TAFE Trojans

1. TAFE Trojans http://trojans.virtualhost.com.au Cert 4 Project

2. A Little About Ourselves The Trojans… Nick: Security, firewalls, UNIX and switch management. Paul: Cable Runs, Hardware, web design/management and Documentation. Kellie: Pricing, Documentation, Time Management and Project Analysis. Ian: Research, tech support and Time Management. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

3. The Job • As a part of the cert IV class, TAFE has asked us to address certain problems existing on the network. • These issues are… • 30 day secure channel problem • PXE Workstation Imaging • Internet control and filtering • Network Speed to classroom C-312 We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

4. What We Will Do • 2 New Gigabit Switches for C-312 and C-block server room. • Installation of Smoothwall School Guardian • Implementation of PXE network boot imaging. • 30 day secure channel problem. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

5. What We Won’t Do • System Backups. • Anti-Virus. • KVM-Switch for server room – Already a 4 Port in room. • USB Caddies. • Facility for storing Ghost images – Flash Already Sufficient. • Wireless Connectivity – Not important at the moment but a future possibility. • Domain Controller – IT.net is happy with their 2000 server at the moment. • Moving onto 30 day secure channel… We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

6. 30 day Secure Channel • The Problem. • after 30 days, the it.net computers can’t log onto goth because the secure channel password has changed. • typically a computer has its own individual name and account on the DC, and doesn’t suffer this problem. • unfortunately tafe’s computers all share the same name and therefore he same secure channel password and account. • this password identifies individual computers to the domain, and changes every 30 days. • for Tafe, once this password changes for one computer, the other computers can’t log on because they are using the old password with the same account. • this is where we found a fix We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

7. 30 day Secure Channel • First attempt. • The first registry key we found changed the amount of days till password expriry • Allowed a potential of 1 000 000 days • When the server restarted the registry value was reset • So we thought we could build a startup script or find a better solution. • We went for option 2 ….. We found another key. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

8. 30 day Secure Channel Second Attempt The “new” key is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE /System/CurrentControlSet/Services/NetLogon/Parameters/MaximumPasswordAge Changing the key allows to enable/disable the maximum password age, rather than specify days. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

9. 30 day Secure Channel These changes are illustrated thorough the following various pictures The Registry Entry Before it was changed We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

10. 30 day Secure Channel These changes are illustrated thorough the following various pictures The Registry Entry After it was changed We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

11. 30 day Secure Channel These changes are illustrated thorough the following various pictures The Policy Editor Before it was changed We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

12. 30 day Secure Channel These changes are illustrated thorough the following various pictures The Policy Editor After it was changed We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

13. 30 day Secure Channel Because of these changes through the registry, in effect it turns off the 30 day check. Moving onto PXE… We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

14. PXE • Pre-boot Execution Environment • overview • A network boot enabled PC makes imaging a host computer very easy. • Most computers today support network boot. • Enabled through bios, select first boot device as network boot. • Relies on a DHCP and TFTP server • OS images are transferred via TFTP to the host computer. • The option for a boot menu for user input is available. • Replaces the need for individual boot floppies. (“Thank god” says Andy) We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

15. PXE • Pre-boot Execution Environment • process • Firstly the network boot PC looks for a IP address through DHCP. • The file dhcpd.conf on the DHCP server has a static entry for the workstation, and the bootfile to load. • The Server responds with an IP and asks the client if network boot enabled. • The workstation says “Yes” then gets an IP and is directed to the TFTP server. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

16. PXE • Pre-boot Execution Environment • Process (con’t) • At the TFTP server the workstation requests the “filename”.img referred to in the dhcpd.conf file on the DHCP server and executes it. • The boot image does the rest, maps drives, runs ghost and images the host computer • Moving on to Smoothwall….. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

17. Smoothwall • Introduction to Smoothwall • Linux based operating system. • Simplified Linux Kernel • We will be demonstrating the free version – Smoothwall Express • Very powerful firewall and internet filter • Very easy to install We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

18. Smoothwall • System monitoring.. • Notices of available smoothwall updates • System Uptime, Process status, Disk Usage • Traffic graphs We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

19. Smoothwall This is the main Smoothwall front page. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

20. Smoothwall This is the statistics area. We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

21. Smoothwall Traffic Graphs We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

22. Smoothwall • Security.. • Port Forwarding • DMZ Pinholes • Remote access We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

23. Smoothwall Port Forwarding Interface We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

24. Smoothwall DMZ Pinholes Interface We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

25. Smoothwall • More Security.. • IP Blocking • Internet Connectivity (PPP) • Log Viewer of all activity • Settings - Backup We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

26. Smoothwall Supporting Text We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

27. Smoothwall PPP Internet Connectivity We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

28. Smoothwall Settings - Backup We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE

29. Budget • 2 New switches for C3-12 and C-Block server room - $1310.78 • 100m of Cat 5e for 2 runs from C-Block server room to C3-12 - $450 • Smoothwall School Guardian 4 inc 70 concurrent licences - $2053.70 • Labour Cost for Tafe Trojans (Inc GST) - $2145.00 • ________ • Total (Inc GST) - $5959.48 We Are The Trojans, You will be Assimilated, Your Biological and Technological Distinctiveness will be added to our own… RESISTANCE IS FUTILE