York Secure Scan vs Microsoft Windows
Our story and how we dealt with it

Introduction
Presenter:
Leonard Chow
Supervisor / Technical Analyst, Client Services
Computing and Network Services
York University
Toronto ON Canada
[email protected]
http://www.yorku.ca

This Presentation…
Tuesday, June 24 2008
Presentation 5A: 9:00 - 10:00 AM – Singer Bldg Rm 151
York Secure Scan vs Microsoft Windows - our story and how we dealt with it
Clients want to get ResNet Internet service - ResNet Network Administrators want a secure and safe network - and our ResNet Support Team is right in the middle of it!
This is the story of how we dealt with York Secure Scan, the application on the York University ResNet network that grants permission to registration for Microsoft Windows workstations.
First, a brief introduction to the history of the York University ResNet service will be given, outlining the important role our York Secure Scan application plays in allowing only clean, secured workstations onto our ResNet service. Next, there will be some discussion of the problems that were reported by clients (missing MS OS patches, problems loading MS OS patches, etc). Lastly, some solutions to the problems that we faced will be presented (how to get patches loaded), along with our procedures for dealing with some of our more problematic clients/students.
This is not a presentation about how to build and implement an application such as York Secure Scan; this is only the Client Services perspective of how we did our jobs.
This MS PowerPoint presentation is currently available at http://www.yorku.ca/lchow/

York University
Computing Support
-Specific Faculties - Technical Support
-Specific Admin./Bus. Dept. - Technical Support
-Central Computing Services
-Infrastructure
-Network
-Server Administration
-Information Security
-etc.
-Client Services
-Residence Support (ResNet Support / In-Residence Support)

York University ResNet Service...
-DHCP - assigned IP and DNS information
-MAC authentication
-Registration through browser and student authentication
-Registration/authentication VLAN vs actual Internet service VLAN
-9 York undergrad/dorm residence buildings or areas
-14 York apartment/suite residence buildings or 3 areas
-Approx. 50,000 students attend York University over 2 campuses (main campus and Glendon campus)
-Approx. 6000 ResNet jacks/beds in all the buildings
-Approx. 5000 ResNet clients/users registered and they have their “own” computers running MS Windows, Mac OS, and Linux typically

Back then, in a perfect world...
To get ResNet Internet Service
1. Clients/students come with their laptop/computer and plug into the ResNet service jack with their network cable; the computer will get an IP/DNS via DHCP for 'registration/authentication VLAN'
2. The client/student authenticates themselves and registers onto the ResNet service via browser
3. After registration finishes, then there's Internet service (IP/DNS via DHCP)

ResNet before being registered…

Back then, it wasn't a perfect world...
-There were many improvements that needed to be made
-Not sure what the problem was
-Network device (Cisco Switch) problems
-Rogue problems
-Virus problems
-Client/end-user problems (OS problems?)
-WHY WOULDN'T THINGS JUST WORK!

In came Information Security...
-York Secure Scan (yss.exe) was introduced into the process
So in the new world...
To get ResNet Internet Service
1. Clients/students come with their laptop/computer and plug into the ResNet service jack with their network cable; the computer will get an IP/DNS via DHCP for 'registration/authentication VLAN'
2. If the computer is a MS Windows computer, then it will be forced to go through the York Secure Scan
3. In order to pass York Secure Scan and continue onto client/student authentication for ResNet Registration, the MS Windows computer must have all Critical Updates/Patches and must have Symantec Antivirus with up to date virus definitions
4. The client/student authenticates themselves and registers onto the ResNet service
5. After registration finishes, then there's Internet service (IP/DNS via DHCP)
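The two conditions in step 3 can be checked from the client side. The PowerShell below is an added example for a current Windows client, not York Secure Scan's code or method; the KB IDs are placeholders, and Test-Posture, $RequiredKBs and $AcceptedAV are hypothetical names.

```powershell
# Added example: posture check for the two conditions in step 3.
# Not York Secure Scan code. The KB IDs are placeholders, not real updates.
$RequiredKBs = @('KB0000001', 'KB0000002')   # placeholder: site's required critical updates
$AcceptedAV  = @('Symantec')                 # display-name substrings the policy accepts

function Test-Posture {
    param(
        [string[]]$InstalledKBs,
        [object[]]$AvProducts,
        [string[]]$RequiredKBs,
        [string[]]$AcceptedAV
    )
    $reasons = @()

    # Condition 1: every required update is registered as installed.
    foreach ($kb in $RequiredKBs) {
        if ($InstalledKBs -notcontains $kb) { $reasons += "Missing update: $kb" }
    }

    # Condition 2: an accepted antivirus is registered, enabled and current.
    $av = @($AvProducts | Where-Object {
        $name = $_.displayName
        @($AcceptedAV | Where-Object { $name -like "*$_*" }).Count -gt 0
    }) | Select-Object -First 1

    if (-not $av) {
        $reasons += 'No accepted antivirus product registered'
    } else {
        # productState is an undocumented bit field; this decoding is the
        # commonly used heuristic (0x1000 = enabled, 0x10 = definitions stale).
        $state = [int]$av.productState
        if (($state -band 0x1000) -eq 0) { $reasons += "$($av.displayName) is disabled" }
        if (($state -band 0x10) -ne 0)   { $reasons += "$($av.displayName) definitions are out of date" }
    }

    [pscustomobject]@{ Pass = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Gather live data. Get-HotFix reads Win32_QuickFixEngineering; the
# SecurityCenter2 namespace exists on client editions of Windows only.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$avList = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)

$result = Test-Posture -InstalledKBs $installed -AvProducts $avList -RequiredKBs $RequiredKBs -AcceptedAV $AcceptedAV
if ($result.Pass) { 'PASS: continue to ResNet registration' } else {
    'FAIL:'; $result.Reasons | ForEach-Object { "  - $_" }
}
```

An update appearing in the Get-HotFix list means it is registered as installed; it does not verify the patched files themselves.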

The new features...
-Secured 'registration/authentication VLAN'
-Proxy to allow clients to get MS Windows Critical Updates/Patches
-Proxy to allow clients to get Symantec Antivirus virus definition updates
-Things improved drastically!
-Cut down on client-end OS related problems

York Secure Scan
http://resnet.yorku.ca/secure_scan.html

The new problems...
-Illegal/cracked copies of MS Windows OS
-Critical Updates/Patches that aren't really loaded
-Language Versions of MS Windows OS that aren't supported by YSS
-3rd party firewalls and security suite programs
-Corrupted MS Windows OS
-They don't like our Symantec Antivirus

For Illegal/cracked copies of MS Windows OS clients...
-Get a legal valid copy/service key of the MS Windows OS
-Student discount on-campus, but it's still a lot of pain for the client
Warn them...
-Back up data (personal pictures, music, documents, homework, etc.)
-Format/reload very often means everything will be deleted
-This is between the client and the computer store/vendor

For clients where there are critical updates/patches issues...
-Go and download the missing patch from Microsoft
-Load the same update/patch again
-Uninstall the specific update/patch and load it again
-Go and download the York Antivirus CD (which has MS patches on it)
Warn them...
-This is between the client and the computer store/vendor
-Back up data (personal pictures, music, documents, homework, etc.)

For clients with Non-English Language Versions of MS Windows OS that are not supported by YSS
-Escalate it to Information Security so that they're aware
-There's a workaround version of York Secure Scan

For clients running 3rd party Firewalls and security suite programs...
-Shut the 3rd party software off
-Advise client to uninstall the security suite program that's expired
Warn them...
-This is between the client and the computer store/vendor
-Back up data (personal pictures, music, documents, homework, etc.)

For clients who don't like our Symantec Antivirus program...
-They MUST use our version of Symantec Antivirus if they're running MS Windows OS and want to pass York Secure Scan
Warn them...
-Uninstall the existing antivirus software fully, and restart the computer, before installing new antivirus software
-This is between the client and the computer store/vendor
-Back up data (personal pictures, music, documents, homework, etc.)

After 2 years, York Secure Scan ver. 2 came out...
-Now runs new MBSA engine
-Now accepts other popular antivirus software e.g. Norton, McAfee, etc.

The new York Secure Scan ver. 2, new issues...
-MBSA errors
-Language Versions of MS Windows OS that aren't supported by YSS
-3rd party firewalls and security suite programs (Live OneCare)
Same old problems...
-Can't load a patch
-Patch is not there, but it says that it's loaded
-Corrupted MS Windows OS
-The antivirus software is not recognized

For clients who get MBSA errors...
-Escalate it to Information Security if necessary
-Download MBSA standalone from Microsoft and if it doesn’t pass this test, then the system is corrupted
http://technet.microsoft.com/en-us/security/cc184924.aspx
-Rebuild/reload the system
Warn them...
-This is between the client and the computer store/vendor
-Back up data (personal pictures, music, documents, homework, etc.)

For clients who end up with no IP/DNS with Live OneCare
-Trial versions of Live OneCare gave this problem; advise the client to uninstall this software or get the full version
-Full licensed versions of Live OneCare were less troublesome
-Use a SOHO router
Warn them...
-This is between the client and the computer store/vendor
-Back up data (personal pictures, music, documents, homework, etc.)

Our other rarely advised solutions?
-Use a SOHO router (~$50) and find a non-MS Windows OS computer to register
-Use a Linux live CD (e.g. Knoppix, Ubuntu)
-There are other Internet services available on campus

End of presentation
Questions?
Thanks for coming to this presentation.