Managing CERN Desktops with Systems Management Server (SMS 2003)
Michel Christaller, Internet Services Group, Department of Information Technology, CERN, May 2005

Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
Summary
• CERN infrastructure
  • What is SMS?
  • SMS history at CERN
  • Server architecture
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
What is SMS?
• Microsoft Systems Management Server
  • software deployment
  • software and hardware inventory
  • software metering
  • remote control
• Additional features (SUS Feature Pack)
  • Windows Security Updates Scan Tool
  • Microsoft Office Security Updates Scan Tool
  • Extended Security Tool (non-MBSA patches)
SMS Architecture (diagram)
• Site & Database Server, with Management Points and Distribution Points
• Desktop Clients and Remote Clients (VPN, GPRS, Dial-in) ask the Management Points "new package?" and send them their Inventory
• Packages come from the Distribution Points: download (BITS) and run locally, or run from the share
SMS History at CERN
• SMS 2.0 used from 2001
• SMS 2003 deployed Summer 2004
• SMS 2003 SP1 deployed Autumn 2004
• More MPs needed due to patch deployments
  • 3 MPs with NLB
• 10Gb database now
Server Infrastructure
• Native Windows 2003 Active Directory (3 DCs)
  • Heavy use of Groups, Group Policies and startup scripts
• SMS infrastructure (Windows 2003, SMS 2003 SP1)
  • 1 Site server, 3 Distribution Points, 3 Management Points
• Other servers (mostly Windows 2003 SP1)
  • ~30 file servers
  • ~180 servers total, 50Tb disk space (Mail, Web, Terminal servers, etc.)
• Web-based administration interface (http://cern.ch/win)
• ~6000 managed desktops
  • 1/4 Windows 2000
  • 3/4 Windows XP
Summary
• CERN infrastructure
• Managing assets
  • Desktop installation
  • Computer Management (web site)
  • Hardware & software inventory
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
Desktop Installation
• DianeCD on WinPE
  • Windows Pre-Installation Environment: stripped-down Windows
  • Includes latest drivers -> no need for DOS network drivers
  • Available on bootable CD
• Configures HCP only
• Copies model-dependent drivers to local disk
• Launches the installation through the network
• Makes it possible to disable LM hash authentication (it was only needed by the DOS network layer)
Computer Management
• User-oriented web-based administration
Hardware & Software Inventory
• Inventory by SMS:
  • Hardware
  • Software (programs installed)
  • Files
Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
  • XP SP2 deployment
  • .Net Framework deployment
• Deploying security patches with SMS
• Conclusion
XP SP2 Deployment
• XP SP2 offers enhanced security
  • Firewall, IE6 SP2
• 90% of XP SP1 computers upgraded to SP2
• Recurrent SMS package
  • Pops up a prompt to the user every day for one month
  • Forced installation if the user does not respond
  • Launches the XPSP2.exe upgrade
• Distributed to XP SP1 computers, gradually by department
• Coupled with the Office XP upgrade to Office 2003
• Almost no incompatibilities seen (except for some engineering applications)
• Goal: support only Windows XP SP2 / Office 2003 by end of year
.Net Framework Deployment
• .Net Framework 1.1 needed to deploy next-generation applications like the new CERN Newsreader
• SMS package combining .Net Framework 1.1, SP1 and hotfix 886903
• Deployed on all XP SP2 computers
  • 25 chances to install at will, then forced
• Program deployment with SMS often needs VB scripting to provide a user interface
Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
  • Why patching?
  • Patching policy
  • SUS Feature Pack
  • Non-MS patches
  • Reporting
• Conclusion
Why Patching?
• Exploits are often made public before patches
• Unpatched computers get viruses
  • which install backdoors
  • which come with key-loggers and root-kits
  • root-kits are really difficult to clean up, or even to detect
  • and are used for illegal activities (spamming, file exchange, DoS attacks, etc.)
• CERN severely affected by an unmanaged computer hacked in May 2004
Patching Policy
• How to maximize coverage and minimize reboots?
• Group patches by product
  • System-related: by OS version
  • Other products: Messenger, Media Player, Acrobat, PuTTY, etc.
• Deploy first as 'advertised' (installation not forced) for some time
  • One package for the latest patches, all OS versions
• Second deployment: forced installation and reboot
  • One baseline package per OS version
  • Recurrent every day on all computers missing patches
SUS Feature Pack
• Based on the MBSA detection tool
  • Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC
  • MS Office patches with Office Updates
• Uses an mssecure.xml file
• The patchinstall wrapper provides the user interface
SUS Feature Pack (architecture diagram)
• Microsoft Download Center: receives the MSSecure.xml update request from the Sync Tool and returns MSSecure.xml and the Patches, QFEs, SPs
• SMS 2003 Site Server: Scan Tool, Hardware Inventory, Advertisement, Installation Status
• Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)
Products Not Detected by MBSA
• Extended Security Tool
  • Workaround to deploy some MS product patches
    • Windows Messenger & MSN Messenger
    • Media Player
    • .Net Framework
  • Similar to SUSFP (XML file and patchinstall wrapper)
  • Will be merged into SUSFP in the future
• Non-MS products
  • Make a VB script for the user interface; deployment based on inventory (file versions / programs installed)
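The two slides above (the ".Net Framework deployment" pattern of n chances then a forced install, and the inventory-driven VB script wrapper for non-MS products) describe a wrapper the talk does not show. This is an added VBScript example, not CERN's patchinstall wrapper or any code from the presentation; the target file, required version, installer command and the registry counter key are hypothetical placeholders.

```vbscript
' Added example, not CERN's patchinstall wrapper: a deferral-then-force wrapper for an
' SMS program, with an inventory-style file-version check. All paths/values are hypothetical.
Option Explicit
Const MAX_DEFERRALS = 25   ' "25 chances to install at will, then forced"
Const COUNTER_KEY = "HKLM\SOFTWARE\ExampleOrg\Deploy\DotNet11\Deferrals"
Const TARGET_FILE = "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll"
Const REQUIRED_VERSION = "1.1.4322.2032"   ' hypothetical post-hotfix version
Const INSTALLER = """\\server\share\dotnetfx11\install.exe"" /q /norestart"
Dim sh, fso
Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Compare dotted versions field by field as numbers: a plain string compare
' would rank "1.1.4322.573" above "1.1.4322.2032".
Function VersionLess(a, b)
    Dim pa, pb, i, n, x, y
    pa = Split(a, "."): pb = Split(b, ".")
    n = UBound(pa): If UBound(pb) > n Then n = UBound(pb)
    VersionLess = False
    For i = 0 To n
        x = 0: y = 0
        If i <= UBound(pa) Then x = CLng(pa(i))
        If i <= UBound(pb) Then y = CLng(pb(i))
        If x < y Then VersionLess = True: Exit Function
        If x > y Then Exit Function
    Next
End Function

' Inventory check: already at or above the required version -> nothing to do.
If fso.FileExists(TARGET_FILE) Then
    If Not VersionLess(fso.GetFileVersion(TARGET_FILE), REQUIRED_VERSION) Then WScript.Quit 0
End If

' Per-machine deferral counter; a missing value means this is the first run.
Dim count: count = 0
On Error Resume Next
count = CLng(sh.RegRead(COUNTER_KEY))
On Error GoTo 0
If count < MAX_DEFERRALS Then
    ' Popup returns -1 when the 120 s timeout expires: silence counts as "not now".
    If sh.Popup("Install the .Net Framework 1.1 update now?" & vbCrLf & _
                "Remaining deferrals: " & (MAX_DEFERRALS - count), 120, _
                "Software deployment", vbYesNo + vbQuestion) <> vbYes Then
        sh.RegWrite COUNTER_KEY, count + 1, "REG_DWORD"
        WScript.Quit 1   ' non-zero: not done yet, the recurrent advertisement retries next time
    End If
End If

' User accepted, or deferrals used up: install silently and hand the installer's exit code to SMS.
WScript.Quit sh.Run(INSTALLER, 1, True)
```

The script runs as the SMS program's command line; SMS reads its exit code as the installation status, so a deferred run is reported as not yet installed and a silent install reports whatever the installer returns.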
Deployment Status of MS05-019 (graph from SMS patch status data)
• Patch published by Microsoft on 12th of May
• Patch advertised to all CERN computers
• Forced deployment started
Conclusion
• Reaching 100% coverage is a dream
  • There is always a computer without disk space, with broken files, etc.
• SMS 2003 makes the infrastructure much better managed
  • Hardware & software inventory
  • Pushed software installations (the GP 'Assign to computer' was running only at startup)
  • Patch deployment and status
• Drawbacks
  • Heavy inventory phases, annoying for slow computers
  • Packaging steps may be necessary: deployment of non-MS products often requires VB scripting
Questions?
• Visit us: http://cern.ch/win