November 2004 UCIST presentation

WNAG: Advisory Report
Presented to: UCIST
by: Stephen Sempson
Description of Computers
• There are approximately 2780 clients on Nexus
• As of Nov. 4, 2004:
– 2000 Server: 15
– 2003 Server: 41
– 2000 Pro: 752
– XP Pro: 1895
– Netapps: 8 (identified as Windows NT)
(Engelke E. Nov., 2004)
Login Data/Stats
• First time that data has been collected since the move to Nexus (Active Directory)
• 7MB of data was extracted from over 1300 OUs in the AD
• Question arises, how fair is the sharing of labs?
• Engineering now running a Terminal Server (engterm)
• External account logins account for ~5% of total logins
• Data collection from the spring was problematic, due to people implementing firewalling.
– This brought several issues to attention which could be resolved in the coming months.
• Acquisition of stats is difficult
– "The acquisition of statistical data is non-trivial, but not difficult. Processing the huge numbers is slow. Algorithms modified accordingly." (Engelke E. Jun., 2004)
Accounts
• CS pre-allocates disk space for students enrolled in CS courses
• Scratch creates passwords from a trusted source
• Creates homespace and email
• Account creation system (aka Scratch)
• Stephen Carr to write documentation
• Evaluation of the Scratch system to take place after the Fall 04 term
Scratch (Account Creation Tool)
• Assumes that a unix account for the student does not exist
• Creates a password (based on rules defined by the faculty), then ssh's into the host and runs the acct command
• Then sends the password to the AD
• AD accounts are already created via adman; possibility of having unix accounts batch created and just 'sitting' there
• Problems
– Creation of spam
– Users show up in the wrong group
– Any student who is listed as an employee as well (i.e. co-op students on campus, athletics instructors, TAs, RAs and the list goes on) cannot use the scratch tool, and their uwdir department data is flawed by HR
• Bruce Campbell expresses the hope of having the "New Users" link working in all faculties
Organizing of Workstations
• Location of workstations is important; it should be standardized across faculties
• Postal Code field to be used for this purpose
• Format to be building code room#
– e.g. BMH 2222
• To be completed at the OU level
GPO Naming Conventions
• Currently
– Faculty - Group - Server Name - Application Name
• To be changed to
– Faculty - Group - Application Name - Server Name
• Erick Engelke has adman available to 'fix' this
Nexus domain printer names
• Labelling of printers is confusing
• Needs to conform to conventions
• Recommend changing to
– Group-Building-Room number
– e.g. Sci-esc-254d
• Remove default of publishing to the AD
New Logon Page
• To be generated by PHP
• Created by OUs (blocking enabled)
• Fine-tuning to be done; eventually to work off of a server
• The importance of a 'consistent' interface across campus
Laptops in Nexus
• Enabling Nexus laptops has been successful in AHS and Science.
• Currently, one needs to have the user log on once while the laptop is on the network.
• This is in order to create a “cached” copy of the local profile.
• Laptop issues should be considered when planning NAA or replacements in the future.
XP SP2
• This service pack incorporates some new security features
• This will cause problems for Nexus clients
– XP SP2 fails with ngina.dll
– Network services at startup are killed
– No warnings given by MS; SP2 deemed it to be virus-like activity
• Implementation of SP2 has been held back
– SUS servers will not deploy SP2 yet; it has not been approved.
• Still numerous W2K workstations out in the field
XP SP2
• August 2004, an emergency XP SP2 version of ngina.dll was implemented on Nexus
• This program logs basic login/logoff events, which are used to manage security
• This also enables collection of statistics
• As of Nov. 2004 a new ngina.dll has been implemented and tested in Engineering.
• No problems to date
Security/Thefts
• Math - using electronic door locks, shut PCs off, locking labs at night
• ES – systems secured with fibre and some labs with door combination
locks. Password controlled teaching labs.
• Arts – bolts their computers to the tables and one public lab is locked
outside regular hours, though this one is booked for some classes.
• AHS - bolting PCs to table, security screws, fibre-optic security cable
• Notice of thefts to be sent via email list, just as a 'heads-up'
• Watcard discussed as possible entry system (cost $800 per swiper)
• Possible for a UPC swiper to read Watcard
• Erick Engelke to work on security system
ADS Domain Comparison
• UW began deploying the two campus Active Directory domains “Nexus” and “ADS” about 3.5 years ago.
• Nexus is used by 2726 workstations and servers.
• The ADS domain is used by approximately 1257 workstations and servers.
ADS Domain Comparison
• ADS allows approximately
– 9 individuals onto all server areas
– about 25 people onto all workstations
– about 129 people with administrative access to portions
of 1257 computers
• Nexus currently allows
– 26 individuals onto MOST server areas
– 26 individuals onto MOST workstations
– about 90 people with administrative access to portions
of 2726 computers
ADS Domain Comparison
• A Nexus proposal would allow
– 4 individuals onto most server areas
– 4 individuals onto all workstations
– 26 people with access to student user data
– about 90 people with administrative access to portions of 2726 computers
– local control, where a faculty or department has total access to its own area, and very few outsiders have any access.
Security Approach
• The approach we are taking is to create new groups in a standardized way so that it's easier for us to add the necessary permissions.
• That was made a little bit difficult because some areas have a different OU structure than everyone else.
Guiding Principles
• Improvement of security
• No loss in functionality
• Image/Perception of constituent
Guiding Principles
• preserving local administrators’ ability to do the job unencumbered. These would include the ability to:
– add users
– install and manage workstations, servers and printers
– install software on the unit’s workstations
– add scripts as necessary
– select, review and edit GPOs
– select an appropriate SUS and NAV strategy for the clients
Guiding Principles
• enhancing the effectiveness of the local computing unit
– offer greater assurances of security to the office user community
– other initiatives not mentioned in this document, e.g. edit the login browser page
• reducing exposure to unnecessary privileges from ‘outsiders’ of the local department.
• providing the ability to select a peer group who could cover during vacations
Guiding Principles
• enabling emergency accounts possessing extraordinary privileges
– to deal with crisis situations
– to provide backup in the rare event that no departmentally selected peer member can be reached
– to better document changes by requiring WNAG notification
• maintaining a system consistent with the distributed management philosophies embodied in Watstar/Polaris/Nexus of the last twenty years
Security Proposal
• Possible due to:
– Local flexibility of NEXUS.
– Security on the local PC (on-the-edge security).
– Dynamic collaboration/cooperation of the group.
• Near-autonomous control over their own areas, as well as the ability to work unencumbered in a large shared environment.
Security Proposal
• 5 Major Points
– Training (suggested only)
– GPO Editing (GPMC Tool)
– Changing Passwords for moving students
• More specifically, solving problems for all students
– Symantec Administration (MMC on local pc)
– Faculty Representation
Faculty Representation
• How to distribute?
– Agreed that 4 are to be created
– Distribution to be 2 for EC
• Specifically E. Engelke and H. Tam
– and 2 for other faculties, either on a rotational basis between faculties or to be assigned
The assigned model was noted because of its stability and consistency.
Security Proposal
Nov. 11, 2004 WNAG unanimously voted
• to adopt the proposed management system
• to effect the changes today
• to review this (or any other aspect of the system) at any time we wish, and we agreed that next autumn would be a good time to review everything we have learned, etc.