Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel.


1 Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

2 Today's topic: Security
- Quick overview of computer security vulnerabilities
- Virus attack on Beamssrv1
- How to avoid future attacks
  - User education
  - Virus protection
  - Protecting passwords
  - Operating system configuration and patches
  - Application configuration and patches
- Local admin access to the IP/License database
- FileMaker Pro IP/License database lab

3 What happens when your computer is hacked?
- Capture your password(s).
- Read files off of your computer.
- Copy files to your computer.
- Modify or delete files on your computer.
- Execute code on your computer.
- Use your computer to attack other computers.
- Use your computer to create unwanted network traffic.

4 Security Vulnerabilities
- What are some ways that computers get compromised?
  - User actions
  - Viruses
  - Stolen passwords
  - Operating system vulnerabilities or misconfigurations
  - Application vulnerabilities or misconfigurations


6 Beamssrv1 attack
- 12-11-01: Beamssrv1 and other computers were attacked by a virus.
  - Beamssrv1 offline for 24 hours
  - BD/Network resources expended for the entire week
  - Local administrators had to rebuild desktops
- 12-18-01
  - Smaller-scale repeat performance of the same attack
  - BD/Network resources expended for another two days
  - A local administrator needed to rebuild a computer

7 Hacked-Desktop1
- Hacked-Desktop1:
  - This computer was the first computer to be compromised by this attack.
  - 12:12-12:25: NAV 5.0 quarantined 666 infected files.
  - Started attacking other computers looking for operating system and IIS vulnerabilities and shares that it could use to spread itself.

8 Hacked-Desktop1
- What went wrong?
  - Operating system service packs were 1½ years out of date and it was running an unpatched IE.
    - Allowed the computer to be compromised.
  - It was using an unsupported NAV that does not report back to our SSC console.
    - This increased the response time.
    - This computer was compromised by 12:30pm.
    - Our first indication of a problem wasn't until after 2:30pm.
  - Open shares
    - The virus used these shares to attempt to spread.
  - Also infected with a spyware trojan horse
    - Probably unrelated to this incident

9 Hacked-Desktop1
- The user's Beams account had admin privileges and he left himself logged in while he was on vacation.
  - Administrator privileges allowed the attack to compromise the unpatched system.
  - Allowed the virus to create more open shares to spread itself.
  - When the user returned, he started executing tasks on the compromised system, which triggered the attack.
- The user never logged out after his roaming profile was disabled.
  - Allowed the virus to try to spread itself to \\beamssrv1\profiles
- The user's Beams account also had admin privileges on other computers.
  - Allowed other computers to be compromised.
- The root of each drive was shared for local backups with poorly set up permissions.
  - Contributed to compromise of the entire system

10 Hacked-Desktop1
- What was done correctly?
  - The user had up-to-date virus definitions (on an old version of Norton Antivirus) that prevented further spread.
  - The user notified us via voicemail when they discovered the problem.

11 Hacked-Desktop2
- This computer did local backups by attaching to the root of every drive on three desktop computers.
- 13:16: Event Viewer shows that the security policy was changed on this computer.
  - The security policy was actually locked out and could not be viewed or changed.
- 14:25-14:33: NAV stopped infected files from being written to all share directories and subdirectories.

12 Hacked-Desktop2
- What was done correctly?
  - Win2k SP2 + hotfixes
  - Updated IE
  - Had NAV CE 7.51 with updated virus definitions
    - Stopped infected files from being written to the computer's shares
  - No open shares

13 Hacked-Desktop2
- What went wrong?
  - The user from Hacked-Desktop1 was in the Administrators group on this PC.
  - The administrator of this PC was away from the lab, but left himself logged into the localadmin account.
    - So any actions taken from this PC were done with admin privileges.
  - This PC had "Full Control" access to the root of each drive on three other computers for backups.
    - Included Hacked-Desktop1
    - Provided a path to two additional computers (Lucky-Desktop1 and Hacked-Desktop3).

14 Lucky-Computer1
- One of the desktops that was backed up by Hacked-Desktop2 was turned off, so it was not compromised.
- It had very poorly configured shares.
  - The Beams Key Access and Department global groups had "Full Control" to the root of the drives.
- Had this computer been powered up during the attack, it would have been compromised.

15 Attacked-Console
- 14:16: NAV stopped infected files from being written to the D:\public open share.
- Was a controls console at CHL.
- A user was logged into the FileMaker Pro database on Beamsappsrv1.
  - Gave the virus knowledge of the Beamsappsrv1 protected share.

16 Attacked-WebServer
- Individual web server supported by one of the BD departments.
- 14:21: NAV stopped infected files from being written to the D:\public open share.
- This gave the virus knowledge of shares on two other computers managed by this group (Attacked-Desktop1 and Attacked-Desktop3).

17 Attacked-Desktop1
- This is a user desktop computer.
- 14:22: NAV stopped infected files from being written to the c:\"username" open share.

18 Attacked-Desktop2
- Another user desktop computer.
- 14:22: NAV stopped infected files from being written to the c:\public open share.

19 Attacked-Desktop3
- 14:37: NAV stopped infected files from being written to the c:\imsi open share and all of its subdirectories.
  - The share was created by an application installation.
  - Administrators need to lock down shares created to share application data.

20 Beamsappsrv1
- This server runs Key Access, is a license server, and is a FileMaker 4.1 server.
  - All of which were not available for about 24 hours due to the attack.
- 14:32: NAV stopped infected files from being written to the protected share which housed an FMPro database.
  - Attacked-Console was logged into this database, which gave the virus knowledge of this share.

21 Attacked-Desktop4
- Another desktop computer.
- 14:34: NAV stopped infected files from being written to the c:\public share.

22 Beamssrv1
- 14:36-15:06: NAV stopped infected files from being written to the protected \\beamssrv1\profiles share.
  - Knowledge of this share was made available through the Hacked-Desktop1 user's roaming profile.
  - Even though the user did not have a roaming profile, he had not logged out since the profile was changed to local, so the local computer was still attached to the profile directory.
- 15:06: Beamssrv1 was removed from the network.

23 Hacked-Desktop3
- 15:25 to 15:30: NAV stopped infected files from being written to the hard drive.
- The virus accessed the computer via the root drive shares used by Hacked-Desktop2's backup system.
  - Share was Authenticated Users = Full Control
  - Drives were FAT, not NTFS
- NAV failed when the drive ran out of disk space while quarantining files.

24 Beamssrv1
- 17:15: The virus definitions said that they were the most recent; however, the date on them was three weeks earlier.
  - Manually downloaded definitions and burnt them to CD.
  - Applied them to Beamssrv1 manually from the CD.
  - The Dwhwizrd.exe process started eating CPU cycles and Beamssrv1 hung.
- 17:30: Beamssrv1 rebooted and reapplied the virus definitions from CD-ROM.

25 Beamssrv1
- 17:45: Began a manual virus scan of Beamssrv1.
  - NAV was flagging hundreds of C:\WinNT\dwh****.tmp files as being infected.
    - All were created after Beamssrv1 was disconnected from the network, around the time that the virus definitions were loaded.
  - While Beamssrv1 was scanning, we tracked down the other infected computers, shut off their network ports, and began to visit them to investigate the problem.

26 Beamssrv1
- 19:30: Beamssrv1 still scanning.
- Attempted to call NAV Gold Card tech support, but they are only open from 5am to 5pm Pacific Time.
- Midnight: Did all that we could do at that point. Went home and let Beamssrv1 scan overnight.

27 Beamssrv1
- 8am to noon the next day:
  - Worked with Andy Romero from CD
  - Talked to NAV Support
    - The DWH****.tmp files were created by a corrupt set of virus definitions.
    - Beamssrv1 was not compromised.
  - Manually scanned Beamssrv1 from a hardened server
    - Placed both servers on an isolated hub
    - Completed a network scan from the hardened server to Beamssrv1
- Noon: Computing Security gives permission to put Beamssrv1 and Beamsappsrv1 back on the network.

28 Cleanup
- The next few days were spent:
  - Gathering information from the infected computers
  - Documenting the incident for Computer Security
  - Monitoring Beamssrv1 for further suspicious activity
  - Educating local administrators and users on the hazards of
    - Open shares
    - Unpatched systems
- Local administrators needed to rebuild:
  - Hacked-Desktop1
  - Hacked-Desktop2
  - Hacked-Desktop3

29 Lucky-Desktop2
- Two days after the attack:
  - The Wednesday administrative NAV scan found and quarantined infected files in an open share.
  - How did the files get there?
    - The computer had an open share.
    - NAV real-time protection was turned off on this computer.
  - Luckily the user did not execute the infected files before NAV quarantined them.

30 Repeat performance?
- One week later:
  - One protected Beamssrv1 user share was being attacked with the same virus files.
  - NAV stopped the files from being written to Beamssrv1.
  - The PDC/BDC event log showed that that user had logged into three different computers during the time of the attack.
- Took those computers off the network.
  - Attempted file writes to Beamssrv1 stopped.
- Began visiting the computers.
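The procedure on this slide (take the account named in the NAV alerts, find every machine the domain controllers saw it log on to during the write attempts, pull those machines off the network) can be scripted. The following is an added example, not code from the presentation. Both log formats are constructed for the example (real NAV Corporate Edition and NT audit records look different), the host names are made up, and the 12-hour lookback is an assumption: the slides' users never logged out, so the logon that put a machine in play may be hours older than the first blocked write.

```python
"""Correlate NAV share-write alerts with domain controller logon records.

Added example, not code from the presentation. Both log formats below are
constructed for the example; real NAV and NT audit records look different.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: real-time protection on the file server blocking
# infected files written into one user's protected share.
NAV_ALERTS = r"""
2001-12-18 14:02:11 server=BEAMSSRV1 action=blocked user=BEAMS\jdoe file=\\beamssrv1\users\jdoe\public\setup.exe
2001-12-18 14:02:40 server=BEAMSSRV1 action=blocked user=BEAMS\jdoe file=\\beamssrv1\users\jdoe\public\readme.exe
2001-12-18 14:05:03 server=BEAMSSRV1 action=blocked user=BEAMS\jdoe file=\\beamssrv1\users\jdoe\public\win32.exe
"""

# Constructed sample: logon audit records collected from the PDC/BDC.
DC_LOGONS = r"""
2001-12-17 09:00:00 event=logon user=BEAMS\jdoe workstation=OLD-PC
2001-12-18 07:58:10 event=logon user=BEAMS\jdoe workstation=ATTACKED-DESKTOP5
2001-12-18 08:30:22 event=logon user=BEAMS\asmith workstation=LUCKY-DESKTOP3
2001-12-18 13:41:05 event=logon user=BEAMS\jdoe workstation=HACKED-DESKTOP3
2001-12-18 13:55:47 event=logon user=BEAMS\jdoe workstation=USERPC-3
2001-12-18 16:10:00 event=logon user=BEAMS\jdoe workstation=CONSOLE7
"""


def parse_records(text):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD_RE.findall(line[20:]))
        rec["time"] = datetime.strptime(line[:19], TS_FMT)
        records.append(rec)
    return records


def attack_window(alerts, user):
    """First and last blocked write attributed to `user`, or None."""
    times = [a["time"] for a in alerts if a.get("user") == user]
    return (min(times), max(times)) if times else None


def hosts_logged_in(logons, user, start, end, lookback=timedelta(hours=12)):
    """Workstations where `user` logged on between start-lookback and end.

    The lookback is an assumption of this example: a session opened earlier
    in the day is still live when the writes happen (the slides' users never
    logged out), so the logon that matters may be hours old.
    """
    earliest = start - lookback
    return sorted({r["workstation"] for r in logons
                   if r.get("event") == "logon" and r.get("user") == user
                   and earliest <= r["time"] <= end})


def triage(alert_text, logon_text, lookback=timedelta(hours=12)):
    """Per attacking account: the write window and the hosts to isolate."""
    alerts = parse_records(alert_text)
    logons = parse_records(logon_text)
    report = {}
    for user in sorted({a["user"] for a in alerts if "user" in a}):
        start, end = attack_window(alerts, user)
        report[user] = {
            "blocked_writes": sum(1 for a in alerts if a.get("user") == user),
            "first_block": start,
            "last_block": end,
            "isolate": hosts_logged_in(logons, user, start, end, lookback),
        }
    return report


if __name__ == "__main__":
    for user, info in triage(NAV_ALERTS, DC_LOGONS).items():
        print(f"{user}: {info['blocked_writes']} blocked writes, "
              f"{info['first_block']:%H:%M:%S} to {info['last_block']:%H:%M:%S}")
        for host in info["isolate"]:
            print(f"  pull network port and visit: {host}")
```

With the sample data the account's three blocked writes fall between 14:02:11 and 14:05:03, and the three workstations it logged on to that day are reported; the logon after the window (CONSOLE7) and the previous day's logon are excluded, which is the right default but worth widening if the machine in question is never rebooted.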

31 Attacked-Desktop5
- The user's primary desktop.
- NAV stopped viruses from being written to two "open shares" that had the same names as the shares being written to on Beamssrv1.

32 Macintosh?
- The other share accessed by this user account was on a Macintosh:
  - The user set up a Dave SMB file share on his Macintosh for access from his PC.
  - NAV was installed on this Mac and it was scanned. No virus files were found.

33 Hacked-Desktop3
- Windows 98 PC
- No NAV installed
- Many open shares with the same names as those on the user's Z: drive and on Lucky-Desktop3.
- The computer had infected files in every subdirectory.
- This computer was compromised and needed to be rebuilt.

34 Summary: Who was involved
- Hacked desktops = 3
- Attacked but not hacked = 3
- Attacked controls system console = 1
- Infected but virus not executed = 2
- Macintosh = 1
- Local backup systems involved = 1
- Local web servers involved = 1
- Domain servers involved = 2

35 How did this happen?
- Most of the damage could have been avoided and was due to the following mistakes, all of which violate our documented setup and usage procedures.
  - Operating system service packs were out of date
  - Users and administrators created open shares
  - Users were sharing files from their workstations instead of using Beamssrv1
  - Users were doing their work from an account that has administrative privileges
  - Users were not logging out
  - NAV real-time protection was turned off on one computer
  - NAV was not installed on another computer
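The share mistakes in this list (slides 9, 13, 14 and 23: root-of-drive shares for backups, "Full Control" for broad groups, FAT volumes with no NTFS permissions behind the share) can be checked from a share inventory before the next incident. The following is an added example, not code from the presentation: the share inventory is constructed, the `Share` class and `BROAD_PRINCIPALS` set are this example's own, and the two division global groups in that set are taken from slide 14 as an assumption about what counts as "broad" at this site. The last entry shows the hardened form of the backup share beside the one that was compromised.

```python
"""Audit Windows share definitions for the mistakes the incident exposed.

Added example, not code from the presentation. The share inventory below
is constructed; the rules encode the slides' points (root-of-drive shares,
Full Control for broad groups, FAT volumes with no NTFS permissions behind
the share). BROAD_PRINCIPALS is an assumption and should be extended with
the site's own division-wide global groups.
"""
import re
from dataclasses import dataclass

BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users",
                    "users", "guests", "beams key access", "department"}
WRITE_ACCESS = {"full control", "change"}
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
ADMIN_SHARE_RE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$|IPC\$)$", re.I)


@dataclass
class Share:
    host: str
    name: str
    path: str
    filesystem: str            # "NTFS" or "FAT"
    acl: list                  # [(principal, access), ...] share permissions


def audit_share(share, broad=BROAD_PRINCIPALS):
    """Return (severity, message) findings; an empty list means no issue."""
    if ADMIN_SHARE_RE.match(share.name):
        return []    # C$, D$, ADMIN$: administrators only, not an open share
    findings = []
    if DRIVE_ROOT_RE.match(share.path):
        findings.append(("HIGH", f"{share.name} exposes the root of drive {share.path}"))
    writers = [(p, a) for p, a in share.acl if a.lower() in WRITE_ACCESS]
    for principal, access in writers:
        if principal.lower() in broad:
            findings.append(("HIGH", f"open share: {principal} has {access} on {share.name}"))
    if share.filesystem.upper() == "FAT" and writers:
        findings.append(("MEDIUM", f"{share.name} is on a FAT volume: "
                                   "share permissions are the only access control"))
    return findings


def audit_inventory(shares, broad=BROAD_PRINCIPALS):
    """Map 'HOST\\share' to its findings; shares with no findings are omitted."""
    return {f"{s.host}\\{s.name}": f for s in shares if (f := audit_share(s, broad))}


# Constructed inventory: the backup setup from the incident, the untouched
# 'lucky' machine, an admin share, and a hardened replacement backup share.
INVENTORY = [
    Share("HACKED-DESKTOP3", "C", "C:\\", "FAT",
          [("Authenticated Users", "Full Control")]),
    Share("LUCKY-COMPUTER1", "D", "D:\\", "NTFS",
          [("Beams Key Access", "Full Control"), ("Department", "Full Control")]),
    Share("HACKED-DESKTOP3", "C$", "C:\\", "NTFS",
          [("Administrators", "Full Control")]),
    # Hardened: one folder, NTFS, a dedicated backup account with Change only.
    Share("HACKED-DESKTOP3", "backup", "C:\\backup", "NTFS",
          [("BEAMS\\svc-backup", "Change"), ("Administrators", "Full Control")]),
]

if __name__ == "__main__":
    for key, findings in audit_inventory(INVENTORY).items():
        for severity, message in findings:
            print(f"{severity:6} {key}: {message}")
```

Run as-is it flags the two shares that were (or would have been) used to spread the virus and stays silent on the administrative share and the hardened backup share; feeding it the output of a real share enumeration is a matter of building `Share` objects from that output.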


37 User Education
- It is important that we encourage users to use their computers in a way that will not make it likely to cause a security problem:
  - Do not open unknown email attachments.
  - Do not respond to virus hoax emails without consulting an expert first.
  - Do not create open shares.
  - Don't give your password to other people.
  - Lock your screen when you leave your desk.
  - Log out at night.
  - Leave your computer on at night.
- This is hard to control at times because the average user is not a computer expert and does not understand the consequences of their actions. They are only trying to do their job.

38 User Education: Computing Division's Approach
- Computing Division has two monthly talks.
  - PC Manager's Meeting: http://www-csi.fnal.gov/talks/
  - Security Roundtable: http://computing.fnal.gov/security/RoundTables/index.html
- CD also offers periodic training classes: http://fnalpubs.fnal.gov/train-dev/index.html
- CD's philosophy is to push the management as close to the desktop as possible.

39 User Education: Beams Division Approach
- Beams Division tries to pass on the information from the Computing Division talks to all of the departments and groups through:
  - Regular emails sent to:
    - Local administrators
    - Department heads
    - Group leaders
  - The local administrator meetings
- To review slides from recent talks, see: http://www-bdnew.fnal.gov/network/localadmin-meetings.htm

40 User Education: Beams Division's Approach
- Beams Division also provides documentation to help the user set up and use their Beams account.
- The Domain Users Guide can be viewed at: http://www-bdnew.fnal.gov/network/WinNT%20User%20Docs.htm
- The Beams Account setup document can be viewed at: http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm


42 Virus Threats
- Different categories:
  - Virus: a computer program that spreads from one file to another via human action.
  - Worm: a computer program that is designed to copy itself from one computer to another over the network without human intervention.
  - Trojan horse: computer code hidden at the end of another computer program that, when executed, performs tasks at whatever permission level the user has.

43 Virus Incidents
- We average between 3 and 6 identified virus incidents a week.
  - Each incident takes time to investigate to ensure that the local computer is not infected.
- Many of the virus incidents that we see are the result of users downloading virus files while connected to offsite mail servers.
  - This used to be against computing policy.
  - It is now an acceptable practice.

44 Virus Hoaxes
- Virus hoaxes are spread via email.
  - They tell users to take unnecessary and sometimes harmful actions.
  - They usually tell users to send the message to everyone they know.
- I deal with about one of these per week.
- Time and resources are spent defusing and recovering from any unnecessary action taken.
- One user called Computer Security over a virus hoax and they had him disconnect his computer from the network until the next morning!
- There are so many virus hoaxes that Symantec has a virus hoax encyclopedia at http://www.sarc.com/avcenter/hoax.html

45 Computing Division Virus Approach
- How is Computing Division trying to protect us from virus infections?
  - The mail gateway (smtp.fnal.gov) has virus protection.
  - The mail servers (Imapserver1, etc.) have virus protection.
  - Encouraging users to have virus protection on their desktops.
  - Encouraging groups to implement Norton's SSC management.

46 SSC implementations labwide
- Last year I gave a talk to CD on implementing the NAV server. See slides at http://www-bdnew.fnal.gov/network/Local%20Admin%20Talks/PC%20Managers%201-23-01_files/frame.htm
- Since then other divisions have adopted the Norton SSC Console as a standard.

47 Virus Protection: Beams Division Implementation
- There are three layers of virus protection when you read your lab email.
  - The FNAL mail server filters your email for viruses.
  - Beamssrv1 filters your email for viruses if you have your Netscape profile on the server.
  - Your local client computer should have Norton Antivirus.

48 Beams Division: NAV implementation
- Provide a Norton Antivirus installation point on Beamssrv1 for workstation installations.
- Provide local administrator installation instructions on our web page:
  - Win2k: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#NAV
  - WinNT: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#NAV

49 Beams Division: NAV implementation
- BD user setup instructions inform users never to turn off real-time protection. See the following for details: http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm#NAV

50 Beams-nav-srv
- How will we manage NAV installation and updates?
- New Compaq ProLiant ML370 server
  - Dual 1GHz processors
  - 1GB RAM
  - Will upgrade to a GigE network connection.

51 Symantec System Center
- Beams-nav-srv will run the Norton Symantec System Center to manage the virus definitions.

52 SSC Main Screen

53 SSC Virus Detection
- When a virus is detected by a workstation, it sends this information to the SSC server. The SSC will be able to see:
  - Which workstations are infected
  - What virus was detected
  - What file(s) were infected
  - What action was taken by NAV

54 SSC logfiles
- Norton Antivirus logfiles can show the virus history for any computer that is managed by the SSC.

55 SSC logfiles
- Event Log: shows any configuration changes, virus definition downloads, and any files not scanned.

56 SSC logfiles
- SSC logfiles can also show when virus scans are completed.

57 SSC Management Tasks
- The SSC Console can also edit properties or complete common tasks for one, multiple, or all computers managed by the SSC.

58 SSC Management Tasks
- Can set real-time protection options from the SSC console.
- More options are available from the Advanced tab.

59 SSC Management Tasks
- Advanced options

60 SSC Management Tasks You can manually start a NAV virus scan on any workstation from the SSC console

61 SSC Management Tasks We can set the virus scan schedule for all of the workstations from the SSC console

62 SSC Management Tasks We can view a list of detectable viruses for any workstation from the SSC console

63 SSC Management Tasks We can manage the virus definition updates from the SSC console


65 Passwords
- Password protection is the basis for Computing Division's Kerberos implementation.
  - Don't want non-Kerberos passwords going over the network.
- For details, see the strong authentication web page: http://www.fnal.gov/docs/strongauth/

66 Passwords: Kerberos in Beams
- Kerberos for Windows was the topic of the last local administrator meeting. The slides for this talk can be reviewed at: http://www-bdnew.fnal.gov/network/Local%20Admin%20Talks/Local%20Admin%20Meeting%2011-20-2001.htm

67 Kerberos Exemptions Clarified
- CD has pronounced the site Kerberized as of 1-1-02.
- Any node offering non-Kerberos services on the network needs an exemption from Computing Security.
- Exemptions were supposed to be filed by 1-1-02.
- Computing Division will be scanning for non-compliance.

68 Windows Exemption
- Windows NT/2000 computers use NTLM to log in to the Windows NT domain.
  - NTLM is less secure than Kerberos.
- The Windows exemption covers:
  - Domain login to the Windows NT 4.0 domain
  - Lasts only as long as the Win2k migration schedule permits

69 Windows Exemption
- After the Win2k migration:
  - Win2k workstations logging into the Win2k domain will use Kerberos for authentication.
  - WinNT workstations will be forced to upgrade their authentication to NTLMv2.
  - The migration is not complete until all users, workstations and servers are moved to the Win2k domain.
- The Win2k migration schedule can be viewed at: http://www-win2k.fnal.gov/

70 What Windows and Macintoshes need exemptions?
- Any computer that runs an FTP server or equivalent.
- Any computer that runs a Telnet server or equivalent.
- Any computer running remote control software that other computers can connect to:
  - Timbuktu
  - PC Anywhere
  - VNC
  - WinCenter
  - Terminal Server
  - Any other remote control software

71 What Windows and Macintoshes need exemptions?
- Any file shares on a PC or Macintosh.
  - Every user who wants a file share on their PC will have to file for an exemption!!!
  - Win2k/NT central file server shares will still be allowed as per the Win2k migration guidelines.
  - After the Win2k migration, all access to the Win2k central file server shares will need to use Kerberos, or possibly NTLMv2 for a limited time.
- Computer Security says that administrative shares such as C$, D$, ADMIN$, etc. do not need exemptions.

72 Exemptions: Computing Division Scans
- Computing Division has started scanning for non-Kerberos services offered on the network. So far this includes:
  - FTP servers
  - Telnet servers
  - An old version of SSH that has a security hole; they will soon be scanning for any non-Kerberized SSH.
- Computing Division plans on expanding the scope of this scan over the next year to search for more non-Kerberized services.

73 Filing Exemptions
- How do you file an exemption?
- Go to http://www.fnal.gov/docs/strongauth/misc/exemption.html
- Copy the form off of the web page.
- Email the answers to our Assistant GCSC (General Computer Security Coordinator), Tim Zingelman, at Zingelman@fnal.gov
- Tim should also be able to answer any questions you have concerning exemptions.


75 Operating System Vulnerabilities or Misconfigurations
- Unpatched or poorly configured operating systems are easy targets for viruses and hackers to compromise your computer.
- Recall that the attack on Beamssrv1 described earlier in the talk started with a computer being compromised because it had out-of-date service packs.

76 OS Vulnerabilities: Computing Division Response
- Computer Security informs us that we have to keep our systems patched and configured properly.
  - Patches are available on PCKits, but most users don't have FNAL domain accounts.
  - No centrally managed mechanism to handle patches.
- Computing Division is starting to implement security scans to look for non-compliant nodes:
  - Problems:
    - Windows scans are not recent
      - SP3 is more than years old
    - They tried to do too much too soon without fully understanding what packets their scanner was outputting.

77 Beams Division Operating System Configuration
- Microsoft operating systems are not secure with the default settings.
- We have complete setup instructions to ensure a secure setup, located at:
  - Win2K Administrative Setup: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm
  - WinNT Administrative Setup: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm

78 OS Vulnerabilities: Service Packs and Hotfixes
- Microsoft operating systems have service pack updates every 6 months to a year.
  - Service packs patch security holes and fix software bugs and incompatibilities.
- In between service pack releases, Microsoft releases patches called hotfixes.

79 Latest Service Pack Information
- The latest service pack and hotfix information can be found on our web page at: http://www-bdnew.fnal.gov/network/latest-os-service-packs.htm

80 What is the current Win2k Service Pack and Hotfix level?
- SP2
- Hotfixes:
  - MS00-077-Q299796
  - MS01-007-Q285851
  - MS01-013-Q285156
  - MS01-022-rbupdate
  - MS01-025-Q296185
  - MS01-031-Q299553
  - MS01-033-Q300972
  - MS01-037-Q302755
  - MS01-040-Q292435
  - MS01-041-Q298012
  - MS01-046-Q252795

81 Win2K Service Packs
- How do you check what service packs and hotfixes you have?
  - Check the service pack level by running "winver" from the command prompt.
  - Check hotfix levels by looking in the registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix.

82 What is the current WinNT Service Pack and Hotfix level?
- SP6a
- Hotfixes:
  - Q299444 rollup
  - MS01-022-rbupdate
  - Q305399

83 WinNT Service Packs
1. Check the service pack level by running "winver" from the command prompt.
2. Check hotfix levels by looking in the registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\
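The two manual checks above (winver for the service pack, the Hotfix registry key for the hotfixes) can be turned into a compliance check against the required levels listed on slides 80 and 82, so that a local administrator gets a list of what is missing rather than a registry view to read by eye. The following is an added example, not code from the presentation. It assumes that the subkeys under the Hotfix key are named by Q number and that the CSDVersion value under CurrentVersion holds the service pack string winver shows; both assumptions are labelled in the code. The rbupdate entry has no Q number, so it is reported as unverifiable rather than silently passed, and when the script is not run on Windows it falls back to a constructed sample machine.

```python
"""Compare a Windows NT/2000 machine's patch level against the required
list from this talk. Added example, not code from the presentation.

The required service pack and hotfix lists are the ones on the slides.
Assumptions: hotfix subkeys under HKLM\...\Hotfix are named by their
Q number, and CSDVersion under ...\CurrentVersion holds the service pack
string that winver shows. Entries without a Q number (the MS01-022
rbupdate) cannot be verified from that key and are reported separately.
"""
import re

HOTFIX_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"
VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
Q_RE = re.compile(r"Q\d{6}", re.I)

# Required levels from slides 80 and 82.
REQUIRED = {
    "Windows 2000": {
        "service_pack": "Service Pack 2",
        "hotfixes": ["MS00-077-Q299796", "MS01-007-Q285851", "MS01-013-Q285156",
                     "MS01-022-rbupdate", "MS01-025-Q296185", "MS01-031-Q299553",
                     "MS01-033-Q300972", "MS01-037-Q302755", "MS01-040-Q292435",
                     "MS01-041-Q298012", "MS01-046-Q252795"],
    },
    "Windows NT 4.0": {
        "service_pack": "Service Pack 6a",
        "hotfixes": ["Q299444 rollup", "MS01-022-rbupdate", "Q305399"],
    },
}


def q_number(entry):
    """'MS01-033-Q300972' -> 'Q300972'; None when the entry has no Q number."""
    m = Q_RE.search(entry)
    return m.group(0).upper() if m else None


def check_patch_level(os_name, installed_sp, installed_hotfixes):
    """Report service pack state and missing hotfixes for one machine."""
    req = REQUIRED[os_name]
    have = {q_number(k) for k in installed_hotfixes if q_number(k)}
    missing, unverifiable = [], []
    for entry in req["hotfixes"]:
        q = q_number(entry)
        if q is None:
            unverifiable.append(entry)      # no Q number: check by hand
        elif q not in have:
            missing.append(q)
    # The slides give an exact required level, so compare for equality.
    sp_ok = installed_sp.strip().lower() == req["service_pack"].lower()
    return {"service_pack_ok": sp_ok, "missing": missing,
            "unverifiable": unverifiable, "compliant": sp_ok and not missing}


def read_local_state():
    """Read CSDVersion and the Hotfix subkeys from the local registry.

    Returns None when not running on Windows. Assumption: subkey names
    under the Hotfix key are the Q numbers of the installed hotfixes.
    """
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VERSION_KEY) as key:
        service_pack, _ = winreg.QueryValueEx(key, "CSDVersion")
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HOTFIX_KEY) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:
                break               # no more subkeys
            index += 1
    return service_pack, names


if __name__ == "__main__":
    state = read_local_state()
    if state is None:   # constructed sample machine when not on Windows
        state = ("Service Pack 1",
                 ["Q299796", "q285851", "Q285156", "Q296185", "Q299553"])
    print(check_patch_level("Windows 2000", *state))
```

The sample machine is one service pack behind and missing the last five Win2k hotfixes, which is the kind of result the scripts on the next slides are meant to fix in one pass.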

84 Beams Division Service Pack and Hotfix Scripts
- A reboot is required after a service pack installation to load the drivers.
- A reboot is also usually required after each individual hotfix application.
  - Required because hotfix application must be done in the correct order, since some patches override changes made in earlier patches.

85 Beams Division Service Pack and Hotfix Scripts
- Beams Division maintains service pack installation scripts that:
  - Install the latest service packs
  - Install the latest hotfixes
  - Run the QCHAIN utility to ensure that all of the patches get applied to the OS in the correct order
  - Do a single reboot at the end of the script

86 Beams Division Service Pack Installation
- Beams Division has all of the service pack scripts available on Beamssrv1, with shortcuts located at \\beamssrv1\win2k-setup or \\beamssrv1\winnt-setup.
- Installation instructions are located on our web page at:
  - Win2K: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#SP2
  - WinNT: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#ServicePack

87 Beams Division Service Pack and Hotfix Scripts
- Each time we update a service pack or hotfix, we send out an email notification to all of the local administrators.
- It is important to apply the service packs and hotfixes as they become available.
- Latest data shows that active attacks are started on average 2 weeks after an exploit is revealed.
- Fermilab is probed every day.
- Computers have been hacked within hours of being added to the network.
- Our goal is to start central management of service packs and hotfix patches.

88 Beams-nav-srv
- The goal is to centrally manage service packs and hotfixes with Gravity Storm Service Pack Manager.
- Plan to use Beams-nav-srv to complete this task.
- Testing shows that Norton SSC and Gravity Storm Service Pack Manager can be run on the same server.

89 Service Pack Manager: Opening Screen

90 SP Manager Net Query Shows SP and hotfixes for each selected computer

91 SP Manager Export Data The Export Data option lets you save all of the service pack information to an Excel Spreadsheet for further analysis.

92 Analyze Data You can then sort the data. In this example I sorted the computers by service pack to show you the worst offenders among the WinNT 4.0 computers. These computers are all potential security threats.

93 Analyze WinNT Service Pack Data Results are far better than 6 months ago, but we still have a way to go.
[Chart: WinNT 4.0 computers by service pack level; categories SP3, SP4, SP5, SP6a]

94 Analyze Win2k Service Pack Data Win2k Data is surprisingly bad!

95 SP Manager: Install Service Pack We will show how to install a service pack to a workstation using Service Pack manager run from Beams-nav-srv

96 SP Manager: Install Service Pack
1. Select the computer or computers that you want to install a service pack to.
2. Select the service pack that you wish to install.
3. Right-click and choose to install the service pack.

97 SP Manager: Install Service Pack Start the Win2k SP2 install to \\saugeye from \\beams-nav-srv.

98 SP Manager: Install Service Pack Files are copied from \\beams-nav-srv to \\saugeye.

99 SP Manager: Install Service Pack Task Manager on \\saugeye shows that CPU usage jumps up to 30-40% while the service pack installation files are being copied from \\beams-nav-srv.

100 SP Manager: Install Service Pack \\beams-nav-srv finishes copying files to \\saugeye.

101 SP Manager: Install Service Pack Service pack installation begins on \\saugeye.

102 SP Manager: Install Service Pack File extraction and Task Manager show activity on \\saugeye.

103 SP Manager: Install Service Pack Service pack installation begins on \\saugeye.

104 SP Manager: Install Service Pack After installation, SP Manager reboots \\saugeye.

105 SP Manager: Install Service Pack After the reboot, you can run NetQuery to verify installation

106 SP Manager: Install Service Pack NetQuery after the service pack installation shows that the service pack was installed properly.

107 SP Manager: Install hotfixes Here is an example of installing hotfixes to two computers

108 SP Manager: Install hotfixes
1. Select the computer(s) to update.
2. Select the hotfixes to install.
3. Right-click and select to install to the selected computers.

109 SP Manager: Install hotfixes Countdown timer starts

110 SP Manager: Install hotfixes After installation is complete, a popup window appears informing you that the task is done.

111 SP Manager: Install hotfixes Green indicators show that the hotfixes have been installed.


113 What we do to prevent application compromises
- Application security compromises are becoming a large concern.
- A poorly configured or unpatched application can lead to a system compromise the same way that a poorly configured or unpatched operating system can.
- To maintain a secure system, it is important to:
  - Keep recent and patched applications on your computer.
  - Follow our setup instructions when installing and configuring applications on your computer.

114 Application Vulnerabilities
- Common targets include:
  - Internet Explorer
  - Outlook Express
  - Outlook
  - Netscape
  - Adobe Acrobat
  - IIS and Peer Web Services

115 Latest Applications and their patches
- To simplify this process, we keep a web page that lists the latest applications along with the required patch level at: http://www-bdnew.fnal.gov/network/latest-software-versions.htm

116 Latest Supported Software n Acrobat 5.0 reader n Diskeeper 7 n Exceed 7 with 7.0.0.12 patch n FileZilla 1.5a n Ghostview 4/Ghostscript 7 n IE 6 + MS01-058_q313675 n Leash32 2.0.1.0 n Meeting Maker 7.0.1

117 Latest Supported Software n Microsoft Office 2000 sr1a + Sp2 + Q288266 + Q306603 + Q306604 (Disc 1 and 2) n Netscape 4.77 n Norton Antivirus 7.6 n WinZIP 8.0

118 Installation Instructions n Installation shortcuts for all of our applications exist at \\beamssrv1\winnt-setup or \\beamssrv1\win2k-setup. n Installation instructions exist at: –Win2k http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#Part_4 –WinNT http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#Part_4

119 Application Setup Instructions n In addition, some applications require special configuration to ensure that they are secure. These instructions are located at: http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm

120 Application Patches n One of our goals is to centrally manage application patches in the same way that we are starting to manage operating system patches. n SP Manager has the beginnings of application patch management built in.

121 SP Manager: Application Patches Service Pack Manager will allow you to install patches for the applications it lists, but it will not let you do a version upgrade.

122 SP Manager Applications Here is an example of an IE patch scan

123 Application Vulnerabilities: Future n As application vulnerabilities become more frequent, we may wish to move to a more aggressive application management plan. n Both SMS and Windows 2000 Active Directory (Group Policy software installation) provide mechanisms for pushing application installations to the desktops.

124 Today’s topic Security

125 License Database n Recently we merged our software license database with our existing IP Database. n This is a FileMaker Pro database –Currently runs on v4.0 –Soon will be upgraded to version 5.5 n To simplify the update process, we are granting local administrators access to certain fields inside this database. n If you do not have FileMaker Pro 4.1 on your computer, you can use the following steps to access the database. n When we convert to FileMaker 5.5, you will need to do a local installation of FileMaker 5.5.

126 FileMaker Pro: Setup First, go to the FileMaker Pro directory on Beamssrv1 Drag a shortcut to your desktop

127 FileMaker Pro: Setup The first time that you start FileMaker Pro, you will have to configure it. Click Cancel at the opening screen.

128 FileMaker Pro Setup From the Edit menu, select Preferences->Application. Select TCP/IP as the network protocol. Click Done. The above steps only need to be completed the first time you use FileMaker Pro.

129 FileMaker Pro: Open the Database Close and then re-open FileMaker Pro. Select Open an existing file, then click OK.

130 FileMaker Pro: Open the Database Click the Hosts button

131 FileMakerPro: Open the Database Single-click on Beamsappsrv1 in the local hosts menu

132 FileMaker: Open Database Double-click on ADNET IP Database.fp3 to open the database

133 FileMaker Pro: Open the Database Type the database password to access the FileMaker Pro IP Database controls, then click OK.

134 FileMaker: Open the Database The IP Database is now open! Click on Edit/Browse Records Detail Format to begin

135 FileMaker Pro: Default View

136 FileMaker: Navigating the Database Select Mode->Find from the menu bar, or press Ctrl-F, to start a search.

137 FileMaker: Navigating Database Next, type what you want to search for (* is wildcard) Nodename field is the name of the computer

138 FileMaker: Navigating Database After typing your search, press ENTER to run the search.

139 FileMaker Navigating Database The records field shows how many matches there were for your search. Click the top page of the notepad to go up one entry. Click the bottom page of the notepad to go down one entry. Type a number below the notepad to go to a specific entry.

140 FileMaker Navigating Database Clicking Go To List format shows all of your search matches in a list. Clicking Go To Detail format takes you back.

141 FileMaker Navigating Database Here is a properly filled out entry

142 Search Fields You can view, but not edit, these fields: IP address = the registered IP address Nodename = the computer name Username = the primary user Admin name = the local administrator To change them, fill out a network connection request at: http://www-bdnew.fnal.gov/network/net%20connection.asp

143 Search Fields n More entries that you can view or search on, but cannot edit.

144 Editing Database The group field is the department or group that owns the PC. Hint: If the group name is the same for all of your computers, it becomes an easy field to search on to quickly review all of your computers.

145 Editing Database The Domain/Cluster field is the domain for Windows computers. With the Windows 2000 migration merging the Beams domain with FNAL, it will be important to: Identify which computers have migrated to the Win2k win.fnal.gov domain. Move control system computers from the Beams domain to the BD-Controls domain.

146 Editing Database The operating system that we discovered with the Gravity Storm Service Pack Manager software. Use the format: WinNT 4.0 WinNT 4.0 Server Win2k Win2k Server Change this field as you update the operating system on your computers.

147 Editing Database This is the service pack that we discovered with Gravity Storm Service Pack Manager. Update this field any time you apply a service pack. You may want to enter the date you installed the hotfixes for your own reference.

148 Editing Database Enter information into this field when you install Microsoft Office on your computer. The old Office 97 installations are no longer secure. Office 2000 + sr1 + sp2 + q288266 + q306603 + q306604, without keyserver, is the currently supported version.

149 Editing Database Enter information into this field when you update your Internet Explorer installations. There are only two supported IE versions: IE 6 + Q313675 patch IE 5.5 SP2 + Q313675 patch All other versions should be upgraded for security reasons.

150 Editing Database Update this field when you update your Netscape installations. Netscape versions earlier than 4.75 should be upgraded for security reasons.

151 Editing Database Update this field if you install Norton Antivirus. You can put the virus definition dates here if you wish to keep track of them. Versions prior to 7.0* are not supported under any operating system and should be upgraded. Versions prior to 7.5* need to be upgraded if you are running Win2k.

152 Editing Database Diskeeper 7 is faster and more efficient than earlier versions. Modify this field when you upgrade Diskeeper.

153 Editing Database Modify this field when updating Exceed versions. Exceed 7.0 was the first version to support Kerberos. The Exceed 7.0.0.12 patch is required to make Exceed usable. Exceed 7.1 changed its installation and has problems in our environment, so it is not supported yet.

154 Editing Database Anytime you edit any field in the database, please put a date and initials in these fields.
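Three of the fields above (operating system, service pack, and Internet Explorer version) can be read from each computer's registry rather than typed from memory, and the same read doubles as the post-install check that slides 105 and 106 do with NetQuery. The script below is an added example, not part of the original slides or of SP Manager. It is written in PowerShell (which did not exist in 2002), so it assumes an administrator workstation that can reach the Remote Registry service on each target with local-administrator rights. The baseline it compares against is the one on slides 116, 117 and 149; the node names are constructed placeholders, and the assumption that the IE cumulative patch Q313675 registers itself under the Windows NT Hotfix key is marked in the code.

```powershell
# Added example (not from the original slides): read OS, service pack, hotfixes
# and Internet Explorer version from each computer's registry and compare them
# with the supported baseline. Needs the Remote Registry service on the target
# and local-administrator rights there.

$RequiredHotfixes = @('Q313675')        # MS01-058 IE cumulative patch (slide 149)
$SupportedIEMajor = @('5.5', '6.0')     # IE 5.5 SP2 and IE 6 (slide 149)

# Constructed placeholder node names; replace with the Nodename values from the database.
$Computers = @('node1', 'node2')

function Get-NodePatchState {
    param([string]$Computer)

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $reg  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)

    $nt      = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $version = $nt.GetValue('CurrentVersion')   # '4.0' = NT 4.0, '5.0' = Windows 2000
    $csd     = $nt.GetValue('CSDVersion')       # e.g. 'Service Pack 6'
    $product = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\ProductOptions').GetValue('ProductType')

    # NT 4.0 / Windows 2000 hotfixes register a sub-key named after their Q number here.
    # Assumption: the IE cumulative patch Q313675 registers under the same key.
    $hotfixKey = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix')
    $hotfixes  = if ($hotfixKey) { $hotfixKey.GetSubKeyNames() } else { @() }

    # IE 4 through 9 record their build here, e.g. '6.0.2600.0000'.
    $ie = $reg.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer').GetValue('Version')

    # Map to the format used by the operating system field (slide 146).
    $os = switch ($version) {
        '4.0'   { 'WinNT 4.0' }
        '5.0'   { 'Win2k' }
        default { "Unknown ($version)" }
    }
    # 'WinNT' is a workstation; 'ServerNT' and 'LanmanNT' are server SKUs.
    if ($product -ne 'WinNT') { $os += ' Server' }

    $missing = $RequiredHotfixes | Where-Object { $hotfixes -notcontains $_ }
    $ieMajor = if ($ie) { ($ie -split '\.')[0..1] -join '.' } else { '' }

    [pscustomobject]@{
        Nodename      = $Computer
        OS            = $os
        ServicePack   = $csd
        IEVersion     = $ie
        IESupported   = ($SupportedIEMajor -contains $ieMajor)
        MissingHotfix = ($missing -join ',')
    }
}

foreach ($c in $Computers) {
    try   { Get-NodePatchState -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}
```

Run it from an account that is a local administrator on every node; a node that cannot be reached is reported as a warning instead of stopping the loop, so the remaining computers are still inventoried. The IESupported column only checks the major version; a machine showing IE 6.0 with Q313675 in MissingHotfix still needs the patch before its database entry is updated.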

155 Licensing Issues n All computers with lab software need to be added to this database –This includes home PCs –Most software no longer uses concurrent licensing. n Please send email to bd-net-support@fnal.gov with information on any computers that have laboratory software installed on them and are not in the database. –We will add these entries for you to maintain.

156 Today’s topic Security
