
Endpoint Security Calculator

In this blog post I describe the steps required to create a Virtual Machine template using Windows 10 from scratch.

Only optimizations of the core OS are described; the impact of applications installed within the guest will also need to be evaluated.

Below are the steps to follow to create an optimized Golden Image for VDI

STEP 1: VMware Template Configuration

Create a new Virtual Machine using the vSphere Web client

  • Name: depending on naming convention standards (Note: use a name of fewer than 15 characters)
  • Location: depending on the environment
  • Compute Resource: depending on the environment
  • Storage: depending on the environment
  • Compatibility (=Hardware version): ESXi 6.0 and later (=Hardware version 11)
  • Reference: 
  • Guest OS Family: Windows
  • Guest OS Version: Microsoft Windows 10 (64-bit)
  • Customise Hardware – Virtual Hardware Tab
      • vCPUs: 2
      • Memory: 3072 MB
      • Reserve all guest memory
      • HDD: 32 GB (disk size depends on the number of expected locally installed applications)
      • SCSI Controller: LSI Logic SAS
      • Network:
          • VLAN depending on the environment
          • Connect at Power On: YES
          • Adapter Type: VMXNET3
      • CD/DVD Drive:
          • Select “Datastore ISO File”
          • browse to the appropriate OS iso file
          • Connect at Power On: YES
      • Floppy Drive: Remove
      • Video Card:
          • Select “Specify Custom Settings”
          • Number of displays: 4
          • Total Video Memory: 128 MB
          • Enable 3D support: YES
          • 3D renderer: Automatic
          • 3D Memory: 256 MB
  • Customise Hardware – VM Options tab
      • Boot options:
          • Force BIOS setup: Enable “The next time the virtual machine boots, force entry into the BIOS setup screen”
      • Advanced:
          • Settings:
              • Ensure “Enable logging” is unchecked
          • Configuration Parameters:
              • Edit Configuration Parameters
              • Add Row
              • Name: devices.hotplug
              • Value: false
              • Reference: See 
  • Click Finish

Power on the newly created VM and open the console from within the vSphere client to change the BIOS settings

  • Go to the Advanced tab – I/O Device Configuration and disable Serial Ports, Parallel Ports and Floppy Disk Controllers
  • Go to the Boot tab and change the boot order so the CD-ROM drive is the first boot device
  • Save and exit (F10)

STEP 2: Win10 OS Installation

Boot the VM from the Win10 iso file

Ensure the language, time/currency format and keyboard/input method selections are correct

Click “Install Windows”

Accept License terms and click “Next”

Select “Custom – Install Windows only”

Select the drive where you want to install Windows (there will be only one) and click “Next”

Follow the Wizard to finalise a default Win10 installation

  • When asked to create a user, create a user with the name “temp”

STEP 3: Win10 Base Image Customizations

Install VMware Tools (default installation) and reboot VM

  • Note: If you intend to use a vShield Endpoint based solution to protect your Virtual Machines from viruses, make sure to also install the Guest Introspection Drivers (previously called the vShield Endpoint Thin Agent driver), which are not installed by default during a typical VMware Tools installation. (Custom Install – Add VMCI driver\Guest Introspection Drivers)

Logon to the desktop using the “temp” user

Enable the local Administrator account

  • Right Click on the Start button – Computer Management – Local Users and Groups – Users
  • Check properties of the Administrator account
  • Uncheck “Disable account”
  • Check “Password never expires”
  • Click OK
  • Set a password

Logoff the desktop

Logon to the desktop using the local administrator account

Change Computer Name

  • Right Click on the Start button – Control Panel – System and Security – System
  • Click on “Change Settings” in the section “Computer name, domain and workgroup settings”
  • Click on “Change” next to “To rename this computer or change …”
  • Type the computer name, depending on naming convention standards (Note: use a name of fewer than 15 characters)
  • Click OK
  • Reboot VM

Delete “temp” user profile

  • Right Click on the Start button – Control Panel – System and Security – System – Advanced System Settings – Advanced
  • Click the “Settings” button under the User Profile section
  • Highlight the “temp” account and click Delete

Delete “temp” user

  • Right Click on the Start button – Computer Management – Local Users and Groups – Users
  • Right Click “temp” user and choose Delete

Remove the following features (if they are enabled) from the OS (unless you really need them) and reboot VM:

  • Right Click on the Start button – Programs and Features – Turn Windows Features on or off
  • Unselect the following default installed features:
      • Print and Document Services – Internet Printing Client
      • Print and Document Services – Windows Fax and Scan

Logon to the desktop using the local administrator account

Set Power Options to high

  • Right Click on the Start button – Control Panel – Hardware and Sound – Power Options
  • Click “Show Additional Power Plans”
  • Choose “High Performance”
  • Click “Create a Power Plan”
  • Choose “High Performance”
  • Plan name: type “VDI”
  • Click Next
  • Turn off the display: Select “Never”
  • Put the computer to sleep: Select “Never”
  • Click “Create”

Adjust Visual effects for best performance

  • Right Click on the Start button – Control Panel – System and Security – System – Advanced System Settings – Advanced
  • Click the “Settings” button in the “Performance” section
  • Select “Visual Effects” tab
  • Select “Adjust for Best Performance”
  • Select “OK”

Configure paging file size

  • Right Click on the Start button – Control Panel – System and Security – System – Advanced System Settings – Advanced
  • Click the “Settings” button in the “Performance” section
  • Select “Advanced” tab
  • Click the “Change” button under the “Virtual Memory” section
  • De-select “Automatically manage paging file size for all drives”
  • Select “Custom Size”
  • Initial size (MB): 3072 (equals the amount of memory of the VM)
  • Maximum Size (MB): 3072 (equals the amount of memory of the VM)
  • Click “Set”
  • Click “OK”
  • Reboot VM

Disconnect the installation media in the VM properties in the VMware vSphere (web) Client (set to “Client Device”)

Logon to the desktop using the local administrator account

Run Windows update, install all the latest patches and service packs and reboot VM

  • Click on the Start button – Settings – Update & Security – Check for Updates
  • Reboot VM
  • Note: Repeat this process until all Windows updates have been installed

Cleanup manager:

  • Open a command prompt
  • Run c:\windows\system32\cleanmgr /sageset:1 and check all the boxes of items you want to delete

Copy file vdi_cleanup.bat to c:\windows\system32

  • The content of vdi_cleanup.bat can be found at 

Enable VerboseStatus

  • Open a command prompt
  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v verbosestatus /t REG_DWORD /d 1 /f

Disable some Active Setup components of Windows

  • As per  logon time will be a lot faster when disabling all the Active Setup components of Windows.
  • Delete the StubPath value under each of the following keys:
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
      • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
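
The StubPath deletions listed above, scripted in PowerShell as an added example (not part of the original post): it exports the Installed Components branch first so the change can be reverted with "reg import", then reports the outcome per component. The backup file path is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$branch = 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'
$components = @(
    '{2C7339CF-2B09-4501-B3F3-F3508C9228ED}'
    '{2D46B6DC-2207-486B-B523-A557E6D54B47}'
    '{44BBA840-CC51-11CF-AAFA-00AA00B6015C}'
    '{6BF52A52-394A-11d3-B153-00C04F79FAA6}'
    '{89820200-ECBD-11cf-8B85-00AA005B4340}'
    '{89820200-ECBD-11cf-8B85-00AA005B4383}'
    '{89B4C1CD-B018-4511-B0A1-5476DBF70820}'
    '>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}'
)

# Assumption: backup location. Restore with: reg import <file>
$backup = "$env:SystemDrive\ActiveSetup-InstalledComponents.reg"
reg.exe export $branch $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of '$branch' failed; nothing was changed." }

$report = foreach ($id in $components) {
    $key   = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$id"
    $stub  = $null
    $state = 'key not present'
    if (Test-Path -LiteralPath $key) {
        # GetValue returns $null when the key has no StubPath value.
        $stub = (Get-Item -LiteralPath $key).GetValue('StubPath')
        if ($null -eq $stub) {
            $state = 'no StubPath'
        } else {
            try {
                Remove-ItemProperty -LiteralPath $key -Name 'StubPath' -ErrorAction Stop
                $state = 'StubPath removed'
            } catch {
                $state = "failed: $($_.Exception.Message)"
            }
        }
    }
    # OldStubPath records what would have run at first logon, for the change log.
    [pscustomobject]@{ Component = $id; Result = $state; OldStubPath = $stub }
}
$report | Format-Table -AutoSize -Wrap
```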

VMware OS Optimization tool:

  • Run the VMware OS Optimization tool:  Adjust the template as needed for your environment
  • Install .NET Framework 3.5 when asked for it

Pre-compile .NET framework assemblies

  • Open an elevated Windows command prompt.
  • Navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory.
  • Type ngen.exe update /force
  • Notes:
      • This process may require several minutes to complete.
      • Microsoft .NET 3.5 or 4.0 is not installed by default. If Microsoft .NET 3.5 or 4.0 is required on the desktop image, it should be installed prior to running the ngen.exe executequeueditems command.

Reboot VM

STEP 4: Install Horizon View Agent

Install the VMware Horizon View Agent

  • Note: Make sure that the version of the VMware Horizon View Agent you are using is compatible with the View Connection server version you will be using
  • Network Communication Protocol: IPv4
  • Features to be installed (depending on the environment):
      • Serial Port Redirection: No
      • Scanner Redirection: No
      • USB Redirection: Yes
      • HTML Access: Yes
      • VMware Horizon View Composer Agent: Yes
      • Real-Time Audio-Video: Yes
      • Client-Drive Redirection: Yes
      • Virtual Printing: Yes
      • vRealize Operations Agent: Yes
      • VMware Horizon View Persona Management: Yes
      • PCoIP Smartcard: No
      • VMware Audio: Yes
      • Note: An explanation of all these above features can be found 
  • Remote Desktop Protocol Configuration
      • Select “Enable the Remote Desktop capability on this computer”

Reboot VM

Optional: Join the VM to your Active Directory Domain

Add an Active Directory group containing the users/groups which will be allowed to open Remote Desktop connections to the VM (= all users/groups which will be allowed to connect to a VMware View Desktop)

  • Note: This can also be done via group policy (Restricted Groups GPO – Remote Desktop Users)

Optimization tool:

  • Run the VMware OS Optimization tool:  Adjust the template as needed for your environment

Reboot VM

STEP 5: Installation of some standard applications (OPTIONAL STEP)

Install the latest version of Adobe Flash Player:

  • Browse to  with Internet Explorer
  • Do not select the option to install “McAfee Security Scan Plus”, “Google Toolbar”, …
  • Update method: Never check for updates (see  for instructions)
  • Edit %WINDIR%\SysWow64\Macromed\Flash\mms.cfg and ensure that “AutoUpdateDisable=1” is included in the mms.cfg file
  • Adobe Flash Player test: 

Install the latest version of Adobe Reader

  • Browse to  with Internet Explorer
  • Do not select the option to install “McAfee Security Scan Plus”, “Google Toolbar”, …
  • Manually check for and install updates
  • Enable the “Adobe PDF Link Helper” add-on
  • Delete shortcut which was added to the desktop
  • REG ADD "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bUpdater /t REG_DWORD /d 0 /f
  • REG ADD "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v Mode /t REG_DWORD /d 0 /f
  • SC stop AdobeARMservice
  • SC config AdobeARMservice start= disabled
  • Adobe Reader test: 

Install the latest version of Adobe Shockwave player

  • Browse to  with Internet Explorer
  • Do not select the option to install “McAfee Security Scan Plus”, “Google Toolbar”, …
  • Disable updates: 
  • Shockwave test: 

Install the latest version of Java (install both 32 and 64 bit on a Win7 64-bit OS)

  • Browse to  with Internet Explorer
  • Do not select the option to install “Ask Toolbar”, …
  • Delete the registry value SunJavaUpdateSched under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Java test: 

Install Microsoft Silverlight

  • Go to  and follow the instructions
  • Do not enable Microsoft Update when asked for
  • Silverlight test: 

Reboot VM

Shutdown VM

STEP 6: Clean up

Open an elevated Windows command prompt

Run vdi_cleanup.bat

Take a Snapshot of your golden image
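
Before the snapshot is taken, the settings applied in STEP 3 and STEP 5 can be confirmed from inside the guest. The following PowerShell is an added example, not part of the original post; it only reads state, the expected values are the ones given above, and the check names and the "n/a" convention for optional applications that are not installed are assumptions of the example.

```powershell
# Added example (not from the original post): read-only check of the template
# state before the snapshot. Run in an elevated PowerShell session.
function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing ($null) when the key or the value does not exist.
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).GetValue($Name) }
}

$lockdown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$mmsCfg   = "$env:WINDIR\SysWow64\Macromed\Flash\mms.cfg"

# Each test returns $true/$false, or nothing when an optional item is absent.
$checks = [ordered]@{
    '"temp" user deleted' = {
        -not (Get-LocalUser -Name 'temp' -ErrorAction SilentlyContinue) }
    'verbosestatus = 1' = {
        (Get-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'verbosestatus') -eq 1 }
    'Page file fixed at 3072/3072 MB' = {
        @(Get-CimInstance Win32_PageFileSetting |
            Where-Object { $_.InitialSize -eq 3072 -and $_.MaximumSize -eq 3072 }).Count -eq 1 }
    'Active power plan is "VDI"' = {
        [bool]((powercfg.exe /getactivescheme) -match '\(VDI\)') }
    'AdobeARMservice disabled' = {
        $s = Get-Service -Name 'AdobeARMservice' -ErrorAction SilentlyContinue
        if ($s) { $s.StartType -eq 'Disabled' } }
    'Adobe Reader bUpdater = 0' = {
        $v = Get-RegValue $lockdown 'bUpdater'
        if ($null -ne $v) { $v -eq 0 } }
    'Flash mms.cfg has AutoUpdateDisable=1' = {
        if (Test-Path -LiteralPath $mmsCfg) {
            [bool](Select-String -LiteralPath $mmsCfg -Pattern '^\s*AutoUpdateDisable\s*=\s*1\s*$' -Quiet) } }
    'Java updater removed from Run' = {
        $null -eq (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'SunJavaUpdateSched') }
}

$report = foreach ($name in $checks.Keys) {
    $ok = & $checks[$name]
    $status = if ($null -eq $ok) { 'n/a' } elseif ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $name; Status = $status }
}
$report | Format-Table -AutoSize
```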
