FNAL Configuration Management. Jack Schmidt, Cyber Security Workshop, May 23-24th 2006.


1 FNAL Configuration Management
Jack Schmidt
Cyber Security Workshop
May 23-24th 2006

2 CD/CSS/CSI Fermi National Accelerator Lab
Configuration Management
– Antivirus services for Windows, Linux, Macintosh
– Patching services for Windows, Linux, Macintosh

3 AV
AV Policy
– All systems that offer Windows services must run AV (Samba servers, shares)
– All Windows desktops and servers must run antivirus
AV Baseline
– Defines AV service as a NIST Major Application
– Provides service settings for clients (workstations/servers) and AV servers

4 Windows AV
Central Windows AV Service
– Uses Symantec Enterprise (only AV, no firewall)
– Built on cluster for failover*
– AV server contacts Symantec every 15 minutes for updates
– Clients contact FNAL server every 30 minutes
– Clients contact Symantec daily*
– Clients available for all Windows systems on the FNAL network (DOE/University owned) except home-owned systems
– Service managed by Domain Administrators

5 Linux AV
Linux AV Service
– No central service at this time*
– Scientific Linux Fermi (SLF) distributed with ClamAV RPM
– Samba servers required to run centrally supported AV software (ClamAV or Symantec)

6 Macintosh AV
Macintosh AV Service
– Working with Symantec on using Windows central service
– Currently distribute client with no configuration settings*
– Samba servers required to run centrally supported AV software (ClamAV or Symantec)

7 Windows Patching
Windows Patching Service
– Designed by Windows Policy Committee
– Patches reviewed and rated
– Three Tier Solution:
  – Local Method
  – Site SMS Service*
  – Site WSUS Service
– Site SMS & WSUS service managed by Domain Admins

8 Windows Patching
Microsoft Patch Flow
– Domain Administrators examine patches on Patch Tuesday
– Review patches with Computer Security Team (CST)
– Patches rated/required date set:
  – FNAL Mandatory. Required for system to be on network
  – FNAL Recommended

9
To: banditos@fnal.gov;
Subject: May, 2006 Microsoft Patches

MANDATORY Patches:
Due Date: None at this time

RECOMMENDED Patches:
Due Date: 6-15-2006

The following is a link to the May, 2006 Microsoft list of critical and important patches.
http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

Except for any patches that have been deemed Mandatory by CST, these patches should be applied within one month at your earliest convenience using patch deployment tools.

If you are a subscriber to the central lab SMS facility, additional information can be found at http://#####/private/sms/patchrollup/

An announcement to all SMS OU administrators will be sent out once a SMS package is available.

If you need the patches, you can also obtain them from \\#####\fermi-rollup.

Please note: The above patches have been flagged as either important or critical from Microsoft and should be installed on Windows systems at your earliest convenience. Some or all of the above may become mandated by CST and could become mandatory to allow your system to be on the Fermilab campus network.

-- The Windows Domain Admins

10 Windows Patching
Microsoft Patch Flow (cont):
– Domain Admins build SMS packages
– Workstation/Server Admins distribute to systems by given date
  – CST may require central rollout of patch by Domain Admins
– WSUS applies mandatory patch to systems after due date
  – Active Directory GPO points domain systems at our WSUS instead of Microsoft Update

11 Windows Patching
Other Windows Patches
– Notification via CIAC or vendor. Windows Policy Committee monitors lists.
– Domain Admins meet with CST. Review importance of patch.
– Patch rated/required date set
– SMS package made available to Workstation/Server Admins for distribution

12 Windows Patching
Patch Tracking:
– SMS queries used to track patch rollout no matter which method is used
How Are We Doing?
– Much better than visiting each system!
– Delegated patch distribution a mixed bag: dependent on skill set of local admins
– Pushing for central rollout of all patches

13 Linux Patching
Linux Patching Service
– Designed by Our Linux Gurus
– Errata review process
– Service managed by SLF* Experts
– FNAL uses YUM to distribute errata. SLF comes with YUM preconfigured for FNAL servers.
*SL: Scientific Linux (http://www.scientificlinux.org); SLF: Scientific Linux Fermi

14 Linux Patching
SL(F) Errata Flow
– Errata examined by SL(F) maintainers
– Review errata with Computer Security Team (CST)
– Errata rated/required date set
– Errata built by SL maintainers and released to SL community for testing
– After SL testing/feedback, errata moved to SLF servers and distributed

15 Linux Patching
Linux Errata Flow (cont):
– Clients check for errata from distribution servers nightly
– Clients check for mandatory errata hourly*

16 Linux Patching
Errata Tracking:
– Building inventory system based on OCSInventory NG
How Are We Doing?
– Central patching via YUM has been in use for years. Works well.
– Local Admins have the ability to disable YUM updates
– SL Caveat. Must build errata from source, can’t use commercial patching solutions

17 Macintosh Patching
Mac users must patch their own systems
No defined patch identification policy
Testing central patching solutions
– SMS add-ons (Vintela/Quest)
– Apple Workgroup Server

18 Questions?

