WIN.MIT.EDU: MIT Enterprise Windows Services

IS&T Network & Infrastructure Services Team


WIN.MIT.EDU: MIT’s Central Windows Domain

  • Audience

  • Description

  • Case Studies

  • Architecture

  • Features/Benefits

  • Sub-services

  • Security

  • Support

Presented at ITPartners by Richard Edelson


Audience

  • Academic Departments

    • Classrooms, Clusters, Labs, Staff, Servers

    • Application, File and Print Services, Database, Web

  • Research Departments

    • Labs, Staff, Servers

    • Application, File and Print Services, Database, Web

  • Administrative Departments

    • Staff, Servers

    • Application, File and Print Services, Database, Web


Description

  • win.mit.edu provides a centrally managed Windows environment for the MIT campus. It is integrated with MIT's Kerberos realm, the Moira database and MIT's standard DNS namespace. Users log on once and have single sign-on to many MIT resources.

  • Departments can seamlessly share resources across the Institute with other faculty, staff and students. Departments are given control of their environments to customize in many ways while leveraging the added value IS&T has built into the platform. Departments no longer need to provision and manage user accounts, handle patch management or manage operating system licensing.

  • Over the past year the domain has been used by over 60 departments and 10,000 users. These include faculty, staff, and students in academic, administrative and research departments.


Case Studies: Academic Departments

  • Department of Urban Studies and Planning

    • Cluster/Classroom environments

    • Desktop Environment for Faculty and Staff

    • File Servers

  • Chemical Engineering

    • Specialized cluster/lab environment with customized applications

  • Teal Classrooms

    • Classroom/Cluster environment

  • IS&T Academic Computing

    • Classroom/Cluster environment

    • High performance computing environment featuring AutoCAD, ArcView GIS, Mathematica, MatLab, Adobe applications and more


Case Studies: Research Departments

  • Bionet: Biology, Bio Engineering and more

    • 54 labs in 18 DLCs using shared high performance storage on NetApp file appliances joined the win.mit.edu Active Directory.

    • High performance storage required for generation of Genome research computational data.

    • Desktop and Lab PC/Instrument environments

    • Windows File and Print Servers

    • Some Workstation Environments are behind Firewall on Private Subnet

    • Users make use of DFS home directories for personal space

  • CMSE-SEF – Electron Microscope Lab

    • Desktop and Lab PC/Instrument environments

    • Windows File and Print Servers

    • Secure Web site using IIS for external data sharing


Case Studies: Administrative Departments

  • Controller's Accounting Office

    • Desktop, Windows File and Print Server Environments, Secure SAP check printing

  • Human Resources

    • Desktop, Windows File and Print Server Environments, Kiosk Workstations

  • Office of Sponsored Programs

    • Desktop, Windows File and Print Server Environments

  • Campus Police

    • Desktop, Windows File and Print Server Environments, IPSec

  • Card Office

    • Desktop, Windows File and Print Server Environments, Access Management via Citrix

  • Parking Office

    • Desktop, Windows File and Print Server Environments

    • Application Servers for Parking Gate Management

  • Resource Development

    • Desktop, File and Print Server Environments

    • Specialized Database Application Environment via Citrix

  • Student Financial Services

    • Desktop, Windows File and Print Server Environments

    • Financial Aid Database Server with IPSec


Architecture: Active Directory

  • Cross-Realm Trust

    • Trust of MIT Kerberos Realm by WIN.MIT.EDU allows single sign-on to multiple resources.

    • Delegated User Management – MIT Kerberos accounts: departments control resources by managing group membership and ACLs

  • Single Domain/Forest Model

    • Model in use by large schools, corporations and ISPs

    • Delegation of Containers (OUs) – “Islands of Control”

      • Departmental container administrators have many tools to build their workstation and server environments. Each department builds and customizes their own environment.

      • Container administrators control machines and access to their resources instead of the users directly

    • Group policy

      • Software distribution, security, registry and other feature settings can be assigned on a container basis. ACLs are applied via Moira groups. Custom group policy settings are written by IS&T.

    • Standard MIT DNS Services

      • win.mit.edu uses MIT’s UNIX-based DNS services instead of Microsoft’s

  • LDAP Directory populated by data from:

    • Moira – User, Group, and Container data

    • Populator – Moira host-to-container mapping, Data Warehouse, SPNs (service principal names)


WIN.MIT.EDU Architecture

(Diagram: the components shown are Moira, Populator, MIT Kerberos KDCs, WIN.MIT.EDU DCs, MITnet DNS, Data Warehouse and DFS Storage; the arrows between them are labelled “Query” and “Data Feed”.)


Architecture: Moira Data Feed – “Incremental”

  • The Moira incremental update is used to keep the WIN.MIT.EDU domain synchronized to the Moira database. The Moira incremental will create and maintain the following in Active Directory:

    • User accounts (MIT Kerberos IDs – principals) and profile options

      • Account status changes such as activation/deactivation

    • Lists and Groups with their memberships

    • Container Hierarchy

  • The Moira incremental is a UNIX executable that resides on the Moira server and runs continuously. It uses Kerberos V5 authentication to establish an LDAP connection to the Windows domain and perform the updates. It has been completely integrated into Moira operations.

  • When relevant changes to users, groups or containers are made in Moira, the incremental is triggered and the change is propagated to Active Directory.

  • The Moira incremental will distinguish between list and groups when propagating them in Active Directory:

    • Lists = Distribution groups

    • Groups = Security groups

  • Do not write directly to AD to create Domain groups or security descriptors

    • The data may be over-written

    • Make these changes in Moira

    • Local groups can be managed directly via Windows
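As an added illustration (not the Moira incremental itself, whose code is not on these slides), the following Python models the list/group rule above and shows why a hand edit in AD gets reverted: the sync computes the AD state Moira wants and emits the operations that bring AD back to it. The groupType bit values are Active Directory's real ones; the `MoiraList` structure, the sample names and the hand edit in `demo()` are constructed for the example.

```python
"""Toy model of the list-vs-group mapping the slides describe for the Moira
incremental. Added example, not MIT's Moira incremental (its internals are
not on the slides). Assumptions: Moira marks each list as a security group
or not, and AD's groupType attribute carries the real bit values below.
"""
from dataclasses import dataclass, field

# Real Active Directory groupType bits; AD stores the attribute as a signed 32-bit integer.
GROUP_GLOBAL = 0x00000002
GROUP_SECURITY_ENABLED = 0x80000000


def to_signed32(value: int) -> int:
    """0x80000002 is read back from LDAP as -2147483646, so mirror that here."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type_for(is_security_group: bool) -> int:
    """Slide rule: Moira groups -> security groups, Moira lists -> distribution groups."""
    flags = GROUP_GLOBAL | (GROUP_SECURITY_ENABLED if is_security_group else 0)
    return to_signed32(flags)


@dataclass
class MoiraList:
    name: str
    is_group: bool                      # True = security group, False = distribution list
    members: set = field(default_factory=set)


def desired_ad_state(lists) -> dict:
    """The AD state the incremental wants, keyed by group name."""
    return {l.name: {"groupType": group_type_for(l.is_group), "member": set(l.members)}
            for l in lists}


def reconcile(desired: dict, current: dict) -> list:
    """LDAP-style operations that make `current` (what is in AD now) match `desired`.

    A groupType or membership change made by hand in AD shows up as an operation
    that reverts it, which is why the slides say Moira-owned groups must be
    changed in Moira, not written to AD directly.
    """
    ops = []
    for name, want in desired.items():
        have = current.get(name)
        if have is None:
            ops.append(("add", name, want["groupType"], sorted(want["member"])))
            continue
        if have["groupType"] != want["groupType"]:
            ops.append(("replace", name, "groupType", want["groupType"]))
        for m in sorted(want["member"] - have["member"]):
            ops.append(("add_member", name, m))
        for m in sorted(have["member"] - want["member"]):
            ops.append(("remove_member", name, m))
    return ops


def demo() -> list:
    """Constructed data: one Moira group and one list, with AD drifted by a hand edit."""
    moira = [MoiraList("dusp-staff", True, {"alice", "bob"}),
             MoiraList("dusp-announce", False, {"alice"})]
    # Someone changed the group to a distribution group in AD and added carol directly.
    in_ad = {"dusp-staff": {"groupType": 2, "member": {"alice", "carol"}}}
    return reconcile(desired_ad_state(moira), in_ad)


if __name__ == "__main__":
    for op in demo():
        print(op)
```

Running it lists four operations: the hand-made groupType change is replaced, the missing member is added, the hand-added member is removed, and the list that did not yet exist in AD is created. That is the "data may be over-written" behaviour the slide warns about, expressed as code.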


Architecture: User Experience

Single Sign-on:

User Accounts via the Moira incremental

  • A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal

  • Profile and home directory options are written to the user's account data along with office location, phone and email

  • A random 127-character password is generated and stored in the user properties in Active Directory so that the real password does not need to be propagated. Cross-realm authentication verifies the user's password directly against the MIT Kerberos KDCs.

  • A Windows service exists to refresh the random passwords every 30 days

  • Web form to set the user's Windows password to a known value for use with special applications where required
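An added example, not IS&T's actual Windows service, of the two mechanics described above: generating a random 127-character placeholder password and deciding which accounts are past the 30-day refresh. It assumes pwdLastSet is read as the Windows FILETIME that AD stores; the character set and the sample accounts in `demo()` are constructed for the example.

```python
"""Added example, not IS&T's Windows service: generates the kind of random
placeholder password the slides describe and decides which accounts are due
for the 30-day refresh. Assumptions: pwdLastSet is read as the Windows
FILETIME AD stores (100 ns ticks since 1601-01-01 UTC); the character set
is my choice, since the slides do not say which characters are used.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

PASSWORD_LENGTH = 127                # length stated on the slides
REFRESH_AFTER = timedelta(days=30)   # refresh interval stated on the slides
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # assumption
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MICROSECOND = timedelta(microseconds=1)   # one FILETIME tick is 100 ns, i.e. a tenth of this


def random_placeholder_password(length: int = PASSWORD_LENGTH) -> str:
    """CSPRNG-backed (secrets, not random); nobody types it, so it can be long and unreadable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // MICROSECOND) * 10   # integer floor-division keeps it exact


def refresh_due(pwd_last_set: int, now: datetime) -> bool:
    """True when the placeholder is at least REFRESH_AFTER old, or was never set (0)."""
    if pwd_last_set == 0:
        return True
    return now - filetime_to_datetime(pwd_last_set) >= REFRESH_AFTER


def accounts_needing_refresh(accounts: dict, now: datetime) -> list:
    """accounts maps sAMAccountName -> pwdLastSet; returns the names that are due."""
    return sorted(name for name, last_set in accounts.items() if refresh_due(last_set, now))


def demo() -> list:
    """Constructed sample: three accounts evaluated at a fixed 'now'."""
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    accounts = {
        "alice": datetime_to_filetime(now - timedelta(days=31)),  # stale, refresh
        "bob": datetime_to_filetime(now - timedelta(days=1)),     # fresh
        "carol": 0,                                               # never set
    }
    return accounts_needing_refresh(accounts, now)


if __name__ == "__main__":
    print(len(random_placeholder_password()), "characters; due for refresh:", demo())
```

The password is never shown to or typed by anyone, which is why length and unreadability cost nothing here; the refresh service would write the new value to the account and pwdLastSet would move forward, taking the account off the due list.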


DFS: User Profiles/Home directory

  • Default is roaming profile in DFS

    • Configurable via web form

    • .winprofile is created in the user's DFS home directory

    • Copied to local drive at logon

    • NTFS user quotas

  • H: is mapped to the user's DFS home directory

    • 2 GB User quota by default

    • Previous Versions support

    • Accessed over network as needed

    • Used for folder redirection of Windows homedir

    • WinData directory is created in DFS for user data

      • My Documents

      • Application Data

      • Favorites

  • Quickstation utility for public machines


DFS: Previous Versions

  • Uses VSS (Windows Server 2003 Volume Shadow Copy Service) for user home directories

    • Point-in-time copies of files. View, copy or restore files and folders as they existed at points in time in the past.

    • Recover files that were accidentally deleted or overwritten.

    • Compare versions of a file while working.

    • Self-service file restore capability for the end user.

  • Snapshots are taken daily at 4 AM. Versions going back up to 64 days are available.

  • Shadow copies are read-only. You cannot edit the contents of a shadow copy.


Sub-services

  • Citrix

    • Hosted Business applications

    • http://citrix.mit.edu/citrix/about.html

    • Citrix Staging

  • MIT WAUS: MIT Windows Automatic Update Services

    • Site for MIT-approved Windows Updates, load balanced via Big IP

    • http://web.mit.edu/ist/topics/windows/updates/

  • Contract Administrative Services via IS&T’s DITR Team

    • WIN.MIT.EDU Group Policy and Container Management

    • Desktop Management and Support

    • Server Management and Support

    • Server Colocation Services in W91


Features/Benefits

  • Container Management

  • Delegation of Account Management

  • Container Wide Job Scheduling

  • Web forms

  • Group Policy

  • Storage

  • Printing

  • Laptops

  • Network Boot Installation Services


Container Management

Containers (OUs) – “Islands of Control”

  • Departments can administer their workstations and servers independently almost as if they were running a separate domain

  • Seamless ability to share resources with other departments

  • Departments control machines and access to their resources instead of the users directly

  • Domain Administrators can be removed from Administrators Group on all workstations and servers

  • Container Administrators have the ability to override default domain group policy settings

  • Containers have ACLs in Moira defining who may administer them, and groups are auto-created to set ACLs on machine accounts within their containers


Delegation of Account Management benefits

  • MIT Kerberos accounts – departments control resources by managing group membership and ACLs

    • All students and staff have Kerberos IDs

  • Delegation of password management

    • Save time and money

  • Web forms for some user tasks

    • Easy to use, self service

  • Departments only need to manage their groups

    • Save time and money

  • Seamless ability to share resources with other departments


Container Wide Job Scheduling - SelfMaint

  • Container based scheduling service called SelfMaint is provided in addition to the Windows Task Scheduler service.

    • Runs under the SYSTEM account

    • Can reboot, defrag disks or run custom scripts

    • Scripts reside on the network and will continue to run if the OS is reinstalled or a new computer is added to the container

  • A script can either wait until no user is logged in to run or run unconditionally.

  • Web request form

  • Microsoft Hotfixes not supported by WSUS can be installed.

  • Certain scripts run domain wide


Web forms – for Users

  • https://wince.mit.edu – Uses MIT Certificates

    • User and Container Administrator tasks

User Web forms:

  • Change Your Active Directory Password.

    • https://wince.mit.edu/changepasswd/index.jsp

    • For users: under certain circumstances, it might be necessary to set your native WIN domain password.

  • Change Profile and Home directory options.

    • https://wince.mit.edu/changeprofile/index.jsp

    • A user can change their default DFS roaming profile and home directory locations to a local profile and home directory or to a path on a departmental server


Web Forms - Container Administrator Forms

  • Opt into/out of various domain-wide deployments

    • https://wince.mit.edu/optoutrollout/index.jsp

    • A container administrator can opt out of certain deployments until they are ready, or opt into test deployments early, before they are released domain-wide. Containers and/or individual machines can opt in or opt out.

  • Submit a Container Maintenance Job

    • https://wince.mit.edu/containermaint/index.jsp

    • Schedule a container reboot, defrag, or custom script. Selfmaint scripts can wait until a user is logged out in order to not disturb normal machine use.

  • Delete a Machine from Active Directory

    • https://wince.mit.edu/deletemachine/index.jsp

    • A convenient tool if other tools are not available. To reinstall a computer, its machine account must first be deleted from Active Directory, but NOT from Moira.

  • RIS or Join Computer Page

    • https://wince.mit.edu/getrisaccount/index.jsp

    • As a container administrator or a container membership administrator, you may use this service to obtain a short-term account and password to be used while adding machines to WIN.MIT.EDU (the Moira host information should already exist)


Group Policy

  • Container ACLs – admins control group policy

  • Container admins only use computer settings

  • Software deployment - MSI

  • Assign startup/shutdown scripts

  • Assign security settings

  • Customizable Auditing

  • Configure registry-based software settings


Storage

  • Decentralized Storage Model

    • NTFS: Departments are encouraged to use local departmental servers for their shared data storage needs

    • DFS Home directory: Holds user profiles and home directory data by default, can be changed to be local via a web form

    • DFS common space: generally is used for data used domain wide such as scripts and software packages.

      • Supports multiple writable replicas

      • Supports virtual links to departmental file servers

      • Writable replicas not recommended for highly volatile data


Printing

  • Flexible Printing Model

    • Windows Server Print queue

    • Direct printing – TCP/IP or DLC

    • Queue Published in Active Directory

    • KLPR (configured as local machine ports)

    • Samba

    • WIN.MIT.EDU group policy extensions

      • “Install these Network Printers”

      • “Install these KLPR Printers”

    • Microsoft Server 2003 R2 Print Extensions


Laptops

  • Supported in a number of scenarios:

    • Directly connected to MITnet – normal operation

    • Wireless on MITnet – normal operation

    • Remote Broadband – VPN / Enhanced settings

      • Laptop with additional opt-in settings

    • Remote Dialup – Similar to Remote Broadband

    • Disconnected – Cached logon. Will prompt user for Kerberos password if later connected

    • Workgroup (non-domain machine) – Users can map to domain file servers using the native Windows password set via the web form


Network Boot Installation Services

  • PXE – included in most new hardware

  • MITnet DHCP will route PXE requests to WIN.MIT.EDU – RIS

  • For more information see http://web.mit.edu/ist/topics/windows/server/winmitedu/RIS.html


Security

  • “Defense in Depth” Measures

    • Layered approach to system security

    • IPSec and Windows Firewall

  • Domain

    • Kerberos V5 Authentication

    • No anonymous enumeration of Active Directory, including via LDAP

  • User

    • Password resides on Kerberos KDC while 127 character random password is written to Active Directory

    • Service refreshes random passwords every 30 days

  • Client Machine

    • Patch management via WSUS

    • No anonymous access to local SAM by default

    • Local administrator denied access over the network by default

    • Logons audited by client system and domain controller

    • Central syslog server
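To check that a client actually carries the hardening listed above, an added Python example (not IS&T tooling) reads the INF that the Windows tool `secedit /export /cfg <file>` writes and tests three of the slide's client-machine measures: anonymous SAM access blocked, the built-in local Administrator denied network logon, and logon auditing on. The two policy exports embedded in it are constructed for the example and their domain SIDs are made up.

```python
"""Added example, not part of the presentation or of IS&T tooling: checks a
client's exported local security policy against three of the client-machine
measures on the Security slide (no anonymous SAM access, local Administrator
denied network logon, logons audited). Input is the INF text that the real
Windows tool `secedit /export /cfg <file>` writes; the two exports below are
constructed for this example and their domain SIDs are made up.
"""
import re

LSA_KEY = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
ADMINISTRATOR_RID = "500"   # real RID of the built-in local Administrator account

GOOD_EXPORT = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500,*S-1-5-32-546
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

WEAK_EXPORT = r"""
[Event Audit]
AuditLogonEvents = 1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
"""


def parse_inf(text: str) -> dict:
    """Minimal parser for secedit's INI-like export: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def registry_dword(sections: dict, path: str):
    """[Registry Values] lines look like PATH=4,1 where 4 means REG_DWORD."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return None
    reg_type, _, value = entry.partition(",")
    return int(value) if reg_type == "4" else None


def privilege_sids(sections: dict, right: str) -> set:
    """[Privilege Rights] values are comma-separated; SIDs carry a leading '*'."""
    raw = sections.get("Privilege Rights", {}).get(right, "")
    return {p.strip().lstrip("*") for p in raw.split(",") if p.strip()}


def check_policy(text: str) -> list:
    """Return findings for the slide's measures; an empty list means all pass."""
    s = parse_inf(text)
    findings = []
    if registry_dword(s, LSA_KEY + "RestrictAnonymousSAM") != 1:
        findings.append("anonymous enumeration of local SAM accounts is not blocked")
    if (registry_dword(s, LSA_KEY + "RestrictAnonymous") or 0) < 1:
        findings.append("RestrictAnonymous is 0: anonymous NetBIOS/LSA queries allowed")
    # The local Administrator has RID 500 in the machine's own S-1-5-21-... domain.
    deny = privilege_sids(s, "SeDenyNetworkLogonRight")
    if not any(re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-" + ADMINISTRATOR_RID, sid) for sid in deny):
        findings.append("built-in local Administrator is not denied network logon")
    audit = int(s.get("Event Audit", {}).get("AuditLogonEvents", "0"))
    if (audit & 3) != 3:                 # bit 1 = success, bit 2 = failure
        findings.append("logon events are not audited for both success and failure")
    return findings


if __name__ == "__main__":
    print("good:", check_policy(GOOD_EXPORT))
    print("weak:", check_policy(WEAK_EXPORT))
```

A real export is written as UTF-16LE, so read the file with `encoding="utf-16"` before handing its text to `check_policy`; the same checks can then be run across a container's machines and the findings forwarded to the central syslog server the slide mentions.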


IPSec

  • Selectively Block IP traffic

    • Native to Windows 2000 and up operating systems

    • Block all incoming and outgoing traffic except allowed subnets or ports

    • Block all incoming and/or outgoing traffic except allowed ports (all IP’s)

    • Allow a port outgoing only or incoming only

    • Can effectively firewall particular servers or applications

    • Conforms to RFC standards – not proprietary

    • Already in use in WIN.MIT.EDU by a few departments

    • Configurable locally or via group policy

    • Configurable per network interface

  • Encrypt Data Communication between Servers and Workstations

    • To protect sensitive data and resources

    • Supports Kerberos V5 Authentication

    • 3DES by default, configurable key regeneration intervals


Windows Firewall

  • Available on Windows XP SP2 and Server 2003 SP1

  • Exceptions are configured on a per-port basis; only IPSec can manage all traffic on a per-subnet basis.

  • Blocks incoming traffic only

    • Outgoing traffic blocking available in Windows Vista

  • Supports IP ACLs for individual ports or executables

  • Configurable locally or via group policy

  • Configurable per network interface


Layered Security Overview

(Diagram with two columns, labelled “Service” and “Authentication”; the layers shown are:)

  • SMB ports blocked by MIT Border Routers

  • IPSec

  • Windows Firewall

  • Patching of System Services

  • Blocking of Anonymous NetBIOS queries

  • Network Based Application Security

  • Local administrator denied access over the network

  • Domain account 127 character random password

  • Kerberos V5 Authentication


Support

  • Departmental Admin – Escalation from Users

    • The Container Administrator is responsible for their users and computers, but can draw on NIST resources for technical advice if the issue is domain based; peer support is also encouraged

  • DITR – SLA based Escalation - Dept Admin, User

    • Some departments may contract DITR to assist or even take the place of container administrators, depending on the department's needs

  • ACIS – Not SLA based but some support for Admins

    • Usually highly involved in Academic cluster, lab, group implementations with emphasis on application deployment in the Academic space. Training of local administrators but no official ongoing support contract

  • NIST – Escalations from DITR, Container Admins, ACIS

    • Supports the domain infrastructure, container administrators, DITR, ACST

  • PSS – Microsoft Support at discretion of NIST

