WNAG: Advisory Report Presented to: UCIST by: Stephen Sempson.

Description of Computers
There are approximately 2780 clients on Nexus as of Nov. 4, 2004:
–2000 Server: 15
–2003 Server: 41
–2000 Pro: 752
–XP Pro: 1895
–Netapps: 8 (identified as Windows NT)
(Engelke E., Nov. 2004)

Login Data/Stats
First time that data has been collected since the move to Nexus (Active Directory)
7 MB of data was extracted from over 1300 OUs in the AD
Question arises: how fair is the sharing of labs?
Engineering now running a Terminal Server (engterm)
External account logins account for ~5% of total logins
Data collection from the spring was problematic, due to people implementing firewalling.
–This brought several issues to attention which could be resolved in the coming months.
Acquisition of stats: the acquisition of statistical data is non-trivial, but not difficult.
–Processing the huge numbers is slow; algorithms modified accordingly.
(Engelke E., Jun. 2004)

Accounts
CS pre-allocates disk space for students enrolled in CS courses
Scratch creates passwords from a trusted source
Creates homespace
Account creation system (aka Scratch): Stephen Carr to write documentation
Evaluation of the Scratch system to take place after the Fall 04 term

Scratch (Account Creation Tool)
Assumes that a Unix account for the student does not exist
Creates a password (based on rules defined by the faculty), then SSHes into the host and runs the acct command
Then sends the password to the AD
AD accounts are already created via adman; possibility of having Unix accounts batch-created and just 'sitting' there
Problems
–Creation of spam
–Users show up in the wrong group
–Any student who is listed as an employee as well (i.e. co-op students on campus, athletics instructors, TAs, RAs, and the list goes on) cannot use the Scratch tool, and their uwdir department data is flawed by HR
Bruce Campbell expresses the hope of having the "New Users" link working in all faculties
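As an added illustration of the Scratch flow above (this is not the Scratch tool's own code; its source is not on this page), the PowerShell below shows the two security-relevant steps: generating the password from a CSPRNG rather than a predictable source, and handing it to the Unix host over ssh on stdin rather than on the command line, where it would show up in process listings and shell history. It also checks that the Unix account really does not exist instead of assuming it. The host name, the argument convention of the acct command (user name as argument, password on stdin), the use of getent for the existence check, key-based ssh authentication and the faculty password rule (12 characters, mixed case plus a digit) are all assumptions; only the acct command and the AD hand-off come from the page.

```powershell
# Added example, not the real Scratch tool. Assumes the ActiveDirectory module,
# an ssh client on PATH with key-based auth to $UnixHost, and a Unix-side 'acct'
# command that takes the user name as its argument and reads the password from
# stdin (assumption: the page only names the command).

function New-RandomPassword {
    # Assumed faculty rule: 12 characters, at least one lower, one upper, one digit.
    # Ambiguous glyphs (l, o, I, O, 0, 1) are left out so the printed slip reads cleanly.
    param([int]$Length = 12)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection threshold: no modulo bias
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $alphabet[$buf[0] % $alphabet.Length]
        }
        $pw = -join $chars
    } while ($pw -cnotmatch '[a-z]' -or $pw -cnotmatch '[A-Z]' -or $pw -notmatch '\d')
    return $pw
}

function Test-UnixAccountExists {
    param([Parameter(Mandatory)][string]$UnixHost, [Parameter(Mandatory)][string]$UserName)
    # 'getent passwd' exits non-zero when the user is unknown (assumption about the host).
    & ssh -o BatchMode=yes $UnixHost "getent passwd $UserName" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function New-ScratchAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$UnixHost
    )
    # The user name is interpolated into a remote shell command line, so it is
    # validated first; anything else would be a command-injection path into acct.
    if ($UserName -notmatch '^[a-z][a-z0-9]{1,15}$') { throw "Unacceptable user name '$UserName'" }

    if (Test-UnixAccountExists -UnixHost $UnixHost -UserName $UserName) {
        throw "Unix account '$UserName' already exists on $UnixHost; refusing to overwrite"
    }

    $password = New-RandomPassword
    if ($PSCmdlet.ShouldProcess("$UserName@$UnixHost", 'create Unix account with acct')) {
        # The password travels on stdin inside the ssh session, never as an argument.
        $password | & ssh -o BatchMode=yes $UnixHost "acct $UserName"
        if ($LASTEXITCODE -ne 0) { throw "acct failed on $UnixHost (exit $LASTEXITCODE)" }
    }
    if ($PSCmdlet.ShouldProcess($UserName, 'set AD password')) {
        # The AD account already exists (created by adman); only its password is set here.
        $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
        Set-ADAccountPassword -Identity $UserName -Reset -NewPassword $secure
    }
    return $password   # caller decides how to deliver it to the student
}

# Dry run: -WhatIf reports both steps without touching the host or the AD.
New-ScratchAccount -UserName 'jdoe' -UnixHost 'unixhost.example' -WhatIf
```

Because ssh is run with BatchMode=yes, a missing or wrong key fails fast instead of hanging on a password prompt; and because the password is returned rather than written anywhere, the caller (not this function) chooses the delivery channel, which keeps it out of transcripts and job logs.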

Organizing of Workstations
Location of workstations is important; should be standardized across faculties
Postal Code field to be used for this purpose
Format to be building code + room number
–e.g. BMH 2222
To be completed at the OU level

GPO Naming Conventions
Currently
–Faculty - Group - Server Name - Application Name
To be changed to
–Faculty - Group - Application Name - Server Name
Erick Engelke has adman available to 'fix' this

Nexus domain printer names
Labelling of printers is confusing
Needs to conform to conventions
Recommend changing to
–Group-Building-Room number
–e.g. Sci-esc-254d
Remove default of publishing to the AD
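The three conventions above (workstation location in the Postal Code field, the reordered GPO name, and Group-Building-Room printer names with no AD publishing) are the kind of thing a script should enforce rather than a person. The PowerShell below is an added example of such checks and is not adman, the page's own tool. It assumes the ActiveDirectory, GroupPolicy and PrintManagement modules (the last two post-date the Windows 2000/2003 environment the page describes), assumes that building codes are 2 to 4 capital letters and rooms 3 or 4 digits with an optional suffix, that old GPO names have exactly four " - " separated parts, and that the print server runs a modern Windows; the computer and printer names used in the dry run are made up.

```powershell
# Added example: convention checks for the three Nexus naming rules. Not adman.
# Assumes the ActiveDirectory, GroupPolicy and PrintManagement modules.

# 1. Workstation location: postalCode = "<building> <room>", e.g. "BMH 2222".
#    The pattern is an assumption about building codes and room numbers.
$LocationPattern = '^[A-Z]{2,4} \d{3,4}[A-Za-z]?$'

function Test-NexusLocation {
    param([Parameter(Mandatory)][string]$Location)
    return ($Location -match $LocationPattern)
}

function Set-NexusComputerLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$Location)
    if (-not (Test-NexusLocation $Location)) {
        throw "Location '$Location' does not match '<BUILDING> <ROOM>' (e.g. BMH 2222)"
    }
    if ($PSCmdlet.ShouldProcess($ComputerName, "set postalCode=$Location")) {
        # Set-ADComputer has no -PostalCode parameter, so the attribute is set by name.
        Set-ADComputer -Identity $ComputerName -Replace @{ postalCode = $Location }
    }
}

# 2. GPO names: "Faculty - Group - Server - Application" -> "Faculty - Group - Application - Server".
function ConvertTo-NewGpoName {
    param([Parameter(Mandatory)][string]$OldName)
    $parts = $OldName -split '\s-\s'
    if ($parts.Count -ne 4) { return $null }   # not the old four-part form: leave it for a human
    return '{0} - {1} - {2} - {3}' -f $parts[0], $parts[1], $parts[3], $parts[2]
}

function Rename-NexusGpo {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($gpo in Get-GPO -All) {
        $new = ConvertTo-NewGpoName $gpo.DisplayName
        if ($null -eq $new -or $new -eq $gpo.DisplayName) { continue }
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "rename to '$new'")) {
            Rename-GPO -Name $gpo.DisplayName -TargetName $new
        }
    }
}

# 3. Printers: "Group-Building-Room", e.g. "Sci-esc-254d", and not published to the AD.
$PrinterPattern = '^[A-Za-z]+-[A-Za-z]+-\d+[A-Za-z]?$'

function Get-NonConformingPrinter {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-Printer -ComputerName $ComputerName |
        Where-Object { $_.Shared -and ($_.Name -notmatch $PrinterPattern -or $_.Published) } |
        Select-Object Name, Shared, Published
}

function Remove-NexusPrinterPublishing {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($p in Get-Printer -ComputerName $ComputerName | Where-Object Published) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'unpublish from AD')) {
            Set-Printer -ComputerName $ComputerName -Name $p.Name -Published $false
        }
    }
}

# Dry runs: with -WhatIf nothing is changed, only reported.
Set-NexusComputerLocation -ComputerName 'LAB-PC-01' -Location 'BMH 2222' -WhatIf
Rename-NexusGpo -WhatIf
Get-NonConformingPrinter
Remove-NexusPrinterPublishing -WhatIf
```

Run the -WhatIf forms first and read the report: a GPO whose application name itself contains " - " comes back with five parts and is deliberately skipped rather than mangled, and a printer that is shared but not published is listed only if its name is wrong.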

New Logon Page
To be generated by PHP
Created by OUs (blocking enabled)
Fine-tuning to be done; eventually to work off of a server
The importance of a 'consistent' interface across campus

Laptops in Nexus
Enabling Nexus laptops has been successful in AHS and Science.
Currently, one needs to have the user log on once while the laptop is on the network, in order to create a "cached" copy of the local profile. (Logging on later, off the network, also depends on Windows keeping cached domain credentials, i.e. the Winlogon CachedLogonsCount setting being non-zero.)
Laptop issues should be considered when planning NAA or its replacement in the future.

XP SP2
This service pack incorporates some new security
This will cause problems for Nexus clients
–XP SP2 fails with ngina.dll
–Network services at startup are killed
–No warnings given by MS; deemed it to be virus-like activity
Implementation of SP2 has been held back
–SUS servers will not deploy SP2 yet; it has not been approved
Still numerous W2K workstations out in the field

XP SP2 (cont.)
August 2004: an emergency XP SP2 version of ngina.dll was implemented on Nexus
This program logs basic login/logoff events, which is used to manage security
This also enables collection of statistics
As of Nov. a new ngina.dll has been implemented and tested in Engineering. No problems to date.

Security/Thefts
Math: using electronic door locks, shutting PCs off, locking labs at night
ES: systems secured with fibre and some labs with door combination locks; password-controlled teaching labs
Arts: bolts their computers to the tables, and one public lab is locked outside regular hours, though this one is booked for some classes
AHS: bolting PCs to tables, security screws, fibre-optic security cable
Notice of thefts to be sent via list, just as a 'heads-up'
Watcard discussed as possible entry system (cost $800 per swiper)
Possible for a UPC swiper to read Watcard
Erick Engelke to work on security system

ADS Domain Comparison
UW began deploying the two campus Active Directory domains "Nexus" and "ADS" about 3.5 years ago.
Nexus is used by 2726 workstations and servers.
The ADS domain is used by approximately 1257 workstations and servers.

ADS Domain Comparison (cont.)
ADS allows approximately
–9 individuals onto all server areas
–about 25 people onto all workstations
–about 129 people with administrative access to portions of 1257 computers
Nexus currently allows
–26 individuals onto MOST server areas
–26 individuals onto MOST workstations
–about 90 people with administrative access to portions of 2726 computers

ADS Domain Comparison (cont.)
A Nexus proposal would allow
–4 individuals onto most server areas
–4 individuals onto all workstations
–26 people with access to student user data
–about 90 people with administrative access to portions of 2726 computers
–local control, where a faculty or department has total access to its own area, and very few outsiders have any access

Security Approach
The approach we are taking is to create new groups in a standardized way, so that it is easier for us to add the necessary permissions. That was made a little difficult because some areas have a different OU structure than everyone else.
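The "N individuals onto all server areas / all workstations / portions" figures in the comparison slides, and the standardized groups this slide proposes, both come down to one question: how many distinct people can reach what, once nested group membership is flattened. The PowerShell below is an added example of producing those counts from the AD; it is not the method the page used for its numbers. The group names (a server-admin group, a workstation-admin group, and one "... Local Admins" group per faculty or department) are assumptions standing in for whatever Nexus actually uses; the built-in Domain Admins, Enterprise Admins and Administrators groups are included in the "all servers" set because membership there reaches everything regardless of what any custom group says.

```powershell
# Added example: count distinct people behind each level of administrative reach.
# Assumes the ActiveDirectory module. The custom group names are assumptions;
# the built-in groups are real and always reach every domain member.
$AllServerGroups      = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Nexus Server Admins')
$AllWorkstationGroups = @('Nexus Workstation Admins')
$PortionGroupFilter   = 'Name -like "* Local Admins"'   # one group per faculty/department (assumption)

function Get-FlatUserMember {
    # Returns the distinct user accounts behind the named groups, nested groups expanded.
    param([Parameter(Mandatory)][string[]]$GroupName)
    $users = foreach ($g in $GroupName) {
        # -Recursive expands group-in-a-group membership, which a glance at the
        # top-level group misses and which is how admin lists quietly grow.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    return @($users | Sort-Object -Property SamAccountName -Unique)
}

function Get-AdminReachReport {
    param([int]$ComputerCount = @(Get-ADComputer -Filter *).Count)

    $servers = Get-FlatUserMember $AllServerGroups
    $wks     = Get-FlatUserMember $AllWorkstationGroups
    $portionGroups = @(Get-ADGroup -Filter $PortionGroupFilter | Select-Object -ExpandProperty Name)
    $portions = if ($portionGroups.Count -gt 0) { Get-FlatUserMember $portionGroups } else { @() }

    # Someone who already has broad reach is not counted again under "portions".
    $broad       = @($servers + $wks | Sort-Object -Property SamAccountName -Unique)
    $portionOnly = @($portions | Where-Object { $_.SamAccountName -notin $broad.SamAccountName })

    [pscustomobject]@{
        Computers        = $ComputerCount
        AllServerAreas   = $servers.Count
        AllWorkstations  = $wks.Count
        PortionGroups    = $portionGroups.Count
        PortionsOnly     = $portionOnly.Count
        ServerAdmins     = ($servers.SamAccountName -join ', ')   # names, for review by WNAG
    }
}

Get-AdminReachReport | Format-List
```

Two caveats when reading the result. Membership that reaches a machine's local Administrators group through a Restricted Groups GPO, or that was added directly on the machine, is invisible to this query; spot-check a sample of workstations with Get-LocalGroupMember Administrators and compare. And a person who appears in both a server group and a "portion" group is, by design, counted once, under the broader reach, which is the number that matters when deciding who the "4 individuals" of the proposal should be.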

Guiding Principles
Improvement of security
No loss in functionality
Image/perception of constituent

Guiding Principles (cont.)
Preserving local administrators' ability to do the job unencumbered. This would include the ability to:
–add users
–install and manage workstations, servers and printers
–install software on the unit's workstations
–add scripts as necessary
–select, review and edit GPOs
–select an appropriate SUS and NAV strategy for the clients

Guiding Principles (cont.)
Enhancing the effectiveness of the local computing unit
–offer greater assurances of security to the office user community
–other initiatives not mentioned in this document, e.g. edit the login browser page
Reducing exposure to unnecessary privileges from 'outsiders' of the local department
Providing the ability to select a peer group who could cover during vacations

Guiding Principles (cont.)
Enabling emergency accounts possessing extraordinary privileges
–to deal with crisis situations
–to provide backup in the rare event that no departmentally selected peer member can be reached
–to better document changes by requiring WNAG notification
Maintaining a system consistent with the distributed management philosophies embodied in Watstar/Polaris/Nexus over the last twenty years

Security Proposal
Possible due to:
–Local flexibility of Nexus
–Security on the local PC (security on the edge)
–Dynamic collaboration/cooperation of the group
Near-autonomous control over their own areas, as well as the ability to work unencumbered in a large shared environment.

Security Proposal (cont.)
5 Major Points
–Training (suggested only)
–GPO editing (GPMC tool)
–Changing passwords for moving students; more specifically, solving problems for all students
–Symantec administration (MMC on local PC)
–Faculty representation

Faculty Representation
How to distribute?
–Agreed upon that 4 (!!) are to be created
–Distribution to be 2 for EC, specifically E. Engelke and H. Tam
–and 2 for the other faculties, either on a rotational basis between faculties or to be assigned
The assigned model was noted because of its stability and consistency.

Security Proposal (cont.)
Nov. 11, 2004: WNAG unanimously voted to adopt the proposed management system, to effect the changes today, and to review this (or any other aspect of the system) at any time we wish; we agreed that next autumn would be a good time to review everything we have learned, etc.