Notice! This document is currently in Archived status.
The content of this document may be incorrect or outdated.


How to Deploy 7012 Compliant Machines

To Start:

Initially, the deployment process of a 7012 machine is the same as any other domain PC. Register the device in Arrow before kicking things off at the rack. The OU is critical, though. There is a top-level OU group called Restricted Computers. Make sure you add the PC to the right OU— there is one for each project and professor. If you have any questions about which OU to use, check with Karen Monkhouse or someone from her group via itpolicy@purdue.edu. She is our main point of contact for all things 7012.

Machine names: Try to use names that will not affect GPOs etc if they are moved.

Software Installation:

Once you’ve deployed the PC, you’ll need to review the list of software that the user brings to you. For basic things like Matlab or other computational software, you don’t really need to fret. For anything else, though, you’ll want to check with Jason Stein before you start installing applications. The key here is to ensure that we don’t compromise the security compliance of the machine. It’s usually not a bad idea to show him your entire list of software— just to be on the safe side.

 

Security Compliance Checklist:

*** Deploy Checklist is available on \\merlin.ecn.purdue.edu\site\ECN\UDS\Documents\DeployChecklist\7012 pc-deploy-checklist-06-01-2019.pdf ***

1.      Record the make/model/size/serial number of the machine's hard drive in the active item you are working on.

2.      In addition to our standard BIOS settings, disable the machine's ability to boot from anything other than the HDD. PXE boot can be left intact in the event that we need to blow the PC away and redeploy it in the future.

3.      You must create a local (standard user) non-administrative account on the PC for each user. For example, if someone named Victor Frankenstein plans to use the PC, you would create a local account called victorlocal for them. Set up a temporary password for them, but make sure to check the option requiring them to change their password after the first logon.

4.      After making sure this local account is able to log in (you can create a test one for yourself), you need to change the local GPO so that ECN domain accounts cannot log in. To do so, open the Start menu and type gpedit.msc. Make sure to run this application as an administrator. Then, in the GP editor, navigate to Computer Configuration--> Windows Settings--> Security Settings--> Local Policies--> User Rights Assignment. In the “Deny log on locally” policy, add ECN\Domain Users to the list of blocked accounts. After doing so, try to log in with your standard test account to ensure the PC is locked down.

5.      You will need to create three labels (in addition to the typical host name / IP label) and affix them somewhere on the tower.

         -- CONTAINS CUI DATA

         -- AUTHORIZED USERS ONLY

         -- DESTROY HARD DRIVE BEFORE SALVAGING

6.       Send a copy of the HD serial number, the PC serial number, and the PC's OU to Export Controls (exportcontrols@purdue.edu) so that they can keep track of things, too.

7.       Navigate to the following path on merlin:

         \\ecn-merlin.ecn.purdue.edu\site\ECN\UDS\7012-DFAR Reg Key Fix

         Download and run the registry fix found there on the 7012 machine as ela. This will ensure that the computer locks out after 15 minutes of inactivity.

8.      Update the CUI Computers Tracking spreadsheet located on the UDS OneDrive.
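The following PowerShell script is an added example and is not part of the ECN article or its deploy checklist. It scripts checklist steps 1, 3, 4 and 7 for one user and is meant to be run as ela on the 7012 PC; steps 2, 5, 6 and 8 (BIOS, labels, the Export Controls e-mail, the tracking spreadsheet) remain manual. The user name and deny group are parameters you supply, and the 900-second inactivity limit is an assumption about what the registry fix on merlin applies (the fix itself is not reproduced here, so run the merlin fix if in doubt).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ECN article): checklist steps 1, 3, 4 and 7 for one user.
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # e.g. victorlocal
    [string]$DenyGroup = 'ECN\Domain Users',            # group to add to "Deny log on locally"
    [int]$InactivityTimeoutSecs = 900                   # assumed value of the merlin registry fix
)

# Step 1: hard drive make/model/size/serial plus the PC serial, for the active item.
$drive = Get-CimInstance Win32_DiskDrive | Sort-Object Index | Select-Object -First 1
[pscustomobject]@{
    DriveModel  = $drive.Model
    DriveSizeGB = [math]::Round($drive.Size / 1GB)
    DriveSerial = ([string]$drive.SerialNumber).Trim()
    PCSerial    = (Get-CimInstance Win32_BIOS).SerialNumber
} | Format-List

# Step 3: local standard-user account with a temporary password that must be changed at first logon.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $tempPassword = Read-Host -AsSecureString -Prompt "Temporary password for $UserName"
    New-LocalUser -Name $UserName -Password $tempPassword -FullName $UserName | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName   # Users only, never Administrators
}
# New-LocalUser has no "must change password at next logon" switch; net.exe sets that flag.
net user $UserName /logonpasswordchg:yes | Out-Null

# Step 4: add the domain group to "Deny log on locally" (SeDenyInteractiveLogonRight).
# There is no cmdlet for user rights assignments, so export the local policy with
# secedit, edit the relevant line, and import it again.
$sid   = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf   = Join-Path $env:TEMP 'userrights.inf'
$right = 'SeDenyInteractiveLogonRight'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $inf)
$i = $lines.FindIndex([Predicate[string]]{ param($l) $l -like "$right*" })
if ($i -ge 0) {
    if ($lines[$i] -notlike "*$sid*") { $lines[$i] = $lines[$i] + ",*$sid" }
} else {
    $section = $lines.IndexOf('[Privilege Rights]')
    if ($section -lt 0) { $lines.Add('[Privilege Rights]'); $section = $lines.Count - 1 }
    $lines.Insert($section + 1, "$right = *$sid")
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'userrights.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

# Read the policy back so you can see the deny entry before testing with your domain account.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Where-Object { $_ -like "$right*" }
Remove-Item $inf -ErrorAction SilentlyContinue

# Step 7: 15-minute inactivity lock. This is the documented "Interactive logon: Machine
# inactivity limit" registry value; it is ASSUMED to be what the merlin registry fix sets.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policy -Name 'InactivityTimeoutSecs' -PropertyType DWord `
    -Value $InactivityTimeoutSecs -Force | Out-Null
```

Run it as `.\Deploy-7012User.ps1 -UserName victorlocal` from an administrative PowerShell window, then reboot and confirm that the local account can log in and an ECN domain account is refused, exactly as step 4 describes.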

 

BitLocker:

This application is used to encrypt the machine’s hard drive, another requirement of 7012 machines. However, you will sometimes encounter machines that are not new enough to run BitLocker. This application requires Trusted Platform Module (TPM) version 1.2 or greater and some of the older Precisions and OptiPlexes weren’t built for this functionality. In these cases, you should again check with Jason Stein to be certain on how to proceed. You might be able to get around BitLocker if the PC is behind more than one access controlled door. For example, PTC machines don’t necessarily need BitLocker because you can’t get in to most rooms without an escort. 

For step by step instructions on how to run the encryption software, go to Control Panel--> BitLocker Drive Encryption.  If asked whether you would like to create a recovery key, opt not to do so. Mike Barrett has a recovery key on a secure stick. We must inform users that should their drives crash, the data cannot be recovered so they should never save data locally on the PC. 

Please note that once you encrypt the drive, you cannot make changes to the BIOS, run Disk Management, etc. For that reason, make sure to encrypt the drive as the FINAL step. You can, however, create new user accounts and install software after a drive has been encrypted.

 

Log Forwarding:

On all 7012 PCs, we will need to enable log forwarding. To do so, open an administrative command prompt as ela (which must be a local admin) and run the following command. Please note that the command below is all one line (in case the page wraps it).

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

Reboot your PC after entering the command above. Also, make sure to add the PC in question to the following AD group: Oak_EventForwarderClients.
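The following PowerShell script is an added example, not code from the ECN article, serving both the BitLocker and the Log Forwarding sections. It only reads state: it checks that the TPM meets the 1.2 minimum BitLocker needs, reports the OS drive's encryption status, and confirms that the Security log ACL carries the read entries the wevtutil command above grants to Event Log Readers (S-1-5-32-573) and Network Service (S-1-5-20). Run it as ela after the wevtutil command and reboot, and again after the final encryption step.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ECN article): read-only checks for the BitLocker and
# log-forwarding sections. Nothing here changes the machine.

function Test-TpmForBitLocker {
    # BitLocker needs TPM 1.2 or later; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ready = $false; Usable = $false }
    }
    $spec  = [version]((($tpm.SpecVersion -split ',')[0]).Trim())
    $state = Get-Tpm   # TpmPresent / TpmReady from the TrustedPlatformModule module
    [pscustomobject]@{
        Present     = $state.TpmPresent
        SpecVersion = $spec
        Ready       = $state.TpmReady
        Usable      = $state.TpmPresent -and $state.TpmReady -and ($spec -ge [version]'1.2')
    }
}

function Get-OsDriveBitLockerState {
    # After the final step this should read FullyEncrypted with ProtectionStatus On.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Percent          = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

function Test-SecurityLogForwardingAcl {
    # wevtutil gl prints the channel SDDL on a "channelAccess:" line. The article's
    # wevtutil sl command adds read access (0x1) for Event Log Readers and for
    # Network Service, the account the event forwarding client runs under.
    $line = wevtutil gl security | Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1
    $sddl = $line -replace '^\s*channelAccess:\s*', ''
    [pscustomobject]@{
        Sddl                   = $sddl
        NetworkServiceCanRead  = [bool]($sddl -match '\(A;;0x1;;;S-1-5-20\)')
        EventLogReadersCanRead = [bool]($sddl -match '\(A;;0x1;;;S-1-5-32-573\)')
    }
}

# Summary with the two conditions that block the rest of the procedure called out.
$tpm = Test-TpmForBitLocker
$acl = Test-SecurityLogForwardingAcl
if (-not $tpm.Usable) {
    Write-Warning "TPM not usable for BitLocker (present=$($tpm.Present), spec=$($tpm.SpecVersion)); check with Jason Stein before proceeding."
}
if (-not $acl.NetworkServiceCanRead) {
    Write-Warning 'Security log ACL lacks the Network Service read entry; re-run the wevtutil command and reboot.'
}
$tpm
$acl
Get-OsDriveBitLockerState
```

The TPM check is what tells you up front whether one of the older Precisions or OptiPlexes falls into the "check with Jason Stein" case; membership in Oak_EventForwarderClients is not checked here because that is an AD-side change you make from your own account, not from ela.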

 

Additional Security Precautions:

When you deliver the machine, you will want to stress that the user should look into acquiring a locking system of some kind to keep the case closed or shackled to the desk. Or if you are setting up a 7012 laptop, they will need to lock the device away when it is not being used. This is very important for shared offices.

 

Last Modified: May 8, 2023 11:05 am GMT-4
Created: Feb 1, 2016 2:33 pm US/Eastern by admin