FNAL System Patching Design Jack Schmidt, Al Lilianstrom, Andy Romero, Troy Dawson, Connie Sieh (Fermi National Accelerator Laboratory) Introduction FNAL.

Slides:



Advertisements
Similar presentations
Auditing Microsoft Active Directory
Advertisements

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.
A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
1 Secure Your Business PATCH MANAGEMENT STRATEGY.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.
Group Policy in Microsoft Windows Active Directory.
IT:Network:Microsoft Applications
SUS Services ECE Computer Facilities. SUS Services Software Update Services Microsoft Security And Critical Update Service Microsoft Security And Critical.
16.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 16: Examining Software Update.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.
Deploying and Managing Software by Using Group Policy.
Desktop Security: Worms and Viruses Brian Arkills, C&C NDC-Sysmgt.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
9.1 © 2004 Pearson Education, Inc. Lesson 9: Implementing Group Policy in Windows 2000 Server Exam Microsoft® Windows® 2000 Directory Services Infrastructure.
FNAL Configuration Management Jack Schmidt Cyber Security Workshop May th 2006.
1 SAMBA. 2 Module - SAMBA ♦ Overview The presence of diverse machines in the network environment is natural. So their interoperability is critical. This.
SOE and Application Delivery Gwenael Moreau, Abbotsleigh.
9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Module 1: Installing Windows XP Professional. Overview Manually Installing Windows XP Professional Automating a Windows XP Professional Installation Using.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Module 7: Configuring TCP/IP Addressing and Name Resolution.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
IT:Network:Microsoft Server 2 Chapter 27 WINDOWS SERVER UPDATE SERVICES.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 12: Deploying and Managing Software with Group Policy.
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.
Hands-On Microsoft Windows Server 2003 Administration Chapter 2 Managing Windows Server 2003 Hardware and Software.
Module 10: Configuring Windows XP Professional to Operate in Microsoft Networks.
Module 13: Maintaining Software by Using Windows Server Update Services.
Implementing Update Management
Patch Management Only part of the solution….. Bob Isaak Mar 04, 2004.
Module 14: Configuring Server Security Compliance
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
PC MANAGER MEETING January 23, Agenda  Next Meeting  Training  Windows Policy  Main Topic: Windows AV Service Review.
Module 6: Implementing Group Policy. Overview Implementing Group Policy Objects Implementing GPOs in a Domain Managing the Deployment of Group Policy.
1 Chapter Overview Publishing Resources in Active Directory Service Redirecting Folders Using Group Policies Deploying Applications Using Group Policies.
11 SUPPORTING APPLICATIONS IN WINDOWS XP PROFESSIONAL Chapter 9.
Implementing Group Policy. Overview What is Group Policy Introduction to Group Policy Group Policy Structure How Group Policy Settings Are Applied in.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Module 6: Designing Security for Network Hosts
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Jonathan Loving Fermi Lab Computing Division
Module 6: Deploying and Managing Software by Using Group Policy.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
THIS PRESENTATION: WINDOWS UPDATES VIA AUTOMATIC DEPLOYMENT RULES BEST PRACTICES SYSTEM CENTER CONFIGURATION MANAGER 2012 R2 Jodie Gaver Jodie Gaver Working.
Deploying Software with Group Policy Chapter Twelve.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
NetTech Solutions Protecting the Computer Lesson 10.
WebCCTV 1 Contents Introduction Getting Started Connecting the WebCCTV NVR to a local network Connecting the WebCCTV NVR to the Internet Restoring the.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
R. Krempaska, October, 2013 Wir schaffen Wissen – heute für morgen Controls Security at PSI Current Status R. Krempaska, A. Bertrand, C. Higgs, R. Kapeller,
Internet Explorer 7 Updated Advice for the NHS 04 February 2008 Version 1.3.
PC Manager Meeting May 25, Today Updates Next Meeting Security Meeting Maker Update This Month: What SMS Can Do For You – Cele Bruce.
Module 8: Implementing Group Policy. Overview Multimedia: Introduction to Group Policy Implementing Group Policy Objects Implementing GPOs on a Domain.
Scientific Linux Inventory Project (SLIP) Troy Dawson Connie Sieh.
Scientific Linux Connie Sieh CSAM Meeting May 2, 2006.
11 DEPLOYING AN UPDATE MANAGEMENT INFRASTRUCTURE Chapter 6.
Al Lilianstrom CD/LSC/SOS/ESG  Blocked?  Operating Systems  Baselines  Detection  TiSSUE  Compliance  Windows  OS/X  Questions.
Lesson 19: Configuring and Managing Updates
Self-service enrollment for Windows desktops
MCSA VCE
Module 8: Implementing Group Policy
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

FNAL System Patching Design Jack Schmidt, Al Lilianstrom, Andy Romero, Troy Dawson, Connie Sieh (Fermi National Accelerator Laboratory) Introduction FNAL has over 5000 PCs running either Linux or Windows software. Protecting these systems efficiently against the latest vulnerabilities that arise has prompted FNAL to take a more central approach to patching systems. Due to different levels of existing support infrastructures, the patching solution for linux systems differs from that of windows systems. In either case, systems are checked for vulnerabilities by Computer Security using the Nessus tool. Patching Solution Design Based on the working group study, a two-tiered system for patch deployment; Local Tier and Lab-wide Tier. Computer Security along with the Windows Policy Committee define patches that are required by windows systems present on the Fermilab network. Patch deployment is based on level of criticality, existing infrastructure prevention (ie site NetBIOS blocks, VPN usage, etc) and threat assessment. Patch Approval Process When a critical patch is released to address a security flaw, Computer Security with the advice of the Windows Policy Committee decides whether or not the patch will be declared to be mandatory. Patches that address flaws which allow remotely initiated compromises will almost always be declared to be mandatory. Patches are initially tested by the Computing Division to verify basic compatibility. Once a patch is approved for deployment two things happen, (1) local administrators must deploy the patch using their Local Tier systems and (2) Computer Security will specify a date, on which deployment from the Labwide Tier will be enabled. Note: At any time during the testing, local system administrators can choose to deploy the patch to their systems using their Local Tier. Local Tier Each division and section at Fermilab configures their systems (software and hardware) in order to meet their specific requirements. Because system configurations are not uniform, patching requirements are not uniform. Each major local support group manages their part of the Local Tier of the patch deployment system. Local Tier Implementation Local support groups can implement and maintain their own Local Tier system. If local support groups decide to do this, they can use any product or combination of products; the only requirements are: the system must work, the system must not violate Computer Security Policy and the system must not be disruptive. Local support groups also have the option of using the Site Local Tier server provided by the Computing Division. Labwide Tier Patches deemed mandatory, require a redundant level of patch protection. For this reason a lab-wide patch deployment system was implemented. The Lab-wide Tier is centrally managed by the Computing Division with oversight provided by Fermilab Computer Security. The Labwide Tier automatically deploys mandatory patches to those systems which were missed by the Local Tier at the end of the deployment lifecycle. Lab-wide Tier Implementation The Labwide Tier uses Microsoft Software Update Services (SUS). The Fermilab implementation of Microsoft SUS has two main components: a single SUS Update Server and the Automatic Update Service. The SUS Update Server is a Windows 2000 server running IIS and Update Server software from Microsoft. The Automatic Update Service runs on Windows 2003, Windows 2000 and Windows XP client computers. The Automatic Update service on client computers in the FERMI domain are configured using a domain level group policy object (GPO). The domain level SUS GPO will automatically set several client parameters; one of the parameters points client systems to the Fermilab SUS Update Server. Sometime after a client system is configured by the domain level SUS GPO, the set of patches installed on the client will be compared with the set of mandatory patches; any missing mandatory patches will be deployed to the client. Note that, non FERMI domain systems can be manually configured to point to the Fermilab SUS Update Server. Critical Patch Exemptions It is possible that patch testing will show that there is a conflict between a mandatory patch and the operation of a system which provides an important service (for example: payroll, beam control). For each conflicting patch, the administrator of such a system requests an exemption with Computer security. Patch released by vendor Initial testing of patch Patch critical or mandatory? Local tier patching of systems Global tier patching of systems Computer Security scans for vulnerability Windows Patching Cycle Windows Patching Overview Until fall of 2003, Fermilab Windows administrators used a variety of methods to apply software patches to address security flaws. Many of these methods were slow, unreliable and labor intensive. Due to the recent onslaught of vulnerabilities, the CSExec asked the Windows Policy Committee to design a patching solution that provides critical updates to systems in a timely manner. The solution had to make use of the existing Active Directory structure but also be available for non-domain systems. The working group met and reviewed existing patching methods across the lab, identifying positive and negative issues with each solution.

FNAL System Patching Design Jack Schmidt, Al Lilianstrom, Andy Romero, Troy Dawson, Connie Sieh (Fermi National Accelerator Laboratory) Linux Patching Overview 1999 Gave users optional use of auto patching via autorpm. Next release it was installed by default Kerberized linux is required to use the FNAL network. Increase in users of Fermi Linux! 2002 Switched from autorpm to YUM. YUM (Yellowdog Update Manager) is an automatic updater and package installer/remover for linux systems Scientific Linux released. Site customizations built on Scientific Linux are automatically patched. FNAL currently provides security errata for 7.3.x, LTS 3.0.x, SL 3.0.x Patch Rollout Steps Vendor releases security updates. Patches are reviewed by the Linux Support team and tested on basic systems. Reviewed and tested updates are moved to the “YUM” distribution server security update area. Each night YUM checks to see if there are new security updates that are needed to be installed. The Fermi Linux Support team will make announcements via the linux-users mailing list about the availability of a security update. Users are given 1 day notice before the update is moved to the “YUM” server. Security update released by vendor Initial testing of update Users given 1 day notice Updates moved to site YUM server Fermi Linux systems nightly query YUM server for updates Linux Patching Cycle

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.