PC Manager Meeting - PowerPoint PPT Presentation

1
PC Manager Meeting
  • February 22, 2006

2
Today
  • Updates
  • Next Meeting
  • Windows Policy
  • EMail
  • Licensing/Training
  • Security
  • Tool Of The Month
  • DOE Microsoft Tech Day
  • This Month
  • OS/App Baselines: What's It All About? (Jack
    Schmidt)
  • LUA: More ways and tools to run as LUA (Ken
    Fidler)

3
Next Meeting
  • Mar. 22nd
  • Windows/Mac Software Licensing
  • Emily Pahlavan
  • InDiCo Agenda
  • John Bellendir/Jack Schmidt

4
Windows Policy Committee
  • Next Meeting
  • Mar 1st, 1:30-2:30pm, WH5SW
  • Agenda
  • Outstanding Account Requests
  • NTP - Does anyone really know what time it is?
  • Desktop Baseline Checklist - New Domain GPOs?

5
Email Update
  • Spam Cop (We've been busted!)
  • Greylisting - Next Generation Spam Fighting
  • Kevin Hill

6
Spam Cop
  • Spam Cop started blacklisting our email gateways
    on 2/14/06.
  • We complained. No reason was given for why we
    were blacklisted, but we were removed on 2/16/06.
  • We were added again on 2/17/06!
  • A few sites had us blacklisted for back-scatter.
  • What we are doing is RFC compliant, but that
    doesn't always help!

7
Spam Cop
  • Back-scatter
  • Backscatter occurs when an email system accepts a
    message for delivery, later determines that the
    message cannot be delivered, and sends an
    undeliverable-mail notification to the envelope
    sender. Spam forges the envelope sender, so the
    notification lands on an innocent third party,
    who then sees our gateway as the source.
  • What to do?
  • Request that fnal.gov be added to the white list
    at the remote site.
  • CD is changing the email system to prevent
    back-scatter: reject undeliverable mail during the
    SMTP session instead of accepting it and bouncing
    it afterwards (enabled 2/21).
  • CD is implementing greylisting soon!

8
Greylisting
9
What It Does
  • Requires all email from unknown servers to retry
    sending their message a short time later.
  • Virus-infected computers spewing spam (and
    viruses) won't retry (yet).
  • Many system administrators report up to 90% spam
    reduction.

10
How Messages Go
  • Remote IP: smtp42.somelab.org, Env Sender:
    John.smith@somelab.org, Env Recipient:
    helpdesk@fnal.gov
  • Combination unseen before: temporarily reject
    message.
  • Remote server retries delivery at a later time,
    at least 5 minutes later.
  • Remote IP: smtp42.somelab.org, Env Sender:
    John.smith@somelab.org, Env Recipient:
    helpdesk@fnal.gov
  • Combination in database: message accepted.
11
Who uses it
  • University of Bergen - the Norwegian University
    of Bergen is using greylisting on their mail
    server.
  • Texas A&M University - this Texas university is
    using greylisting:
    www.tamu.edu/network-services/smtp-relay/greylisting.html
  • Leibniz-Rechenzentrum - LRZ is a major German
    internet hub for academic institutions in
    southern Germany. They started using greylisting
    as a method of limiting spam a couple of months
    ago: www.lrz-muenchen.de/aktuell/ali2052/
  • APNIC (Asia Pacific Network Information Centre) -
    this organisation, one of the five major internet
    registries of the world, is also using
    greylisting:
    www.apnic.net/info/contact/greylisting.html
  • RWTH - RWTH is a large German university. They
    have a page on their greylisting (in German) here:
    www.rz.rwth-aachen.de/infodienste/email/greylisting.php

12
How It Works
  • Records a triplet consisting of remote server IP
    address, envelope sender, and envelope recipient.
  • If that triplet hasn't been seen before, enter it
    in the database and reject the message with a
    temporary (4xx) failure code, which a legitimate
    mail server treats as "try again later".
  • If the triplet was first seen more than 5 minutes
    ago, and less than the expire time for entries,
    accept the message.

13
Possible Fallout
  • Some people will see a delay getting email from
    someone new. This will be between 5 minutes and
    however long the remote server takes to retry
    delivery, generally not more than 1 hour.
  • A few sites won't retry. They are broken, but
    still need to be dealt with.

14
Solutions
  • Most greylist packages provide downloadable
    whitelists of known broken/good email servers.
  • Local whitelists are maintainable.
  • Greylisting package we are looking at has
    Automatic Whitelists.
  • We can maintain an opt-out list, for people who
    prefer to get more spam.

15
Our recommended Implementation
  • Use SQLgrey for Postfix.
  • Uses MySQL for storage of greylist triplets, auto
    whitelist tables, and opt-out lists.
  • Initial greylist retry wait time is 5 minutes.
  • Message must be resent within 24 hours or a new 5
    minute wait will be instituted.
  • After 2 successful emails from a Server/Sender
    Domain pair, that pair is added to the
    Auto-Whitelist.
  • Auto-whitelist entries expire after 60 days
    without mail from that server/sender domain.
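
The triplet logic of slides 10, 12 and 15 as runnable code. This is an added illustration, not SQLgrey's or Postfix's code: the triplet and auto-whitelist tables are dicts instead of MySQL, the clock is a number passed in by the caller, and the reply strings are assumed to follow the Postfix policy-daemon convention (a 450 temporary failure for "retry later", DUNNO for "let the remaining checks decide"). The sample traffic in `simulate()` is constructed; the IP addresses and senders are made up.

```python
"""Greylisting with an auto-whitelist, using the SQLgrey settings quoted above:
5-minute initial delay, retry within 24 hours, auto-whitelist a server/sender-
domain pair after 2 deliveries, drop the pair after 60 days without mail.
Added illustration, not SQLgrey's or Postfix's code: tables are dicts instead
of MySQL, time is a plain number supplied by the caller, and the reply strings
are assumed Postfix policy-daemon style verbs."""
from dataclasses import dataclass

GREYLIST_DELAY = 5 * 60        # a new triplet must wait this long before a retry is accepted
RETRY_WINDOW = 24 * 3600       # a pending triplet not retried within this time starts over
AWL_THRESHOLD = 2              # deliveries from (server IP, sender domain) before auto-whitelisting
AWL_EXPIRY = 60 * 24 * 3600    # auto-whitelist entry forgotten after this long without mail

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"   # assumed reply text
ACCEPT = "DUNNO"                                            # Postfix: fall through to later checks


@dataclass
class Triplet:
    first_seen: float
    last_seen: float
    passed: bool = False       # set once a retry has been accepted


class Greylister:
    def __init__(self, warn_only=False):
        self.warn_only = warn_only   # rollout phase: record triplets, reject nothing
        self.triplets = {}           # (ip, sender, recipient) -> Triplet
        self.awl = {}                # (ip, sender domain) -> [deliveries, last_seen]

    def _decide(self, ip, sender, recipient, now):
        sender, recipient = sender.lower(), recipient.lower()
        pair = (ip, sender.rsplit("@", 1)[-1])

        # 1. Auto-whitelist: a server/domain pair with enough deliveries skips the delay.
        entry = self.awl.get(pair)
        if entry and now - entry[1] > AWL_EXPIRY:
            del self.awl[pair]       # 60 idle days: the pair must earn its way back
            entry = None
        if entry and entry[0] >= AWL_THRESHOLD:
            entry[1] = now
            return ACCEPT, "auto-whitelisted"

        # 2. Triplet lookup. A pending entry never retried within 24h is stale.
        key = (ip, sender, recipient)
        rec = self.triplets.get(key)
        if rec and not rec.passed and now - rec.first_seen > RETRY_WINDOW:
            rec = None
        if rec is None:
            self.triplets[key] = Triplet(now, now)
            return TEMPFAIL, "new triplet"
        if not rec.passed and now - rec.first_seen < GREYLIST_DELAY:
            return TEMPFAIL, "retried too early"

        # 3. Proper retry, or a triplet that already passed: accept and credit the pair.
        rec.passed, rec.last_seen = True, now
        count = self.awl.get(pair, [0, now])[0]
        self.awl[pair] = [count + 1, now]
        return ACCEPT, "triplet known"

    def check(self, ip, sender, recipient, now):
        """Policy answer for one SMTP delivery attempt at time `now` (seconds)."""
        action, reason = self._decide(ip, sender, recipient, now)
        if self.warn_only and action == TEMPFAIL:
            return ACCEPT, "would greylist: " + reason   # for the mail log only
        return action, reason


def simulate():
    """Constructed traffic: a bot that never retries, a real MTA that does, and
    that MTA earning the auto-whitelist; returns the reason for each decision."""
    g = Greylister()
    attempts = [  # (time, server IP, envelope sender, envelope recipient), all made up
        (0,    "203.0.113.7", "promo@spam.example",     "helpdesk@fnal.gov"),  # bot: one shot, gone
        (0,    "192.0.2.42",  "john.smith@somelab.org", "helpdesk@fnal.gov"),  # first sight: 450
        (120,  "192.0.2.42",  "john.smith@somelab.org", "helpdesk@fnal.gov"),  # 2 min: still 450
        (600,  "192.0.2.42",  "john.smith@somelab.org", "helpdesk@fnal.gov"),  # 10 min: delivered (pair: 1)
        (4000, "192.0.2.42",  "jane.doe@somelab.org",   "helpdesk@fnal.gov"),  # new triplet, pair not yet AWL
        (4400, "192.0.2.42",  "jane.doe@somelab.org",   "helpdesk@fnal.gov"),  # delivered (pair: 2 -> AWL)
        (5000, "192.0.2.42",  "lab.news@somelab.org",   "alice@fnal.gov"),     # unseen triplet, no delay
        (5001 + AWL_EXPIRY, "192.0.2.42", "lab.news@somelab.org", "alice@fnal.gov"),  # AWL expired: 450 again
    ]
    return [g.check(*a[1:], now=a[0])[1] for a in attempts]
```

`Greylister(warn_only=True)` is the "warn only" mode of the rollout timeline: every decision is still recorded, so the triplet and auto-whitelist tables fill up, but nothing is rejected until enforcement is switched on.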

16
Rollout Timeline
  • Upgrade the Hepa machines' version of Postfix and
    install a local MySQL server. 1 day (Done)
  • Install the sqlgrey greylisting service. Configure
    Postfix to warn only (in the mail logs) to
    prebuild the databases. 15-30 days
  • Monitor logs for legitimate mail that isn't getting
    through. Ongoing
  • Turn greylisting on for real.
  • The Hepa machines currently have enough capacity to
    upgrade/install one while the other handles all
    incoming mail, so no downtime is required.

17
Licensing/Training
18
License Updates
  • VMware vs Virtual PC
  • VMware Workstation v5 License
  • Electronic Download Distribution - $189
  • Packaged Distribution - $199
  • Upgrade - $99 (Requires serial number)
  • Virtual PC
  • Year 1 - $108.87
  • Year 2 - $90.55
  • Year 3 - $72.24 ?
  • Note: We have not been able to get this to work
    with SLF!

19
License Updates
  • Added to Vista Beta!
  • Caveat
  • Not approved for FERMI Domain
  • May need its own baseline!

20
EA Training
Division/Section   Days of Training
ACC                16
BSS                 5
CD                 22
CDF                 1
D0                  0
DIR                 1
LSS                 1
ESH                 1
FESS                4
PPD                 4
TD                  5
  • Expires in Oct!
  • Consolidate single days?
  • http://computing.fnal.gov/pcmanagers/licensing/training/
  • (password required)

21
Security Updates
22
February Patches
  • MANDATORY Patches
  • Due Date: None at this time
  • RECOMMENDED Patches
  • Due Date: 3-15-2006
  • The following is a link to the February Microsoft
    list of critical and important patches:
  • http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx
  • SMS information available at
  • http://www-win2k/private/sms/patchrollup/
  • If you need the patches, you can also obtain them
    from \\pseekits\fermi-rollup

23
Cool Tool of The Month
  • Paint.NET (thanks to Don Poll!)
  • http://www.eecs.wsu.edu/paint.net/
  • FREE!!! Image and photo manipulation software
    designed to be used on computers that run Windows
    2000, XP, Vista, or Server 2003.
  • Much like Paint Shop Pro
  • Requires the .NET Framework

24
Cool Tool of The Month (cont)
25
DOE Microsoft Tech Day
  • Where: Argonne
  • When: April 11th
  • Time: ???
  • The purpose of this day is to go over (at a
    very technical level) new and upcoming products
    from Microsoft (Vista, SQL, Exchange, etc.).
  • Attendance list required (email to follow)

26
Main Topic
  • OS/Application Baselines - What's It All About?
  • Jack Schmidt

27
Whats A Baseline?
  • A baseline is a document or set of documents that
    outlines minimum security requirements for an
    application, network device or OS to be allowed
    on the FNAL Network
  • Office of Management and Budget tells DOE. They
    tell us!

28
Existing Baselines
  • OS Baselines
  • OSX Desktop
  • Scientific Linux Fermi
  • Sun Solaris 9
  • Windows 2000 / XP
  • Windows 2000 / 2003 Server

29
Existing Baselines
  • Application Baselines
  • Anti-virus (draft form)
  • Oracle
  • Postgres
  • SQL
  • Network Baseline
  • Cisco Firewall
  • Cisco Router

30
Baselines We Still Need
  • OS
  • FreeBSD
  • Generic OS
  • OSX Server
  • Application
  • Generic Web Server (covers Apache and IIS)
  • Generic Web Application
  • Samba

31
Baseline Basics
  • Baseline built on NIST and CIS Benchmark
    documents
  • Checklists.
  • Tools coming to help check systems!

32
Baseline Questions
  • Does my desktop/server meet the baseline?
  • Fermi domain systems, Fermi Windows-built systems
    and SLF-built systems do.
  • I can't meet the baseline requirements!
  • Talk with your GCSC.
  • I can't find my OS/App listed!
  • Check with your GCSC. In most cases, following
    the generic baseline will work.

33
Baseline Questions
  • Who writes them?
  • You Do!
  • Who approves them?
  • FCSC
  • What Apps need a baseline?
  • Defined by DOE
  • Do Application baselines include OS requirements?
  • No!
  • App Baseline + OS Baseline = Approved Design
  • App Baseline + NO OS Baseline = NOT an Approved
    Design

34
Main Topic
  • Least-Privileged User Account - More ways and
    tools to run as LUA.
  • Ken Fidler, CSS-CSI (WST)

35
LUA Run IE/E-mail tools Safely
  • Running with local admin privilege is dangerous!
  • Some special-case users require admin privileges.
  • How do you get the best of both worlds?

36
LUA Run Network browser/E-mail tools Safer
  • For limited protection, restrict key
    internet-facing applications to run as non-admin.
  • XP and Server 2003 add the new Software Restriction
    Policy (SAFER).
  • Allows running applications as non-admin by
    stripping privileges and the powerful group SIDs
    (such as Administrators) from the application's
    token, so a compromise of that application gets
    only a normal user's access.

37
How do you know you are running apps as non-admin?
  • look at the token associated with the process.
  • Process Explorer from Sysinternals
  • Good FREE replacement for Task Manager
  • PrivBar
  • Free tool that displays User level that IE or
    Explorer is running at

38
IE Run as Normal User
39
IE running as local admin
40
LUA - PrivBar
41
LUA - PrivBar
42
LUA DropMyRights.exe
  • Free tool from Microsoft
  • Similar to runas tool
  • dropmyrights.exe "c:\program files\internet
    explorer\iexplore.exe"
  • Can be used on all sorts of applications (e-mail
    clients like Outlook/Outlook Express, browsers
    like IE and Firefox, and Instant messaging
    clients)

43
LUA DropMyRights Install
44
LUA DropMyRights DEMO
45
LUA Dropmyrights Pros and Cons
  • Pros
  • Simple to use and setup (MSI package)
  • Cons
  • Some Web sites that spawn a new browser window
    might not start it up at the reduced privilege.
  • The user can still easily run the program at full
    privilege (by launching it directly instead of
    through DropMyRights).

46
LUA SAFER
  • New Software Restriction Policy (SAFER)
  • XP and 2003 only
  • Software restriction policies allow you to
    control the ability of software to run on your
    local computer.
  • By Default, only 2 levels exist (disallowed and
    Unrestricted). A simple change allows adding new
    levels

47
LUA SAFER Policy
  • There are in fact three other SAFER security
    levels beyond Disallow and Unrestricted
  • Normal User (also named Basic User)
  • Constrained (also named Restricted)
  • Untrusted
  • Basic user is what we want to use. The others are
    too restrictive and break many apps.

48
LUA SAFER Policy
  • Simple Registry tweak to expose the levels
  • Add a DWORD value named Levels set to 0x20000 to
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
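
The registry tweak above, with the reason the magic number is what it is. This is an added illustration, not Microsoft's code or one of the tools on the slides: the level IDs are the SAFER_LEVELID_* constants from the Windows SDK header winsafer.h, and the Levels value is a bitmask of them, so 0x20000 exposes only Basic User while 0x31000 exposes all three hidden levels. The `reg add` string returned in dry-run mode and the `winreg` write are the author's own helper code; the write only runs on Windows, from an elevated prompt.

```python
"""Compose and apply the SAFER 'Levels' registry value that exposes the hidden
Software Restriction Policy levels. Added example, not Microsoft's code; the
level IDs are the SAFER_LEVELID_* constants from winsafer.h."""
import sys

KEY_PATH = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
VALUE_NAME = "Levels"

SAFER_LEVELS = {                 # SAFER_LEVELID_* from winsafer.h
    "Disallowed":   0x00000,
    "Untrusted":    0x01000,
    "Constrained":  0x10000,     # shown in the UI as Restricted
    "Basic User":   0x20000,     # SAFER_LEVELID_NORMALUSER
    "Unrestricted": 0x40000,     # SAFER_LEVELID_FULLYTRUSTED
}
ALWAYS_SHOWN = ("Disallowed", "Unrestricted")   # visible without any tweak


def levels_mask(*names):
    """Bitmask that makes the named hidden levels appear in the SRP snap-in."""
    mask = 0
    for name in names:
        if name not in SAFER_LEVELS or name in ALWAYS_SHOWN:
            raise ValueError(f"not a hidden SAFER level: {name}")
        mask |= SAFER_LEVELS[name]
    return mask


def exposed_levels(mask):
    """Inverse of levels_mask: which hidden levels a given Levels value exposes."""
    return [name for name, bit in SAFER_LEVELS.items()
            if bit and bit & mask == bit and name not in ALWAYS_SHOWN]


def set_levels(mask, dry_run=True):
    """Write HKLM\\...\\CodeIdentifiers\\Levels as REG_DWORD and read it back.

    Off Windows, or with dry_run=True, returns the equivalent reg.exe command
    instead of touching anything (helper code, not a Microsoft API)."""
    if dry_run or sys.platform != "win32":
        return (f"reg add HKLM\\{KEY_PATH} /v {VALUE_NAME} "
                f"/t REG_DWORD /d {mask:#x} /f")
    import winreg   # Windows-only module, imported lazily on purpose
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
        written, kind = winreg.QueryValueEx(key, VALUE_NAME)
    if kind != winreg.REG_DWORD or written != mask:
        raise RuntimeError("read-back of Levels did not match")
    return f"{VALUE_NAME} = {written:#x} ({', '.join(exposed_levels(written))})"


if __name__ == "__main__":
    # Slide's recommendation: expose Basic User only, the others break too much.
    print(set_levels(levels_mask("Basic User")))
```

After the write, open the Software Restriction Policies snap-in again (or reload the GPO) and the Basic User level appears under Security Levels.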

49
LUA GPOs to run apps safely
50
LUA - GPOs
51
LUA SAFER DEMO
52
LUA SAFER (Limitations)
  • Cannot run Windows Update (known issue Microsoft
    plans to fix, and there is a way around this).
  • A user could copy the application to an alternate
    path and run it as administrator: a path rule only
    matches where the file lives, so it is bypassed by
    copying, whereas hash or certificate rules are not.

53
LUA Other Possibilities
  • Create a GPO in your OU to deploy LUA
  • Protect against known malware
  • Add the path/name of the program to the SAFER
    policy (additional rules) and set the Security
    Level to Disallow
  • Prep software on machines but keep users from
    running it until you want them to.

54
LUA - Summary
  • DropMyRights or Using SAFER based policies is no
    replacement for running as a non-admin, but still
    much better than giving the loaded gun of full
    local admin privilege to your users!

55
LUA and VISTA
  • Standard User Privileges
  • View system clock and calendar
  • Change time zone
  • Change display settings
  • Change power management settings
  • Install fonts
  • Add printers and other devices that have the
    required drivers installed
  • Download and install updates using User Account
    Control compatible installer

56
LUA and VISTA (contd)
  • Admin Approval Mode: Right Privilege at the Right
    Time
  • Allows admins to run apps as a basic user
  • Over-the-Shoulder (OTS) Credentials
  • Prompt the user when admin privileges are needed
  • File System and Registry Virtualization
  • Writes to protected locations are redirected to a
    copy in the user profile area

57
LUA More Info
  • DropMyRights and PrivBar
  • http://msdn.microsoft.com/library/en-us/dncode/html/secure11152004.asp
  • SAFER
  • http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp
  • Blog on LUA
  • http://weblogs.asp.net/aaron_margosis
  • Process Explorer
  • http://www.sysinternals.com/
  • \\PSEEKITS\DesktopTools\Utilities\LUA