JEDI PMO - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: JEDI PMO


1
DIA/DODIIS Implementation of Microsoft Technology
UNCLASSIFIED
JEDI for Windows
  • JEDI PMO
  • Comm 315-330-7657 DSN 587
  • Email jedi_at_rl.af.mil

2
OBJECTIVE
  • Provide a brief overview of the Windows 2003
    implementation lockdown in the Defense
    Intelligence community
  • Why a DoDIIS Baseline?
  • Who Is Building It?
  • Workstation Baseline
  • Server Baseline
  • Provide points of contact

3
Why a DoDIIS Baseline?
  • Facilitate FSD / dodiis.ic.gov the DoDIIS
    Enterprise
  • Provide a well-engineered reference
    implementation
  • DoDIIS Integrators Guide compliant
  • ITA Certified
  • Fully documented, including SSAA package
  • Promote interoperability through common core
    tools
  • Provide a common baseline target for integration,
    testing, and deployment of mission apps
  • Set a precedent for JWICS that can be shared for
    use on other DoD and coalition networks
  • Reduce duplication of similar integration /
    security work

4
Who Is Building It?
Microsoft and Citrix COTS foundation!
  • DIA Global Enterprise Services (GES) Roles
  • Windows Server Builds
  • Documentation
  • DoDIIS FSD Guidance
  • AFRL/JEDI Roles
  • Security Templates (DCID 6/3 and DITSCAP)
  • JEDI Tools
  • Deployment support to sites
  • ONI-4 Roles
  • Windows Terminal Server Build
  • Windows XP Client Build
  • JDISS JPO Testing and CM support
  • ITA / RITF Certification support
  • JDISS JPO Deployments to Joint and Allied
    Customers

DoDIIS Baseline Charter MOA, signed 21 Mar 05
(DIA CIO, ONI-4, JEDI PM).
5
DoDIIS Baseline Components
  • Windows 2003 Server Builds / Configurations
  • Member Server
  • Domain Controller
  • MS Exchange 2003 Server
  • Windows Terminal Server (WTS)
  • Internet Information Server (IIS)
  • SharePoint Server
  • Windows XP Professional (SP2) Build
  • Thick Client / Standalone / Laptop all same
    build
  • Includes DoDIIS Core Applications set (listed on
    next slide)
  • Will supersede JDISS v4.X Baseline
  • All builds implement JEDI security templates
  • All builds up-to-date on service packs and hot
    fixes

6
DoDIIS Core Applications
Windows XP Professional OS, Service Pack 2 (SP2)
  • Sentinel Client Activator v2.2
  • Sentinel License Manager v7.2
  • Symantec AntiVirus Corp v9.0.1
  • Windows Support Tools
  • MS MDAC v2.8
  • MS Remote Desktop
  • MS Windows Installer v3.0
  • MS Visio 2003 Viewer
  • MSXML v4.0 (SP2)
  • I2 Link Chart Reader v6.0
  • NicMak WinZip v9.0
  • Sun JRE v1.4.2_06
  • Kixtart Scripting Language
  • USAF NT Toolbox v2.01
  • Outlook Classification Tool Build 21
  • WS_FTP (LE version)
  • Adobe Acrobat Reader v6.0.2
  • Adobe SVG Viewer v3.0.1
  • Apple QuickTime v6.5
  • JEDI Security / Utilities v2.0
  • Macromedia Flash v7.0.1.9.0
  • Macromedia Shockwave v10
  • mIRC v6.1.6 Chat
  • MS Internet Explorer v6.0
  • MS .Net Framework v1.1
  • MS Media Player v10.0
  • MS Messenger v5.0
  • MS Office 2003 Prof. Ent. (SP1)
  • Netscape Communicator v7.2
  • RealPlayer v10.0

7
XP Desktop Build Details
  • Windows XP unattended with SP2 slipstreamed and
    automatic kickoff of Automated build script.
  • Build script written in VBScript
  • Ensures each baseline build is identical,
    facilitating better enterprise management of
    patches and application deployment.
  • Automation checks all return codes from silent
    installs and reports any errors.
  • All DoDIIS Core applications installed with
    built-in silent mechanisms or packaged to be
    silent.

8
Server Build Details
  • Microsoft Windows Server 2003 OS
  • IAVA Patches
  • JEDI Security Templates and Tools
  • WinZip
  • Symantec Antivirus
  • Tested Hardware
  • HP DL580 and HP DL380
  • Standard automated build script for Windows 2003
    Member Server
  • Automation of Domain Controllers, Exchange,
    WTS/CITRIX, Sharepoint, and IIS is underway
  • OPSWARE to maintain patches and track changes

9
Enterprise Management
  • OPSWARE (W2K3 Server Management)
  • SMS Server 2003 (XP Management)
  • Application Deployment
  • Software Update Services (SUS) Patches
  • Group Policy Software Restrictions
  • Application ADM Templates
  • Citrix Installation Manager (WTS Server
    Management)

10
Availability
  • Late Summer or Fall 2005
  • Undergoing ITA certification notionally this
    Summer
  • How to get Media and Documentation
  • JDISS JPO will distribute media and documentation
    for both server and workstation components of the
    DoDIIS Baseline
  • Order media on-line via JDISS Web Site on JWICS
  • http://jdiss.nmic.ic.gov
  • Download documents, patches, and mission
    applications via JDISS Web Site
  • Note: Cannot download DoDIIS Baseline
    infrastructure (i.e. WinXP / 2003 Baseline)

11
WHAT IS JEDI?
  • The DIA sponsored Joint Enterprise DoDIIS
    Infrastructure (JEDI) program was a joint effort
    between DIA, Microsoft and the Air Force to
    rapidly deploy a highly secure Windows
    infrastructure baseline within the defense
    intelligence community.
  • JEDI provides:
  • Common Security and Infrastructure Baseline to
    meet the requirements of the DoDIIS community.
  • Secure, cross-platform, interoperable,
    communications and enterprise management
  • Helps achieve DCID 6/3 Compliance (PL2 HI HA)
  • DoDIIS Tested and Approved Baseline of Tools and
    Services
  • DEC/DoDIIS Certificate to Field
  • On-site Installation and Integration Assistance
    (GDIP Sites)
  • Easy installation via Microsoft RIS install
    capabilities or disk cloning

12
JEDI 2.1 FOR WINDOWS
  • Supports W2K, XP, and Windows 2003 Server
  • CERTIFIED, v. 2.0 fielding now.
  • Security Baseline
  • Based on NSA STIGs for 2000 and XP
  • W2K3 lockdown based on Microsoft/DIA/JEDI
    collaboration
  • Additional Tools
  • Graphical Configuration Utility (MMC Plug-Ins)
    for utilities
  • Secure Print Utility: PostScript, PCL duplexing
  • COTS DeviceLock Lockout
  • DoDIIS FSD Integration
  • Improved Installation GUIs
  • Improved Documentation

13
INVESTMENT TEAM
  • Program Manager: Dr. Ryan Durante, Ph.D., MCSE,
    CISSP, APDP Level III
  • Deputy Program Manager: 1 Lt Brian Chapeau, MCSE,
    CISSP
  • Chief Engineers:
  • Mr. Norm Leach, GS-12, MCSE, APDP Level III
  • Mr. Kevin Dyer (NG-DMS)
  • Mr. Doug Massey (NG-DMS)
  • Executive Agent: Air Force C2ISR Center
  • Technical Team: AFRL/IFEB
  • Contractors: NG-DMS, MITRE, BAE, BAH, SI, C3I

14
JEDI 2.1 IN THE RSC
  • JEDI provides the security infrastructure for
    the Defense Intelligence community
  • J2W provides the RSC server security baseline
    build
  • J2W will provide the RSC client infrastructure
    build for fat clients
  • J2W is providing infrastructure baseline to JDISS
    and DIA

15
JEDI DEPLOYMENT
16
JEDI DEPLOYMENT
17
COMMUNITY SUPPORT
  • US State Department
  • US Department of Energy, Los Alamos National Labs
  • DPOC
  • DCGS 10.2
  • JDISS
  • AF Mobile Command Control Center (MCCC)
  • JASSM
  • IBS
  • NIMA International Sites
  • Army (37 sites)
  • JBC
  • GUARDRAIL
  • JSIMS
  • SPAWAR
  • USAFE
  • 7th AF
  • Transformation Center
  • AOC WS
  • JEFX-04
  • USTRANSCOM
  • USPACOM
  • USEUCOM
  • USJFCOM
  • USSOUTHCOM
  • USSOCOM
  • USNORTHCOM
  • USSTRATCOM
  • USSTRICOM
  • Goodfellow AFB
  • FORSCOM
  • AFSOC
  • GISA
  • ONI-53
  • PASS-K
  • PASS-E
  • PASS-J
  • Airborne Common Sensor (ACS)
  • Targets Under Trees (TUT)
  • Marine Corps Intelligence Activity (MCIA)
  • Air Force Combat Climatology Center (AFCCC)
  • M3
  • COMNAVSPECWARDEVGRU
  • National Ground Intelligence Center (NGIC)
  • USA - Information Assessment Test Tool (IATT)
  • 480th Intelligence Group
  • DESS
  • USA JTC/SIL, Redstone Arsenal
  • NSA WARGODDESS
  • USA Special Operations Command (SASOC, DCS, G-2,
    AOIN-SEA)

18
COMMUNITY SUPPORT
  • CENTAF-AUAB/TBMCS at Al Udeid Qatar
  • Jaycor at Albuquerque NM
  • Titan Systems at Albuquerque NM
  • Assurance Technology Corporation at Alexandria VA
  • Virtual Technology Corp at Alexandria VA
  • Veridian System at Ann Arbor MI
  • Raytheon at Annapolis Junction MD
  • SAIC at Arlington VA
  • AFCCC at Asheville NC
  • NGIT at Baltimore MD
  • 13 IS at Beale AFB CA
  • 48 IS at Beale AFB CA
  • 9 IS at Beale AFB CA
  • DGS-2 at Beale AFB CA
  • ITEK at Beale AFB CA
  • MITRE at Bedford MA
  • NGIT at Bellevue NE
  • AFIAA at Bolling AFB DC
  • DIA at Bolling AFB DC
  • JIVA at Bolling AFB DC
  • Data Exploitation RDDC/DRDC at Canada
  • NIMA at Chantilly VA
  • Veridian System at Chantilly VA
  • SPAWAR at Charleston SC
  • CTA Inc. at Colorado Springs CO
  • Lockheed Martin at Colorado Springs CO
  • ManTech Aegis Research Corporation at Colorado
    Springs CO
  • NGIT at Colorado Springs CO
  • Raytheon at Dallas TX
  • NSWDG at Dam Neck, VA
  • 66MI at Darmstadt Germany
  • 612 AIS/INY at Davis Monthan AFB AZ
  • NAIC at Dayton OH
  • SAIC at Dayton OH
  • Lockheed Martin at Denver CO
  • Defence Science Technology Organisation at
    Edinburgh Australia
  • 53 CSS/SCN at Eglin AFB FL

19
COMMUNITY SUPPORT
  • Raytheon at El Segundo CA
  • BTG - JSIMMS at Fairfax VA
  • Titan - IBS at Fairfax VA
  • Titan Systems / RIS at Fairfax VA
  • Raytheon at Falls Church VA
  • JSIMS at Felts Field FL
  • I2WD / Army at Fort Monmouth NJ
  • ISSO at Fort Washington MD
  • HQ US Army INSCOM at Ft Belvoir VA
  • GISA at Ft Bragg NC
  • Ft Buchanan PR
  • Army OTC at Ft Hood TX
  • FORSCOM at Ft McPherson GA
  • 694 SPTS/SCBNS at Ft Meade MD
  • Prophet at Ft Monmouth NJ
  • Ft Shafter HI
  • DIA at Ft Washington MD
  • GLACIER at GLACIER
  • Lockheed Martin at Gaithersburg MD
  • Raytheon at Garland TX
  • 17 CS/SCBBA at Goodfellow AFB TX
  • 17TRG at Goodfellow AFB TX
  • 17TRSS at Goodfellow AFB TX
  • AETC at Goodfellow AFB TX
  • Northrop Grumman at Goodfellow AFB TX
  • Lockheed Martin at Goodyear AZ
  • Modern Technology Corporation at Hampton VA
  • ESC at Hanscom AFB MA
  • ESC/IN at Hanscom AFB MA
  • ESC/SR at Hanscom AFB MA
  • Blackbird Technologies at Herndon VA
  • 56th IWF at Hickam AFB HI
  • PACAF PAS at Hickam AFB HI
  • PACAF PAS at Honolulu HI
  • PEO Air Missile Defense at Huntsville AL
  • US Army Threats System Management at Huntsville
    AL
  • HQ AFSOC at Hurlburt Field FL

20
COMMUNITY SUPPORT
  • INS Office of HQ AFSOC at Hurlburt Field FL
  • Lockheed Martin at King of Prussia PA
  • AFRL at Kirtland AFB NM
  • Phillips Lab at Kirtland AFB NM
  • 10TH IS at Langley AFB VA
  • 27IS at Langley AFB VA
  • 27IS/INYN at Langley AFB VA
  • 27IS/INYO at Langley AFB VA
  • 480 IG at Langley AFB VA
  • 480 IG/SCTM at Langley AFB VA
  • 83 CS at Langley AFB VA
  • ACC / INSC at Langley AFB VA
  • ACC INYS at Langley AFB VA
  • AFC2ISRC at Langley AFB VA
  • CAOC-X at Langley AFB VA
  • ESC / AC - OL - L at Langley AFB VA
  • ITEK at Langley AFB VA
  • SAIC at Langley AFB VA
  • Unknown at Langley AFB VA
  • Northrop Grumman at Linthicum MD
  • 123IS/SC at Little Rock AFB AR
  • Lockheed Martin at Littleton CO
  • RAF Storm Shadow Implementation Team at London UK
  • USCENTCOM at MacDill AFB FL
  • USSOCOM at MacDill AFB FL
  • Harris Corporation at Melbourne FL
  • BAE Systems at Newington VA
  • ESCS RHG/DCGS at Newport News VA
  • 20IS at Offutt AFB NE
  • 55 MCCS at Offutt AFB NE
  • 55th MCIS at Offutt AFB NE
  • AFWA at Offutt AFB NE 5
  • General Dynamics - Decision Systems at Orlando FL
  • JSIMS at Orlando FL
  • Lockheed Martin at Orlando FL
  • NGIT (JSIMS/WARSIM) at Orlando FL

21
COMMUNITY SUPPORT
  • US Army/STRICOM at Orlando FL
  • 607th Air Intelligence Squadron at Osan AFB ROK
  • 7 IWF AIA/ACC at Osan AFB ROK
  • 751 CS at Osan AFB ROK
  • National Defence at Ottawa ON CAN
  • Radar Applications and Space Technologies at
    Ottawa ON CAN
  • 4CACS/MAOSO at Peterson AFB CO
  • USSPACECOM/NORTHCOM at Peterson AFB CO
  • Lockheed Martin at Philadelphia PA
  • Epoch Software at Phoenix AZ
  • JAC at RAF Molesworth UK
  • BAE Systems at Ramstein AB GE
  • HQ USAFE at Ramstein AB GE
  • USAFE CSS at Ramstein AB GE
  • USAFE ESS at Ramstein AB GE
  • USAFE IFSA at Ramstein AB GE
  • NGIT at Redding MA
  • 152 Intelligence Squadron (IS) at Reno NV
  • Lockheed Martin at Reston VA
  • NIMA at Reston VA
  • Warner-Robins Air Logistics Center at Robins AFB
    GA
  • BAE Systems at Rome Research Site NY
  • Dolphin Technology Inc. at Rome Research Site NY
  • TWR at Sacramento CA
  • L-3 Communications at Salt Lake City UT
  • L-3Com at Salt Lake City UT
  • BAE Systems at San Diego CA
  • BAE Systems, Mission Solutions at San Diego CA
  • Booz Allen Hamilton at San Diego CA
  • SPAWAR at San Diego CA
  • Lockheed Martin at San Jose CA
  • General Dynamics - Decision Systems at Scottsdale
    AZ
  • ASPO Depot at Seal Beach CA
  • General Dynamics at Seal Beach CA
  • 609 AIS/GD at Shaw AFB SC 3

22
COMMUNITY SUPPORT
  • Raytheon at State College PA
  • Joint Warfighting Center at Suffolk VA
  • ONI at Suitland MD
  • CENTCOM J2 at Tampa FL
  • General Dynamics at Tempe AZ
  • General Dynamics at Thousand Oaks CA
  • General Dynamics Advanced Information Systems at
    Thousand Oaks CA
  • Thundercloud
  • Davis-Monthan AFB at Tucson AZ
  • Titan Systems at Tysons Corners VA
  • MITRE at Unknown
  • Lockheed Martin at Valley Forge PA
  • Vandenberg AFB CA
  • Titan Systems at Virginia Beach VA
  • MAOSO at Warren AFB WY
  • DIA at Washington DC
  • Lockheed Martin at Washington DC
  • Marine Corps Intelligence Activity (MCIA) at
    Washington DC
  • NGIT at Washington DC
  • NIMA at Washington DC
  • NMIC at Washington DC
  • Veridian System at Washington DC
  • ASC/RAB at Wright-Patterson AFB OH
  • NAIC at Wright-Patterson AFB OH
  • NAIC/DXMS at Wright-Patterson AFB OH
  • SAIC at Wright-Patterson AFB OH
  • 374 CS at Yokota JP
  • Titan Systems at Yorktown VA
  • 160th Special Operations Aviation Regiment, Ft.
    Campbell, KY

23
SUPPORTED PLATFORMS
24
CUSTOM INSTALLATION
  • New improved installation interface
  • Wise Installer based
  • More granular level of control, allows trusted
    users maximum control
  • msi packaged for easy installation

25
JMC
  • JEDI Management Console (JMC) Snap-In is
    installed within the Microsoft Management Console
    (MMC)
  • A standard, centralized interface for JEDI
    configuration

Management Console
26
CLEAR TEMP
  • Ensures that no data is left in any unsecured
    directories
  • Clear Temp Tool
  • Deletes all files in designated directories upon
    each user logout, and optionally upon user
  • Automatically executes the MS Disk Cleanup tool
  • Disk Cleanup Tool
  • Microsoft Disk Cleanup tool (cleanmgr.exe)
  • Scans a designated drive or location and removes
    all instances of particular file types

Utilities
27
DEADMAN
  • Monitors and restricts access after a specified
    period of inactivity
  • Tracks the length of time a system is left idle
  • Performs actions to secure the system from
    unauthorized access
  • Displays a secure screensaver
  • Notifies the user of pending timeout
  • Sends a notification via email
  • Terminates the current session
  • Runs a custom script or batch file

Utilities
28
EVENT BACKUP
  • Collects logs from Windows systems across a
    domain for storage in a central location
  • Copies the log files from each system and
    optionally clears the original logs
  • Fully configurable

Utilities
29
ISD
  • Infrastructure Service Daemon
  • Maintains and administers JEDI Windows system
    from a JEDI Solaris administrative system
  • Allows the Windows system to accept
    communications only from authorized Solaris hosts
  • Automatically executes at system startup as a
    service

Utilities
30
LOGON CONSENT
  • Requires authenticated users to agree to a
    legally binding monitoring and usage agreement
    before gaining system access
  • Audit records are produced with each user action
  • Customizable based on site requirements

Utilities
31
PASSWORD FILTER
  • Strengthens password integrity through the
    enforcement of password construction rules
  • Configurable to enforce additional password
    restrictions
  • Gives the ability to create a custom dictionary
    file
  • Meets new AR 25-2 requirements

Utilities
32
PRINT UTILITY
  • Provides the capability to add security markings
    to all hardcopy printouts on local and network
    print devices
  • Grants certain print privileges to each user

Utilities
33
SECURITY BANNER
  • Displays a read-only label that appears at the
    top (and optionally at the bottom) of the
    computer screen
  • Provides security markings for the system
  • Settings are contained in the Windows Registry
    and are configurable through the Security Banner
    JMC Snap-In interface or the Security Banner
    Administrative Template

Utilities
34
WATCHDOG
  • Monitors the Windows System Event Log for any
    failed and restarted services
  • In the event of a service failure, Watchdog takes
    pre-determined actions to alert the current user
  • Relies on the native Windows Service Utility to
    restart failed services
  • Settings are contained in the Windows Registry
    and are configurable via the Watchdog JMC Snap-In

Utilities
35
DEVICE LOCK 5.7
  • COTS Tool
  • DoDIIS Enterprise Licensed
  • Provides system administrators control over which
    users can access certain devices on a local
    computer
  • Protects the network by locking unauthorized user
    access to Wi-Fi, Bluetooth, USB, FireWire,
    CD-ROMs, floppy drives, serial and parallel
    ports, other Plug and Play devices
  • Requires Windows NT 4.0, Windows 2000, Windows XP
    or Windows Server 2003

Utilities
36
DoDIIS FSD
  • DoDIIS Full Service Directory Interface
  • Populates the Active Directory schema with FSD
    attributes.
  • Provides a local user interface for FSD fields.

Advanced Utilities
37
AD INTEGRATION
  • JEDI Administrative Templates (ADMs) allow for
    the configuration of utilities through
    Windows Group Policy
  • JEDI automatically applies the appropriate
    standalone ".inf" files
  • Manually apply additional incremental ".inf"
    files to support additional server roles
  • Provides a custom ".inf" file to support group
    policy settings not implemented through the JEDI
    ADMs

Advanced Utilities
38
DOCUMENTATION
Version Description Document
System Security Authorization Agreement
User Manual
Interface Definition Document
Training Management Plan
Extensive Documentation: 1,162 pages of it for
J2W
Installation Configuration Guide
Trusted Facility Manual
Master Security Requirements Traceability Matrix
Software Security Test Description
Documentation
39
WEB PAGE
  • https://extranet.rl.af.mil/jedi
  • http://ife.rl.af.smil.mil/jedi
  • http://web1.rome.ic.gov/jedi
All administration, security documentation and
templates are available on-line.
40
SUMMARY
  • JEDI provides the Security and Infrastructure
    baseline to meet DIA and DoDIIS SCI Requirements
  • DEC endorsed
  • JEDI 2.0 is available NOW
  • JEDI 2.1 has integrated many of the requirements
    and services that the community asked for last
    year, available Jun 05
  • Deployment migration is rapidly moving forward
  • JEDI is providing the baseline to JDISS and DIA
  • Ensuring we are all interoperable
  • Goal: ONE infrastructure, one baseline