Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Terminal Server & Citrix MetaFrame

Published byEmery Hall Modified over 8 years ago

Similar presentations

Presentation on theme: "Windows Terminal Server & Citrix MetaFrame"— Presentation transcript:

1 Windows Terminal Server & Citrix MetaFrame
Stanford Linear Accelerator Center NT Support Group Gregg Daly Supported by U.S. D.O.E. contract DE-AC03-76SF005515

2 General Information Stanford University operated - U.S.D.O.E funded unclassified research center Heterogeneous computing environment supporting high-energy physics research 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems Exponential growth at the facility - Research Center - no weapons research, nearly all information is published on our 1/2 million web pages or academic papers - Computing environment - 13 some OS’s (BeOS to Mac to NT to Solaris ) Mac Iici’s, WinTel servers to 64 CPU Sun E10000 - Growth - just one experiment will produce 3 PB of data over 5 years

3 Responding to ‘98 Security Incident
Hackers compromised 25 systems and 50 user accounts Perform data & service analysis on areas of the network Decision to safeguard critical HR and Financial Data on PeopleSoft and Oracle Safeguard personnel data in Human Resource database Safeguard purchasing and budget data in Financial database - Hackers - AIX and Solaris systems effected - direct lessons to be learned - OS and patch not up-to-date leaving holes for “root kits” - SLAC equipped with a filtering router with ACLs but we do not a proxy or stateful inspection firewall system - Determination - What parts of the network could be secured without effecting the open collaboration with sister labs and numerous universities around the world, - Decision - The research doctrine dictated the research networks be safeguard yet no obstacles to the “free flow of data”. That is how or the idea the Internet was built on and SLAC being the first US web site, history won - Safeguard the private data within the PeopleSoft/Oracle databases that contains personnel data (names, addresses, SSN, driver’s licenses) and the financial data (purchasing, credit cards, vendor account data)

4 Options to securing data
Corporate type lock down including limiting access to and from the Internet and other research facilities Two physical networks - one SLAC only & other Internet accessible Moving the data (but not the people) into a highly secured zone. Use encrypted access and extensive monitoring - Corporate Firewall at the Border Router to the Internet - Would cut off SLAC scientists from world-wide collaborators - After opening all holes to provide all the services - Swiss cheese firewall - impractical - Violates the research doctrine of the facility - Two physical networks - Impracticable for the type of environment - unclassified work - Unable to justify cost - Moving the data - Very practical for SLAC environment - Allows users throughout the network complete access - Allow BSD access to both the secure network

5 Business Services Network
Created a highly secure “machine/data only” network Created a user/workstation network to access the secure network Secure all aspects of data access Secured workstations Encrypted application access via Citrix’s Secure ICA Encrypted host connections via Secure Shell (3DES/Blowfish) Two Phase authentication process for secure domain login - This solution allowed for the users on the BSD network to have regular access to the critical HR and Financial data AND access to the rest of SLAC, the staff they service and the Internet. - Separate the users from the data, restricting access to the data - Secure all aspects of data access - Secure workstations by boot floppy the workstation, erasing the partitions, reloading the OS and applications with users not in the administrator access. Numerous file and registry changes to improve security. - MetaFrame a secure 128-bit RC5 encrypted connection to the application servers. ICA sessions must be initiated from the the BSDnet to the secure BSDnet. - Connections to the secure BSDnet must be with a Secure Shell client (3DES or Blowfish encryption). Telnet daemons unloaded from the hosts. - Security Dynamic’s ACE/Server provides a secondary log in using a pseudo-random tokencode and pin code combo. Passcodes not reusable that eliminates threat of sniffing hack - even if it is sniffed, can not reuse the passcode.

6 PeopleSoft WTS-MetaFrame Farm
Data Data MetaFrame Farm Data Data Oracle Secure BSDnet MS Windows Terminal Server Citrix MetaFrame MetaFrame Load Balance Secure ICA MS Windows Terminal Server Citrix MetaFrame MetaFrame Load Balance Secure ICA PeopleSoft Business Services Division BSD Domain Workstation Connection: Secure ICA (future 2-factor authentication) BSDnet - Secure ICA connections to the MetaFrame servers can only be initiated from the BSDnet - Remote users must VPN into the BSDnet (giving them a BSDnet IP address) and then launch a Secure ICA session through the PPTP server - SLAC Internet

7 Secure Business System
- In the event of a security incident, Secure BSD net and BSDnet can be isolated from SLAC and the Internet - In the case of a BSDnet computer being compromised, the BSDnet can be isolated from Secure BSDnet, the rest of SLAC and the Internet

8 Prod Test WTS Secure BSDnet BIS Data File Server SMS, BDC BSD BSDnet
PeopleSoft Test PeopleSoft WTS +Citrix Farm UserMC Secure BSDnet “Air Gap” BIS Web Server Data Warehouse File Server SMS, BDC BSD PDC User01 UserYY UserXX “Air Gap” BSDnet Rest of SLAC - Topology of the network - Gigabit backbone - Green - BSDnet - BSDnet / BSD NT Domain - Mainly NT workstations & servers - Self contained network with Domain Controllers, Backups, SMS, web servers - Users and workstation in the network - Red - Secure BSDnet - Servers and data only - “Emergency” workstation - WTS / MetaFrame applications servers run PS and connect to DB running on Oracle/Solaris - Can only be accessed from a BSDnet addresses computer, router (both border and BSD) have access controls against spoofed Ips - Gigabit Ethernet

9

10 Lessons of the implementation
SLAC’s business process application, PEOPLESOFT is not native to the Windows Terminal Server/Citrix Metaframe environment Increased session security incompatible with cross-platform access 3rd Party applications (Crystal Reports) has to be reconfigured to not only run on WTS but also run with a non-standard implementation of a “multi-user” PeopleSoft Securing the application servers running WTS Staff intensive installation and troubleshooting - Peoplesoft 6.5 required extensive scripting during application startup to enumerate variables within each individuals WTS session, intensive debugging and required a highly advanced knowledge of both PS, WTS, and MetaFrame - Current OS levels (SAMBA) does not supported MS heightened session security SMB and NTLMv2; rumors in fall a capability layer with MS - Techniques to lock down workstations, such as removing hidden shares, broke services, like SMS -

11 Securing WTS/MetaFrame
Physical security critical - “Log on Locally” to all users Restrict anonymous connections Separate %rootdrive% and %systemroot% from %apps% Apply Microsoft ZAK for WTS Create bin folder on %apps% with system32 user apps Remove “everyone” access from everywhere file & registry Apply security based Service Packs and hot fixes immediately Recommend encrypted client Run highest NT authentication hash compatible with your site

12 Securing Business Services
Standardized workstations Add’l filtering router on business subnet Secure application publishing - MetaFrame Two phase authentication Encrypted host, app & remote access Active monitoring “Air gap” fail-safe measure in the event of intrusion

13 General Use App Farm Goal: To provide non-Windows clients access to Windows applications; encourage single platform clients Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers “Master” to clone maintenance plan Provide most every app needed/requested by users

14 General Use App Farm Strong support for LINUX and Solaris clients
Beware of potential “bad apps” on WTS NetMeeting ( DOS applications Using Basic encryption for general sessions, considering bit SecureICA for all access to both farms

15 Future of Thin Client Windows 2000 servers “natively” support thin client - Watch for more features in MS’ RDP clients Windows 2000 Applications Deployment Services “Rental applications” Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors Microsoft’s 2000 logo program “requires” WTS compliance Return to the mainframe-like methodology with Win2K and thin client solutions

16 WTS/Citrix Paper NT Security in an Open Academic Environment - SLAC 8172 Find the document at :

17 Questions HEPNT ‘99 www.slac.stanford.edu/comp/winnt

Download ppt "Windows Terminal Server & Citrix MetaFrame"

Similar presentations

SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.

SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004.
Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002.

Citrix Secure Gateway v1.1 Technical Presentation August 2002 Technical Presentation August 2002.
Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.

Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.
1 Module 1 The Windows NT 4.0 Environment. 2  Overview The Microsoft Operating System Family Windows NT Architecture Overview Workgroups and Domains.

1 Module 1 The Windows NT 4.0 Environment. 2  Overview The Microsoft Operating System Family Windows NT Architecture Overview Workgroups and Domains.
Saving Money by Recycling Existing Computers with LTSP Peter Billson Linux Terminal Server Project (LTSP.org) Linux User Group in Princeton LUG/IP July.

Saving Money by Recycling Existing Computers with LTSP Peter Billson Linux Terminal Server Project (LTSP.org) Linux User Group in Princeton LUG/IP July.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
Connect with life Gopikrishna Kannan Program Manager | Microsoft Corporation

Connect with life Gopikrishna Kannan Program Manager | Microsoft Corporation
A SOLUTION: 2X REMOTE APPLICATION SERVER. 2X REMOTE APPLICATION SERVER.

A SOLUTION: 2X REMOTE APPLICATION SERVER. 2X REMOTE APPLICATION SERVER.
CSE 190: Internet E-Commerce Lecture 14: Operations.

CSE 190: Internet E-Commerce Lecture 14: Operations.
Microsoft Systems Management Server Implementation at SLAC Freddie Chow Freddie Chow Stanford Linear Accelerator.

Microsoft Systems Management Server Implementation at SLAC Freddie Chow Freddie Chow Stanford Linear Accelerator.
Chapter 13 Chapter 13: Managing Internet and Network Interoperability.

Chapter 13 Chapter 13: Managing Internet and Network Interoperability.
Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.

Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.
1 SLAC Windows Migration Bob Cowles Presented for the SLAC Windows Migration Project HEPNT, Fermilab October 24, 2002.

1 SLAC Windows Migration Bob Cowles Presented for the SLAC Windows Migration Project HEPNT, Fermilab October 24, 2002.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.

Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Desktop in the Clouds Using Virtualization to Extend Client Outreach and Protect Data.

Desktop in the Clouds Using Virtualization to Extend Client Outreach and Protect Data.
Common Services in a network Server : provide services Type of Services (= type of servers) –file servers –print servers –application servers –domain servers.

Common Services in a network Server : provide services Type of Services (= type of servers) –file servers –print servers –application servers –domain servers.

Similar presentations

Ads by Google