WIN.MIT.EDU Container Administrator Training

Slides: 49

- Architecture Overview
- Container maintenance
  - Lab
- User features
  - Lab
- Disconnected operation
- RIS: Remote Installation Services
- Security and using Windows Server
- Windows Vista
  - Labs

Architecture: Active Directory
- Cross-Realm Trust
  - Trust of the MIT Kerberos realm by WIN.MIT.EDU allows single sign-on to multiple resources.
  - Delegated user management: MIT Kerberos accounts; departments control resources by managing group membership, machines and ACLs.
- Single Domain/Forest Model
  - Model in use by many large schools, corporations and ISPs.
  - Delegation of containers (OUs): "islands of control". Departmental container administrators have many tools to build their workstation and server environments. Each department builds and customizes its own environment. Container administrators control machines and access to their resources instead of the users directly.
- Group policy
  - Software distribution, security, registry and other feature settings can be assigned on a container basis.
  - ACLs via Moira groups.
  - Custom group policy settings written by IS&T.
- Standard MIT DNS services
  - win.mit.edu uses MIT's UNIX-based DNS services instead of Microsoft's.
- LDAP directory populated by data from:
  - Moira: user, group and container data
  - Populator: Moira host-to-container mapping, Data Warehouse, SPN

WIN.MIT.EDU Architecture (diagram)
Components shown: Moira, Populator, MIT Kerberos KDCs, WIN.MIT.EDU DCs, MITnet, DNS, DFS Storage and Data Warehouse, with arrows labelled "Query" and "Data Feed".

Architecture: Moira Data Feed ("Incremental")
- The Moira incremental update keeps the WIN.MIT.EDU domain synchronized with the Moira database. The Moira incremental creates and maintains the following in Active Directory:
  - User accounts (MIT Kerberos IDs, i.e. principals) and profile options
  - Account status changes such as activation/deactivation
  - Lists and groups with their memberships
  - Container hierarchy
- The Moira incremental is a UNIX executable image that resides on the Moira server and runs continuously. It uses Kerberos V5 authentication to establish an LDAP connection to the Windows domain to perform the updates. It has been completely integrated into Moira operations.
- When relevant changes to users, groups and containers are made in Moira, the incremental is triggered and the change is propagated to Active Directory.
- The Moira incremental distinguishes between lists and groups when propagating them to Active Directory:
  - Lists = distribution groups
  - Groups = security groups
- We do not write directly to AD to create domain groups:
  - The data may be overwritten
  - Make these changes in Moira
  - Local groups can be managed directly via Windows

Container maintenance: Web forms for container administrators
- Opt into/out of various domain-wide deployments
  - https://wince.mit.edu/optoutrollout/index.jsp
  - A container administrator can opt out of certain deployments until ready, or opt into test deployments early, before they are released domain-wide. Containers and/or individual machines can opt in or opt out.
- Submit a Container Maintenance Job: Selfmaint
  - https://wince.mit.edu/containermaint/index.jsp
  - Schedule a container reboot, defrag, or custom script. Selfmaint scripts can wait until a user is logged out so as not to disturb normal machine use.
- Delete a machine from Active Directory
  - https://wince.mit.edu/deletemachine/index.jsp
  - A convenient tool if other tools are not available. To reinstall a computer, its machine account must first be deleted from Active Directory, but NOT from Moira.
- RIS or Join Computer page
  - https://wince.mit.edu/getrisaccount/index.jsp
  - As a container administrator or a container membership administrator, you may use this service to obtain a short-term account and password to be used while adding machines to WIN.MIT.EDU (the Moira host information should already exist).

Container maintenance: Joining a machine
- One-time considerations for new hosts and users:
  - Is there a Moira record for the machine which has propagated to the MITnet DNS?
  - Has the machine been assigned to a container? (Stella)
  - Is your Kerberos password up to date?
- General instructions:
  - If reinstalling or rejoining, use the web form located on the Domain Machine Management page to delete the old machine account.
  - Remove existing (non-WIN) MIT Kerberos software and reboot; verify correct IP and DNS settings, join the machine to the domain and reboot. If no packages are downloaded, reboot a second time due to the XP fast boot default.
- Using the "tempjoin" account:
  - Regular user accounts in WIN do not have rights to create new machine accounts, a requirement when joining a machine or using RIS.
  - The web form requires MIT certificates. It creates a Windows account with your username followed by ".tempjoin". A temporary password, valid for 48 hours, is displayed on the screen. This is the username and password to use while joining the machine to the domain or authenticating to the RIS server.

Container maintenance: Moira Tools: Stella (machine management)
- One-time assignment of the machine to a container
  - In order for a machine to get the group policies and MSI packages it requires to function properly in the domain, it must be assigned, in Moira, to a container that is within the "Machines" container in AD. If there is no assignment, the machine will appear in the "Orphans/Machines" container and not get the group policy objects it needs.
  - You can use the stella command to assign the container: stella hostname -lcn lists the container if one has been assigned, the -dcn option removes an existing machine-to-container assignment, and -acn adds one. Perhaps this query is a good candidate for a future web application.
  - If a machine needs to be reinstalled or replaced, the Moira container mapping does not have to be deleted. Only the AD machine account needs to be deleted via the web form.
- To check if a host has already been assigned to a container, use the -lcn option:
    stella my-machine -lcn
    Machine: my-machine Container: Machines/my-container
  - If the machine has not been assigned to a container, you will get no output from the command.
- To assign the machine to a container, use the -acn option:
    stella my-machine -acn Machines/my-container
- If the machine has already been assigned to a container but you wish to move it to another one, you must first delete the old container assignment using the -dcn option, then assign it to the new container with -acn:
    stella my-machine -dcn Machines/my-container
    stella my-machine -acn Machines/my-other-container
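The assignment check and the delete-then-add move sequence above, as an added shell example for this page (it is not MIT's stella tool or any script from the deck): it parses the "stella HOST -lcn" output format shown on the slide, flags hosts that are unassigned (they would land in Orphans/Machines and receive no GPOs) or assigned outside the "Machines" container, and prints the -dcn/-acn commands needed for a move. The sample outputs are constructed; a real run would capture them from stella.

```shell
#!/bin/bash
# Added example; not MIT's stella tool. Audits captured "stella HOST -lcn"
# output and builds the move sequence described on the slide.

# Extract the container from captured "stella HOST -lcn" output.
# stella prints nothing for an unassigned host, so this prints nothing too.
container_of() {
    printf '%s\n' "$1" | sed -n 's/.*Container: *\(.*\)$/\1/p'
}

# Classify captured output: ok / orphan / outside.
classify() {
    local container
    container=$(container_of "$1")
    if [ -z "$container" ]; then
        echo orphan            # no Moira assignment: lands in Orphans/Machines
    elif [ "${container#Machines/}" != "$container" ]; then
        echo ok                # under Machines/, will receive its GPOs
    else
        echo outside           # assigned, but not under Machines/
    fi
}

# Print the stella commands that move HOST from CURRENT to TARGET.
# An existing assignment must be removed with -dcn before -acn adds the new
# one; an unassigned host (empty CURRENT) needs only the -acn step.
move_commands() {
    local host=$1 current=$2 target=$3
    [ "$current" = "$target" ] && return 0
    [ -n "$current" ] && echo "stella $host -dcn $current"
    echo "stella $host -acn $target"
}

# Constructed samples of what "stella HOST -lcn" would print (not real hosts).
SAMPLE_ASSIGNED="Machine: my-machine Container: Machines/my-container"
SAMPLE_UNASSIGNED=""
SAMPLE_OUTSIDE="Machine: lab-pc Container: Users/my-container"

# Demonstration: classify each sample, then build a move for the assigned host.
for out in "$SAMPLE_ASSIGNED" "$SAMPLE_UNASSIGNED" "$SAMPLE_OUTSIDE"; do
    classify "$out"
done
move_commands my-machine "$(container_of "$SAMPLE_ASSIGNED")" Machines/my-other-container
```

The sed pattern matches "Container:" anywhere on a line, so it works whether stella prints the machine and container on one line (as on the slide) or on two.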

Container maintenance: Moira Tools: Mitch (container management)
- You can use mitch to get container info
  - Basic info: mitch machines/my-container
  - List sub-containers: mitch machines/my-container -ls
  - List machines in the container: mitch machines/my-container -lm
  - Use the recursive switch -r to get subcontainer info
- You can use mitch to set container properties
  - Memacl (who can add a machine to the container): -MA
  - Set the description: mitch Machines/my-container -d "My Container"
  - Modify the contact: mitch Machines/my-container -c my-list
- You can also use mitch to map and un-map machines from your container
  - Add a machine: mitch Machines/my-container -am my-machine
  - Remove a machine: mitch Machines/my-container -dm my-machine
- Do not use the rename function
  - This function does not work properly if there are subcontainers involved
  - GPO object names do not get changed along with the container
  - If you need to do a rename, send mail to the network team with your request

Container maintenance: Moira Tools: Blanche (group management)
- You can use blanche to add and remove members from groups:
  - blanche groupname -a user (add)
  - blanche groupname -d user (remove)
- Add/remove users based on a file:
  - blanche groupname -al filename (add)
  - blanche groupname -dl filename (remove)
- Modify the description, owner and memacl information: -d "My Description", -o owner, -MA memacl
- Always make sure the -G group option is used for security groups in Active Directory (referred to as AFS group on the list creation request form).
- Use the recursive switch -r to expand nested group memberships.
- You can use qgrep on your win.mit.edu machine to search a list for a member:
  - blanche my-very-big-list -r | qgrep myusername
- A web form is also available for group creation and management (requires MIT certificates): https://webmoira.mit.edu/newwebm/

Container maintenance: Lab 1: Using Moira tools and joining a machine

Container maintenance: Group Policy Objects
- GPOs are created and stored in SYSVOL
  - DFS share replicated to each domain controller
  - SYSVOL is a file system; a new directory is created for each GPO, not for each container
  - A GPO may be linked to multiple containers
  - AD ACLs may be used to control who can read a GPO or which users or machines it is applied to
- GPO inheritance favors the lower-level GPO unless the override bit is set (called "enforced" in GPMC)
- GPOs are created when a container is requested
  - The default configuration is one parent container with server and workstation subcontainers
  - Individual GPOs are created for each of these containers
  - Additional subcontainers and GPOs may be requested
  - Additional GPO links may be requested

Container maintenance: Group Policy Management Tools
- Group Policy Management Console (gpmc.msc)
  - Preferred GP management tool. An add-on MSI for XP, installed by default on Vista. There is also an add-on MSU for Vista with updated tools for administration of Server 2008.
  - View GPO settings and permissions
  - Can launch the Group Policy Editor
- Resultant Set of Policy (rsop.msc)
  - Diagnostic tool to view how GP inheritance is working
- Group Policy Editor (gpedit.msc)
  - Launched by gpmc or dsa; edit settings, plus a new Preferences section for Vista
- AD Users and Computers (dsa.msc)
  - Views and info of containers and machines
- Gpupdate: command-line utility
  - Refresh group policy
- GPFind: win.mit.edu command-line script
  - Search by GPO name and launch the Group Policy Editor

Container maintenance: Group Policy .adm and .admx files
- The SYSVOL share contains ASCII files with the .adm extension that define administrative template group policy settings.
  - Within win.mit.edu, updated template versions are propagated across SYSVOL to ensure consistency across containers.
  - New versions are released by Microsoft with every new service pack.
- IS&T has written custom .adm templates to augment group policy options.
- Windows Vista and above employ an XML file format using the .admx extension. Existing .adm settings still apply to Vista machines where applied.
- Settings particular to the .admx file format need to be managed from a machine running Windows Vista or above.
- Some new .admx settings have the ability to apply only to Vista and not XP if the administrator chooses. They employ .ini files in the GPO's directory in SYSVOL to track the desired behavior.
- New SYSVOL storage options are available to optimize storage utilization. All .admx files can be stored centrally instead of being replicated in each GPO directory.

Container maintenance: Group Policy Settings: Software
- The Software section is where MSI-based applications are assigned to a container.
- The assigned MSI should be referenced via a UNC path.
- Transforms and ACLs may be assigned to an MSI via the "Modifications" tab on the MSI properties.
- Software policy processing occurs only at boot time.
- Packages may be assigned to upgrade existing packages.
- Do not use your GPO to upgrade a package currently opted in using the web form, since the Software Distribution GPO uses the no-override option. If you need to do this, remove the opt-in via the web form.
- Packages assigned domain-wide:
  - ActivePerl
  - MIT Hesiod client
    - Print queue resolution
  - MIT Kerberos for Windows 2.6.5
  - MIT LogonBefore Provider
    - Was for disconnected operations; being phased out
  - MIT Moira client
  - MIT Self Maintenance
  - MIT Syslog client
  - Previous Versions Client
    - XP and 2003 only; built into Windows Vista

Container maintenance: Group Policy Settings: Security
- Recommended uses of the security section:
  - Startup scripts
  - User Rights Assignments
    - This will be covered in more detail in the server section
  - Restricted groups
    - You may use addmin.exe as a non-exclusive alternative to this setting
  - System Services
  - IPSec (this must be sent to the network team as a request)

Windows Vista: MIT KfW and the UAC
- WIN.MIT.EDU uses a different KfW 2.6.5 installer than the one on the software download site. Unlike the download site installer, our 2.6.5 installer is fully Vista compatible. Therefore there are no pressing reasons for users to upgrade to version 3.2.2.
- Since the latest release of KfW does not fix the Vista UAC issue, we are waiting for a later release which is UAC compatible before upgrading WIN.MIT.EDU machines. When such a version is released, we will announce a schedule for the upgrade. The decision to wait on this upgrade was made by consensus between us and the Kerberos Development Team months before version 3.2.2 was released.
- Our current workaround for KfW has been to disable the UAC by default; KfW 2.6.5 then functions normally. However, those who wish to enable the UAC in their containers may do so by applying the settings to their container policies. When a UAC-compliant version of KfW is available, we will consider changing the default UAC setting back to Microsoft's default of enabled.

Container maintenance: Group Policy: Administrative Template Settings
- Windows Components section highlights:
  - NetMeeting
  - RSS Feeds
  - Task Scheduler
  - Windows Messenger
  - Windows Media Digital Rights Management
  - Windows Movie Maker
  - Windows Update (patching)
  - Windows Media Player
- System section highlights:
  - User Profiles
  - Scripts
  - Logon
  - Disk Quotas
  - Group Policy
- Network section highlights:
  - DNS Client
  - Offline Files
  - Network Connections
  - QoS Packet Scheduler
  - SNMP
  - Background Intelligent Transfer Service
- win.mit.edu settings
  - Pictured on the left
  - IE, Sendbug and Logoff settings will be phased out shortly

New: Preferences section
- New Server 2008 management tools available for Vista
  - Many features that IS&T had to build custom tools for have now been built in by Microsoft
  - Registry keys can be deployed here instead of using Regpoledit
  - Scheduled tasks can be deployed via group policy as an alternative to Selfmaint
  - Network and local printers can be deployed here instead of using the win.mit.edu custom settings
- Other new features:
  - Computer-based control panel settings such as power options, local accounts and folder options

Container maintenance: Group Policy: win.mit.edu Printer settings
- Microsoft did not have a machine-based group policy option to assign printers prior to Server 2003 R2/Windows Vista. When Windows 2000 was released, IS&T developed custom printer extensions for win.mit.edu. When Windows XP is closer to being phased out, we plan to phase out these custom settings. The new Microsoft settings are available today for Vista users.
- IS&T is phasing out Kerberized printing; the KLPR packages are no longer being maintained. The KLPR packages do not support Windows Vista.
- New Microsoft GP settings for Vista are available.
- Two types of printers may be assigned using the win.mit.edu extensions:
  - "KLPR" printers: queues that require Kerberos authentication
    - Use the MIT Hesiod client installed on the machine for queue resolution
    - Currently the KLP MSI is deployed by default
    - There is an opt-in for the newer LPNG MSI
    - There is a specific list of supported drivers; additional drivers can be added but in some cases are not compatible with the UNIX print queue
    - An opt-out of all Kerberized printer clients is available
  - Network printers: standard Microsoft network printers assigned per machine
    - Uses a standard UNC path name
  - Both options have the ability to assign a default printer to the machine

Container maintenance: Group Policy: Custom registry keys
- IS&T developed a utility called regpoledit to edit the binary .pol file, allowing us to manually insert custom registry keys without having to extend the .adm templates.
- Sets of custom registry keys are applied to win.mit.edu machines for the following applications:
  - Cross-realm MIT Kerberos logon
  - Internet Explorer
  - Windows Explorer
  - Eventsyslogger
- These keys can be viewed in the Administrative Templates/Extra Registry Keys section of the RSoP utility.
- If container administrators require custom keys, the network team can be contacted for assistance.

Container maintenance: Selfmaint
- The Selfmaint package is an MIT-developed MSI that is installed on all domain machines.
- Selfmaint is a container-based scheduling service provided in addition to the Windows Task Scheduler service, and runs under the SYSTEM account. Its main features are:
  - Schedule one job for an entire container and subcontainers, or for individual machines.
  - Can reboot, defrag disks, or run custom scripts.
  - Scripts reside on the network and will continue to run if the OS is reinstalled or a new computer is added to the container.
- A script can either wait until no user is logged in to run, or run unconditionally.
- A web request form exists to have a job set up for your container. You may choose common tasks or provide your own custom scripts. The available scheduling options are built into the form. We recommend using Perl or VB if you are submitting a custom script.
- Microsoft hotfixes not supported by WSUS can be installed.
- Certain scripts run domain-wide, such as mirror-distrib.
- Scripts reside on DFS. The Selfmaint service checks for new jobs and maintains a log file, %programfiles%\MIT\Shared Files\selfmaint.log, with the most recent time a particular script ran.
  - At bootup (or service start) the log file is checked for any scripts that are overdue to run, and Selfmaint runs them immediately.
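The boot-time overdue check described above, as an added shell example (it is not MIT's Selfmaint service): a job is due when the log has no entry for it, which is what happens after an OS reinstall, or when its last recorded run is older than its interval. The deck does not show the real selfmaint.log layout, so the "job<TAB>epoch-of-last-run" format, the job names and the interval used here are assumptions made for this example.

```shell
#!/bin/bash
# Added example; not MIT's Selfmaint code. Log format and job list are
# constructed for the example.

# Print each job from JOBS_FILE that is due: no entry in LOG (never ran on
# this machine) or last run at least INTERVAL seconds before NOW. Run at boot,
# this makes a job missed while the machine was off execute immediately.
#   $1 log file   $2 jobs file (one job per line)   $3 interval (s)   $4 now (epoch)
overdue_jobs() {
    local log=$1 jobs=$2 interval=$3 now=$4 job last
    [ -f "$log" ] || : > "$log"
    while IFS= read -r job; do
        [ -z "$job" ] && continue
        # awk prints the recorded epoch for this job, or an empty line if none
        last=$(awk -v j="$job" '$1 == j { t = $2 } END { print t }' "$log")
        if [ -z "$last" ] || [ $((last + interval)) -le "$now" ]; then
            echo "$job"
        fi
    done < "$jobs"
}

# Record that JOB ran at NOW, keeping only the most recent line per job
# (the log tracks the last run time of each script, not a full history).
record_run() {
    local log=$1 job=$2 now=$3
    [ -f "$log" ] || : > "$log"
    { awk -v j="$job" '$1 != j' "$log"; printf '%s\t%s\n' "$job" "$now"; } > "$log.tmp"
    mv "$log.tmp" "$log"
}

# Demonstration on constructed data with "now" fixed at epoch 1000000:
# mirror-distrib last ran 100000 s ago (overdue on a daily interval),
# defrag 50000 s ago (not yet due), custom-script never (due).
demo_overdue() {
    local dir
    dir=$(mktemp -d)
    printf 'mirror-distrib\t900000\ndefrag\t950000\n' > "$dir/selfmaint.log"
    printf 'mirror-distrib\ndefrag\ncustom-script\n' > "$dir/jobs"
    overdue_jobs "$dir/selfmaint.log" "$dir/jobs" 86400 1000000
    rm -rf "$dir"
}

demo_overdue
```

Because the interval check is "last run plus interval is in the past", a job whose scheduled slot passed while the machine was powered off is caught on the next service start, which is the behaviour the slide attributes to Selfmaint.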

Container maintenance: Scripts: "Mirror-distrib"
- At first startup, machines in win.mit.edu apply group policy and install assigned MSI applications, which restart the computer after installation. Once this is done, WSH and Perl scripts assigned via group policy begin running.
- When a machine is booted up it looks locally for a script that synchronizes the local script and utility cache. If the script does not exist locally, it will run off a network path. Startup and logon scripts also run from a local copy as first preference but can run from the network copy as a fallback.
- The script that initially creates, then later synchronizes, the local script and utility cache with DFS is a Perl script called mirror-distrib.
- The local cache is in %ProgramFiles%\MIT\mirrordistrib. After the initial bootstrapping, when the cache is created, this script continues to run both at startup and daily as a Selfmaint job to propagate any updates to these scripts to client machines.
- To troubleshoot the bootstrap process, first check that the machine is in its proper container. If it is, run gpupdate /force and reboot, then check whether the default MSI installations succeeded. If the Perl MSI fails to install, mirror-distrib and other scripts cannot run.

Container maintenance: Scripts: Main Startup Script Operations
- Script operations are logged to the system Application log.
- Group policy tells the machine to check locally for the script, then run it from DFS if it is not found locally:
  - Example: myscript.pl; the GPO is set to run cmd.exe with these parameters:
    /c if exist "%programfiles%\mit\mirrordistrib\myscript.pl" ("%programfiles%\mit\mirrordistrib\myscript.pl") else (\\win.mit.edu\dfs\ops\distrib\myscript.pl)
- Startup scripts
  - Mirror-distrib (.pl):
    - Checks for the local script cache and creates it if necessary, otherwise syncs the contents with DFS
    - Adds the local cache directory to the system path if it is not already there
  - Startup (.wsf):
    - Sets a machine environment variable with the domain name
    - Checks if the machine is connected to MITnet and runs the following operations:
      - Checks if the machine is in the proper container
      - win.mit.edu remote event-log settings are enforced
      - win.mit.edu root password settings are enforced
      - win.mit.edu printer settings are enabled
      - Fix system path script is run
      - Local Administrator is denied access to the machine over the network
      - Tempjoin accounts are denied interactive logon
      - If not already set earlier by the populator service, the service principal name is set in AD
      - Athena sys variable is set for AFS compatibility
      - If the machine is not running Vista or higher, default root-of-C: drive permission lockdowns are enforced
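The cache bootstrap from the "Mirror-distrib" slide and the local-first, network-fallback resolution the cmd.exe parameters above express, as one added shell example (it is not MIT's mirror-distrib or startup script): mirror_distrib creates or refreshes a local cache from a DFS source directory, and resolve_script returns the cached path when it exists and the network path otherwise. Both directories are created under mktemp so it runs offline; on a real client they would be the DFS share and %ProgramFiles%\MIT\mirrordistrib.

```shell
#!/bin/bash
# Added example; not MIT's mirror-distrib. Directories are constructed
# under mktemp so the example runs offline.

# Sync DFS_DIR into CACHE_DIR: create the cache if missing, copy files that
# are absent or whose content differs, and remove cached files that no longer
# exist on DFS so a withdrawn script cannot keep running from the cache.
mirror_distrib() {
    local dfs=$1 cache=$2 f name
    mkdir -p "$cache"
    for f in "$dfs"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        cmp -s "$f" "$cache/$name" 2>/dev/null || cp -p "$f" "$cache/$name"
    done
    for f in "$cache"/*; do
        [ -f "$f" ] || continue
        [ -f "$dfs/${f##*/}" ] || rm -f "$f"
    done
}

# Print the path a startup GPO should execute for NAME: the cached copy if
# present, otherwise the DFS copy (the "if exist ... else ..." on the slide).
resolve_script() {
    local cache=$1 dfs=$2 name=$3
    if [ -f "$cache/$name" ]; then
        echo "$cache/$name"
    else
        echo "$dfs/$name"
    fi
}

# Demonstration: a fresh machine resolves to DFS first; after one sync the
# same lookup resolves to the local cache.
demo_bootstrap() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/dfs"
    echo 'print "v1\n";' > "$dir/dfs/myscript.pl"   # constructed script content
    resolve_script "$dir/cache" "$dir/dfs" myscript.pl
    mirror_distrib "$dir/dfs" "$dir/cache"
    resolve_script "$dir/cache" "$dir/dfs" myscript.pl
    rm -rf "$dir"
}

demo_bootstrap
```

Comparing content with cmp rather than modification time makes the sync deterministic regardless of filesystem timestamp resolution; the cost is one read of each file, which is acceptable for a small script directory.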

Container maintenance: Eventsyslogger and OS Groups
- The Eventsyslogger package is an MIT-developed MSI that is installed on all domain machines.
  - Eventsyslogger is a Windows syslog client that runs as a service under the SYSTEM account. Event logs are sent to a central syslog server; three default filters are set up by the installer and their settings are enforced by group policy.
  - Additional filters may be added, and logs from those filters can be sent to the syslog server of your choice. The application can be administered via a control panel.
- Description of the OS Groups service: a service named "OS Groups" runs as part of the Populator services. It automatically populates the following groups in Active Directory:
  - Win2KPro.group: machines running Windows 2000 Professional
  - Win2KSrv.group: machines running Windows 2000 Server
  - Win2K.group: machines running Windows 2000 Professional or Server
  - WinXPPro.group: machines running Windows XP Professional
  - WinSrv2003.group: machines running Windows Server 2003
  - WinVista.group: machines running Windows Vista
  - WinSrv2008.group: machines running Windows Server 2008
  - WinOther.group: machines running another OS or an unknown OS
  - Note: these are not Moira groups. They exist only in Active Directory.
- When a new machine enters the domain or an existing machine upgrades its OS, it is automatically added to the proper group. These groups can therefore be placed on access control lists in Active Directory. This is especially useful for GPO application and MSI software installation, and it eliminates the need for separate containers for XP Professional, Vista and Server 2003 machines.
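The filter-and-forward step a Windows-to-syslog client such as the one above performs, as an added shell example (it is not MIT's Eventsyslogger): each event record is matched against per-log filters, its Windows level is mapped to a syslog severity, and a BSD syslog line is produced. The deck only says three default filters exist, so the filter definitions, the "log|source|eventid|level|message" record layout, the level-to-severity mapping and the sample events are all assumptions made for this example; lines are printed rather than sent so it runs offline.

```shell
#!/bin/bash
# Added example; not MIT's Eventsyslogger. Filters, record layout and
# events are constructed for the example.

# Constructed filters: "<event log>:<comma-separated levels forwarded>".
FILTERS="Security:AuditFailure,AuditSuccess System:Error,Warning Application:Error"

# Map a Windows event level to an RFC 3164 syslog severity (0-7).
severity_of() {
    case $1 in
        Error)                    echo 3 ;;
        Warning|AuditFailure)     echo 4 ;;
        Information|AuditSuccess) echo 6 ;;
        *)                        echo 5 ;;   # notice for anything unrecognized
    esac
}

# True when LOG equals FILTER_LOG and LEVEL is one of the comma-separated LEVELS.
passes_filter() {
    local log=$1 level=$2 filter_log=$3 levels=$4
    [ "$log" = "$filter_log" ] || return 1
    case ",$levels," in *",$level,"*) return 0 ;; esac
    return 1
}

# Build one BSD syslog line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8 + severity.
format_syslog() {
    local facility=$1 severity=$2 stamp=$3 host=$4 tag=$5 msg=$6
    printf '<%d>%s %s %s: %s\n' "$((facility * 8 + severity))" "$stamp" "$host" "$tag" "$msg"
}

# Read "log|source|eventid|level|message" records on stdin and print a syslog
# line (facility local0 = 16, tag = event log name) for each that matches a filter.
forward_events() {
    local host=$1 stamp=$2 log source id level msg f sev
    while IFS='|' read -r log source id level msg; do
        for f in $FILTERS; do
            if passes_filter "$log" "$level" "${f%%:*}" "${f#*:}"; then
                sev=$(severity_of "$level")
                format_syslog 16 "$sev" "$stamp" "$host" "$log" "$source[$id]: $msg"
                break
            fi
        done
    done
}

# Constructed event records; the Informational Application event is not forwarded.
SAMPLE_EVENTS='Security|Microsoft-Windows-Security-Auditing|4625|AuditFailure|An account failed to log on
System|Service Control Manager|7034|Error|A service terminated unexpectedly
Application|MyApp|1000|Information|Started
Application|MyApp|1001|Error|Unhandled exception'

printf '%s\n' "$SAMPLE_EVENTS" | forward_events pc1 'Jan  1 00:00:00'
```

Filtering on the client is what keeps a central syslog collector useful: forwarding the Security log's audit events and only Error/Warning from the others gives the collector the logon-failure and service-crash signals without drowning them in informational noise.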

Container maintenance: Lab 2: Using Group Policy Management tools

User features: Logon
- Single sign-on
- User accounts via the Moira incremental
  - A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal.
  - Profile and home directory options are written to the user's account data along with office location, phone and email.
  - A random 127-character password is generated and stored in the user properties in Active Directory, so the password does not need to be propagated. Cross-realm authentication verifies the user's password directly against the MIT Kerberos KDCs.
  - A Windows service exists to refresh the random passwords every 30 days.
  - A web form exists to set the user's Windows password to a known value for use with special applications where required.
- To log on to a Vista computer with a local account, enter machinename\username in the username field.

User features: Web forms for users
- Change your Kerberos password: https://wserv.mit.edu/fcgi-bin/cpw
- Change your Active Directory password: https://wince.mit.edu/changepasswd/index.jsp
  - For users: under certain circumstances it might be necessary to set your native WIN domain password, but in most cases this is not necessary and should only be done when needed.
- Change profile and home directory options: https://wince.mit.edu/changeprofile/index.jsp
  - A user can change their default DFS roaming profile and home directory locations to a local profile and home directory, or to a path on a departmental server.

User features: Profiles and Home directories
- Default is a roaming profile in DFS
  - Configurable via web form
  - .winprofile (or .winprofile.V2) is created in the user's DFS home directory
  - Copied to the local drive at logon
- Drive H: is mapped to the user's DFS home directory
  - NTFS user quotas
  - Currently a 2 GB user quota by default
  - Previous Versions support. This is a self-service feature where users can retrieve old versions of files and folders up to 64 days back
  - Accessed over the network as needed
  - Used for folder redirection of the Windows home directory
  - The H:\WinData directory is created in DFS for redirected user data to minimize the amount of data that is copied at logon and logoff:
    - My Documents
    - Application Data
    - Favorites

Windows Vista: Default Vista Desktop
- When logging on with a domain account to a Vista machine for the first time, a default profile is downloaded from a network share.
- When logging on with a local machine account for the first time, the local profile is generated from the Default profile on the local computer. This is the Microsoft default Vista profile.
- When logging on with a domain account that does not use roaming profiles, the domain default profile will still be used. The logon scripts detect these cases and, if not already done, set the directory structure to the Microsoft defaults. Possible cases where this will happen are:
  - Disconnected operation
  - The account is set to local profiles via the web form
  - The container is set to local profiles only
- The ability to display the Aero interface will depend on the graphics card of the computer.
- Users will be able to enable Aero if supported by the hardware and the video driver.
- Profiles are no longer stored in the Documents and Settings folder; the new location is the Users folder off the root of the system drive.

User features: Folder Redirection: Windows XP
- By default, all users and machines use both roaming profiles and folder redirection.
- Computers download the default user profile from a DFS share.
- For the Windows XP environment, WIN.MIT.EDU redirects the following folders:
  - Application Data = H:\WinData\Application Data
  - My Documents = %HOMESHARE%\WinData\My Documents
  - My Pictures = %HOMESHARE%\WinData\My Documents\My Pictures
  - Favorites = %HOMESHARE%\WinData\Favorites
- %HOMESHARE% is the location of the user's home directory as specified by the user account properties in Active Directory. These properties are managed by Moira and can be modified via the change profile options web form.
- Machines opted into the disconnected operations laptop policy map H: to the local user profile in C:\Documents and Settings instead of the user's DFS home directory. These machines do not use roaming profiles.
- Users who used the change profile options web form to set their account to local profiles and no folder redirection see similar behavior to those who use machines covered under the laptop policy.

Windows Vista: Folder redirection
- By default, all users and machines use both roaming profiles and folder redirection.
- Computers download the default user profile from a DFS share.
- For the Windows Vista environment, WIN.MIT.EDU redirects the following folders:
  - AppData(Roaming) = %HOMESHARE%\WinData\Application Data
  - Contacts = %HOMESHARE%\WinData\My Documents\Contacts
  - Documents = %HOMESHARE%\WinData\My Documents
  - Downloads = %HOMESHARE%\WinData\My Documents\Downloads
  - Music = %HOMESHARE%\WinData\My Documents\My Music
  - Videos = %HOMESHARE%\WinData\My Documents\My Videos
  - Pictures = %HOMESHARE%\WinData\My Documents\My Pictures
  - Saved Games = %HOMESHARE%\WinData\My Documents\Saved Games
  - Searches = %HOMESHARE%\WinData\My Documents\Searches
  - Favorites = %HOMESHARE%\WinData\Favorites
  - Links = %HOMESHARE%\WinData\Favorites\Links
- The redirected paths for Vista were chosen so as to preserve the continuity of user experience from XP.
- Both XP and Vista share the same My Documents and Favorites folders; documents don't exist in two locations.
- If the user has chosen local profiles only via the web form, there will be no drive H: mapping.
- Folder redirection is disabled when the machine is logged into disconnected operations. If the machine is on MITnet when the user logs on, drive H: will be mapped to the user's network-based home directory. If the machine is not connected to MITnet at logon, there will be no drive H: mapping.

Windows Vista: Roaming Profiles
- Vista roaming profiles are not compatible with XP profiles. Microsoft added code in Vista to create a new profile directory in the user's home directory with a .V2 extension:
  - XP: H:\.winprofile
  - Vista: H:\.winprofile.V2
  - Each profile has its own desktop folder, e.g. XP's is H:\.winprofile\desktop
  - If you have certificates in your XP profile, you will still need to get them separately for Vista
- Desktop-Sync: in order to preserve consistency of the desktop files and shortcuts for users logging into both XP and Vista machines, WIN.MIT.EDU synchronizes the desktop folders of both profiles when a user logs on:
  - Files saved to an XP desktop will appear on the Vista desktop.
  - Files saved to a Vista desktop will appear on the XP desktop.
  - If a file is updated on one of the desktops, the other desktop will receive the updated version at the next user logon, regardless of which OS they log on to.
- Important! A cached roaming profile may only be deleted via the System control panel. If the files are deleted manually, the roaming profile will fail to load. To fix this, the relevant registry keys will have to be deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
- Upgrades: if a machine is upgraded to Vista, the upgraded cached copy of a roaming profile should be copied to a new folder via the System control panel and not used (more about this in the folder redirection topic).
  - A local logon should be used for the upgrade, and immediately after the upgrade, to rename the old cached profile.
  - Upgraded versions of non-roaming profiles can be preserved and do not need to be modified.
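The Desktop-Sync behaviour above, as an added shell example (it is not MIT's Desktop-Sync logon script): a newest-copy-wins two-way sync between the two desktop folders (XP: H:\.winprofile\desktop, Vista: H:\.winprofile.V2\desktop). A file present on one side only is copied across, and when both sides have it the newer modification time wins, which is how an update made on either desktop reaches the other at the next logon. The two directories are constructed under mktemp so it runs offline, and only regular files are handled, an assumption of this example.

```shell
#!/bin/bash
# Added example; not MIT's Desktop-Sync script. Desktops are constructed
# under mktemp.

# Bring one file name into agreement on both sides.
sync_pair() {
    local x=$1 y=$2
    if [ ! -f "$y" ]; then
        cp -p "$x" "$y"            # only on x: copy across
    elif [ ! -f "$x" ]; then
        cp -p "$y" "$x"            # only on y: copy across
    elif [ "$x" -nt "$y" ]; then
        cp -p "$x" "$y"            # x updated more recently
    elif [ "$y" -nt "$x" ]; then
        cp -p "$y" "$x"            # y updated more recently
    fi                             # equal mtimes: already in sync
}

# Sync every regular file found on either desktop (-p keeps mtimes equal
# after a copy, so a second pass is a no-op).
desktop_sync() {
    local a=$1 b=$2 f name
    mkdir -p "$a" "$b"
    for f in "$a"/* "$b"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        sync_pair "$a/$name" "$b/$name"
    done
}

# Demonstration on constructed desktops: one file unique to each side and one
# shared file whose Vista copy is newer (timestamps set explicitly).
demo_desktop_sync() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/xp" "$dir/vista"
    echo 'xp only'    > "$dir/xp/notes.txt"
    echo 'vista only' > "$dir/vista/todo.txt"
    echo 'old' > "$dir/xp/shared.txt";    touch -t 202001010000 "$dir/xp/shared.txt"
    echo 'new' > "$dir/vista/shared.txt"; touch -t 202001020000 "$dir/vista/shared.txt"
    desktop_sync "$dir/xp" "$dir/vista"
    cat "$dir/xp/shared.txt"          # the XP side now holds the newer copy
    ls "$dir/xp"                      # notes.txt shared.txt todo.txt
    rm -rf "$dir"
}

demo_desktop_sync
```

Newest-wins by modification time is simple but has no conflict detection: if the same file is edited on both desktops between logons, the older edit is silently overwritten, which is the trade-off the slide's description implies.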


Windows Vista: User Files Directory View
- The user's files folder is a programmatically merged view of the local cached profile and the redirected folders.
  - It is possible to see duplicate entries if a directory exists in each location.
  - We reported this to Microsoft, but no action was taken to remediate the issue.
- We implemented our own workaround to the user file view issue:
  - The default domain Vista roaming profile, which is the source for the cached profiles, has the folders that are redirected removed.
  - Users in the domain who use a local profile, either on a desktop by opting out of roaming profiles or on a computer opted into disconnected operation (laptop policy), have the removed directories recreated at logon when the profile is first created.
  - New logon scripts include logic to detect whether the user is roaming or not and create the directories if they do not exist.


Windows Vista: Changes to "AppData"
- In XP, all application data was redirected to the home directory.
- Vista still redirects most application data to the home directory, but now also stores some settings data and certificates in the roaming profile.
- In XP, non-roaming data was stored in the "Local Settings" directory.
- Vista stores non-roaming data in AppData\Local.
- Vista has a new store for low-integrity ("low security") data called AppData\LocalLow. This is used by IE running in Protected Mode. This data does not roam.


User features: Previous Versions
- Uses VSS (Windows Server 2003 Volume Shadow Copy Service) for user home directories
  - Point-in-time copies of files.
  - View, copy or restore files and folders as they existed at points of time in the past.
  - Recover files that were accidentally deleted or overwritten.
  - Compare versions of a file while working.
- Self-service file restore capability for the end user.
- Snapshots are taken daily at 4 AM.
- Versions from up to 64 days back are available.
- Shadow copies are read-only. You cannot edit the contents of a shadow copy.


User features: Scripts (Main Logon Script Operations)
- Group policy tells the machine to check locally for the script, then run it from DFS if it is not found locally. These checks are similar to startup scripts.
- Logon scripts
  - Logonbefore (.wsf) (only runs if the AFS client is installed and running)
    - Is launched by the AFS service before explorer.exe
    - Checks if the machine is connected to MITnet and runs the following operations:
      - Map drive Z: to \\afs\all
      - If specified in win.mit.edu AFS Settings, map the selected drive letter to the user's AFS home directory. Drive I: is commonly used.
  - Logonafter (.wsf)
    - Is launched by the operating system after explorer.exe
    - Checks if the machine is connected to MITnet and runs the following operations:
      - Checks if Windows XP home directory mapping should be turned off for disconnected operations (not needed for Vista)
      - Enforces win.mit.edu default machine printer settings if they are set
    - On XP, maps drive H: to the local profile if it is not mapped to any network-based home directory. This is for disconnected operations or the local profile option in the user profile options web form (XP only, not run for Vista).
    - Runs Desktop-Sync (covered in the Vista section)
    - Imports user Kerberos tickets from the MS LSA cache to the MIT Kerberos cache


Disconnected operation: Laptop support
- Requires opt-in of the machine or container via a web form.
- Domain-wide scripts have internal checks for network-based operations: they test for RPC availability to win.mit.edu over port 445, and if there is no connectivity the operation is skipped.
- If a machine boots with no network connectivity, the user logs on using their domain account with cached credentials.
- Roaming profiles and folder redirection are disabled for disconnected users; by default all files are saved to the local disk.
- When using disconnected operations with Vista, drive H: will not be mapped to the local profile as it is in XP. If the machine is connected to MITnet at logon, the drive will be mapped to the network home directory specified in AD.
- (XP only) People using laptops that are frequently used remotely over a broadband connection should install the MIT VPN client.
- (XP only) Note about Intel PROSet wireless management software: this software is currently packaged with many laptops, including those from Dell. We recommend that you uninstall this portion of the software via the Add/Remove Programs control panel for use with disconnected operations within win.mit.edu. While it is possible to set this software to use the Microsoft client to manage wireless connections, that setting won't be preserved across system reboots.
- To log on/off without the VPN we currently recommend that the laptop not be connected to the home network until after the Windows logon, so the operating system understands it is doing a disconnected logon. This can be done by disconnecting the network cable, or by using a function key to disable integrated wireless (F2 on most Dell laptops). This is because Windows detects network connectivity and attempts to authenticate with a domain controller. VPN logon can be started after reconnecting to the network.
- Vista users should disable IPv6 before using the MIT VPN client 5.0 or greater.
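The connectivity test that the logon scripts and the disconnected-operation slide both rely on, plus the resulting H: decision, as an added Python example (not the win.mit.edu logonbefore/logonafter scripts). The "is there RPC to win.mit.edu on 445" check is modelled as a TCP connect with a timeout, which is what it amounts to at the transport layer; the decision table covers the connected, disconnected and local-profile cases for XP and Vista exactly as the slides state them. The host constant is the one named on the slides; the timeout, the helper names, the UNC home path and the loopback listener used in place of a domain controller are assumptions made for this example.

```python
"""Logon-time MITnet connectivity test and the H: drive decision for XP versus Vista."""
import socket
import threading
from dataclasses import dataclass
from typing import Optional

DOMAIN_HOST = "win.mit.edu"   # host named on the slides; 445 is the port the scripts test
RPC_PORT = 445


def is_on_mitnet(host=DOMAIN_HOST, port=RPC_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.

    Every failure mode (name resolution, refused, filtered, timeout) counts as
    "disconnected": a network-dependent step is then skipped rather than left hanging.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class LogonPlan:
    roaming_profile: bool        # load the roaming profile from the home directory?
    folder_redirection: bool     # apply the redirected-folder policy?
    h_drive: Optional[str]       # what H: points at, or None for no mapping


def plan_logon(os_name, connected, local_profile_only, network_home, local_profile):
    """Decide profile handling and the H: mapping for one logon.

    os_name: "xp" or "vista"; connected: result of is_on_mitnet();
    local_profile_only: the user chose local profiles via the web form;
    network_home: UNC path of the AD home directory; local_profile: the cached profile path.
    """
    if os_name not in ("xp", "vista"):
        raise ValueError(f"unknown OS {os_name!r}")
    if not connected or local_profile_only:
        # Disconnected logon (cached credentials) or an opted-out user: no roaming profile,
        # no folder redirection, all files stay on the local disk. XP points H: at the local
        # profile so anything that expects H: still works; Vista leaves H: unmapped.
        return LogonPlan(False, False, local_profile if os_name == "xp" else None)
    # Connected roaming logon: H: is the network home directory from AD.
    return LogonPlan(True, True, network_home)


def _accept_one(listener):
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass


def demo_probe():
    """Probe a loopback listener (stand-in for a reachable DC), then the same port once closed.

    Constructed so the example runs offline; returns (reachable, unreachable).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_accept_one, args=(listener,), daemon=True)
    t.start()
    reachable = is_on_mitnet("127.0.0.1", port, timeout=2.0)
    t.join(timeout=2.0)
    listener.close()
    unreachable = is_on_mitnet("127.0.0.1", port, timeout=2.0)   # now refused
    return reachable, unreachable


if __name__ == "__main__":
    print("probe (reachable, unreachable):", demo_probe())
    # Hypothetical paths for illustration only.
    print(plan_logon("xp", False, False, r"\\server\home\jdoe", r"C:\Documents and Settings\jdoe"))
    print(plan_logon("vista", True, False, r"\\server\home\jdoe", r"C:\Users\jdoe"))
```

Treating every failure as "disconnected" is deliberate: a laptop at home that can resolve win.mit.edu but cannot reach port 445 must behave the same as one with the cable unplugged, which is also why the slide advises keeping the network down until after logon, so Windows does not half-detect a domain controller.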


RIS: Remote Installation Services
- Requirements
  - PXE support enabled for the subnet and in the computer BIOS
  - A Moira record should exist for the machine and already be mapped to a container
  - If reinstalling, the previous computer object in Active Directory must be removed
  - Tempjoin credentials are used for the installation
- Execution
  - Boot with the Network Boot option (using F12)
  - Access to Windows XP images by default; there is an ACL for Server 2003 images
  - Machines automatically join the domain
- RIS info
  - RIS will format and install the OS on the first physical disk
  - Images exist for particular Dell and IBM models
    - If a new model is commonly used, a new image can be requested
    - Generic images exist as well that can be used for virtual machines
  - WDS (Windows Deployment Services) will soon replace RIS. WDS will support Vista and Server 2008


User features: Lab
- Lab 3: Using Previous Versions on the Home directory
- Lab 4: Desktop Sync


Server Security Recommendations: Common security policies to implement for servers
- Logon restrictions: Computer Configuration/Windows Settings/Security Settings/User Rights Assignment
  - Allow logon through Terminal Services: generally restricted to the local Administrators group
  - (Allow) Log on locally: generally restricted to the local Administrators group, but sometimes a service account may require this right depending on the application
  - Deny logon through Terminal Services: it is recommended to deny the local Administrator account logon over Terminal Services. This way, the local Administrator account can only be used when physically in front of the machine. We already deny this account access to the machine over the network; this setting is a logical extension of the same precaution.
  - Do not use groups or well-known security principals without understanding their scope:
    - Authenticated Users, which includes both local and domain users, but not anonymous
    - Local Users, which by default includes the Domain Users group
- Always implement the Windows Firewall and only open necessary ports to relevant subnets
- If possible, implement Microsoft IPSec
- Resource management and administration
  - Use NTFS ACLs, not share permissions, for more granular security
    - Use one or two top-level shares and set NTFS ACLs on the sub-folders instead of creating many shares
    - Avoid disabling inheritance, as it tends to yield unexpected results if not well documented
    - Avoid granting Full Control (which allows users to change permissions) over resources; use the Modify right
  - Use local groups containing Moira groups, or at least Moira groups, on NTFS ACLs
    - Do not assign NTFS permissions or rights to users directly; use group membership
    - When a user leaves the department, rights can be easily removed by removing their group memberships in Moira


Server Security Recommendations: Least Privilege Access & Minimize Attack Surface
- Least Privilege Access (Authorization)
  - Security principle
    - Assign only the necessary permissions to application service accounts; refrain from granting Administrator privileges if possible
    - Limit the rights granted to an account; use multiple accounts for different services
    - Limit how application service accounts can be used:
      - deny logon interactively
      - deny logon through Terminal Services
      - only allow logon to specific computers
- Minimize Attack Surface
  - Ensure machines are up to date on patches (using WSUS)
  - Disable all unnecessary services (using group policies)
  - Only open necessary ports to appropriate networks (using a combination of IPSec and the Windows Firewall), or use a hardware firewall if necessary
  - Utilize encryption, such as SSL for HTTP (HTTPS) on web servers or IPSec for other applications
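A way to verify that a server actually carries the logon restrictions from the two preceding slides (local Administrator denied Terminal Services and network logon, Terminal Services logon limited to Administrators, no broad principals granted interactive logon, service accounts denied interactive and Terminal Services logon), as an added Python example and not an IS&T tool. On the server the input comes from `secedit /export /cfg C:\secpol.inf /areas USER_RIGHTS`; the file is UTF-16, so open it with `encoding="utf-16"` and pass the text to `audit_logon_rights()`. The two policy texts embedded below are constructed for the example, the machine SID prefix in them is invented, and `svc_backup` is a hypothetical service account; the weak export is shown beside a hardened one that passes every check.

```python
"""Audit a secedit user-rights export against the logon-restriction recommendations."""
import configparser
import re

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"
AUTHENTICATED_USERS = "S-1-5-11"
EVERYONE = "S-1-1-0"
BROAD = {BUILTIN_USERS, AUTHENTICATED_USERS, EVERYONE}   # never grant these logon rights blindly

# Constructed secedit export of a weakly configured server (not from a real MIT machine).
# S-1-5-21-1111-2222-3333 is an invented machine SID; RID 500 is the local Administrator.
WEAK_POLICY = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeInteractiveLogonRight = *S-1-5-32-544,svc_backup
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-500
SeDenyRemoteInteractiveLogonRight = svc_backup
SeDenyInteractiveLogonRight = svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same server after applying the recommendations: Remote Desktop Users removed from the
# Terminal Services allow right, local Administrator added to the Terminal Services deny right.
HARDENED_POLICY = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-500
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-500,svc_backup
SeDenyInteractiveLogonRight = svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section.

    secedit writes well-known accounts as *SID and others by name; the leading '*' is
    stripped so SIDs and names can be compared uniformly with the caller's list.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str                       # keep the SeXxx capitalisation
    cp.read_string(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def _is_local_admin(principal):
    # RID 500 under a machine or domain SID: S-1-5-21-<three sub-authorities>-500
    return re.fullmatch(r"S-1-5-21(-\d+){3}-500", principal) is not None


def audit_logon_rights(text, service_accounts=()):
    """Return a list of findings; an empty list means every recommendation is in place."""
    rights = parse_privilege_rights(text)
    get = lambda name: rights.get(name, set())
    findings = []
    if not any(_is_local_admin(p) for p in get("SeDenyRemoteInteractiveLogonRight")):
        findings.append("local Administrator is not denied logon through Terminal Services")
    if not any(_is_local_admin(p) for p in get("SeDenyNetworkLogonRight")):
        findings.append("local Administrator is not denied network logon")
    extra = get("SeRemoteInteractiveLogonRight") - {BUILTIN_ADMINISTRATORS}
    if extra:
        findings.append("Terminal Services logon granted beyond Administrators: " + ", ".join(sorted(extra)))
    for right in ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight"):
        broad = get(right) & BROAD
        if broad:
            findings.append(f"{right} granted to broad principal(s): " + ", ".join(sorted(broad)))
    for acct in service_accounts:
        for right in ("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"):
            if acct not in get(right):
                findings.append(f"service account {acct} missing {right}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_logon_rights(text, service_accounts=("svc_backup",)) or ["ok"])
```

The service-account check is what enforces "deny logon interactively / deny logon through Terminal Services" from the least-privilege slide; "only allow logon to specific computers" is an account property (Log On To) in Active Directory rather than a local user right, so it does not appear in a secedit export and is not checked here.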


Server 2003 Security Recommendations: Windows Firewall
- Supports
  - Available on Windows XP SP2, Server 2003 SP1 and higher
  - Can be configured to block incoming connections
  - Allows exceptions based on ports (UDP/TCP) and applications
  - Can apply to all or some network connections
  - Scopes to limit exceptions to specified hosts or subnets
- Limitations
  - Cannot create an exception for a range of ports (but a host/subnet scope can be defined)
  - Only blocks incoming, not outgoing, traffic (outgoing traffic blocking is available in Windows Vista/Server 2008)
- Domain defaults
  - For Windows XP we use the Microsoft default: the firewall is on
  - Where it is not on by default, the firewall can be enabled by setting Computer Configuration/Administrative Templates/Network Connections: "Prohibit use of Internet Connection Firewall on your DNS domain network" = Disabled. The firewall can then be configured locally or via group policy.
  - Vista's default firewall settings depend on the location chosen when the network was first set up (Home, Work or Public). Due to the nature of the MIT network, Public is the recommended selection.


Server 2003 Security Recommendations: IPSec Features
- Microsoft IPSec has been a built-in component since the release of Windows 2000. It can be used to create an encrypted channel between two machines, or it can be leveraged to implement simple IP-based block/allow policies.
- Encrypted channels can be established with either Kerberos V5 authentication or a pre-shared key. 3DES is used by default when doing Kerberos authentication.
- Policies can be configured either to try to establish a secure channel but fall back to unprotected traffic if the peer does not support IPSec, or to enforce secure-channel communications only. Note that the fall-back mode gives no protection against a peer (or an on-path attacker) that simply declines to negotiate.
- The most common use of IPSec is the IP-based block/allow rules. Rules can be host- or subnet-based, and can cover all traffic or only specific ports or protocols.
- An IPSec implementation consists of policies that contain rules, which are based on filter lists and filter actions.
- IPSec policies can be created and assigned locally, imported from and exported to a file, or assigned through group policy.
- Assigning an IPSec policy via group policy must be done via a request to the network team.


Server 2003 Security Recommendations: IPSec filters and policies
- IPSec can be managed locally on a computer using the IP Security Policy Management MMC snap-in.
- Multiple policies and filter lists may be stored on a machine, but only one policy at a time may be assigned.
- Leaving the Default Response rule enabled opens port 88 for Kerberos. If not using Kerberos to authenticate for an encrypted channel, this rule may be disabled.
- A rule may have only one filter action assigned, but its filter list may contain multiple filter items to control multiple host, subnet and protocol connections.
- Filter items which require the same filter action should be grouped into one filter list where possible.
- Group policy assignments override local IPSec policy assignments.
- Avoid reusing filter lists across multiple policies, since the local machine stores each filter list once: editing a filter list while building one policy changes it for every other policy that references it.
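The policy / rule / filter list / filter action structure from the two IPSec slides, modelled in Python as an added example (this is not Microsoft's IPSec driver or any IS&T code). The point it demonstrates is the one that catches most administrators building block/allow rules for the first time: Windows does not apply filters in the order you typed them but gives precedence to the most specific matching filter, so "block TCP/445 from anywhere" and "permit TCP/445 from one subnet" coexist in one policy without any ordering. The model also refuses to decide when two filters of equal specificity disagree, since that is a policy error rather than something to resolve silently. Specificity here is a simplified ranking (prefix length, then protocol, then port); the subnet, host and port numbers in `sample_policy()` are constructed for the example.

```python
"""Model of Windows IPSec block/allow filtering with most-specific-filter precedence."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"   # the three filter actions


@dataclass(frozen=True)
class FilterItem:
    source: str = "0.0.0.0/0"           # any source; a single host is written as /32
    protocol: Optional[str] = None      # "tcp", "udp", or None for any protocol
    dst_port: Optional[int] = None      # None for any destination port

    def matches(self, src_ip, protocol, dst_port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def specificity(self):
        # A longer prefix, a named protocol and a fixed port each make the filter more specific.
        return (ipaddress.ip_network(self.source).prefixlen,
                self.protocol is not None, self.dst_port is not None)


@dataclass
class Rule:
    name: str
    action: str                                    # exactly one filter action per rule
    filters: list = field(default_factory=list)    # the rule's filter list


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, src_ip, protocol, dst_port, default=PERMIT):
        """Action for one inbound packet: the most specific matching filter decides.

        With no matching filter IPSec does nothing, so traffic passes (default=PERMIT).
        Two matching filters of equal specificity with different actions raise ValueError.
        """
        matches = [(f.specificity(), rule.action, rule.name)
                   for rule in self.rules for f in rule.filters
                   if f.matches(src_ip, protocol, dst_port)]
        if not matches:
            return default
        top = max(m[0] for m in matches)
        winners = {m[1] for m in matches if m[0] == top}
        if len(winners) > 1:
            names = sorted(m[2] for m in matches if m[0] == top)
            raise ValueError(f"filters of equal specificity disagree: {names}")
        return winners.pop()


def sample_policy():
    """A file server policy built the way the slides recommend (constructed addresses).

    SMB is blocked from everywhere except an example departmental /16, and Remote Desktop
    is blocked from everywhere except one example admin workstation.
    """
    return Policy("file-server-example", [
        Rule("Block SMB from anywhere", BLOCK, [FilterItem(protocol="tcp", dst_port=445)]),
        Rule("Permit SMB from department subnet", PERMIT, [FilterItem("18.7.0.0/16", "tcp", 445)]),
        Rule("Block RDP from anywhere", BLOCK, [FilterItem(protocol="tcp", dst_port=3389)]),
        Rule("Permit RDP from admin workstation", PERMIT, [FilterItem("18.7.21.5/32", "tcp", 3389)]),
    ])


if __name__ == "__main__":
    p = sample_policy()
    for pkt in (("18.7.21.5", "tcp", 445), ("18.9.1.1", "tcp", 445),
                ("18.7.21.6", "tcp", 3389), ("18.9.1.1", "udp", 445)):
        print(pkt, "->", p.evaluate(*pkt))
```

Two of the sample packets are worth noticing: UDP/445 from outside the subnet is permitted, because the block filter names TCP only, and TCP/80 from anywhere is permitted because nothing matches it at all. Both are the expected IPSec behaviour, and both are why the slides pair IPSec block/allow rules with the Windows Firewall rather than relying on either alone.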


Server 2003 Security Recommendations: Using the MIT Windows Update Services
- Overview
  - Currently running Microsoft WSUS 3.0
  - Internal repository of patches synchronized with Microsoft
  - Only patches approved and tested by IS&T are available through WSUS
  - Applied by default on all WIN.MIT.EDU machines: auto download and auto install
  - (Diagram: F5 load balancers in front of the WSUS servers)
- Options
  - Domain default: Option 4, auto download and auto install, any day at 2:00 AM
    - Action: nothing
    - Usually good for simple file and print servers and simple web servers
  - Custom setting: Option 4, auto download and auto install on a custom schedule
    - Action: set Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 4 (Auto download and schedule the install), and set the custom schedule below it
  - Custom setting: Option 3, auto download and notify for install
    - Action: set Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates to Option 3 (Auto download and notify for install)
  - Do not set or reset the WSUS server name; this is already done
  - When using Option 3, a balloon notification appears when new patches are available
    - Patch install can be run manually from this interface
    - If the administrator wishes, certain patches may be skipped using the client interface


Windows Vista: Connecting via Remote Desktop
- Similar to disconnected operations, IS&T is awaiting a hotfix from Microsoft that will remove the requirement of using the UPN (user principal name, i.e. username@REALMNAME) format to connect via Remote Desktop. This issue was resolved when IS&T worked with Microsoft on XP SP1 and the fix was rolled into SP2. Unfortunately, this code was not ported to the Vista release and we are awaiting the Kerberos regression hotfixes from Microsoft to be re-released for Vista.
- The Remote Desktop client will not store the UPN format (under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers) when it makes connections to Vista machines the way it does for XP and 2003. We are reporting this behavior to Microsoft as well.
- The Windows Aero interface cannot be displayed over Remote Desktop.


Windows Server 2008
- Support in WIN.MIT.EDU
  - Computers running Server 2008 may be joined to Active Directory
  - Support for OS groups has been added for software installation assignments
- Behavior of roaming profiles and folder redirection is the same as Vista
  - The .winprofile.V2 directory used by Vista is also used by Server 2008
- Disable IPv6
  - Like Vista, Server 2008 enables IPv6 by default. We recommend that IPv6 be turned off for network connections on MITnet.
- Like Vista, requires activation
  - Vista uses DNS-based KMS activation for volume media for computers within MITnet. DNS-based activation will be integrated for Server 2008 during the Spring term. In the interim, activation may be done manually:
    - c:\windows\system32\slmgr.vbs -skms 2008.mit.edu
    - c:\windows\system32\slmgr.vbs -ato


Looking forward for 2009
- Continued deployment and enhancements to Altiris
  - Hardware and software inventory and asset management (current)
  - Software deployment via task scheduling (planned)
- WDS: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Microsoft Windows operating systems, particularly Windows Vista and Windows Server 2008.
- McAfee ePolicy Orchestrator (ePO): ePO is an integrated management platform that manages the security needs of your client computers
  - Web console, deployment of McAfee agents, DATs and McAfee products, configuration policy manager, reporting


Security and using Server 2003: Lab
- Lab 5: Using IPSec and the Windows Firewall