WIN.MIT.EDU
MIT Enterprise Windows Services
IS&T Network & Infrastructure Services Team
WIN.MIT.EDU: MIT’s Central Windows Domain
Audience
Description
Case Studies
Architecture
Features/Benefits
Sub-services
Security
Support
Presented at ITPartners by Richard Edelson
Audience
Academic Departments: Classrooms, Clusters, Labs, Staff, Servers
Application, File and Print Services, Database, Web
Research Departments: Labs, Staff, Servers
Application, File and Print Services, Database, Web
Administrative Departments: Staff, Servers
Application, File and Print Services, Database, Web
Description
win.mit.edu provides a centrally managed Windows environment for the MIT campus. It is integrated with MIT's Kerberos realm, the Moira database and MIT's standard DNS namespace. Users log on with single sign-on to many MIT resources.
Departments can seamlessly share resources across the Institute with other
faculty, staff and students. Departments are given control of their
environments to customize in many ways while leveraging the added value
IS&T has built into the platform. Departments no longer need to provision
and manage user accounts, handle patch management or manage operating
system licensing.
Over the past year the domain has been used by over 60 departments and
10,000 users. These include faculty, staff, and students in academic,
administrative and research departments.
Case Studies: Academic Departments
Department of Urban Studies and Planning
Chemical Engineering
Specialized cluster/lab environment with customized applications
Teal Classrooms
Cluster/Classroom environments
Desktop Environment for Faculty and Staff
File Servers
Classroom/Cluster environment
IS&T Academic Computing
Classroom/Cluster environment
High performance computing environment featuring AutoCAD, ArcView GIS, Mathematica, MatLab, Adobe applications and more
Case Studies: Research Departments
Bionet: Biology, Bio Engineering and more
54 labs in 18 DLCs using shared high performance storage on NetApp file appliances joined the win.mit.edu Active Directory.
High performance storage required for generation of Genome research computational data.
Desktop and Lab PC/Instrument environments
Windows File and Print Servers
Some Workstation Environments are behind Firewall on Private Subnet
Users make use of DFS home directories for personal space
CMSE-SEF – Electron Microscope Lab
Desktop and Lab PC/Instrument environments
Windows File and Print Servers
Secure Web site using IIS for external data sharing
Case Studies: Administrative Departments
Controller's Accounting Office
Human Resources
Desktop, Windows File and Print Server Environments
Application Servers for Parking Gate Management
Resource Development
Desktop, Windows File and Print Server Environments, Access Management via Citrix
Parking Office
Desktop, Windows File and Print Server Environments, IPSec
Card Office
Desktop, Windows File and Print Server Environments
Campus Police
Desktop, Windows File and Print Server Environments, Kiosk Workstations
Office of Sponsored Programs
Desktop, Windows File and Print Server Environments, Secure SAP check printing
Desktop, File and Print Server Environments
Specialized Database Application Environment via Citrix
Student Financial Services
Desktop, Windows File and Print Server Environments
Financial Aid Database Server with IPSec
Architecture: Active Directory
Cross-Realm Trust
Trust of MIT Kerberos Realm by WIN.MIT.EDU allows single sign-on to multiple resources.
Delegated User Management – MIT Kerberos accounts – departments control resources by managing group membership and ACL's
Single Domain/Forest Model
Model in use by large schools, corporations and ISP’s
Delegation of Containers (OU’s) – “Islands of Control”
Departmental container administrators have many tools to build their workstation and server environments. Each department builds and customizes their own environment.
Container administrators control machines and access to their resources instead of the users directly
Group policy
Software distribution, Security, Registry, and other feature settings can be assigned on a container basis.
ACL’s via Moira groups. Custom group policy settings written by IS&T
Standard MIT DNS Services
win.mit.edu uses MIT’s UNIX-based DNS services instead of Microsoft’s
LDAP Directory populated by data from:
Moira – User, Group, and Container data
Populator – Moira host to container mapping, Data Warehouse, spn
WIN.MIT.EDU Architecture (diagram): Moira, Populator, MIT Kerberos KDC’s, WIN.MIT.EDU DC’s, MITnet DNS, DFS Storage and the Data Warehouse, with flows labelled Query and Data Feed.
Architecture: Moira Data Feed – “Incremental”
The Moira incremental update is used to keep the WIN.MIT.EDU domain synchronized to the Moira database. The Moira incremental will create and maintain the following in Active Directory:
User accounts (MIT Kerberos ID’s – principals), and profile options
Account status changes such as activation/deactivation
Lists and Groups with their memberships
Container Hierarchy
The Moira incremental is a UNIX executable image that resides on the Moira server and runs continuously. This application uses Kerberos V5 authentication to establish an LDAP connection with the Windows domain to perform the updates. It has been completely integrated into Moira operations.
When relevant changes to users, groups and containers are made in Moira, the incremental is triggered and the change is propagated to Active Directory.
The Moira incremental will distinguish between lists and groups when propagating them to Active Directory:
Lists = Distribution groups
Groups = Security groups
Do not write directly to AD to create Domain groups or security descriptors
The data may be overwritten
Make these changes in Moira
Local groups can be managed directly via Windows
Architecture: User Experience
Single Sign-on:
User Accounts via the Moira incremental
A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal
Profile and Home directory options are written to the user's account data along with Office location, phone and email
A random 127 character password is generated and stored in the user properties in Active Directory so the password does not need to be propagated. Cross-Realm authentication will verify the user's password directly from the MIT Kerberos KDC’s.
A Windows service exists to refresh the random passwords every 30 days
Web form to set the user's Windows password to a known value for use with special applications where required
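The two mechanisms just described, the list/group distinction of the Moira incremental and the random 127-character placeholder password that the cross-realm trust makes possible, as an added Python simulation (not the Moira incremental's own code, nor part of the original presentation): the Moira change records are constructed, the base DN, realm name and container are assumed, and the attribute names are Active Directory's.

```python
import secrets
import string
from datetime import datetime, timedelta

BASE_DN = "DC=win,DC=mit,DC=edu"   # assumed base DN for illustration
REALM = "EXAMPLE.REALM"            # placeholder: the realm name is not given on the slides
GLOBAL_GROUP, SECURITY_ENABLED = 0x00000002, 0x80000000   # AD groupType bits
NORMAL_ACCOUNT, ACCOUNTDISABLE = 0x0200, 0x0002            # AD userAccountControl bits
PASSWORD_LENGTH, REFRESH_DAYS = 127, 30                    # values from the slides

def to_signed32(value):
    """AD exposes groupType as a signed 32-bit integer (e.g. -2147483646)."""
    return value - (1 << 32) if value & 0x80000000 else value

def group_type_for(kind):
    """Moira lists become distribution groups; Moira groups become security groups."""
    if kind == "list":
        return to_signed32(GLOBAL_GROUP)
    if kind == "group":
        return to_signed32(GLOBAL_GROUP | SECURITY_ENABLED)
    raise ValueError(f"unknown Moira object kind: {kind}")

def user_account_control(active):
    """Moira activation/deactivation becomes the ACCOUNTDISABLE bit in AD."""
    return NORMAL_ACCOUNT | (0 if active else ACCOUNTDISABLE)

def random_domain_password(length=PASSWORD_LENGTH):
    """CSPRNG placeholder password; the real credential stays on the MIT KDC."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def password_needs_refresh(pwd_last_set_iso, now_iso, days=REFRESH_DAYS):
    """True when the 30-day refresh service should rotate the random password."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(pwd_last_set_iso)
    return age >= timedelta(days=days)

def incremental(records, container="OU=Users"):
    """Translate constructed Moira change records into AD entries (plain dicts)."""
    ops = []
    for rec in records:
        dn = f"CN={rec['name']},{container},{BASE_DN}"
        if rec["type"] == "user":
            ops.append({"dn": dn,
                        "altSecurityIdentities": f"Kerberos:{rec['name']}@{REALM}",
                        "userAccountControl": user_account_control(rec.get("active", True)),
                        "unicodePwd": random_domain_password()})  # real writes: UTF-16LE over TLS
        else:
            members = [f"CN={m},{container},{BASE_DN}" for m in rec.get("members", [])]
            ops.append({"dn": dn, "groupType": group_type_for(rec["type"]), "member": members})
    return ops
```

The security-relevant check is that a Moira list never receives the security-enabled bit, since only security groups carry SIDs that ACLs honour.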
DFS: User Profiles/Home directory
Default is roaming profile in DFS
Configurable via web form
.winprofile is created in the user's DFS homedir
Copied to local drive at logon
NTFS user quotas
H: is mapped to the user's DFS home directory
2 GB User quota by default
Previous Versions support
Accessed over network as needed
Used for folder redirection of Windows homedir
WinData directory is created in DFS for user data
My Documents
Application Data
Favorites
Quickstation utility for public machines
DFS: Previous Versions
Uses VSS: Windows Server 2003 Shadow Copy services for user Home directories
Point-in-time copies of files. View, copy or restore files and folders as they existed at points of time in the past.
Recover files that were accidentally deleted or overwritten.
Compare versions of a file while working.
Self-service file restore capability for the end user.
Snapshots are made daily at 4 AM. Versions of up to 64 days are available.
Shadow copies are read-only. You cannot edit the contents of a shadow copy.
Sub-services
Citrix
Hosted Business applications
http://citrix.mit.edu/citrix/about.html
Citrix Staging
MIT WAUS:
MIT Windows Automatic Update Services
Site for MIT approved Windows Updates, load balanced via Big IP
http://web.mit.edu/ist/topics/windows/updates/
Contract Administrative Services via IS&T’s DITR Team
WIN.MIT.EDU Group Policy and Container Management
Desktop Management and Support
Server Management and Support
Server Colocation Services in W91
Features/Benefits
Container Management
Delegation of Account Management
Container Wide Job Scheduling
Web forms
Group Policy
Storage
Printing
Laptops
Network Boot Installation Services
Container Management
Containers (OU’s) – “Islands of Control”
Departments can administer their workstations and servers independently, almost as if they were running a separate domain
Seamless ability to share resources with other departments
Departments control machines and access to their resources instead of the users directly
Domain Administrators can be removed from the Administrators Group on all workstations and servers
Container Administrators have the ability to override default domain group policy settings
Containers have ACL’s in Moira defining who may administer them, and auto-creation of groups to set ACL’s on machine accounts within their containers
Delegation of Account Management benefits
MIT Kerberos accounts – departments control resources by managing group membership and ACL's
Delegation of password management
Easy to use, self service
Departments only need to manage their groups
Save time and money
Web forms for some user tasks
All students and staff have Kerberos ID’s
Save time and money
Seamless ability to share resources with other departments
Container Wide Job Scheduling - SelfMaint
A container-based scheduling service called SelfMaint is provided in addition to the Windows Task Scheduler service.
Runs under the SYSTEM account
Can reboot, defrag disks or run custom scripts
Scripts reside on the network and will continue to run if the OS is reinstalled or a new computer is added to the container
A script can either wait until no user is logged in to run or run unconditionally.
Web request form
Microsoft Hotfixes not supported by WSUS can be installed.
Certain scripts run domain wide
Web forms – for Users
https://wince.mit.edu - Uses MIT Certificates
User and Container Administrator tasks
User Web forms
Change Your Active Directory Password.
https://wince.mit.edu/changepasswd/index.jsp
For users: under certain circumstances, it might be necessary to set your native WIN domain password.
Change Profile and Home directory options.
https://wince.mit.edu/changeprofile/index.jsp
A user can change their default DFS roaming profile and home directory locations to a local profile and home directory or to a path on a departmental server
Web Forms - Container Administrator Forms
Submit a Container Maintenance Job
https://wince.mit.edu/containermaint/index.jsp
Schedule a container reboot, defrag, or custom script. SelfMaint scripts can wait until a user is logged out in order not to disturb normal machine use.
Opt into/out of various domain-wide deployments
https://wince.mit.edu/optoutrollout/index.jsp
A container administrator can opt out of certain deployments until ready, or opt into test deployments early before they are released domain-wide. Containers and/or individual machines can opt in or opt out.
Delete a Machine from Active Directory
https://wince.mit.edu/deletemachine/index.jsp
A convenient tool if other tools are not available. To reinstall a computer, its machine account must first be deleted from Active Directory, but NOT from Moira.
RIS or Join Computer Page
https://wince.mit.edu/getrisaccount/index.jsp
As a container administrator or a container membership administrator, you may use this service to obtain a short-term account and password to be used while adding machines to WIN.MIT.EDU (the Moira host information should already exist)
Group Policy
Container ACL's – admins control group policy
Container admins only use computer settings
Software deployment - MSI
Assign startup/shutdown scripts
Assign security settings
Customizable Auditing
Configure registry-based software settings
Storage
Decentralized Storage Model
NTFS: Departments are encouraged to use local departmental servers for their shared data storage needs
DFS Home directory: Holds user profiles and home directory data by default; can be changed to local via a web form
DFS common space: generally used for data used domain-wide, such as scripts and software packages.
Supports multiple writable replicas
Supports virtual links to departmental file servers
Writable replicas not recommended for highly volatile data
Printing
Flexible Printing Model
Windows Server Print queue
Direct printing – TCP/IP or DLC
Queue Published in Active Directory
KLPR (configured as local machine ports)
Samba
WIN.MIT.EDU group policy extensions
“Install these Network Printers”
“Install these KLPR Printers”
Microsoft Server 2003 R2 Print Extensions
Laptops
Supported in a number of scenarios:
Directly connected to MITnet – normal operation
Wireless on MITnet – normal operation
Remote Broadband – VPN / Enhanced settings
Laptop with additional opt-in settings
Remote Dialup – Similar to Remote Broadband
Disconnected – Cached logon. Will prompt the user for the Kerberos password if later connected
Workgroup (non-Domain machine) – Users can map to domain file servers using the native Windows password set via the web form
Network Boot Installation Services
PXE – included in most new hardware
MITnet DHCP will route PXE requests to WIN.MIT.EDU – RIS
For more information see
http://web.mit.edu/ist/topics/windows/server/winmitedu/RIS.html
Security
“Defense in Depth” Measures
Domain
Kerberos V5 Authentication
No anonymous enumeration of Active Directory, including via LDAP
User
Layered approach to system security
IPSec and Windows Firewall
Password resides on the Kerberos KDC while a 127 character random password is written to Active Directory
Service refreshes random passwords every 30 days
Client Machine
Patch management via WSUS
No anonymous access to local SAM by default
Local administrator denied access over the network by default
Logons audited by client system and domain controller
Central syslog server
IPSec
Selectively Block IP traffic
Native to Windows 2000 and up operating systems
Block all incoming and outgoing traffic except allowed subnets or ports
Block all incoming and/or outgoing traffic except allowed ports (all IP’s)
Allow a port outgoing only or incoming only
Can effectively firewall particular servers or applications
Conforms to RFC standards – not proprietary
Already in use in WIN.MIT.EDU by a few departments
Configurable locally or via group policy
Configurable per network interface
Encrypt Data Communication between Servers and Workstations
To protect sensitive data and resources
Supports Kerberos V5 Authentication
3DES by default, configurable key regeneration intervals
Windows Firewall
Available on Windows XP SP2 and Server 2003 SP1
Exceptions are configured on a per-port basis; only IPSec can manage all traffic on a per-subnet basis.
Blocks incoming traffic only
Outgoing traffic blocking available in Windows Vista
Supports IP ACL’s for individual ports or executables
Configurable locally or via group policy
Configurable per network interface
Layered Security Overview (diagram): Service and Authentication, protected by the following layers:
SMB ports blocked by MIT Border Routers
IPSec
Windows Firewall
Patching of System Services
Network Based Application Security
Blocking of Anonymous NetBIOS queries
Local administrator denied access over the network
Domain account 127 character random password
Kerberos V5 Authentication
Support
Departmental Admin – Escalation from Users
The Container Administrator is responsible for their users and computers, but can draw on NIST resources for technical advice if the issue is domain based; peer support is also encouraged
DITR – SLA based Escalation - Dept Admin, User
Some departments may contract DITR to assist or even take the place of container administrators depending on the department's needs
ACIS – Not SLA based but some support for Admins
Usually highly involved in Academic cluster, lab and group implementations with emphasis on application deployment in the Academic space. Training of local administrators but no official ongoing support contract
NIST – Escalations from DITR, Container Admins, ACIS
Supports the domain infrastructure, container administrators, DITR, ACST
PSS – Microsoft Support at discretion of NIST