Windows Server 2022 Installation¶

1. Server system installation¶

1.1 Boot from the CD, confirm the system installation language, time zone and keyboard layout, and click Next.

1.2 Click Install Now.

1.3 Select the system version to be installed. (Please select the one with Desktop Experience suffix)

1.4 Check the Agree to Install License Information, and then click Next.

1.5 Click Custom Installation.

1.6 If you need to create a new partition as the system disk, select new. (The system disk space should be greater than or equal to 100G), and the entire disk is used as the system disk, then click Next directly.

if not found disk, please click Load driver to install virtio driver

Click OK

Select server version driver, and click Next to install driver

Select OS disk, and Click Next

1.7 Wait for the system and driver related programs to be installed.

1.8 After the installation is complete, please set the password of the management account (the privileged account needs more than 15 yards), and then select Finish.

2. the basic settings of the server system¶

2.1 Time and timely area proofreading. Control Panel→Clock and Region→Date and Time→Change adapter settings

2.2 IP address settings.

if install OS with VM, please install vmtools first

open with virtio driver, and double click virtio-win-guest-tools to install vmtools by default settings.

Control Panel→Network and Internet→Network and Sharing Center→Select Network Adapter right-click and select Properties

2.3 Turn off the system firewall (Note: After joining the domain, you need to turn off the firewall again.). Control Panel→System and Security→Windows Defender Firewall→Turn Windows Defender Firewall on or off

2.4 Right-click This PC to select Properties, switch to the Remote tab, and open Remote Desktop.

Click Remote Desktop and to open the Remote Desktop switch

2.5 Modify the server name. Right-click This PC to select the properties, click the Rename button, enter the server name and select the domain you want to join (you need to ask the AD administrator to help you add it).

OA: wzs.wistron
SFCS: sfcs.wzs
TE: Don't join the domain

2.6 Add the SE group to the Administrator group. Computer Management→Local Users and Groups→Groups→ Right-click Administrators to select the property

OA: WZSITSE
SFCS: WZSOTSE

2.7: System activation. Right-click on This PC and select Properties→Change product key or upgrade your edition of Windows→ Check activation status

2.8 Set the virtual memory storage location (if there is only C drive, you do not need to change it, if there are multiple disks, it is not recommended to store the paging file on C drive).

Right-click on 'This PC' to select Properties→Select Advance system settings→Select settings

Click Advanced→ Click Change→to set the space of C as No Paging file and click Set→to set the space of D disk as 1024MB to 10240MB and click Set→ and then click OK. Finally, the restart takes effect

3.1 Antivirus software installation: 64-bit systems need to be accessed through the network path for installation OA antivirus installation path:
\10.41.22.11\Apps\Anti-Virius\ApexOne\New Version(13140)\WZS\OA_Server.msi SFCS\TE antivirus installation path:
\10.41.22.11\Apps\Anti-Virius\ApexOne\New Version(13140)\WZS\SFC_Server.msi

Click NEXT to start the installation, wait for the installation to complete and the Apex One icon in the right corner of the desktop shows that the status is normal

3.2 Install IIS and other components (optional) Server Manager→Select Add Roles and Features→Click Next

Select the installation type for role-based or feature-based installation→ Click Next

Target Server Selection Select a server from the server pool →Click Next

Click Web Server(IIS)→Click Next

Check the option as shown in the figure →Click Next

On the IIS wizard page, briefly introduce the functions of IIS →Click Next

Check the option as shown in the figure →Click Next

Mount the installation image, and then follow the steps below to load path (image letter: \sources\sxs) for installation

3.3 Remote Desktop Vulnerability repair Run gpedit.msc to open Group Policy Manager → Activate NLA settings, open the path below Computer configuration Computer configuration→Administrative Templates→Windows Components→ Remote Desktop Services→Remote Desktop Session Host→Security

Double-click Require user authentication for remote connections by using Network Level Authentication→Select Enabled→ click Apply to confirm

3.4 SSL/TLS Vulnerability repair Run gpedit.msc to open Group Policy Manager → Activate NLA settings，open the path below Computer configuration→Administrative Templates→Network→ SSL Configuration Settings

Double-click SSL Cipher Suite Order→ Select Enabled → Modify the SSL cipher suite → click Apply to confirm TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA,WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA

3.5 Windows Update process (for Windows Server). Set up the WSUS automatic Update script Run the corresponding directory registry key , and then copy the "detecthnow" script to execute locally
OA path:
\\10.41.22.11\Apps\Windows Update\Auto_Windows Update\For OA network
SFCS\TE path:
\\10.41.22.11\Apps\Windows Update\Auto_Windows Update\For SFCS network

After importing the automatic update script, open Windows Update to check for updates and install them

3.6 Install Zabbix monitoring Copy the folder of the corresponding system (IT/OT) to the C drive
\\10.41.22.11\Apps\Zabbix\

Enter the following command in the CMD command line window to install Zabbix Agent 2 (OA).

C:\zabbix_agent2_it\bin\zabbix_agent2.exe –config C:\zabbix_agent2_it\conf\zabbix_agent2.conf --install

Start the Zabbix Agent 2 service Computer Management→Services→Zabbix Agent 2→Start→OK

Add Zabbix Server in Web
IT Zabbix：http://10.41.22.198/zabbix OT Zabbix：http://10.41.23.198/zabbix

3.6 Install ISMS Agent（ \\10.41.22.11\Apps\ISMS Agent）
3.7 Install EDR Agent (\\10.41.22.11\Apps\Anti-Virius\EDR)
3.8 Nessus inspection（https://10.41.20.87:8834/nessus6.html#/） After the system installation and patch and other related settings are completed, use Nessus to perform a complete scan to ensure that all PT items have been repaired and delivered to users or go online.
\\10.41.22.11\MIS OA Guide\Vulnerability Fixes SOP
3.9 Release server images (Optional)

if install with PVE, please release OS/Driver ISO images

4. Update the Server Profile¶

4.1 Update SE WEB-Server profile.
4.2 Feedback system installation record to the software administrator.

Windows Server 2022 Installation¶

1. Server system installation¶

2. the basic settings of the server system¶

3. Installation of system patches and related programs¶

4. Update the Server Profile¶