Managing CERN Desktops with Systems Management Server (SMS 2003) Michel Christaller Internet Services Group Department of Information Technology CERN May.

Managing CERN Desktops with Systems Management Server (SMS 2003)
Michel Christaller, Internet Services Group, Department of Information Technology, CERN, May 2005

Michel Christaller – CERN IT/IS

Summary
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

Summary
- CERN infrastructure
  - What is SMS?
  - SMS history at CERN
  - Server architecture
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

What is SMS?
- Microsoft Systems Management Server:
  - software deployment
  - software and hardware inventory
  - software metering
  - remote control
- Additional features (SUS Feature Pack):
  - Windows Security Updates Scan Tool
  - Microsoft Office Security Updates Scan Tool
  - Extended Security Tool (non-MBSA patches)

SMS Architecture (diagram)
- Site & Database Server
- Desktop clients ask the Management Points "new package?", report inventory, and run packages from the share on the Distribution Points
- Remote clients (VPN, GPRS, dial-in) ask the same question and report inventory, but download the package (BITS) and run it locally

SMS History at CERN
- SMS 2.0 used from 2001
- SMS 2003 deployed Summer 2004
- SMS 2003 SP1 deployed Autumn 2004
- More MPs needed due to patch deployments
  - 3 MPs with NLB
- 10Gb database now

Server Infrastructure
- Native Windows 2003 Active Directory (3 DCs)
  - Heavy use of Groups, Group Policies and startup scripts
- SMS infrastructure (Windows 2003, SMS 2003 SP1)
  - 1 Site server, 3 Distribution Points, 3 Management Points
- Other servers (mostly Windows 2003 SP1)
  - ~30 file servers
  - ~180 servers total, 50Tb disk space (Mail, Web, Terminal servers, etc.)
- Web-based administration interface (…)
- ~6000 managed desktops
  - 1/4 Windows …, …/4 Windows XP

Summary
- CERN infrastructure
- Managing assets
  - Desktop installation
  - Computer Management (web site)
  - Hardware & software inventory
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

Desktop Installation
- DianeCD on WinPE
  - Windows Pre-Installation Environment: stripped-down Windows
  - Includes the latest drivers, so no need for DOS network drivers
  - Available on bootable CD
  - Configures HCP only
  - Copies model-dependent drivers to the local disk
  - Launches the installation through the network
  - Allows LM hash authentication to be forbidden (it was needed by the DOS network layer)

Computer Management
- User-oriented web-based administration (screenshot)

Hardware & Software Inventory
- Inventory by SMS:
  - Hardware
  - Software (programs installed)
  - Files

Summary
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
  - XP SP2 deployment
  - .Net Framework deployment
- Deploying security patches with SMS
- Conclusion

XP SP2 Deployment
- XP SP2 offers enhanced security
  - Firewall, IE6 SP2
- 90% of XP SP1 computers upgraded to SP2
- Recurrent SMS package
  - Pops up to the user every day for one month
  - Forced installation if the user is not responsive
  - Launches the XPSP2.exe upgrade
  - Distributed to XP SP1 computers, gradually by department
- Coupled with the Office XP upgrade to Office 2003
- Almost no incompatibilities seen (except for some engineering applications)
- Goal: support only Windows XP SP2 / Office 2003 by end of year

.Net Framework Deployment
- .Net Framework 1.1 needed to deploy next-generation applications like the new CERN Newsreader
- SMS package combining .Net Framework 1.1, SP1 and hotfix
- Deployed on all XP SP2 computers
- 25 chances to install at will, then forced
- Program deployment with SMS often needs VB scripting to establish a user interface

Adobe Acrobat 7 Deployment
- Acrobat Reader 6 deployed through GP at startup
- Acrobat 7 deployed with SMS
  - Difficulty: Reader 7 and Professional 7 together
  - VB script detects status and upgrades
  - Advertisement comes every day
- Distributed to computers having Acrobat 6 products

Summary
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
  - Why patching?
  - Patching policy
  - SUS Feature Pack
  - Non-MS patches
  - Reporting
- Conclusion

Why Patching?
- Exploits are often made public before patches
- Un-patched computers get viruses, which install backdoors, which come with key-loggers and root-kits
- Root-kits are really difficult to clean up or even detect, and are used for illegal activities (spamming, file exchange, DOS attacks, etc.)
- CERN severely affected by an unmanaged computer hacked in May 2004

Patching Policy
- How to maximize coverage and minimize reboots?
- Group patches by product
  - System-related, by OS version
  - Other products: Messenger, Media Player, Acrobat, Putty, etc.
- Deploy first as 'advertised' (installation not forced) for some time
  - One package for the latest patches, all OS versions
- Second deployment: forced installation and reboot
  - One baseline package per OS version
- Recurrent every day on all computers missing patches

SUS Feature Pack
- Based on the MBSA detection tool
  - Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC
  - MS Office patches with Office Updates
- Uses a mssecure.xml file
- The patchinstall wrapper provides the user interface

SUS Feature Pack (diagram)
- Components shown: Microsoft Download Center, SMS 2003 Site Server, MSSecure.xml, Sync Tool, update request, patches/QFEs/SPs, Scan Tool, hardware inventory, advertisement, installation status
- Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)

Products Not Detected by MBSA
- Extended Security Tool
  - Workaround to deploy some MS product patches: Windows Messenger & MSN Messenger, Media Player, .Net Framework
  - Similar to SUSFP (XML file and patchinstall wrapper)
  - Will be merged into SUSFP in the future
- Non-MS products
  - Make a VB script for the user interface; deployment based on inventory (file versions / programs installed)
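As an added example (not CERN's or SMS's own code) of the inventory-based targeting described here and of the advertised-then-forced policy from the Patching Policy slide: the patch table, file names, version strings, inventory rows and the two-week grace period are all constructed or assumed values, not real CERN data.

```python
from datetime import date

# Constructed patch table: name -> (file checked, first fixed version, OS scope or None)
PATCHES = {
    "putty-sample": ("putty.exe", "0.58.0.0", None),
    "xp-sample": ("ntdll.dll", "5.1.2600.2180", "XP"),
    "2000-sample": ("ntdll.dll", "5.0.2195.7000", "2000"),
}

def parse_version(text):
    """Compare versions numerically, so '5.1.2600.2180' > '5.1.2600.999'
    (a plain string comparison gets this wrong and misses the patch)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def missing_patches(computer):
    """Patches a computer still needs, decided from its inventory rows."""
    missing = []
    for name, (fname, fixed, os_scope) in PATCHES.items():
        if os_scope and computer["os"] != os_scope:
            continue
        installed = computer["files"].get(fname)
        if installed is None:  # file absent: product not installed, nothing to patch
            continue
        if parse_version(installed) < parse_version(fixed):
            missing.append(name)
    return missing

def build_collections(inventory, today, advertised_since, grace_days=14):
    """Phase 1: one advertised collection for all OS versions.
    Phase 2: once the grace period has passed, one forced baseline per OS.
    Dates are ISO strings; grace_days is an assumed value."""
    elapsed = (date.fromisoformat(today) - date.fromisoformat(advertised_since)).days
    advertised, forced = [], {}
    for c in inventory:
        if not missing_patches(c):
            continue
        advertised.append(c["name"])
        if elapsed >= grace_days:
            forced.setdefault(c["os"], []).append(c["name"])
    return advertised, forced

INVENTORY = [  # constructed sample rows, not real CERN inventory
    {"name": "pc1", "os": "XP", "files": {"ntdll.dll": "5.1.2600.2180", "putty.exe": "0.58.0.0"}},
    {"name": "pc2", "os": "XP", "files": {"ntdll.dll": "5.1.2600.1106"}},
    {"name": "pc3", "os": "2000", "files": {"ntdll.dll": "5.0.2195.7000", "putty.exe": "0.57.0.0"}},
]

if __name__ == "__main__":
    print(build_collections(INVENTORY, "2005-05-26", "2005-05-12"))
```

Run daily, the same two calls give the recurrent collections the slides describe: computers drop out as soon as their inventory shows the fixed file version.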

Reports on Security Updates (screenshot)

Deployment Status of MS (graph from SMS patch status data)
- Patch published by Microsoft on 12th of May
- Patch advertised to all CERN computers
- Forced deployment started

Conclusion
- Reaching 100% coverage is a dream
  - Always a computer without disk space, broken files, etc.
- SMS 2003 makes the infrastructure much better managed
  - Hardware & software inventory
  - Pushed software installations (GP 'Assign to computer' was running only at startup)
  - Patch deployment and status
- Drawbacks
  - Heavy inventory phases are annoying for slow computers
  - Packaging steps may be necessary; deployment of non-MS products often requires VB scripting

Questions?
- Visit us (…)