SMS 2003 Deployment and Managing Windows Security (slides)

Uploaded by: E**** | Document ID: 89707492 | Upload date: 2019-05-31 | Format: PPT | Pages: 21 | Size: 1.22 MB


SMS 2003 Deployment and Managing Windows Security
Rafal Otto
Internet Services Group, Department of Information Technology, CERN
31 May 2019
HEPiX October 2004, Rafal Otto (CERN IT/IS)

Agenda
- SMS 2003 Infrastructure
  - What is SMS?
  - Architecture
  - Deployment
  - Rights Policy
- Enhancements in SMS and Active Directory Integration
- Managing Windows Security Updates with SMS 2003
  - SUS Feature Pack
  - Updating Servers
  - Updating Desktops
- Other security related actions
- Conclusions

What is SMS?
- Microsoft Systems Management Server serves:
  - centrally managed software deployment
  - software and hardware inventory
  - software metering
  - remote control
- Additional features:
  - Windows Security Updates Scan Tool
  - Microsoft Office Security Updates Scan Tool
- Supported (managed) platforms:
  - Windows 98, NT: SMS Legacy Clients (none at CERN)
  - Windows 2000, XP, 2003: SMS Advanced Clients (6000)
- SMS is not designed for system monitoring!

Architecture
[Diagram labels: Site Server; Remote Clients (VPN, GPRS, Dial-in); Desktop Clients; Distribution Points]

Deployment

Rights Policy

Background
- Software deployment at CERN is currently based on Group Policy Objects applied to security groups.
  - When one wants to install certain software (e.g. MS Office 2003) on her/his computer, one needs to make the computer account a member of a certain security group (e.g. CERNGP Apply Office 2003).
  - Then, after the reboot, the machine receives a new installation package.
- To manage memberships of the groups we have a single entry point, which is the WinServices website, in particular a service called Group Manager.

AD System Discovery

CERN System Group Discovery
[Diagram label: SMS Site Server]

SUS Feature Pack
[Diagram label: MSSecure.xml]

Reports on security updates

Updating Servers
- 130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers).
- Most of the updates need a reboot at the end of the installation.
- There are groups of servers in which at least one machine from the group has to be online at any time (e.g. 3 domain controllers).
- We do not want to trust the SMS scheduler with rebooting the servers.
- Our approach:
  - We deploy patches with the option "postpone reboot forever".
  - We use our own mechanism to reboot, by hand, the servers that are pending reboot.
  - The "pending reboot" status of the machine is taken directly from the SMS database.

Rebooting servers

Updating Desktops (1)
- SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2).
- SMS packages are based on the operating system.
  - One package (Adv) is used for new patches, published but not assigned.
  - A second package contains all baseline patches and is assigned to run each day.

Updating Desktops (2)
- Patches not supported by SUS Feature Pack:
  - Packages are manually created for each patch.
  - Depending on the severity, they are assigned or published.
  - A wrapper is needed that notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times.
- With new versions of MBSA, more and more products should be supported.

Other security related actions
- Windows XP SP2 deployment (pilot):
  - additional firewall features
  - new Internet Explorer and Outlook Express: Attachment Execution Service, HTML images, add-ons manager, pop-up blocker
  - DCOM and RPC improved security
- Get rid of weak LM hashes (soon):
  - used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy, etc.
  - since Windows NT 3.5, NTLM authentication is used (the NTLM hash is much stronger)
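
The "Updating Servers" slide describes rebooting pending-reboot servers by hand while keeping at least one machine of each server group online. The sketch below is an added example, not CERN's mechanism or code from the slides: it plans reboot batches under that constraint. The host names, group names and the assumption that a batch is fully back online before the next one starts are all hypothetical, and the pending set stands in for the status read from the SMS database.

```python
# Added example: plan reboot waves for servers that are pending reboot.
# Assumption: every server in a wave is back online before the next wave starts.

# Constructed sample data; host and group names are hypothetical.
GROUPS = {
    "domain-controllers": ["dc1", "dc2", "dc3"],
    "wins": ["wins1", "wins2"],
    "exchange": ["exch1"],
}
PENDING = {"dc1", "dc2", "dc3", "wins1", "exch1", "web1"}  # stand-in for the SMS database status
ONLINE = {"dc1", "dc2", "dc3", "wins1", "exch1", "web1"}   # wins2 is currently down


def plan_reboot_waves(groups, pending, online):
    """Return (waves, blocked): reboot batches that keep at least one member
    of every group online, plus servers that cannot be rebooted safely."""
    member_of = {}
    for name, members in groups.items():
        for server in members:
            member_of.setdefault(server, []).append(name)

    online = set(online)
    remaining = sorted(pending)
    waves = []
    while remaining:
        wave = []
        for server in remaining:
            down = set(wave) | {server}
            # Each group this server belongs to must keep one online member
            # that is not part of the current wave. Ungrouped servers pass.
            safe = all(
                any(m in online and m not in down for m in groups[g])
                for g in member_of.get(server, [])
            )
            if safe:
                wave.append(server)
        if not wave:
            break  # nothing left can go down without emptying a group
        waves.append(wave)
        online.update(wave)
        remaining = [s for s in remaining if s not in wave]
    # Blocked servers stay patched-but-not-rebooted; they need a maintenance window.
    return waves, remaining


if __name__ == "__main__":
    waves, blocked = plan_reboot_waves(GROUPS, PENDING, ONLINE)
    print("waves:", waves)
    print("blocked:", blocked)
```

Servers returned as blocked are the ones where the installed update is not yet effective and no safe slot exists, so they are the list to track until a maintenance window is agreed.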
