sms 2003 deployment and managing windows security


Posted on 25-Feb-2016

DESCRIPTION

SMS 2003 Deployment and Managing Windows Security. Rafal Otto, Internet Services Group, Department of Information Technology, CERN, 13 July 2014. PowerPoint presentation covering the SMS 2003 infrastructure (what SMS is, architecture, deployment, rights policy), enhancements in SMS and Active Directory integration, and managing Windows security updates with SMS 2003.

TRANSCRIPT

  • SMS 2003 Deployment and Managing Windows Security
    Rafal Otto, Internet Services Group, Department of Information Technology, CERN

  • Agenda
    - SMS 2003 Infrastructure: What is SMS? Architecture, Deployment, Rights Policy
    - Enhancements in SMS and Active Directory Integration
    - Managing Windows Security Updates with SMS 2003: SUS Feature Pack, Updating Servers, Updating Desktops
    - Other security related actions
    - Conclusions

  • What is SMS?
    Microsoft Systems Management Server serves:
    - centrally managed software deployment
    - software and hardware inventory
    - software metering
    - remote control
    Additional features:
    - Windows Security Updates Scan Tool
    - Microsoft Office Security Updates Scan Tool
    Supported (managed) platforms:
    - Windows 98, NT: SMS Legacy Clients (none at CERN)
    - Windows 2000, XP, 2003: SMS Advanced Clients (~6000)
    SMS is not designed for system monitoring!

  • Architecture

  • Deployment

  • Rights Policy


  • Background
    - Software deployment at CERN is currently based on Group Policy Objects applied to security groups
    - When a user wants to install certain software (e.g. MS Office 2003) on his/her computer, the computer account must be made a member of the corresponding security group (e.g. CERN\GP Apply Office 2003)
    - Then, after a reboot, the machine receives the new installation package
    - Group memberships are managed through a single entry point, the WinServices website, in particular a service called Group Manager

  • AD System Discovery

  • CERN System Group DiscoverySMS Site Server


  • SUS Feature Pack

  • Reports on security updates

  • Updating Servers
    - ~130 Windows servers (DCs, WINS, DFS, SMS, Exchange servers, web servers, file servers, custom servers)
    - Most of the updates need a reboot at the end of the installation
    - There are groups of servers where at least one machine from the group has to be online at any time (e.g. 3 domain controllers)
    - We do not want to trust the SMS scheduler to reboot the servers
    Our approach:
    - We deploy patches with the option to postpone the reboot forever
    - We use our own mechanism to reboot servers pending a reboot by hand
    - The pending-reboot status of a machine is taken directly from the SMS database

  • Rebooting servers
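The constraint on the previous slides (reboot only machines that are pending a reboot, and never take the last online member of a group such as the domain controllers offline) can be turned into a rolling-reboot plan. The following is an added example, not CERN's reboot tool: the pending-reboot list that the presentation reads from the SMS database is replaced here by a constructed inline list, the group names are invented, and the planner assumes a server rebooted in one wave is back online before the next wave starts.

```python
"""Rolling-reboot planner for servers flagged as pending reboot.

Added example (not the presentation's own tooling). Input rows mimic what a
query of the SMS database would return; here they are constructed inline.
"""
from collections import defaultdict

# Constructed sample: (hostname, availability group or None, pending_reboot, online)
SERVERS = [
    ("dc01", "domain-controllers", True, True),
    ("dc02", "domain-controllers", True, True),
    ("dc03", "domain-controllers", False, True),
    ("wins01", "wins", True, True),
    ("wins02", "wins", True, False),   # already offline, so it counts against its group
    ("web01", None, True, True),        # standalone host: no group constraint
    ("file01", "file", True, True),     # only member of its group: needs a manual decision
]


def plan_reboot_waves(servers):
    """Split pending-reboot hosts into waves that keep every group partly online.

    Returns (waves, manual):
      waves  - list of lists of hostnames; each wave reboots at most one host
               per group, and only if at least two members are online, so one
               member of the group is always up.
      manual - hosts whose reboot would leave their group with nobody online;
               these are left for an operator to handle by hand.
    Hosts that are already offline cannot be rebooted remotely and are skipped.
    """
    online = defaultdict(int)
    for _host, group, _pending, is_online in servers:
        if group is not None and is_online:
            online[group] += 1

    remaining = [(h, g) for h, g, pending, is_online in servers if pending and is_online]
    waves, manual = [], []
    while remaining:
        wave, deferred, used_groups = [], [], set()
        for host, group in remaining:
            if group is None:
                wave.append(host)                 # no availability constraint
            elif online[group] < 2:
                manual.append(host)               # would leave the group empty
            elif group in used_groups:
                deferred.append((host, group))    # one host per group per wave
            else:
                used_groups.add(group)
                wave.append(host)
        if wave:
            waves.append(wave)
        # Assumption: rebooted hosts are back online before the next wave runs.
        remaining = deferred
    return waves, manual


if __name__ == "__main__":
    waves, manual = plan_reboot_waves(SERVERS)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("manual decision needed:", ", ".join(manual) or "none")
```

With the constructed input the planner produces two waves (dc01 with web01, then dc02) and leaves wins01 and file01 to the operator, since each is the only online member of its group. The wave boundary is where the "reboot by hand" step from the slide belongs: confirm the previous wave is back before starting the next.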

  • Updating Desktops (1)
    - The SUS Feature Pack is used for the supported patches (those supported by MBSA 1.2)
    - SMS packages are based on the operating system
    - One package (Adv) is used for new patches that are published but not assigned
    - A second package contains all baseline patches and is assigned to run each day

  • Updating Desktops (2)
    - Patches not supported by the SUS Feature Pack: packages are manually created for each patch
    - Depending on the severity they are assigned or published
    - A wrapper is needed which notifies the user more clearly than the standard SMS notification and allows the installation to be postponed many times
    - With new versions of MBSA more and more products should be supported


  • Other security related actions
    Windows XP SP2 deployment (pilot):
    - additional firewall features
    - new Internet Explorer and Outlook Express: Attachment Execution Service, HTML images, add-ons manager, pop-up blocker
    - DCOM and RPC improved security
    Get rid of weak LM hashes (soon):
    - used by Windows 95 clients, unpatched Windows 98, old Samba, the NICE XP installation floppy, etc.
    - since Windows NT 3.5 NTLM authentication is used (the NTLM hash is much stronger)

  • Other security related actions
    Local administrator password reset:
    - periodic (3 months)
    - web interface to change it again (available to the main responsible for the machine)
    Local administrators group (plan):
    - in the past each user was a member of the local administrators group on his/her machine
    - this will no longer be mandatory
    - web interface to become a member (available to the main responsible for the machine)

  • Conclusions
    - SMS 2003 makes the infrastructure much better managed: security scans + patch deployment, software inventory
    - Other improvements in security were done: Windows XP SP2 deployment, new policy for the local admin password and the local administrators group