SMS 2003 Deployment and Managing Windows Security - PowerPoint PPT Presentation

Description: Enhancements in SMS and Active Directory Integration ... DP name. DP name. HEPiX October 2004. Rafal Otto (CERN IT/IS) Deployment. SMS 2003. Site ...

Slides: 21
Provided by: rafal6
Learn more at: https://www.racf.bnl.gov

1
SMS 2003 Deployment and Managing Windows Security
  • Rafal Otto
  • Internet Services Group
  • Department of Information Technology
  • CERN
  • 12 July 2020

2
Agenda
  • SMS 2003 Infrastructure
    • What is SMS?
    • Architecture
    • Deployment
    • Rights Policy
    • Enhancements in SMS and Active Directory Integration
  • Managing Windows Security Updates with SMS 2003
    • SUS Feature Pack
    • Updating Servers
    • Updating Desktops
  • Other security related actions
  • Conclusions

3
What is SMS?
  • Microsoft Systems Management Server provides
    • centrally managed software deployment
    • software and hardware inventory
    • software metering
    • remote control
  • Additional features
    • Windows Security Updates Scan Tool
    • Microsoft Office Security Updates Scan Tool
  • Supported (managed) platforms
    • Windows 98, NT: SMS Legacy Clients (none at CERN)
    • Windows 2000, XP, 2003: SMS Advanced Clients (6000)
  • SMS is not designed for system monitoring!

4
Architecture
5
Deployment
6
Rights Policy
7
Agenda
8
Background
  • Software deployment at CERN is currently based on Group Policy Objects applied to security groups
    • when one wants to install certain software (e.g. MS Office 2003) on her/his computer, she/he needs to make the computer account a member of the corresponding security group (e.g. CERN\GP Apply Office 2003)
    • then, after the reboot, the machine receives the new installation package
  • To manage memberships of the groups we have a single entry point, the WinServices website, in particular a service called Group Manager

9
AD System Discovery
10
CERN System Group Discovery
SMS Site Server
11
Agenda
12
SUS Feature Pack
13
Reports on security updates
14
Updating Servers
  • 130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers)
  • Most of the updates need a reboot at the end of the installation
  • There are groups of servers in which at least one machine has to be online at any time (e.g. 3 domain controllers)
  • We do not want to trust the SMS scheduler to reboot the servers
  • Our approach
    • We deploy patches with the "postpone reboot forever" option
    • We use our own mechanism to reboot the servers pending a reboot by hand
    • The pending-reboot status of a machine is taken directly from the SMS database
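The availability rule from the bullets above (at least one machine per server group stays online while the rest are rebooted by hand), worked through as an added example that is not CERN's reboot mechanism: a small Python planner that takes a constructed pending-reboot table and splits the reboots into waves that never empty a group. The SERVERS table, the group names and the `online` flag are assumptions; in the real setup the pending-reboot flag comes from the SMS database.

```python
"""Rolling-reboot planner for servers left 'pending reboot' after an SMS
patch deployment (added illustration, not CERN's own reboot tool).
Rule from the slide: in every server group at least one machine must stay
online, so a wave takes down at most (online members - 1) hosts per group,
the last online member of a group is reported as skipped, and the next wave
starts only once every host of the previous wave is back online."""
from collections import defaultdict

# Constructed sample status.  In the real setup 'pending_reboot' comes from
# the SMS site database and 'online' from a ping/service check (assumed).
SERVERS = {
    "dc1":   {"group": "dc",   "online": True,  "pending_reboot": True},
    "dc2":   {"group": "dc",   "online": True,  "pending_reboot": True},
    "dc3":   {"group": "dc",   "online": False, "pending_reboot": True},
    "wins1": {"group": "wins", "online": True,  "pending_reboot": True},
    "wins2": {"group": "wins", "online": True,  "pending_reboot": False},
    "web1":  {"group": "web",  "online": True,  "pending_reboot": True},
    "web2":  {"group": "web",  "online": True,  "pending_reboot": True},
    "web3":  {"group": "web",  "online": True,  "pending_reboot": True},
    "sms1":  {"group": "sms",  "online": True,  "pending_reboot": True},
}

def plan_reboot_waves(servers):
    """Return (waves, skipped): waves are lists of hosts that may be rebooted
    concurrently; skipped are hosts that would leave their group empty."""
    online_in_group = defaultdict(int)
    for s in servers.values():
        if s["online"]:
            online_in_group[s["group"]] += 1
    # Maximum number of a group's members that a single wave may take down.
    capacity = {g: n - 1 for g, n in online_in_group.items()}
    pending = sorted(n for n, s in servers.items()
                     if s["online"] and s["pending_reboot"])
    skipped = [n for n in pending if capacity[servers[n]["group"]] == 0]
    remaining = [n for n in pending if n not in skipped]
    waves = []
    while remaining:
        used, wave, leftover = defaultdict(int), [], []
        for name in remaining:
            group = servers[name]["group"]
            if used[group] < capacity[group]:
                wave.append(name)
                used[group] += 1
            else:
                leftover.append(name)
        waves.append(wave)
        remaining = leftover
    return waves, skipped
```

Calling `plan_reboot_waves(SERVERS)` yields two waves and reports `sms1` as skipped, because it is the only online member of its group and rebooting it would take the whole group offline.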

15
Rebooting servers
16
Updating Desktops (1)
  • SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2)
  • SMS packages are based on the operating system
    • One package (Adv) is used for new patches: published but not assigned
    • A second package contains all baseline patches and is assigned to run each day

17
Updating Desktops (2)
  • Patches not supported by SUS Feature Pack
    • Packages are manually created for each patch
    • Depending on the severity they are assigned or published
    • A wrapper is needed that notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times
  • With new versions of MBSA more and more products should be supported

18
Agenda
19
Other security related actions
  • Windows XP SP2 deployment (pilot)
    • additional firewall features
    • new Internet Explorer and Outlook Express
    • Attachment Execution Service, HTML images
    • add-ons manager
    • pop-up blocker
    • DCOM and RPC improved security
  • Get rid of weak LM hashes (soon)
    • used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy, etc.
    • since Windows NT 3.5 NTLM authentication is used (the NTLM hash is much stronger)

20
Other security related actions
  • Local administrator password reset
    • periodic (every 3 months)
    • web interface to change it again (available to the main responsible for the machine)
  • Local administrators group (plan)
    • in the past each user was a member of the local administrators group on his/her machine
    • this will no longer be mandatory
    • web interface to become a member (available to the main responsible for the machine)

21
Conclusions
  • SMS 2003 makes the infrastructure much better managed
    • security scans, patch deployment
    • software inventory
  • Other improvements in security were done
    • Windows XP SP2 deployment
    • New policy for local admin password and local administrators group