Slide 1: SMS 2003 Deployment and Managing Windows Security
Rafal Otto, Internet Services Group, Department of Information Technology, CERN
26 May 2016
Slide 2: Agenda
HEPiX October 2004, Rafal Otto (CERN IT/IS)
- SMS 2003 Infrastructure
  - What is SMS?
  - Architecture
  - Deployment
  - Rights Policy
- Enhancements in SMS and Active Directory Integration
- Managing Windows Security Updates with SMS 2003
  - SUS Feature Pack
  - Updating Servers
  - Updating Desktops
- Other security related actions
- Conclusions
Slide 3: What is SMS?
- Microsoft Systems Management Server provides centrally managed:
  - software deployment
  - software and hardware inventory
  - software metering
  - remote control
- Additional features:
  - Windows Security Updates Scan Tool
  - Microsoft Office Security Updates Scan Tool
- Supported (managed) platforms:
  - Windows 98, NT: SMS Legacy Clients (none at CERN)
  - Windows 2000, XP, 2003: SMS Advanced Clients (~6000)
- SMS is not designed for system monitoring!
Slide 4: Architecture
(Diagram) Site Server, Distribution Points and clients. Labels on the diagram: Desktop Clients "run from the share"; Remote Clients (VPN, GPRS, Dial-in) "download (BITS)" and "run locally"; client-to-site-server exchange "new package?" / "DP name".
Slide 5: Deployment
(Timeline diagram) Milestones: SMS 2003 Site; Complete SMS 2.0 Infrastructure; Client Migration; Complete SMS 2003 Infrastructure; Complete SMS 2003 SP1 Infrastructure; SMS Client Upgrade to SP1. Dates on the timeline: June 2004, end of June 2004, mid July 2004, Sept 2004, Oct 2004.
Slide 6: Rights Policy
(Table) Areas: SMS Administration, Reporting, Remote Tools, Software Distribution. Access levels shown: anyone who needs it; very limited set of administrators; limited set of trusted users; SMS administrators + license managers.
Slide 8: Background
- Software deployment at CERN is currently based on Group Policy Objects applied to security groups
  - When someone wants to install certain software (e.g. MS Office 2003) on his/her computer, the computer account has to be made a member of a certain security group (e.g. CERN\GP Apply Office 2003)
  - Then, after a reboot, the machine receives the new installation package
- To manage group memberships we have a single entry point, the WinServices website, in particular a service called Group Manager
Slide 9: AD System Discovery
(Diagram) Domain Controller / Active Directory -> SMS Database
- System Discovery: computer accounts (each morning, takes ~90 minutes)
- System Group Discovery: group membership of computer accounts (each morning, takes ~30 minutes)
- Updating Collections (takes a few seconds)
- Any change of a computer's group membership during the day will propagate to SMS the next morning!!!
Slide 10: CERN System Group Discovery
(Diagram) SMS Site Server -> requests -> Windows Service -> SMS Database -> Collections Update
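As an added illustration of the on-request group discovery described on slides 9 and 10 (not CERN's own Windows service, whose code is not on the page), the PowerShell below resolves the computer members of one AD security group and adds them as direct membership rules to the matching SMS collection through the SMS 2003 WMI provider, then asks the site server to refresh the collection immediately instead of waiting for the next morning's discovery. The group DN, site code, provider host and collection name are assumed placeholders.

```powershell
param(
    [string]$GroupDn    = 'CN=GP Apply Office 2003,OU=Groups,DC=example,DC=test',  # assumed DN
    [string]$SiteCode   = 'XXX',               # placeholder SMS site code
    [string]$Provider   = 'smsprovider.example.test',  # assumed SMS provider host
    [string]$Collection = 'GP Apply Office 2003'       # assumed collection name
)
$ns = "root\SMS\site_$SiteCode"

# 1. Resolve the computer accounts that are direct members of the AD group.
#    (DNs containing '(' ')' '*' or '\' must be LDAP-escaped before use in a filter.)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(memberOf=$GroupDn))"
$null = $searcher.PropertiesToLoad.Add('name')
$members = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

# 2. Locate the target collection; Get() loads the lazy CollectionRules property.
$coll = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_Collection -Filter "Name='$Collection'"
if (-not $coll) { throw "collection '$Collection' not found in $ns" }
$coll.Get()
$existing = @($coll.CollectionRules | ForEach-Object { $_.ResourceID })

# 3. Add a direct rule for every member not already in the collection.
$ruleClass = [wmiclass]"\\$Provider\${ns}:SMS_CollectionRuleDirect"
foreach ($name in $members) {
    $res = Get-WmiObject -ComputerName $Provider -Namespace $ns `
        -Query "select ResourceID,Name from SMS_R_System where Name='$name'"
    if (-not $res) { Write-Warning "$name not yet discovered by SMS"; continue }   # needs System Discovery first
    if ($existing -contains $res.ResourceID) { continue }
    $rule = $ruleClass.CreateInstance()
    $rule.ResourceClassName = 'SMS_R_System'
    $rule.ResourceID        = $res.ResourceID
    $rule.RuleName          = $name
    $null = $coll.AddMembershipRule($rule)
    Write-Host "added $name to '$Collection'"
}

# 4. Re-evaluate the collection now rather than at the next scheduled update.
$null = $coll.RequestRefresh($false)
```

The script only adds members; computers removed from the AD group keep their direct rule until the nightly System Group Discovery (or a matching removal step) drops them.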
Slide 12: SUS Feature Pack
(Diagram) Microsoft Download Center <-> SMS 2003 Site Server: the Sync Tool sends an MSSecure.xml update request and receives MSSecure.xml together with patches, QFEs and SPs; the Scan Tool runs on the clients and reports through Hardware Inventory; updates are deployed by Advertisement and the clients return the Installation Status.
- Limitation! Works only with updates managed by MBSA 1.2 (not all products are covered)
Slide 13: Reports on security updates
(Screenshot of the SMS security update reports)
Slide 14: Updating Servers
- ~130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers)
- Most of the updates need a reboot at the end of the installation
- There are groups of servers in which at least one machine has to be online at any time (e.g. the 3 domain controllers)
- We do not want to trust the SMS scheduler to reboot the servers
- Our approach:
  - We deploy patches with the option "postpone reboot forever"
  - We use our own mechanism to reboot servers that are pending a reboot, by hand
  - The "pending reboot" status of the machine is taken directly from the SMS database
Slide 15: Rebooting servers
(Screenshot of the server reboot tool)
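One way to enforce the rule from slide 14 that at least one machine per server group stays online while the pending servers are rebooted one at a time; this is an added example, not the CERN tool shown on slide 15. The group layout and the list of servers pending a reboot are constructed inputs (placeholder host names); on the page that list comes from the SMS database, whose query is not reproduced here.

```powershell
# Constructed example data: service groups and the servers SMS reports as pending a reboot.
$Groups = @{
    'DomainControllers' = @('dc1.example.test', 'dc2.example.test', 'dc3.example.test')
    'WINS'              = @('wins1.example.test', 'wins2.example.test')
}
$PendingReboot = @('dc1.example.test', 'dc2.example.test', 'wins1.example.test')

function Test-Online([string]$Name) {
    Test-Connection -ComputerName $Name -Count 1 -Quiet
}

function Invoke-RollingReboot {
    param([hashtable]$Groups, [string[]]$Pending, [int]$TimeoutSec = 900, [switch]$WhatIf)
    $log = @()
    foreach ($group in $Groups.Keys) {
        $members = $Groups[$group]
        foreach ($server in ($members | Where-Object { $Pending -contains $_ })) {
            # Quorum check: some other member of the group must answer before this one goes down.
            $others = @($members | Where-Object { $_ -ne $server })
            $up     = @($others | Where-Object { Test-Online $_ })
            if ($others.Count -gt 0 -and $up.Count -eq 0) {
                $log += "SKIP  $server ($group): no other member online"
                continue
            }
            if ($WhatIf) { $log += "WOULD reboot $server ($group)"; continue }
            # Sequential reboot: wait for the box to come back before touching the next one.
            Restart-Computer -ComputerName $server -Force -Wait -For PowerShell -Timeout $TimeoutSec
            if (Test-Online $server) {
                $log += "DONE  $server ($group)"
            } else {
                # Stop working on this group: a second reboot now could take the last member down.
                $log += "FAIL  $server ($group): not back after $TimeoutSec s"
                break
            }
        }
    }
    return $log
}

# Dry run first, then the real thing.
Invoke-RollingReboot -Groups $Groups -Pending $PendingReboot -WhatIf
Invoke-RollingReboot -Groups $Groups -Pending $PendingReboot
```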
Slide 16: Updating Desktops (1)
- The SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2)
- SMS packages are based on the operating system
  - One package (Adv) is used for new patches: published but not assigned
  - The second package contains all baseline patches and is assigned to run each day
Slide 17: Updating Desktops (2)
- Patches not supported by the SUS Feature Pack:
  - Packages are created manually for each patch
  - Depending on the severity they are assigned or published
  - A wrapper is needed that notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times
- With new versions of MBSA more and more products should be supported
Slide 19: Other security related actions
- Windows XP SP2 deployment (pilot)
  - additional firewall features
  - new Internet Explorer and Outlook Express: Attachment Execution Service, HTML images, add-ons manager, pop-up blocker
  - DCOM and RPC improved security
- Get rid of weak LM hashes (soon)
  - used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy, etc.
  - since Windows NT 3.5 NTLM authentication is used (the NTLM hash is much stronger)
Slide 20: Other security related actions
- Local administrator password reset
  - periodic (3 months)
  - web interface to change it again (available to the main responsible for the machine)
- Local administrators group (plan)
  - in the past each user was a member of the local administrators group on his/her machine
  - this will no longer be mandatory
  - web interface to become a member (available to the main responsible for the machine)
Slide 21: Conclusions
- SMS 2003 makes the infrastructure much better managed
  - security scans + patch deployment
  - software inventory
- Other improvements in security were done
  - Windows XP SP2 deployment
  - New policy for the local admin password and the local administrators group