Title: Windows Terminal Server
1 Windows Terminal Server / Citrix MetaFrame
Stanford Linear Accelerator Center NT Support Group
www.slac.stanford.edu/comp/winnt
Gregg Daly, gdaly_at_slac.stanford.edu
Supported by U.S. D.O.E. contract DE-AC03-76SF005515
2 General Information
- Stanford University operated, U.S. D.O.E. funded unclassified research center
- Heterogeneous computing environment supporting high-energy physics research
- 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux and numerous other operating systems
- Exponential growth at the facility
3 Responding to the 98 Security Incident
- Hackers compromised 25 systems and 50 user accounts
- Perform data service analysis on areas of the network
- Decision to safeguard critical HR and Financial data on PeopleSoft and Oracle
- Safeguard personnel data in the Human Resource database
- Safeguard purchasing and budget data in the Financial database
4 Options for securing the data
- Corporate-type lock down, including limiting access to and from the Internet and other research facilities
- Two physical networks: one SLAC-only, the other Internet accessible
- Moving the data (but not the people) into a highly secured zone, using encrypted access and extensive monitoring
5 Business Services Network
- Created a highly secure machine/data-only network
- Created a user/workstation network to access the secure network
- Secure all aspects of data access
  - Secured workstations
  - Encrypted application access via Citrix's Secure ICA
  - Encrypted host connections via Secure Shell (3DES/Blowfish)
  - Two-phase authentication process for secure domain login
6 PeopleSoft WTS-MetaFrame Farm
[Diagram: PeopleSoft and Oracle data servers sit behind the MetaFrame farm (MS Windows Terminal Server with Citrix MetaFrame, load balanced) on the Secure BSDnet; clients on BSDnet, SLAC and the Internet connect to PeopleSoft over Secure ICA (future 2-factor authentication)]
7 Secure Business System
8 WTS Citrix Farm
[Diagram: Test PeopleSoft and Prod PeopleSoft servers, the BIS Web Server and the File Server on the Secure BSDnet, separated by an air gap from the user workstations (User01 ... UserXX, UserYY, UserMC) on BSDnet, which is in turn air-gapped from the rest of SLAC; Gigabit Ethernet backbone]
10 Lessons of the implementation
- SLAC's business process application, PeopleSoft, is not native to the Windows Terminal Server/Citrix MetaFrame environment
- Increased session security is incompatible with cross-platform access
- 3rd-party applications (Crystal Reports) had to be reconfigured not only to run on WTS but also to run with a non-standard implementation of a multi-user PeopleSoft
- Securing the application servers running WTS
- Staff-intensive installation and troubleshooting
11 Securing WTS/MetaFrame
- Physical security is critical
- Grant "Log on Locally" to all users (every Terminal Server session is a local logon)
- Restrict anonymous connections
- Separate the root drive and systemroot from the apps
- Apply the Microsoft ZAK (Zero Administration Kit) for WTS
- Create a bin folder on the apps drive for system32 user apps
- Remove Everyone access from everywhere in the file system and registry
- Apply security-related Service Packs and hot fixes immediately
- Recommend an encrypted client
- Run the highest NT authentication hash compatible with your site
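An added audit check for three of the items above (restrict anonymous connections, remove Everyone access, run the highest authentication hash). It is not from the SLAC talk and is written for a modern PowerShell host rather than the NT 4 tooling of the time; it reads the LSA registry values RestrictAnonymous and LmCompatibilityLevel and lists every file-system ACE on the application drive granted to Everyone. The path in $AppRoots is a placeholder.

```powershell
# Added audit script, not from the SLAC talk. Assumes an elevated PowerShell
# session on the WTS host; $AppRoots is a placeholder for the separated apps drive.
$AppRoots = @('D:\Apps')

function Test-LsaHardening {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # RestrictAnonymous: 0 = null-session enumeration allowed, 1/2 = restricted.
    # A missing value reads as 0 here, which is the insecure default.
    $ra = [int]$lsa.RestrictAnonymous
    if ($ra -lt 1) { $findings += "RestrictAnonymous=$ra : anonymous connections not restricted" }

    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3 sends NTLMv2 only,
    # 4/5 additionally make the server refuse LM / LM+NTLM from clients.
    $lm = [int]$lsa.LmCompatibilityLevel
    if ($lm -lt 3) { $findings += "LmCompatibilityLevel=$lm : LM/NTLMv1 hashes still in use" }

    return $findings
}

function Find-EveryoneAce {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { Write-Warning "$root not found (placeholder path)"; continue }
        # Check the root folder itself, then everything beneath it
        $items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
            if ($null -eq $acl) { continue }
            foreach ($ace in $acl.Access) {
                # Everyone is the well-known SID S-1-1-0; match either the name or the SID
                if ($ace.IdentityReference.Value -in @('Everyone', 'S-1-1-0')) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

$lsaFindings = @(Test-LsaHardening)
if ($lsaFindings.Count -eq 0) { 'LSA settings: OK' } else { $lsaFindings | ForEach-Object { Write-Warning $_ } }
Find-EveryoneAce -Roots $AppRoots | Format-Table -AutoSize
```

Inherited Everyone ACEs point at the parent folder where the grant was made, so fix the ACL there rather than on each file.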
12 Securing Business Services
- Standardized workstations
- Additional filtering router on the business subnet
- Secure application publishing via MetaFrame
- Two-phase authentication
- Encrypted host and app remote access
- Active monitoring
- Air gap as a fail-safe measure in the event of intrusion
13 General Use App Farm
- Goal: to provide non-Windows clients access to Windows applications and encourage single-platform clients
- Based on Dell dual PII-400, 1/2 GB RAM, RAID 0 servers
- Master-to-clone maintenance plan
- Provide most every app needed/requested by users
14 General Use App Farm
- Strong support for Linux and Solaris clients
- Beware of potential bad apps on WTS
  - NetMeeting (www.shenton.org/chris/nasa-hq/netmeeting)
  - DOS applications
- Using Basic encryption for general sessions; considering 128-bit SecureICA for all access to both farms
15 Future of Thin Client
- Windows 2000 servers natively support thin client
- Watch for more features in MS RDP clients
- Windows 2000 Applications Deployment Services
- Rental applications
- Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
- Microsoft's 2000 logo program requires WTS compliance
- Return to the mainframe-like methodology with Win2K and thin client solutions
16 WTS/Citrix Paper
- NT Security in an Open Academic Environment, SLAC-PUB-8172
- Find the document at http://www.slac.stanford.edu/pubs/fastfind.html
- http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html
17 HEPNT 99
Questions?
www.slac.stanford.edu/comp/winnt
gdaly_at_slac.stanford.edu