WIN.MIT.EDU Container Administrator Training - PowerPoint PPT Presentation

Description: Departmental container administrators have many tools to build their workstation ... Container administrators control machines and access to their resources instead ...


Transcript and Presenter's Notes

1
WIN.MIT.EDU Container Administrator Training
  • Architecture Overview
  • Container maintenance
  • Lab
  • User features
  • Lab
  • Disconnected operation
  • RIS Remote Installation Services
  • Security and using Server 2003
  • Lab
  • Windows Vista
  • Lab

2
Architecture: Active Directory
  • Cross-Realm Trust
  • Trust of the MIT Kerberos realm by WIN.MIT.EDU allows
    single sign-on to multiple resources.
  • Delegated User Management - MIT Kerberos accounts;
    departments control resources by managing group
    membership, machines and ACLs
  • Single Domain/Forest Model
  • Model in use by many large schools, corporations
    and ISPs
  • Delegation of Containers (OUs): Islands of
    Control
  • Departmental container administrators have many
    tools to build their workstation and server
    environments. Each department builds and
    customizes its own environment.
  • Container administrators control machines and
    access to their resources instead of controlling
    the users directly
  • Group policy
  • Software distribution, security, registry, and
    other feature settings can be assigned on a
    container basis. ACLs via Moira groups. Custom
    group policy settings written by IST
  • Standard MIT DNS Services
  • win.mit.edu uses MIT's UNIX-based DNS services
    instead of Microsoft's
  • LDAP Directory populated by data from

3
WIN.MIT.EDU Architecture
  [Architecture diagram: Moira, Populator, MIT Kerberos KDCs,
  WIN.MIT.EDU DCs, Data Warehouse, MITnet DNS and DFS Storage,
  connected by arrows labelled "Query" and "Data Feed"]
4
Architecture: Moira Data Feed (Incremental)
  • The Moira incremental update is used to keep the
    WIN.MIT.EDU domain synchronized to the Moira
    database. The Moira incremental will create and
    maintain the following in Active Directory:
  • User accounts (MIT Kerberos ID principals),
    and profile options
  • Account status changes such as
    activation/deactivation
  • Lists and Groups with their memberships
  • Container Hierarchy
  • The Moira incremental is a UNIX executable image
    that resides on the Moira server and runs
    continuously. This application uses Kerberos V5
    authentication to establish an LDAP connection
    with the Windows domain to perform the updates.
    It has been completely integrated into Moira
    operations.
  • When relevant changes to users, groups and
    containers are made in Moira, the incremental is
    triggered and the change is propagated to Active
    Directory.
  • The Moira incremental distinguishes between
    lists and groups when propagating them to Active
    Directory:
  • Lists: Distribution groups
  • Groups: Security groups
  • We do not write directly to AD to create domain
    groups
  • The data may be over-written
  • Make these changes in Moira
  • Local groups can be managed directly via Windows

5
Container maintenance: Web forms for container
administrators
  • Opt into/out of various domain-wide deployments
  • https://wince.mit.edu/optoutrollout/index.jsp
  • A container administrator can opt out of certain
    deployments until ready, or opt into
    test deployments early before they are released
    domain-wide. Containers and/or individual
    machines can opt in or opt out.
  • Submit a Container Maintenance Job (Selfmaint)
  • https://wince.mit.edu/containermaint/index.jsp
  • Schedule a container reboot, defrag, or custom
    script. Selfmaint scripts can wait until a user
    is logged out in order not to disturb normal
    machine use.
  • Delete a Machine from Active Directory
  • https://wince.mit.edu/deletemachine/index.jsp
  • A convenient tool if other tools are not
    available. To reinstall a computer, its machine
    account must first be deleted from Active
    Directory, but NOT from Moira.
  • RIS or Join Computer Page
  • https://wince.mit.edu/getrisaccount/index.jsp
  • As a container administrator or a container
    membership administrator, you may use this
    service to obtain a short-term account and
    password to be used while adding machines to
    WIN.MIT.EDU (the Moira host information should
    already exist)

6
Container maintenance: Joining a machine
  • One-time considerations for new hosts and users
  • Is there a Moira record for the machine which has
    propagated to the MITnet DNS?
  • Has the machine been assigned to a container?
    (Stella)
  • Is your Kerberos password up-to-date?
  • General instructions
  • If reinstalling or rejoining, use the web form
    located on the Domain Machine Management page to
    delete the old machine account
  • Remove existing (non-WIN) MIT Kerberos software
    and reboot
  • Verify correct IP and DNS settings, join machine
    to domain and reboot.
  • If no packages are downloaded, reboot a second
    time due to the XP fast boot default.
  • Using the "tempjoin" Account
  • Regular user accounts in WIN do not have rights
    to create new machine accounts, a requirement
    when joining a machine or using RIS.
  • The web form requires MIT certificates. It
    creates a Windows account with your username,
    followed by ".tempjoin." A temporary password,
    which is valid for 48 hours, is displayed on the
    screen. This is the appropriate username and
    password to use while joining the machine to the
    domain or authenticating to the RIS server.

7
Container maintenance: Moira Tools - Stella
machine management
  • One-time Assignment of the Machine to a Container
  • In order for a machine to get group policies and
    MSI packages it requires to function properly in
    the domain, it must be assigned, in Moira, to a
    container that is within the "Machines" container
    in AD. If there is no assignment, the machine
    will appear in the "Orphans/Machines" container,
    and not get the group policy objects it needs.
  • You can use the stella command to assign the
    container, stella hostname -lcn lists the
    container if one has been assigned, the -dcn
    option removes an existing machine-to-container
    assignment, and -acn adds one. Perhaps this query
    is a good candidate for a future web application.
  • If a machine needs to be reinstalled or replaced,
    the Moira container mapping does not have to be
    deleted. Only the AD machine account needs to be
    deleted via the web form.
  • To check if a host already has been assigned to a
    container use the -lcn option
  • stella my-machine -lcn
  • Machine my-machine Container
    Machines/my-container
  • If the machine has not been assigned to a
    container, you will not get any output from the
    command.
  • To assign the machine to a container use the -acn
    option
  • stella my-machine -acn Machines/my-container
  • If the machine already has been assigned to a
    container, but you wish to move it to another
    one, you must first delete the old container
    assignment using the -dcn option, then assign it
    to the new container with -acn
  • stella my-machine -dcn Machines/my-container
  • stella my-machine -acn Machines/my-other-container
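The move procedure on this slide (query with -lcn, drop the old mapping with -dcn, add the new one with -acn, then query again), wrapped in a bash script as an added example; this is not code from the deck or from the Moira distribution. It assumes the stella client is on PATH with current Kerberos tickets and that -lcn prints one line ending in the container name, as shown above. It also refuses a target outside Machines/, because a machine mapped elsewhere lands in Orphans/Machines and gets no group policy.

```bash
#!/bin/bash
# Added example, not from the slides or the Moira distribution: move a host
# between containers with the checks described on this slide.
# Assumptions: the Moira "stella" client is on PATH and Kerberos tickets are
# current; "stella HOST -lcn" prints one line whose last field is the
# container (as on the slide), or nothing when the host is unmapped.
STELLA="${STELLA:-stella}"   # override for a dry run or a test stub

# Print the container a host is currently mapped to (empty if none).
current_container() {
    "$STELLA" "$1" -lcn | awk 'NF { print $NF }'
}

# move_container HOST Machines/target-container
# Exit 0 on success, 1 if a stella call fails, 2 on a bad target.
move_container() {
    local host="$1" target="$2" cur
    case "$target" in
        Machines/*) ;;
        *) echo "refusing: $target is not under Machines/" >&2; return 2 ;;
    esac
    cur=$(current_container "$host")
    if [ "$cur" = "$target" ]; then
        echo "$host is already in $target"
        return 0
    fi
    # A host holds only one mapping, so the old one goes first (-dcn).
    if [ -n "$cur" ]; then
        "$STELLA" "$host" -dcn "$cur" || return 1
    fi
    "$STELLA" "$host" -acn "$target" || return 1
    # Re-query rather than trusting the exit status alone.
    [ "$(current_container "$host")" = "$target" ]
}

# Usage: ./move-container.sh my-machine Machines/my-other-container
if [ "$#" -eq 2 ]; then
    move_container "$1" "$2"
fi
```

The final re-query is the part worth keeping even if the rest is typed by hand: the Moira mapping is what decides which GPOs the machine receives, so confirm it after the change instead of assuming the -acn succeeded.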

8
Container maintenance: Moira Tools - Mitch
container management
  • You can use mitch to get container info
  • Basic info: mitch machines/my-container
  • List sub-containers: mitch machines/my-container
    -ls
  • List machines in the container: mitch
    machines/my-container -lm
  • Use the recursive switch -r to get subcontainer
    info
  • You can use mitch to set container properties
  • Memacl (who can add a machine to the container):
    -MA
  • Set the description: mitch Machines/my-container
    -d "My Container"
  • Modify the contact: mitch Machines/my-container
    -c my-list
  • You can also use mitch to map and un-map machines
    from your container
  • Add a machine: mitch Machines/my-container -am
    my-machine
  • Remove a machine: mitch Machines/my-container
    -dm my-machine
  • Do not use the rename function
  • This function does not work properly if there are
    subcontainers involved
  • GPO object names do not get changed along with
    the container
  • If you need to do a rename, send mail to the
    network team with your request

9
Container maintenance: Moira Tools - Blanche
group management
  • You can use blanche to add and remove members
    from groups
  • blanche groupname -a user (add)
  • blanche groupname -d user (remove)
  • Add / remove users based on a file
  • blanche groupname -al filename (add)
  • blanche groupname -dl filename (remove)
  • Modify the description, owner and memacl
    information
  • -D "My Description", -O owner, -MA memacl
  • Always make sure the -G group option is used for
    Security groups in Active Directory (referred to
    as an AFS group on the list creation request form).
  • Use the recursive switch -r to expand
    nested group memberships
  • You can use qgrep on your win.mit.edu machine to
    search a list for a member
  • blanche my-very-big-list -r | qgrep myusername
  • A web form is also available for group creation
    and management (requires MIT certificates)
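The membership search on this slide, written as an added example (not from the deck or from Moira): the blanche -r | qgrep pipeline is kept for comparison next to a whole-line match. The difference matters when a Moira group backs an ACL, since a substring search for myusername also matches myusername2. It assumes blanche is on PATH with current tickets and prints members one per line, either bare or as USER:name; the USER: prefix is an assumption.

```bash
#!/bin/bash
# Added example, not from the slides or Moira: answer "is this user in this
# list, nested lists included?" the way the slide does (blanche -r), but
# with an exact match instead of a substring search.
# Assumptions: the "blanche" client is on PATH with current Kerberos tickets,
# and members come out one per line, users either bare or as "USER:name".
BLANCHE="${BLANCHE:-blanche}"   # override for a test stub

# All members of LIST with nested lists expanded, one per line.
list_members() {
    "$BLANCHE" "$1" -r
}

# The slide's pipeline, kept for comparison: a plain substring grep also
# matches "alice2" or "malice" when asked about "alice".
naive_is_member() {
    list_members "$1" | grep -q -- "$2"
}

# Exact, whole-line match (-x) on a fixed string (-F), after stripping the
# optional USER: prefix; this is the check to rely on before granting
# anything on the strength of a group membership.
is_member() {
    list_members "$1" | sed 's/^USER://' | grep -qxF -- "$2"
}

# Usage: is_member my-very-big-list myusername && echo member
```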

10
Container maintenance: Lab
  • Lab 1 Using Moira tools and joining a machine

11
Container maintenance: Group Policy Objects
  • GPOs are created and stored in SYSVOL
  • SYSVOL is a DFS share replicated to each domain
    controller
  • SYSVOL is a file system; a new directory is
    created for each GPO, not for each container
  • A GPO may be linked to multiple containers
  • AD ACLs may be used to control who can read a
    GPO or which users or machines it can be applied
    to
  • GPO inheritance favors the lower-level GPO unless
    the override bit is set (called Enforced in GPMC)
  • GPOs are created when a container is requested.
  • The default configuration is one parent container
    with server and workstation subcontainers
  • Individual GPOs are created for each of these
    containers
  • Additional subcontainers and GPOs may be
    requested
  • Additional GPO links may be requested

12
Container maintenance: Group Policy Management
Tools
  • Group Policy Management Console (gpmc.msc)
  • Preferred GP management tool. An add-on MSI for
    XP, installed by default on Vista
  • View GPO settings and permissions
  • Can launch the Group Policy Editor
  • Resultant Set of Policy (rsop.msc)
  • Diagnostic tool to view how GP inheritance is
    working
  • AD Users and Computers (dsa.msc)
  • Views and info of containers and machines
  • Group Policy Editor (gpedit.msc)
  • Launched by gpmc or dsa; edit settings
  • gpupdate - command line utility
  • Refresh group policy
  • GPFind - win.mit.edu command line script
  • Search by GPO name and launch the Group Policy Editor

13
Container maintenance: Group Policy .adm and
.admx files
  • The SYSVOL share contains ASCII files with the
    .adm extension that define administrative
    template group policy settings.
  • Within win.mit.edu, updated template versions are
    propagated across SYSVOL to ensure consistency
    across containers.
  • New versions are released by Microsoft with every
    new service pack
  • IST has written custom .adm templates to augment
    group policy options
  • Windows Vista and above employs an XML file
    format using the .admx extension. Existing .adm
    settings still apply to Vista machines where
    applied
  • Settings particular to the .admx file format need
    to be managed from a machine running Windows
    Vista or above
  • Some new .admx settings have the ability to apply
    only to Vista and not XP if the administrator
    chooses. They employ .ini files on the GPOs
    directory in SYSVOL to track desired behavior
  • New SYSVOL storage options are available to
    optimize storage utilization. All .admx files can
    be stored centrally instead of being replicated
    in each GPO directory

14
Container maintenance: Group Policy Settings -
Software
  • The Software section is where MSI based
    applications are assigned to a container.
  • The assigned MSI should be referenced via a UNC
    path
  • Transforms and ACLs may be assigned to an MSI
    via the Modifications tab on the MSI properties
  • Software policy processing occurs only at boot
    time
  • Packages may be assigned to upgrade existing
    packages
  • Do not use your GPO to upgrade a package
    currently opted in using the web form since the
    Software Distribution GPO uses the no override
    option. If you need to do this, remove the opt-in
    via the webform.
  • Packages assigned domain wide
  • ActivePerl
  • MIT Hesiod client
  • Print queue resolution
  • MIT Kerberos for Windows 2.6.5
  • MIT LogonBefore Provider
  • Was for disconnected operations; being phased
    out

15
Container maintenance: Group Policy Settings -
Security
  • Recommended uses of the security section
  • Startup scripts
  • User Rights Assignments
  • This will be covered in more detail in the server
    2003 section
  • Restricted groups
  • You may use addmin as a non-exclusive alternative
    to this setting
  • System Services
  • IPSec (this must be sent to the network team as a
    request)

16
Container maintenance: Group Policy
Administrative Template Settings
  • Windows Components section highlights
  • NetMeeting
  • RSS Feeds
  • Task Scheduler
  • Windows Messenger
  • Windows Media Digital Rights Management
  • Windows Movie Maker
  • Windows Update - patching
  • Windows Media Player
  • System Section highlights
  • User Profiles
  • Scripts
  • Logon
  • Disk Quotas
  • Group Policy
  • Network Section highlights
  • DNS Client
  • Offline Files
  • Network Connections

17
Container maintenance: Group Policy -
win.mit.edu Printer settings
  • Microsoft did not have a machine-based group
    policy option to assign printers prior to Server
    2003 R2/Windows Vista.
  • When Windows 2000 was released, IST developed
    custom printer extensions for win.mit.edu. When
    Windows XP is closer to being phased out, we plan
    to phase out these custom settings. The new
    Microsoft settings are available today for Vista
    users
  • Two types of printers may be assigned using the
    win.mit.edu extensions
  • KLPR Printers: Queues that require Kerberos
    authentication
  • Use the MIT Hesiod client installed on the
    machine for queue resolution
  • Currently the KLP MSI is deployed by default
  • There is an opt-in for the newer LPNG MSI
  • There is a specific list of supported drivers
  • Additional drivers can be added but in some cases
    are not compatible with the UNIX print queue
  • An opt-out of all Kerberized printer clients is
    available
  • Network Printers: Standard Microsoft network
    printers assigned per machine
  • Uses a standard UNC path name
  • Both options have the ability to assign a default
    printer to the machine
  • IST is phasing out Kerberized printing; the KLPR
    packages are no longer being maintained. The KLPR
    packages do not support Windows Vista.

18
Container maintenance: Group Policy - Custom
registry keys
  • IST developed a utility called regpoledit to
    edit the binary .pol file allowing us to manually
    insert custom registry keys without having to
    extend the .adm templates.
  • Sets of custom registry keys are applied to
    win.mit.edu machines for the following
    applications
  • Cross-realm MIT Kerberos logon
  • Internet Explorer
  • Windows Explorer
  • Eventsyslogger
  • These keys can be viewed in the Administrative
    Template/Extra Registry Keys section of the RSoP
    utility
  • If container administrators require custom keys
    the network team can be contacted for assistance

19
Container maintenance: Scripts - mirror-distrib
  • At first startup, machines in win.mit.edu apply
    group policy and install assigned MSI
    applications, which restart the computer after
    installation. Once this is done, WSH and Perl
    scripts assigned via group policy begin running.
  • When a machine is booted up it looks locally for
    a script that synchronizes the local script and
    utility cache. If the script does not exist
    locally it will run off a network path. Startup
    and logon scripts also run from a local copy
    as first preference but can run from the network
    copy as a fallback.
  • The script that initially creates, then later
    synchronizes the local script and utility cache
    with DFS is a Perl script called mirror-distrib.
  • The local cache is in
    %ProgramFiles%\MIT\mirror\distrib. After the
    initial first-time bootstrapping, when the cache
    is created, this script continues to run both at
    startup and daily as a Selfmaint job to propagate
    any updates to these scripts to client machines.
  • To troubleshoot the bootstrap process, first
    check that the machine is in its proper
    container. If it is, run gpupdate /force and
    reboot, then check if the default MSI
    installations went successfully. If the Perl MSI
    fails to install, mirror-distrib and other
    scripts cannot run.

20
Container maintenance: Scripts - Main Startup
Script Operations
  • Script operations are logged to the system
    Application log
  • Group policy tells the machine to check locally
    for the script, then run it from DFS if it is not
    found locally
  • Example: for myscript.pl the GPO is set to run
    cmd.exe with these parameters
  • /c if exist "%ProgramFiles%\mit\mirror\distrib\myscript.pl"
    ("%ProgramFiles%\mit\mirror\distrib\myscript.pl")
    else (\\win.mit.edu\dfs\ops\distrib\myscript.pl)
  • Startup Scripts
  • Mirror-distrib (.pl)
  • Checks for local script cache and creates it if
    necessary, otherwise syncs the contents with DFS
  • Adds the local cache directory to the system path
    if it's not already there
  • Startup (.wsf)
  • Sets a machine environment variable with the
    domain name
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Checks if the machine is in the proper container
  • Win.mit.edu remote event-log settings are
    enforced
  • Win.mit.edu root password settings are enforced
  • Win.mit.edu printer settings are enabled
  • Fix system path script is run
  • Local Administrator is denied access to the
    machine over the network
  • Tempjoin accounts are denied interactive logon
  • If not already set earlier by the populator
    service, the service principal name is set in AD

21
Container maintenance: Selfmaint
  • The Selfmaint package is an MIT-developed MSI
    that is installed on all domain machines.
  • Selfmaint is a container-based scheduling service
    that is provided in addition to the Windows
    Task Scheduler service, and runs under the SYSTEM
    account. Its main features are:
  • Schedule one job for an entire container and
    subcontainers or individual machines.
  • Can reboot, defrag disks, or run custom scripts
  • Scripts reside on the network and will continue
    to run if the OS is reinstalled or a new computer
    is added to the container
  • A script can either wait until no user is logged
    in to run, or run unconditionally.
  • A web request form exists to have a job set up for
    your container. You may choose common tasks or
    provide your custom scripts. The available
    scheduling options are built into the form. We
    recommend using Perl or VB if you are submitting
    a custom script.
  • Microsoft hotfixes not supported by WSUS can be
    installed.
  • Certain scripts run domain-wide, such as
    mirror-distrib.
  • Scripts reside on DFS; the Selfmaint service
    checks for new jobs and maintains a logfile with
    the most recent time a particular script ran in
    %ProgramFiles%\MIT\Shared Files\selfmaint.log.
  • At bootup (or service start) the logfile is
    checked for any scripts that are overdue to run,
    and Selfmaint runs them immediately
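The overdue check the last two bullets describe, as an added example that is not MIT's Selfmaint code: a schedule of job intervals and a last-run log are compared against the current time, and jobs that never ran or whose interval has elapsed are listed. The two file formats and the sample data are constructed for this example; the real selfmaint.log layout is not shown on the slide.

```bash
#!/bin/bash
# Added example, not MIT's Selfmaint code: find jobs that are overdue given
# a schedule and a last-run log. Both formats below are constructed for this
# example; the slide does not show the real selfmaint.log layout.
#   schedule: "<job> <interval_seconds>"   one job per line
#   log:      "<job> <last_run_epoch>"     one job per line; a job missing
#             from the log has never run and is therefore overdue

# overdue_jobs SCHEDULE_FILE LOG_FILE NOW_EPOCH -> overdue job names, sorted
overdue_jobs() {
    # An empty schedule means nothing can be overdue (and would otherwise
    # make awk read the log as if it were the schedule).
    [ -s "$1" ] || return 0
    awk -v now="$3" '
        FNR == NR { interval[$1] = $2; next }      # first file: schedule
        $1 in interval { last[$1] = $2 }           # second file: log
        END {
            for (job in interval)
                if (!(job in last) || now - last[job] >= interval[job])
                    print job
        }' "$1" "$2" | sort
}

# Self-contained demo on constructed data: daily mirror-distrib, weekly
# defrag, monthly reboot; the reboot job has no log entry at all.
demo_overdue() {
    local sched log result
    sched=$(mktemp) && log=$(mktemp) || return 1
    printf 'mirror-distrib 86400\ndefrag 604800\nreboot 2592000\n' > "$sched"
    printf 'mirror-distrib 1000000\ndefrag 900000\n' > "$log"
    # "now" is 90000 s after mirror-distrib last ran (over a day) and
    # 190000 s after defrag (under a week)
    result=$(overdue_jobs "$sched" "$log" 1090000)
    rm -f "$sched" "$log"
    printf '%s\n' "$result"
}

# Prints mirror-distrib and reboot, one per line
demo_overdue
```

Treating a job that is absent from the log as overdue is the conservative choice: a freshly reinstalled machine, whose log is empty, then runs every container job on its first boot, which matches the slide's point that scripts keep running after an OS reinstall.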

22
Container maintenance: Eventsyslogger and OS
Groups
  • The Eventsyslogger package is an MIT-developed
    MSI that is installed on all domain machines.
  • Eventsyslogger is a Windows syslog client that
    runs as a service under the SYSTEM account.
  • Event logs are sent to a central syslog server;
    three default filters are set up by the installer
    and their settings are enforced by group policy.
  • Additional filters may be added, and logs from
    those filters can be sent to the syslog server of
    your choice.
  • The application can be administered via a control
    panel
  • Description of the OS Groups Service: A service
    named "OS Groups" runs as part of the Populator
    services. It automatically populates the
    following groups in Active Directory
  • Win2KPro.group: Machines running Windows 2000
    Professional
  • Win2KSrv.group: Machines running Windows 2000
    Server
  • Win2K.group: Machines running Windows 2000
    Professional or Server
  • WinXPPro.group: Machines running Windows XP
    Professional
  • WinSrv2003.group: Machines running Windows
    Server 2003 (note: this OS is supported, yet
    still under test in the domain)
  • WinVista.group: Machines running Windows Vista
  • WinOther.group: Machines running another OS or
    an unknown OS
  • Note: These are not Moira groups. They exist only
    in Active Directory
  • When a new machine enters the domain or an
    existing machine upgrades its OS, it is
    automatically added to the proper group. These
    groups can therefore be placed on access control
    lists in Active Directory. This is especially
    useful for GPO application and MSI software
    installation, and it eliminates the need for
    separate containers for XP Professional, 2000
    Professional, and 2000 Server machines

23
Container maintenance: Lab
  • Lab 2 Using Group Policy Management tools

24
User features: Logon
  • Single Sign-on
  • User accounts via the Moira incremental
  • A corresponding user is created in Active
    Directory and automatically mapped to the MIT
    Kerberos principal
  • Profile and home directory options are written to
    the user's account data along with office
    location, phone and email
  • A random 127-character password is generated and
    stored in the user properties in Active Directory,
    so the password does not need to be propagated.
    Cross-realm authentication will verify the user's
    password directly against the MIT Kerberos KDCs.
  • A Windows service exists to refresh random
    passwords every 30 days
  • Web form to set the user's Windows password to a
    known value for use with special applications
    where required

25
User features: Web forms for users
  • Change Your Active Directory Password.
  • https://wince.mit.edu/changepasswd/index.jsp
  • For users under certain circumstances, it might
    be necessary to set your native WIN domain
    password.
  • Change Profile and Home directory options.
  • https://wince.mit.edu/changeprofile/index.jsp
  • A user can change their default DFS roaming
    profile and home directory locations to a local
    profile and home directory or to a path on a
    departmental server

26
User features: Profiles and Home directories
  • Default is a roaming profile in DFS
  • Configurable via web form
  • .winprofile is created in the user's DFS homedir
  • Copied to local drive at logon
  • NTFS user quotas
  • H: is mapped to the user's DFS home directory
  • Currently 2 GB user quota by default
  • Previous Versions support. This is a self-service
    feature where users can retrieve old versions of
    files and folders up to 64 days back
  • Accessed over network as needed
  • Used for folder redirection of Windows homedir

27
User features: Folder Redirection (Windows XP)
  • By default, all users and machines use both
    roaming profiles and folder redirection.
  • Computers download the default user profile from
    a DFS share.
  • For the Windows XP environment, WIN.MIT.EDU
    redirects the following folders
  • Application Data: H:\WinData\Application Data
  • My Documents: %HOMESHARE%\WinData\My Documents
  • My Pictures: %HOMESHARE%\WinData\My Documents\My
    Pictures
  • Favorites: %HOMESHARE%\WinData\Favorites
  • %HOMESHARE% is the location of the user's home
    directory as specified by the user account
    properties in Active Directory. These properties
    are managed by Moira and can be modified via the
    change profile options web form.
  • Machines opted into the disconnected operations
    laptop policy have H: mapped to the local user
    profile in C:\Documents and Settings instead of
    the user's DFS home directory. These machines do
    not use roaming profiles.
  • Users who used the change profile options web form
    to set their account to local profiles and no
    folder redirection see similar behavior to those
    who use machines covered under the laptop policy.

28
User features: Previous Versions
  • Uses VSS (Windows Server 2003 Shadow Copy
    services) for user home directories
  • Point-in-time copies of files. View, copy or
    restore files and folders as they existed at
    points of time in the past.
  • Recover files that were accidentally deleted or
    overwritten.
  • Compare versions of a file while working.
  • Self-service file restore capability for the end
    user.
  • Snapshots are made every day at 4 AM. Versions of
    up to 64 days back are available.
  • Shadow copies are read-only. You cannot edit the
    contents of a shadow copy.

29
User features: Scripts - Main Logon Script
Operations
  • Group policy tells the machine to check locally
    for the script, then run it from DFS if it is not
    found locally. These checks are similar to the
    startup scripts.
  • Logon Scripts
  • Logonbefore (.wsf) (only runs if the AFS client
    is installed and running)
  • Is launched by the AFS service before
    explorer.exe
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Map drive Z: to \\afs\all
  • If specified in win.mit.edu AFS Settings, map the
    selected drive letter to the user's AFS home
    directory. Drive I: is commonly used.
  • Logonafter (.wsf)
  • Is launched by the operating system after
    explorer.exe
  • Checks if the machine is connected to MITnet and
    runs the following operations
  • Checks if Windows XP home directory mapping
    should be turned off for disconnected operations
    (not needed for Vista)
  • Enforces win.mit.edu default machine printer
    settings if they are set
  • On XP, maps drive H: to the local profile if not
    mapped to any network-based home directory. This
    is for disconnected operations or the local
    profile option in the user profile options web
    form (XP only, not run for Vista).
  • Runs Desktop-Sync (this will be covered in the
    Vista section)
  • Imports user Kerberos tickets from the MS LSA
    cache to the MIT Kerberos cache

30
Disconnected operation: Laptop support
  • Requires opt-in of the machine or container via a
    web form
  • Domain-wide scripts have internal checks for
    network-based operations: they test for RPC
    availability to win.mit.edu over port 445, and if
    there is no connectivity the operation is
    skipped.
  • If a machine boots with no network connectivity,
    the user logs on using their domain account with
    cached credentials.
  • People using laptops that are frequently used
    remotely over a broadband connection should
    install the MIT VPN client. If you boot your
    laptop while connected to a home network with
    broadband, you should set the VPN client to allow
    VPN logon before Windows logon.
  • Note about Intel PROSet Wireless management
    software: This software is currently packaged
    with many laptops, including those from Dell. We
    recommend that you uninstall this portion of the
    software via the Add/Remove Programs control
    panel for use with disconnected operations within
    win.mit.edu. While it is possible to set this
    software to use the Microsoft client to manage
    wireless connections, this setting won't be
    preserved across system reboots.
  • To log on/off without the VPN we currently
    recommend that the laptop not be connected to the
    home network until after the Windows logon, so the
    operating system understands it is doing a
    disconnected logon. This can be done by
    temporarily sliding out the wireless LAN card,
    disconnecting a network cable, or using a
    function key to disable integrated wireless (F2
    on most Dell laptops). This has nothing to do
    with scripts; Windows merely detects network
    connectivity and attempts to authenticate with a
    domain controller.
  • Windows Vista users should log on as
    username@ATHENA.MIT.EDU when doing a cached
    logon. There is an open bug with Microsoft to fix
    this issue; we will be deploying a hotfix when
    it is available.
  • When using disconnected operations with Vista,
    drive H: will not be mapped to the local profile
    as in XP. If the machine is connected to MITnet
    at logon, the drive will be mapped to the network
    home directory specified in AD.

31
RIS: Remote Installation Services
  • Requirements
  • PXE support enabled for the subnet and in the
    computer BIOS
  • A Moira record should exist for the machine and
    already be mapped to a container
  • If reinstalling, the previous computer object in
    Active Directory must be removed
  • Tempjoin credentials are used for the
    installation
  • Execution
  • Boot with the Network Boot option (using F12)
  • Access to Windows XP images by default; there is
    an ACL for Server 2003 images
  • Machines automatically join the domain
  • RIS Info
  • RIS will format and install the OS on the first
    physical disk
  • Images exist for particular Dell and IBM models
  • If a new model is commonly used, a new image can
    be requested
  • Generic images exist as well that can be used
    for Virtual Machines
  • WDS (Windows Deployment Services) will soon
    replace RIS. WDS will support Vista and Server
    2008

32
User features: Lab
  • Lab 3 Using Previous Versions on the Home
    directory

33
Server 2003 Security RecommendationsCommon
Security policies to implement for server
  • Logon restrictions (Computer Configuration/Windows
    Settings/Security Settings/User Rights
    Assignment)
    • Allow logon through Terminal Services
      • Generally restricted to the local
        Administrators group
    • (Allow) Logon Locally
      • Generally restricted to the local
        Administrators group, but sometimes a service
        account may require this right, depending on
        the application
    • Deny Logon through Terminal Services
      • It is recommended to deny the local
        Administrator account logon over Terminal
        Services. This way, the local Administrator
        account can only be used when physically in
        front of the machine. We already deny this
        account access to the machine over the
        network; this setting is a logical extension
        of the same precaution.
  • Do not use groups or known security principals
    without understanding their scope
    • Authenticated Users includes both local and
      domain users, but not anonymous
    • Local Users, which by default includes the
      Domain Users group
  • Always implement the Windows Firewall and only
    open necessary ports to relevant subnets
  • If possible, implement Microsoft IPSec
  • Resource Management and Administration
    • Use NTFS ACLs, not Share permissions, for more
      granular security
    • Use one or two top-level shares and set NTFS
      ACLs on the sub-folders instead of creating
      many shares
    • Avoid disabling inheritance, as it tends to
      yield unexpected results if not well documented
    • Avoid granting Full Control (which allows users
      to change permissions) over resources; use the
      Modify right
    • Use local groups containing Moira groups, or at
      least Moira groups, on NTFS ACLs
    • Do not assign NTFS permissions or rights to
      users directly; use group membership
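An added example (not part of the original slides) that audits the NTFS practices above on a top-level share: it flags folders with inheritance disabled, ACEs granted to a user rather than a group, and Full Control granted to anything other than the well-known administrative principals. The share path is a placeholder, and the user/group lookup assumes the WinNT ADSI provider can reach the account's domain.

```powershell
# Added example (not part of the original slides): audit NTFS ACLs under a
# top-level share. The share path is a placeholder.
$ShareRoot = 'D:\Shares\Dept'

function Get-PrincipalClass {
    # Classify an ACE identity as 'User', 'Group' or 'WellKnown' via the WinNT
    # ADSI provider (assumption: the account's domain is reachable for lookups).
    param([string]$Identity)
    $parts = $Identity -split '\\', 2
    if ($parts.Count -lt 2 -or (@('NT AUTHORITY','BUILTIN','CREATOR OWNER') -contains $parts[0])) {
        return 'WellKnown'
    }
    try   { return ([ADSI]"WinNT://$($parts[0])/$($parts[1])").SchemaClassName }
    catch { return 'Unknown' }
}

function Test-NtfsAclHygiene {
    # Returns one finding per folder or explicit ACE that breaks the recommendations:
    # inheritance disabled, a user (not a group) granted directly, or Full Control
    # granted to anything other than the well-known administrative principals.
    param([string]$Path)
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $findings = @()
    $folders  = @(Get-Item -LiteralPath $Path) +
                @(Get-ChildItem -LiteralPath $Path -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        if ($acl.AreAccessRulesProtected) {
            $findings += "$($folder.FullName): inheritance disabled (document or re-enable)"
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }      # each explicit ACE is reported where it is set
            $id    = $ace.IdentityReference.Value
            $class = Get-PrincipalClass $id
            if ($class -eq 'User') {
                $findings += "$($folder.FullName): $id granted directly (use a group)"
            }
            if ((($ace.FileSystemRights -band $full) -eq $full) -and ($class -ne 'WellKnown')) {
                $findings += "$($folder.FullName): Full Control for $id (prefer Modify)"
            }
        }
    }
    return $findings
}

Test-NtfsAclHygiene -Path $ShareRoot
```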

34
Server 2003 Security Recommendations: Least
Privilege Access / Minimize Attack Surface
  • Least Privilege Access (Authorization)
    • Security principle
      • Assign only the necessary permissions to
        application service accounts; refrain from
        granting Administrator privileges if possible
      • Limit the rights granted to an account; use
        multiple accounts for different services
    • Limit how application service accounts can be
      used:
      • deny logon interactively
      • deny logon through Terminal Services
      • only allow logon to specific computers
  • Minimize Attack Surface
    • Ensure machines are up-to-date on patches (using
      WSUS)
    • Disable all unnecessary services (using group
      policies)
    • Only open necessary ports to appropriate
      networks (using a combination of IPSec and the
      Windows Firewall), or use a hardware firewall
      if necessary
    • Use encryption, such as SSL for HTTP on web
      servers or IPSec for other applications

35
Server 2003 Security Recommendations: Windows
Firewall
  • Supports
    • Available on Windows XP SP2, Server 2003 SP1 and
      higher
    • Can be configured to block incoming connections
    • Allows exceptions based on ports (UDP/TCP) and
      applications
    • Can apply to all or some network connections
    • Scopes to limit exceptions to specified hosts or
      subnets
  • Limitations
    • Cannot create an exception for a range of ports
      (but a host/subnet scope can be defined)
    • Only blocks incoming, not outgoing, traffic
      (outgoing traffic blocking is available in
      Windows Vista/Server 2008)
  • Domain defaults
    • For Windows XP we use the Microsoft default: the
      firewall is on
    • Server 2003 uses the old domain default, where
      it is off. The firewall can be enabled by
      setting Computer Settings/Administrative
      Templates/Network/Network Connections/"Prohibit
      use of Internet Connection Firewall on your DNS
      domain network" to Disabled. Then the firewall
      can be configured locally or via group policy.
    • Microsoft's default for Server 2003 is to have
      the firewall off, so even after making the
      setting above, the firewall will need to be
      turned on locally or via group policy
    • Vista's default firewall settings depend on the
      location chosen when the network was first set
      up (Home, Work or Public). Due to the nature of
      the MIT network, Public is the recommended
      selection.
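An added example (not part of the original slides) of the local configuration step above on Server 2003 SP1 / XP SP2: it turns the legacy firewall on for the domain profile and works around the missing port-range exceptions by adding one scoped exception per port. It assumes the `netsh firewall` context of those releases; the subnet is a placeholder.

```powershell
# Added example (not part of the original slides). Assumptions: Windows XP SP2 /
# Server 2003 SP1 "netsh firewall" context; the subnet below is a placeholder.
$TrustedSubnet = '192.0.2.0/24'   # placeholder: replace with the relevant subnet

function Enable-LegacyFirewall {
    # Turn the firewall on for the domain profile once the GPO setting described
    # above no longer prohibits it. Exceptions stay enabled so scoped rules apply.
    & netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to enable the firewall" }
}

function Add-ScopedPortRange {
    # The legacy firewall has no port-range exceptions, so add one exception per
    # port and restrict each to the given host/subnet scope.
    param(
        [ValidateSet('TCP','UDP')][string]$Protocol,
        [int]$FirstPort,
        [int]$LastPort,
        [string]$Scope,   # e.g. 192.0.2.0/24 or a single host address
        [string]$Name     # label prefix shown by "netsh firewall show portopening"
    )
    if ($FirstPort -gt $LastPort -or $FirstPort -lt 1 -or $LastPort -gt 65535) {
        throw "invalid port range $FirstPort-$LastPort"
    }
    foreach ($port in $FirstPort..$LastPort) {
        & netsh firewall add portopening "protocol=$Protocol" "port=$port" `
            "name=$Name-$port" mode=ENABLE scope=CUSTOM "addresses=$Scope" profile=DOMAIN
        if ($LASTEXITCODE -ne 0) { Write-Warning "exception for $Protocol/$port was not added" }
    }
}

Enable-LegacyFirewall
# Constructed example: an application listening on 5000-5004 that should only be
# reachable from the trusted subnet.
Add-ScopedPortRange -Protocol TCP -FirstPort 5000 -LastPort 5004 -Scope $TrustedSubnet -Name 'App'
& netsh firewall show portopening   # verify: each port is listed with its custom scope
```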

36
Server 2003 Security Recommendations: IPSec
Features
  • Microsoft IPSec has been a built-in component
    since the release of Windows 2000. It can be used
    to create an encrypted channel between two
    machines, or it can be leveraged to implement
    simple IP-based block/allow policies
  • Encrypted channels can be established either by
    Kerberos V5 authentication or via a shared key.
    3DES keys are used by default when doing Kerberos
    authentication.
  • Policies can be configured either to try to
    establish a secure channel but fall back if it is
    not supported, or to enforce secure-channel
    communications only
  • The most common use of IPSec is the IP-based
    block/allow rules
  • Rules can be host- or subnet-based, and include
    all traffic or only specific ports or protocols
  • An IPSec implementation consists of Policies that
    contain Rules, which are based on Filters and
    Actions
  • IPSec Policies can be created and assigned
    locally, imported from and exported to a file, or
    assigned through group policy
  • Assigning an IPSec policy via group policy must
    be done via a request to the network team

37
Server 2003 and Security Recommendations: IPSec
filters and policies
  • IPSec can be managed locally on a computer using
    the IP Security Policy Management MMC snap-in
  • Multiple policies and filters may be stored on a
    machine, but only one policy at a time may be
    assigned
  • Leaving the Default Response filter enabled opens
    port 88 for Kerberos. If not using Kerberos to
    authenticate an encrypted channel, this filter
    may be disabled
  • A filter may have only one filter action
    assigned, but it may have multiple items in its
    filter list to control multiple host, subnet and
    protocol connections
  • As a best practice, filter items which require
    the same filter action should be grouped into one
    filter when possible
  • Group policy assignments override local IPSec
    policy assignments
  • Avoid reusing filters in multiple policies, since
    the local machine stores these filters: if an
    existing filter is reused to create a policy, the
    change overwrites that filter in the other policy
    as well
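An added example (not part of the original slides) of the local block/allow pattern from the two IPSec slides, built with the Server 2003 `netsh ipsec static` context instead of the MMC snap-in: one policy with a block rule for a service port from any address and a permit rule for the same port from a trusted subnet, with filter lists and actions named after the policy so they are never shared with another policy and the Default Response rule left disabled. Policy name, subnet and port are placeholders.

```powershell
# Added example (not part of the original slides). Assumptions: Server 2003
# "netsh ipsec static" context; policy name, trusted subnet and port are placeholders.
$PolicyName    = 'Restrict-SQL'
$TrustedSubnet = '192.0.2.0'          # placeholder subnet
$TrustedMask   = '255.255.255.0'
$ServicePort   = 1433                 # placeholder: the service being restricted

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command given as a token list; fail loudly.
    param([string[]]$Tokens)
    & netsh ipsec static $Tokens | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $Tokens failed" }
}

function New-BlockAllowPolicy {
    # Block/allow pattern: one policy, two rules. IPSec applies the most specific
    # matching filter, so the subnet permit wins over the any-address block.
    # Filter lists and actions are named after the policy so that they are not
    # shared with (and silently rewritten in) another policy.
    param([string]$Name, [string]$Subnet, [string]$Mask, [int]$Port)
    # activatedefaultrule=no: no Kerberos-authenticated channel is used here, so
    # the Default Response rule (which opens port 88) stays disabled.
    Invoke-IpsecStatic 'add','policy',"name=$Name","description=Block-TCP-$Port-except-trusted",'activatedefaultrule=no','assign=no'
    Invoke-IpsecStatic 'add','filterlist',"name=$Name-FromAny"
    Invoke-IpsecStatic 'add','filter',"filterlist=$Name-FromAny",'srcaddr=any','dstaddr=me','protocol=TCP','srcport=0',"dstport=$Port",'mirrored=yes'
    Invoke-IpsecStatic 'add','filterlist',"name=$Name-FromTrusted"
    Invoke-IpsecStatic 'add','filter',"filterlist=$Name-FromTrusted","srcaddr=$Subnet","srcmask=$Mask",'dstaddr=me','protocol=TCP','srcport=0',"dstport=$Port",'mirrored=yes'
    Invoke-IpsecStatic 'add','filteraction',"name=$Name-Block",'action=block'
    Invoke-IpsecStatic 'add','filteraction',"name=$Name-Permit",'action=permit'
    Invoke-IpsecStatic 'add','rule',"name=$Name-BlockRule","policy=$Name","filterlist=$Name-FromAny","filteraction=$Name-Block"
    Invoke-IpsecStatic 'add','rule',"name=$Name-PermitRule","policy=$Name","filterlist=$Name-FromTrusted","filteraction=$Name-Permit"
}

function Set-ActiveIpsecPolicy {
    # Only one policy can be assigned at a time; assigning this one replaces
    # whatever is currently assigned (a group policy assignment still wins).
    param([string]$Name)
    Invoke-IpsecStatic 'set','policy',"name=$Name",'assign=yes'
}

New-BlockAllowPolicy -Name $PolicyName -Subnet $TrustedSubnet -Mask $TrustedMask -Port $ServicePort
Set-ActiveIpsecPolicy -Name $PolicyName
& netsh ipsec static show policy "name=$PolicyName" level=verbose   # review rules and filters
```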

38
Server 2003 and Security Recommendations: Using
the MIT Windows Update Services
  • Overview
    • Currently running Microsoft WSUS 3.0
    • Internal repository of patches synchronized with
      Microsoft
    • Only patches approved and tested by IST are
      available through WSUS
    • Applied by default on all WIN.MIT.EDU machines:
      auto download and auto install

[Diagram: Microsoft, WSUS Servers, F5 Load balancers]
  • Options
    • Domain default: Option 4, auto download and auto
      install, any day @ 2:00 AM
      • Action: nothing
      • Usually good for simple file and print servers
        and simple web servers
    • Custom setting: Option 4, auto download and auto
      install on a custom schedule
      • Action: set Computer Settings/Administrative
        Templates/Windows Components/Windows
        Update/Configure Automatic Updates to Option 4
        and set the custom schedule below it
    • Custom setting: Option 3, auto download and
      notify for install
      • Action: set Computer Settings/Administrative
        Templates/Windows Components/Windows
        Update/Configure Automatic Updates to Option 3
        (Auto download and notify for install)
    • Do not set/reset the WSUS server name; this is
      already done
    • When using Option 3, a balloon notification
      will appear when new patches are available
      • Patch installation can be run manually from
        this interface
      • If the administrator wishes, certain patches
        may be skipped using the client interface

39
Security and using Server 2003: Lab
  • Lab 4 Using IPSec and the Windows Firewall

40
Windows Vista: Default Vista Desktop
  • When logging on with a domain account to a Vista
    machine for the first time, a default profile is
    downloaded from a DFS share
  • When logging on with a local machine account for
    the first time, the local profile is generated
    from the Default profile on the local computer.
    This is the Microsoft default Vista profile
  • When logging on with a domain account that does
    not use roaming profiles, the domain default
    profile will still be used. The logon scripts
    will detect these cases and, if not already done,
    set the directory structure to the Microsoft
    defaults. Possible cases where this will happen
    are:
    • Disconnected operation
    • The account is set to local profiles via the web
      form
    • The container is set to local profiles only
  • The domain default Vista profile looks very
    similar to the XP desktop
    • It is still not the classic XP desktop: it is
      the Windows Standard interface, and the new
      Explorer interface is used
    • This hybrid desktop is a good default for users
      moving from XP to Vista. It allows them to
      explore some of the new Vista functionality
      while preserving much of the familiar
      organization found in XP
  • The ability to display the Aero interface will
    depend on the graphics card of the computer
    • Users will be able to enable Aero if supported
      by the hardware and the video driver
  • Profiles are no longer stored in the Documents
    and Settings folder; the new location is the
    Users folder off the root of the system drive

41
Windows Vista: Roaming Profiles
  • Vista roaming profiles are not compatible with XP
    profiles. Microsoft added code in Vista to create
    a new profile directory in the user's home
    directory with a .V2 extension
    • XP: H:\.winprofile
    • Vista: H:\.winprofile.V2
    • Each profile has its own desktop folder, e.g.
      XP's is H:\.winprofile\desktop
  • If you have certificates in your XP profile, you
    will still need to get them separately for Vista
  • Desktop-Sync: in order to preserve consistency of
    the desktop files and shortcuts for users logging
    into both XP and Vista machines, WIN.MIT.EDU
    synchronizes the desktop folders of both profiles
    when a user logs on
    • Files saved to an XP desktop will appear on the
      Vista desktop
    • Files saved to a Vista desktop will appear on
      the XP desktop
    • If a file is updated on one of the desktops, the
      other desktop will receive the updated version
      at the next user logon, regardless of which OS
      they log on to
  • Important! A cached roaming profile may only be
    deleted via the System control panel. If the
    files are deleted manually, the roaming profile
    will fail to load.
  • Upgrades: if a machine is upgraded to Vista, the
    upgraded cached copy of a roaming profile should
    be copied to a new folder via the System control
    panel and not used (more about this in the folder
    redirection topic)
    • A local logon should be used for the upgrade
      and, immediately after the upgrade, to rename
      the old cached profile
    • Upgraded versions of non-roaming profiles can be
      preserved and do not need to be modified
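An added example (not part of the original slides, and not WIN.MIT.EDU's own logon script) of the Desktop-Sync behaviour described above: a newest-wins, two-way copy between the XP and Vista desktop folders, so a file saved or updated on either desktop appears on the other at the next logon. It assumes H: is the mapped home share, so the paths are the ones on the slide.

```powershell
# Added example (not part of the original slides and not WIN.MIT.EDU's own logon
# script). Assumption: H: is the mapped home share.
$XpDesktop    = 'H:\.winprofile\desktop'
$VistaDesktop = 'H:\.winprofile.V2\desktop'

function Copy-NewerFiles {
    # Copy every file under $From to the same relative path under $To when the
    # destination copy is missing or strictly older. Deletions are not propagated:
    # a file removed from one desktop is copied back from the other at next logon.
    param([string]$From, [string]$To)
    $copied = @()
    if (-not (Test-Path -LiteralPath $From)) { return $copied }
    if (-not (Test-Path -LiteralPath $To)) { New-Item -ItemType Directory -Path $To | Out-Null }
    $root  = (Get-Item -LiteralPath $From).FullName.TrimEnd('\')
    $files = Get-ChildItem -LiteralPath $root -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $rel    = $file.FullName.Substring($root.Length).TrimStart('\')
        $target = Join-Path $To $rel
        $stale  = (-not (Test-Path -LiteralPath $target)) -or
                  ((Get-Item -LiteralPath $target).LastWriteTimeUtc -lt $file.LastWriteTimeUtc)
        if ($stale) {
            $dir = Split-Path -Parent $target
            if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
            Copy-Item -LiteralPath $file.FullName -Destination $target -Force   # keeps LastWriteTime
            $copied += $target
        }
    }
    return $copied
}

function Sync-DesktopFolders {
    # Run both directions so files saved on either desktop appear on the other;
    # returns the list of files that were copied during this logon.
    param([string]$PathA, [string]$PathB)
    return @(Copy-NewerFiles -From $PathA -To $PathB) + @(Copy-NewerFiles -From $PathB -To $PathA)
}

Sync-DesktopFolders -PathA $XpDesktop -PathB $VistaDesktop
```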

42
Windows Vista: Folder redirection
  • By default, all users and machines use both
    roaming profiles and folder redirection
  • Computers download the default user profile from
    a DFS share
  • For the Windows Vista environment, WIN.MIT.EDU
    redirects the following folders:
    • AppData (Roaming): HOMESHARE\WinData\Application
      Data
    • Contacts: HOMESHARE\WinData\My Documents\Contacts
    • Documents: HOMESHARE\WinData\My Documents
    • Downloads: HOMESHARE\WinData\My
      Documents\Downloads
    • Music: HOMESHARE\WinData\My Documents\My Music
    • Videos: HOMESHARE\WinData\My Documents\My Videos
    • Pictures: HOMESHARE\WinData\My Documents\My
      Pictures
    • Saved Games: HOMESHARE\WinData\My Documents\Saved
      Games
    • Searches: HOMESHARE\WinData\My
      Documents\Searches
    • Favorites: HOMESHARE\WinData\Favorites
    • Links: HOMESHARE\WinData\Favorites\Links
  • The redirected paths for Vista were chosen in
    such a way as to preserve the continuity of user
    experience from XP

43
Windows Vista: User Files Directory View
  • The user's files folder is a programmatically
    merged view of the local cached profile and the
    redirected folders
  • It is possible to see duplicate entries if a
    directory exists in each location
  • We reported this to Microsoft, but no action was
    taken to remediate the issue
  • We implemented our own workaround to the user
    file view issue:
    • The default domain Vista roaming profile, which
      is the source for the cached profiles, has the
      redirected folders removed
    • Users in the domain who use a local profile,
      either on a desktop by opting out of roaming
      profiles or on a computer opted into
      disconnected operation (laptop policy), have
      the removed directories recreated at logon when
      the profile is first created
    • New logon scripts include logic to detect
      whether the user is roaming or not and create
      the directories if they do not exist

44
Windows Vista: Changes to AppData
  • In XP, all application data was redirected to the
    home directory
  • Vista still redirects most application data to
    the home directory, but now also stores some
    settings data and certificates in the roaming
    profile
  • In XP, non-roaming data was stored in the Local
    Settings directory
  • Vista stores non-roaming data in AppData\Local
  • Vista has a new store for low security data
    called AppData\LocalLow. This is used by IE
    running in protected mode. This data does not
    roam.

45
Windows Vista: MIT KfW and the UAC
  • WIN.MIT.EDU uses a different KfW 2.6.5 installer
    than the one on the software download site.
    Unlike the download site installer, our 2.6.5
    installer is fully Vista compatible. Therefore
    there are no pressing reasons for users to
    upgrade to version 3.2.2.
  • Since the latest release of KfW does not fix the
    Vista UAC issue, we are waiting for a later
    release which is UAC compatible before upgrading
    WIN.MIT.EDU machines. When such a version is
    released, we will announce a schedule for the
    upgrade. The decision to wait on this upgrade was
    made by consensus between us and the Kerberos
    Development Team months before version 3.2.2 was
    released.
  • Our current workaround for KfW has been to
    disable the UAC by default; KfW 2.6.5 then
    functions normally. However, those who wish to
    enable the UAC in their containers may do so by
    applying the settings to their container
    policies. When a UAC-compliant version of KfW is
    available, we will consider changing the default
    UAC setting back to Microsoft's default of
    enabled.

46
Windows Vista: Connecting via Remote Desktop
  • Similar to disconnected operation, IST is
    awaiting a hotfix from Microsoft that will remove
    the requirement of using the UPN (user principal
    name, i.e. username@REALMNAME) format to connect
    via Remote Desktop
  • This issue was resolved when IST worked with
    Microsoft regarding XP SP1, and the fix was
    rolled into SP2. Unfortunately, this code was not
    ported to the Vista release and we are awaiting
    the Kerberos regression hotfixes from Microsoft
    to be re-released for Vista
  • The Remote Desktop client will not store the UPN
    format when it makes connections to Vista
    machines, the way it does to XP and 2003. We are
    reporting this behavior to Microsoft as well
  • The Windows Aero interface cannot be displayed
    over Remote Desktop

47
Windows Vista: Lab
  • Lab 5 Managing Desktop Sync