SMS 2003 Deployment and Managing Windows Security - PowerPoint PPT Presentation

About This Presentation

Title:

SMS 2003 Deployment and Managing Windows Security

Description:

Number of Views:80

Avg rating:3.0/5.0

Slides: 21

Provided by: rafal6

Learn more at: https://www.racf.bnl.gov

Category:

more less

Transcript and Presenter's Notes

Title: SMS 2003 Deployment and Managing Windows Security

1
SMS 2003 Deployment and Managing Windows Security

2
Agenda

3
What is SMS?

4
Architecture
5
Deployment
6
Rights Policy
7
Agenda

8
Background

Software deployment at CERN is currently based on
the Group Policy Objects applied on the security
groups
when one wants to install certain software (i.e.
MS Office 2003) on her/his computer, needs to
make her/his computer account a member of certain
security group (i.e. CERN\GP Apply Office 2003)
then, after the reboot machine receives a new
installation package
To manage memberships of the groups we have a
single entry point, which is a WinServices
website, in particular a service called Group
Manager

9
AD System Discovery
10
CERN System Group Discovery
SMS Site Server
11
Agenda

12
SUS Feature Pack
13
Reports on security updates
14
Updating Servers

130 Windows servers (DCs, WINS, DFS, SMS,
Exchange servers, web servers, file servers,
custom servers)
Most of the updates need a reboot at the end of
the installation
There are groups of servers that at least one
machine from the group has to be online at any
time (i.e. 3 domain controllers)
We do not want to trust SMS scheduler on
rebooting the servers
Our approach
We deploy patches with an option postpone reboot
forever
Use our mechanism to reboot servers pending
reboot by hand
The pending reboot status of the machine is
taken directly from SMS database

15
Rebooting servers
16
Updating Desktops (1)

SUS Feature Pack is used for the supported
patches (those supported by MBSA 1.2)
SMS Packages are based on the operating system
One package (Adv) used for new patches
published but not assigned
Second package contains all baseline patches and
is assigned to run each day

17
Updating Desktops (2)

Patches not supported by SUS Feature Pack
Packages are manually created for each patch
Depending on the severity are assigned or
published
Need of the wrapper, which notifies the user in a
more clear way then the standard SMS
notification and allows to postpone the
installation for many times
With new versions of MBSA more and more products
should be supported

18
Agenda

19
Other security related actions

Windows XP SP2 deployment (pilot)
additional firewall features
new Internet Explorer and Outlook Express
attachment Execution Service, HTML images
add-ons manager
pop-up blocker
DCOM and RPC improved security
Get rid of weak LM hashes (soon)
used by Windows 95 clients, not patched Windows
98, old samba, NICE XP installation floppy etc.
since Windows NT 3.5 NTLM authentication is used
(NTLM hash is much stronger)

20
Other security related actions

Local administrator password reset
periodic (3 months)
web interface to change it again (available for
main responsible for the machine)
Local administrators group (plan)
in the past each user was a member of local
administrators group on his/her machine
will not be mandatory
web interface to become a member (available for
main responsible for the machine)

21
Conclusions