UNCLASSIFIED
DIA/DODIIS Implementation of Microsoft Technology
JEDI for Windows
JEDI PMO Comm: 315-330-7657 • DSN: 587
Email: jedi@rl.af.mil

OBJECTIVE
• Provide a brief overview of the Windows 2003 implementation & lockdown in the Defense Intelligence community
• Why a DoDIIS Baseline?
• Who Is Building It?
• Workstation Baseline
• Server Baseline
• Provide points of contact
Why a DoDIIS Baseline?
• Facilitate FSD / dodiis.ic.gov; the DoDIIS Enterprise
• Provide a well-engineered reference implementation
  • DoDIIS Integrators Guide compliant
  • ITA Certified
  • Fully documented, including SSAA package
• Promote interoperability through common core tools
• Provide a common baseline target for integration, testing, and deployment of mission apps
• Set a precedent for JWICS that can be shared for use on other DoD and coalition networks
• Reduce duplication of similar integration / security work

Who Is Building It?
DoDIIS Baseline Charter MOA, signed 21 Mar 05 (DIA CIO, ONI-4, JEDI PM).
• DIA Global Enterprise Services (GES) roles: Windows Server builds, documentation, DoDIIS FSD guidance
• AFRL/JEDI roles: security templates (DCID 6/3 & DITSCAP), JEDI tools, deployment support to sites
• ONI-4 roles: Windows Terminal Server build, Windows XP client build
• JDISS JPO roles: testing & CM support, ITA / RITF certification support, deployments to Joint and Allied customers
• Microsoft and Citrix COTS foundation!
DoDIIS Baseline Components
• Windows 2003 Server Builds / Configurations
  • Member Server
  • Domain Controller
  • MS Exchange 2003 Server
  • Windows Terminal Server (WTS)
  • Internet Information Server (IIS)
  • SharePoint Server
• Windows XP Professional (SP2) Build
  • Thick Client / Standalone / Laptop – all the same build
  • Includes the DoDIIS Core Applications set (listed on the next slide)
  • Will supersede the JDISS v4.X Baseline
• All builds implement JEDI security templates
• All builds up-to-date on service packs and hot fixes

DoDIIS Core Applications (Windows XP Professional OS, Service Pack 2)
• Adobe Acrobat Reader v6.0.2
• Adobe SVG Viewer v3.0.1
• Apple QuickTime v6.5
• JEDI Security / Utilities v2.0
• Macromedia Flash v7.0.1.9.0
• Macromedia Shockwave v10
• mIRC v6.1.6 Chat
• MS Internet Explorer v6.0
• MS .Net Framework v1.1
• MS Media Player v10.0
• MS Messenger v5.0
• MS Office 2003 Prof. Ent. (SP1)
• Netscape Communicator v7.2
• RealPlayer v10.0
• Sentinel Client Activator v2.2
• Sentinel License Manager v7.2
• Symantec AntiVirus Corp v9.0.1
• Windows Support Tools
• MS MDAC v2.8
• MS Remote Desktop
• MS Windows Installer v3.0
• MS Visio 2003 Viewer
• MSXML v4.0 (SP2)
• I2 Link Chart Reader v6.0
• NicMak WinZip v9.0
• Sun JRE v1.4.2_06
• Kixtart Scripting Language
• USAF NT Toolbox v2.01
• Outlook Classification Tool Build 21
• WS_FTP (LE version)
XP Desktop Build Details
• Windows XP unattended install with SP2 slipstreamed and automatic kickoff of the automated build script
• Build script written in VBScript
• Ensures each baseline build is identical, facilitating better enterprise management of patches and application deployment
• Automation checks all return codes from silent installs and reports any errors
• All DoDIIS Core applications installed with built-in silent mechanisms or packaged to be silent

Server Build Details
• Microsoft Windows Server 2003 OS
• IAVA patches
• JEDI Security Templates and Tools
• WinZip
• Symantec Antivirus
• Tested hardware: HP DL580 and HP DL380
• Standard automated build script for Windows 2003 Member Server
• Automation of Domain Controllers, Exchange, WTS/CITRIX, SharePoint, and IIS is underway
• OPSWARE to maintain patches and track changes

Enterprise Management
• OPSWARE (W2K3 Server Management)
• SMS Server 2003 (XP Management)
  • Application Deployment
  • Software Update Services (SUS) patches
• Group Policy Software Restrictions
• Application ADM Templates
• Citrix Installation Manager (WTS Server Management)

Availability
• Late Summer or Fall 2005
• Undergoing ITA certification, notionally this Summer
• How to get Media & Documentation…
  • JDISS JPO will distribute media and documentation for both server and workstation components of the DoDIIS Baseline
  • Order media on-line via the JDISS Web Site on JWICS: http://jdiss.nmic.ic.gov
  • Download documents, patches, and mission applications via the JDISS Web Site
  • Note: Cannot download DoDIIS Baseline infrastructure (i.e. WinXP / 2003 Baseline)
WHAT IS JEDI?
The DIA-sponsored Joint Enterprise DoDIIS Infrastructure (JEDI) program was a joint effort between DIA, Microsoft and the Air Force to rapidly deploy a highly secure Windows infrastructure baseline within the defense intelligence community.
JEDI provides:
• Common Security and Infrastructure Baseline to meet the requirements of the DoDIIS community
• Secure, cross-platform, interoperable communications and enterprise management
• Helps achieve DCID 6/3 compliance (PL2 HI HA)
• DoDIIS Tested & Approved Baseline of Tools and Services
• DEC/DoDIIS Certificate to Field
• On-site Installation and Integration Assistance (GDIP Sites)
• Easy installation via Microsoft RIS install capabilities or disk cloning

JEDI 2.1 FOR WINDOWS
• Supports W2K, XP, and Windows 2003 Server
• CERTIFIED, v. 2.0 fielding now
• Security Baseline
  • Based on NSA STIGs for 2000 and XP
  • W2K3 lockdown based on Microsoft/DIA/JEDI collaboration
• Additional Tools
  • Graphical Configuration Utility (MMC Plug-Ins) for utilities
  • Secure Print Utility: PostScript, PCL & duplexing
  • COTS “DeviceLock” Lockout
  • DoDIIS FSD Integration
• Improved Installation GUIs
• Improved Documentation

INVESTMENT TEAM
• Program Manager: Dr. Ryan Durante, Ph.D., MCSE, CISSP, APDP Level III
• Deputy Program Manager: 1 Lt Brian Chapeau, MCSE, CISSP
• Chief Engineers:
  • Mr. Norm Leach, GS-12, MCSE, APDP Level III
  • Mr. Kevin Dyer (NG-DMS)
  • Mr. Doug Massey (NG-DMS)
• Executive Agent: Air Force C2ISR Center
• Technical Team: AFRL/IFEB
• Contractors: NG-DMS, MITRE, BAE, BAH, SI, C3I

JEDI 2.1 IN THE RSC
• JEDI provides the security infrastructure for the Defense Intelligence community
• J2W provides the RSC server security baseline build
• J2W will provide the RSC client infrastructure build for fat clients
• J2W is providing the infrastructure baseline to JDISS and DIA
COMMUNITY SUPPORT • US State Department • US Department of Energy, Los Alamos National Labs • DPOC • DCGS 10.2 • JDISS • AF Mobile Command & Control Center (MCCC) • JASSM • IBS • NIMA International Sites • Army (37 sites) • JBC • GUARDRAIL • JSIMS • SPAWAR • USAFE • 7th AF • Transformation Center • AOC WS • JEFX-04 • USTRANSCOM • USPACOM • USEUCOM • USJFCOM • USSOUTHCOM • USSOCOM • USNORTHCOM • USSTRATCOM • USSTRICOM • Goodfellow AFB • FORSCOM • AFSOC • GISA • ONI-53 • PASS-K • PASS-E • PASS-J • Airborne Common Sensor (ACS) • Targets Under Trees (TUT) • Marine Corps Intelligence Activity (MCIA) • Air Force Combat Climatology Center (AFCCC) • M3 • COMNAVSPECWARDEVGRU • National Ground Intelligence Center (NGIC) • USA - Information Assessment Test Tool (IATT) • 480th Intelligence Group • DES&S • USA JTC/SIL, Redstone Arsenal • NSA WARGODDESS • USA Special Operations Command (SASOC, DCS, G-2, AOIN-SEA)
COMMUNITY SUPPORT • CENTAF-AUAB/TBMCS at Al Udeid Qatar • Jaycor at Albuquerque NM • Titan Systems at Albuquerque NM • Assurance Technology Corporation at Alexandria VA • Virtual Technology Corp at Alexandria VA • Veridian System at Ann Arbor MI • Raytheon at Annapolis Junction MD • SAIC at Arlington VA • AFCCC at Asheville NC • NGIT at Baltimore MD • 13 IS at Beale AFB CA • 48 IS at Beale AFB CA • 9 IS at Beale AFB CA • DGS-2 at Beale AFB CA • ITEK at Beale AFB CA • MITRE at Bedford MA • NGIT at Bellevue NE • AFIAA at Bolling AFB DC • DIA at Bolling AFB DC • JIVA at Bolling AFB DC • Data Exploitation RDDC/DRDC at Canada • NIMA at Chantilly VA • Veridian System at Chantilly VA • SPAWAR at Charleston SC • CTA Inc. at Colorado Springs CO • Lockheed Martin at Colorado Springs CO • ManTech Aegis Research Corporation at Colorado Springs CO • NGIT at Colorado Springs CO • Raytheon at Dallas TX • NSWDG at Dam Neck, VA • 66MI at Darmstadt Germany • 612 AIS/INY at Davis Monthan AFB AZ • NAIC at Dayton OH • SAIC at Dayton OH • Lockheed Martin at Denver CO • Defence Science & Technology Organisation at Edinburgh Australia • 53 CSS/SCN at Eglin AFB FL
COMMUNITY SUPPORT • Raytheon at El Segundo CA • BTG - JSIMMS at Fairfax VA • Titan - IBS at Fairfax VA • Titan Systems / RIS at Fairfax VA • Raytheon at Falls Church VA • JSIMS at Felts Field FL • I2WD / Army at Fort Monmouth NJ • ISSO at Fort Washington MD • HQ US Army INSCOM at Ft Belvoir VA • GISA at Ft Bragg NC • Ft Buchanan PR • Army OTC at Ft Hood TX • FORSCOM at Ft McPherson GA • 694 SPTS/SCBNS at Ft Meade MD • Prophet at Ft Monmouth NJ • Ft Shafter HI • DIA at Ft Washington MD • GLACIER at GLACIER • Lockheed Martin at Gaithersburg MD • Raytheon at Garland TX • 17 CS/SCBBA at Goodfellow AFB TX • 17TRG at Goodfellow AFB TX • 17TRSS at Goodfellow AFB TX • AETC at Goodfellow AFB TX • Northrop Grumman at Goodfellow AFB TX • Lockheed Martin at Goodyear AZ • Modern Technology Corporation at Hampton VA • ESC at Hanscom AFB MA • ESC/IN at Hanscom AFB MA • ESC/SR at Hanscom AFB MA • Blackbird Technologies at Herndon VA • 56th IWF at Hickam AFB HI • PACAF PAS at Hickam AFB HI • PACAF PAS at Honolulu HI • PEO Air & Missile Defense at Huntsville AL • US Army Threats System Management at Huntsville AL • HQ AFSOC at Hurlburt Field FL
COMMUNITY SUPPORT • INS Office of HQ AFSOC at Hurlburt Field FL • Lockheed Martin at King of Prussia PA • AFRL at Kirtland AFB NM • Phillips Lab at Kirtland AFB NM • 10TH IS at Langley AFB VA • 27IS at Langley AFB VA • 27IS/INYN at Langley AFB VA • 27IS/INYO at Langley AFB VA • 480 IG at Langley AFB VA • 480 IG/SCTM at Langley AFB VA • 83 CS at Langley AFB VA • ACC / INSC at Langley AFB VA • ACC INYS at Langley AFB VA • AFC2ISRC at Langley AFB VA • CAOC-X at Langley AFB VA • ESC / AC - OL - L at Langley AFB VA • ITEK at Langley AFB VA • SAIC at Langley AFB VA • Unknown at Langley AFB VA • Northrop Grumman at Linthicum MD • 123IS/SC at Little Rock AFB AR • Lockheed Martin at Littleton CO • RAF Storm Shadow Implementation Team at London UK • USCENTCOM at MacDill AFB FL • USSOCOM at MacDill AFB FL • Harris Corporation at Melbourne FL • BAE Systems at Newington VA • ESCS RHG/DCGS at Newport News VA • 20IS at Offutt AFB NE • 55 MCCS at Offutt AFB NE • 55th MCIS at Offutt AFB NE • AFWA at Offutt AFB NE: 5 • General Dynamics - Decision Systems at Orlando FL • JSIMS at Orlando FL • Lockheed Martin at Orlando FL • NGIT (JSIMS/WARSIM) at Orlando FL
COMMUNITY SUPPORT • US Army/STRICOM at Orlando FL • 607th Air Intelligence Squadron at Osan AFB ROK • 7 IWF AIA/ACC at Osan AFB ROK • 751 CS at Osan AFB ROK • National Defence at Ottawa ON CAN • Radar Applications and Space Technologies at Ottawa ON CAN • 4CACS/MAOSO at Peterson AFB CO • USSPACECOM/NORTHCOM at Peterson AFB CO • Lockheed Martin at Philadelphia PA • Epoch Software at Phoenix AZ • JAC at RAF Molesworth UK • BAE Systems at Ramstein AB GE • HQ USAFE at Ramstein AB GE • USAFE CSS at Ramstein AB GE • USAFE ESS at Ramstein AB GE • USAFE IFSA at Ramstein AB GE • NGIT at Redding MA • 152 Intelligence Squadron (IS) at Reno NV • Lockheed Martin at Reston VA • NIMA at Reston VA • Warner-Robins Air Logistics Center at Robins AFB GA • BAE Systems at Rome Research Site NY • Dolphin Technology Inc. at Rome Research Site NY • TWR at Sacramento CA • L-3 Communications at Salt Lake City UT • L-3Com at Salt Lake City UT • BAE Systems at San Diego CA • BAE Systems, Mission Solutions at San Diego CA • Booz Allen Hamilton at San Diego CA • SPAWAR at San Diego CA • Lockheed Martin at San Jose CA • General Dynamics - Decision Systems at Scottsdale AZ • ASPO Depot at Seal Beach CA • General Dynamics at Seal Beach CA • 609 AIS/GD at Shaw AFB SC: 3
COMMUNITY SUPPORT • Raytheon at State College PA • Joint Warfighting Center at Suffolk VA • ONI at Suitland MD • CENTCOM J2 at Tampa FL • General Dynamics at Tempe AZ • General Dynamics at Thousand Oaks CA • General Dynamics Advanced Information Systems at Thousand Oaks CA • Thundercloud • Davis-Monthan AFB at Tucson AZ • Titan Systems at Tysons Corner VA • MITRE at Unknown • Lockheed Martin at Valley Forge PA • Vandenberg AFB CA • Titan Systems at Virginia Beach VA • MAOSO at Warren AFB WY • DIA at Washington DC • Lockheed Martin at Washington DC • Marine Corps Intelligence Activity (MCIA) at Washington DC • NGIT at Washington DC • NIMA at Washington DC • NMIC at Washington DC • Veridian System at Washington DC • ASC/RAB at Wright-Patterson AFB OH • NAIC at Wright-Patterson AFB OH • NAIC/DXMS at Wright-Patterson AFB OH • SAIC at Wright-Patterson AFB OH • 374 CS at Yokota JP • Titan Systems at Yorktown VA • 160th Special Operations Aviation Regiment, Ft. Campbell, KY
CUSTOM INSTALLATION
• New & improved installation interface
• Wise Installer based
• More granular level of control; allows trusted users maximum control
• msi packaged for easy installation

JMC (Management Console)
• JEDI Management Console (JMC) Snap-In is installed within the Microsoft Management Console (MMC)
• A standard, centralized interface for JEDI configuration

CLEAR TEMP (Utilities)
Clear Temp Tool
• Ensures that no data is left in any unsecured directories
• Deletes all files in designated directories upon each user logout, and optionally upon user
• Automatically executes the MS Disk Cleanup tool
Disk Cleanup Tool
• Microsoft Disk Cleanup tool (cleanmgr.exe)
• Scans a designated drive or location & removes all instances of particular file types

DEADMAN (Utilities)
• Monitors and restricts access after a specified period of inactivity
• Tracks the length of time a system is left idle
• Performs actions to secure the system from unauthorized access:
  • Displays a secure screensaver
  • Notifies the user of pending timeout
  • Sends a notification via email
  • Terminates the current session
  • Runs a custom script or batch file

EVENT BACKUP (Utilities)
• Collects logs from Windows systems across a domain for storage in a central location
• Copies the log files from each system and optionally clears the original logs
• Fully configurable

ISD (Utilities)
• Infrastructure Service Daemon
• Maintains and administers the JEDI Windows system from a JEDI Solaris administrative system
• Allows the Windows system to accept communications only from authorized Solaris hosts
• Automatically executes at system startup as a service

LOGON CONSENT (Utilities)
• Requires authenticated users to agree to a legally binding monitoring and usage agreement before gaining system access
• Audit records are produced with each user action
• Customizable based on site requirements
PASSWORD FILTER (Utilities)
• Strengthens password integrity through the enforcement of password construction rules
• Configurable to enforce additional password restrictions
• Gives the ability to create a custom dictionary file
• Meets new AR 25-2 requirements
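The rule logic behind a password filter with a custom dictionary, as an added example that is not the JEDI Password Filter and does not reproduce its actual rules. On Windows the enforcement point is a filter DLL that LSA loads from its Notification Packages list; this script only shows the construction checks and dictionary lookup, and the threshold values and the sample dictionary are constructed for illustration rather than taken from AR 25-2.

```powershell
# Added example (not JEDI code). Assumed rules, chosen for illustration:
#   at least 14 characters, all four character classes, no run of three identical
#   characters, the account name must not appear, and no word of 4+ characters from
#   the site's custom dictionary may appear (case-insensitive substring match).
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$Dictionary = @()
    )
    $reasons = @()
    if ($Password.Length -lt 14)            { $reasons += 'shorter than 14 characters' }
    # -cnotmatch is case-sensitive; plain -match in PowerShell is not
    if ($Password -cnotmatch '[A-Z]')       { $reasons += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $reasons += 'no lowercase letter' }
    if ($Password -notmatch '\d')           { $reasons += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $reasons += 'no special character' }
    if ($Password -match '(.)\1\1')         { $reasons += 'three identical characters in a row' }
    if ($UserName.Length -ge 3 -and
        $Password.IndexOf($UserName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons += 'contains the account name'
    }
    foreach ($word in $Dictionary) {
        if ($word.Length -ge 4 -and
            $Password.IndexOf($word, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains dictionary word '$word'"
        }
    }
    [pscustomobject]@{ Accepted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Custom dictionary file: one word per line, '#' lines are comments (constructed sample)
$dictPath = Join-Path $env:TEMP 'custom-dictionary.txt'
@('# site-specific forbidden words', 'password', 'welcome', 'jedi', 'dodiis') | Set-Content $dictPath
$dict = Get-Content $dictPath | Where-Object { $_ -and -not $_.StartsWith('#') }

# Rejected: contains a dictionary word and a run of identical characters
Test-PasswordPolicy -Password 'Welcome2005!!!xyz' -UserName 'jsmith' -Dictionary $dict
# Accepted: meets every assumed rule
Test-PasswordPolicy -Password 'Tq7#kLp9!vRz2m' -UserName 'jsmith' -Dictionary $dict
```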
PRINT UTILITY (Utilities)
• Provides the capability to add security markings to all hardcopy printouts on local and network print devices
• Grants certain print privileges to each user

SECURITY BANNER (Utilities)
• Displays a read-only label that appears at the top (and optionally at the bottom) of the computer screen
• Provides security markings for the system
• Settings are contained in the Windows Registry and are configurable through the Security Banner JMC Snap-In interface or the Security Banner Administrative Template

WATCHDOG (Utilities)
• Monitors the Windows System Event Log for any failed and restarted services
• In the event of a service failure, Watchdog takes pre-determined actions to alert the current user
• Relies on the native Windows Service Utility to restart failed services
• Settings are contained in the Windows Registry and are configurable via the Watchdog JMC Snap-In
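The Watchdog pattern described above, as an added example that is not JEDI code: it configures the native Service Control Manager recovery action for a service (what actually restarts it), then scans the System log for the SCM events that record a service crash or restart and alerts the logged-on user. The watched service names, look-back window and the use of msg.exe for the alert are assumptions.

```powershell
# Added example (not JEDI code). Assumptions: runs elevated on the monitored host,
# Spooler and EventLog are just sample service names, msg.exe is used for the alert.
# Service Control Manager event IDs in the System log:
#   7031 - service terminated unexpectedly; SCM will take the configured recovery action
#   7034 - service terminated unexpectedly; no recovery action is configured
#   7036 - service entered the running/stopped state (shows the restart)
$scmEventIds = 7031, 7034, 7036

function Set-ServiceRecovery {
    # Let the SCM restart the service 60 s after each failure; counter resets daily.
    param([Parameter(Mandatory)][string]$Name)
    & sc.exe failure $Name reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null
}

function Invoke-WatchdogCheck {
    param(
        [string[]]$ServiceNames = @('Spooler', 'EventLog'),   # constructed sample list
        [int]$LookbackMinutes = 15
    )
    # SCM events carry the display name, so map the short names first
    $watched = (Get-Service -Name $ServiceNames -ErrorAction SilentlyContinue).DisplayName
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = $scmEventIds
        StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $hits = foreach ($e in $events) {
        $svc = [string]$e.Properties[0].Value
        if ($watched -notcontains $svc) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Service = $svc
            EventId = $e.Id
            # 7036 carries the new state in the second parameter
            Detail  = if ($e.Id -eq 7036) { [string]$e.Properties[1].Value } else { 'terminated unexpectedly' }
        }
    }
    foreach ($h in $hits) {
        $text = "Watchdog: service '$($h.Service)' $($h.Detail) at $($h.Time) (event $($h.EventId))"
        Write-Warning $text
        & msg.exe * $text 2>$null     # alert every interactive session on this host
    }
    return $hits
}

Set-ServiceRecovery -Name 'Spooler'
Invoke-WatchdogCheck -ServiceNames 'Spooler', 'EventLog' -LookbackMinutes 60 | Format-Table
```

Events with ID 7034 indicate a watched service that will not be restarted automatically; treat those as the case where Set-ServiceRecovery has not yet been applied.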
DEVICE LOCK 5.7 (Utilities)
• COTS tool
• DoDIIS Enterprise licensed
• Provides system administrators control over which users can access certain devices on a local computer
• Protects the network by locking unauthorized user access to Wi-Fi, Bluetooth, USB, FireWire, CD-ROMs, floppy drives, serial and parallel ports, & other Plug and Play devices
• Requires Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003

DoDIIS FSD (Advanced Utilities)
• DoDIIS Full Service Directory Interface
• Populates the Active Directory schema with FSD attributes
• Provides a local user interface for FSD fields

AD INTEGRATION (Advanced Utilities)
• JEDI Administrative Templates (ADMs) allow the utilities to be configured through Windows Group Policy
• JEDI automatically applies the appropriate standalone ".inf" files
• Manually apply additional incremental ".inf" files to support additional server roles
• Provides a custom ".inf" file to support group policy settings not implemented through the JEDI ADMs

DOCUMENTATION
Extensive documentation: 1,162 pages of it for J2W
• ICG: Installation & Configuration Guide
• TFM: Trusted Facility Manual
• MSRTM: Master Security Requirements Traceability Matrix
• SSTD: Software & Security Test Description
• IDD: Interface Definition Document
• UM: User Manual
• VDD: Version Description Document
• SSAA: System Security Authorization Agreement
• Training Management Plan

WEB PAGE
• https://extranet.rl.af.mil/jedi
• http://ife.rl.af.smil.mil/jedi
• http://web1.rome.ic.gov/jedi
All administration, security documentation & templates are available on-line.

SUMMARY
• JEDI provides the Security and Infrastructure baseline to meet DIA and DoDIIS SCI requirements
• DEC endorsed
• JEDI 2.0 is available NOW
• JEDI 2.1 has integrated many of the requirements and services that the community asked for last year – available Jun 05
• Deployment migration is rapidly moving forward
• JEDI is providing the baseline to JDISS and DIA
• Ensuring we are all interoperable
• Goal: ONE infrastructure, one baseline