SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.
HEPiX October 2004, Rafal Otto (CERN IT/IS)

Agenda
- SMS 2003 Infrastructure: What is SMS?, Architecture, Deployment, Rights Policy
- Enhancements in SMS and Active Directory Integration
- Managing Windows Security Updates with SMS 2003: SUS Feature Pack, Updating Servers, Updating Desktops
- Other security related actions
- Conclusions

What is SMS?
Microsoft Systems Management Server provides:
- centrally managed software deployment
- software and hardware inventory
- software metering
- remote control
Additional features:
- Windows Security Updates Scan Tool
- Microsoft Office Security Updates Scan Tool
Supported (managed) platforms:
- Windows 98, NT: SMS Legacy Clients (none at CERN)
- Windows 2000, XP, 2003: SMS Advanced Clients (~6000)
SMS is not designed for system monitoring!

Architecture (diagram; labels only survive): Site Server; Distribution Points; Remote Clients (VPN, GPRS, Dial-in); Desktop Clients; "run from the share"; "download (BITS), run locally"; client query "new package?"; reply "DP name"

Deployment
- Milestones (in the order shown): SMS 2003 Site; Complete SMS 2.0 Infrastructure; Client Migration; Complete SMS 2003 Infrastructure; Complete SMS 2003 SP1 Infrastructure; SMS Client Upgrade to SP1
- Timeline: June 2004, End of June 2004, Mid July 2004, Sept 2004, Oct 2004

Rights Policy
- SMS Administration: very limited set of administrators
- Reporting: anyone who needs it
- Remote Tools: limited set of trusted users
- Software Distribution: SMS administrators + License managers

Section: Enhancements in SMS and Active Directory Integration

Background
- Software deployment at CERN is currently based on Group Policy Objects applied to security groups
- When a user wants to install certain software (e.g. MS Office 2003) on his/her computer, the computer account must be made a member of the corresponding security group (e.g. CERN\GP Apply Office 2003); after the reboot the machine receives the new installation package
- Group memberships are managed through a single entry point, the WinServices website, in particular a service called Group Manager

AD System Discovery (diagram: Domain Controller / Active Directory feeding the SMS Database)
- System Discovery: computer accounts (each morning, takes ~90 minutes)
- System Group Discovery: group membership of computer accounts (each morning, takes ~30 minutes)
- Updating Collections (takes a few seconds)
- Any change of a computer's group membership during the day will only propagate to SMS the next morning!!!

CERN System Group Discovery (diagram): requests are handled by a Windows Service on the SMS Site Server, which updates the SMS Database and triggers a Collections Update

Section: Managing Windows Security Updates with SMS 2003

SUS Feature Pack (diagram)
- The Sync Tool on the SMS 2003 Site Server fetches MSSecure.xml and the patches, QFEs and SPs from the Microsoft Download Center (MSSecure.xml update request)
- The Scan Tool runs on the clients against MSSecure.xml; its results come back through Hardware Inventory
- Missing updates are deployed through an Advertisement; Installation Status is reported back
- Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)

Reports on security updates (screenshot)

Updating Servers
- ~130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers)
- Most of the updates need a reboot at the end of the installation
- There are groups of servers in which at least one machine has to be online at any time (e.g. the 3 domain controllers)
- We do not want to trust the SMS scheduler with rebooting the servers
- Our approach:
  - We deploy patches with the option "postpone reboot forever"
  - We use our own mechanism to reboot the servers pending a reboot, by hand
  - The "pending reboot" status of a machine is taken directly from the SMS database
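The slide describes the constraint behind CERN's hand-driven server reboots: every server that SMS reports as "pending reboot" has to be restarted eventually, but a group such as the three domain controllers must never be down all at once. The following Python planner is an added example, not the CERN tool shown on the slide (whose code the presentation does not include). It assumes the pending-reboot list has already been read from the SMS database, and the hostnames and availability groups are constructed for illustration.

```python
"""
Added example (not CERN's code): turn a list of servers pending reboot into
sequential reboot waves such that no availability group ever has all of its
members rebooting in the same wave.  Servers that are not pending stay up and
count towards a group's availability.
"""
from collections import defaultdict

# Constructed sample: server -> availability groups it belongs to.
# Hostnames and group names are hypothetical.
AVAILABILITY_GROUPS = {
    "dc1": ["domain-controllers"],
    "dc2": ["domain-controllers"],
    "dc3": ["domain-controllers"],
    "wins1": ["wins"],
    "wins2": ["wins"],
    "web1": [],            # stand-alone server, no availability constraint
    "exch1": ["exchange"], # single-member group: can never be rebooted safely
}

# Constructed sample of the "pending reboot" status read from the SMS database.
PENDING_REBOOT = {"dc1", "dc2", "dc3", "wins1", "web1", "exch1"}


def plan_reboot_waves(pending, groups):
    """Return (waves, blocked).

    waves   : list of lists of hostnames; each wave reboots together, waves
              run one after another, so within a wave every group keeps at
              least one member (pending-in-a-later-wave or not pending) online.
    blocked : hosts in a group with only one member; the constraint cannot be
              met for them, so they are reported instead of being scheduled.
    """
    members = defaultdict(set)          # group -> all members (pending or not)
    for host, host_groups in groups.items():
        for g in host_groups:
            members[g].add(host)

    remaining = sorted(pending)         # deterministic order for the greedy pass
    blocked = [h for h in remaining
               if any(len(members[g]) == 1 for g in groups.get(h, []))]
    remaining = [h for h in remaining if h not in blocked]

    waves = []
    while remaining:
        wave, down = [], set()
        for host in remaining:
            # Admit the host only if, for each of its groups, rebooting it
            # together with the hosts already in this wave leaves someone up.
            safe = all(len((down | {host}) & members[g]) < len(members[g])
                       for g in groups.get(host, []))
            if safe:
                wave.append(host)
                down.add(host)
        waves.append(wave)              # non-empty: the first remaining host always fits
        remaining = [h for h in remaining if h not in down]
    return waves, blocked


def check_waves(waves, groups):
    """Independent check of the invariant: in no wave is an entire group down."""
    members = defaultdict(set)
    for host, host_groups in groups.items():
        for g in host_groups:
            members[g].add(host)
    for wave in waves:
        down = set(wave)
        for g, all_members in members.items():
            if all_members and all_members <= down:
                return False
    return True


if __name__ == "__main__":
    waves, blocked = plan_reboot_waves(PENDING_REBOOT, AVAILABILITY_GROUPS)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("needs manual decision (single-member group):", blocked)
    print("invariant holds:", check_waves(waves, AVAILABILITY_GROUPS))
```

With the constructed data the planner puts dc1, dc2, web1 and wins1 in the first wave, leaves dc3 for a second wave so that one domain controller is always up, and reports exch1 as blocked because its group has no other member to take over. The greedy pass never produces an empty wave, because the first remaining host always fits into a fresh wave, so the loop terminates.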

Rebooting servers (screenshot)

Updating Desktops (1)
- The SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2)
- SMS packages are based on the operating system
- One package (Adv) is used for new patches: published but not assigned
- A second package contains all baseline patches and is assigned to run each day

Updating Desktops (2)
- Patches not supported by the SUS Feature Pack:
  - packages are created manually for each patch
  - depending on the severity they are assigned or published
  - a wrapper is needed that notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times
- With new versions of MBSA more and more products should be supported

Section: Other security related actions

Other security related actions
- Windows XP SP2 deployment (pilot)
  - additional firewall features
  - new Internet Explorer and Outlook Express: Attachment Execution Service, HTML images, add-ons manager, pop-up blocker
  - DCOM and RPC improved security
- Get rid of weak LM hashes (soon)
  - still used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy etc.
  - since Windows NT 3.5 NTLM authentication is used (the NTLM hash is much stronger)

Other security related actions
- Local administrator password reset
  - periodic (every 3 months)
  - web interface to change it again (available to the main responsible for the machine)
- Local administrators group (plan)
  - in the past each user was a member of the local administrators group on his/her machine
  - this will no longer be mandatory
  - web interface to become a member (available to the main responsible for the machine)

Conclusions
- SMS 2003 makes the infrastructure much better managed: security scans + patch deployment, software inventory
- Other improvements in security were done: Windows XP SP2 deployment; new policy for the local admin password and the local administrators group