FNAL Configuration Management Jack Schmidt Cyber Security Workshop May 23-24 th 2006.

Slides:

Advertisements

Similar presentations

Auditing Microsoft Active Directory

Advertisements

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

WSUS Presented by: Nada Abdullah Ahmed.

A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:

Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Trend Micro Round Table May 19, Agenda Introduction – why switch? Timeline for implementation Related policies Trend Micro product descriptions.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

Managing a Windows Server 2003 Environment - SMS and MOM Michael Kleef IT Pro Evangelist Microsoft Pty Ltd

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

A Tour of System Center Configuration Manager Adam Duffy Edina Public Schools.

Wally Mead Senior Program Manager Microsoft Corporation Session Code: MGT303.

OIT's Unity Labs Active Directory Windows Environment.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.

Group Policy in Microsoft Windows Active Directory.

IT:Network:Microsoft Applications

SUS Services ECE Computer Facilities. SUS Services Software Update Services Microsoft Security And Critical Update Service Microsoft Security And Critical.

TechNet Build’06 “The Secure Well Managed Infrastructure Tour”

16.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 16: Examining Software Update.

SYSTEM CENTER: ENDPOINT PROTECTION FUNDAMENTALS Howard A. Carter III Senior Consultant Microsoft Consulting Services September 21, 2013 TechGate 2013 –

PC Manager Meeting January 25, Today Updates –Next Meeting –Meeting Maker Upgrade –Windows Policy –Training –Licensing –Security –Tool Of The Month.

Microsoft ® Official Course Module 9 Configuring Applications.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Introduction to Active Directory December 10th, pm Daniels 407.

9.1 © 2004 Pearson Education, Inc. Lesson 9: Implementing Group Policy in Windows 2000 Server Exam Microsoft® Windows® 2000 Directory Services Infrastructure.

SOE and Application Delivery Gwenael Moreau, Abbotsleigh.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 3: Introducing Active Directory.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

IT:Network:Microsoft Server 2 Chapter 27 WINDOWS SERVER UPDATE SERVICES.

Randy Diddel A+ Certified Technician Apple Certified Associate-Mac Integration OS X ITIL Foundations v3 Mac Team Technical Support Analyst II UNM IT Workstation.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Kaseya Fundamentals Workshop Developed by Kaseya University Powered by IT Scholars Kaseya Version 6.5 Last updated March, 2014 DAY FOUR.

LO2 Understand the key components used in networking

Tim Vander Kooi Systems

W2k Security At FNAL Jack Schmidt FNAL W2K Migration Working Group Chair April 16.

Patch Management Only part of the solution….. Bob Isaak Mar 04, 2004.

September 29, 2009Computer Security Awareness Day1 Fermilab.

October, Scientific Linux INFN/Trieste B.Gobbo – Compass R.Gomezel - T.Macorini - L.Strizzolo INFN - Trieste.

Module 15: Manage the Windows ® Small Business Server 2008 Environment Using Group Policy.

FNAL System Patching Design Jack Schmidt, Al Lilianstrom, Andy Romero, Troy Dawson, Connie Sieh (Fermi National Accelerator Laboratory) Introduction FNAL.

SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.

PC MANAGER MEETING January 23, Agenda  Next Meeting  Training  Windows Policy  Main Topic: Windows AV Service Review.

Desktop computer security policies Applies to ALL computers connecting to the PathStone network irrespective of device ownership.

11.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 11: Planning.

Active Directory Harikrishnan V G 18 March Presentation titlePage 2 Agenda ► Introduction – Active Directory ► Directory Service ► Benefits of Active.

Implementing Group Policy. Overview What is Group Policy Introduction to Group Policy Group Policy Structure How Group Policy Settings Are Applied in.

Maintaining and Updating Windows Server Monitoring Windows Server It is important to monitor your Server system to make sure it is running smoothly.

Jonathan Loving Fermi Lab Computing Division

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Deploying Software with Group Policy Chapter Twelve.

Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.

Reducing server sprawl and IT power/cooling costs Moving from reactive to proactive state Quickly troubleshooting PC and laptop issues Deploying new.

Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.

Unix Users Meeting June 28 th,2006. CD/CSS/CSI Fermi National Accelerator Lab Training Update Upcoming Classes: –Verilog Introduction, August 7 & 8, 2006.

12/3/98 Stanford Linear Accelerator Center Patrick R. Hancox

GROUP POLICY. Group Policy is a hierarchical infrastructure which allows systems administrators to configure computer and user settings from a central.

Mac Fermilab Name: Ben Segbawu Fermi National Accelerator Laboratory Computer Services Specialist May

PC Manager Meeting May 25, Today Updates Next Meeting Security Meeting Maker Update This Month: What SMS Can Do For You – Cele Bruce.

Module 8: Implementing Group Policy. Overview Multimedia: Introduction to Group Policy Implementing Group Policy Objects Implementing GPOs on a Domain.

Scientific Linux Inventory Project (SLIP) Troy Dawson Connie Sieh.

PC Manager Meeting February 23, Today Updates Next Meeting Windows Policy Security This Month: Lessons Learned: Building the Symantec Patch (Andy.

CompTIA Server+ Certification (Exam SK0-004)

NTC 324 RANK Education Your Life - ntc324rank.com.

NTC 324 RANK Perfect Education/ ntc324rank.com.

NTC 324 RANK Education for Service-- ntc324rank.com.

IS3440 Linux Security Unit 8 Software Management

Presentation transcript:

FNAL Configuration Management Jack Schmidt Cyber Security Workshop May th 2006

CD/CSS/CSI Fermi National Accelerator Lab Configuration Management Antivirus services for Windows, Linux, Macintosh Patching services for Windows, Linux, Macintosh

CD/CSS/CSI Fermi National Accelerator Lab AV AV Policy –All Systems that offer windows services must run AV (Samba servers, shares) –All Windows desktops and servers must run anti virus AV Baseline –Defines AV service as a NIST Major Application –Provides service settings for clients (workstations/servers) and AV servers

CD/CSS/CSI Fermi National Accelerator Lab Windows AV Central Windows AV Service –Uses Symantec Enterprise (only AV, no firewall) –Built on cluster for failover* –AV Server contacts Symantec every 15 minutes for updates –Clients contact FNAL server every 30 minutes –Clients contact Symantec daily* –Clients available for all windows systems on the FNAL network (DOE/University owned) except home- owned systems. –Service managed by Domain Administrators

CD/CSS/CSI Fermi National Accelerator Lab Linux AV Linux AV Service –No central service at this time* –Scientific Linux Fermi (SLF) distributed with ClamAV RPM –Samba servers required to run centrally supported AV software (ClamAv or Symantec)

CD/CSS/CSI Fermi National Accelerator Lab Macintosh AV Macintosh AV Service –Working with Symantec on using Windows central service. –Currently distribute client with no configuration settings* –Samba servers required to run centrally supported AV software (ClamAv or Symantec)

CD/CSS/CSI Fermi National Accelerator Lab Windows Patching Windows Patching Service –Designed by Windows Policy Committee –Patches reviewed and rated –Three Tier Solution: Local Method Site SMS Service* Site WSUS Service –Site SMS & WSUS service managed by Domain Admins

CD/CSS/CSI Fermi National Accelerator Lab Windows Patching Microsoft Patch Flow –Domain Administrators examine patches on patch Tuesday. –Review patches with Computer Security Team (CST) –Patches rated/required date set: FNAL Mandatory. Required for system to be on network FNAL Recommended

CD/CSS/CSI Fermi National Accelerator Lab To: Subject: May, 2006 Microsoft Patches MANDATORY Patches: Due Date: None at this time RECOMMENDED Patches: Due Date: The following is a link to the May, 2006 Microsoft list of critical and important patches. Except for any patches that have been deemed Mandatory by CST, these patches should be applied within one month at your earliest convenience using patch deployment tools. If you are a subscriber to the central lab SMS facility, additional information can be found at An announcement to all SMS OU administrators will be sent out once a SMS package is available. If you need the patches, you can also obtain them from \\#####\fermi-rollup. Please note: The above patches have been flagged as either important or critical from Microsoft and should be installed on Windows systems at your earliest convenience. Some or all of the above may become mandated by CST and could become mandatory to allow your system to be on the Fermilab campus network. -- The Windows Domain Admins

CD/CSS/CSI Fermi National Accelerator Lab Windows Patching Microsoft Patch Flow (cont): –Domain Admins build SMS packages –Workstation/Server Admins distribute to systems by given date CST may require central rollout of patch by Domain Admins –WSUS applies mandatory patch to systems after due date Active Directory GPO points domain systems at our WSUS instead of Microsoft Update.

CD/CSS/CSI Fermi National Accelerator Lab Windows Patching Other Windows Patches –Notification via CIAC or vendor. Windows Policy Committee monitors lists. –Domain Admins meet with CST. Review importance of patch. –Patch rated/required date set –SMS package made available to Workstation/Server Admins for distribution

CD/CSS/CSI Fermi National Accelerator Lab Windows Patching Patch Tracking: –SMS queries used to track patch rollout no matter method used. How Are We Doing? – Much better than visiting each system! – Delegated patch distribution a mixed bag: dependant on skill set of local admins. –Pushing for central rollout of all patches.

CD/CSS/CSI Fermi National Accelerator Lab Linux Patching Linux Patching Service –Designed by Our Linux Gurus –Errata review process –Service managed by SLF* Experts –FNAL uses YUM to distribute errata. SLF comes with YUM preconfigured for FNAL servers. *SL Scientific Linux ( SLF Scientific Linux Fermi

CD/CSS/CSI Fermi National Accelerator Lab Linux Patching SL(F) Errata Flow –Errata examined by SL(F) maintainers –Review errata with Computer Security Team (CST) –Errata rated/required date set. –Errata built by SL maintainers and released to SL community for testing. –After SL testing/feedback, errata moved to SLF servers and distributed.

CD/CSS/CSI Fermi National Accelerator Lab Linux Patching Linux Errata Flow(cont): –Clients check for errata from distribution servers nightly. –Clients check for mandatory errata hourly*

CD/CSS/CSI Fermi National Accelerator Lab Linux Patching Errata Tracking: –Building inventory system based on OCSInventory NG How Are We Doing? –Central patching via YUM has been in use for years. Works well. – Local Admins have the ability to disable YUM updates. –SL Caveat. Must build errata from source, can’t use commercial patching solutions

CD/CSS/CSI Fermi National Accelerator Lab Macintosh Patching Mac users must patch their own systems No defined patch identification policy Testing Central patching solutions –SMS add-ons (Vintella/Quest) –Apple Workgroup Server

CD/CSS/CSI Fermi National Accelerator Lab Questions?