
HEPiX Autumn 2003, Triumf, Vancouver: Mainly Windows issues. Gareth Smith, RAL PPD.



1 HEPiX Autumn 2003, Triumf, Vancouver. Mainly Windows issues. Gareth Smith, RAL PPD.


3 Overview
- HEPiX/HEPNT web pages at: contain links to this and recent meetings.
  - Summary by Alan Silverman
  - Videos of presentations as well as slides.
- 73 attendees
- Vendor talks/exhibits (RedHat, Microsoft, Parnasus, Ibrix)

4 Timetable
- HEPiX-HEPNT first three days.
  - (first day largely site reports).
- Large Systems SIG / Security Workshop Thursday/Friday.
  - Parallel sessions Friday morning.

5 Windows in Site reports (1)
- Oxford University
  - WTS (2000, 2003), Exchange (to 2003)
  - 200 PCs Win 2000 / XP.
- SLAC
  - XP migration about complete (total 1700 systems).
  - Exchange from 5.5 to 2003.
- TRIUMF
  - Use of SAMBA, WTS 2003 starting, Docushare.

6 Windows in Site reports (2)
- LAL
  - IN2P3 forest across multiple sites (7 labs so far, 4 to join).
  - SMS for upgrades
- CERN
  - New PCs with WXP (and/or LINUX)
  - Mail migration from Solaris servers to Exchange
  - Pilot WTS 2003; WebDAV
  - CPU cycles from Windows screen saver for simulation.

7 Windows in Site reports (3)
- GSI
  - Windows 2000 AD. Testing W2003.
- DESY
  - Test migration to Windows XP summer 2003.
  - Install via RIS.
- JLAB
  - Windows 2000 domain upgrade done.
- NIKHEF
  - SUS used to update.
  - Install via RIS or GHOST

8 First Experiences using Windows Terminal Services on Server 2003. Alberto Pace for the IS group

9 Terminal Service Pilot at CERN
- Approved by CERN Management in June 2003
- 3 standard computers
  - desktop 2.4 GHz, 1 GB RAM, 40 GB mirrored disk
- Usual scale-out architecture
  - Built-in load balancing
- Supported freeware clients
  - Linux Redhat, Solaris being tested
  - Mac OS X
  - All recent Windows versions (98, Me, 2000, XP)
- Thin clients simple to install & use
  - Internet Explorer 4 is enough on Windows
  - Simpler than the current ongoing effort on supporting Hummingbird Exceed

10 Options that were dropped
- Platform-independent clients
  - HOBLink JWT Java applet: not freeware, licence cost prohibitive
  - Citrix ICA
- Uniquely X11 based
  - No additional client software required on UNIX clients
  - Performance issue
- Complex licensing mode

11 Linux clients
- rdesktop
  - Freeware client
  - Source available
  - Compiled on Redhat standard IT version and Mandrake 9.0
- tsclient
  - Freeware front-end for rdesktop (XP look)

12 Discussion with user representatives
- A large majority of delegates requested to continue and extend the service
- Continue the standard service for the core applications
  - A subset of the existing one
- Envisage the possibility of having instances of TS nodes centrally maintained where a particular service provider could install his own software
  - LHCb build service
  - AB/CO controls applications, with managed JVM
  - ST/MA Asset Tracking and Maintenance Management
  - EP/SFT for several custom applications
  - IT/PS for some engineering applications
  - TH to read mail attachments for non-Windows users

13 The proposed standard service
- Core set of applications for the standard service
  - Microsoft Office XP with FrontPage
  - Office XP Professional Multilanguage Pack (French, German, Italian)
  - Adobe Acrobat, Distiller, PDFMaker, Adobe PostScript Printer Driver
  - PuTTY 0.53b
  - CERN Client Printing Package
  - CERN Phonebook 2000
  - Zephyr
  - Symantec Antivirus Client
- To be discussed
  - ActiveState Perl
  - Python
  - Visual Studio .NET
  - OpenAFS
    - OpenAFS has been one of the most welcome applications, but it had several technical issues
  - Microsoft Project 98 / MS Project 2002

14 Conclusion
- A step forward in Linux / Windows / Mac integration
- Freeware clients exist for all platforms
  - (except legacy Mac OS 8-9)
- STOP or GO decision in November, based on manpower cost
- LONG TERM COMMITMENT of 0.5 – 1 FTE

15 Web-based file systems and WebDAV gateway services to CERN DFS file system. Alexandre Lossent, Alberto Pace

16 The Web is part of the solution
- Standard extensions to the HTTP protocol allow managing files on web servers as if they were part of the local file system
- HTTP Extensions for Distributed Authoring (WebDAV, IETF RFC 2518) have been widely adopted on all major OS
- Several commercial and public-domain implementations exist

17 WebDAV
- Web Distributed Authoring and Versioning
- IETF RFC 2518 (February 1999)
- An extension to the HTTP protocol
  - New verbs (PROPFIND, MKCOL, LOCK...), headers and status codes
  - Uses XML to format information
- Initially designed as a way to author web sites
  - Redundant with FPSE in the Windows world
  - Versioning is limited to file locking (check in/out)
- Can be used as a low-end network filesystem
- WebDAV home page
  - See it also for related open-source projects

18 WebDAV today
- File access:
  - Create / delete files and folders
  - Read / write files
  - Copy / move / delete / rename files and folders
- Document locking
  - Prevents the overwrite problem, where two or more collaborators write to the same resource without first merging changes
  - Allows implementation of offline folders
- Properties
  - XML properties provide storage for arbitrary metadata
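The overwrite problem mentioned on this slide, and the way a WebDAV exclusive lock prevents it, can be shown with a small in-memory model. This is an added example, not code from the talk or from any WebDAV implementation: it models LOCK, UNLOCK and PUT with a lock token that the writer must present back (the If header in real WebDAV); paths, owners and file contents are constructed. Status codes follow the WebDAV RFCs (200 lock granted, 204 write accepted, 423 Locked, 409 when an UNLOCK token does not match).

```python
"""Toy model of WebDAV write locking (LOCK / UNLOCK / PUT).

Added example, not code from the slides. Shows the lost-update problem
and how an exclusive lock token prevents it. All data is constructed.
"""
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Resource:
    body: bytes = b""
    lock_token: Optional[str] = None   # exclusive write lock token, if locked
    lock_owner: Optional[str] = None


class WebDavStore:
    """In-memory collection of resources with exclusive write locks."""

    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}

    def get(self, path: str) -> bytes:
        return self.resources.setdefault(path, Resource()).body

    def lock(self, path: str, owner: str) -> Tuple[int, Optional[str]]:
        """LOCK: grant an exclusive lock unless one is already held (423)."""
        res = self.resources.setdefault(path, Resource())
        if res.lock_token is not None:
            return 423, None
        token = "opaquelocktoken:" + str(uuid.uuid4())
        res.lock_token, res.lock_owner = token, owner
        return 200, token

    def put(self, path: str, body: bytes, if_token: Optional[str] = None) -> int:
        """PUT: refused with 423 when locked and the caller lacks the token."""
        res = self.resources.setdefault(path, Resource())
        if res.lock_token is not None and if_token != res.lock_token:
            return 423
        res.body = body
        return 204

    def unlock(self, path: str, token: str) -> int:
        """UNLOCK: 204 on success, 409 when the token does not match the lock."""
        res = self.resources.get(path)
        if res is None or res.lock_token is None or res.lock_token != token:
            return 409
        res.lock_token = res.lock_owner = None
        return 204


def edit_without_lock(store: WebDavStore, path: str) -> bytes:
    """Two collaborators read, edit locally and write back: the second PUT
    silently discards the first one's change (the lost update)."""
    store.put(path, b"line1\n")
    alice_copy = store.get(path)
    bob_copy = store.get(path)
    store.put(path, alice_copy + b"alice's addition\n")
    store.put(path, bob_copy + b"bob's addition\n")   # overwrites Alice's work
    return store.get(path)


def edit_with_lock(store: WebDavStore, path: str) -> Tuple[int, int, int, bytes]:
    """Same scenario, but Alice locks first: her PUT (with token) succeeds,
    Bob's LOCK and his token-less PUT are both refused with 423."""
    store.put(path, b"line1\n")
    status, token = store.lock(path, "alice")
    assert status == 200 and token is not None
    bob_lock_status, _ = store.lock(path, "bob")
    alice_put = store.put(path, store.get(path) + b"alice's addition\n", if_token=token)
    bob_put = store.put(path, store.get(path) + b"bob's addition\n")  # no token
    store.unlock(path, token)
    return alice_put, bob_lock_status, bob_put, store.get(path)


if __name__ == "__main__":
    print(edit_without_lock(WebDavStore(), "/docs/notes.txt"))
    print(edit_with_lock(WebDavStore(), "/docs/notes.txt"))
```

The model deliberately leaves out lock timeouts, depth and shared locks; the point is the protocol shape: a lock is only useful if the server refuses writes that do not carry the token, and a client that forgets to send it gets 423 rather than a silent success.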

19 WebDAV tomorrow?
- Access control
  - Set / view / modify access control lists using HTTP
- Versioning and configuration management
  - The V in WebDAV means Versioning
  - Document check-out, check-in
  - Retrieval of the history list
- Offline files and folders
- Other advanced features
  - Symbolic links
  - Ordered collections
  - Aggregated operations

20 WebDAV servers
- Supported by all common web servers
  - Apache module mod_dav
  - WebDAV package in PHP PEAR
  - Built-in support in IIS 5 and 6
    - Need to activate appropriate HTTP verbs: PUT (write setting), PROPFIND (directory browsing setting)
    - Permissions are managed by NTFS ACLs
    - Microsoft adds a header to the WebDAV protocol for an HTTP GET to return a script's output or its source (source access setting)


22 Summary
- Use of WebDAV as an interoperable network filesystem is possible today
  - Can be applied to collaborative tools as well (Exchange)
- Takes advantage of HTTP and XML ubiquity
  - Excellent level of interoperability for file access
  - Really reachable from any device / anywhere
  - Very simple to implement
- But...
  - Still a few implementation glitches
  - HTTPS support is still limited
  - Not a high-performance file system
  - Not a replacement for a native file system (e.g. NTFS)
  - Permission management still requires custom implementations

23 CERN Print Manager. Michel Jouvin, LAL / IN2P3

24 CERN Print Manager Approach
- 1 central database describing all printers
  - Printer server (in a dedicated DNS zone)
  - Driver to be used for each printer, per OS version (currently W95, WNT, W2K)
  - Printer default settings
- 1 client with 3 main components
  - PrntTray: Printing Control Center (main application)
  - LPRServ: LPR client (ability to show LPR transactions)
  - PrinterWizard: add/remove printers, change defaults

25 Client: PrntTray GUI

26 Multi-site Configuration
- Allows switching between different sets of parameters
  - Central database locations, LPR parameters, …
- No conflict between sites
  - Different directories for data files
  - Different registry paths
- Site definition in an INI file
  - Client can be distributed with several sites preconfigured
  - Easy addition of a new site

27 More information

28 Installation of W2K/WXP using the project. INFN - Napoli (1), INFM - UDR Napoli (2). HEPiX/HEPNT 2003 – Vancouver. Rosario Esposito (1), Francesco Maria Taurino (1,2), Gennaro Tortone (1)

29 Unattended installation systems [2/3]
- It's an OpenSource project to manage unattended installations of Windows 2K/XP workstations
- Advantages:
  - No need of Windows and Active Directory at server side
  - Supports a large number of network adapters
  - Customizable partition scheme
  - No need of .msi format to deploy applications

30 Unattended installation systems [3/3]
- Disadvantages:
  - No user-friendly interfaces
  - Tuning of some Perl scripts and batch files is required at server side to obtain a good site-dependent installation system
  - No support for disk-imaging based installations

31 Conclusion
- It is a valid alternative to Remote Installation Service (~OpenRIS!), primarily in a Unix-oriented server environment
- It's completely FREE and presents all of the advantages (and flaws) of an OpenSource project
- It has interesting features, like the extreme flexibility of installation scripts
- It's not the optimal choice in the case of homogeneous hardware
- No support for application deployment after the installation

32 Windows and UNIX Interoperability - tips, tricks, and secrets. Peter Skjøtt Larsen, Lead PM, Microsoft Corporation

33 Client Options for UNIX code
A number of alternatives exist today:
- Improved UNIX clients with better applications: better desktop apps for Linux, etc.
- UNIX-like environments on Win32 API: Cygwin, uwin, mks
- UNIX emulation on Windows kernel: Microsoft Services for Unix
- Virtual machines: Microsoft Virtual Server
- Windows-like environment on UNIX: Wine

34 All the comforts of home …
- Replaces POSIX subsystem (in Windows)
- C shell and Korn shell
- Single-rooted file system
- Symbolic links
- Win32® programs
- Terminals and other devices
- Services and daemons
- Man pages
- X Windows

35 Windows and SFU (architecture diagram). Windows kernel (win32k.sys) and hardware abstraction layer hosting two subsystems side by side: the Win32 subsystem (Windows APIs, Windows GUI, command shell, winsock, Windows system admin, commands & networking, Windows applications) and the Interix subsystem (UNIX/POSIX APIs, BSD sockets, UNIX shells, UNIX/XPG/POSIX.2 commands & utilities, telnetd, open-source tools such as Apache, Tcl/Tk, bash; X11R6 server, Motif, UNIX applications, UNIX SDK (gcc)). File systems CDFS, FAT, NTFS and NFS client/server/gateway below; colour legend distinguishes SFU/Interix, Windows and 3rd-party components.

36 Managed Co-Existence with Virtual Server (diagram). Virtual Server on top of the hardware abstraction layer hosting three stacks side by side: UNIX kernel / UNIX API / commands & utilities / X11 shell / UNIX app; NT 4.0 kernel / NT 4.0 API / commands & utilities / GUI shell / NT 4.0 app; Windows 2003 kernel / Windows 2003 API / commands & utilities / GUI shell / Windows app.

37 Virtualization Results
- Linux app runs in the Windows environment with integrated …
  - User file store
  - Security context
  - Command execution environment
- Access Linux transparently from Windows
- Linux / UNIX apps run out of the box
- Performance acceptable for many classes of apps

38 More info … Email …

39 Windows Discussion (1)
- Software Update Services.
  - Good results reported.
  - Care if using more than one way to update (SUS, SMS etc.). Varied internal mechanisms to decide if a patch has been applied….
  - Need to reboot when required by SUS, otherwise possibility of SUS blocking and not caching more updates.
  - Synchronize with Microsoft's updates (Tuesdays).
  - Maybe issues of handling Windows 2000 and XP clients at the same time.

40 Windows Discussion (2)
- Suggestion of putting personal firewalls on all systems….
  - (Felt to be too complicated).
- SLAC have contracted Microsoft to write a DLL that will synchronize passwords between Active Directory and Kerberos.
  - mailing list.
  - to join.

41 Computer Security Update. Bob Cowles, SLAC, bob.cowles @. Presented at HEPiX - TRIUMF, 23 Oct 2003. Work supported by U. S. Department of Energy contract DE-AC03-76SF00515


43 Slammer Impact

44 MSBlaster Released; MSBlaster at SLAC

45 Microsoft @ Stanford
- Universities tend to be a worst case
  - Diverse, unmanaged: population, hardware, software
  - Unlikely to fit into AD model
- Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes

46 Conclusions [Unchanged from last year]
- Poor administration is still a major problem
- Firewalls cannot substitute for patches
- Multiple levels of virus/worm protection are necessary
- Clue is more important than open source

47 CERN's Computer Security Challenge. Denise Heagerty, CERN Computer Security Officer

48 Incident Summary, 2001-2003

Incident type                                     2001   2002   2003 (to Sep)
System compromised (intruder has control)           59     31     26
  security holes in software (e.g. ssh, kernel, ICQ, IE)
Compromised CERN accounts                           42     25     27
  sniffed or guessed passwords
Serious viruses and worms                           11     21    305
  Blaster/Welchia (290), Sobig (12), Slammer (3)
Unauthorised use of file servers                    13     21    119
  insufficient access controls, P2P file-sharing
Serious SPAM incidents                              15     16      1
  CERN email addresses are regularly forged
Miscellaneous security alerts                       11      9      6
Total incidents                                    151    123    484

49 Site Security: actions in progress
- Hardware address registration enforced for computers using DHCP (wireless, portables)
  - Allows the user to be informed of problems
  - Started for some buildings, rest of site before Xmas
- Off-site FTP closure
  - Firewall block planned for 20 Jan 2004
- AFS password expiry enforcement
  - Forced annual password changes + email warnings
  - Already enforced for Windows/Mail passwords
- Network connection rules
  - Define acceptable network and security practice
  - System admins must agree before connecting systems

50 Worrying Trends
- Break-ins are devious and difficult to detect
  - E.g. SucKIT rootkit
- Worms are spreading within seconds
  - Welchia infected new PCs during the installation sequence
- Poorly secured systems are being targeted
  - Home and privately managed computers are a huge risk
- Break-ins occur before the fix is out
  - SPAM relays used a new hole before a patch and anti-virus were available
- People are often the weakest link
  - Infected laptops are physically carried on site
  - Users continue to download malware and open tricked attachments
- Intruders and worms can do more damage. When?

51 What more can be done?
- Restrict/eliminate direct modem access
  - Firewall protection has proved to be necessary
  - Modem access is provided by ISPs
- Reduce the need for VPN to access CERN services
  - Offer popular services to the general Internet: mail, authenticated web sites, file access, …
- Further enhance firewall protections
  - Database driven and based on requirements
- Enhance system and application security
  - Some patches need deadlines and forced reboots
  - Security & anti-virus updates should not rely on home site access
  - Personal firewalls can reduce risk and buy time
- Improve security awareness
  - Common messages across the HEP community would help

52 How CERN reacted to the Blaster and Sobig virus attack. Christian Boissat, Alberto Pace, Andreas Wagner

53 CERN results and effort involved (at end of August, in FTE weeks)

Action                                   Preventive   Repair
Apply patch to 5000 machines via NICE    0.1
Security                                              4.0
Network group                                         6.0
User Support                                          3.5
Coordination                                          0.5
Local support                                         4.0
Total                                    0.1          18

NB: Does not include effort in other Divisions
- The hotfix webpage was visited 12200 times in August
- The emergency measures page 2600 times in the second half of August
- Infected systems: Blaster/Welchia (~300), Sobig (12)

54 Conclusion
- Despite this negative presentation, all CERN central computing services and its network continued to work without interruption
  - Standard users (more than 95%) also continued to work as usual
- Unmanaged computers were heavily affected
  - Many visitor computers were not up-to-date for virus and patches
  - Owners of unregistered computers could not be contacted and informed
  - This is the lesson to learn
- However, this has triggered additional efforts to further improve patch distribution methods and to reduce further the deployment time
- Everybody now takes security more seriously and we did not need a catastrophic disaster to achieve this

55 A walk through a Grid Security Incident. HEPiX Vancouver, October 24, 2004. Dane Skow, Fermilab

56 AFS and User Private Keys
- Many users have home areas in AFS.
- Many users do not understand how AFS access control lists work.
- It is easy for users to leave their private keys world readable in AFS space.
- Should one proactively create a .globus directory in all users' $HOME with the proper permissions?
- What about SSH RSA keys, browser credential caches, PGP keys, …
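The exposure this slide describes is easy to audit for. The script below is an added example, not code from the talk or from Fermilab: it checks the two things a site would want to know about a user's home area, namely whether well-known private-key files are readable beyond the owner by POSIX mode (the SSH and local-disk case), and whether an AFS directory ACL grants read to `system:anyuser` or `system:authuser` (the AFS case, where mode bits do not decide who can read). The file list, the demo home directory and the sample `fs listacl` output are constructed for this example; on a real AFS cell the ACL text would come from running `fs listacl` on the directory.

```python
"""Audit a home directory for exposed private keys.

Added example, not code from the talk. POSIX mode check on well-known
key files plus an AFS ACL check parsed from `fs listacl` output. The
file list, demo tree and sample ACL text are constructed.
"""
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Files that commonly hold private credentials (list chosen for this example).
SENSITIVE_FILES = [
    ".globus/userkey.pem",   # Grid (X.509) private key
    ".ssh/identity",         # SSH protocol 1 key
    ".ssh/id_rsa",
    ".ssh/id_dsa",
    ".gnupg/secring.gpg",    # PGP secret keyring
]
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def posix_findings(home: Path) -> List[Dict[str, object]]:
    """Report key files accessible beyond the owner, by the file's own mode
    or by the mode of the directory holding it."""
    findings = []
    for rel in SENSITIVE_FILES:
        path = home / rel
        if not path.is_file():
            continue
        file_mode = stat.S_IMODE(path.stat().st_mode)
        dir_mode = stat.S_IMODE(path.parent.stat().st_mode)
        issues = []
        if file_mode & GROUP_OR_OTHER:
            issues.append("file mode %o allows group/other access" % file_mode)
        if dir_mode & GROUP_OR_OTHER:
            issues.append("directory mode %o allows group/other access" % dir_mode)
        if issues:
            findings.append({"path": rel, "issues": issues})
    return findings


def fix_permissions(home: Path, findings: List[Dict[str, object]]) -> int:
    """Tighten to owner-only: 0600 on the key, 0700 on its directory.
    Returns the number of chmod calls made."""
    changed = 0
    for f in findings:
        path = home / str(f["path"])
        if stat.S_IMODE(path.stat().st_mode) != 0o600:
            path.chmod(0o600)
            changed += 1
        if stat.S_IMODE(path.parent.stat().st_mode) != 0o700:
            path.parent.chmod(0o700)
            changed += 1
    return changed


def afs_acl_exposures(listacl_output: str) -> List[str]:
    """Return the 'Normal rights' entries of `fs listacl` output that grant
    read (r) to everyone (system:anyuser) or to any authenticated AFS user
    (system:authuser). Lookup-only (l) is normal for a home directory."""
    exposures = []
    in_normal = False
    for line in listacl_output.splitlines():
        if line.startswith("Normal rights:"):
            in_normal = True
            continue
        if line.startswith("Negative rights:"):
            break
        if in_normal and line.strip():
            principal, rights = line.split()
            if principal in ("system:anyuser", "system:authuser") and "r" in rights:
                exposures.append(principal + " " + rights)
    return exposures


# Constructed sample: a .globus directory whose ACL lets anyone read it.
SAMPLE_LISTACL = """Access list for /afs/example.org/user/alice/.globus is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
"""


def build_demo_home() -> Path:
    """Constructed home: an exposed Grid key and a correctly protected SSH key."""
    home = Path(tempfile.mkdtemp(prefix="keyaudit-"))
    for rel, fmode, dmode in ((".globus/userkey.pem", 0o644, 0o755),
                              (".ssh/id_rsa", 0o600, 0o700)):
        path = home / rel
        path.parent.mkdir()
        path.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n")
        path.chmod(fmode)
        path.parent.chmod(dmode)
    return home


def run_demo() -> Tuple[List[str], int, int, List[str]]:
    """Audit the constructed home, fix it, re-audit, and check the sample ACL."""
    home = build_demo_home()
    before = posix_findings(home)
    changed = fix_permissions(home, before)
    after = posix_findings(home)
    return [str(f["path"]) for f in before], changed, len(after), afs_acl_exposures(SAMPLE_LISTACL)


if __name__ == "__main__":
    print(run_demo())
```

Fixing the mode bits answers the slide's question about a pre-created `.globus` directory only for the non-AFS case; in AFS the directory ACL is what has to be set, so the ACL check is the one that matters for the exposures the talk counted.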

57 The Stats
- Of 18 directories, 14 were world readable.
- 11 had valid certificates.
- After 40 days, 8 had still not been revoked.
  - 3 directories were still readable.
  - 1 new exposure had occurred.
- Distribution of sources
  - 5 DOEGrids
  - 5 DOEScienceGrids
  - 1 Princeton self-signed

58 Opportunities for collective incident response... and prevention. Matt Crawford, Fermilab. HEPiX, October 2003

59 Collective Incident Response
- Receive report or detect activity.
- Gather additional information.
- Evaluate.
- Take immediate steps, if indicated.
- Estimate effects on/implications for other sites.
- Plan corrective action.
- Notify (or consult) management.
- Notify affected and other concerned parties.
- Carry out corrective plan.
- Assess performance and current security posture.

60 A Problem Statement
- The common Internet threat model is trusted endpoints on an insecure network.
- SSL, SSH, IPsec, and a myriad of host vulnerabilities have turned this backwards. We've got more communication security than host security.
- ... and it's natural to believe that a message received on a secure channel can be trusted.
- See also: The Internet is Too Secure Already, by Eric Rescorla.

61 Live It?
- That's not so bad, in relative terms.
- At the last meeting, 6x the people exposed 18x the passwords in the same time period.
- The bad news: that was GGF.
- Masked password fragments shown on the slide: cm----97r6----4bgo----ngla----28 lu----leca----thfz----00fr----mp tr----u5hy----mjma----_8

62 Security Discussion
- Concern about GRID firewall holes.
- Idea of information page(s) for visitors to a site.
- Set up e-mail list for security information.
  - (Contact
  - Note: This is not for security alerts.
- Need laptops updated before they leave home institute.
  - And ability to update them when away.

63 Lots of Other Interesting Talks
- Root kit protection and detection
- SPAM fighting (two talks – GSI, Triumf)
- Console management on farms
- ……
- Next meeting in Edinburgh.
