Managed Workstations: UW Nebula
Brian Arkills, Software Engineer, LDAP geek, AD guy, Chief Troublemaking Officer
Windows HiEd Conference 2006

Goal and Philosophy
Goal: To provide easily-supported, reliable, secure, flexible, networked computing to end users
Philosophy: Solve general problems, rather than specialized problems: “economy of scale.”
Nebula isn’t for everyone

Core Components
• Support Infrastructure
• Governance
• Service Model Definitions
• Software Distribution Mechanism
• Patching Mechanism
• Popular Application Service Offerings
• Detailed Reporting
• Tools and Infrastructure Glue

Support Infrastructure
• Support Groups (SGs) for Client Interactions
  – Experts at workstation support and people skills
• Engineering Group for Escalation
  – Experts at tools, infrastructure glue, and troubleshooting non-simplistic problems

Governance
• A planning or governance group helps prevent a number of problems.
• Membership:
  – Each Support Group has one member on Planning group
  – Engineering sends as many as needed
  – One additional Support Group member serves as a facilitator
  – Managers of each group can attend
• Policy document (and exceptions)

Service Model Definitions
• Standardization=clarity=supportable expectations
• Two general categories of models
  – Managed
    • Gold workstation
    • Kiosk
    • Managed servers
  – Loosely managed
    • Bronze workstation
    • Local servers
    • Loosely managed servers
    • Mac workstations

Numbers
• 1 SG member per 250 workstations
• 1 engineer per 1000 workstations
• 1 software package per week
• 2800 computers in domain, 2200 users, 1200 groups; 1 sister domain
• Cost:
  – $52/month: gold desktop (2055)
  – $58/month: gold laptop (329)
  – $26/month: bronze (135)
  Doesn’t include hardware, add ~$30/month for hardware
• 4.53 terabytes of file storage, 2.95 terabytes in use

Software Distribution
• Nebula provides:
  – Core apps that everyone wants (office, email, calendaring, etc.)
  – Any app that more than 5 computers need and meets our definition for “packagable”
• Part-time students create software packages
• SG members:
  – sponsor each package
  – provide installation settings desired
  – ensure that adequate testing happens

Patching Mechanism
• Doesn’t matter what you use, as long as:
  – You have some kind of reporting for clients that haven’t gotten the patches
  – You have some kind of reporting for clients that haven’t been talking to your patch solution for a while
• Nebula uses WSUS with custom-written code that generates these reports
  – http://viewpoint.cac.washington.edu/blogs/wsus
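
The two reports required above, sketched as an added example (not Nebula's code and not part of the original slides). The record fields and sample clients are constructed; the 14-day threshold is the one named in the "Not Seen in 14 days" email report listed in this deck.

```python
from datetime import datetime, timedelta

# Threshold taken from the "Not Seen in 14 days" email report on this page.
STALE_AFTER = timedelta(days=14)

def patch_reports(clients, now):
    """Build the two reports the slide asks for, plus a compliance ratio.

    A client that has stopped reporting goes to the stale list and is left
    out of the ratio: its last known patch state can no longer be trusted.
    """
    missing, stale, fresh = [], [], 0
    for c in sorted(clients, key=lambda c: c["name"]):
        last = c["last_contact"]
        if last is None or now - last > STALE_AFTER:
            stale.append((c["name"], None if last is None else (now - last).days))
            continue
        fresh += 1
        if c["needed"] > 0:
            missing.append((c["name"], c["needed"]))
    ratio = (fresh - len(missing)) / fresh if fresh else None
    return missing, stale, ratio

# Constructed sample data (hypothetical field names, not a WSUS schema).
NOW = datetime(2006, 5, 1)
CLIENTS = [
    {"name": "GOLD-01", "last_contact": datetime(2006, 4, 30), "needed": 0},
    {"name": "GOLD-02", "last_contact": datetime(2006, 4, 29), "needed": 3},
    {"name": "GOLD-03", "last_contact": datetime(2006, 3, 20), "needed": 0},  # silent for 42 days
    {"name": "GOLD-04", "last_contact": None, "needed": 0},                   # never reported
    {"name": "GOLD-05", "last_contact": datetime(2006, 4, 17), "needed": 1},  # exactly 14 days
]

if __name__ == "__main__":
    missing, stale, ratio = patch_reports(CLIENTS, NOW)
    print("Missing patches:", missing)
    print("Not seen in 14 days:", stale)
    print("Compliant among reporting clients:", ratio)
```

GOLD-03 shows why the second report matters: it needs zero patches according to its last check-in, yet it has been silent for 42 days, so it is reported as stale instead of being counted as patched.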

Application Service Offerings
User need determines our offerings. We usually consume a service offering from central IT.
• Stuff we consume:
  – Calendaring
  – Mailing lists
  – SQL hosting
  – BlackBerry
• Stuff that we float just for Nebula:
  – File services with 2 week user-retrievable snapshots
  – Print services
  – Unix shell account
  – VPN

Detailed Reporting
• Reporting is as important as features
• Focus is:
  1. General info for troubleshooting: computer or user specific web-based queries with department awareness
  2. Policy exceptions: email-based report that warns of problem
  3. Security exceptions: email-based report that warns of problem and possible implications
• All our code is available under an Apache-style license

Web-based Reports
• Computer info query: Name, IP address, MAC, support group, test group, purchase date, dept, last user, chassis, model
• Department summary: number per model, number per service, warranty end
• Software package assignments
• Up-to-the-minute patch status
• Installed application query
• Service and program classification query
• AU configuration for all servers in domain
• Oracle calendar usage reports
• Billing reports

Email-based Reports
• Patching Status: Not Seen in 14 days
• Bronze Missing Managedby
• Missing or Unknown LAG members
• Computers with remote management issues
• Unused Nebula Accounts
• Old OS

Email-based Reports
• Port scan
• System Services
• Missing Patches
• Prohibited Programs
• VirusScan DAT version

Report Code Logic
For each SG (Support Group)
    grabAllComputersUnder(SG)—sorted by dept
    For each computer
        – gatherComputerInfo
        – checkForException
        – addExceptionToReport
    mailExceptions(SG)

Report: “adminCheck”
• Checks LAG group of every computer for:
  – Expected: domain admins, SG admins (context specific), local admin
  – Prohibited: authenticated users, anonymous logon, domain users, everyone, unresolved sid, any principals outside domain
• Uses the WinNT: provider (the provider name is case-sensitive). Syntax example: "WinNT://NEBULA2/domain admins"
• Adds/Removes members as needed
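
The adminCheck rules, run inside the per-SG loop from the "Report Code Logic" slide, as an added example (not Nebula's code). It assumes LAG means each computer's local Administrators group, takes the membership as `SCOPE\account` strings from constructed sample data instead of a live directory query, and only reports; the add/remove step is left out. Function and field names are hypothetical.

```python
from collections import defaultdict

DOMAIN = "NEBULA2"  # domain name from the slide's provider syntax example
PROHIBITED = {"authenticated users", "anonymous logon", "domain users", "everyone"}

def check_lag(computer, members, sg_admins):
    """Compare one computer's LAG membership with the slide's expected/prohibited lists."""
    expected = {m.lower() for m in (f"{DOMAIN}\\Domain Admins", f"{DOMAIN}\\{sg_admins}",
                                    f"{computer}\\Administrator")}
    findings, seen = [], set()
    for member in members:
        scope, _, account = member.lower().rpartition("\\")
        if member.lower() in expected:
            seen.add(member.lower())
        elif not scope and account.startswith("s-1-"):
            findings.append(("prohibited", member, "unresolved SID"))
        elif account in PROHIBITED:
            findings.append(("prohibited", member, "on the prohibited list"))
        elif scope not in (DOMAIN.lower(), computer.lower()):
            findings.append(("prohibited", member, "principal outside domain"))
        else:
            findings.append(("unknown", member, "not on the expected list"))
    findings += [("missing", m, "expected member absent") for m in sorted(expected - seen)]
    return findings

def build_reports(computers):
    """The slide's loop: per SG, computers sorted by dept, exceptions collected per SG."""
    by_sg = defaultdict(list)
    for c in computers:
        by_sg[c["sg"]].append(c)
    reports = {}
    for sg, owned in by_sg.items():  # the real report would be mailed to the SG here
        reports[sg] = [f'{c["dept"]} {c["name"]}: {kind} {member} ({why})'
                       for c in sorted(owned, key=lambda c: (c["dept"], c["name"]))
                       for kind, member, why in check_lag(c["name"], c["lag"], c["sg_admins"])]
    return reports

# Constructed inventory; in practice the membership would be read from each computer.
SAMPLE = [
    {"name": "CHEM-07", "dept": "Chemistry", "sg": "SG-North", "sg_admins": "SG-North Admins",
     "lag": ["NEBULA2\\Domain Admins", "NEBULA2\\SG-North Admins", "CHEM-07\\Administrator"]},
    {"name": "ART-02", "dept": "Art", "sg": "SG-North", "sg_admins": "SG-North Admins",
     "lag": ["NEBULA2\\Domain Admins", "ART-02\\Administrator", "NEBULA2\\Domain Users",
             "S-1-5-21-111-222-333-1105"]},
    {"name": "LAW-11", "dept": "Law", "sg": "SG-South", "sg_admins": "SG-South Admins",
     "lag": ["NEBULA2\\Domain Admins", "NEBULA2\\SG-South Admins", "LAW-11\\Administrator",
             "OTHERDOM\\jdoe", "NEBULA2\\asmith"]}]

if __name__ == "__main__":
    for sg, lines in build_reports(SAMPLE).items():
        print(f"To {sg}:", *lines, sep="\n  ")
```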

Report: Prohibited Programs
• Uses a DB to store:
  – List of installed programs per computer across all of Nebula—this is the basis for a web report
  – List of permitted/prohibited programs per model and per computer and per computer group
• Uses the registry to find installed programs
• Reports evil and unknown on managed
• Reports evil on unmanaged
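
How the layered lists and the managed/unmanaged reporting rule can fit together, as an added example (not Nebula's code or schema). Assumptions: the table layout is hypothetical, "model" is read as the service model (gold, bronze), a per-computer rule overrides a group rule which overrides a model rule, and "evil" corresponds to the `prohibited` verdict. The installed-program rows are constructed instead of being read from the registry.

```python
import sqlite3

# Hypothetical schema; the slide only says a DB holds installs and per-scope lists.
SCHEMA = """
CREATE TABLE computer(name TEXT PRIMARY KEY, model TEXT, grp TEXT, managed INTEGER);
CREATE TABLE installed(computer TEXT, program TEXT);
CREATE TABLE rule(scope TEXT, target TEXT, program TEXT, verdict TEXT);
"""
# Assumed precedence: a per-computer rule beats a group rule, which beats a model rule.
VERDICTS = """
SELECT c.name, i.program, c.managed, COALESCE(
  (SELECT verdict FROM rule WHERE scope='computer' AND target=c.name  AND program=i.program),
  (SELECT verdict FROM rule WHERE scope='group'    AND target=c.grp   AND program=i.program),
  (SELECT verdict FROM rule WHERE scope='model'    AND target=c.model AND program=i.program),
  'unknown') AS verdict
FROM computer c JOIN installed i ON i.computer = c.name
ORDER BY c.name, i.program
"""

def exceptions(db):
    """Managed computers report prohibited and unknown; unmanaged report prohibited only."""
    return [(name, program, verdict)
            for name, program, managed, verdict in db.execute(VERDICTS)
            if verdict == "prohibited" or (verdict == "unknown" and managed)]

def sample_db():
    """Constructed data: one managed (gold) and one unmanaged (bronze) computer."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO computer VALUES (?,?,?,?)",
                   [("GOLD-01", "gold", "lab", 1), ("BRZ-01", "bronze", "faculty", 0)])
    db.executemany("INSERT INTO installed VALUES (?,?)",
                   [("GOLD-01", p) for p in ("Office", "P2PShare", "OddTool", "Debugger")]
                   + [("BRZ-01", p) for p in ("P2PShare", "OddTool")])
    db.executemany("INSERT INTO rule VALUES (?,?,?,?)", [
        ("model", "gold", "Office", "permitted"),
        ("model", "gold", "P2PShare", "prohibited"),
        ("model", "bronze", "P2PShare", "prohibited"),
        ("group", "lab", "Debugger", "prohibited"),
        ("computer", "GOLD-01", "Debugger", "permitted"),  # per-computer exception
    ])
    return db

if __name__ == "__main__":
    for row in exceptions(sample_db()):
        print(row)
```

The same unlisted program (OddTool) is reported on the managed computer and ignored on the unmanaged one, while the per-computer exception keeps Debugger off GOLD-01's report despite the group-level prohibition.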

Tools and Infrastructure Glue
• Calendaring service + AD + Unix requires “glue”: a DB to link them
• Functionality add-ons:
  – UW white pages sync
  – Dell warranty info harvesting
  – automatic wireless MAC registration

The End
Brian Arkills
[email protected]
http://viewpoint.cac.washington.edu/blogs/winauth
Author of LDAP Directories Explained