand the security implications that apply to your server. The questions to ask about security vary with the intended server use. For example, for a file server, who needs access to a given file or directory, what type of access is needed, and what are the possible consequences of unauthorized access? For a Web server, what Web applications do you want to use, what risks are inherent in those applications, and what settings will help mitigate the risks? For more information, see the links in the following table:

    Type of server: Suggested security topics

    Any server: See Best practices for security and topics for the technologies you use in Best practices: pointers to recommendations and tips.

    File server: If you are using Shared Folders, see Best practices for Shared Folders. If you are using Active Directory, see Security overview.

    Multimedia server: See security sections in the documentation for Windows Media Services, which is available when you install Windows Media Services. For more information, see Using Windows Media Services.

    Print server: See Best practices for printing.

    Terminal server: See Best practices for Terminal Server.

    Web server: See the Security section of the server Administration Guide for Internet Information Services (IIS); this documentation is available when you install IIS.

  • Configure auditing settings, set up system protections, and install a virus scanner. Review and implement auditing settings, including those for security events, so that you can track all changes to the system and protect against unwanted changes to software. For more information, see:

  • Ensure that an appropriate firewall is in place. A firewall is a security system that acts as a protective boundary between a network and the outside world. For information about the firewall functionality that is available in Windows Server 2003 operating systems, see Help: Windows Firewall.

  • Consider using the Security Configuration Wizard. The Security Configuration Wizard reduces the attack surface of servers that are running Windows Server 2003 with Service Pack 1 (SP1). The wizard asks the user a series of questions designed to determine the functional requirements of the server. Any functionality that is not required by the roles being performed by the server is then disabled. In addition to being a fundamental security best practice, reducing the attack surface increases the diversity of your Windows landscape, and reduces the number of systems that need to be immediately updated if a security issue arises. For more information, see Windows Server 2003 TechCenter.
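
The port review described under "Review open network ports" above, as an added example that is not part of the original page: a Python script that parses `netstat -ano` output, flags listening ports that are not on an approved list, and compares the result with what an external scanner reported. The sample output, the approved list, the scan result and all function names are constructed for illustration.

```python
import re

# Constructed inputs (not from a real server): netstat -ano output,
# the ports this server's role requires, and an external scan result.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1340
  TCP    192.0.2.10:3389        192.0.2.50:4312        ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.0.2.10:123         *:*                                    880
"""
APPROVED = {("TCP", 80), ("TCP", 3389), ("UDP", 123), ("TCP", 25)}
EXTERNAL_SCAN = {("TCP", 80), ("TCP", 445), ("TCP", 8080)}
LOOPBACK = {"127.0.0.1", "[::1]"}
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_listeners(text):
    """Return {(proto, port): {"addrs": set, "pids": set}} for open ports."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state, pid = m.groups()
        # TCP rows count only when LISTENING; UDP rows have no State column.
        if proto == "TCP" and state != "LISTENING":
            continue
        entry = found.setdefault((proto, int(port)), {"addrs": set(), "pids": set()})
        entry["addrs"].add(addr)
        entry["pids"].add(int(pid))
    return found

def review(listeners, approved, external):
    """Compare netstat listeners with the approved list and an external scan."""
    reachable = {k for k, v in listeners.items() if not v["addrs"] <= LOOPBACK}
    return {
        "close_or_justify": sorted(reachable - approved),
        "approved_but_not_listening": sorted(approved - set(listeners)),
        "not_seen_by_scanner": sorted(reachable - external),
        "scanner_only": sorted(external - set(listeners)),
    }

if __name__ == "__main__":
    print(review(parse_listeners(SAMPLE_NETSTAT), APPROVED, EXTERNAL_SCAN))
```

Entries under `scanner_only` deserve the closest look: a port that answers from outside but does not appear in the local netstat listing may belong to another device on the path or be hidden from the local tools.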

Begin routine operations such as backups.

  • Analyze the hard disk for fragmentation. After you run Setup and install programs, analyze the hard disk to see if it needs to be defragmented. For more information, see Analyze a volume.

  • Perform backups and install the Recovery Console. Perform backups, install the Recovery Console so that it is readily available whenever you start the computer, and practice or simulate recovery operations (at times when demand on the server is low). For more information, see:

Familiarize yourself with available information.