CCSS Compliance Notes: Windows

These instructions include screenshots from a client running Windows 7. Depending on the version of Windows a device is running, the steps may be very similar (as in Windows Vista) or very different (as in Windows XP/2000). Windows XP/2000 users may contact a CSE computing staff member for assistance as required. The concepts are similar in all Windows-based operating systems that can join a domain.

These instructions will not work for systems that are behind a NAT gateway. If you are not directly connected to the CSE research network (i.e. your device's IP address does not start with 164.107), please contact a CSE computing staff member so that we are aware of the situation and can assist you with compliance.

Verify hostname and IP address

First, determine your device's IP address with the ipconfig command from a Command Prompt as follows:

Z:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : cse.ohio-state.edu
IPv4 Address. . . . . . . . . . . : 164.107.120.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 164.107.120.1

If the IPv4 address listed doesn't start with 164.107, the device is probably behind a NAT device; if this is the case, contact a CSE computing staff member for assistance with CCSS compliance. It is possible to have multiple network interfaces. As long as at least one of them is connected to the CSE research network, the device may be brought into compliance with the procedure outlined in this document.

Once you've determined your device's IP address, you can look up the appropriate hostname in the CSE DNS space with the nslookup command:

Z:\>nslookup 164.107.120.111
Server: cs2.cse.ohio-state.edu
Address: 164.107.112.76:53

Name: pc-dl887r.cse.ohio-state.edu
Address: 164.107.120.111

The hostname for the device with IP address 164.107.120.111 is pc-dl887r.
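The same checks can be scripted. The following is an added example, not part of the original instructions: it looks for an address in 164.107, asks DNS for the registered hostname via nslookup, and compares it with the local computer name. It also reports whether the machine is already a domain member, which the join section below checks through the System control panel. The property names on the output object are illustrative.

```powershell
# Added example (not from the original page). PowerShell 2.0+, Windows 7 or later.
$prefix = '164.107.'   # CSE research network prefix, as stated on the page

# IPv4 addresses of every IP-enabled adapter (a device may have several interfaces).
$addrs = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })

$cse = @($addrs | Where-Object { $_.StartsWith($prefix) })
if ($cse.Count -eq 0) {
    Write-Warning "No address starts with $prefix (found: $($addrs -join ', ')). Probably behind NAT; contact CSE staff."
    return
}

$cs = Get-WmiObject Win32_ComputerSystem
foreach ($ip in $cse) {
    # Ask DNS directly with nslookup, as the page does, rather than the local resolver.
    $hit = nslookup $ip 2>$null | Select-String '^Name:\s+(\S+)' | Select-Object -First 1
    if (-not $hit) {
        Write-Warning "No hostname is registered in DNS for $ip"
        continue
    }
    $fqdn  = $hit.Matches[0].Groups[1].Value
    $short = $fqdn.Split('.')[0]

    # One result object per CSE-network address.
    New-Object PSObject -Property @{
        IPAddress         = $ip
        DnsName           = $fqdn
        ComputerName      = $cs.Name
        NameMatchesDns    = ($short -ieq $cs.Name)   # should be True before joining
        PartOfDomain      = $cs.PartOfDomain         # True means already joined to a domain
        DomainOrWorkgroup = $cs.Domain               # workgroup name when not domain-joined
    }
}
```

If NameMatchesDns is False, set the computer name to the DNS hostname when joining; if PartOfDomain is already True, contact CSE staff instead of joining.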

Install current Windows patches

Navigate to Start ⇒ All Programs ⇒ Windows Update and install any pending Windows updates before proceeding.

Join the device to the RESEARCH domain

If you are currently joined to a domain or running a Windows server that is acting as a domain controller, please contact a CSE staff member about CCSS compliance. These instructions are for client-based Windows systems. You may determine if you are part of a domain by following the first step, described below.

Navigate to Start ⇒ Control Panel and double-click the System icon. Click on "Advanced system settings" on the left-hand side of the window, and select the Computer Name tab, as shown here:

The "Workgroup" line indicates that the device is a member of a workgroup. The workgroup name will vary from device to device. If the "Workgroup" line is missing and a "Domain" line is present, the device is already joined to a domain and should not be joined to the RESEARCH domain. If the device is not currently a member of a domain, click the "Change..." button to join the machine to the RESEARCH domain. In the resulting "Computer Name/Domain Changes" window, click the "Domain:" radio button and enter research.cse.ohio-state.edu in the corresponding text field, as shown below:

Note that the "Computer Name:" value should be the hostname assigned to the device in the CSE DNS as obtained from nslookup. Click the "OK" button in the "Computer Name Changes" window to join the RESEARCH domain. An authentication dialog box will appear. Use the username research\join and the password joinresearch.

You will then be prompted to restart the computer. Click "OK" four times; the computer should reboot. Be sure to reboot before proceeding.

Authentication Controls: Set your password

Group Policy is used on the RESEARCH domain to enforce appropriate authentication controls. After the device reboots, all users will need to press CTRL+ALT+DEL and enter a username and password to log in. If you were using an account with no password, simply use the same account name in the login field, and leave the password field blank to log in the first time. Once you have logged in, press CTRL+ALT+DEL again and click "Change Password...". Leave the "Old Password" text field empty, enter a new password in the "New Password" and "Confirm New Password" fields, and click "OK". Password complexity is enforced on the RESEARCH domain by Group Policy. After you've set your password, click "Cancel" to exit the CTRL+ALT+DEL options window.

Per the CCSS specification, all normal user accounts must have a robust password, and automatic logins are not permitted. Appropriate settings should be enforced by Group Policy on the RESEARCH domain; users are not permitted to do any of the following:

  • Create an account with no password.
  • Create an account with a weak or easily compromised password (dictionary words, account name, etc.).
  • Set the password for any account not to expire.
  • Configure the device to automatically log in any account.

The user accounts on the device will be local accounts, just as they were originally, and logins will work even if the device is not in contact with the RESEARCH domain controller. A RESEARCH domain account that has administrative rights to the local machine does exist, and is used by CSE staff for regular CCSS compliance audits. This account will not be used for any purpose not related to CCSS compliance.
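Because the accounts remain local, the rules above can be spot-checked on the device itself. The following is an added example, not part of the original instructions or the CSE audit procedure: it lists enabled local accounts whose flags allow a blank or non-expiring password and reports whether automatic logon is configured. Password strength itself cannot be checked this way.

```powershell
# Added example (not from the original page). PowerShell 2.0+; run from an
# elevated prompt so all account flags and registry values are readable.

# Enabled local accounts whose flags permit a blank or non-expiring password.
$findings = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = TRUE AND Disabled = FALSE' |
    ForEach-Object {
        $issues = @()
        if (-not $_.PasswordRequired) { $issues += 'password not required' }
        if (-not $_.PasswordExpires)  { $issues += 'password never expires' }
        New-Object PSObject -Property @{
            Account = $_.Name
            Issues  = ($issues -join '; ')
        }
    } | Where-Object { $_.Issues }

# Automatic logon is controlled by values under the Winlogon key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl  = Get-ItemProperty -Path $key
$autoLogon = ($wl.AutoAdminLogon -eq '1')
$storedPw  = ($null -ne $wl.DefaultPassword)   # cleartext logon password left in the registry

if ($findings) {
    $findings | Format-Table Account, Issues -AutoSize
} else {
    'No enabled local account allows a blank or non-expiring password.'
}
if ($autoLogon) { Write-Warning "Automatic logon is enabled for '$($wl.DefaultUserName)'." }
if ($storedPw)  { Write-Warning 'A DefaultPassword value is stored under the Winlogon key.' }
if (-not ($autoLogon -or $storedPw)) { 'Automatic logon is not configured.' }
```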

Firewall

Windows Firewall settings are enforced by Group Policy on the RESEARCH domain. Windows Firewall must be enabled at all times; several default exceptions should already be configured through Group Policy. Additional exceptions may be made as necessary.

Current Operating System & Software

Windows Update settings are also enforced by Group Policy on the RESEARCH domain. By default, devices on the RESEARCH domain will obtain updates via the CSE Windows Server Update Services (WSUS) server, but users may check for updates from Microsoft's servers if they choose. For desktop devices that are continually in contact with the CSE network, a policy similar to that enforced on the CSE instructional desktops is used: users will be notified when new updates are available and given the opportunity to install them at their convenience; any updates that remain pending at 5:00AM each Friday morning will be automatically installed, and the device will be rebooted if necessary. Laptops on the RESEARCH domain are configured to only notify and prompt for installation of updates at this time.

Anti-Malware

The CSE Department uses Symantec virus scan, which is licensed by the Department. It is strongly recommended that any currently installed anti-malware products be removed before completing this step.

Open My Computer and enter \\rsdc1.research.cse.ohio-state.edu\software in the "Address" text field. An authentication dialog box will appear. Enter the username research\join and the password joinresearch to access the share as shown below:

Once the Software folder opens, double-click the "Installers" folder, then double-click the appropriate folder depending on your device and OS.

Double-click the "Symantec Endpoint Protection ..." folder and run the "setup.exe" program.

A security warning dialog box like the following may appear; if it does, click the "Run" button to continue. This may happen more than once; click "Run" each time.

CCSS Compliance Certification

After all the steps in this document have been completed, send an e-mail to help@cse.ohio-state.edu to request a certification appointment. A staff member will arrange a time to meet with you and verify that your device meets CCSS compliance standards.