Presentation is loading. Please wait.

Presentation is loading. Please wait.

PC Manager Meeting February 22, 2006. Today Updates Next Meeting Windows Policy EMail Licensing/Training Security Tool Of The Month DOE Microsoft Tech.

Published byThomas Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "PC Manager Meeting February 22, 2006. Today Updates Next Meeting Windows Policy EMail Licensing/Training Security Tool Of The Month DOE Microsoft Tech."— Presentation transcript:

1 PC Manager Meeting February 22, 2006

2 Today Updates Next Meeting Windows Policy EMail Licensing/Training Security Tool Of The Month DOE Microsoft Tech Day This Month: OS & App Baselines; What’s it All About? – Jack Schmidt LUA: More ways and tools to run as LUA – Ken Fidler

3 Next Meeting Mar. 22 nd Windows/Mac Software Licensing Emily Pahlavan InDiCo Agenda John Bellendir/Jack Schmidt

4 Windows Policy Committee Next Meeting: Mar 1 st, 1:30-2:30pm, WH5SW Agenda: Outstanding Account Requests NTP- Does anyone really know what time it is? Desktop Baseline Checklist: New Domain GPOs?

5 Email Update Spam Cop (We’ve been busted!) Greylisting- Next Generation Spam Fighting Kevin Hill

6 Spam Cop Spam Cop started blacklisting the email gateways on 2/14/06. We complained. No response was given on why we were blacklisted but we were removed on 2/16/06 We were added again on 2/17/06! A few sites had us blacklisted for “back-scatter” What we are doing is RFC compliant but that doesn’t always help!

7 Spam Cop Back-scatter Backscatter occurs when an email system accepts a message for delivery and then the system determines that the message can not be delivered and sends an undeliverable mail notification. What to do? Request that fnal.gov be added to the white list at remote site. CD changing email system to prevent back-scatter (enabled 2/21) CD Implementing greylisting soon!

8 Greylisting

9 What It Does Requires all email from unknown servers to retry sending their message a short time later. Virus infected computers spewing spam (and viruses) won’t retry. (yet). Many system administrators report up to 90% spam reduction.

10 How Messages Go Remote IP: smtp42.somelab.org Env Sender: John.smith@somelab.orgJohn.smith@somelab.org Env Recpient: helpdesk@fnal.govhelpdesk@fnal.gov Combination unseen before – Temprarily Reject Message Remote Server retries delivery at a later time, at least 5 minutes later. Remote IP: smtp42.somelab.org Env Sender: John.smith@somelab.orgJohn.smith@somelab.org Env Recpient: helpdesk@fnal.govhelpdesk@fnal.gov Combination in Database – Message Accepted

11 Who uses it University of Bergen - the Norwegian university of Bergen is using greylisting on their mail server. Texas A&M University - This Texas university is using greylisting: www.tamu.edu/network-services/smtp-relay/greylisting.html Leibniz Rechen Zentrum - LRZ is a major German internet hub for academic institutions in southern Germany. They started using greylisting as a method of limiting spam a couple of months ago: www.lrz-muenchen.de/aktuell/ali2052/www.lrz-muenchen.de/aktuell/ali2052/ APNIC (Asia Pacific Network Information Centre) - This organisation, one of the five major internet registries of the world, is also using greylisting: www.apnic.net/info/contact/greylisting.html www.apnic.net/info/contact/greylisting.html RWTH - RWTH is a large German University. They have a page on their greylisting (german) here: www.rz.rwth-aachen.de/infodienste/email/greylisting.php

12 How It Works Records a triplet consisting of remote server ip address, envelope sender, and envelope recipient. If that triplet hasn’t been seen before, enter it in the database and reject the message with a temporary failure code. If the triplet has been seen more than 5 minutes before, and less than the expire time for entries, accept the message.

13 Possible Fallout Some people will see a delay getting email from someone new. This will be between 5 minutes and however long the remote server takes to retry delivery. Generally not more than 1 hour. A few sites won’t retry. They are broken, but need to be dealt with.

14 Solutions Most greylist packages provide downloadable whitelists of known broken/good email servers. Local whitelists are maintainable. Greylisting package we are looking at has Automatic Whitelists. We can maintain an ‘opt-out’ list, for people who prefer to get more spam.

15 Our recommended Implementation Use SQLGREY for Postfix. Uses Mysql for storage of greylist triplets, auto whitelist tables, and opt-out lists. Initial greylist retry wait time is 5 minutes. Message must be resent within 24 hours or new 5 minute wait will be instituted. After 2 successful emails from a Server/Sender Domain pair, that pair is added to the Auto-Whitelist. Auto-whitelist entries expire after 60 days without mail from that server/sender domain.

16 Rollout Timeline Upgrade Hepa machines version of Postfix and install local mysql server. 1 day (Done) Install sqlgrey Greylisting service. Configure postfix to warn only (in the mail logs) to prebuild databases. 15-30 days Monitor Logs for legit mail that isn’t getting through. Ongoing Turn greylisting on “for real”. Hepa machines currently have enough capacity to upgrade/install one while the other handles all incoming mail, so no downtime required.

17 Licensing/Training

18 License Updates VMWare vs Virtual PC VMWare Workstation v5 License: Electronic Download Distribution - $189 Packaged Distribution - $199 Upgrade - $99 (Requires serial number) Virtual PC Year 1 - $108.87 Year 2 - $90.55 Year 3 - $72.24  Note: We have not been able to get this to work with SLF!

19 License Updates Added to Vista Beta! Caveat: Not approved for FERMI Domain May need its own baseline!

20 EA Training Expires in Oct! Consolidate single days? http://computing.fnal.gov/ pcmanagers/licensing/tr aining/ (password required) Division/SectionDays of Training ACC16 BSS5 CD22 CDF1 D00 DIR1 LSS1 ESH1 FESS4 PPD4 TD5

21 Security Updates

22 February Patches MANDATORY Patches: Due Date: None at this time RECOMMENDED Patches: Due Date: 3-15-2006 The following is a link to the February Microsoft list of critical and important patches. http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx SMS Information available at: http://www-win2k/private/sms/patchrollup/ If you need the patches, you can also obtain them from \\pseekits\fermi-rollup\\pseekits\fermi-rollup

23 Cool Tool of The Month Paint.Net (thanks to Don Poll!) http://www.eecs.wsu.edu/paint.net/ FREE!!! Image and photo manipulation software designed to be used on computers that run Windows 2000, XP, Vista, or Server 2003. Much like PaintShop Pro Requires.NET Framework

24 Cool Tool of The Month (cont)

25 DOE Microsoft Tech Day Where: Argonne When: April 11 th Time: ??? The purpose of this day would be to go over (at a very technical level) new products and futures coming from Microsoft (Vista, SQL, Exhchange, etc). Attendance list required…(email to follow)

26 Main Topic OS & Application Baselines- Whats It All About? Jack Schmidt

27 What’s A Baseline? A baseline is a document or set of documents that outlines minimum security requirements for an application, network device or OS to be allowed on the FNAL Network Office of Management and Budget tells DOE. They tell us!

28 Existing Baselines OS Baselines OSX Desktop Scientific Linux Fermi Sun Solaris 9 Windows 2000 & XP Windows 2000 & 2003 Server

29 Existing Baselines Application Baselines Anti-virus (draft form) Oracle Postgres SQL Network Baseline Cisco Firewall Cisco Router

30 Baselines We Still Need OS FreeBSD Generic OS OSX Server Application Generic Web Server (covers Apache and IIS) Generic Web Application Samba

31 Baseline Basics Baseline built on NIST and CIS Benchmark documents Checklists. Tools coming to help check systems!

32 Baseline Questions Does my desktop/server meet the baseline? Fermi domain systems, Fermi Windows built systems and SLF built systems. I can’t meet the baseline requirements! Talk with your GCSC I can’t find my OS/App listed! Check with your GCSC. In most cases, following the generic baseline will work

33 Baseline Questions Who writes them? You Do! Who approves them? FCSC What Apps need a baseline? Defined by DOE Do Application baselines include OS requirements? No! App Baseline + OS Baseline = Approved Design App Baseline + NO OS Baseline ≠ Approved Design

34 Main Topic Least-Privileged User Account -More ways and tools to run as LUA. Ken Fidler – CSS-CSI(WST)

35 LUA – Run IE/E-mail tools Safely Running as ‘local admin’ privilege is dangerous! Special case users require admin privileges How do you get best of both worlds?

36 LUA – Run Network browser/E-mail tools Safer For limited protection, restrict key internet-facing applications to run as non-admin XP and Server 2003 add new Software Restriction Policy (SAFER) Allows running applications as non-admin by stripping out certain SIDs and privileges from the application's token.

37 How do you know you are running apps as non-admin? look at the token associated with the process. Process Explorer from Sysinternals Good FREE replacement for Task Manager PrivBar Free tool that displays User level that IE or Explorer is running at

38 IE – Run as ‘Normal User’

39 IE running as ‘local admin’

40 LUA - PrivBar

41

42 LUA – DropMyRights.exe Free tool from Microsoft Similar to ‘runas’ tool dropmyrights.exe "c:\program files\internet explorer\iexplore.exe" Can be used on all sorts of applications (e-mail clients like Outlook/Outlook Express, browsers like IE and Firefox, and Instant messaging clients)

43 LUA – DropMyRights Install

44 LUA – DropMyRights DEMO

45 LUA – Dropmyrights – Pros and Cons Pros – Simple to use and setup (MSI package) Cons – Some Web sites that spawn a new web might not start-up as a reduced privilege Can easily run program as a privileged level

46 LUA – SAFER New Software Restriction Policy (SAFER) XP and 2003 only Software restriction policies allow you to control the ability of software to run on your local computer.local computer By Default, only 2 levels exist (disallowed and Unrestricted). A simple change allows adding new levels

47 LUA – SAFER Policy There are in fact three other SAFER security levels beyond Disallow and Unrestricted Normal User (also named Basic User) Constrained (also named Restricted) Untrusted Basic user is what we want to use. The others are too restrictive and break many apps.

48 LUA – SAFER Policy Simple Registry tweak to expose the levels: Add a DWORD value named Levels set to 0x20000 to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows\Safer\CodeIdentifiers

49 LUA – GPOs to run apps safely

50 LUA - GPOs

51 LUA – SAFER DEMO

52 LUA – SAFER (Limitations) Can not run Windows Update (known issue Microsoft plans to fix, and there is a way around this….) User could copy application to alternate path and run application as ‘administrator’

53 LUA – Other Possibilities Create a GPO in your OU to deploy LUA Protect against known malware Add the path/name of the program to the SAFER policy (additional rules) and set the ‘Security Level’ to Disallow Prep software on machines – but keep users from running it until you want them to.

54 LUA - Summary DropMyRights or Using SAFER based policies is no replacement for running as a non-admin, but still much better than giving the loaded gun of full local admin privilege to your users!

55 LUA and VISTA Standard User Privileges V iew system clock and calendar Change time zone Change display settings Change power management settings Install fonts Add printers and other devices that have the required drivers installed Download and install updates using User Account Control compatible installer

56 LUA and VISTA (cont’d) Admin Approval Mode: Right Privilege at the Right Time Allow admins to run apps as basic user Over-the-Shoulder (OTS) Credentials Prompt user when Admin Privs needed File System and Registry Virtualization Create a copy in user profile area

57 LUA – More Info DropMyRights and PrivBAR http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp SAFER http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp BLOG on LUA http://weblogs.asp.net/aaron_margosis Process Explorer http://www.sysinternals.com/ \\PSEEKITS\DesktopTools\Utilities\LUA

Download ppt "PC Manager Meeting February 22, 2006. Today Updates Next Meeting Windows Policy EMail Licensing/Training Security Tool Of The Month DOE Microsoft Tech."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.

MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
14.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
SMS Gateway OZEKI NG Document version: v.1.0.0. Adding SMS functionality to SysAid.

SMS Gateway OZEKI NG Document version: v Adding SMS functionality to SysAid.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Cap 333 Network Administration. Grades  20 marks distributed on  Assignments / Project Activities Individual Pairs  1 or 2 tutorial quizzes.

Cap 333 Network Administration. Grades  20 marks distributed on  Assignments / Project Activities Individual Pairs  1 or 2 tutorial quizzes.
Email Update Unix Users Feb 2006 Kevin Hill. Email Update Spam Cop (We’ve been busted!) Greylisting- Next Generation Spam Fighting.

Update Unix Users Feb 2006 Kevin Hill. Update Spam Cop (We’ve been busted!) Greylisting- Next Generation Spam Fighting.
PC Manager Meeting January 25, 2006. Today Updates –Next Meeting –Meeting Maker Upgrade –Windows Policy –Training –Licensing –Security –Tool Of The Month.

PC Manager Meeting January 25, Today Updates –Next Meeting –Meeting Maker Upgrade –Windows Policy –Training –Licensing –Security –Tool Of The Month.
SMS Gateway OZEKI NG Document version: v.1.0.0. Adding SMS functionality to Sharepoint.

SMS Gateway OZEKI NG Document version: v Adding SMS functionality to Sharepoint.
What’s New in WatchGuard XCS v9.1 Update 2. WatchGuard XCS v9.1 Update 2  Introduce New Features WatchGuard XCS Outlook Add-in SecureMail Email Encryption.

What’s New in WatchGuard XCS v9.1 Update 2. WatchGuard XCS v9.1 Update 2  Introduce New Features WatchGuard XCS Outlook Add-in Secur Encryption.
Security Audit Tools Project. CT 395 IT Security I Professor Igbeare Summer Quarter 2009 August 25, 2009.

Security Audit Tools Project. CT 395 IT Security I Professor Igbeare Summer Quarter 2009 August 25, 2009.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Similar presentations

Ads by Google