Page 1 of 4 1234 LastLast
Results 1 to 10 of 32

Thread: New XP Install: Better to install ZA before or after initial Windows Updates?

  1. #1
    bloomcounty Guest

    Default New XP Install: Better to install ZA before or after initial Windows Updates?

    I'm going to be putting XP Home SP2 on a new laptop this weekend -- starting from scratch. I plan on using ZA 6.5.737 and AVG A/V Free on this system.

    I've seen different opinions on what you should do first when it comes to initial Windows Updates, firewall, and a/v.

    Some say:

    AVG A/V > Initial Windows Updates > ZA Firewall

    Others say:

    Initial Windows Updates > ZA Firewall > AVG A/V

    What's the best order? I will be behind a firewall/router when doing the Windows Updates for the first time and I'm thinking it's probably best to do those (with the Windows Firewall on and just no A/V -- with connecting only to the Windows Update site and no other browsing), then install ZA then AVG A/V Free.

    Thoughts? Thanks!

    Operating System:
    Windows XP Home Edition
    Software Version:
    6.5
    Product Name:
    ZoneAlarm (Free)

    Message Edited by bloomcounty on 12-21-2007 11:16 AM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: New XP Install: Better to install ZA before or after initial Windows Updates?

    <hr>
    I'm going to be putting XP Home SP2 on a new laptop this weekend -- starting from scratch. I plan on using ZA 6.5.737 and AVG A/V Free on this system.

    I've seen different opinions on what you should do first when it comes to initial Windows Updates, firewall, and a/v.

    Some say:

    AVG A/V > Initial Windows Updates > ZA Firewall

    Others say:

    Initial Windows Updates > ZA Firewall > AVG A/V

    What's the best order? I will be behind a firewall/router when doing the Windows Updates for the first time and I'm thinking it's probably best to do those (with the Windows Firewall on and just no A/V -- with connecting only to the Windows Update site and no other browsing), then install ZA then AVG A/V Free.

    Thoughts? Thanks!

    Operating System: Windows XP Home Edition
    Software Version: 6.5
    Product Name: ZoneAlarm (Free)
    <hr>


    Both methods are ok. It really is a personal preference.

    As long as the PC is behind the safety of the router and the windows firewall is still enabled and there is no is other internet experiences other than getiing the windows registered and updated. Then there is no issue.

    But I am assuming the new install is with a clean windows install and not from the recovery disk (which usually includes various updaters for hardware and the "added extras" courtesy of the PC manufacture, trials for both security and payware, etc).

    At the vary least, disable the IM, disable the third party cookies in the Internet Options before doing any internet windows updates.

    Another point - as soon as the AV and FW are installed, they hook into various drivers and files of the operating system and into the lower kernel of the operating system. Many will do the updates first and then install the security because of the hooking, to avoid any possible issue.

    Also it depends if going from XP SP1 or the XP with no service packs and getting the the SP1 and/or the SP2 and the following updates.
    I would definitely avoid any security installs until all of the Service Packs are installed - some security apps wreck havoc with the Service Packs.

    Personally (JMHO), I wipe the disk clean with a proper eraser and flash the BIOS, partition and format the drive, install windows, install the latest/preferred drivers from USB, do some basic hardening of the OS all the while still off line. Then staying behind the hardware router get registered, do the updates (selectively and not all are accepted - I always pick and choose). Then some more checking for more updates and repeat until there are no more available (MS seems to allot only so many updates per session and per day). When no more updates are available, do the rest of the hardening and install the AV and the FW. Get these two settled and then install the favorite and usual softwares and then move in the saved files.

    Cheers, Oldsod

    ZA AS 7.0.4

    Message Edited by Oldsod on 12-21-2007 02:54 PM
    Best regards.
    oldsod

  3. #3
    bloomcounty Guest

    Default Follow up...

    The laptop came with Vista on it. I have a XP Home SP2 OEM disk I bought, which I'm going to put in and choose to have XP delete all partitions and reformat as well (which I'm told you're able to do with the XP disk). No need to flash the BIOS as far as I know. Then I will install all the XP drivers that are applicable (which I found on-line).

    Then I'll go on-line and register XP (I'm guessing I need to do that before Windows Updates), then do the Windows Updates (until they're all installed), then get off-line and turn off the Windows Firewall and install ZA 6.5.737 and AVG A/V Free, then go on-line and update the AVG.

    Sound good?

    Also, what do you mean by &quot;basic hardening of the OS&quot; before going on-line? Can you list exactly what you're talking about?

    Thanks!

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Follow up...

    Your plan sounds good.

    The XP will have an icon appearing in the taskbar next to the clock and it will wish to get windows registered - it will also stress you have X number of days left to do so.
    As soon as you attempt to get updates, it will appear again and the update site will usually get involved in getting registered. Just get the registration done first and then the updates will be allowed.

    I usually do some "basic hardening" Not much, because once services or features are disabled, the updates may not install correctly/properly. The XP SP2 does have some security "risky" services off by default (computer browser is one of several), so it is safer to some degree by default than the previous SP1 or the original XP.
    So really do very little at this point. Once all of the updates and downloaded and installed, then I do a full hardening.
    But I do this for the basic hardening before doing the updates or going on line:
    disabling the IM from startup with windows,
    blocking the third party cookies in the internet options and allow first and session only,
    change the IE default home page to microsoft or update.microsoft.com instead of msn.com - I manually type it in,
    make sure the windows fw has no exceptions and is set to log all and change the default location of the log,
    allowing only certain TCP ports and allowed Protocols in the Properties of the TCP/IP,
    disabling the LMHosts,
    disable the NetBIOS over TCP,
    enter the correct DNS and DHCP/gateway with subnet and assigned IP - I know these anyways, so this is not a problem in the network adapter properties,
    usually disable the wake on lan and a few other not needed,
    make sure the DEP is enabled,
    if the PC has memory protection in the BIOS then enable it,
    set the correct time/date in the BIOS,
    optionally, add a signin for the admin account for startup,


    This is off the top of my head. I could add a few more.

    Oldsod
    Best regards.
    oldsod

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Follow up...

    Oh I forgot- use a wired connections instead of a wireless - to the router. Some how I never feel like tangling with WEP or WPA at this point. Or getting the PC/laptop MAC'd in with the router.

    It is much easier to skip the whole issue and just use a regular wired ethernet connection instead.
    Oldsod
    Best regards.
    oldsod

  6. #6
    bloomcounty Guest

    Default Further help...?

    Thanks for the info. I don't know what most of those things are. Do you mind explaining how to do the following?

    1. disabling the IM from startup with windows

    2. allowing only certain TCP ports and allowed Protocols in the Properties of the TCP/IP,

    3. disabling the LMHosts,

    4. disable the NetBIOS over TCP,

    5. enter the correct DNS and DHCP/gateway with subnet and assigned IP

    6. usually disable the wake on lan and a few other not needed,

    7. make sure the DEP is enabled,

    8. if the PC has memory protection in the BIOS then enable it,

    9. set the correct time/date in the BIOS,

    Also, what are the hardening up things you do after for the &quot;full hardening&quot;?

    Note: I will be using a hard-line Ethernet connection to do the Windows Updates and registering.

    Thanks for the help!

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Further help...?

    LOL! ;D
    Ok I will oblige!

    1. I really detest any IM and uninstall after things are settled and updated. So I really haven't seen any IM of any kind in a long time - really have no IM to look at or to show to you. But IIRC, there is an option somewhere in the toolbar or options of the messenger to disable this on windows startups. You could just goole or do a search for this- they have many kb and posts somewhere on the 'net for this.

    8. and 9. Entering the BIOS is done when the manufactures screen appears (before the windows screens) and usually appears in a corner of the screen or in the bottem of the screen, there is some mention of a key to be pressed to enter the BIOS. Usually the manual that came with the PC/laptop has some info on this. Most keys differ, but common is F2 (followed by DEL, ESC, etc or combination of keys). Since I am not a tech for your laptop's vendor, I shall not venture any further. I am quite sure you will investigate this further and find results.

    7. Enable the DEP.
    Right click My Computer. Open the Properties.

    <center>http://i236.photobucket.com/albums/ff2/Oldsod/DEP1.jpg</center>

    <center>http://i236.photobucket.com/albums/ff2/Oldsod/DEP2.jpg</center>

    <center>http://i236.photobucket.com/albums/ff2/Oldsod/DEP3.jpg</center>

    6. Disable the wakeonlan (usually enabled) and do so with disable the network if on a power saving mode (applies to laptops)(if so desired, but it my preference.

    <center>http://i236.photobucket.com/albums/f...onnections.jpg</center>


    <center>http://i236.photobucket.com/albums/f...Connection.jpg</center>


    <center>http://i236.photobucket.com/albums/f...wakeonlan1.jpg</center>


    <center>http://i236.photobucket.com/albums/f...wakeonlan2.jpg</center>

    Reboot and see the next post.

    Oldsod

    Message Edited by Oldsod on 12-21-2007 05:36 PM
    Best regards.
    oldsod

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Further help...?

    <hr>
    Thanks for the info. I don't know what most of those things are. Do you mind explaining how to do the following?

    1. disabling the IM from startup with windows

    2. allowing only certain TCP ports and allowed Protocols in the Properties of the TCP/IP,

    3. disabling the LMHosts,

    4. disable the NetBIOS over TCP,

    5. enter the correct DNS and DHCP/gateway with subnet and assigned IP

    6. usually disable the wake on lan and a few other not needed,

    7. make sure the DEP is enabled,

    8. if the PC has memory protection in the BIOS then enable it,

    9. set the correct time/date in the BIOS,

    Also, what are the hardening up things you do after for the "full hardening"?

    Note: I will be using a hard-line Ethernet connection to do the Windows Updates and registering.

    Thanks for the help!

    <hr>

    Now, we shall do the lMHosts, disable NetBIOS over TCP/IP, and enter the values in the TCP/IP filtering. This should cover the rest of your questions.


    Start once more at Network Connections.

    <center>http://i236.photobucket.com/albums/f...onnections.jpg</center>


    <center>http://i236.photobucket.com/albums/f...Connection.jpg</center>

    Properties of the TCP/IP_ open again.

    <center>http://i236.photobucket.com/albums/f...Properties.jpg</center>

    Notice the DNS and the gateway IP are added in, as is the assigned IP from the router.

    <center>http://i236.photobucket.com/albums/f...ofthetcpip.jpg</center>

    Disable the LMHosts and the NetBIOS over TCP/IP...

    <center>http://i236.photobucket.com/albums/f...od/winstab.jpg</center>

    TCP/IP filtering seen here...


    <center>http://i236.photobucket.com/albums/f...properties.jpg</center>


    <center>http://i236.photobucket.com/albums/f.../tcpports1.jpg</center>


    <center>http://i236.photobucket.com/albums/f.../tcpports2.jpg</center>


    <center>http://i236.photobucket.com/albums/f.../tcpports3.jpg</center>


    <center>http://i236.photobucket.com/albums/f.../tcpports4.jpg</center>

    Notice the filtering is enabled:
    The UDP is allow all.
    The TCP has the 20 and 21 (FTP), the 53 (DNS), the 66, 67,68 (DHCP, but most often just 67 and 68 is just needed), the 80 (HTTP, and the extra 81, 82 and 83 ports are really just "spill over" ports for the HTTP, again the 80 is important and the 81-83 is just an extra) and of course the 443 (HTTPS).
    The Protcols are listed as 1 (ICMP), 6 (TCP) and 17 (UDP).

    Then reboot.

    It is safe to assume you will have further questions, so please ask.

    Oldsod

    Message Edited by Oldsod on 12-21-2007 05:49 PM
    Best regards.
    oldsod

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Further help...?

    Oh while we are still in the Properties of the Network Connections, in the window that appears in the middle (where the Internet Protocol (TCP/IP)) is listed, there are usually or often other entries listed.

    or as seen in here:

    <center>http://i236.photobucket.com/albums/f...Properties.jpg</center>


    These options however can be deselected in the windows installation, using advanced or custom when the network is installed. If you are just a regular home user with no networked printer or have any need of any advanced networking.

    If not this can be skipped during the installation and these can now be deselected.

    All of these can be safely unchecked.....

    Client for Microsoft Networks
    File and Printing Sharing for Microsoft Networks
    QoS Packet Scheduler (also disable the QoS service as well, assuming the laptop is never used in a small business or very large LAN with many networked devices)
    Service Advertising Protocol
    Microsoft TCP/IP version 6 (assuming again there is no use for the TCP/IP version 6)
    Network Monitor Driver
    NWLink IPX/SPX/NetBIOS Compatible Transport Device

    Any of these entries can always be re- checked or re-enabled or installed in the future, if these are needed.

    Oldsod

    Message Edited by Oldsod on 12-21-2007 05:34 PM
    Best regards.
    oldsod

  10. #10
    bloomcounty Guest

    Default Re: Further help...?

    Thanks for all that!

    Was this one on there somewhere?

    Oldsod wrote:
    &quot;Enter the correct DNS and DHCP/gateway with subnet and assigned IP - I know these anyways, so this is not a problem in the network adapter properties&quot;

    -------------

    Also, I was originally going to just set IE security to High and add in the three Windows Update addresses to the exceptions list (and have that set to Medium) -- that's how I have it set on my old computer (I use Firefox for normal browsing, IE only for Windows Updates). But that wouldn't include whatever site you have to go to in order to register Windows XP, right? So I guess I should just set IE like you said until XP is registered, then I can set it to how I described above? Thoughts?

    Thanks!

Page 1 of 4 1234 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •