slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD. PowerPoint Presentation
Download Presentation
HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD.

Loading in 2 Seconds...

play fullscreen
1 / 63

HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD. - PowerPoint PPT Presentation

  • Uploaded on

HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD. Overview. HEPiX/HEPNT web pages at: Contain links to this and recent meetings. Summary by Alan Silverman Videos of presentations as well as slides. 73 attendees

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HEPiX Autumn 2003 Triumf, Vancouver Mainly Windows issues. Gareth Smith. RAL PPD.' - medwin

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

HEPiX Autumn 2003

Triumf, Vancouver

Mainly Windows issues.

Gareth Smith. RAL PPD.

  • HEPiX/HEPNT web pages at:

Contain links to this and recent meetings.

    • Summary by Alan Silverman
    • Videos of presentations as well as slides.
  • 73 attendees
  • Vendor talks/exhibits

(RedHat, Microsoft, Parnasus, Ibrix)

  • HEPiX-HEPNT first three days.
    • (first day largely site reports).
  • ‘Large Systems SIG’ /Security Workshop Thursday/Friday.
    • Parallel sessions Friday morning.
windows in site reports 1
Windows in Site reports (1)
  • Oxford University
    • WTS (2000, 2003), Exchange (to 2003)
    • 200 PCs Win 2000 / XP.
  • SLAC
    • XP migration about complete (total 1700 systems).
    • Exchange from 5.5 to 2003.
    • Use of SAMBA, WTS 2003 starting, Docushare.
windows in site reports 2
Windows in Site reports (2)
  • LAL
    • IN2P3 forest across multiple sites (7 labs so far, 4 to join).
    • SMS for upgrades
  • CERN
    • New PCs with WXP (and/or LINUX)
    • Mail migration from Solaris servers to Exchange
    • Pilot WTS 2003; WebDAV
    • CPU cycles from Windows Screen saver for simulation.
windows in site reports 3
Windows in Site reports (3)
  • GSI
    • Windows 200 AD. Testing W2003.
  • DESY
    • Test migration to Windows XP summer 2003.
    • Install via RIS.
  • JLAB
    • Windows 2000 domain upgrade done.
    • SUS used to update.
    • Install via RIS or GHOST
terminal service pilot at cern
Terminal Service Pilot at CERN
  • Approved by CERN Management on June 2003
  • 3 standard computers
    • desktop 2.4 GHz, 1 GB RAM, 40 GB mirrored disk
    • Usual scale out architecture
    • Built-in load balancing
  • Supported freeware clients
    • Linux Redhat, Solaris being tested
    • Mac OS X
    • All recent Windows versions (98, Me, 2000, XP)
  • Thin clients simple to install & use
    • Internet Explorer 4 is enough on Windows
    • Simpler than the current ongoing effort on supporting Hummingbird Exceed
options that were dropped
Options that were dropped
  • Platform-independent clients
    • HOBLink JWT Java applet,
    • Not freeware, License cost prohibitive
  • Citrix ICA (
    • Uniquely X11 based
    • No additional client software required on UNIX clients
    • Performance issue
    • Complex Licensing mode
linux clients
Linux clients
  • rdesktop
    • freeware client
    • Source available
    • Compiled on Redhat standard IT version and Mandrake 9.0
  • tsclient
    • freeware front-end for rdesktop (XP look)
discussion with user representatives
Discussion with user representatives
  • A large majority of delegates requested to continue and extend the service
  • Continue the standard service for the core applications
    • A subset of the existing one
  • Envisage the possibility of having instances of TS nodes centrally maintained where a particular service provider could install his own software
    • LHCB build service
    • AB/CO controls applications, with managed JVM
    • ST/MA Asset Tracking and Maintenance Management
    • EP/SFT for several custom applications
    • IT/PS for some engineering applications
    • TH to read mail attachments for non-windows users
the proposed standard service
The proposed “standard Service”
  • Core set of applications for the standard service
    • Microsoft Office XP with Frontpage
    • Office XP Professional Multilanguage Pack (French, German, Italian)
    • Adobe Acrobat, Distiller, PDFMaker, Adobe PostScript Printer Driver
    • Putty 0.53b
    • CERN Client Printing Package
    • CERN Phonebook 2000
    • Zephyr
    • Symantec Antivirus Client
  • To be discussed
    • ActiveState Perl
    • Python
    • Visual Studio .NET
    • OpenAfs
      • OpenAFS has been one of the most welcome application but it had several technical issues
    • Microsoft MS Project 98 / MS Project 2002
  • A step forward in Linux / Windows / Mac integration
  • Freeware clients exists for all platforms
    • (except legacy Mac OS 8-9)
  • STOP or GO decision in November, based on manpower cost
web based file systems and webdav gateway services to cern dfs file system

Web-based file systems and WebDAV gateway services to CERN DFS file system

Alexandre Lossent, Alberto Pace

the web is part of the solution
The “Web” is part of the solution
  • Standard extensions to the HTTP protocol allow managing files on web servers as if these would be part of the local file system
  • HTTP Extensions for Distributed Authoring (WebDAV IETF RFC 2518) have been widely adopted on all major OS
  • Several commercial and public-domain implementations exists
  • Web Distributed Authoring and Versioning
  • IETF RFC 2518 (February 1999)
  • An extension to the HTTP protocol
    • New verbs (PROPFIND, MKCOL, LOCK...), headers and status codes
    • Uses XML to format information
  • Initially designed as a way to author web sites
    • Redundant with FPSE in the Windows world
    • Versioning is limited to file locking (check in/out)
    • Can be used as a low-end network filesystem
  • WebDAV Home page
    • See it also for related open-source projects
webdav today
WebDAV today
  • File access:
    • Create / delete files and folders
    • Read / write files
    • Copy / Move / Delete / rename files and folders
  • Document locking
    • prevent the overwrite problem, where two or more collaborators write to the same resource without first merging changes
    • Allow implementation of offline folders
  • Properties
    • XML properties provide storage for arbitrary metadata
webdav tomorrow
WebDAV tomorrow ?
  • Access control
    • Set / View / Modify Access Control lists using http
  • Versioning and Configuration Management
    • The V in WebDAV means “Versioning”
    • Document check-out, check-in
    • Retrieval of the history list
    • Offline files and folders
  • Other advanced features
    • Symbolic links
    • Ordered collections
    • Aggregated operations
webdav servers
WebDAV servers
  • Supported by all common web servers
    • Apache module mod_dav
    • WebDAV package in PHP PEAR
  • Built-in support in IIS 5 and 6
    • Need to activate appropriate HTTP verbs: PUT (write setting), PROPFIND (directory browsing setting)
    • Permissions are managed by NTFS ACLs
    • Microsoft adds a header to the WebDAV protocol for a HTTP GET to return a script’s output or its source (source access setting)
webdav servers21
WebDAV servers
  • Supported by all common web servers
    • Apache module mod_dav
    • WebDAV package in PHP PEAR
  • Built-in support in IIS 5 and 6
    • Need to activate appropriate HTTP verbs: PUT (write setting), PROPFIND (directory browsing setting)
    • Permissions are managed by NTFS ACLs
    • Microsoft adds a header to the WebDAV protocol for a HTTP GET to return a script’s output or its source (source access setting)
  • Use of WebDAV as interoperable network filesystem possible today
    • Can be applied to collaborative tools as well (Exchange)
  • Takes advantage of HTTP and XML ubiquity
    • Excellent level of interoperability for file access
    • Really reachable from any device / anywhere
  • Very simple to implement
  • But...
    • Still few implementation glitches
    • https support is still limited
    • Not a high-performance file system
    • Not a replacement for native file system (eg NTFS)
    • Permission management still require custom implementations
cern print manager

CERN Print Manager

Michel Jouvin


cern print manager approach
CERN Print Manager Approach
  • 1 central database describing all printers
    • Printer server (in a dedicated DNS zone)
    • Driver to be used for each printer
      • Per OS version (currently W95, WNT, W2K)
    • Printer default settings
  • 1 client with 3 main components
    • PrntTray : Printing Control Center (main application)
    • LPRServ : LPR client (ability to show LPR transactions)
    • PrinterWizard : add/remove printers, change defaults
multi sites configuration
Multi-sites Configuration
  • Allow to switch between different sets of parameters
    • Central database locations, LPR parameters, …
  • No conflict between sites
    • Differents directories for data files
    • Differents registry paths
  • Site definition in an INI file
    • Client can be distributed with several sites preconfigured
    • Easy addition of a new site
more information
More information
installation of w2k wxp using the unattended sourceforge net project

Installation of W2K/WXP using theunattended.sourceforge.netproject

Rosario Esposito1

Francesco Maria Taurino1,2

Gennaro Tortone1

INFN - Napoli1INFM - UDR Napoli2

HEPiX/HEPNT 2003 – Vancouver

unattended installation systems 2 3
Unattended installation systems [2/3]

It’s an OpenSource project to manage unattended installations of Windows 2K/XP workstations

  • Advantages:
    • No need of Windows and Active Directory at server side
    • Supports a large number of network adapters
    • Customizable partition scheme
    • No need of .msi format to deploy applications

HEPiX/HEPNT 2003 – Vancouver

unattended installation systems 3 3
Unattended installation systems [3/3]

  • Disadvantages:
    • No user-friendly interfaces
    • Tuning of some perl scripts and batch files is required at server side to obtain a good site dependent installation system
    • No support for disk imaging based installations

HEPiX/HEPNT 2003 – Vancouver

  • is a valid alternative for Remote Installation Service (~OpenRIS !), primarily in a Unix-oriented server environment
  • It’s completely FREE and presents all of the advantages (and flaws) of an OpenSource project
  • It has interesting features, like the extreme flexibility of installation scripts
  • It’s not the optimal choice in the case of homogeneous hardware
  • No support for application deployment after the installation

HEPiX/HEPNT 2003 – Vancouver

windows and unix interoperability tips tricks and secrets

Windows and UNIX Interoperability - tips, tricks, and secrets

Peter Skjøtt Larsen

Lead PM

Microsoft Corporation

client options for unix code
Client Options for UNIX code
  • A number of alternatives exist today:
    • Improved UNIX clients with better applications
      • Better desktops apps for Linux, etc.
    • UNIX like environments on Win32 API
      • Cygwin, uwin, mks
    • UNIX emulation on Windows Kernel
      • Microsoft Services for Unix
    • Virtual Machines
      • Microsoft Virtual Server
    • Windows like environment on UNIX
      • Wine
all the comforts of home
All the comforts of home …
  • Replaces Posix subsystem (in Windows)
  • C Shell and Korn shell
  • Single-rooted file system
  • Symbolic links
  • Win32® programs
  • Terminals and other devices
  • Services and daemons
  • Man pages
  • X windows
windows and sfu


Win32 Subsystem

Interix Subsystem

Windows Kernel


NFSClient Server Gateway

Other device drivers




Hardware Abstraction Layer

Windows And SFU




















Open Source

tools: Apache,

Tcl/Tk, bash, etc.







& utilities



Windows system

admin, commands

& networking






3rd Party




Windows APIs


Color Legend

managed co existence with virtual server

Cmd& Util

Cmd& Util

Cmd& Util







Managed Co-Existencewith Virtual Server

Windows APP

NT 4.0 APP


Virtual Server

Windows 2003 API

NT 4.0 API


Windows 2003 Kernel

NT 4.0 Kernel

UNIX Kernel

Virtual Server

Hardware Abstraction Layer

virtualization results
Virtualization Results
  • Linux app runs in the Windows environment with integrated …
    • User file store
    • Security context
    • Command execution environment
  • Access Linux transparently from Windows
  • Linux / UNIX apps run out of the box
  • Performance acceptable for many classes of apps

More info …


Email …

windows discussion 1
Windows Discussion (1)
  • Software Update Services.
    • Good results reported.
    • Care if using more than one way to update (SUS, SMS etc.). Varied internal mechanisms to decide if patch applied….
    • Need to reboot when requiredby SUS otherwise possibility of SUS blocking and not caching more updates.
    • Synchronize with Microsoft’s updates (Tuesdays).
    • Maybe issues of handling Windows 2000 and XP clients at same time.
windows discussion 2
Windows Discussion (2)
  • Suggestion of putting personal firewalls on all systems….
    • (Felt to be too complicated).
  • SLAC have contracted Microsoft to write a dll that will synchronize passwords between Active Directory and Kerberos. – mailing list. – to join.

computer security update

Computer Security Update

Bob Cowles, SLAC

Presented at HEPiX - TRIUMF

23 Oct 2003

Work supported by U. S. Department of Energy contract DE-AC03-76SF00515


SLAC Computer Security

Thinking evil thoughts

Protecting from evil deeds






microsoft @ stanford
Microsoft @ Stanford
  • Universities tend to be a worst case
  • Diverse, unmanaged
    • Population
    • Hardware
    • Software
  • Unlikely to fit into AD model
  • Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes

[Unchanged from last year]

  • Poor administration is still a major problem
  • Firewalls cannot substitute for patches
  • Multiple levels of virus/worm protection are necessary
  • Clue is more important than open source
cern s computer security challenge

CERN’s Computer Security Challenge

Denise Heagerty,

CERN Computer Security Officer

site security actions in progress
Site Security: actions in progress
  • Hardware address registration enforced for computers using DHCP (wireless, portables)
    • Allows the user to be informed of problems
    • Started for some buildings, rest of site before Xmas
  • Off-site FTP closure
    • Firewall block planned for 20 Jan 2004
  • AFS password expiry enforcement
    • Forced annual password changes + email warnings
    • Already enforced for Windows/Mail passwords
  • Network connection Rules
    • Defines acceptable network and security practice
    • System admins must agree before connecting systems
worrying trends
Worrying Trends
  • Break-ins are devious and difficult to detect
    • E.g. SucKIT rootkit
  • Worms are spreading within seconds
    • Welchia infected new PCs during installation sequence
  • Poorly secured systems are being targeted
    • Home and privately managed computers are a huge risk
  • Break-ins occur before the fix is out
    • SPAM relays used a new hole before a patch and anti-virus available
  • People are often the weakest link
    • Infected laptops are physically carried on site
    • Users continue to download malware and open tricked attachments
  • Intruders and worms can do more damage
    • When?
what more can be done
What more can be done?
  • Restrict/eliminate direct modem access
    • Firewall protection has proved to be necessary
    • Modem access is provided by ISPs
  • Reduce the need for VPN to access CERN services
    • Offer popular services to the general Internet: mail, authenticated web sites, file access, …
  • Further enhance firewall protections
    • database driven and based on requirements
  • Enhance system and application security
    • Some patches need deadlines and forced reboots
    • Security & anti-virus updates should not rely on home site access
    • Personal firewalls can reduce risk and buy time
  • Improve security awareness
    • Common messages across the HEP community would help
how cern reacted to the blaster and sobig virus attack

How CERN reacted to the Blaster and Sobig virus attack

Christian Boissat, Alberto Pace, Andreas Wagner

cern results and effort involved
CERN results and effort involved

Infected Systems: Blaster/Welchia (~300), Sobig (12)

(At end of August in FTE weeks)

NB: Does not include effort in other Divisions

The hotfix webpage was visited 12’200 times in August

The emergency measures page 2600 times in second half of August

  • Despite this “negative” presentation, all CERN Central computing services and its network continued to work without interruption
  • Standard users (more than 95 %) also continued to work as usual
  • Unmanaged computers were heavily affected
    • Many visitor computers were not up-to-date for virus and patches
    • Owners of unregistered computers could not be contacted and informed
    • This is the lesson to learn
  • However, this has triggered additional efforts to further improve patch distribution methods and to reduce further the deployment time
    • Everybody now takes security more seriously and we did not need a catastrophic disaster to achieve this
a walk through a grid security incident

A walk through a Grid Security Incident


Vancouver, October 24,2004

Dane Skow, Fermilab

afs and user private keys
AFS and User Private Keys
  • Many users have home areas in AFS.
  • Many users do not understand how AFS access control lists work.

 It is easy for users to leave their private keys world readable in AFS space.

  • Should one proactively create a .globus directory in all users $HOME with the proper permissions ?
  • What about SSH RSA keys, browser credential caches, PGP keys, …
the stats
The Stats
  • Of 18 directories, 14 were world readable. 11 had valid certificates.
  • After 40 days, 8 had still not been revoked. 3 directories were still readable. 1 new exposure had occurred.
  • Distribution of sources

5 DOEGrids

5 DOESciencegrids

1 Princeton self-signed

opportunities for collective incident response and prevention
Opportunities for collective incident response... and prevention
  • Matt Crawford
  • Fermilab
  • HEPiX, October 2003
collective incident response
Collective Incident Response
  • Receive report or detect activity.
  • Gather additional information.
  • Evaluate.
  • Take immediate steps, if indicated.
  • Estimate effects on/implications for other sites.
  • Plan corrective action.
  • Notify (or consult) management.
  • Notify affected and other concerned parties.
  • Carry out corrective plan.
  • Assess performance and current security posture.
a problem statement
A Problem Statement
  • The common internet threat model is trusted endpoints on an insecure network.
  • SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards. We’ve got more communication security than host security.
    • ... and it’s natural to believe that a message received on a secure channel can be trusted.
  • See also: “The Internet is Too Secure Already,” by Eric Rescorla.
live it
Live It?
  • That’s not so bad, in relative terms.
    • At the last meeting, 6x the people exposed 18x the passwords in the same time period.
    • The bad news: that was GGF.
security discussion
Security Discussion
  • Concern about GRID firewall holes.
  • Idea of information page(s) for visitors to a site.
  • Set-up e-mail list for Security information.
    • (Contact
    • Note: This is not for Security alerts.
  • Need laptops updated before they leave home institute.
    • And ability to update them when away.
lots of other interesting talks
Lots of Other Interesting Talks
  • Root Kit Protection and Detection
  • SPAM fighting (two talks – GSI, Triumf)
  • Console management on farms
  • ……..

Next meeting in Edinburgh.