How Johns Hopkins Achieves Security and Operational Efficiencies Using a Common Windows Operating System Deployment
John Taylor, Deputy CISO
Martin Myers, IT Architect
October 7, 2019
About IT@JH
- Administrators of SMS/SCCM since 1996
- Central Active Directory (started 2002)
- Central IT (IT@JH) with 40 other IT groups using common SCCM
- Core Enterprise SCCM roles: SCCM Central Packager, SCCM Infrastructure Engineer, ECI Engineer, IT Architect (in our Enterprise Management, Monitoring, and Security (EMMS) team)
- Delegated OU/SCCM collections, centralized SCCM packages and inventory
- Use SharePoint to provide documentation and blog posts about SCCM
Enterprise Client Image (ECI) Initiative
- Provide a common Windows client image as an Enterprise Service
- Started initiative in Fall of 2013
- Must integrate with SCCM
- Must provide customizations for IT groups
- Provide common solutions to update existing client software
- 48,584 systems running ECI today
- Customizations were required
Dependencies (diagram: each of the following feeds into ECI)
- Networking
- Storage/Virtualization
- Policy & Standardization
- IT Group Participation
Achieving Departmental/Schools Buy-In
- Meet with management of each IT group
- Started with IT management only on ECI Committee
- Committee meetings initially every two weeks (had many debates)
- Meetings became technical only
ECI Roles and Responsibilities – EMMS
- Create and maintain common base client image
- Document client image feature set
- Document process for deploying image (USB and over the wire)
- Document packages available for deployment to all existing deployed ECI systems
- Create templates for documenting Task Sequences
- Quarterly update for each OS version
- Maintain change log for all ECI changes
ECI Roles and Responsibilities – ECI Customers
- Regular attendance at meetings
- Define Operating System version(s) requirements
- Define core application/feature set
- Define policy for types of updates included in the client image
- Use SharePoint site for client image documentation and meeting minutes
- Create and document all Task Sequences not provided by the common image
- Test enterprise client image as updates are released
- Deploy quarterly image updates to client systems via SCCM
Enterprise OSD
- Imaging scenarios: Bare-Metal, Refresh, Replace
- Deployment options: PXE, Lite-Touch, Zero-Touch
- Distributed task sequence templates
- Each IT group configures their own task sequences from the template
- No universal domain join account or admin group
December 14, 2019
Technical Challenges
- Hardware standardization and drivers: scaled back RBAC for Driver Packages; worked with Hardware Standards Committee; worked with VAR for imaging client hardware
- Infrastructure: file storage; network bandwidth
- IT Group learning curve
- Scaling out the SCCM infrastructure: Distribution Points; State Migration Points
- Import Computer process using SCORCH
Enterprise Operating Systems (all editions: Enterprise)
Windows 7: Dec 2013 – Nov 2018
Windows 8.1: Aug 2014 – Feb 2016
Windows 10 1511: Feb 2016 – May 2016
Windows 10 1607: Nov 2016 – Jun 2017
Windows 10 1703: Jun 2017 – Apr 2018
Windows 10 1709: Jun 2018 – Oct 2018
Windows 10 1803: Aug 2018 – Apr 2019
Windows 10 1809: Mar 2019 – Jan 2020
(Shown on the slide as a timeline with a 2014–2020 axis.)
Core Applications
- Microsoft Office (started with Office 2010, Office 2013 in 2014, currently Office 2016)
- Citrix Receiver
- Adobe Reader, Shockwave, and Flash Player
- Google Chrome Enterprise
- .NET Framework
- Microsoft BitLocker Administration and Monitoring (MBAM)
- Imprivata (ESSO)
- Pulse Secure VPN
- Latest Java (JRE) client (eliminated in Fall 2018)
- Windows Management Framework
- OS Security Updates
Windows 10 ECI Update Strategy
- Initially, quarterly updates (every 3 months); each ECI release supported for 1 year
- Later, moved to tri-annual updates (every 4 months)
- Microsoft announced 30 months of support for Windows 10 Enterprise build versions; 4 total releases for each Windows 10 version
- With Windows 10 1607, added a supported upgrade Task Sequence for Windows 10 upgrades
Upgrade Task Sequences
- Supported for all systems using ECI
- Tested by EMMS and ECI customers
- Not supported for non-Enterprise editions
- Standardizes solution for OS upgrades across JH
- Released with each new Windows 10 ECI
- Can be deployed as available or required: customers can update early (available); long-term, communicated deadline (required)
Security Efforts Supported
- Removal of SMBv1 (Oct. 2016)
- Ensure Windows Auditing meets standard (if no GPO)
- Laptop and desktop encryption compliance
- Local Admin Password Solution (LAPS)
- EMET (Windows 7)
- Defender ATP
- Windows EOL compliance
- Increased awareness of application security issues across JH
Workstation Health Dashboard
- Measures security and operational compliance: SCCM/ECI compliance; OS version compliance; security updates and reboot length; LAPS, Defender ATP, and encryption status; NAC; Chrome, Citrix Receiver, Office versions, Imprivata, Adobe Reader
- IT management, audits and IT staff subscribe to dashboard
- SCCM Root Collection based
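As an added illustration (not a script from the presentation or from IT@JH), the following PowerShell probe gathers, read-only and locally, several of the measures the two preceding slides list: SMBv1 removal, audit policy coverage, OS build version, reboot age, BitLocker status, LAPS presence and Defender ATP sensor state. The function name, property names and the 14-day reboot threshold are my own choices, not JH policy; the registry paths, cmdlets and the "Sense" service name are the standard Windows 10 / legacy LAPS ones. Output like this is what an SCCM Configuration Baseline or custom hardware-inventory class would feed into a dashboard of the kind described.

```powershell
# Added example, not from the JH deck: read-only workstation compliance probe.
# Run elevated on a Windows 10 Enterprise client. Thresholds are constructed.

function Get-WorkstationHealth {
    [CmdletBinding()]
    param(
        [int]$MaxUptimeDays = 14   # constructed placeholder for "reboot length" policy
    )

    $result = [ordered]@{}

    # OS version: ReleaseId is the Windows 10 build version (1607, 1803, ...);
    # EditionID should read "Enterprise" on an ECI system.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $result.OSReleaseId = $cv.ReleaseId
    $result.OSEdition   = $cv.EditionID

    # SMBv1: both the server-side setting and the optional feature should be off.
    $smb  = Get-SmbServerConfiguration
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $result.SMBv1Disabled = (-not $smb.EnableSMB1Protocol) -and ($feat.State -ne 'Enabled')

    # Reboot age: security updates only take effect after the reboot happens.
    $os     = Get-CimInstance Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    $result.UptimeDays         = [math]::Round($uptime.TotalDays, 1)
    $result.RebootWithinPolicy = $uptime.TotalDays -le $MaxUptimeDays
    $result.RebootPending      = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # Encryption compliance: BitLocker protection on the OS volume.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.OSDriveEncrypted = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')

    # LAPS (legacy AdmPwd): client-side extension installed and policy enabled.
    $lapsDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $lapsPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $result.LAPSInstalled = Test-Path $lapsDll
    $result.LAPSEnabled   = ($null -ne $lapsPol) -and ($lapsPol.AdmPwdEnabled -eq 1)

    # Defender ATP: the endpoint sensor runs as the "Sense" service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.DefenderATPRunning = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    # Auditing: count subcategories with no auditing configured at all, which is
    # the gap the deck's "if no GPO" check is meant to catch.
    $audit = auditpol /get /category:* /r | ConvertFrom-Csv
    $result.AuditSubcategoriesUnset = @($audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }).Count

    [pscustomobject]$result
}

Get-WorkstationHealth | Format-List
```

Each property is a simple boolean or count so that a Configuration Item can evaluate it directly; the script changes nothing on the host, which keeps it safe to run from a collection-wide baseline on the SCCM root collection.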
Unexpected Benefits
- Created a forum for Windows client issue discussions
- A regular discussion with SCCM Admins across JH
- Increased SCCM Admin proficiencies
- Centralized application compatibility issues
- Familiar platform for customers/IT staff who move between departments
Enterprise Management, Monitoring, and Security
Information Technology @ Johns Hopkins