New install questions

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
craiggsmith
Senior Member
Posts: 851
Joined: Sun Sep 12, 2010 3:14 pm
Location: South Jordan, Utah

New install questions

#1

Post by craiggsmith »

With this latest computer I'm revisiting my setup instructions and have a few questions:

Adobe Flash - do we really need this?
Java - past discussions have said we don't need this; any new thoughts?
Lenovo tools- do these really add any value? I used to leave it on but I've found that it can dramatically increase the startup time.
Adobe Reader - the link on the web takes us to the page for the DC (distribution) option, but it actually gives us all 3 options to download: DC, 10, and 11. Do you recommend DC or 11?
Nitro Pro - Looks like an alternative to Adobe Reader and CutePDF, but appears to cost money, so I assume we might want to delete it.
SHAREit - doesn't look like something we want to use.
Windows Defender - still appears necessary to disable this.

I have a long list of other small changes I make but am starting to lean towards just sticking with the defaults. If you have any other important ones though please comment.
Craig
South Jordan, UT
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New install questions

#2

Post by russellhltn »

craiggsmith wrote:Adobe Flash - do we really need this?
I'd leave it out. If it's needed, it can be installed on the fly. Chrome, and I think Firefox include it, so it's really only needed for IE. These days, I'm inclined to install Chrome, set it as default, and "hide" IE. Most church sites seem to do better with Chrome - and it seems to do a good job in keeping itself updated.

craiggsmith wrote:Java - past discussions have said we don't need this; any new thoughts?
Not for MLS. OpenOffice/LibreOffice might need it for some functions. But I'd probably leave it out. It's another security nightmare with all the updates.

craiggsmith wrote:Lenovo tools- do these really add any value? I used to leave it on but I've found that it can dramatically increase the startup time.
Not sure about Lenovo, but with HP, there's a HP Support Assistant that suggests BIOS and Driver updates.

craiggsmith wrote:Adobe Reader - the link on the web takes us to the page for the DC (distribution) option, but it actually gives us all 3 options to download: DC, 10, and 11. Do you recommend DC or 11?
I thought DC is what came after 11. I can't say as I'm a fan of it, but if it's the future of Adobe reader ....

craiggsmith wrote:Nitro Pro - Looks like an alternative to Adobe Reader and CutePDF, but appears to cost money, so I assume we might want to delete it.
If it's trialware, I'd uninstall it.

craiggsmith wrote:SHAREit - doesn't look like something we want to use.
Sounds like a open invite to trouble. I'd uninstall it.

craiggsmith wrote:Windows Defender - still appears necessary to disable this.
Probably.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
craiggsmith
Senior Member
Posts: 851
Joined: Sun Sep 12, 2010 3:14 pm
Location: South Jordan, Utah

Re: New install questions

#3

Post by craiggsmith »

russellhltn wrote:These days, I'm inclined to install Chrome, set it as default, and "hide" IE. Most church sites seem to do better with Chrome - and it seems to do a good job in keeping itself updated.
Thanks, I've been debating whether to make Chrome the default.

russellhltn wrote:
craiggsmith wrote:Java - past discussions have said we don't need this; any new thoughts?
Not for MLS. OpenOffice/LibreOffice might need it for some functions. But I'd probably leave it out. It's another security nightmare with all the updates.
Yeah, how could I forget the hassle of keeping it up to date.
russellhltn wrote:
craiggsmith wrote:Lenovo tools- do these really add any value? I used to leave it on but I've found that it can dramatically increase the startup time.
Not sure about Lenovo, but with HP, there's a HP Support Assistant that suggests BIOS and Driver updates.
Yes, it is supposed to help keep your system up to date. I would like to think the church does this but probably not. I did a check and it did show an update to the Intel LAN driver. But mostly it showed updates to itself and other Lenovo software; I remember now that this was most often the case, and it was really slow. I've gone ahead and turned off a lot of things which should help although I've still gotten complaints from the clerks in the past. But I guess I'll leave it on for now and see how this version goes. It looks like only a small piece is still running in the background.
russellhltn wrote:
craiggsmith wrote:Adobe Reader - the link on the web takes us to the page for the DC (distribution) option, but it actually gives us all 3 options to download: DC, 10, and 11. Do you recommend DC or 11?
I thought DC is what came after 11. I can't say as I'm a fan of it, but if it's the future of Adobe reader ....
DC appears to be an enterprise distribution version. I think I'll try it with the hopes that it's less of a maintenance headache.

Thanks very much!
Craig
South Jordan, UT
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New install questions

#4

Post by russellhltn »

craiggsmith wrote:DC appears to be an enterprise distribution version. I think I'll try it with the hopes that it's less of a maintenance headache.
I went and looked. I'm sure the place you were sent was a enterprise download spot, but "DC" stands for 'Document Cloud' - a way to share and work with PDFs in "the cloud". This immediately makes me suspicious that it may not be a good choice for church use.

More info here

Also, when setting up new machines, I turn off the default admin share. I'll have to look up how to do that.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
craiggsmith
Senior Member
Posts: 851
Joined: Sun Sep 12, 2010 3:14 pm
Location: South Jordan, Utah

Re: New install questions

#5

Post by craiggsmith »

russellhltn wrote:
craiggsmith wrote:DC appears to be an enterprise distribution version.
I went and looked. I'm sure the place you were sent was a enterprise download spot, but "DC" stands for 'Document Cloud' - a way to share and work with PDFs in "the cloud". This immediately makes me suspicious that it may not be a good choice for church use.

More info here
Interesting, hadn't heard of this. I'm not sure that there's much change for the Reader app, but the reviews on the new version in general aren't very good and if it has the same lame update behavior then I think I'll go back to 11.
russellhltn wrote:Also, when setting up new machines, I turn off the default admin share. I'll have to look up how to do that.
Yeah, me too. I usually set up a Stake Clerk account instead, although maybe I could just use the default Admin account?

One other thing I do is turn off password memorization in browsers.

I turned off bluetooth; I got an error when trying to disable it via the system tray or properties, so I just disabled it in the network control panel.

I'm surprised these machines still come with VGA.
Craig
South Jordan, UT
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New install questions

#6

Post by russellhltn »

OK, here's my list:

When connecting to the network, set to "Public". (I think there's also a checkbox to make all future connections "Public" as well. - check that.)

Under Network properties:
Remove:
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks

Disable: IPv6


Add restrictions using GPEdit.msc:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments
Change the system time - Remove Admin, add stake

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >
Interactive logon: Do not display last user name - Enabled
Interactive logon: Do no require CTRL + ALT + DEL - Enabled

Computer Configuration > Administrative Templates > Network > Microsoft Peer-to-Peer Networking Services
Turn off Microsoft Peer-to-Peer Networking services - Enabled

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile >
Allow inbound file and printer sharing exceptions - Disabled

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile >
Allow inbound file and printer sharing exceptions - Disabled

Computer Configuration > Administrative Templates > System > Logon >
Hide entry points for Fast User Switching - Enabled
Always use classic logon - Enabled

Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Turn off Autoplay - Enabled

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services >
Remote Disktop Session Host > Connections
`Allow users to connect remotely using RDP - Disabled

User Configuration > Administrative Templates > Control Panel > Personalization
Enable screen saver - Enabled
Password protect the screen saver - Enabled
Screen saver timeout - Enabled 900 seconds (15 minutes)
Force specific screen saver - Enabled PhotoScreensaver.scr


Using Regedit:
Remove File Sharing
Find the key: HKEY_CLASSES_ROOT\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}

Export a copy

Right-click and delete it.

If you cannot delete it, please take the ownership of this key, follow these steps:

1. Right-click the key - Permissions - Advanced

2. Owner Tab, Click your user name and check the box "Replace owner on subcontainers and objects", Apply - OK.

3. Click Administrators under Group or user name, check Allow Full Control. Then Apply - OK.

Now delete that key.

Disable administrative sharing
Regedit
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer - DWord 0
AutoShareWks - DWord 0



I've confirmed this will kill the admin share. Otherwise, I could probably walk into your building, and using the WiFi signal, browse the C drive of the ward computer.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
rsidwell
Member
Posts: 51
Joined: Fri Nov 07, 2014 3:57 pm
Location: Riverside, California, USA

Re: New install questions

#7

Post by rsidwell »

craiggsmith wrote:I'm surprised these machines still come with VGA.
The church doesn't replace operational monitors, and there are a lot of VGA only monitors out there! I'm sure VGA support was one of the requirements for new clerk computers.
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New install questions

#8

Post by russellhltn »

rsidwell wrote:The church doesn't replace operational monitors,
Depends on your FMG. Mine replaced them - but then they were mostly CRTs. I'm not expecting replacements on the next round.

I think most "desktops" still have the VGA port, just for comparability. I think you can use that to create a dual-monitor setup - one VGA and one Display Port.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: New install questions

#9

Post by drepouille »

russellhltn wrote:When connecting to the network, set to "Public". (I think there's also a checkbox to make all future connections "Public" as well. - check that.)
I thought the installation instructions told us to set the network to "Work". I believe that allows peer-to-peer sharing of printers, without the dangers of Public.
Dana Repouille, Plattsmouth, Nebraska
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: New install questions

#10

Post by drepouille »

craiggsmith wrote:One other thing I do is turn off password memorization in browsers.
Good idea, and you need to do that for each Windows account (if you use more than one).

I once went into a clerk's office to do a random tune-up and inspection. I discovered I could run Chrome, go to lds.org, and was immediately logged in as the bishop. I turned off the "remember password" feature, and deleted all saved passwords. Then I told the bishop and the ward clerk what I had done. They both looked a bit sheepish.
Dana Repouille, Plattsmouth, Nebraska
Post Reply

Return to “Clerk Computers”