Presentation is loading. Please wait.

Presentation is loading. Please wait.

SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.

Published byMadlyn Davidson Modified over 8 years ago

Similar presentations

Presentation on theme: "SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016."— Presentation transcript:

1 SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016

2 HEPiX October 2004 Rafal Otto (CERN IT/IS) Agenda SMS 2003 Infrastructure What is SMS? Architecture Deployment Rights Policy Enhancements in SMS and Active Directory Integration Managing Windows Security Updates with SMS 2003 SUS Feature Pack Updating Servers Updating Desktops Other security related actions Conclusions

3 HEPiX October 2004 Rafal Otto (CERN IT/IS) What is SMS? Microsoft Systems Management Server serves centrally managed software deployment software and hardware inventory software metering remote control Additional Features Windows Security Updates Scan Tool Microsoft Office Security Updates Scan Tool Supported (managed) platforms Windows 98, NT – SMS Legacy Clients – (none at CERN) Windows 2000, XP, 2003 – SMS Advanced Clients – (~6000) SMS is not designed for system monitoring!

4 HEPiX October 2004 Rafal Otto (CERN IT/IS) Architecture Site Server Remote Clients (VPN, GPRS, Dial-in) Desktop Clients run from the share Distribution Points download (BITS) run locally new package? DP name

5 HEPiX October 2004 Rafal Otto (CERN IT/IS) Deployment SMS 2003 Site Complete SMS 2.0 Infrastructure Client Migration Complete SMS 2003 Infrastructure Complete SMS 2003 SP1 Infrastructure SMS Client Upgrade to SP1 June 2004 End of June 2004 Mid July 2004 Sept 2004 Oct 2004

6 HEPiX October 2004 Rafal Otto (CERN IT/IS) SMS Administration Reporting Remote Tools Software Distribution Anyone who needs Rights Policy Very limited set of administrators Limited set of trusted users SMS administrators + License managers

7 HEPiX October 2004 Rafal Otto (CERN IT/IS) Agenda SMS 2003 Infrastructure What is SMS? Architecture Deployment Rights Policy Enhancements in SMS and Active Directory Integration Managing Windows Security Updates with SMS 2003 SUS Feature Pack Updating Servers Updating Desktops Other security related actions Conclusions

8 HEPiX October 2004 Rafal Otto (CERN IT/IS) Background Software deployment at CERN is currently based on the Group Policy Objects applied on the security groups when one wants to install certain software (i.e. MS Office 2003) on her/his computer, needs to make her/his computer account a member of certain security group (i.e. CERN\GP Apply Office 2003) then, after the reboot machine receives a new installation package To manage memberships of the groups we have a single entry point, which is a WinServices website, in particular a service called Group Manager

9 HEPiX October 2004 Rafal Otto (CERN IT/IS) AD System Discovery Domain Controller Active Directory SMS Database System Discovery Computer accounts (each morning, takes ~90 minutes) System Group Discovery Group membership of computer accounts (each morning, takes ~30 minutes) Updating Collections (takes few seconds) Any change of computer’s group membership during the day … … will propagate to SMS next morning!!!

10 HEPiX October 2004 Rafal Otto (CERN IT/IS) CERN System Group Discovery SMS Site Server requests Windows Service SMS Database Collections Update

11 HEPiX October 2004 Rafal Otto (CERN IT/IS) Agenda SMS 2003 Infrastructure What is SMS? Architecture Deployment Rights Policy Enhancements in SMS and Active Directory Integration Managing Windows Security Updates with SMS 2003 SUS Feature Pack Updating Servers Updating Desktops Other security related actions Conclusions

12 HEPiX October 2004 Rafal Otto (CERN IT/IS) SUS Feature Pack Microsoft Download Center SMS 2003 Site Server MSSecure.xml Sync Tool MSSecure.xml update request Patches, QFEs, SPs Scan Tool Hardware Inventory Advertisement Installation Status Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)

13 HEPiX October 2004 Rafal Otto (CERN IT/IS) Reports on security updates

14 HEPiX October 2004 Rafal Otto (CERN IT/IS) Updating Servers ~130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers) Most of the updates need a reboot at the end of the installation There are groups of servers that at least one machine from the group has to be online at any time (i.e. 3 domain controllers) We do not want to trust SMS scheduler on rebooting the servers Our approach We deploy patches with an option “postpone reboot forever” Use our mechanism to reboot servers pending reboot by hand The “pending reboot” status of the machine is taken directly from SMS database

15 HEPiX October 2004 Rafal Otto (CERN IT/IS) Rebooting servers

16 HEPiX October 2004 Rafal Otto (CERN IT/IS) Updating Desktops (1) SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2) SMS Packages are based on the operating system One package (Adv) used for new patches – published but not assigned Second package contains all baseline patches and is assigned to run each day

17 HEPiX October 2004 Rafal Otto (CERN IT/IS) Updating Desktops (2) Patches not supported by SUS Feature Pack Packages are manually created for each patch Depending on the severity are assigned or published Need of the wrapper, which notifies the user in a more clear way then the standard SMS notification and allows to postpone the installation for many times With new versions of MBSA more and more products should be supported

18 HEPiX October 2004 Rafal Otto (CERN IT/IS) Agenda SMS 2003 Infrastructure What is SMS? Architecture Deployment Rights Policy Enhancements in SMS and Active Directory Integration Managing Windows Security Updates with SMS 2003 SUS Feature Pack Updating Servers Updating Desktops Other security related actions Conclusions

19 HEPiX October 2004 Rafal Otto (CERN IT/IS) Other security related actions Windows XP SP2 deployment (pilot) additional firewall features new Internet Explorer and Outlook Express attachment Execution Service, HTML images add-ons manager pop-up blocker DCOM and RPC improved security Get rid of weak LM hashes (soon) used by Windows 95 clients, not patched Windows 98, old samba, NICE XP installation floppy etc. since Windows NT 3.5 NTLM authentication is used (NTLM hash is much stronger)

20 HEPiX October 2004 Rafal Otto (CERN IT/IS) Other security related actions Local administrator password reset periodic (3 months) web interface to change it again (available for main responsible for the machine) Local administrators group (plan) in the past each user was a member of local administrators group on his/her machine will not be mandatory web interface to become a member (available for main responsible for the machine)

21 HEPiX October 2004 Rafal Otto (CERN IT/IS) Conclusions SMS 2003 makes infrastructure much better managed security scans + patch deployment software inventory Other improvements in security were done Windows XP SP2 deployment New policy for local admin password and local administrators group

Download ppt "SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
SUS Feature Pack for SMS Michel Jouvin LAL / IN2P3

SUS Feature Pack for SMS Michel Jouvin LAL / IN2P3
Introduction to Systems Management Server 2003 Tyler S. Farmer Sr. Technology Specialist II Education Solutions Group Microsoft Corporation.

Introduction to Systems Management Server 2003 Tyler S. Farmer Sr. Technology Specialist II Education Solutions Group Microsoft Corporation.
WSUS Presented by: Nada Abdullah Ahmed.

WSUS Presented by: Nada Abdullah Ahmed.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Understand Virtualized Clients 10753 Windows Operating System Fundamentals LESSON 2.4.

Understand Virtualized Clients Windows Operating System Fundamentals LESSON 2.4.
The Evolution of Managing Windows Computers at CERN Ivan Deloose Internet Services Group Department of Information Technology CERN 7 April 2006 – HEPix.

The Evolution of Managing Windows Computers at CERN Ivan Deloose Internet Services Group Department of Information Technology CERN 7 April 2006 – HEPix.
Collaborative tools in NICE Alex Lossent - CERN IT/IS Hepix Fall 2005.

Collaborative tools in NICE Alex Lossent - CERN IT/IS Hepix Fall 2005.
Managing a Windows Server 2003 Environment - SMS and MOM Michael Kleef IT Pro Evangelist Microsoft Pty Ltd

Managing a Windows Server 2003 Environment - SMS and MOM Michael Kleef IT Pro Evangelist Microsoft Pty Ltd
1 SLAC Windows Migration Bob Cowles Presented for the SLAC Windows Migration Project HEPNT, Fermilab October 24, 2002.

1 SLAC Windows Migration Bob Cowles Presented for the SLAC Windows Migration Project HEPNT, Fermilab October 24, 2002.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Microsoft® Desktop Deployment Assistance Program 4: SMS OS Deployment Feature Pack Thomas Lee Chief Technologist QA plc

Microsoft® Desktop Deployment Assistance Program 4: SMS OS Deployment Feature Pack Thomas Lee Chief Technologist QA plc
A Tour of System Center Configuration Manager Adam Duffy Edina Public Schools.

A Tour of System Center Configuration Manager Adam Duffy Edina Public Schools.
Windows XP Professional Deployment and Support Microsoft IT Shares Its Experiences Published: May 2002 (Revised October 2004)

Windows XP Professional Deployment and Support Microsoft IT Shares Its Experiences Published: May 2002 (Revised October 2004)
Wally Mead Senior Program Manager Microsoft Corporation Session Code: MGT303.

Wally Mead Senior Program Manager Microsoft Corporation Session Code: MGT303.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.
Group Policy in Microsoft Windows Active Directory.

Group Policy in Microsoft Windows Active Directory.

Similar presentations

Ads by Google