Securely Installing an OS
Regardless of the operating system being installed, an important policy for
creating a secure platform is to install the OS, secure it, apply the major
security patches, and install and configure anti-virus software, anti-spyware
software, and a host-based firewall BEFORE ever connecting it to the network.
I've heard it said, and seen in practice any number of times, that a new system
will be scanned for vulnerabilities within 10 minutes of its being placed on
the Internet.
One way to do this is to download all the needed security patches to a trusted
host and then burn them onto a CD. Another way is to place the needed
software on a trusted system accessible on a private intranet. Regardless,
up-front planning is required to ensure the work can be accomplished without
requiring that the system be placed on the Internet before it's ready. In a few
cases I've found this process has become complicated or impossible if certain
security software requires registration of the software via the Internet
during installation. Other than staying clear of that software or buying
versions that don't require such registration (e.g. site-licensed versions),
I haven't found a way around this. In some cases it's also becoming
increasingly difficult to find the needed security patches for an OS without
using the vendor's "update" processes, so plan on extra time to do the
searching.
The following steps should be followed to complete a secure installation of
an OS:
- Install the OS while disconnected from the Internet, using a CD or
installing from a private network
- Provide a secure administrative password for the system. See
the CITES Password page for the requirements of a secure password.
- Disable unnecessary services. Particularly vulnerable services
include mail servers, ftp servers, file/print servers (in particular
the RPC service), web servers, and SNMP servers.
- Configure the event logs - enable auditing
- Configure local security policy
- On Windows NT-based OSes, change the RestrictAnonymous registry key to
1 or 2 ("Additional restrictions for anonymous connections" in W2K) - THIS IS
ONE OF THE MOST IMPORTANT THINGS TO DO BEFORE CONNECTING TO
THE NET - it limits null session access to your system.
- Limit who can access the computer from the network
- Limit who can log in locally
- On WinNT-based systems, rename the administrator account and remove
its description (log out & back in after doing this)
- Disable the guest account, rename it, and remove its
description
- Create normal user accounts and use them instead of the admin
account whenever possible.
- On WinNT-based systems, change all partitions to NTFS, if it hasn't been
done already, and change the permissions on the NTFS partitions such
that they do not include "Everyone" (at a minimum). When
changing permissions, you should add the local System and
Service accounts to the local administrative groups to ensure
that your services can start at boot time.
- Install the major security patches for the OS
- On Windows Systems, install, update, and configure anti-virus
software
- On Windows Systems, install, update, and configure anti-spyware
software
- Install and configure host-based firewall if one doesn't come with
the Operating System
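The following is an added example, not part of the original page: a read-only PowerShell audit that checks several of the checklist items above on a current Windows build before the machine is networked. It assumes an elevated Windows PowerShell 5.1+ session with the LocalAccounts, Storage and NetSecurity modules available; the service names used for the page's "particularly vulnerable" categories are assumptions.

```powershell
# Added example, not from the original page: a read-only audit of several
# checklist items, run from an elevated PowerShell 5.1+ session on a current
# Windows build (uses the LocalAccounts, Storage and NetSecurity modules).
$results = [ordered]@{}

# RestrictAnonymous must be 1 or 2 to limit null-session access.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results['RestrictAnonymous is 1 or 2'] = ($lsa.RestrictAnonymous -in 1, 2)

# Built-in accounts are found by well-known RID, not by name, since the
# checklist renames them: 500 = Administrator, 501 = Guest.
$admin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
$results['Administrator renamed, no description'] =
    ($null -ne $admin -and $admin.Name -ne 'Administrator' -and
     [string]::IsNullOrEmpty($admin.Description))
$results['Guest disabled, no description'] =
    ($null -ne $guest -and -not $guest.Enabled -and
     [string]::IsNullOrEmpty($guest.Description))

# Service names (assumed) for the categories the page calls out: mail, FTP,
# web, SNMP, file/print. Flag any that are running or start automatically.
$risky = 'SMTPSVC', 'MSFTPSVC', 'W3SVC', 'SNMP', 'LanmanServer', 'Spooler'
$exposed = @(Get-Service -Name $risky -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' -or $_.StartType -eq 'Automatic' })
$results['Listed services stopped and not automatic'] = ($exposed.Count -eq 0)

# Every fixed volume NTFS, and no "Everyone" entry in any volume-root ACL.
$volumes = @(Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter })
$results['All fixed volumes NTFS'] =
    @($volumes | Where-Object { $_.FileSystem -ne 'NTFS' }).Count -eq 0
$everyone = @($volumes | ForEach-Object {
    (Get-Acl -Path "$($_.DriveLetter):\").Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } })
$results['No Everyone ACE on volume roots'] = ($everyone.Count -eq 0)

# Host firewall on for every profile; some audit policy actually enabled.
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$results['Firewall enabled on all profiles'] = ($off.Count -eq 0)
$audit = auditpol /get /category:* 2>$null
$results['Some auditing enabled'] =
    @($audit | Where-Object { $_ -match 'Success|Failure' }).Count -gt 0

$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The script changes nothing; each FAIL line points at a checklist item still to be done before the system goes on the network.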
At this point, you should be relatively safe putting your newly installed
system on the Internet. Whenever a system is connected to the Internet,
there are several things you should do on a regular basis, including right
after connecting the first time:
- Use the OS's update mechanism to look for and install any new
patches and bug fixes. Configure this to happen automatically and
regularly.
- Use the anti-virus' update feature to look for and install any new
updates. This should really be done prior to checking email every day,
and preferably is done automatically by the anti-virus software itself.
- Use the anti-spyware's update feature to look for and install any new
updates.
- Keep good backups. In the worst case, you can always reinstall software
and then restore data files.
Created 3/27/03 by Martin Wolske. Last updated 2/2/05 (mbw).