Step 1, Launch instance, Windows 2016 Datacenter, t2.small (I think 2GB is already low for RAM on Windows), don’t change instance details, don’t change storage, no tags, set up firewall (I have static IPs, so I allowed all just from those IPs).
Step 2, configure windows (get password, TS to server and):
Remove features you aren’t using (needs WinRM service) – SMB 1.0 was the only one I removed
Stop services you aren’t using – for /f %a in (Server2016-Disable-Services) do sc stop %a & sc config %a start= disabled
Add .NET 3.5 (don’t yell at me, the application I am installing needs it, used source C:\Windows\servicing\Packages)
Configure NIC – disable: register DNS, IPv6, NetBIOS; remove: client, F&P Share, llmnr, lldp, multiplexor, etc.
Configure Windows Firewall, added allow all from my IP, disabled everything else (except DHCP, and ICMP unreachable and fragment)
Install SNMP – Dism /online /enable-feature /featurename:SNMP
reg add HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers /t REG_SZ /f /v 1 /d "SOME-IP"
reg add HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities /t REG_DWORD /f /v "SNMP-STRING" /d 10
Add get MD5 hash – reg add HKLM\SOFTWARE\Classes\*\shell\GetMD5\command /t REG_EXPAND_SZ /f /ve /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command \"(New-Object -ComObject Wscript.Shell).Popup(('%1 = '+(get-filehash -Algorithm md5 '%1').Hash),0,'File Hash',0x0)\""
That’s it for now, I need to look through some of my Server 2012 R2 notes and add any policy/security options to add.
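
A read-only audit of the Step 2 settings, added here as an example and not part of the original notes; it re-reads the same service list file and SNMP registry keys as the commands above and reports each setting as pass or fail. The FS-SMB1 feature name and the adapter binding component IDs are assumptions mapped from the post's wording, so adjust them to match what was actually removed.

```powershell
# Added example: read-only audit of the Step 2 settings (elevated PowerShell 5.1 on the instance).
$ServiceList = 'Server2016-Disable-Services'   # the list file the sc loop above reads
$SnmpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
# Assumption: binding component IDs for IPv6, client, F&P sharing, LLDP and the multiplexor
$Bindings    = 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lldp', 'ms_implat'

function New-Check($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
}

$report = & {
    # SMB 1.0 should no longer be installed (FS-SMB1 is the assumed feature name)
    $smb = Get-WindowsFeature -Name FS-SMB1
    New-Check 'Feature FS-SMB1' (-not $smb.Installed) $smb.InstallState

    # Every listed service should be both stopped and disabled
    foreach ($name in (Get-Content $ServiceList | Where-Object { $_.Trim() })) {
        $svc = Get-Service -Name $name.Trim() -ErrorAction SilentlyContinue
        if (-not $svc) { New-Check "Service $name" $true 'not installed'; continue }
        $ok = $svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled'
        New-Check "Service $name" $ok "$($svc.Status)/$($svc.StartType)"
    }

    # Per-adapter bindings; a component that was removed returns no row at all
    foreach ($b in (Get-NetAdapterBinding -ComponentID $Bindings -ErrorAction SilentlyContinue)) {
        New-Check "$($b.Name) $($b.ComponentID)" (-not $b.Enabled) "Enabled=$($b.Enabled)"
    }

    # NetBIOS over TCP/IP (2 = disabled) and DNS registration per IP-enabled adapter
    foreach ($n in (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')) {
        New-Check "NIC $($n.Index) NetBIOS" ($n.TcpipNetbiosOptions -eq 2) $n.TcpipNetbiosOptions
        New-Check "NIC $($n.Index) DNS registration" (-not $n.FullDNSRegistrationEnabled) $n.FullDNSRegistrationEnabled
    }

    # SNMP: at least one permitted manager, and no well-known community name
    $mgr = Get-Item "$SnmpKey\PermittedManagers" -ErrorAction SilentlyContinue
    $managers = @(if ($mgr) { $mgr.GetValueNames() | ForEach-Object { $mgr.GetValue($_) } })
    New-Check 'SNMP PermittedManagers' ($managers.Count -gt 0) ($managers -join ', ')
    $com = Get-Item "$SnmpKey\ValidCommunities" -ErrorAction SilentlyContinue
    foreach ($c in @(if ($com) { $com.GetValueNames() })) {
        New-Check "SNMP community '$c'" ($c -notin 'public', 'private') "rights=$($com.GetValue($c))"
    }
}

$report | Format-Table -AutoSize
```

Run it from the directory that holds the service list file; rows with Pass = False are the settings that drifted or never applied.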