PC Manager Meeting February 22, 2006
Today
- Updates: Next Meeting, Windows Policy, Email, Licensing/Training, Security, Tool of the Month, DOE Microsoft Tech Day
- This Month: OS & App Baselines: What's it All About? (Jack Schmidt)
- LUA: More ways and tools to run as LUA (Ken Fidler)
Next Meeting: Mar. 22nd
- Windows/Mac Software Licensing (Emily Pahlavan)
- InDiCo Agenda (John Bellendir/Jack Schmidt)
Windows Policy Committee
Next Meeting: Mar 1st, 1:30-2:30pm, WH5SW
Agenda:
- Outstanding Account Requests
- NTP: Does anyone really know what time it is?
- Desktop Baseline Checklist: New Domain GPOs?
Email Update (Kevin Hill)
- Spam Cop (We've been busted!)
- Greylisting: Next-Generation Spam Fighting
Spam Cop
- Spam Cop started blacklisting the email gateways on 2/14/06.
- We complained. No response was given on why we were blacklisted, but we were removed on 2/16/06.
- We were added again on 2/17/06!
- A few sites had us blacklisted for "back-scatter".
- What we are doing is RFC compliant, but that doesn't always help!
Spam Cop: Back-scatter
Backscatter occurs when an email system accepts a message for delivery, later determines that the message cannot be delivered, and sends an undeliverable-mail notification to the envelope sender. Spam typically forges the envelope sender, so those bounces land on innocent third parties, which is why blacklists treat them as spam.
What to do?
- Request that fnal.gov be added to the whitelist at the remote site.
- CD is changing the email system to prevent back-scatter (enabled 2/21).
- CD is implementing greylisting soon!
Greylisting
What It Does
- Requires all email from unknown servers to retry sending their message a short time later.
- Virus-infected computers spewing spam (and viruses) won't retry (yet).
- Many system administrators report up to 90% spam reduction.
How Messages Go
First attempt:
  Remote IP: smtp42.somelab.org
  Env Sender: John.smith@somelab.org
  Env Recipient: helpdesk@fnal.gov
  Combination unseen before: temporarily reject message
The remote server retries delivery at a later time, at least 5 minutes later:
  Remote IP: smtp42.somelab.org
  Env Sender: John.smith@somelab.org
  Env Recipient: helpdesk@fnal.gov
  Combination in database: message accepted
Who uses it
- University of Bergen: the Norwegian university of Bergen is using greylisting on their mail server.
- Texas A&M University: this Texas university is using greylisting: www.tamu.edu/network-services/smtp-relay/greylisting.html
- Leibniz Rechen Zentrum: LRZ is a major German internet hub for academic institutions in southern Germany. They started using greylisting as a method of limiting spam a couple of months ago: www.lrz-muenchen.de/aktuell/ali2052/
- APNIC (Asia Pacific Network Information Centre): this organisation, one of the five major internet registries of the world, is also using greylisting: www.apnic.net/info/contact/greylisting.html
- RWTH: RWTH is a large German university. They have a page on their greylisting (German) here: www.rz.rwth-aachen.de/infodienste/email/greylisting.php
How It Works
1. Record a triplet consisting of the remote server IP address, the envelope sender, and the envelope recipient.
2. If that triplet hasn't been seen before, enter it in the database and reject the message with a temporary failure code (a 4xx SMTP reply, so a well-behaved server queues the message and retries).
3. If the triplet was first seen more than 5 minutes ago, and less than the expire time for entries, accept the message.
Possible Fallout
- Some people will see a delay getting email from someone new. This will be between 5 minutes and however long the remote server takes to retry delivery, generally not more than 1 hour.
- A few sites won't retry. They are broken, but need to be dealt with.
Solutions
- Most greylist packages provide downloadable whitelists of known broken/good email servers.
- Local whitelists are maintainable.
- The greylisting package we are looking at has automatic whitelists.
- We can maintain an "opt-out" list for people who prefer to get more spam.
Our Recommended Implementation
- Use SQLgrey for Postfix. It uses MySQL for storage of greylist triplets, auto-whitelist tables, and opt-out lists.
- Initial greylist retry wait time is 5 minutes.
- The message must be resent within 24 hours, or a new 5-minute wait will be instituted.
- After 2 successful emails from a server/sender-domain pair, that pair is added to the auto-whitelist.
- Auto-whitelist entries expire after 60 days without mail from that server/sender domain.
Rollout Timeline
- Upgrade the Hepa machines' version of Postfix and install a local MySQL server: 1 day (done).
- Install the SQLgrey greylisting service. Configure Postfix to warn only (in the mail logs) to pre-build the databases: 15-30 days.
- Monitor logs for legitimate mail that isn't getting through: ongoing.
- Turn greylisting on "for real".
The Hepa machines currently have enough capacity to upgrade/install one while the other handles all incoming mail, so no downtime is required.
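As an added example (not SQLgrey's code and not the lab's configuration), the following Python model implements the triplet logic from "How It Works", the 5-minute retry wait, 24-hour triplet expiry and 2-message/60-day auto-whitelist from "Our Recommended Implementation", and the warn-only mode from the rollout plan. It assumes in-memory dicts in place of the MySQL tables, times in epoch seconds, and constructed addresses: 192.0.2.42 stands in for smtp42.somelab.org, the other IPs and mailboxes are made up, and the 450 reply text is a typical greylisting response rather than necessarily the one SQLgrey emits.

```python
"""Greylisting model: triplet check, 5-minute retry wait, 24-hour triplet
expiry, server/sender-domain auto-whitelist, opt-out list and warn-only mode.
Added illustration of the behaviour described in the slides; not SQLgrey's code."""

RETRY_WAIT = 5 * 60              # first retry is accepted 5 minutes after first sight
TRIPLET_EXPIRE = 24 * 60 * 60    # retry must come within 24 hours, else the wait restarts
AWL_THRESHOLD = 2                # successful messages before a pair is auto-whitelisted
AWL_EXPIRE = 60 * 24 * 60 * 60   # auto-whitelist entry forgotten after 60 idle days

DEFER_REPLY = "450 4.7.1 Greylisted, please try again later"   # temporary-failure SMTP reply


class Greylist:
    """In-memory stand-in for the MySQL tables a real deployment would use."""

    def __init__(self, warn_only=False):
        self.warn_only = warn_only     # rollout phase: record decisions but accept everything
        self.triplets = {}             # (ip, sender, recipient) -> first-seen time (epoch seconds)
        self.awl = {}                  # (ip, sender_domain) -> [accepted_count, last_seen]
        self.static_whitelist = set()  # server IPs from downloaded or local whitelists
        self.opt_out = set()           # recipients who prefer to get more spam

    def check(self, ip, sender, recipient, now):
        """Return (action, reason) for one SMTP envelope; action is 'accept' or 'defer'."""
        action, reason = self._decide(ip, sender.lower(), recipient.lower(), now)
        if action == "defer" and self.warn_only:
            # the triplet has already been recorded, so the database is being
            # pre-built while the gateway still accepts everything
            return "accept", "warn-only: would have deferred (" + reason + ")"
        return action, reason

    def _decide(self, ip, sender, recipient, now):
        if recipient in self.opt_out:
            return "accept", "recipient opted out of greylisting"
        if ip in self.static_whitelist:
            return "accept", "server on static whitelist"

        pair = (ip, sender.rsplit("@", 1)[-1])   # server / sender-domain pair
        entry = self.awl.get(pair)
        if entry is not None:
            count, last_seen = entry
            if now - last_seen > AWL_EXPIRE:
                del self.awl[pair]                # 60 days without mail: forget the pair
            elif count >= AWL_THRESHOLD:
                entry[1] = now                    # refresh last_seen, skip the triplet check
                return "accept", "server/sender-domain pair auto-whitelisted"

        triplet = (ip, sender, recipient)
        first_seen = self.triplets.get(triplet)
        if first_seen is None or now - first_seen > TRIPLET_EXPIRE:
            self.triplets[triplet] = now          # unseen or stale triplet: record it and defer
            return "defer", DEFER_REPLY
        if now - first_seen < RETRY_WAIT:
            return "defer", DEFER_REPLY           # retried too soon; first-seen time is kept

        # a real retry after the wait: accept and credit the pair towards the auto-whitelist
        count = self.awl.get(pair, [0, now])[0]
        self.awl[pair] = [count + 1, now]
        return "accept", "triplet retried after %d s" % (now - first_seen)


def walkthrough():
    """Constructed traffic (not real gateway logs) in the order it arrives."""
    g = Greylist()
    ip, sender = "192.0.2.42", "John.smith@somelab.org"   # documentation IP standing in for smtp42.somelab.org
    t0 = 1_140_600_000
    events = [
        ("new triplet, deferred",                   ip, sender, "helpdesk@fnal.gov",   t0),
        ("retry after 1 min, still deferred",       ip, sender, "helpdesk@fnal.gov",   t0 + 60),
        ("retry after 10 min, accepted",            ip, sender, "helpdesk@fnal.gov",   t0 + 600),
        ("new recipient next day, deferred",        ip, sender, "postmaster@fnal.gov", t0 + 86400),
        ("its retry, accepted (pair count 2)",      ip, sender, "postmaster@fnal.gov", t0 + 86400 + 400),
        ("third recipient, pair auto-whitelisted",  ip, sender, "jack@fnal.gov",       t0 + 2 * 86400),
        ("spam bot that never retries, deferred",   "198.51.100.7", "x@spam.example", "helpdesk@fnal.gov", t0),
    ]
    return [(label, g.check(i, s, r, t)[0]) for label, i, s, r, t in events]


if __name__ == "__main__":
    for label, action in walkthrough():
        print("%-45s %s" % (label, action))
```

Running it prints the walkthrough decisions in order. Two details worth noticing: the 1-minute retry is still deferred because the first-seen time is kept rather than reset, so the sender's delay is bounded by its own retry interval; and the third recipient from the same server/sender domain is accepted without a triplet check once the pair has two accepted messages, which is what keeps the per-recipient delay from recurring for regular correspondents.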
Licensing/Training
License Updates: VMware vs. Virtual PC
VMware Workstation v5 License:
- Electronic Download Distribution: $189
- Packaged Distribution: $199
- Upgrade: $99 (requires serial number)
Virtual PC:
- Year 1: $108.87
- Year 2: $90.55
- Year 3: $72.24
Note: We have not been able to get this to work with SLF!
License Updates: Added to Vista Beta!
Caveat: Not approved for the FERMI domain. May need its own baseline!
EA Training
- Expires in Oct!
- Consolidate single days?
- http://computing.fnal.gov/pcmanagers/licensing/training/ (password required)

Division/Section   Days of Training
ACC                16
BSS                5
CD                 22
CDF                1
D0                 0
DIR                1
LSS                1
ESH                1
FESS               4
PPD                4
TD                 5
Security Updates
February Patches
MANDATORY Patches: Due Date: None at this time
RECOMMENDED Patches: Due Date: 3-15-2006
The following is a link to the February Microsoft list of critical and important patches:
http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx
SMS information available at: http://www-win2k/private/sms/patchrollup/
If you need the patches, you can also obtain them from \\pseekits\fermi-rollup
Cool Tool of The Month
Paint.NET (thanks to Don Poll!) http://www.eecs.wsu.edu/paint.net/
- FREE!!!
- Image and photo manipulation software designed to be used on computers that run Windows 2000, XP, Vista, or Server 2003.
- Much like Paint Shop Pro
- Requires the .NET Framework
Cool Tool of The Month (cont)
DOE Microsoft Tech Day
Where: Argonne
When: April 11th
Time: ???
The purpose of this day would be to go over (at a very technical level) new products and futures coming from Microsoft (Vista, SQL, Exchange, etc.).
Attendance list required... (email to follow)
Main Topic: OS & Application Baselines: What's It All About? (Jack Schmidt)
What's A Baseline?
A baseline is a document or set of documents that outlines the minimum security requirements for an application, network device or OS to be allowed on the FNAL network.
The Office of Management and Budget tells DOE. They tell us!
Existing Baselines: OS Baselines
- OSX Desktop
- Scientific Linux Fermi
- Sun Solaris 9
- Windows 2000 & XP
- Windows 2000 & 2003 Server
Existing Baselines: Application Baselines
- Anti-virus (draft form)
- Oracle
- PostgreSQL
Network Baselines
- Cisco Firewall
- Cisco Router
Baselines We Still Need
OS:
- FreeBSD
- Generic OS
- OSX Server
Application:
- Generic Web Server (covers Apache and IIS)
- Generic Web Application
- Samba
Baseline Basics
- Baselines are built on NIST and CIS Benchmark documents.
- Checklists.
- Tools are coming to help check systems!
Baseline Questions
- Does my desktop/server meet the baseline? Fermi domain systems, Fermi Windows-built systems and SLF-built systems do.
- I can't meet the baseline requirements! Talk with your GCSC.
- I can't find my OS/App listed! Check with your GCSC. In most cases, following the generic baseline will work.
Baseline Questions
- Who writes them? You do!
- Who approves them? FCSC
- What apps need a baseline? Defined by DOE
- Do application baselines include OS requirements? No!
  App Baseline + OS Baseline = Approved Design
  App Baseline + NO OS Baseline ≠ Approved Design
Main Topic: Least-Privileged User Account: More ways and tools to run as LUA (Ken Fidler, CSS-CSI(WST))
LUA – Run IE/E-mail Tools Safely
- Running with 'local admin' privilege is dangerous!
- Special-case users require admin privileges.
- How do you get the best of both worlds?
LUA – Run Network Browser/E-mail Tools Safer
- For limited protection, restrict key internet-facing applications to run as non-admin.
- XP and Server 2003 add a new Software Restriction Policy (SAFER).
- It allows running applications as non-admin by stripping certain SIDs and privileges out of the application's token.
How do you know you are running apps as non-admin?
Look at the token associated with the process.
- Process Explorer from Sysinternals: a good FREE replacement for Task Manager.
- PrivBar: a free toolbar that displays the user level that IE or Explorer is running at.
IE – Run as ‘Normal User’
IE running as ‘local admin’
LUA - PrivBar
LUA – DropMyRights.exe
- Free tool from Microsoft, similar to the 'runas' tool:
  dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"
- Can be used on all sorts of applications (e-mail clients like Outlook/Outlook Express, browsers like IE and Firefox, and instant messaging clients).
LUA – DropMyRights Install
LUA – DropMyRights DEMO
LUA – DropMyRights – Pros and Cons
Pros:
- Simple to use and set up (MSI package)
Cons:
- Some web sites that spawn a new browser window might not start it at the reduced privilege level.
- The user can still easily run the program at the privileged level by launching it normally instead of through DropMyRights.
LUA – SAFER
- New Software Restriction Policy (SAFER); XP and 2003 only.
- Software restriction policies allow you to control the ability of software to run on your local computer.
- By default, only 2 levels are exposed (Disallowed and Unrestricted). A simple change allows adding new levels.
LUA – SAFER Policy
There are in fact three other SAFER security levels beyond Disallowed and Unrestricted:
- Normal User (also named Basic User)
- Constrained (also named Restricted)
- Untrusted
Basic User is what we want to use. The others are too restrictive and break many apps.
LUA – SAFER Policy
Simple registry tweak to expose the levels: add a DWORD value named Levels, set to 0x20000, under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
LUA – GPOs to run apps safely
LUA - GPOs
LUA – SAFER DEMO
LUA – SAFER (Limitations)
- Cannot run Windows Update (a known issue Microsoft plans to fix, and there is a way around this...).
- A user could copy the application to an alternate path and run it as 'administrator', since a path rule only applies to the path it names.
LUA – Other Possibilities
- Create a GPO in your OU to deploy LUA.
- Protect against known malware: add the path/name of the program to the SAFER policy (additional rules) and set the 'Security Level' to Disallowed.
- Prep software on machines, but keep users from running it until you want them to.
LUA – Summary
DropMyRights or SAFER-based policies are no replacement for running as a non-admin, but they are still much better than handing the loaded gun of full local admin privilege to your users!
LUA and Vista: Standard User Privileges
- View system clock and calendar
- Change time zone
- Change display settings
- Change power management settings
- Install fonts
- Add printers and other devices that have the required drivers installed
- Download and install updates using a User Account Control compatible installer
LUA and Vista (cont'd)
- Admin Approval Mode: the right privilege at the right time. Allows admins to run apps as a basic user.
- Over-the-Shoulder (OTS) Credentials: prompt the user when admin privileges are needed.
- File System and Registry Virtualization: writes to protected locations are redirected to a copy in the user profile area.
LUA – More Info
- DropMyRights and PrivBar: http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp
- SAFER: http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp
- Blog on LUA: http://weblogs.asp.net/aaron_margosis
- Process Explorer: http://www.sysinternals.com/
- \\PSEEKITS\DesktopTools\Utilities\LUA