Slide 1: Managing CERN Desktops with Systems Management Server (SMS 2003)
Michel Christaller, Internet Services Group, Department of Information Technology, CERN, May 2005

Slide 2: Summary (Michel Christaller – CERN IT/IS)
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

Slide 3: Summary
- CERN infrastructure
  - What is SMS?
  - SMS history at CERN
  - Server architecture
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

Slide 4: What is SMS?
- Microsoft Systems Management Server
  - software deployment
  - software and hardware inventory
  - software metering
  - remote control
- Additional features (SUS Feature Pack)
  - Windows Security Updates Scan Tool
  - Microsoft Office Security Updates Scan Tool
  - Extended Security Tool (non-MBSA patches)

Slide 5: SMS Architecture
[Diagram] Site & Database Server; Distribution Points, from which desktop clients run packages from the share; Management Points, which clients poll ("new package?") and report inventory to; Remote Clients (VPN, GPRS, Dial-in), which poll for new packages, download them via BITS, run them locally and report inventory.

Slide 6: SMS History at CERN
- SMS 2.0 used from 2001
- SMS 2003 deployed Summer 2004
- SMS 2003 SP1 deployed Autumn 2004
- More MPs needed due to patch deployments
  - 3 MPs with NLB
- 10Gb database now

Slide 7: Server Infrastructure
- Native Windows 2003 Active Directory (3 DCs)
  - Heavy use of groups, Group Policies and startup scripts
- SMS infrastructure (Windows 2003, SMS 2003 SP1)
  - 1 site server, 3 Distribution Points, 3 Management Points
- Other servers (mostly Windows 2003 SP1)
  - ~30 file servers
  - ~180 servers total, 50Tb disk space (mail, web, terminal servers, etc.)
- Web-based administration interface (http://cern.ch/win)
- ~6000 managed desktops
  - 1/4 Windows 2000
  - 3/4 Windows XP

Slide 8: Summary
- CERN infrastructure
- Managing assets
  - Desktop installation
  - Computer Management (web site)
  - Hardware & software inventory
- Deploying programs with SMS
- Deploying security patches with SMS
- Conclusion

Slide 9: Desktop Installation
- DianeCD on WinPE
  - Windows Pre-Installation Environment: stripped-down Windows
  - Includes latest drivers -> no need for DOS network drivers
  - Available on bootable CD
  - Configures HCP only
  - Copies model-dependent drivers to the local disk
  - Launches the installation through the network
  - Allows LM hash authentication to be forbidden (it was only needed by the DOS network layer)

Slide 10: Computer Management
- User-oriented web-based administration

Slide 11: Hardware & Software Inventory
- Inventory by SMS:
  - Hardware
  - Software (programs installed)
  - Files

Slide 12: Summary
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
  - XP SP2 deployment
  - .Net Framework deployment
- Deploying security patches with SMS
- Conclusion

Slide 13: XP SP2 Deployment
- XP SP2 offers enhanced security
  - Firewall, IE6 SP2
- 90% of XP SP1 computers upgraded to SP2
- Recurrent SMS package
  - Pops up to the user every day for one month
  - Forced installation if the user does not respond
  - Launches the XPSP2.exe upgrade
  - Distributed to XP SP1 computers, gradually by department
- Coupled with the Office XP upgrade to Office 2003
- Almost no incompatibilities seen (except for some engineering applications)
- Goal: support only Windows XP SP2 / Office 2003 by end of year

Slide 14: .Net Framework Deployment
- .Net Framework 1.1 needed to deploy next-generation applications like the new CERN Newsreader
- SMS package combining .Net Framework 1.1, SP1 and hotfix 886903
- Deployed on all XP SP2 computers
- 25 chances to install at will, then forced
- Program deployment with SMS often needs VB scripting to provide a user interface

Slide 15: Adobe Acrobat 7 Deployment
- Acrobat Reader 6 deployed through GP at startup
- Acrobat 7 deployed with SMS
  - Difficulty: Reader 7 and Professional 7 together
  - VB script detects the installed status and upgrades
  - Advertisement comes every day
- Distributed to computers having Acrobat 6 products

Slide 16: Summary
- CERN infrastructure
- Managing assets
- Deploying programs with SMS
- Deploying security patches with SMS
  - Why patching?
  - Patching policy
  - SUS Feature Pack
  - Non-MS patches
  - Reporting
- Conclusion

Slide 17: Why Patching?
- Exploits are often made public before patches
- Unpatched computers get viruses
- which install backdoors
- which come with key-loggers and root-kits
- Root-kits are really difficult to clean up, or even to detect
- and are used for illegal activities (spamming, file exchange, DoS attacks, etc.)
- CERN severely affected by an unmanaged computer hacked in May 2004

Slide 18: Patching Policy
- How to maximize coverage and minimize reboots?
- Group patches by product
  - System-related patches by OS version
  - Other products: Messenger, Media Player, Acrobat, PuTTY, etc.
- Deploy first as 'advertised' (installation not forced) for some time
  - One package for the latest patches, all OS versions
- Second deployment: forced installation and reboot
  - One baseline package per OS version
- Recurrent every day on all computers missing patches

Slide 19: SUS Feature Pack
- Based on the MBSA detection tool
  - Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC
  - MS Office patches with Office Updates
- Uses an mssecure.xml file
- The patchinstall wrapper provides the user interface

Slide 20: SUS Feature Pack
[Diagram labels] Microsoft Download Center; SMS 2003 Site Server; MSSecure.xml Sync Tool; MSSecure.xml update request; Patches, QFEs, SPs; Scan Tool; Hardware Inventory; Advertisement; Installation Status.
- Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)

Slide 21: Products Not Detected by MBSA
- Extended Security Tool
  - Workaround to deploy some MS product patches: Windows Messenger & MSN Messenger, Media Player, .Net Framework
  - Similar to SUSFP (XML file and patchinstall wrapper)
  - Will be merged into SUSFP in the future
- Non-MS products
  - Write a VB script for the user interface; deployment based on inventory (file versions / programs installed)

Slide 22: Reports on Security Updates

Slide 23: Deployment Status of MS05-019
- Graph from SMS patch status data
- Patch published by Microsoft on 12th of May
- [Graph annotations] "Patch advertised to all CERN computers"; "Forced deployment started"
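The policy on slide 18 (a forced baseline package per OS version, re-advertised daily to every computer still missing a patch) and the status graph on this slide both rest on the same question: which managed computers report a given patch as installed, and which do not. The script below is an added illustration, not CERN's tooling nor part of SMS; the computer names, OS labels, the "MS05-0XX" bulletin id and the status rows are constructed placeholders standing in for SMS scan-tool data. Computers that never returned a scan are deliberately counted as not covered, which is the "100% coverage is a dream" point of slide 24.

```python
from collections import defaultdict

# Constructed sample: managed computers known from inventory (name -> OS version).
# PCOLD01 is managed but never returned a scan result (e.g. no disk space).
MANAGED = {"PCLAB01": "XP SP2", "PCLAB02": "XP SP2",
           "PCADM01": "2000 SP4", "PCADM02": "2000 SP4", "PCOLD01": "2000 SP4"}
# Constructed scan-tool status rows: (computer, patch id, status).
# "MS05-0XX" is a placeholder bulletin id; MS05-019 is the one on the slide.
STATUS_ROWS = [
    ("PCLAB01", "MS05-019", "Installed"), ("PCLAB01", "MS05-0XX", "Installed"),
    ("PCLAB02", "MS05-019", "Missing"),   ("PCLAB02", "MS05-0XX", "Installed"),
    ("PCADM01", "MS05-019", "Missing"),   ("PCADM01", "MS05-0XX", "Missing"),
    ("PCADM02", "MS05-019", "Installed"), ("PCADM02", "MS05-0XX", "Installed"),
    ("ROGUE01", "MS05-019", "Installed"),  # unmanaged machine: must be ignored
]
# Baseline per OS version (placeholder contents): the patches the forced
# package for that OS installs.
BASELINE = {"XP SP2": ["MS05-0XX", "MS05-019"], "2000 SP4": ["MS05-0XX", "MS05-019"]}

def patch_status(managed, rows):
    """Return {computer: {patch: status}} for every managed computer.
    Unreported computers get an empty dict so they are never dropped,
    and rows from machines outside the managed set are discarded."""
    status = {name: {} for name in managed}
    for computer, patch, state in rows:
        if computer in status:
            status[computer][patch] = state
    return status

def coverage(managed, rows, patch):
    """Share of managed computers reporting the patch installed.
    The denominator is the whole managed set, so silent machines lower
    the figure instead of inflating it."""
    status = patch_status(managed, rows)
    installed = sum(1 for s in status.values() if s.get(patch) == "Installed")
    return installed / len(managed) if managed else 0.0

def forced_targets(managed, rows, baseline):
    """Targets of the daily forced baseline package, grouped by OS version.
    A computer is listed with the patches it still needs when any baseline
    patch is Missing or has no scan result at all."""
    status = patch_status(managed, rows)
    targets = defaultdict(list)
    for computer, os_version in sorted(managed.items()):
        needed = [p for p in baseline.get(os_version, ())
                  if status[computer].get(p) != "Installed"]
        if needed:
            targets[os_version].append((computer, needed))
    return dict(targets)

if __name__ == "__main__":
    print(f"MS05-019 coverage: {coverage(MANAGED, STATUS_ROWS, 'MS05-019'):.0%}")
    for os_version, hosts in forced_targets(MANAGED, STATUS_ROWS, BASELINE).items():
        print(f"{os_version}: {hosts}")
```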

Slide 24: Conclusion
- Reaching 100% coverage is a dream
  - There is always a computer without disk space, with broken files, etc.
- SMS 2003 makes the infrastructure much better managed
  - Hardware & software inventory
  - Pushed software installations (the GP 'Assign to computer' method only ran at startup)
  - Patch deployment and status
- Drawbacks
  - Heavy inventory phases are annoying on slow computers
  - Packaging steps may be necessary; deployment of non-MS products often requires VB scripting

Slide 25: Questions?
- Visit us: http://cern.ch/win
