PC Manager Meeting February 22, 2006
Today
Updates
Next Meeting
Windows Policy
Licensing/Training
Security
Tool Of The Month
DOE Microsoft Tech Day
This Month: OS & App Baselines; What’s it All About? – Jack Schmidt
LUA: More ways and tools to run as LUA – Ken Fidler
Next Meeting: Mar. 22nd
Windows/Mac Software Licensing – Emily Pahlavan
InDiCo Agenda – John Bellendir/Jack Schmidt
Windows Policy Committee
Next Meeting: Mar 1st, 1:30-2:30pm, WH5SW
Agenda:
Outstanding Account Requests
NTP – Does anyone really know what time it is?
Desktop Baseline Checklist: New Domain GPOs?
Update
Spam Cop (We’ve been busted!)
Greylisting – Next Generation Spam Fighting – Kevin Hill
Spam Cop
Spam Cop started blacklisting the gateways on 2/14/06. We complained.
No response was given on why we were blacklisted, but we were removed on 2/16/06.
We were added again on 2/17/06!
A few sites had us blacklisted for “back-scatter”.
What we are doing is RFC compliant, but that doesn’t always help!
Spam Cop – Back-scatter
Backscatter occurs when a system accepts a message for delivery, then later determines that the message cannot be delivered and sends an undeliverable-mail notification back to the (often forged) sender address.
What to do?
Request that fnal.gov be added to the white list at the remote site.
CD is changing the system to prevent back-scatter (enabled 2/21).
CD is implementing greylisting soon!
Greylisting
What It Does
Requires all mail from unknown servers to be retried a short time later.
Virus-infected computers spewing spam (and viruses) won’t retry (yet).
Many system administrators report up to 90% spam reduction.
How Messages Go
Remote IP: smtp42.somelab.org, Env Sender: , Env Recipient:
Combination unseen before – Temporarily Reject Message
Remote Server retries delivery at a later time, at least 5 minutes later.
Remote IP: smtp42.somelab.org, Env Sender: , Env Recipient:
Combination in Database – Message Accepted
Who uses it
University of Bergen – the Norwegian university of Bergen is using greylisting on their mail server.
Texas A&M University – This Texas university is using greylisting:
Leibniz Rechen Zentrum – LRZ is a major German internet hub for academic institutions in southern Germany. They started using greylisting as a method of limiting spam a couple of months ago:
APNIC (Asia Pacific Network Information Centre) – This organisation, one of the five major internet registries of the world, is also using greylisting:
RWTH – RWTH is a large German University. They have a page on their greylisting (German) here:
How It Works
Records a triplet consisting of remote server IP address, envelope sender, and envelope recipient.
If that triplet hasn’t been seen before, enter it in the database and reject the message with a temporary failure code.
If the triplet has been seen more than 5 minutes before, and less than the expire time for entries, accept the message.
Possible Fallout
Some people will see a delay getting mail from someone new. This will be between 5 minutes and however long the remote server takes to retry delivery; generally not more than 1 hour.
A few sites won’t retry. They are broken, but still need to be dealt with.
Solutions
Most greylist packages provide downloadable whitelists of known broken/good servers.
Local whitelists are maintainable.
The greylisting package we are looking at has Automatic Whitelists.
We can maintain an ‘opt-out’ list, for people who prefer to get more spam.
Our recommended Implementation
Use SQLgrey for Postfix.
Uses MySQL for storage of greylist triplets, auto-whitelist tables, and opt-out lists.
Initial greylist retry wait time is 5 minutes.
Message must be resent within 24 hours or a new 5 minute wait will be instituted.
After 2 successful messages from a Server/Sender Domain pair, that pair is added to the Auto-Whitelist.
Auto-whitelist entries expire after 60 days without mail from that server/sender domain.
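The triplet rule from “How It Works” and the SQLgrey-style auto-whitelist, retry window and opt-out list from the recommended implementation, as an added example (not code from the meeting slides or from SQLgrey itself). The answer strings follow the Postfix policy-daemon convention; the remote IP and addresses used in the test are constructed.

```python
# Added example (not from the meeting slides or SQLgrey itself): the greylisting
# decision rule plus a SQLgrey-style auto-whitelist and opt-out list.
# Times are integer seconds so the logic can be exercised without a clock.
RETRY_WAIT = 5 * 60             # temporary reject until the first try is this old
RETRY_WINDOW = 24 * 60 * 60     # retry must come within 24 h or a new wait starts
AWL_AFTER = 2                   # accepted messages before a server/domain pair is whitelisted
AWL_EXPIRE = 60 * 24 * 60 * 60  # auto-whitelist entry expires after 60 days of silence

DEFER = "DEFER_IF_PERMIT"       # Postfix policy answer: temporary failure (4xx)
ACCEPT = "DUNNO"                # let the remaining Postfix restrictions decide


class Greylist:
    def __init__(self):
        self.triplets = {}      # (ip, sender, recipient) -> time first seen
        self.awl = {}           # (ip, sender domain) -> (accepted count, last seen)
        self.optout = set()     # recipients who asked to bypass greylisting

    def check(self, ip, sender, recipient, now):
        """Decide one SMTP delivery attempt; returns DEFER or ACCEPT."""
        sender, recipient = sender.lower(), recipient.lower()
        if recipient in self.optout:
            return ACCEPT
        pair = (ip, sender.rsplit("@", 1)[-1])
        count, last = self.awl.get(pair, (0, None))
        if last is not None and now - last > AWL_EXPIRE:
            count = 0                           # stale entry: start counting again
        if count >= AWL_AFTER:
            self.awl[pair] = (count + 1, now)   # whitelisted pair: no triplet check
            return ACCEPT
        triplet = (ip, sender, recipient)
        first = self.triplets.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.triplets[triplet] = now        # unseen or expired: record and defer
            return DEFER
        if now - first < RETRY_WAIT:
            return DEFER                        # retried too early, keep waiting
        self.awl[pair] = (count + 1, now)       # a success counts toward the AWL
        return ACCEPT
```

A spam bot that never retries only ever sees DEFER, while a real MTA that retries after the 5 minute wait is accepted, and by its third sender from the same domain it skips the triplet check entirely.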
Rollout Timeline
Upgrade Hepa machines’ version of Postfix and install local MySQL server: 1 day (Done)
Install sqlgrey Greylisting service.
Configure Postfix to warn only (in the mail logs) to prebuild databases: days
Monitor logs for legitimate mail that isn’t getting through: Ongoing
Turn greylisting on “for real”.
Hepa machines currently have enough capacity to upgrade/install one while the other handles all incoming mail, so no downtime is required.
Licensing/Training
License Updates – VMWare vs Virtual PC
VMWare Workstation v5 License:
Electronic Download Distribution – $189
Packaged Distribution – $199
Upgrade – $99 (Requires serial number)
Virtual PC:
Year 1 – $
Year 2 – $90.55
Year 3 – $72.24
Note: We have not been able to get this to work with SLF!
License Updates
Added to Vista Beta!
Caveat: Not approved for FERMI Domain. May need its own baseline!
EA Training
Expires in Oct! Consolidate single days?
pcmanagers/licensing/training/ (password required)
Division/Section – Days of Training:
ACC 16
BSS 5
CD 22
CDF 1
D0 0
DIR 1
LSS 1
ESH 1
FESS 4
PPD 4
TD 5
Security Updates
February Patches
MANDATORY Patches: None at this time. Due Date: None at this time
RECOMMENDED Patches: Due Date:
The following is a link to the February Microsoft list of critical and important patches.
SMS Information available at:
If you need the patches, you can also obtain them from \\pseekits\fermi-rollup
Cool Tool of The Month
Paint.Net (thanks to Don Poll!) FREE!!!
Image and photo manipulation software designed to be used on computers that run Windows 2000, XP, Vista, or Server
Much like PaintShop Pro
Requires .NET Framework
Cool Tool of The Month (cont)
DOE Microsoft Tech Day
Where: Argonne
When: April 11th
Time: ???
The purpose of this day would be to go over (at a very technical level) new products and futures coming from Microsoft (Vista, SQL, Exchange, etc).
Attendance list required… (to follow)
Main Topic: OS & Application Baselines – What’s It All About? – Jack Schmidt
What’s A Baseline?
A baseline is a document or set of documents that outlines the minimum security requirements for an application, network device or OS to be allowed on the FNAL Network.
The Office of Management and Budget tells DOE. They tell us!
Existing Baselines – OS Baselines
OSX Desktop
Scientific Linux Fermi
Sun Solaris 9
Windows 2000 & XP
Windows 2000 & 2003 Server
Existing Baselines – Application Baselines
Anti-virus (draft form)
Oracle
PostgreSQL
Network Baseline:
Cisco Firewall
Cisco Router
Baselines We Still Need
OS:
FreeBSD
Generic OS
OSX Server
Application:
Generic Web Server (covers Apache and IIS)
Generic Web Application
Samba
Baseline Basics
Baselines are built on NIST and CIS Benchmark documents and checklists.
Tools are coming to help check systems!
Baseline Questions
Does my desktop/server meet the baseline? Fermi domain systems, Fermi Windows built systems and SLF built systems do.
I can’t meet the baseline requirements! Talk with your GCSC.
I can’t find my OS/App listed! Check with your GCSC. In most cases, following the generic baseline will work.
Baseline Questions
Who writes them? You do!
Who approves them? FCSC
What Apps need a baseline? Defined by DOE
Do Application baselines include OS requirements? No!
App Baseline + OS Baseline = Approved Design
App Baseline + NO OS Baseline ≠ Approved Design
Main Topic: Least-Privileged User Account – More ways and tools to run as LUA. Ken Fidler – CSS-CSI (WST)
LUA – Run IE/ tools Safely
Running with ‘local admin’ privilege is dangerous!
Special-case users require admin privileges.
How do you get the best of both worlds?
LUA – Run Network browser/ tools Safer
For limited protection, restrict key internet-facing applications to run as non-admin.
XP and Server 2003 add a new Software Restriction Policy (SAFER).
Allows running applications as non-admin by stripping out certain SIDs and privileges from the application's token.
How do you know you are running apps as non-admin?
Look at the token associated with the process.
Process Explorer from Sysinternals – Good FREE replacement for Task Manager
PrivBar – Free tool that displays the user level that IE or Explorer is running at
IE – Run as ‘Normal User’
IE running as ‘local admin’
LUA - PrivBar
LUA – DropMyRights.exe
Free tool from Microsoft
Similar to the ‘runas’ tool
dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"
Can be used on all sorts of applications (mail clients like Outlook/Outlook Express, browsers like IE and Firefox, and instant messaging clients)
LUA – DropMyRights Install
LUA – DropMyRights DEMO
LUA – DropMyRights – Pros and Cons
Pros – Simple to use and set up (MSI package)
Cons – Some Web sites that spawn a new browser window might not start it up at the reduced privilege
Cons – The user can still easily run the program at the privileged level
LUA – SAFER
New Software Restriction Policy (SAFER) – XP and 2003 only
Software restriction policies allow you to control the ability of software to run on your local computer.
By default, only 2 levels exist (Disallowed and Unrestricted). A simple change allows adding new levels.
LUA – SAFER Policy
There are in fact three other SAFER security levels beyond Disallowed and Unrestricted:
Normal User (also named Basic User)
Constrained (also named Restricted)
Untrusted
Basic User is what we want to use. The others are too restrictive and break many apps.
LUA – SAFER Policy
Simple Registry tweak to expose the levels: Add a DWORD value named Levels set to 0x20000 to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
LUA – GPOs to run apps safely
LUA - GPOs
LUA – SAFER DEMO
LUA – SAFER (Limitations)
Cannot run Windows Update (known issue Microsoft plans to fix, and there is a way around this….)
User could copy the application to an alternate path and run the application as ‘administrator’
LUA – Other Possibilities
Create a GPO in your OU to deploy LUA.
Protect against known malware: add the path/name of the program to the SAFER policy (additional rules) and set the ‘Security Level’ to Disallowed.
Prep software on machines – but keep users from running it until you want them to.
LUA - Summary DropMyRights or Using SAFER based policies is no replacement for running as a non-admin, but still much better than giving the loaded gun of full local admin privilege to your users!
LUA and VISTA – Standard User Privileges
View system clock and calendar
Change time zone
Change display settings
Change power management settings
Install fonts
Add printers and other devices that have the required drivers installed
Download and install updates using a User Account Control compatible installer
LUA and VISTA (cont’d)
Admin Approval Mode: Right Privilege at the Right Time – Allow admins to run apps as basic user
Over-the-Shoulder (OTS) Credentials – Prompt user when Admin Privs needed
File System and Registry Virtualization – Create a copy in user profile area
LUA – More Info
DropMyRights and PrivBar
SAFER
BLOG on LUA
Process Explorer
\\PSEEKITS\DesktopTools\Utilities\LUA