Now that you have installed MetaFrame and all of its components, we are ready to configure MetaFrame and Windows 2000 for optimum performance. The following procedures are just a starting point; you might need to add or remove some of them. For a detailed list, please check out Rick Dehlinger's MetaFrame Installation & Tuning Tips document and Rick's new tuning tips web site: http://www.tweakcitrix.com. It is the bible of MetaFrame tips and tricks.

Note: The registry entries listed below have been scripted into .REG files for your convenience. If you received this document independently of the other material (doc templates, REG file zip), you will need to download the latest version of this document and all the registry files discussed below from http://www.dabcc.com/projectinabox. In addition, most of the changes below are also configurable via the MIAB.ADM file, as documented in the "How to deploy MIAB.ADM" section later in this document.

1. Remove / disable the RDP-TCP connection in the Citrix Connection Configuration utility.
   Start > Programs > Citrix MetaFrame XP > Citrix Connection Configuration; highlight rdp-tcp and press the Delete key.

2. Remove the EVERYONE and GUEST accounts from the ICA-TCP connection in the Citrix Connection Configuration utility, for security reasons.
   Start > Programs > Citrix MetaFrame XP > Citrix Connection Configuration > Security > Permissions.

3. Enable auditing in Local Security Policy.
   Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy folder; select the Success/Failure events you want to audit:
   o Account Logon Events: Success and Failure
   o Audit Logon Events: Success and Failure
   o Audit System Events: Failure

4. Enable ICA keep-alives.
   [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Citrix]
   "IcaEnableKeepAlive"=dword:00000001
   "IcaKeepAliveInterval"=dword:0000003c
   Registry File: Enable ICA Keep Alives.reg

5. Enable TCP keep-alives.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   "KeepAliveTime"=dword:0000ea60
   "KeepAliveInterval"=dword:000003e8
   Registry File: Enable TCP keep alives.reg

6. Clear the name of the last person who logged into the server farm from the username field of the Microsoft client.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   "DontDisplayLastUserName"=dword:00000001
   Registry File: DontDisplayLastUserName.reg

7. Disable client audio mapping.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
   "fDisableCam"=dword:00000001
   Registry File: disable client audio mapping.reg

8. Disable client COM port mapping.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
   "fDisableCcm"=dword:00000001
   Registry File: disable client COM port mapping.reg

9. Disable Dr. Watson.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   "Debugger"=""
   Registry File: Disable Dr Watson.reg

10. Disable paging of the Windows NT Executive.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
   "DisablePagingExecutive"=dword:00000001
   Registry File: disable paging of the Windows NT Executive.reg

11. Disable the roaming profile cache.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "DeleteRoamingCache"=dword:00000001
   Registry File: Disable Roaming Profile Cache.reg

12. Set TcpMaxDataRetransmissions.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   "TcpMaxDataRetransmissions"=dword:0000000a
   Registry File: Increase Performance and Reliability over WAN links and the Internet.reg

13. Disable the NTFS last access time stamp.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
   "NtfsDisableLastAccessUpdate"=dword:00000001
   Registry File: Prevent last access time stamp from being updated on NTFS.reg

14. Enable ErrorMode.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
   "ErrorMode"=dword:00000002
   Registry File: Set ErrorMode.reg

15. Disable the printer beep, to reduce bandwidth and increase performance.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]
   "BeepEnabled"=dword:00000000
   Registry File: Disable Printer Beep.reg

16. Set the Event Log to overwrite entries as needed, with a log size of 2 MB.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
   "MaxSize"=dword:00200000
   "Retention"=dword:00000000
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
   "MaxSize"=dword:00200000
   "Retention"=dword:00000000
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
   "MaxSize"=dword:00200000
   "Retention"=dword:00000000
   Registry File: Set Event Log Parameters.reg

17. Set the user ICA-TCP overrides.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop]
   "AutoEndTasks"="1"
   "MenuShowDelay"="10"
   "CursorBlinkRate"="-1"
   "DragFullWindows"="0"
   "WaitToKillAppTimeout"="20000"
   "SmoothScroll"=dword:00000000
   "Wallpaper"="(none)"
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop\WindowMetrics]
   "MinAnimate"="0"
   Registry File: Set WinStation Overrides.reg

18. Disable print events in the Event Log.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
   "EventLog"=dword:00000000
   Registry File: Disable Logging of Print Events to the System Event Log.reg

19. Disable Spooler errors from being displayed on the server console.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
   "ErrorControl"=dword:00000002
   Registry File: Surpress Spooler Error Messages.reg

20. Disable the print spooler notification dialog from being displayed on the server console.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
   "NetPopup"=dword:00000000
   Registry File: Turn off NetPopup.reg

21. Disable the Alerter service in the Services applet.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
   "Start"=dword:00000004
   Registry File: Disable Alerter Service.reg

22. Set the IgnoreLinkResolver entry to fix the issue of shortcuts resolving to UNC paths.
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "LinkResolveIgnoreLinkInfo"=dword:00000001
   Registry File: Fix shortcuts resolving to UNC paths.reg

23. Remove Outlook Express from the Quick Launch bar and Start Menu.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
   "Stubpath"=""
   Registry File: Remove Outlook Express from the Quick Launch bar.reg

24. Change the name of the My Computer icon to the logged-on user and the machine name.
   [HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
   @="My Computer"
   "InfoTip"="Displays the files and folders on your computer"
   "LocalizedString"=hex(2):25,00,55,00,53,00,45,00,52,00,4e,00,41,00,4d,00,45,00,\
   25,00,20,00,6f,00,6e,00,20,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,\
   00,52,00,4e,00,41,00,4d,00,45,00,25,00,00,00
   Registry File: Change My Computer text.reg

25. Remove the Internet Connection Wizard. By default, the ICW runs for all users the first time they log into a server and get a profile.
   Delete the "^SetupICWDesktop" value from [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce].
   You can also modify the following registry entry. Add or change the key:
   [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]
   "Completed"=dword:00000001
   Registry File: Turn Off Internet Connection Wizard.reg

26. Disable media sensing. By default Windows 2000 detects whether or not you have a cable plugged into the NIC.
   REGEDIT4
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters]
   "DisableDHCPMediaSense"=dword:00000001
   Registry File: Disable Media Sensing.reg

27. Disable the OS/2 and POSIX subsystems. If you have no need for these, disabling them can free up an incremental amount of server resources. Be sure you aren't using any OS/2 or POSIX applications before proceeding, however, since they won't run afterwards. To disable these subsystems, remove the following keys under [HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems]:
   \OS2
   \POSIX

28. Stop extra/unnecessary processes from running in each session. Remove the associated entries from [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]. Examples:
   ICABAR.EXE (MetaFrame administrator toolbar)
   NWTRAY.EXE (NetWare tray application)

29. Set RootDrive manually by running C:\WINNT\Application Compatibility Scripts\CHKROOT.CMD and set it to the drive letter you defined in the Design phase.

30. Fine-tune the Server service.
   Start > Settings > Control Panel > Network and Dial-Up Connections > Local Area Network > Properties > File and Print Sharing for Microsoft Networks > Maximize Throughput for Network Applications.

31. Modify foreground thread timeslices.
   Start > Settings > Control Panel > System > Advanced tab > Performance Options; set Application response to Background services.

32. Set the print spooler directory to the disk with the most free space (preferably the second partition).
   Start > Settings > Printers > File > Server Properties > Advanced tab; set the Spool folder to d:\spool (d: being the drive with the most free space).

33. Disable Active Desktop in the Terminal Services Configuration utility.
   Start > Settings > Control Panel > Administrative Tools > Terminal Services Configuration > Server Settings; disable Active Desktop.

34. Install Internet Explorer 6.0 (if so desired).
   From the command line run: change user /install
   Install IE 6.0 through Windows Update.
   When IE has finished installing, from the command line run: change user /execute

35. Install any remaining critical updates by running Windows Update.

36. Remove any unwanted shortcuts from:
   C:\Documents and Settings\All Users\Start Menu\Programs
   C:\Documents and Settings\Default User\Start Menu\Programs
   C:\Documents and Settings\Default User.domain_name\Start Menu\Programs

37. Disable any network services that are not required, e.g. Alerter, Indexing Service, Remote Access Connection Manager, Telephony and Telnet, to name a few.

38. Protect the registry from anonymous access. The default permissions do not restrict remote access to the registry. Only administrators should have remote access to the registry, because the Windows 2000 registry editing tools support remote access by default. To restrict network access to the registry to administrators only, please see Microsoft Knowledge Base article Q155363.

39. Verify that all Microsoft hotfixes are installed. The following tools assist with this task.
   Microsoft Hotfix Checker: hfnetchk.exe. Hfnetchk is a command-line tool to assess patch status for computers running NT 4.0 TSE and/or Windows 2000, as well as hotfixes for Internet Information Server 4.0 (IIS), Internet Information Services 5.0 (IIS), SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine [MSDE]), and Internet Explorer 5.01 or later.
   For more information please visit: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215
   To download please visit: http://download.microsoft.com/download/win2000platform/Utility/3.3/NT45/EN-US/Nshc332.exe
   Microsoft Baseline Security Analyzer (MBSA): Microsoft has developed MBSA version 1.0, which includes a graphical and command-line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000 and scans for missing hotfixes and vulnerabilities in the following products: NT 4.0, Windows 2000, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, and Office 2000 and 2002. When finished analyzing, MBSA stores and displays detailed reports outlining recommendations on how to harden your server further.
   For more information please read the following MBSA white paper: http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp
   The MBSA setup package (mbsasetup.msi) is available for download at: http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi

40. Implement any Citrix security bulletins. Citrix posts security bulletins to its knowledge base. To find them, please visit http://knowledgebase.citrix.com and search for security bulletins.

41. Set the Windows 2000 time source.
   Start > Run > cmd; type: net time /setsntp:name_of_timeserver

42. Clean up any error messages in the Event Log.

43. It is imperative to install antivirus software and keep up to date on the latest virus signatures on all Internet and intranet systems. Also, be very careful when selecting antivirus software and make sure it is compatible with a Terminal Services environment.

44. Create the ERD disk. Unless you run RDISK with a command-line parameter, the only security information that makes it to the ERD is your initial Administrator user and password. Running it after modifications to the administrative users updates the SAM information. Run RDISK /S after crippling Administrator. This updates the backup security hive, which is then put on the ERD. Since Win2K creates this as an unlocked copy, be careful to securely store your ERDs.

You are now ready to proceed with imaging servers and installing applications. Note: I highly recommend rebooting the server prior to continuing.
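Before imaging, it is worth confirming that the registry steps actually took on each server. The following audit script is an added example, not part of the Project in a Box kit: it holds the HKLM value/data pairs from steps 4, 5, 6, 7, 8, 12, 16, 20 and 21 above as a baseline, reads the live registry through Python's `winreg` module on a Windows host, and reports every value that drifts from the baseline; the `SAMPLE` snapshot it falls back to on other platforms is constructed, not captured from a real server.

```python
"""Audit a MetaFrame / Windows 2000 host against the registry baseline in the
steps above. Added example; not part of the original Project in a Box kit."""
import sys
# (subkey under HKEY_LOCAL_MACHINE, value name, expected data) from the steps above.
BASELINE = [
    (r"System\CurrentControlSet\Control\Citrix", "IcaEnableKeepAlive", 1),
    (r"System\CurrentControlSet\Control\Citrix", "IcaKeepAliveInterval", 0x3C),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "KeepAliveTime", 0xEA60),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "KeepAliveInterval", 0x3E8),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "TcpMaxDataRetransmissions", 10),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DontDisplayLastUserName", 1),
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp", "fDisableCam", 1),
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp", "fDisableCcm", 1),
    (r"SYSTEM\CurrentControlSet\Services\Alerter", "Start", 4),
    (r"SYSTEM\CurrentControlSet\Control\Print\Providers", "NetPopup", 0),
    (r"SYSTEM\CurrentControlSet\Services\EventLog\Security", "MaxSize", 0x200000),
    (r"SYSTEM\CurrentControlSet\Services\EventLog\Security", "Retention", 0),
]

def audit(read_value):
    """read_value(subkey, name) returns the data, or None when the value is absent.
    Returns one (subkey, name, expected, actual) tuple per value that drifts."""
    findings = []
    for subkey, name, expected in BASELINE:
        actual = read_value(subkey, name)
        if actual != expected:
            findings.append((subkey, name, expected, actual))
    return findings

def winreg_reader(subkey, name):
    """Reader for a live host; the winreg module only imports on Windows."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:  # key or value does not exist
        return None

def snapshot_reader(snapshot):
    """Reader over a dict snapshot; registry paths and names are case-insensitive."""
    return lambda subkey, name: snapshot.get((subkey.lower(), name.lower()))

# Constructed snapshot (not captured from a real host): every step applied except
# step 6 (last user name still shown) and step 21 (Alerter still Automatic, Start=2).
SAMPLE = {(k.lower(), n.lower()): v for k, n, v in BASELINE}
SAMPLE[(r"software\microsoft\windows\currentversion\policies\system", "dontdisplaylastusername")] = 0
SAMPLE[(r"system\currentcontrolset\services\alerter", "start")] = 2

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader(SAMPLE)
    for subkey, name, expected, actual in audit(reader):
        print(f"DRIFT HKLM\\{subkey}\\{name}: expected {expected:#x}, found {actual!r}")
```

Run it as Administrator on the tuned server; a missing value is reported as `None`, which is what you see when a .REG file was never imported at all.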