310 likes | 509 Views
WIN.MIT.EDU MIT Enterprise Windows Services. IS&T Network & Infrastructure Services Team. WIN.MIT.EDU: MIT’s Central Windows Domain. Audience Description Case Studies Architecture Features/Benefits Sub-services Security Support. Presented at ITPartners by Richard Edelson. Audience.
E N D
WIN.MIT.EDUMIT Enterprise Windows Services IS&T Network & Infrastructure Services Team
WIN.MIT.EDU: MIT’s Central Windows Domain • Audience • Description • Case Studies • Architecture • Features/Benefits • Sub-services • Security • Support Presented at ITPartners by Richard Edelson
Audience • Academic Departments • Classrooms, Clusters, Labs, Staff, Servers • Application, File and Print Services, Database, Web • Research Departments • Labs, Staff, Servers • Application, File and Print Services, Database, Web • Administrative Departments • Staff, Servers • Application, File and Print Services, Database, Web
Description • win.mit.edu provides a centrally managed Windows environment for the MIT campus. It is integrated with MIT's Kerberos realm, Moira database and MIT's standard DNS namespace. Users logon with single sign-on to many MIT resources. • Departments can seamlessly share resources across the Institute with other faculty, staff and students. Departments are given control of their environments to customize in many ways while leveraging the added value IS&T has built into the platform. Departments no longer need to provision and manage user accounts, handle patch management or manage operating system licensing. • Over the past year the domain has been used by over 60 departments and 10,000 users. These include faculty, staff, and students in academic, administrative and research departments.
Case Studies: Academic Departments • Department of Urban Studies and Planning • Cluster/Classroom environments • Desktop Environment for Faculty and Staff • File Servers • Chemical Engineering • Specialized cluster/lab environment with customized applications • Teal Classrooms • Classroom/Cluster environment • IS&T Academic Computing • Classroom/Cluster environment • High performance computing environment featuring AutoCAD, ArcView GIS, Mathematica, MatLab, Adobe applications and more
Case Studies: Research Departments • Bionet: Biology, Bio Engineering and more • 54 labs in 18 DLCs using shared high performance storage on NetApp file appliances joined the win.mit.edu Active Directory. • High performance storage required for generation of Genome research computational data. • Desktop and Lab PC/Instrument environments • Windows File and Print Servers • Some Workstation Environments are behind Firewall on Private Subnet • Users make use of DFS home directories for personal space • CMSE-SEF – Electron Microscope Lab • Desktop and Lab PC/Instrument environments • Windows File and Print Servers • Secure Web site using IIS for external data sharing
Case Studies: Administrative Departments • Controller's Accounting Office • Desktop, Windows File and Print Server Environments, Secure SAP check printing • Human Resources • Desktop, Windows File and Print Server Environments, Kiosk Workstations • Office of Sponsored Programs • Desktop, Windows File and Print Server Environments • Campus Police • Desktop, Windows File and Print Server Environments, IPSec • Card Office • Desktop, Windows File and Print Server Environments, Access Management via Citrix • Parking Office • Desktop, Windows File and Print Server Environments • Application Servers for Parking Gate Management • Resource Development • Desktop, File and Print Server Environments • Specialized Database Application Environment via Citrix • Student Financial Services • Desktop, Windows File and Print Server Environments • Financial Aid Database Server with IPSec
Architecture: Active Directory • Cross-Realm Trust • Trust of MIT Kerberos Realm by WIN.MIT.EDU allows single sign-on to multiple resources. • Delegated User Management - MIT Kerberos accounts – departments control resources by managing group membership and ACL's • Single Domain/Forest Model • Model in use by large schools, corporations and ISP’s • Delegation of Containers (OU’s) – “Islands of Control” • Departmental container administrators have many tools to build their workstation and server environments. Each department builds and customizes their own environment. • Container administrators control machines and access to their resources instead of the users directly • Group policy • Software distribution, Security, Registry, and other feature settings can be assigned on a container basis. ACL’s via Moira groups. Custom group policy settings written by IS&T • Standard MIT DNS Services • win.mit.edu uses MIT’s UNIX based DNS services instead of Microsoft’s • LDAP Directory populated by data from: • Moira – User, Group, and Container data • Populator –Moira host to container mapping, Data Warehouse, spn
WIN.MIT.EDU Architecture Moira Populator MIT Kerberos KDC’s WIN.MIT.EDU DC’s MITnet DNS Data Warehouse DFS Storage Query Data Feed
Architecture: Moira Data Feed – “Incremental” • The Moira incremental update is used to keep the WIN.MIT.EDU domain synchronized to the Moira database. The Moira incremental will create and maintain the following in Active Directory: • User accounts (MIT Kerberos ID’s – principal’s), and profile options • Account status changes such as activation/deactivation • Lists and Groups with their memberships • Container Hierarchy • The Moira incremental is a UNIX executable image and resides on the Moira server and runs continuously. This application uses Kerberos V5 authentication to establish an LDAP connection with the Windows domain to perform the updates. It has been completely integrated into Moira operations. • When relevant changes to users groups and containers are made in Moira the incremental is triggered and the change is propagated to Active Directory. • The Moira incremental will distinguish between list and groups when propagating them in Active Directory: • Lists = Distribution groups • Groups = Security groups • Do not write directly to AD to create Domain groups or security descriptors • The data may be over-written • Make these changes in Moira • Local groups can be managed directly via Windows
Architecture: User Experience Single Sign-on: User Accounts via the Moira incremental • A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal • Profile and Home directory options are written to the users account data along with Office location, phone and email • A random 127 character password is generated and stored in the user properties in Active Directory so the password does not need to be propagated. Cross-Realm authentication will verify the users password directly from the MIT Kerberos KDC’s. • Windows Service exists to refresh random passwords every 30 days • Webform to set the users Windows password to a known value for use with special applications where required
DFS: User Profiles/Home directory • Default is roaming profile in DFS • Configurable via web form • .winprofile is created in the users DFS homedir • Copied to local drive at logon • NTFS user quotas • H: is mapped to the users DFS home directory • 2 GB User quota by default • Previous Versions support • Accessed over network as needed • Used for folder redirection of Windows homedir • WinData directory is created in DFS for user data • My Documents • Application Data • Favorites • Quickstation utility for public machines
DFS: Previous Versions • Uses VSS: Windows Server 2003 Shadow copy services for user Home directories • Point-in-time copies of files. View, Copy or Restore files and folders as they existed at points of time in the past. • Recover files that were accidentally deleted or overwritten. • Compare versions of file while working. • Self service file restore capability for the end user. • Snapshots are made every 4 AM. Versions of up to 64 days are available. • Shadow copies are read-only. You cannot edit the contents of a shadow copy.
Sub-services • Citrix • Hosted Business applications • http://citrix.mit.edu/citrix/about.html • Citrix Staging • MIT WAUS: • MIT Windows Automatic Update Services Site for MIT approved Windows Updates, load balanced via Big IP • http://web.mit.edu/ist/topics/windows/updates/ • Contract Administrative Services via IS&T’s DITR Team • WIN.MIT.EDU Group Policy and Container Management • Desktop Management and Support • Server Management and Support • Server Collocation Services in W91
Features/Benefits • Container Management • Delegation of Account Management • Container Wide Job Scheduling • Web forms • Group Policy • Storage • Printing • Laptops • Network Boot Installation Services
Container Management Containers (OU’s) – “Islands of Control” • Departments can administer their workstations and servers independently almost as if they were running a separate domain • Seamless ability to share resources with other departments • Departments control machines and access to their resources instead of the users directly • Domain Administrators can be removed from Administrators Group on all workstations and servers • Container Administrators have the ability override default domain group policy settings • Containers have ACL’s in Moira defining who may administer them and auto creation of groups to set ACL’s on machine accounts within their containers
Delegation of Account Management benefits • MIT Kerberos accounts – departments control resources by managing group membership and ACL's • All students and staff have Kerberos ID’s • Delegation of password management • Save time and money • Web forms for some user tasks • Easy to use, self service • Departments only need to manage their groups • Save time and money • Seamless ability to share resources with other departments
Container Wide Job Scheduling - SelfMaint • Container based scheduling service called SelfMaint is provided in addition to the Windows Task Scheduler service. • Runs under the SYSTEM account • Can reboot, defrag disks or run custom scripts • Scripts reside on the network and will continue to run if the OS is reinstalled or a new computer is added to the container • A script can either wait until no user is logged in to run or run unconditionally. • Web request form • Microsoft Hotfixes not supported by WSUS can be installed. • Certain scripts run domain wide
Web forms – for Users • https://wince.mit.edu - Uses MIT Certificates • User and Container Administrator tasks User Web forms • Change Your Active Directory Password. • https://wince.mit.edu/changepasswd/index.jsp • For users: under certain circumstances, it might be necessary to set your native WIN domain password. • Change Profile and Home directory options. • https://wince.mit.edu/changeprofile/index.jsp • A user can change their default DFS roaming profile and home directory locations to a local profile and home directory or to a path on a departmental server
Web Forms - Container Administrator Forms • Opt into/out of various domain-wide deployments • https://wince.mit.edu/optoutrollout/index.jsp • A container administrator can opt out of certain deployments until you are ready or to opt into test deployments early before they are released domain-wide. Containers and/or individual machines can opt-in or opt-out. • Submit a Container Maintenance Job • https://wince.mit.edu/containermaint/index.jsp • Schedule a container reboot, defrag, or custom script. Selfmaint scripts can wait until a user is logged out in order to not disturb normal machine use. • Delete a Machine from Active Directory • https://wince.mit.edu/deletemachine/index.jsp • A convenient tool if other tools are not available. To reinstall a computer, it’s machine account must first be deleted from Active Directory, but NOT from Moira. • RIS or Join Computer Page • https://wince.mit.edu/getrisaccount/index.jsp • a container administrator or a container membership administrator, you may use this service to obtain a short-term account and password to be used while adding machines to WIN.MIT.EDU (the Moira host information should already exist)
Group Policy • Container ACL's –admins control group policy • Container admins only use computer settings • Software deployment - MSI • Assign startup/shutdown scripts • Assign security settings • Customizable Auditing • Configure registry-based software settings
Storage • Decentralized Storage Model • NTFS: Departments are encouraged to use local departmental servers for their shared data storage needs • DFS Home directory: Holds user profiles and home directory data by default, can be changed to be local via a web form • DFS common space: generally is used for data used domain wide such as scripts and software packages. • Supports multiple writable replicas • Supports virtual links to departmental file servers • Writable replicas not recommended for highly volatile data
Printing • Flexible Printing Model • Windows Server Print queue • Direct printing – TCP/IP or DLC • Queue Published in Active Directory • KLPR (configured as local machine ports) • Samba • WIN.MIT.EDU group policy extensions • “Install these Network Printers” • “Install these KLPR Printers” • Microsoft Server 2003 R2 Print Extensions
Laptops • Supported in a number of scenarios: • Directly connected to MITnet – normal operation • Wireless on MITnet – normal operation • Remote Broadband – VPN / Enhanced settings • Laptop with additional opt-in settings • Remote Dialup – Similar to Remote Broadband • Disconnected – Cached logon. Will prompt user for Kerberos password if later connected • Workgroup (non-Domain machine) – Users can map to domain file servers using native windows password from web form
Network Boot Installation Services • PXE – included in most new hardware • MITnet DHCP will route PXE requests to WIN.MIT.EDU – RIS • For more information see http://web.mit.edu/ist/topics/windows/server/winmitedu/RIS.html
Security • “Defense in Depth” Measures • Layered approach to system security • IPSec and Windows Firewall • Domain • Kerberos V5 Authentication • No anonymous enumeration of Active Directory, including via LDAP • User • Password resides on Kerberos KDC while 127 character random password is written to Active Directory • Service refreshes random passwords every 30 days • Client Machine • Patch management via WSUS • No anonymous access to local SAM by default • Local administrator denied access over the network by default • Logons audited by client system and domain controller • Central syslog server
IPSec • Selectively Block IP traffic • Native to Windows 2000 and up operating systems • Block all incoming and outgoing traffic except allowed subnets or ports • Block all incoming and/or outgoing traffic except allowed ports (all IP’s) • Allow a port outgoing only or incoming only • Can effectively firewall particular servers or applications • Confirms to RFC standards – not proprietary • Already in use in WIN.MIT.EDU by a few departments • Configurable locally or via group policy • Configurable per network interface • Encrypt Data Communication between Servers and Workstations • To protect sensitive data and resources • Supports Kerberos V5 Authentication • 3DES by default, configurable key regeneration intervals
Windows Firewall • Available on Windows XP SP2 and Server 2003 SP1 • Exceptions configured on a by port basis, only IPSec can manage all traffic on a by subnet basis. • Blocks incoming traffic only • Outgoing traffic blocking available in Windows Vista • Supports IP ACL’s for individual ports or executables • Configurable locally or via group policy • Configurable per network interface
Layered Security Overview Service Authentication SMB ports blocked by MIT Border Routers IPSec Windows Firewall Patching of System Services Blocking of Anonymous NetBIOS queries Network Based Application Security Local administrator denied access over the network Domain account 127 character random password Kerberos V5 Authentication
Support • Departmental Admin – Escalation from Users • Container Administrator is responsible for their users and computers, but can draw on NIST resources for technical advice if issue is domain based, also peer support is encouraged • DITR – SLA based Escalation - Dept Admin, User • Some departments may contract DITR to assist or even take place of container administrators depending on the departments needs • ACIS – Not SLA based but some support for Admins • Usually highly involved in Academic cluster, lab, group implementations with emphasis on application deployment in the Academic space. Training of local administrators but no official ongoing support contract • NIST – Escalations from DITR, Container Admins, ACIS • Supports the domain infrastructure, container administrators, DITR, ACST • PSS – Microsoft Support at discretion of NIST