WIN.MIT.EDU: MIT Enterprise Windows Services - PowerPoint PPT Presentation

1
WIN.MIT.EDU: MIT Enterprise Windows Services
  • IS&T Network & Infrastructure Services Team

2
WIN.MIT.EDU: MIT's Central Windows Domain
  • Audience
  • Description
  • Case Studies
  • Architecture
  • Features/Benefits
  • Sub-services
  • Security
  • Support

Presented at ITPartners by Richard Edelson
3
Audience
  • Academic Departments
    • Classrooms, Clusters, Labs, Staff, Servers
    • Application, File and Print Services, Database,
      Web
  • Research Departments
    • Labs, Staff, Servers
    • Application, File and Print Services, Database,
      Web
  • Administrative Departments
    • Staff, Servers
    • Application, File and Print Services, Database,
      Web

4
Description
  • win.mit.edu provides a centrally managed Windows
    environment for the MIT campus. It is integrated
    with MIT's Kerberos realm, Moira database and
    MIT's standard DNS namespace. Users log on with
    single sign-on to many MIT resources.
  • Departments can seamlessly share resources across
    the Institute with other faculty, staff and
    students. Departments are given control of their
    environments to customize in many ways while
    leveraging the added value IS&T has built into
    the platform. Departments no longer need to
    provision and manage user accounts, handle patch
    management or manage operating system licensing.
  • Over the past year the domain has been used by
    over 60 departments and 10,000 users. These
    include faculty, staff, and students in academic,
    administrative and research departments.

5
Case Studies: Academic Departments
  • Department of Urban Studies and Planning
    • Cluster/Classroom environments
    • Desktop environment for faculty and staff
    • File servers
  • Chemical Engineering
    • Specialized cluster/lab environment with
      customized applications
  • TEAL Classrooms
    • Classroom/Cluster environment
  • IS&T Academic Computing
    • Classroom/Cluster environment
    • High performance computing environment featuring
      AutoCAD, ArcView GIS, Mathematica, MATLAB, Adobe
      applications and more

6
Case Studies: Research Departments
  • Bionet: Biology, Bio Engineering and more
    • 54 labs in 18 DLCs using shared high performance
      storage on NetApp file appliances joined the
      win.mit.edu Active Directory.
    • High performance storage required for generation
      of genome research computational data.
    • Desktop and lab PC/instrument environments
    • Windows File and Print Servers
    • Some workstation environments are behind a
      firewall on a private subnet
    • Users make use of DFS home directories for
      personal space
  • CMSE-SEF Electron Microscope Lab
    • Desktop and lab PC/instrument environments
    • Windows File and Print Servers
    • Secure web site using IIS for external data
      sharing

7
Case Studies: Administrative Departments
  • Controller's Accounting Office
    • Desktop, Windows File and Print Server
      environments, secure SAP check printing
  • Human Resources
    • Desktop, Windows File and Print Server
      environments, kiosk workstations
  • Office of Sponsored Programs
    • Desktop, Windows File and Print Server
      environments
  • Campus Police
    • Desktop, Windows File and Print Server
      environments, IPSec
  • Card Office
    • Desktop, Windows File and Print Server
      environments, access management via Citrix
  • Parking Office
    • Desktop, Windows File and Print Server
      environments
    • Application servers for parking gate management
  • Resource Development
    • Desktop, File and Print Server environments
    • Specialized database application environment via
      Citrix
  • Student Financial Services
    • Desktop, Windows File and Print Server
      environments
    • Financial Aid database server with IPSec

8
Architecture: Active Directory
  • Cross-Realm Trust
    • Trust of the MIT Kerberos realm by WIN.MIT.EDU
      allows single sign-on to multiple resources.
    • Delegated User Management: with MIT Kerberos
      accounts, departments control resources by
      managing group membership and ACLs
  • Single Domain/Forest Model
    • Model in use by large schools, corporations and
      ISPs
  • Delegation of Containers (OUs): Islands of
    Control
    • Departmental container administrators have many
      tools to build their workstation and server
      environments. Each department builds and
      customizes its own environment.
    • Container administrators control machines and
      access to their resources instead of the users
      directly
  • Group Policy
    • Software distribution, security, registry, and
      other feature settings can be assigned on a
      container basis. ACLs via Moira groups. Custom
      group policy settings written by IS&T
  • Standard MIT DNS Services
    • win.mit.edu uses MIT's UNIX-based DNS services
      instead of Microsoft's
  • LDAP Directory populated by data from

9
WIN.MIT.EDU Architecture
[Architecture diagram; components shown: Moira, Populator, MIT Kerberos KDCs, WIN.MIT.EDU DCs, Data Warehouse, MITnet DNS, DFS Storage. Labelled flows: Query, Data Feed.]
10
Architecture: Moira Data Feed (Incremental)
  • The Moira incremental update is used to keep the
    WIN.MIT.EDU domain synchronized to the Moira
    database. The Moira incremental will create and
    maintain the following in Active Directory:
    • User accounts (MIT Kerberos IDs/principals)
      and profile options
    • Account status changes such as
      activation/deactivation
    • Lists and groups with their memberships
    • Container hierarchy
  • The Moira incremental is a UNIX executable image
    that resides on the Moira server and runs
    continuously. This application uses Kerberos V5
    authentication to establish an LDAP connection
    with the Windows domain to perform the updates.
    It has been completely integrated into Moira
    operations.
  • When relevant changes to users, groups and
    containers are made in Moira, the incremental is
    triggered and the change is propagated to Active
    Directory.
  • The Moira incremental distinguishes between
    lists and groups when propagating them to Active
    Directory:
    • Lists: Distribution groups
    • Groups: Security groups
  • Do not write directly to AD to create domain
    groups or security descriptors
    • The data may be overwritten
    • Make these changes in Moira
    • Local groups can be managed directly via Windows

11
Architecture: User Experience
  • Single Sign-on
  • User accounts via the Moira incremental
    • A corresponding user is created in Active
      Directory and automatically mapped to the MIT
      Kerberos principal
    • Profile and home directory options are written to
      the user's account data along with office
      location, phone and email
    • A random 127-character password is generated and
      stored in the user properties in Active Directory
      so the password does not need to be propagated.
      Cross-realm authentication will verify the user's
      password directly from the MIT Kerberos KDCs.
    • A Windows service exists to refresh the random
      passwords every 30 days
    • Web form to set the user's Windows password to a
      known value for use with special applications
      where required
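The random-password scheme on this slide, as an added PowerShell example (not MIT's service code): draw a 127-character password from the OS CSPRNG, reset it on the AD account, and re-run for enabled accounts whose password is older than 30 days. It assumes the RSAT ActiveDirectory module, password-reset rights on the container, and a placeholder search base OU=Users,DC=win,DC=mit,DC=edu that is not taken from the page.

```powershell
# Added example, not MIT's own refresh service. Assumes the RSAT ActiveDirectory
# module and an account with password-reset rights on the target container.
# The search base is a placeholder; the real WIN.MIT.EDU OU layout is not on the slide.
Import-Module ActiveDirectory

# 64-character alphabet: 256 is a multiple of 64, so the low 6 bits of a random
# byte pick a character uniformly (no modulo bias).
$script:Alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

function New-RandomPassword {
    param([int]$Length = 127)   # 127 characters, as on the slide
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $chars = foreach ($b in $bytes) { $script:Alphabet[$b -band 0x3F] }
    return -join $chars
}

function Reset-RandomDomainPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The plaintext is neither stored nor logged: users authenticate against the
    # MIT Kerberos KDCs through the cross-realm trust, never with this value.
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset
}

function Invoke-PasswordRefresh {
    param(
        [string]$SearchBase = 'OU=Users,DC=win,DC=mit,DC=edu',  # placeholder OU
        [int]$MaxAgeDays = 30                                    # interval from the slide
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # PasswordLastSet is maintained by AD itself, so it serves as the refresh clock.
    $stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties PasswordLastSet |
             Where-Object { $_.PasswordLastSet -lt $cutoff }
    foreach ($u in $stale) {
        Reset-RandomDomainPassword -SamAccountName $u.SamAccountName
        Write-Verbose "Refreshed random password for $($u.SamAccountName)"
    }
    return @($stale).Count   # number of accounts refreshed in this run
}

# Run the way a daily scheduled task or the refresh service would:
# Invoke-PasswordRefresh -Verbose
```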

12
DFS User Profiles/Home Directory
  • Default is a roaming profile in DFS
    • Configurable via web form
    • .winprofile is created in the user's DFS home
      directory
    • Copied to local drive at logon
    • NTFS user quotas
  • H: is mapped to the user's DFS home directory
    • 2 GB user quota by default
    • Previous Versions support
    • Accessed over the network as needed
    • Used for folder redirection of the Windows home
      directory
  • WinData directory is created in DFS for user data
    • My Documents
    • Application Data
    • Favorites
  • Quickstation utility for public machines

13
DFS Previous Versions
  • Uses VSS (Windows Server 2003 Shadow Copy
    services) for user home directories
  • Point-in-time copies of files. View, copy or
    restore files and folders as they existed at
    points of time in the past.
  • Recover files that were accidentally deleted or
    overwritten.
  • Compare versions of a file while working.
  • Self-service file restore capability for the end
    user.
  • Snapshots are made every day at 4 AM. Versions of
    up to 64 days back are available.
  • Shadow copies are read-only. You cannot edit the
    contents of a shadow copy.

14
Sub-services
  • Citrix
    • Hosted business applications
    • http://citrix.mit.edu/citrix/about.html
    • Citrix Staging
  • MIT WAUS
    • MIT Windows Automatic Update Services
    • Site for MIT-approved Windows Updates, load
      balanced via BIG-IP
    • http://web.mit.edu/ist/topics/windows/updates/
  • Contract administrative services via IS&T's DITR
    Team
    • WIN.MIT.EDU Group Policy and Container Management
    • Desktop Management and Support
    • Server Management and Support
    • Server Colocation Services in W91

15
Features/Benefits
  • Container Management
  • Delegation of Account Management
  • Container Wide Job Scheduling
  • Web forms
  • Group Policy
  • Storage
  • Printing
  • Laptops
  • Network Boot Installation Services

16
Container Management
  • Containers (OUs): Islands of Control
  • Departments can administer their workstations and
    servers independently almost as if they were
    running a separate domain
  • Seamless ability to share resources with other
    departments
  • Departments control machines and access to their
    resources instead of the users directly
  • Domain Administrators can be removed from
    Administrators Group on all workstations and
    servers
  • Container Administrators have the ability to
    override default domain group policy settings
  • Containers have ACLs in Moira defining who may
    administer them and auto creation of groups to
    set ACLs on machine accounts within their
    containers

17
Delegation of Account Management: Benefits
  • With MIT Kerberos accounts, departments control
    resources by managing group membership and ACLs
    • All students and staff have Kerberos IDs
  • Delegation of password management
    • Saves time and money
  • Web forms for some user tasks
    • Easy to use, self service
  • Departments only need to manage their groups
    • Saves time and money
    • Seamless ability to share resources with other
      departments

18
Container Wide Job Scheduling - SelfMaint
  • Container based scheduling service called
    SelfMaint is provided in addition to the Windows
    Task Scheduler service.
  • Runs under the SYSTEM account
  • Can reboot, defrag disks or run custom scripts
  • Scripts reside on the network and will continue
    to run if the OS is reinstalled or a new computer
    is added to the container
  • A script can either wait until no user is logged
    in to run or run unconditionally.
  • Web request form
  • Microsoft Hotfixes not supported by WSUS can be
    installed.
  • Certain scripts run domain wide

19
Web Forms for Users
  • https://wince.mit.edu - uses MIT Certificates
    • User and Container Administrator tasks
  • User web forms
    • Change Your Active Directory Password
      • https://wince.mit.edu/changepasswd/index.jsp
      • For users, under certain circumstances it might
        be necessary to set your native WIN domain
        password.
    • Change Profile and Home Directory Options
      • https://wince.mit.edu/changeprofile/index.jsp
      • A user can change their default DFS roaming
        profile and home directory locations to a local
        profile and home directory or to a path on a
        departmental server

20
Web Forms - Container Administrator Forms
  • Opt into/out of various domain-wide deployments
    • https://wince.mit.edu/optoutrollout/index.jsp
    • A container administrator can opt out of certain
      deployments until ready, or opt into test
      deployments early before they are released
      domain-wide. Containers and/or individual
      machines can opt in or opt out.
  • Submit a Container Maintenance Job
    • https://wince.mit.edu/containermaint/index.jsp
    • Schedule a container reboot, defrag, or custom
      script. SelfMaint scripts can wait until a user
      is logged out in order not to disturb normal
      machine use.
  • Delete a Machine from Active Directory
    • https://wince.mit.edu/deletemachine/index.jsp
    • A convenient tool if other tools are not
      available. To reinstall a computer, its machine
      account must first be deleted from Active
      Directory, but NOT from Moira.
  • RIS or Join Computer Page
    • https://wince.mit.edu/getrisaccount/index.jsp
    • As a container administrator or a container
      membership administrator, you may use this
      service to obtain a short-term account and
      password to be used while adding machines to
      WIN.MIT.EDU (the Moira host information should
      already exist)

21
Group Policy
  • Admins listed in a container's ACLs control its group policy
  • Container admins only use computer settings
  • Software deployment - MSI
  • Assign startup/shutdown scripts
  • Assign security settings
  • Customizable Auditing
  • Configure registry-based software settings

22
Storage
  • Decentralized Storage Model
    • NTFS: Departments are encouraged to use local
      departmental servers for their shared data
      storage needs
    • DFS home directory: Holds user profiles and home
      directory data by default; can be changed to be
      local via a web form
    • DFS common space: Generally used for data used
      domain-wide such as scripts and software
      packages
  • Supports multiple writable replicas
  • Supports virtual links to departmental file
    servers
  • Writable replicas not recommended for highly
    volatile data

23
Printing
  • Flexible Printing Model
    • Windows Server print queue
    • Direct printing: TCP/IP or DLC
    • Queue published in Active Directory
    • KLPR (configured as local machine ports)
    • Samba
  • WIN.MIT.EDU group policy extensions
    • Install these Network Printers
    • Install these KLPR Printers
  • Microsoft Server 2003 R2 Print Extensions

24
Laptops
  • Supported in a number of scenarios
    • Directly connected to MITnet: normal operation
    • Wireless on MITnet: normal operation
    • Remote Broadband: VPN / enhanced settings
      • Laptop with additional opt-in settings
    • Remote Dialup: similar to Remote Broadband
    • Disconnected: cached logon. Will prompt user for
      Kerberos password if later connected
    • Workgroup (non-domain machine): users can map
      to domain file servers using the native Windows
      password from the web form

25
Network Boot Installation Services
  • PXE included in most new hardware
  • MITnet DHCP will route PXE requests to
    WIN.MIT.EDU RIS
  • For more information see
    http://web.mit.edu/ist/topics/windows/server/winmitedu/RIS.html

26
Security
  • Defense in Depth Measures
    • Layered approach to system security
    • IPSec and Windows Firewall
  • Domain
    • Kerberos V5 authentication
    • No anonymous enumeration of Active Directory,
      including via LDAP
  • User
    • Password resides on the Kerberos KDC while a
      127-character random password is written to
      Active Directory
    • Service refreshes random passwords every 30 days
  • Client Machine
    • Patch management via WSUS
    • No anonymous access to local SAM by default
    • Local administrator denied access over the
      network by default
    • Logons audited by client system and domain
      controller
    • Central syslog server

27
IPSec
  • Selectively block IP traffic
    • Native to Windows 2000 and later operating
      systems
    • Block all incoming and outgoing traffic except
      allowed subnets or ports
    • Block all incoming and/or outgoing traffic except
      allowed ports (all IPs)
    • Allow a port outgoing only or incoming only
    • Can effectively firewall particular servers or
      applications
    • Conforms to RFC standards, not proprietary
    • Already in use in WIN.MIT.EDU by a few
      departments
    • Configurable locally or via group policy
    • Configurable per network interface
  • Encrypt data communication between servers and
    workstations
    • To protect sensitive data and resources
    • Supports Kerberos V5 authentication
    • 3DES by default, configurable key regeneration
      intervals

28
Windows Firewall
  • Available on Windows XP SP2 and Server 2003 SP1
  • Exceptions configured on a per-port basis; only
    IPSec can manage all traffic on a per-subnet
    basis.
  • Blocks incoming traffic only
    • Outgoing traffic blocking available in Windows
      Vista
  • Supports IP ACLs for individual ports or
    executables
  • Configurable locally or via group policy
  • Configurable per network interface

29
Layered Security Overview
[Layered-security diagram; column labels: Authentication, Service. Layers shown: SMB ports blocked by MIT border routers; IPSec; Windows Firewall; blocking of anonymous NetBIOS queries; patching of system services; local administrator denied access over the network; network-based application security; domain account 127-character random password; Kerberos V5 authentication.]
30
Support
  • Departmental Admin: escalation from users
    • The Container Administrator is responsible for
      their users and computers, but can draw on NIST
      resources for technical advice if the issue is
      domain based; peer support is also encouraged
  • DITR: SLA-based escalation from Dept Admin, User
    • Some departments may contract DITR to assist or
      even take the place of container administrators
      depending on the department's needs
  • ACIS: not SLA based, but some support for admins
    • Usually highly involved in academic cluster, lab
      and group implementations with emphasis on
      application deployment in the academic space.
      Training of local administrators but no official
      ongoing support contract
  • NIST: escalations from DITR, Container Admins,
    ACIS
    • Supports the domain infrastructure, container
      administrators, DITR, ACST
  • PSS: Microsoft Support at the discretion of NIST