
SMS 2003 Deployment and Managing Windows Security


Presentation Transcript


  1. SMS 2003 Deployment and Managing Windows Security
     Rafal Otto, Internet Services Group, Department of Information Technology, CERN
     13 July 2014

  2. Agenda
     • SMS 2003 Infrastructure
       • What is SMS?
       • Architecture
       • Deployment
       • Rights Policy
     • Enhancements in SMS and Active Directory Integration
     • Managing Windows Security Updates with SMS 2003
       • SUS Feature Pack
       • Updating Servers
       • Updating Desktops
     • Other security related actions
     • Conclusions
     Rafal Otto (CERN IT/IS)

  3. What is SMS?
     • Microsoft Systems Management Server provides
       • centrally managed software deployment
       • software and hardware inventory
       • software metering
       • remote control
     • Additional features
       • Windows Security Updates Scan Tool
       • Microsoft Office Security Updates Scan Tool
     • Supported (managed) platforms
       • Windows 98, NT – SMS Legacy Clients – (none at CERN)
       • Windows 2000, XP, 2003 – SMS Advanced Clients – (~6000)
     • SMS is not designed for system monitoring!

  4. Architecture
     [diagram: Site Server, Distribution Points, Desktop Clients and Remote Clients (VPN, GPRS, Dial-in). Clients ask the Site Server "new package?" and receive the DP name; packages are then either downloaded from the Distribution Point (BITS) and run locally, or run from the share.]

  5. Deployment
     [timeline: milestones "SMS 2003 Site", "Complete SMS 2.0 Infrastructure", "Client Migration", "Complete SMS 2003 Infrastructure", "SMS Client Upgrade to SP1", "Complete SMS 2003 SP1 Infrastructure"; dates shown: June 2004, end of June 2004, mid July 2004, Sept 2004, Oct 2004]

  6. Rights Policy
     • SMS Administration – very limited set of administrators
     • Software Distribution – limited set of trusted users
     • Reporting – anyone who needs it
     • Remote Tools – SMS administrators + license managers


  8. Background
     • Software deployment at CERN is currently based on Group Policy Objects applied to security groups
       • when a user wants to install certain software (e.g. MS Office 2003) on his/her computer, the computer account has to be made a member of the corresponding security group (e.g. CERN\GP Apply Office 2003)
       • after the next reboot the machine receives the new installation package
     • Group memberships are managed through a single entry point, the WinServices website, in particular a service called Group Manager

  9. AD System Discovery
     [diagram: Domain Controller / Active Directory → SMS Database. SMS System Discovery reads the computer accounts (each morning, takes ~90 minutes); System Group Discovery reads the group membership of the computer accounts (each morning, takes ~30 minutes); updating the collections afterwards takes a few seconds. Any change of a computer's group membership during the day will only propagate to SMS the next morning!!!]

  10. CERN System Group Discovery
      [diagram: requests are sent to a Windows service "Collections Update" on the SMS Site Server, which writes directly to the SMS Database. Example request:]
        <request type="add">
          <group name="GP Apply WXP SP2 Settings"/>
          <member type="computer" name="pcap9"/>
        </request>
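As an added example (not the CERN service's own code), a Python sketch of what a Collections Update service has to do with a request like the one above: parse it, refuse anything that does not map to a known "GP Apply" collection or is not a computer account, and change the collection at once instead of waiting for the next morning's discovery run. The in-memory store, the "remove" request type and the sample hostnames other than pcap9 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample requests: the first is the one shown on the slide, the
# "remove" type and the third (unknown group, user account) are hypothetical.
SAMPLE_REQUESTS = [
    '<request type="add"><group name="GP Apply WXP SP2 Settings"/>'
    '<member type="computer" name="pcap9"/></request>',
    '<request type="remove"><group name="GP Apply Office 2003"/>'
    '<member type="computer" name="pcap7"/></request>',
    '<request type="add"><group name="Not An SMS Collection"/>'
    '<member type="user" name="alice"/></request>',
]

class CollectionStore:
    # In-memory stand-in for the SMS collections, one per "GP Apply" AD group.
    def __init__(self, members_by_group):
        self.collections = {g: set(m) for g, m in members_by_group.items()}

    def apply(self, xml_text):
        root = ET.fromstring(xml_text)
        group = root.find("group")
        member = root.find("member")
        if root.tag != "request" or group is None or member is None:
            raise ValueError("request needs <request> with <group> and <member>")
        name = group.get("name")
        # Only groups that map to an SMS collection may be touched.
        if name not in self.collections:
            raise ValueError(f"unknown group {name!r}")
        if member.get("type") != "computer":
            raise ValueError("only computer accounts are managed by SMS")
        host = member.get("name", "").strip().lower()
        action = root.get("type")
        if action == "add":
            self.collections[name].add(host)
        elif action == "remove":
            self.collections[name].discard(host)
        else:
            raise ValueError(f"unsupported request type {action!r}")
        return sorted(self.collections[name])

def process(requests, members_by_group):
    # Apply requests in order; return ('ok', members) or ('rejected', reason).
    store = CollectionStore(members_by_group)
    results = []
    for xml_text in requests:
        try:
            results.append(("ok", store.apply(xml_text)))
        except (ValueError, ET.ParseError) as err:
            results.append(("rejected", str(err)))
    return results
```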


  12. SUS Feature Pack
      [diagram: the SMS 2003 Site Server sends an update request to the Microsoft Download Center via the Sync Tool and receives MSSecure.xml plus the patches, QFEs and SPs; the Scan Tool is advertised to the clients, its results come back through Hardware Inventory, and the Installation Status of the updates is reported back. Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)]

  13. Updating Servers
      • ~130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers)
      • Most of the updates need a reboot at the end of the installation
      • There are groups of servers where at least one machine from the group has to be online at any time (e.g. 3 domain controllers)
      • We do not want to trust the SMS scheduler to reboot the servers
      • Our approach
        • We deploy patches with the option "postpone reboot forever"
        • We use our own mechanism to reboot the servers pending a reboot by hand
        • The "pending reboot" status of a machine is taken directly from the SMS database

  14. Rebooting servers
      [slide content is a figure; no text recoverable from the transcript]
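As an added example (not the CERN reboot tool itself), a Python sketch of how the "at least one machine from the group online" rule from slide 13 can be turned into reboot waves for the servers whose pending-reboot flag was read from the SMS database. The server names, groups and flags are constructed; a wave is assumed to be fully back online before the operator starts the next one.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names). In the real setup the
# group membership comes from AD and the pending-reboot flag from the SMS DB.
SERVERS = {
    "dc1": {"groups": {"DC"}, "pending": True},
    "dc2": {"groups": {"DC"}, "pending": True},
    "dc3": {"groups": {"DC", "WINS"}, "pending": True},
    "wins1": {"groups": {"WINS"}, "pending": False},
    "sms1": {"groups": {"SMS"}, "pending": True},  # only member of its group
    "web1": {"groups": {"WEB"}, "pending": True},
    "web2": {"groups": {"WEB"}, "pending": False},
}

def plan_reboot_waves(servers):
    """Split the pending servers into waves that can be rebooted together.

    Invariant per wave: every group keeps at least one member that is not
    rebooting. Returns (waves, manual); 'manual' lists pending servers whose
    group has no other member, so an operator must handle them separately.
    """
    size = defaultdict(int)
    for info in servers.values():
        for g in info["groups"]:
            size[g] += 1
    pending = sorted(s for s, i in servers.items() if i["pending"])
    manual = [s for s in pending if any(size[g] < 2 for g in servers[s]["groups"])]
    remaining = [s for s in pending if s not in manual]
    waves = []
    while remaining:
        wave, rebooting = set(), defaultdict(int)
        for s in remaining:
            groups = servers[s]["groups"]
            # Admit the server only if each of its groups still keeps one
            # member online after adding it to this wave.
            if all(rebooting[g] + 1 < size[g] for g in groups):
                wave.add(s)
                for g in groups:
                    rebooting[g] += 1
        waves.append(wave)
        remaining = [s for s in remaining if s not in wave]
    return waves, manual
```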

  15. Updating Desktops (1)
      • The SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2)
      • SMS packages are based on the operating system
        • one package (Adv) is used for new patches – published but not assigned
        • a second package contains all baseline patches and is assigned to run each day

  16. Updating Desktops (2)
      • Patches not supported by the SUS Feature Pack
        • packages are created manually for each patch
        • depending on the severity they are assigned or published
        • a wrapper is needed which notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times
      • With new versions of MBSA more and more products should be supported


  18. Other security related actions
      • Windows XP SP2 deployment (pilot)
        • additional firewall features
        • new Internet Explorer and Outlook Express
          • Attachment Execution Service, HTML images
          • add-ons manager
          • pop-up blocker
        • DCOM and RPC improved security
      • Get rid of weak LM hashes (soon)
        • used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy etc.
        • since Windows NT 3.5 NTLM authentication is used (the NTLM hash is much stronger)

  19. Other security related actions
      • Local administrator password reset
        • periodic (every 3 months)
        • web interface to change it again (available to the main responsible for the machine)
      • Local Administrators group (plan)
        • in the past each user was a member of the local Administrators group on his/her machine
        • this will no longer be mandatory
        • web interface to become a member (available to the main responsible for the machine)

  20. Conclusions
      • SMS 2003 makes the infrastructure much better managed
        • security scans + patch deployment
        • software inventory
      • Other improvements in security were done
        • Windows XP SP2 deployment
        • new policy for the local admin password and the local Administrators group
