OUHSC Information Security Update

1
OUHSC Information Security Update

• IT, Information Security Services
• Randy Moore
• Nathan Gibson
• Greg Bostic

2
Security Project Update

• Active Directory Cleanup Project
• Cleaning the house -- getting rid of old
  computer accounts
• Active Directory GPO project
• Establishing a security baseline
• E-Policy Orchestrator Project
• Mirroring ePO with AD
• Centrally Managing
• Using the tools we have available

3

• Active Directory Cleanup

4
Purpose

• GPOs cannot be applied on the computers container
• ePO Sync would be inaccurate
• Hard to manage with erroneous accounts present

5
Current Status

• 1200 inactive computer accounts disabled and
  moved into the disabled.comps OU
• Computer Accounts have been moved from the
  Computers container into the UnAssigned.Comps OU
• GPO w/ login script applied to UnAssigned.Comps
  OU

6
New Procedures

• All new computers should have account created
  prior to joining domain.
• Computer Account Lifecycle procedure
• 30 days UnAssigned.Comp Active
• 30 days disabled.comps Inactive
• On the 60th day Computer Account deleted
• New Computer Checklist

7
Cleaning Your OU

• Weed out old Computer Accounts
• Use Active Directory Users and Computers
• Go to View in the MMC
• Check Advanced Features
• Go to View and choose Add/Remove Columns
• In the left hand Available columns table choose
  Modified and click Add -gt
• Hit OK

8

• McAfee E-Policy Orchestrator Project(ePO)

9
ePO

• McAfee E Policy Orchestrator
• Provides a way to centrally manage Anti Virus
  protection on all managed devices
• Syncs with Active Directory
• Automatically installs/uninstalls AV
• Automatic DAT updates
• Customizable policies
• Notification Capabilities
• Report Generation

10
Training

• Greg Bostic
• 2nd Annual Cyber Security Day
• October 24, 2007
• 1000 am

11
Cyber Security Day

• Tier 1 Training
• Business Manager Briefings
• End User Briefings

12
Security Baseline

• Active Directory GPO Project

13
GPO Review

• Group Policy Objects
• Allows you to configure baseline settings to
  ensure all resources have the same settings
• Ease the administrative overhead in applying and
  modifying end user device and servers.
• One-Stop-Shop for demonstrating policy
  compliance

14
AD GPO Project

• Round 2 Settings
• Setting 1-
• HSC-IT-Automatic Updates (Workstation Only)
• Enable Windows Updates Power management to
  automatically wake up the system Enabled
• 4- Auto Download and Schedule the Install
• Schedule Install Day 0-Everyday
• Scheduled Install Time 0300
• Setting 2-
• HSC-IT-No Display Last User Login
• Interactive logon do not display last user name
  Enabled

15
No Last User Name Impact
16
Screen Saver Impact
17
House Cleaning Help

• Standardize GPO naming scheme
• Dept-XXXX
• Delete Old GPOs
• Combine GPOs If possible
• Remove GPOs with settings applied at higher lever

18
FUTURE GPO Settings

• Event Logging
• Account Management Success
• Account Logon/Logoff Success/Failure
• Policy Change Success
• System Events Success/Failure
• Screen Saver
• Hide Screen Saver Tab Enabled
• Screen Saver Enabled
• Password protect the Screen Saver Enabled
• Screen Saver Timeout 600(900?)

19
Lets Talk
Questions Concerns ??? http//it.ouhsc.edu/servi
ces/infosecurity/Projects.asp