WIN'MIT'EDU Container Administrator Training - PowerPoint PPT Presentation

1 / 47
About This Presentation
Title:

WIN'MIT'EDU Container Administrator Training

Description:

Departmental container administrators have many tools to build their workstation ... Container administrators control machines and access to their resources instead ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 48
Provided by: R165
Category:

less

Transcript and Presenter's Notes

Title: WIN'MIT'EDU Container Administrator Training


1
WIN.MIT.EDU Container Administrator Training
  • Architecture Overview
  • Container maintenance
  • Lab
  • User features
  • Lab
  • Disconnected operation
  • RIS Remote Installation Services
  • Security and using Server 2003
  • Lab
  • Windows Vista
  • Lab

2
Architecture Active Directory
  • Cross-Realm Trust
  • Trust of MIT Kerberos Realm by WIN.MIT.EDU allows
    single sign-on to multiple resources.
  • Delegated User Management - MIT Kerberos accounts
    departments control resources by managing group
    membership, machines and ACL's
  • Single Domain/Forest Model
  • Model in use by many large schools, corporations
    and ISPs
  • Delegation of Containers (OUs) Islands of
    Control
  • Departmental container administrators have many
    tools to build their workstation and server
    environments. Each department builds and
    customizes their own environment.
  • Container administrators control machines and
    access to their resources instead of the users
    directly
  • Group policy
  • Software distribution, Security, Registry, and
    other feature settings can be assigned on a
    container basis. ACLs via Moira groups. Custom
    group policy settings written by IST
  • Standard MIT DNS Services
  • win.mit.edu uses MITs UNIX based DNS services
    instead of Microsofts
  • LDAP Directory populated by data from

3
WIN.MIT.EDU Architecture
Moira
Populator
MIT Kerberos KDCs
WIN.MIT.EDU DCs
Data Warehouse
MITnet DNS
DFS Storage
Query
Data Feed
4
Architecture Moira Data Feed Incremental
  • The Moira incremental update is used to keep the
    WIN.MIT.EDU domain synchronized to the Moira
    database. The Moira incremental will create and
    maintain the following in Active Directory
  • User accounts (MIT Kerberos IDs principals),
    and profile options
  • Account status changes such as activation/deactiva
    tion
  • Lists and Groups with their memberships
  • Container Hierarchy
  • The Moira incremental is a UNIX executable image
    and resides on the Moira server and runs
    continuously. This application uses Kerberos V5
    authentication to establish an LDAP connection
    with the Windows domain to perform the updates.
    It has been completely integrated into Moira
    operations.
  • When relevant changes to users groups and
    containers are made in Moira the incremental is
    triggered and the change is propagated to Active
    Directory.
  • The Moira incremental will distinguish between
    list and groups when propagating them in Active
    Directory
  • Lists Distribution groups
  • Groups Security groups
  • We do not write directly to AD to create Domain
    groups
  • The data may be over-written
  • Make these changes in Moira
  • Local groups can be managed directly via Windows

5
Container maintenance Web forms for container
administrators
  • Opt into/out of various domain-wide deployments
  • https//wince.mit.edu/optoutrollout/index.jsp
  • A container administrator can opt out of certain
    deployments until you are ready or to opt into
    test deployments early before they are released
    domain-wide. Containers and/or individual
    machines can opt-in or opt-out.
  • Submit a Container Maintenance Job SelfMaint
  • https//wince.mit.edu/containermaint/index.jsp
  • Schedule a container reboot, defrag, or custom
    script. Selfmaint scripts can wait until a user
    is logged out in order to not disturb normal
    machine use.
  • Delete a Machine from Active Directory
  • https//wince.mit.edu/deletemachine/index.jsp
  • A convenient tool if other tools are not
    available. To reinstall a computer, its machine
    account must first be deleted from Active
    Directory, but NOT from Moira.
  • RIS or Join Computer Page
  • https//wince.mit.edu/getrisaccount/index.jsp
  • a container administrator or a container
    membership administrator, you may use this
    service to obtain a short-term account and
    password to be used while adding machines to
    WIN.MIT.EDU (the Moira host information should
    already exist)

6
Container maintenance Joining a machine
  • One-time considerations for new hosts and users
  • Is there a Moira record for the machine which has
    propagated to the MITnet DNS?
  • Has the machine been assigned to a container?
    (Stella)
  • Is your Kerberos password up-to-date?
  • General instructions
  • If reinstalling or rejoining, use the web form
    located on the Domain Machine Management page to
    delete the old machine account
  • Remove existing (non-WIN) MIT Kerberos software
    and reboot
  • Verify correct IP and DNS settings, join machine
    to domain and reboot.
  • If no packages are downloaded, reboot a second
    time due to the XP fast boot default.
  • Using the "tempjoin" Account
  • Regular user accounts in WIN do not have rights
    to create new machine accounts, a requirement
    when joining a machine or using RIS.
  • The web form requires MIT certificates. It
    creates a Windows account with your username,
    followed by ".tempjoin." A temporary password,
    which is valid for 48 hours, is displayed on the
    screen. This is the appropriate username and
    password to use while joining the machine to the
    domain or authenticating to the RIS server.

7
Container maintenance Moira Tools Stella
machine management
  • One-time Assignment of the Machine to a Container
  • In order for a machine to get group policies and
    MSI packages it requires to function properly in
    the domain, it must be assigned, in Moira, to a
    container that is within the "Machines" container
    in AD. If there is no assignment, the machine
    will appear in the "Orphans/Machines" container,
    and not get the group policy objects it needs.
  • You can use the stella command to assign the
    container, stella hostname -lcn lists the
    container if one has been assigned, the -dcn
    option removes an existing machine-to-container
    assignment, and -acn adds one. Perhaps this query
    is a good candidate for a future web application.
  • If a machine needs to be reinstalled or replaced,
    the Moira container mapping does not have to be
    deleted. Only the AD machine account needs to be
    deleted via the web form.
  • To check if a host already has been assigned to a
    container use the -lcn option
  • stella my-machine -lcn
  • Machine my-machine Container
    Machines/my-container
  • If the machine has not been assigned to a
    container, you will not get any output from the
    command.
  • To assign the machine to a container use the -acn
    option
  • stella my-machine -acn Machines/my-container
  • If the machine already has been assigned to a
    container, but you wish to move it to another
    one, you must first delete the old container
    assignment using the -dcn option, then assign it
    to the new container with -acn
  • stella my-machine -dcn Machines/my-container
  • stella my-machine -acn Machines/my-other-container

8
Container maintenance Moira Tools Mitch
container management
  • You can use mitch to get container info
  • Basic info mitch machines/my-container
  • List sub-containers mitch machines/my-container
    ls
  • List machines in the container mitch
    machines/my-container lm
  • Use the recursive switch r to get subcontainer
    info
  • You can use mitch to set container properties
  • Memacl who can add a machine to the container
    MA
  • Set the description mitch Machines/my-container
    -d My Container
  • Modify the contact mitch Machines/my-container
    -c my-list
  • You can also use mitch to map and un-map machines
    from your container
  • Add a machine mitch Machines/my-container -am
    my-machine
  • Remove a machine mitch Machines/my-container
    -am my-machine
  • Do not use the rename function
  • This function does not work properly if there are
    subcontainers involved
  • GPO object names do not get changed along with
    the container
  • If you need to do a rename, send mail to the
    network team with your request

9
Container maintenance Moira Tools Blanche
group management
  • You can use blanche to add and remove members
    from groups
  • Blanche groupname a (add)
  • Blanche groupname d (remove) user
  • Add / remove users based on a file
  • Blanche groupname al (add) filename
  • Blanche groupname dl (remove) filename
  • Modify the description, owner and memacl
    information
  • -d My Description, -o owner, -MA memacl
  • Always make sure the G group option is used for
    Security groups in Active Directory, (referred to
    as AFS group on the list creation request form).
  • Use the Use the recursive switch r to expand
    nested group memberships
  • You can use qgrep on your win.mit.edu machine to
    search a list for a member
  • Blanche my-very-big-list r qgrep myusername
  • A webform is also a available for group creation
    and management (requires MIT certificates)

10
Container maintenance Lab
  • Lab 1 Using Moira tools and joining a machine

11
Container maintenance Group Policy Objects
  • GPOs are created and stored in SYSVOL
  • DFS share replicated to each domain controller
  • SYSVOL is a file system, a new directory is
    created for each GPO, not for each container
  • A GPO may be linked to multiple containers
  • AD ACLs may be used to control who can read a
    GPO or which users or machines it can be applied
    to
  • GPO inheritance favors the lower level GPO unless
    the override bit is set (called enforce in gpmc)
  • GPOs are created when a container is requested.
  • The default configuration is one parent container
    with server and workstation subcontainers
  • Individual GPOs are created for each of these
    containers
  • Additional subcontainers and GPOs may be
    requested
  • Additional GPO links may be requested

12
Container maintenance Group Policy Management
Tools
  • Group Policy Management Console gpmc.msc
  • Preferred GP Management tool. An add-on MSI for
    XP, installed by default on Vista
  • View GPO settings and permissions
  • Can launch gpeditor
  • Resultant Set of Policy rsop.msc
  • Diagnostic tool to view how GP inheritance is
    working
  • AD Users and Computers dsa.msc
  • Views and info of containers and machines
  • Group Policy Editor gpedit.msc
  • Launched by gpmc or dsa, edit settings
  • Gpupdate - Command line utility
  • Refresh group policy
  • GPFind win.mit.edu command line script
  • Search by GPO name and launch the gpeditor

13
Container maintenance Group Policy .adm and
.admx files
  • The SYSVOL share contains ASCII files with the
    .adm extension that define administrative
    template group policy settings.
  • Within win.mit.edu, updated template versions are
    propagated across SYSVOL to insure consistency
    across containers.
  • New versions are released by Microsoft with every
    new service pack
  • IST has written custom .adm templates to augment
    group policy options
  • Windows Vista and above employs an XML file
    format using the .admx extension. Existing .adm
    settings still apply to Vista machines where
    applied
  • Settings particular to the .admx file format need
    to be managed from a machine running Windows
    Vista or above
  • Some new .admx settings have the ability to apply
    only to Vista and not XP if the administrator
    chooses. They employ .ini files on the GPOs
    directory in SYSVOL to track desired behavior
  • New SYSVOL storage options are available to
    optimize storage utilization. All .admx files can
    be stored centrally instead of being replicated
    in each GPO directory

14
Container maintenance Group Policy Settings -
Software
  • The Software section is where MSI based
    applications are assigned to a container.
  • The assigned MSI should be referenced via a UNC
    path
  • Transforms and ACLs may be assigned to an MSI
    via the Modifications tab on the MSI properties
  • Software policy processing occurs only at boot
    time
  • Packages may be assigned to upgrade existing
    packages
  • Do not use your GPO to upgrade a package
    currently opted in using the web form since the
    Software Distribution GPO uses the no override
    option. If you need to do this, remove the opt-in
    via the webform.
  • Packages assigned domain wide
  • ActivePerl
  • MIT Hesiod client
  • Print queue resolution
  • MIT Kerberos for Windows 2.6.5
  • MIT LogonBefore Provider
  • Was for disconnected operations being phased
    out

15
Container maintenance Group Policy Settings
Security
  • Recommended uses of the security section
  • Startup scripts
  • User Rights Assignments
  • This will be covered in more detail in the server
    2003 section
  • Restricted groups
  • You may use addmin as a non-exclusive alternative
    to this setting
  • System Services
  • IPSec (this must be sent to the network team as a
    request)

16
Container maintenance Group Policy
Administrative Template Settings
  • Windows Components section highlights
  • NetMeeting
  • RSS Feeds
  • Task Scheduler
  • Windows Messenger
  • Windows Media Digital Rights Management
  • Windows Movie Maker
  • Windows Update - patching
  • Windows Media Player
  • System Section highlights
  • User Profiles
  • Scripts
  • Logon
  • Disk Quotas
  • Group Policy
  • Network Section highlights
  • DNS Client
  • Offline Files
  • Network Connections

17
Container maintenance Group Policy
win.mit.edu Printer settings
  • Microsoft did not have a machine based group
    policy option to assign printers prior to Server
    2003 R2/Windows Vista.
  • When Windows 2000 was released, IST developed
    custom printer extensions for win.mit.edu. When
    Windows XP is closer to being phased out, we plan
    to phase out these custom settings. The new
    Microsoft settings are available today for Vista
    users
  • Two types of printers may be assigned using the
    win.mit.edu extensions
  • KLPR Printers Queues that require Kerberos
    authentication
  • Use the MIT Hesiod client installed on the
    machine for queue resolution
  • Currently the KLP MSI is deployed by default
  • There is an opt-in for the newer LPNG MSI
  • There is a specific list of supported drivers
  • additional drivers can be added but in some cases
    are not compatible with the UNIX print queue
  • An opt-out of all Kerberized printer clients is
    available
  • Network Printers Standard Microsoft Network
    Printers assigned per machine
  • Uses standard UNC path name
  • Both options have the ability to assign a default
    printer to the machine
  • IST is phasing out Kerberized printing, the KLPR
    packages are no longer being maintained. The KLPR
    packages do not support Windows Vista.

18
Container maintenance Group Policy - Custom
registry keys
  • IST developed a utility called regpoledit to
    edit the binary .pol file allowing us to manually
    insert custom registry keys without having to
    extend the .adm templates.
  • Sets of custom registry keys are applied to
    win.mit.edu machines for the following
    applications
  • Cross-realm MIT Kerberos logon
  • Internet Explorer
  • Windows Explorer
  • Eventsyslogger
  • These keys can be viewed in the Administrative
    Template/Extra Registry Keys section of the RSoP
    utility
  • If container administrators require custom keys
    the network team can be contacted for assistance

19
Container maintenance ScriptsMirror-distrib
  • At first startup machines in win.mit.edu apply
    group policy and install assigned MSI
    applications which restart the computer afterward
    installation. Once this is done WSH and Perl
    scripts assigned via group policy begin running.
  • When a machine is booted up it looks locally for
    a script that synchronizes the local script and
    utility cache. If the script does not exist
    locally it will run off a network path. Startup
    and logon scripts also will run from a local copy
    as first preference but can run from the network
    copy as a fallback.
  • The script that initially creates, than later
    synchronizes the local script and utility cache
    with DFS is a Perl script called mirror-distrib.
  • The local cache is in ProgramFiles\MIT\mirror\di
    strib. After the initial first time bootstrapping
    when the cache is created, this script continues
    to run both at startup and daily as a Selfmaint
    job to propagate any updates to these scripts to
    client machines.
  • To troubleshoot the bootstrap process, first
    check that the machine is in its proper
    container. If it is, run gpupdate /force and
    reboot, then check if the default MSI
    installations went successfully. If the Perl MSI
    fails to install, mirror-distrib and other
    scripts cannot run.

20
Container maintenance Scripts Main Startup
Script Operations
  • Script operations are logged to the system
    Application log
  • Group policy tells the machine to check locally
    for the script, then run it from DFS if it is not
    found locally
  • Example myscript.pl the GPO is set to run
    cmd.exe with these parameters
  • /c if exist "programfiles\mit\mirror\distrib\mys
    cript.pl ("programfiles\mit\mirror\distrib\mysc
    ript.pl") else (\\win.mit.edu\dfs\ops\distrib\mysc
    ript.pl)
  • Startup Scripts
  • Mirror-distrib (.pl)
  • Checks for local script cache and creates it if
    necessary, otherwise syncs the contents with DFS
  • Adds the local cache directory to the system path
    if its not already there
  • Startup (.wsf)
  • Sets a machine environment variable with the
    domain name
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Checks if the machine is in the proper container
  • Win.mit.edu remote event-log settings are
    enforced
  • Win.mit.edu root password settings are enforced
  • Win.mit.edu printer settings are enabled
  • Fix system path script is run
  • Local Administrator is denied access to the
    machine over the network
  • Tempjoin accounts are denied interactive logon
  • If not already set earlier by the populator
    service, the service principal name is set in AD

21
Container maintenance Selfmaint
  • The Selfmaint package is an MIT developed MSI
    that is installed on all domain machines.
  • Selfmaint is a container based scheduling service
    that is is provided in addition to the Windows
    Task Scheduler service, and runs under the SYSTEM
    account. Its main features are
  • Schedule one job for an entire container and
    subcontainers or individual machines.
  • Can reboot, defrag disks, or run custom scripts
  • Scripts reside on the network and will continue
    to run if the OS is reinstalled or a new computer
    is added to the container
  • A script can either wait until no user is logged
    in to run or run unconditionally.
  • A web request form exists to have job setup for
    your container. You may choose common tasks or
    provide your custom scripts. The available
    scheduling options are built into the form. We
    recommend using Perl or VB if you are submitting
    a custom script.
  • Microsoft Hotfixes not supported by WSUS can be
    installed.
  • Certain scripts run domain wide, such as
    mirror-distrib.
  • Scripts reside on DFS, the Selfmaint service
    checks for new jobs and maintains a logfile with
    the most recent time a particular script ran in
    programfiles\MIT\Shared Files\selfmaint.log.
  • At bootup (or service start) the logfile is
    checked for any scripts that are overdue to run
    and Selfmaint runs them immediately

22
Container maintenance Eventsyslogger and OS
Groups
  • The Eventsyslogger package is an MIT developed
    MSI that is installed on all domain machines.
  • Eventsyslogger is a Windows syslog client that
    runs as a service under the SYSTEM account.
  • Event logs are sent to a central syslog server,
    three default filters are setup by the installer
    and their settings are enforced by group policy.
  • Additional filters may be added and logs from
    those filters can be sent to the syslog server of
    your choice.
  • The application can be administered via a control
    panel
  • Description of the OS Groups Service A service
    named "OS Groups" runs as part of the Populator
    services. It automatically populates the
    following groups in Active Directory
  • Win2KPro.group Machines running Windows 2000
    Professional
  • Win2KSrv.group Machines running Windows 2000
    Server
  • Win2K.group Machines running Windows 2000
    Professional or Server
  • WinXPPro.group Machines running Windows XP
    Professional
  • WinSrv2003.group Machines running Windows
    Server 2003 (note, this OS is supported yet under
    test in the domain)
  • WinVista.group Machines running Windows Vista
  • WinOther.group Machines running another OS or
    an unknown OS
  • Note These are not Moira groups. They exist only
    in the Active Directory
  • When a new machine enters the domain or an
    existing machine upgrades its OS, it is
    automatically added to the proper group. These
    groups can therefore be placed on access control
    lists in Active Directory. This is especially
    useful for GPO application and MSI software
    installation, and it eliminates the need for
    separate containers for XP Professional, 2000
    Professional, and 2000 Server machines

23
Container maintenance Lab
  • Lab 2 Using Group Policy Management tools

24
User featuresLogon
  • Single Sign-on
  • User Accounts via the Moira incremental
  • A corresponding user is created in Active
    Directory and automatically mapped to the MIT
    Kerberos principal
  • Profile and Home directory options are written to
    the users account data along with Office
    location, phone and email
  • A random 127 character password is generated and
    stored in the user properties in Active Directory
    so the password does not need to be propagated.
    Cross-Realm authentication will verify the users
    password directly from the MIT Kerberos KDCs.
  • Windows Service exists to refresh random
    passwords every 30 days
  • Webform to set the users Windows password to a
    known value for use with special applications
    where required

25
User featuresWeb forms for users
  • Change Your Active Directory Password.
  • https//wince.mit.edu/changepasswd/index.jsp
  • For users under certain circumstances, it might
    be necessary to set your native WIN domain
    password.
  • Change Profile and Home directory options.
  • https//wince.mit.edu/changeprofile/index.jsp
  • A user can change their default DFS roaming
    profile and home directory locations to a local
    profile and home directory or to a path on a
    departmental server

26
User featuresProfiles and Home directories
  • Default is roaming profile in DFS
  • Configurable via web form
  • .winprofile is created in the users DFS homedir
  • Copied to local drive at logon
  • NTFS user quotas
  • H is mapped to the users DFS home directory
  • Currently 2 GB User quota by default
  • Previous Versions support. This is a self service
    feature where users can retrieve old versions of
    files and folders up to 64 days back
  • Accessed over network as needed
  • Used for folder redirection of Windows homedir

27
User featuresFolder Redirection Windows XP
  • By default, all users and machines use both
    roaming profiles and folder redirection.
  • Computers download the default user profile from
    a DFS share.
  • For the Windows XP environment, WIN.MIT.EDU
    redirects the following folders
  • Application Data H\WinData\Application Data
  • My Documents HOMESHARE\WinData\My Documents
  • My Pictures HOMESHARE\WinData\My Documents\My
    Pictures
  • Favorites HOMESHARE\WinData\Favorites
  • HOMESHARE is the location of the users home
    directory as specified by the user account
    properties in Active Directory. These properties
    are managed by Moira and can be modified via the
    change profile options webform.
  • Machines opted into the disconnected operations
    laptop policy mapped H to their local user
    profile in C\Documents and Settings instead of
    the users DFS home directory. These machines do
    not use roaming profiles.
  • Users who used the change profile options webform
    to set their account to local profiles and no
    folder redirection see similar behavior to those
    who use machines covered under the laptop policy.

28
User featuresPrevious Versions
  • Uses VSS Windows Server 2003 Shadow copy
    services for user Home directories
  • Point-in-time copies of files. View, Copy or
    Restore files and folders as they existed at
    points of time in the past.
  • Recover files that were accidentally deleted or
    overwritten.
  • Compare versions of file while working.
  • Self service file restore capability for the end
    user.
  • Snapshots are made every 4 AM. Versions of up to
    64 days are available.
  • Shadow copies are read-only. You cannot edit the
    contents of a shadow copy.

29
User features Scripts Main Logon Script
Operations
  • Group policy tells the machine to check locally
    for the script, then run it from DFS if it is not
    found locally. These checks are similar to
    startup scripts.
  • Logon Scripts
  • Logonbefore (.wsf) (only runs if the AFS client
    is installed and running)
  • Is launched by the AFS service before
    explorer.exe
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Map drive z to \\afs\all
  • If specified in win.mit.edu AFS Settings, map the
    selected drive letter to the users AFS home
    directory. Drive I is commonly used.
  • Logonafter (.wsf)
  • Is launched by the operating system after
    explorer.exe
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Checks if Windows XP home directory mapping
    should be turn off for disconnected operations
    (not needed for Vista)
  • Enforces win.mit.edu default machine printer
    settings if they are set
  • On XP, maps drive H to the local profile if not
    mapped to any network based home directory. This
    is for disconnected operations or the local
    profile option in the user profile options web
    form (XP only, not run for Vista).
  • Runs Desktop-Sync (this will be covered in the
    Vista section)
  • Imports user Kerberos tickets from the MS LSA
    cache to the MIT Kerberos cache

30
Disconnected operationLaptop support
  • Requires opt-in of the machine or container via a
    web form
  • Domain wide scripts have internal checks for
    network based operations, they test for RPC
    availability to win.mit.edu over port 445, if
    there is no connectivity the operation is
    skipped.
  • If a machine boots with no network connectivity
    the user logs on using their domain account with
    cached credentials.
  • People using laptops that are frequently used
    remotely over a broadband connection should
    install the MIT VPN client. If you boot your
    laptop while connected to a home network with
    broadband, you should set the VPN client to allow
    VPN logon before Windows logon.
  • Note about Intel Proset Wireless management
    software This software is currently packaged
    with many laptops, including those from Dell. We
    recommend that you uninstall this portion of the
    software via the add/remove programs control
    panel for use with disconnected operations within
    win.mit.edu. While it is possible to set this
    software to use the Microsoft client to manage
    wireless connections, this setting wont be
    preserved across system reboots.
  • To logon/logoff without the VPN we currently
    recommend that it not be connected to the home
    network until after the Windows logon so the
    operating system understands it is doing a
    disconnected logon. This can be done by
    temporarily sliding out the wireless LAN card,
    disconnecting a network cable, or using a
    function key to disable integrated wireless (F2
    on most Dell laptops). This has nothing to do
    with scripts, Windows merely detects network
    connectivity and attempts to authenticate with a
    domain controller.
  • Windows Vista users should logon as
    username_at_ATHENA.MIT.EDU when doing a cached
    logon. There is an open bug with Microsoft to fix
    this issue, we will be deploying a hotfix when
    this is available.
  • When using disconnected operations with Vista,
    drive H will not be mapped to the local profile
    as in XP. If the machine is connected to MITnet
    at logon, the drive will be mapped to the network
    home directory specified in AD.

31
RIS Remote Installation Services
  • Requirements
  • PXE support enabled for subnet and the computer
    BIOS
  • Moira record should exist for machine and already
    be mapped to container
  • If reinstalling, the previous computer object in
    Active Directory must be removed
  • Tempjoin credentials are used for the
    installation
  • Execution
  • Boot with Network Boot option (using F12)
  • Access to Windows XP images by default, there is
    an ACL for Server 2003 images
  • Machines automatically join the domain
  • RIS Info
  • RIS will format and install the OS on the first
    physical disk
  • Images exist for particular Dell and IBM models
  • If a new model is commonly used, a new image can
    be requested
  • Generic images exist as well that can be used
    for Virtual Machines
  • WDS (Windows Deployment Services) will soon
    replace RIS. WDS will support Vista and Server
    2008

32
User featuresLab
  • Lab 3 Using Previous Versions on the Home
    directory

33
Server 2003 Security RecommendationsCommon
Security policies to implement for server
  • Logon restrictions Computer Configuration/Windows
    Settings/Security Settings/User Rights
    Assignment
  • Allow logon through Terminal Services
  • Generally restricted to the local Administrators
    group
  • (Allow) Logon Locally
  • Generally restricted to the local Administrators
    group but sometimes a service account may require
    this right depending on the application
  • Deny Logon through Terminal services
  • It is recommended to deny the local Administrator
    account logon over Terminal Services. This way,
    the local Administrator account can only be used
    when physically in front of the machine. We
    already deny this account access to the machine
    over the network, this setting is a logical
    extension of the same precaution.
  • Do not use groups or known security principles
    without understanding their scope
  • Authenticated Users, which includes both local
    and domain users, but not anonymous
  • Local Users, which by default includes the Domain
    Users group
  • Always implement the Windows Firewall and only
    open necessary ports to relevant subnets
  • If possible, implement Microsoft IPSec
  • Resource Management and Administration
  • Use NTFS ACLs, not Share permissions for more
    granular security
  • Use one or two top level shares and set NTFS
    ACLs on the sub-folders instead of creating many
    shares
  • Avoid disabling of inheritance, as it will tend
    to yield unexpected results if not well
    documented
  • Avoid granting Full Control (which allows users
    to change permissions) over resources, use the
    Modify right.
  • Use local Groups containing Moira groups or at
    least moira groups on NTFS ACLs
  • Do not assign NTFS permissions or rights to users
    directly, use the group membership

34
Server 2003 Security RecommendationsLeast
Privilege Access Minimize Attack Surface
  • Least Privilege Access (Authorization)
  • Security Principle
  • Assign only the necessary permissions for
    application service accounts, refrain from
    granting Administrator privileges if possible
  • Limit the rights granted to an account, use
    multiple accounts for different services
  • Limit how application service accounts can be
    used
  • deny logon interactively
  • deny logon through terminal services,
  • only allow logon to specific computers
  • Minimize Attack Surface
  • Ensure machines are up-to-date on patches (using
    WSUS)
  • Disable all unnecessary services (using group
    policies)
  • Only open necessary ports to appropriate networks
    (using a combination of IPSec and Firewall)or
    use a hardware firewall if necessary.
  • Utilize Encryption, such as SSL over HTTP on web
    server or IPSec for other applications

35
Server 2003 Security Recommendations Windows
Firewall
  • Supports
  • Available on Windows XP SP2, Server 2003 SP1 and
    higher
  • Can be configured to block incoming connections
  • Allows exceptions based on Ports (UDP/TCP) and
    Applications
  • Can apply to all or some Network Connections
  • Scopes to limit exceptions to specified Hosts or
    Subnets
  • Limitations
  • Cannot create an exception for a range of ports
    (but a host/subnet scope can be defined)
  • Does only block incoming not outgoing
    traffic(Outgoing traffic blocking available in
    Windows Vista/Server 2008)
  • Domain defaults
  • For Windows XP we use the Microsoft default, the
    firewall is on
  • Server 2003 uses the old domain default where it
    is off. The firewall can be enabled by setting
    Computer Settings/Administrative
    Templates/Network/Network Connections Prohibit
    use of Internet Connection Firewall on your DNS
    domain network Disabled. Then the firewall can
    be configured locally or via group policy.
  • Microsofts default for server 2003 is to have
    the firewall off, so even after making the
    setting above, the firewall will need to be
    turned of locally or via group policy
  • Vistas default Firewall settings depend on the
    location chosen when the network for first setup
    (Home, Work or Public). Due to the nature of the
    MIT network Public is the recommended selection.

36
Server 2003 Security RecommendationsIPSec
Features
  • Microsoft IPSec has been a built-in component
    since the release of Windows 2000. It can be used
    to create an encrypted channel between two
    machines, or it can be leveraged to implement
    simple IP based block/allow policies
  • Encrypted channels can be established either by
    Kerberos V5 authentication or via a shared key.
    3DES keys are used by default when doing Kerberos
    authentication.
  • Policies can be configured either to try to
    establish a secure channel but fall back if not
    supported, or to enforce secure channel
    communications only
  • The most common use of IPSec are the IP based
    block/allow rules.
  • Rules can be host or subnet based, include all
    traffic or only specific ports or protocols.
  • An IPSec implementation consists of Policies that
    contain Rules, which are based on Filters
    Actions
  • IPSec Policies can be created and assigned
    locally, imported and exported to a file, or
    assigned through group policy
  • Assigning an IPSec policy via group policy must
    be done via a request to the network team

37
Server 2003 and Security RecommendationsIPSec
filters and policies
  • IPSec can be managed locally on a computer using
    the IP Security Policy Management MMC snap-in.
  • Multiple policies and filters may be stored on a
    machine, but only one policy at a time may be
    assigned
  • Leaving the Default Response filter enabled opens
    port 88 for Kerberos. If not using Kerberos to
    authenticate for an encrypted channel, this
    filter may be disabled
  • A filter may have only one filter action
    assigned, but it may have multiple items in the
    filter list to control multiple host, subnet and
    protocol connections
  • Filter items which require the same filter action
    should be grouped into one filter when possible
    for best practices
  • Group policy assignments override local IPSec
    policy assignments
  • Avoid reusing filters on multiple policies since
    the local machine stores these filters. If an
    existing filter is reused to create a policy it
    will overwrite that filter on another policy

38
Server 2003 and Security RecommendationsUsing
the MIT Windows Update Services
  • Overview
  • Currently running Microsoft WSUS 3.0
  • Internal repository of patches synchronized with
    Microsoft
  • Only patches approved and tested by IST are
    available through WSUS
  • Applied by default on all WIN.MIT.EDU machines
    auto download and auto install

F5 Load balancers
WSUS Servers
Microsoft
  • Options
  • Domain default Option 4 auto download and auto
    install any day _at_ 200 AM
  • Action nothing
  • Usually good for simple file and print servers,
    simple web servers
  • Custom setting Option 4 Auto download and auto
    install on custom schedule
  • Action Set Computer Settings/Administrative
    Templates/Windows Components/Windows
    Update/Configure Automatic Updates to Option 4
    Auto download and notify for install, and set
    custom schedule below
  • Custom setting Option 3 Auto download and
    notify for install
  • Action Set Computer Settings/Administrative
    Templates/Windows Components/Windows
    Update/Configure Automatic Updates to Option 3
    Auto download and notify for install
  • Do not set/reset the WSUS server name, this is
    already done
  • When using option 3, a balloon window
    notification will appear when new patches are
    available.
  • Patch install can be run manually from this
    interface
  • If the administrator wishes, certain patch may be
    skipped using the client interface

39
Security and using Server 2003 Lab
  • Lab 4 Using IPSec and the Windows Firewall

40
Windows VistaDefault Vista Desktop
  • When logging on with a domain account to a Vista
    machine for the first time, a default profile is
    downloaded from a DFS share
  • When logging on with a local machine account for
    the first time, the local profile is generated
    from the Default profile on the local computer.
    This is the Microsoft default Vista profile
  • When logging on with a domain account that does
    not use roaming profiles, the domain default
    profile will still be used. The logon scripts
    will detect these cases and if not already done,
    set the directory structure to the Microsoft
    defaults. Possible cases where this will happen
    are
  • Disconnected operation
  • The account is set to local profiles via the web
    form
  • The container is set to local profiles only
  • The domain default Vista profile looks very
    similar to the XP desktop
  • It is still not the classic XP desktop, it is the
    Windows Standard interface, the new explorer
    interface is used
  • This hybrid desktop is a good default for users
    moving from XP to Vista. It allows them to
    explore some of the new Vista functionality while
    preserving much of the familiar organization
    found in XP
  • The ability to display the Aero interface will
    depend on the graphics card of the computer.
  • Users will be able to enable Aero if supported by
    the hardware and the video driver
  • Profiles are no longer stored in the Documents
    and Settings folder, the new location is in the
    Users folder off the root of the system drive

41
Windows VistaRoaming Profiles
  • Vista roaming profiles are not compatible with XP
    profiles. Microsoft added code in Vista to create
    a new profile directory in the users home
    directory with a .V2 extension
  • XP H\.winprofile
  • Vista H\.winprofile.V2
  • Each profile has its own desktop folder e.g.,
    XPs is H\.winprofile\desktop
  • If you have certificates in your XP profile, you
    will still need to get them separately for Vista
  • Desktop-Sync In order to preserve consistency of
    the desktop files and shortcuts for users logging
    into both XP and Vista machines, WIN.MIT.EDU
    synchronizes the desktop folders of both profiles
    when a user logs on
  • Files saved to an XP desktop will appear on the
    Vista desktop.
  • Files saved to a Vista desktop will appear on the
    XP desktop.
  • If a file is updated on one of the desktops, the
    other desktop will receive the updated version at
    the next user logon regardless of which OS they
    logon to.
  • Important! A cached roaming profile may only be
    deleted via the system control panel. If the
    files are deleted manually, the roaming profile
    will fail to load.
  • Upgrades If a machine is upgraded to Vista, the
    upgraded cached copy of a roaming profile should
    be copied to a new folder via the system control
    panel and not used (more about this in the folder
    redirection topic).
  • A local logon should be used for the upgrade and
    immediately after the upgrade to rename the old
    cached profile.
  • Upgraded versions of non-roaming profiles can be
    preserved and do not need to be modified.

42
Windows VistaFolder redirection
  • By default, all users and machines use both
    roaming profiles and folder redirection.
  • Computers download the default user profile from
    a DFS share.
  • For the Windows Vista environment, WIN.MIT.EDU
    redirects the following folders
  • AppData(Roaming) HOMESHARE\WinData\Application
    Data
  • Contacts HOMESHARE\WinData\My
    Documents\Contacts
  • Documents HOMESHARE\WinData\My Documents
  • Downloads HOMESHARE\WinData\My
    Documents\Downloads
  • Music HOMESHARE\WinData\My Documents\My Music
  • Videos HOMESHARE\WinData\My Documents\My
    Videos
  • Pictures HOMESHARE\WinData\My Documents\My
    Pictures
  • Saved Games HOMESHARE\WinData\My
    Documents\Saved Games
  • Searches HOMESHARE\WinData\My
    Documents\Searches
  • Favorites HOMESHARE\WinData\Favorites
  • Links HOMESHARE\WinData\Favorites\Links
  • The redirected paths for Vista were chosen in
    such a way as to preserve the continuity of user
    experience from XP.

43
Windows VistaUser Files Directory View
  • The users files folder is a programmatically
    merged view of the local cached profile and the
    redirected folders.
  • Its possible to view duplicate entries if a
    directory exists in each location.
  • We reported this to Microsoft, but action was
    taken to remediate the issue.
  • We implemented our own workaround to the user
    file view issue
  • The default domain Vista roaming profile which is
    the source for the cached profiles has the
    folders which are redirected removed.
  • Users in the domain who use a local profile
    either on a desktop by opting out of roaming
    profiles or using a computer opted into
    disconnected operation (laptop policy) have the
    removed directories recreated at logon when the
    profile is first created.
  • New logon scripts include logic to detect whether
    the user is roaming or not and create the
    directories if they do not exist.

44
Windows VistaChanges to AppData
  • In XP, all application data was redirected to the
    home directory
  • Vista still redirects most application data to
    the home directory, but now also stores some
    settings data and certificates in the roaming
    profile
  • In XP, non-roaming data was stored in the Local
    Settings directory
  • Vista stores non-roaming data in AppData\Local
  • Vista has a new store for low security data
    called AppData\LocalLow. This is used by IE
    running in protected mode. This data does not
    roam.

45
Windows VistaMIT KfW and the UAC
  • WIN.MIT.EDU uses a different KfW 2.6.5 installer
    then the one on the software download site.
    Unlike the download site installer, our 2.6.5
    installer is fully Vista compatible. Therefore
    there are no pressing reasons for users to
    upgrade to version 3.2.2.
  • Since the latest release of KfW does not fix the
    Vista UAC issue, we are waiting for a later
    release which is UAC compatible to upgrade
    WIN.MIT.EDU machines. When such a version is
    released, we will announce a schedule for the
    upgrade. The decision to wait on this upgrade was
    made by consensus with us and the Kerberos
    Development Team months before version 3.2.2 was
    released.
  • Our current workaround for KfW has been to
    disable the UAC by default, then KfW 2.6.5
    functions normally. However, those who wish to
    enable the UAC in their containers may do so by
    applying the settings to their container
    policies. When a UAC compliant version of KfW is
    available, we will consider changing the default
    UAC settings back to Microsoft's setting of
    enabled.

46
Windows VistaConnecting via Remote Desktop
  • Similar to disconnected operations, IST is
    awaiting a hotfix from Microsoft that will remove
    the requirement of using the UPN (a user
    principal name i.e. username_at_REALMNAME) format
    to connect via remote desktop
  • This issue was resolved when IST worked with
    Microsoft regarding XP SP1 and the fix was rolled
    into SP2. Unfortunately, this code was not ported
    to the Vista release and we are awaiting the
    Kerberos regression hotfixes from Microsoft to be
    re-released for Vista
  • The Remote Desktop client will not store the UPN
    format when it makes connections to Vista
    machines the way it does to XP and 2003. We are
    reporting this behavior to Microsoft as well
  • The Windows Aero interface cannot be displayed
    over Remote Desktop

47
Windows VistaLab
  • Lab 5 Managing Desktop Sync
Write a Comment
User Comments (0)
About PowerShow.com