Windows Terminal Server & Citrix MetaFrame


Stanford Linear Accelerator Center NT Support Group
www.slac.stanford.edu/comp/winnt
Gregg Daly gdaly@slac.stanford.edu
Supported by U.S. D.O.E. contract DE-AC03-76SF00515

General Information
Stanford University operated, U.S. D.O.E. funded unclassified research center
Heterogeneous computing environment supporting high-energy physics research
3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems
Exponential growth at the facility
- Research center: no weapons research; nearly all information is published on our 1/2 million web pages or in academic papers
- Computing environment: some 13 OSes (BeOS to Mac OS to NT to Solaris), from Mac IIci's and WinTel servers to a 64-CPU Sun E10000
- Growth: just one experiment will produce 3 PB of data over 5 years

Responding to the '98 Security Incident
Hackers compromised 25 systems and 50 user accounts
Perform data & service analysis on areas of the network
Decision to safeguard critical HR and Financial data on PeopleSoft and Oracle
Safeguard personnel data in the Human Resources database
Safeguard purchasing and budget data in the Financial database
- Hackers: AIX and Solaris systems were affected. The direct lesson: OS and patch levels were not up to date, leaving holes for "root kits"
- SLAC is equipped with a filtering router with ACLs, but we do not have a proxy or stateful-inspection firewall
- Determination: which parts of the network could be secured without affecting the open collaboration with sister labs and numerous universities around the world
- Decision: the research doctrine dictated that the research networks be safeguarded yet present no obstacles to the "free flow of data". That is the idea the Internet was built on, and with SLAC being the first US web site, history won
- Safeguard the private data within the PeopleSoft/Oracle databases: personnel data (names, addresses, SSNs, driver's licenses) and financial data (purchasing, credit cards, vendor account data)

Options for securing the data
Corporate-type lockdown, including limiting access to and from the Internet and other research facilities
Two physical networks: one SLAC-only & the other Internet accessible
Moving the data (but not the people) into a highly secured zone; use encrypted access and extensive monitoring
- Corporate firewall at the border router to the Internet: would cut off SLAC scientists from world-wide collaborators; after opening all the holes needed to provide all the services it becomes a "Swiss cheese" firewall, which is impractical and violates the research doctrine of the facility
- Two physical networks: impracticable for this type of environment (unclassified work); unable to justify the cost
- Moving the data: very practical for the SLAC environment; allows users throughout the network complete access; allows BSD users access to both the secure network and the rest of SLAC

Business Services Network
Created a highly secure "machine/data only" network
Created a user/workstation network to access the secure network
Secure all aspects of data access
Secured workstations
Encrypted application access via Citrix's Secure ICA
Encrypted host connections via Secure Shell (3DES/Blowfish)
Two-phase authentication process for secure domain login
- This solution allowed the users on the BSD network regular access to the critical HR and Financial data AND access to the rest of SLAC, the staff they serve and the Internet
- Separate the users from the data, restricting access to the data
- Secure all aspects of data access
- Secure workstations: boot the workstation from a floppy, erase the partitions, reload the OS and applications, with users not in the Administrators group. Numerous file and registry changes to improve security
- MetaFrame: a 128-bit RC5-encrypted (Secure ICA) connection to the application servers. ICA sessions must be initiated from the BSDnet to the Secure BSDnet
- Connections to hosts on the Secure BSDnet must use a Secure Shell client (3DES or Blowfish encryption). Telnet daemons were removed from the hosts
- Security Dynamics' ACE/Server provides a second login factor using a pseudo-random tokencode plus PIN combination. Passcodes are not reusable, which removes the replay threat from sniffing: even if a passcode is sniffed, it cannot be reused
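The replay property in the last note is the whole point of the second factor: a sniffer on the BSDnet sees the PIN+tokencode, but the server will not accept that tokencode again. The following is an added example written for this page, not SLAC's or Security Dynamics' code: it uses a generic HMAC-SHA1 time-step tokencode (the SecurID algorithm inside ACE/Server is proprietary and different), a constructed seed and PIN, and a verifier that remembers the last accepted time step so that any tokencode at or before it is rejected as a replay.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

# Constructed demo values. A real token seed and PIN live in the authentication
# server's token database and are never embedded in code.
TOKEN_SEED = b"demo-token-seed-0001"
USER_PIN = "4821"
STEP_SECONDS = 60    # tokencode rolls over once a minute
DIGITS = 6
WINDOW = 1           # also accept the adjacent steps to tolerate clock drift


def tokencode(seed: bytes, step: int) -> str:
    """Time-step tokencode: HMAC-SHA1 over the step counter with RFC 4226
    dynamic truncation. Generic construction, not the proprietary SecurID one."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** DIGITS):0{DIGITS}d}"


class PasscodeVerifier:
    """Verifies PIN + tokencode and refuses any tokencode at or before the
    last one it accepted, so a sniffed passcode cannot be replayed."""

    def __init__(self, seed: bytes, pin: str) -> None:
        self.seed = seed
        self.pin = pin
        self.last_accepted_step: Optional[int] = None

    def verify(self, passcode: str, now: int) -> str:
        if not hmac.compare_digest(passcode[:len(self.pin)], self.pin):
            return "reject:bad-pin"
        code = passcode[len(self.pin):]
        current = now // STEP_SECONDS
        for step in range(current - WINDOW, current + WINDOW + 1):
            if hmac.compare_digest(code, tokencode(self.seed, step)):
                if self.last_accepted_step is not None and step <= self.last_accepted_step:
                    return "reject:replay"      # same or older code: a replay
                self.last_accepted_step = step
                return "accept"
        return "reject:bad-code"


def demo() -> List[str]:
    """Legitimate login, replay of the sniffed passcode 5 s later, wrong PIN,
    then the next minute's passcode."""
    v = PasscodeVerifier(TOKEN_SEED, USER_PIN)
    t = 1_000_000
    passcode = USER_PIN + tokencode(TOKEN_SEED, t // STEP_SECONDS)
    results = [v.verify(passcode, t)]
    results.append(v.verify(passcode, t + 5))
    results.append(v.verify("0000" + passcode[len(USER_PIN):], t + 5))
    results.append(v.verify(USER_PIN + tokencode(TOKEN_SEED, t // STEP_SECONDS + 1), t + STEP_SECONDS))
    return results


if __name__ == "__main__":
    print(demo())
```

The replay check keys on the time step rather than on the literal code string, so a code captured in one step cannot be presented in the drift window of the next one either; the cost is that two legitimate logins inside the same minute need two different tokencodes, which is exactly the behaviour ACE/Server users see ("wait for the next tokencode").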

PeopleSoft WTS-MetaFrame Farm
[Diagram: on the Secure BSDnet, an MS Windows Terminal Server + Citrix MetaFrame farm (MetaFrame Load Balance, Secure ICA) runs PeopleSoft against Oracle data; Business Services Division (BSD Domain) workstations on the BSDnet connect over Secure ICA (future: 2-factor authentication); the rest of SLAC and the Internet lie beyond the BSDnet]
- Secure ICA connections to the MetaFrame servers can only be initiated from the BSDnet
- Remote users must VPN into the BSDnet through the PPTP server (giving them a BSDnet IP address) and then launch a Secure ICA session

Secure Business System
- In the event of a security incident, the Secure BSDnet and BSDnet can be isolated from SLAC and the Internet
- In the case of a BSDnet computer being compromised, the BSDnet can be isolated from the Secure BSDnet, the rest of SLAC and the Internet

[Diagram: Secure BSDnet (Prod and Test WTS + Citrix farm, PeopleSoft and PeopleSoft Test, BIS data, file server, SMS, BDC, "Emergency" workstation UserMC) | "Air Gap" | BSDnet (BIS web server, data warehouse, file server, SMS, BSD PDC, user workstations User01 .. UserXX, UserYY) | "Air Gap" | rest of SLAC]
- Topology of the network: Gigabit backbone
- Green: BSDnet / BSD NT domain. Mainly NT workstations & servers; a self-contained network with domain controllers, backups, SMS and web servers; the users and workstations live in this network
- Red: Secure BSDnet. Servers and data only, plus an "Emergency" workstation. The WTS/MetaFrame application servers run PeopleSoft and connect to the database running on Oracle/Solaris
- The Secure BSDnet can only be accessed from a computer with a BSDnet address; the routers (both border and BSD) have access controls against spoofed IPs
- Gigabit Ethernet
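The "only from a BSDnet address" rule is only as good as the anti-spoofing ACLs that back it: without them, an Internet host can simply send packets with a BSDnet source. The example below is added here and is not SLAC's router configuration; the address ranges, the port list (ICA 1494 and SSH 22 as the only services allowed into the Secure BSDnet) and the packets are all constructed. It models the two ACL points in the topology, a border router that drops Internet packets claiming an internal source and a BSD router that admits Secure BSDnet traffic only from its BSDnet interface, only from a BSDnet source, and only to the allowed ports, and runs a set of sample packets through them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed ranges; the talk gives no real SLAC addresses. BSDnet and Secure BSDnet
# sit behind the BSD router inside a larger internal range that the border router knows.
SLAC_INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BSDNET = ipaddress.ip_network("10.10.0.0/24")
SECURE_BSDNET = ipaddress.ip_network("10.10.1.0/24")
ICA_PORT = 1494      # Citrix ICA
SSH_PORT = 22
ALLOWED_INTO_SECURE = {ICA_PORT, SSH_PORT}   # assumption: the BSD router filters ports too


@dataclass
class Packet:
    origin: str     # where the packet entered: "internet", "slac" or "bsdnet"
    src: str
    dst: str
    dport: int


def border_router(pkt: Packet) -> Tuple[bool, str]:
    """Border ACL: a packet arriving from the Internet must not carry an internal source."""
    if ipaddress.ip_address(pkt.src) in SLAC_INTERNAL:
        return False, "border: spoofed internal source from Internet"
    return True, "border: pass"


def bsd_router(pkt: Packet, ingress: str) -> Tuple[bool, str]:
    """BSD router ACL: Secure BSDnet is reachable only via the BSDnet interface,
    only from a genuine BSDnet source address, and only on ICA/SSH."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in SECURE_BSDNET:
        return True, "bsd: pass"
    if ingress != "bsdnet":
        return False, "bsd: Secure BSDnet reachable only from the BSDnet interface"
    if src not in BSDNET:
        return False, "bsd: source is not a BSDnet address (spoof)"
    if pkt.dport not in ALLOWED_INTO_SECURE:
        return False, f"bsd: port {pkt.dport} not allowed into Secure BSDnet"
    return True, "bsd: allow"


def filter_packet(pkt: Packet) -> Tuple[bool, str]:
    """Walk the packet through the routers it would actually traverse."""
    if pkt.origin == "internet":
        ok, why = border_router(pkt)
        if not ok:
            return ok, why
        ingress = "slac"    # Internet traffic reaches the BSD router on its SLAC-facing side
    else:
        ingress = pkt.origin
    return bsd_router(pkt, ingress)


SAMPLE_PACKETS: List[Packet] = [   # constructed traffic
    Packet("bsdnet", "10.10.0.25", "10.10.1.10", ICA_PORT),      # BSD workstation -> WTS farm
    Packet("bsdnet", "10.10.0.25", "10.10.1.20", SSH_PORT),      # BSD workstation -> Oracle host
    Packet("bsdnet", "10.10.0.25", "10.10.1.20", 23),            # telnet into secure net
    Packet("slac", "10.5.7.3", "10.10.1.10", ICA_PORT),          # rest of SLAC -> farm
    Packet("internet", "198.51.100.7", "10.10.1.10", ICA_PORT),  # Internet -> farm
    Packet("internet", "10.10.0.25", "10.10.1.10", ICA_PORT),    # Internet, spoofed BSDnet source
    Packet("bsdnet", "10.10.0.25", "10.5.7.3", 80),              # BSD -> rest of SLAC
]


def run(packets: List[Packet] = SAMPLE_PACKETS) -> List[bool]:
    """Allow/deny verdict for each sample packet."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, filter_packet(p))
```

Note that the spoofed packet is stopped at the border, not at the BSD router: the source check on the BSD router only works because the border router has already guaranteed that a packet with an internal source really came from inside. Remove either ACL and the "BSDnet addresses only" rule becomes advisory.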

Lessons of the implementation
SLAC's business process application, PeopleSoft, is not native to the Windows Terminal Server/Citrix MetaFrame environment
Increased session security is incompatible with cross-platform access
3rd-party applications (Crystal Reports) had to be reconfigured not only to run on WTS but also to run with a non-standard "multi-user" implementation of PeopleSoft
Securing the application servers running WTS
Staff-intensive installation and troubleshooting
- PeopleSoft 6.5 required extensive scripting during application startup to enumerate variables within each individual's WTS session, plus intensive debugging that required highly advanced knowledge of PeopleSoft, WTS and MetaFrame
- Current OS levels (Samba) do not support Microsoft's heightened SMB session security and NTLMv2; rumors of a compatibility layer with MS in the fall
- Techniques to lock down workstations, such as removing the hidden administrative shares, broke services like SMS

Securing WTS/MetaFrame
Physical security is critical: on a terminal server every user holds the "Log on locally" right
Restrict anonymous connections (RestrictAnonymous)
Separate %rootdrive% and %systemroot% from %apps%
Apply the Microsoft ZAK (Zero Administration Kit) for WTS
Create a bin folder on %apps% with the system32 user apps
Remove "Everyone" access from everywhere in the file system & registry
Apply security-related Service Packs and hotfixes immediately
Recommend an encrypted client
Run the highest NT authentication hash (LM compatibility level) compatible with your site
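Three of these items (the "Log on locally" right, RestrictAnonymous, and the authentication level) can be checked from the security template that `secedit /export /cfg <file>` writes. The audit below is an added example for this page, not a SLAC script: the two INF texts are constructed samples in that export format (the weak one beside a hardened one), the domain group SID in the hardened sample is made up, and `SeRemoteInteractiveLogonRight` ("Allow log on through Terminal Services") is included for later Windows versions; NT 4.0 TSE only had the local right.

```python
import re
from typing import Dict, List, Optional

# Well-known SIDs as they appear in a `secedit /export /cfg <file>` template.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
BROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # "every user" groups
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# Constructed sample exports; the domain group SID in the hardened one is made up.
WEAK_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"""
HARDENED_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000000000-2000000000-3000000000-1107
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000000000-2000000000-3000000000-1107
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INF parser: [Section] headers and key=value lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def sids(value: str) -> List[str]:
    """'*S-1-5-32-544,*S-1-1-0' -> ['S-1-5-32-544', 'S-1-1-0']"""
    return [s.strip().lstrip("*") for s in value.split(",") if s.strip()]


def lsa_dword(sections: Dict[str, Dict[str, str]], name: str) -> Optional[int]:
    """Registry Values entries are '<type>,<data>'; type 4 is REG_DWORD."""
    raw = sections.get("Registry Values", {}).get(LSA + "\\" + name)
    if raw is None:
        return None
    kind, data = raw.split(",", 1)
    return int(data) if kind == "4" else None


def audit(text: str) -> List[str]:
    """Findings against the checklist: broad logon rights, anonymous access, LM level."""
    s = parse_inf(text)
    findings: List[str] = []
    rights = s.get("Privilege Rights", {})
    for right in ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight"):
        broad = [WELL_KNOWN[x] for x in sids(rights.get(right, "")) if x in BROAD]
        if broad:
            findings.append(f"{right} granted to {', '.join(broad)}: "
                            "restrict to Administrators plus a terminal-server users group")
    ra = lsa_dword(s, "RestrictAnonymous")
    if ra is None or ra < 1:
        findings.append("RestrictAnonymous unset or 0: null-session enumeration of accounts and shares allowed")
    lm = lsa_dword(s, "LmCompatibilityLevel")
    if lm is None or lm < 3:
        findings.append("LmCompatibilityLevel below 3: host still sends LM/NTLMv1 responses")
    return findings


if __name__ == "__main__":
    for name, inf in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(name, audit(inf) or ["no findings"])
```

The "Log on locally" finding is deliberately not "remove the right": a terminal server cannot function without it, which is why the slide's answer is physical security plus a dedicated group rather than Everyone or Users. The LM level threshold of 3 is the point at which the host stops sending LM and NTLMv1 responses; the slide's "highest compatible with your site" is what the Samba lesson above constrains.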

Securing Business Services
Standardized workstations
Additional filtering router on the business subnet
Secure application publishing: MetaFrame
Two-phase authentication
Encrypted host, application & remote access
Active monitoring
"Air gap" fail-safe measure in the event of an intrusion

General Use App Farm
Goal: to provide non-Windows clients access to Windows applications; encourage single-platform clients
Based on Dell dual PII-400, 1/2 GB RAM, RAID 0 servers
"Master" to clone maintenance plan
Provide most every app needed/requested by users

General Use App Farm
Strong support for Linux and Solaris clients
Beware of potential "bad apps" on WTS: NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting), DOS applications
Using Basic encryption for general sessions; considering 128-bit SecureICA for all access to both farms. Citrix's Basic level only scrambles the ICA stream and is not cryptographic protection, so credentials and screen data on those sessions should be treated as readable by a sniffer

Future of Thin Client
Windows 2000 servers "natively" support thin client; watch for more features in MS's RDP clients
Windows 2000 Applications Deployment Services
"Rental applications"
Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
Microsoft's 2000 logo program "requires" WTS compliance
Return to the mainframe-like methodology with Win2K and thin-client solutions

WTS/Citrix Paper
NT Security in an Open Academic Environment, SLAC-PUB-8172
Find the document at:
http://www.slac.stanford.edu/pubs/fastfind.html
http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html

Questions
HEPNT '99
www.slac.stanford.edu/comp/winnt
gdaly@slac.stanford.edu