1 / 17

Windows Terminal Server & Citrix MetaFrame

Windows Terminal Server & Citrix MetaFrame. Stanford Linear Accelerator Center NT Support Group www.slac.stanford.edu/comp/winnt Gregg Daly gdaly@slac.stanford.edu Supported by U.S. D.O.E. contract DE-AC03-76SF005515. General Information.

ila-golden
Download Presentation

Windows Terminal Server & Citrix MetaFrame

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Terminal Server& Citrix MetaFrame Stanford Linear Accelerator Center NT Support Group www.slac.stanford.edu/comp/winnt Gregg Daly gdaly@slac.stanford.edu Supported by U.S. D.O.E. contract DE-AC03-76SF005515

  2. General Information • Stanford University operated - U.S.D.O.E funded unclassified research center • Heterogeneous computing environment supporting high-energy physics research • 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems • Exponential growth at the facility

  3. Responding to ‘98 Security Incident • Hackers compromised 25 systems and 50 user accounts • Perform data & service analysis on areas of the network • Decision to safeguard critical HR and Financial Data on PeopleSoft and Oracle • Safeguard personnel data in Human Resource database • Safeguard purchasing and budget data in Financial database

  4. Options to securing data • Corporate type lock down including limiting access to and from the Internet and other research facilities • Two physical networks - one SLAC only & other Internet accessible • Moving the data (but not the people) into a highly secured zone. Use encrypted access and extensive monitoring

  5. Business Services Network • Created a highly secure “machine/data only” network • Created a user/workstation network to access the secure network • Secure all aspects of data access • Secured workstations • Encrypted application access via Citrix’s Secure ICA • Encrypted host connections via Secure Shell (3DES/Blowfish) • Two Phase authentication process for secure domain login

  6. PeopleSoft WTS-MetaFrame Farm Business Services Division BSD Domain Workstation Workstation Workstation Workstation Workstation Workstation Data Data MetaFrame Farm Data Data Oracle Secure BSDnet MS Windows Terminal Server Citrix MetaFrame MetaFrame Load Balance Secure ICA MS Windows Terminal Server Citrix MetaFrame MetaFrame Load Balance Secure ICA PeopleSoft Connection: Secure ICA (future 2-factor authentication) BSDnet SLAC Internet

  7. Secure Business System

  8. BSD PDC Data Warehouse SMS, BDC Prod PeopleSoft Test PeopleSoft WTS +Citrix Farm UserMC Secure BSDnet “Air Gap” BIS Web Server File Server User01 UserYY UserXX “Air Gap” BSDnet Rest of SLAC Gigabit Ethernet

  9. Lessons of the implementation • SLAC’s business process application, PEOPLESOFT is not native to the Windows Terminal Server/Citrix Metaframe environment • Increased session security incompatible with cross-platform access • 3rd Party applications (Crystal Reports) has to be reconfigured to not only run on WTS but also run with a non-standard implementation of a “multi-user” PeopleSoft • Securing the application servers running WTS • Staff intensive installation and troubleshooting

  10. Securing WTS/MetaFrame • Physical security critical - “Log on Locally” to all users • Restrict anonymous connections • Separate %rootdrive% and %systemroot% from %apps% • Apply Microsoft ZAK for WTS • Create bin folder on %apps% with system32 user apps • Remove “everyone” access from everywhere file & registry • Apply security based Service Packs and hot fixes immediately • Recommend encrypted client • Run highest NT authentication hash compatible with your site

  11. Securing Business Services • Standardized workstations • Add’l filtering router on business subnet • Secure application publishing - MetaFrame • Two phase authentication • Encrypted host, app & remote access • Active monitoring • “Air gap” fail-safe measure in the event of intrusion

  12. General Use App Farm • Goal: To provide non-Windows clients access to Windows applications; encourage single platform clients • Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers • “Master” to clone maintenance plan • Provide most every app needed/requested by users

  13. General Use App Farm • Strong support for LINUX and Solaris clients • Beware of potential “bad apps” on WTS • NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting) • DOS applications • Using Basic encryption for general sessions, considering 128-bit SecureICA for all access to both farms

  14. Future of Thin Client • Windows 2000 servers “natively” support thin client - Watch for more features in MS’ RDP clients • Windows 2000 Applications Deployment Services • “Rental applications” • Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors • Microsoft’s 2000 logo program “requires” WTS compliance • Return to the mainframe-like methodology with Win2K and thin client solutions

  15. WTS/Citrix Paper • NT Security in an Open Academic Environment - SLAC 8172 • Find the document at : http://www.slac.stanford.edu/pubs/fastfind.html • http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html

  16. HEPNT ‘99 Questions www.slac.stanford.edu/comp/winnt gdaly@slac.stanford.edu

More Related