Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Upload: julie-griffith

Post on 28-Dec-2015


TRANSCRIPT

Page 1: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Beams Division Local Administrators Meeting

1/11/2002

Brian Drendel

Page 2: Today’s topic: Security

Quick overview of Computer Security Vulnerabilities
Virus attack on Beamssrv1
How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
Local admin access to IP/License database
FileMaker Pro IP/License database lab

Page 3: What happens when your computer is hacked?

Capture your password(s).
Read files off of your computer.
Copy files to your computer.
Modify or delete files off of your computer.
Execute code on your computer.
Use your computer to attack other computers.
Use your computer to create unwanted network traffic.

Page 4: Security Vulnerabilities

What are some ways that computers get compromised?
– User Actions
– Virus
– Stolen passwords
– Operating System vulnerabilities or misconfigurations
– Application vulnerabilities or misconfigurations

Page 5: Today’s topic: Security

Quick overview of Computer Security Vulnerabilities
Virus attack on Beamssrv1
How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
Local admin access to IP/License database
FileMaker Pro IP/License database lab

Page 6: Beamssrv1 attack

12-11-01: Beamssrv1 and other computers were attacked by a virus.
– Beamssrv1 offline for 24 hours
– BD/Network resources expended for entire week.
– Local administrators had to rebuild desktops.

12-18-01
– Smaller-scale repeat performance of same attack.
– BD/Network resources expended for another two days
– Local administrator needed to rebuild computer.

Page 7: Hacked-Desktop1

Hacked-Desktop1:
– This computer was the first computer to be compromised by this attack.
– 12:12-12:25: NAV 5.0 quarantined 666 infected files.
– Started attacking other computers looking for operating system and IIS vulnerabilities and shares that it could use to spread itself.

Page 8: Hacked-Desktop1: What went wrong?

– Operating system service packs were 1½ years out of date and it was running an unpatched IE.
  Allowed the computer to be compromised.
– It was using an unsupported NAV that does not report back to our SSC console.
  This increased the response time. This computer was compromised by 12:30pm. Our first indication of a problem wasn’t until after 2:30pm.
– Open shares
  Used these shares to attempt to spread the virus.
– Also infected with a Spyware trojan horse
  Probably unrelated to this incident.

Page 9: Hacked-Desktop1

User’s Beams account had admin privileges and he left himself logged in while he was on vacation.
– Administrator privileges allowed the attack to compromise the unpatched system.
– Allowed virus to create more open shares to spread itself.
– When the user returned, he started executing tasks on the compromised system, which triggered the attack.

User never logged out after his roaming profile was disabled.
– Allowed virus to try to spread itself to \\beamssrv1\profiles

User’s Beams account also had admin privileges on other computers
– Allowed other computers to be compromised.

Root of each drive was shared for local backups with poorly set up permissions.
– Contributed to compromise of entire system

Page 10: Hacked-Desktop1: What was done correctly?

– User had up-to-date virus definitions (on an old version of Norton Antivirus) that prevented further spread.
– User notified us via voicemail when they discovered the problem.

Page 11: Hacked-Desktop2

This computer did local backups by attaching to the root of every drive on three desktop computers.

13:16: Event viewer shows that the security policy was changed on this computer.
– Security policy was actually locked out and could not be viewed or changed.

14:25 – 14:33 NAV stopped infected files from being written to all share directories and subdirectories.

Page 12: Hacked-Desktop2: What was done correctly?

– Win2k SP2 + hotfixes
– Updated IE
– Had NAV CE 7.51 with updated virus definitions
  Stopped infected files from being written to the computer’s shares
– No open shares

Page 13: Hacked-Desktop2: What went wrong?

– The user from Hacked-Desktop1 was in the administrators group on this PC.
– The administrator of this PC was away from the lab, but left himself logged into the localadmin account.
  So any actions taken from this PC were done with admin privileges.
– This PC had “Full Control” access to the root of each drive on three other computers for backups.
  Included Hacked-Desktop1
  Provided a path to two additional computers (Lucky-Desktop1 and Hacked-Desktop3).

Page 14: Lucky-Computer1

One of the desktops that was backed up by Hacked-Desktop2 was turned off so it was not compromised.

It had very poorly configured shares
– Beams Key Access and Department global groups had “Full Control” to the root of the drives.

Had this computer been powered up during the attack, it would have been compromised.

Page 15: Attacked-Console

14:16 NAV stopped infected files from being written to D:\public open share.

Was a controls console at CHL.

User logged into FileMaker Pro database on Beamsappsrv1
– Gave virus knowledge of Beamsappsrv1 protected share.

Page 16: Attacked-WebServer

Individual Web server supported by one of the BD Departments.

14:21 NAV stopped infected files from being written to D:\public open share.

This gave the virus knowledge of shares on two other computers managed by this group (Attacked-Desktop1 and Attacked-Desktop3).

Page 17: Attacked-Desktop1

This is a user desktop computer

14:22 NAV stopped infected files from being written to c:\”username” open share.

Page 18: Attacked-Desktop2

Another user desktop computer.

14:22 NAV stopped infected files from being written to c:\public open share.

Page 19: Attacked-Desktop3

14:37 NAV stopped infected files from being written to c:\imsi open share and all of its subdirectories.
– Share created by an application installation.
– Administrators need to lock down shares created to share application data.

Page 20: Beamsappsrv1

This server runs Key Access, is a license server and is a FileMaker 4.1 server.
– All of which were not available for about 24 hours due to the attack.

14:32 NAV stopped infected files from being written to the protected share which housed a FMPro database
– Attacked-Console was logged into this database, which gave the virus knowledge of this share.

Page 21: Attacked-Desktop4

Another desktop computer.

14:34 NAV stopped infected files from being written to c:\public share.

Page 22: Beamssrv1

14:36-15:06 NAV stopped infected files from being written to the protected \\beamssrv1\profiles share.
– Knowledge of this share was made available through the Hacked-Desktop1 user’s roaming profile.
– Even though the user did not have a roaming profile, he had not logged out since the profile was changed to local, so the local computer still was attached to the profile directory.

15:06 Beamssrv1 was removed from the network.

Page 23: Hacked-Desktop3

15:25 to 15:30 NAV stopped infected files from being written to the hard drive.

Virus accessed computer via the root drive shares used by Hacked-Desktop2’s backup system.
– Share was Authenticated Users = Full Control
– Drives were FAT, not NTFS

NAV failed when the drive ran out of disk space while quarantining files.

Page 24: Beamssrv1

17:15 Virus Definitions said that they were the most recent; however, the date on them showed a date that was three weeks earlier.
– Manually downloaded definitions and burnt them to CD.
– Applied them to Beamssrv1 manually from the CD.
– Dwhwizrd.exe process started eating CPU cycles and Beamssrv1 hung.

17:30 Beamssrv1 rebooted and reapplied virus definitions from CDROM.

Page 25: Beamssrv1

17:45 Began a manual virus scan of Beamssrv1
– NAV was flagging hundreds of C:\WinNT\dwh****.tmp files as being infected.
  All were created after Beamssrv1 was disconnected from the network, around the time that the virus definitions were loaded.
– While Beamssrv1 was scanning we tracked down the other infected computers, shut off their network ports, and began to visit them to investigate the problem.

Page 26: Beamssrv1

19:30 Beamssrv1 still scanning

Attempted to call NAV Gold Card tech support, but they are only open from 5am to 5pm Pacific Time.

Midnight: Did all that we could do at that point. Went home and let Beamssrv1 scan overnight.

Page 27: Beamssrv1

8am to Noon the next day:
– Worked with Andy Romero from CD
– Talked to NAV Support
  DWH****.tmp files were created by a corrupt set of virus definitions.
  Beamssrv1 was not compromised.
– Manually scanned Beamssrv1 from a hardened server
  Placed both servers on an isolated hub
  Completed a network scan from the hardened server to Beamssrv1.

Noon: Computing Security gives permission to put Beamssrv1 and Beamappsrv1 back on the network.

Page 28: Cleanup

The next few days were spent:
– Gathering information from the infected computers
– Documenting the incident for Computer Security
– Monitoring Beamssrv1 for further suspicious activity
– Educating Local Administrators and Users on the hazards of
  Open shares
  Unpatched systems

Local administrators needed to rebuild:
– Hacked-Desktop1
– Hacked-Desktop2
– Hacked-Desktop3

Page 29: Lucky-Desktop2

Two days after the attack:
– The Wednesday administrative NAV scan found and quarantined infected files in an open share.
– How did the files get there?
  The computer had an open share
  NAV Real-time protection was turned off on this computer.
– Luckily the user did not execute the infected files before NAV quarantined the files.

Page 30: Repeat performance?

One week later:
– One protected Beamssrv1 user share was being attacked with the same virus files.
– NAV stopped files from being written to Beamssrv1.
– PDC/BDC event log showed that that user had logged into three different computers during the time of the attack.

Took those computers off the network
– Attempted file writes to Beamssrv1 stopped

Began visiting the computers

Page 31: Attacked-Desktop5

The user’s primary desktop.

NAV stopped viruses from being written to two “Open Shares” that had the same names as the shares being written to on Beamssrv1.

Page 32: Macintosh?

The other share accessed by this user account was on a Macintosh:
– User set up a Dave SMB file share on his Macintosh for access from his PC.
– NAV was installed on this Mac and it was scanned. No virus files were found.

Page 33: Hacked-Desktop3

Windows 98 PC
No NAV installed
Many open shares with the same names as those on the user’s Z: drive and on Lucky-Desktop3.

Computer had infected files in every subdirectory

This computer was compromised and needed to be rebuilt.

Page 34: Summary: Who was involved

Hacked Desktops = 3
Attacked but not hacked = 3
Attacked Controls System Console = 1
Infected but virus not executed = 2
Macintosh = 1
Local backup systems involved = 1
Local web servers involved = 1
Domain Servers involved = 2

Page 35: How did this happen?

Most of the damage could have been avoided and was due to the following mistakes, all of which violate our documented setup and usage procedures.
– Operating System Service Packs were out of date
– Users and Administrators created Open Shares
– Users were sharing files from their workstation instead of using Beamssrv1
– Users were doing their work from an account that has administrative privileges
– Users were not logging out
– NAV real-time protection was turned off on one computer
– NAV was not installed on another computer.
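The share mistakes listed above (drive-root backup shares, open shares granting broad groups Full Control, shares on FAT volumes with no NTFS ACLs behind them) are the kind a local administrator can audit by script. The PowerShell below is an added example, not from the slides or the Beams Division; it assumes the SmbShare module of Windows 8 / Server 2012 or later (so it would not run on the NT/2000/98 hosts in this incident), and the Get-RiskyShares name and the list of broad principals are my own choices.

```powershell
# Added example: audit this host's SMB shares for the misconfigurations
# that let the 12-11-01 attack spread. Assumes the SmbShare module
# (Windows 8 / Server 2012+) and an elevated session.

# Principals that make a share an "Open Share" when given write access.
# Assumption: extend this list with your own domain-wide global groups
# (the slides name "Beams Key Access" and department groups as examples).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users'
)

function Get-RiskyShares {
    param([string[]]$Broad = $BroadPrincipals)

    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); the
    # incident involved shares people created, not these.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        $findings = New-Object 'System.Collections.Generic.List[string]'
        $path = $share.Path

        # 1. Share rooted at a drive: what Hacked-Desktop2's backup used.
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings.Add('share exposes the root of a drive')
        }

        # 2. Broad principal allowed Change or Full Control on the share.
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $isBroad = $Broad -contains $ace.AccountName
            $isWrite = $ace.AccessRight -in @('Change', 'Full')
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $isWrite) {
                $findings.Add("$($ace.AccountName) has $($ace.AccessRight) access")
            }
        }

        # 3. Non-NTFS volume: share permissions are the only barrier,
        #    as on Hacked-Desktop3 (FAT, Authenticated Users = Full Control).
        if ($path -match '^([A-Za-z]):') {
            $vol = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
            if ($vol -and $vol.FileSystem -ne 'NTFS') {
                $findings.Add("volume is $($vol.FileSystem), not NTFS")
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Share    = $share.Name
                Path     = $path
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Run from an elevated prompt on each desktop; an empty table means no
# share matched any of the three checks.
Get-RiskyShares | Format-Table -AutoSize
```

Run it on each desktop before it goes back on the network; a hit on check 2 or 3 is the configuration the "Attacked" and "Hacked" hosts above had in common.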

Page 36: Today’s topic: Security

Quick overview of Computer Security Vulnerabilities
Virus attack on Beamssrv1
How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
Local admin access to IP/License database
FileMaker Pro IP/License database lab

Page 37: User Education

– It is important that we encourage users to use their computer in a way that will not make it likely to cause a security problem:
  Do not open unknown email attachments.
  Do not respond to virus hoax emails without consulting an expert first.
  Do not create Open Shares
  Don’t give your password to other people
  Lock your screen when you leave your desk
  Logout at night
  Leave your computer on at night
– This is hard to control at times because the average user is not a computer expert and does not understand the consequences of their actions. They are only trying to do their job.

Page 38: User Education: Computing Division’s Approach

Computing Division has two monthly talks.
– PC Manager’s Meeting: http://www-csi.fnal.gov/talks/
– Security Roundtable: http://computing.fnal.gov/security/RoundTables/index.html

CD also offers periodic training classes: http://fnalpubs.fnal.gov/train-dev/index.html

CD’s philosophy is to push the management as close to the desktop as possible.

Page 39: User Education: Beams Division Approach

Beams Division tries to pass on the information from the Computing Division talks to all of the departments and groups through
– Regular Emails sent to:
  Local Administrators
  Department Heads
  Group Leaders
– The local administrator meetings

To review slides from recent talks, see: http://www-bdnew.fnal.gov/network/localadmin-meetings.htm

Page 40: User Education: Beams Division’s Approach

Beams Division also provides documentation to help the user set up and use their Beams Account.

The Domain Users Guide can be viewed at: http://www-bdnew.fnal.gov/network/WinNT%20User%20Docs.htm

The Beams Account setup document can be viewed at: http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm

Page 41: Today’s topic: Security

Quick overview of Computer Security Vulnerabilities
Virus attack on Beamssrv1
How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
Local admin access to IP/License database
FileMaker Pro IP/License database lab

Page 42: Virus Threats

Different Categories
– Virus – Computer programs that spread from one file to another via human action.
– Worm – Computer programs that are designed to copy themselves from one computer to another over the network without human intervention.
– Trojan Horse – Computer code hidden at the end of another computer program that, when executed, performs tasks at whatever permission level the user has.

Page 43: Virus Incidents

We average between 3 and 6 identified virus incidents a week.
– Each incident takes time to investigate to ensure that the local computer is not infected.

Many of the virus incidents that we see are the result of users downloading virus files while connected to offsite mail servers.
– This used to be against computing policy
– It is now an acceptable practice

Page 44:

Virus Hoaxes

• Virus hoaxes are spread via email.
– They tell users to take unnecessary and sometimes harmful actions.
– Usually tell users to send to everyone they know
• I deal with about 1 of these per week.
• Time and resources go into defusing and recovering from any unnecessary action taken.
• One user called Computer Security over a virus hoax and they had him disconnect his computer from the network until the next morning!
• There are so many virus hoaxes that Symantec has a virus hoax encyclopedia at http://www.sarc.com/avcenter/hoax.html

Page 45:

Computing Division Virus Approach

• How is Computing Division trying to protect us from virus infections:
– Mail Gateway (smtp.fnal.gov) has virus protection
– Mail Servers (Imapserver1, etc.) have virus protection
– Encouraging users to have virus protection on their desktops.
– Encouraging groups to implement Norton's SSC management

Page 46:

SSC implementations labwide

• Last year I gave a talk to CD on implementing the NAV Server. See slides at http://www-bdnew.fnal.gov/network/Local%20Admin%20Talks/PC%20Managers%201-23-01_files/frame.htm
• Since then other divisions have adopted the Norton SSC Console as a standard.

Page 47:

Virus Protection: Beams Division Implementation

• There are three layers of virus protection when you read your lab email.
– The FNAL Mail Server filters your email for viruses
– Beamssrv1 filters your email for viruses if you have your Netscape profile on the server
– Your local client computer should have Norton Antivirus

Page 48:

Beams Division: NAV implementation

• Provide a Norton Antivirus installation point on Beamssrv1 for workstation installations.
• Provide Local administrator installation instructions on our web page:
– Win2k: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#NAV
– WinNT: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#NAV

Page 49:

Beams Division: NAV implementation

• BD User setup instructions inform users never to turn off real-time protection. See the following for details: http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm#NAV

Page 50:

Beams-nav-srv

• How will we manage NAV installation and updates?
• New COMPAQ Proliant ML370 server
• Dual 1GHz processor
• 1GB RAM
• Will upgrade to GigE network connection.

Page 51:

Symantec System Center

• Beams-nav-srv will run the Norton Symantec System Center to manage the virus definitions.

Page 52:

SSC Main Screen

Page 53:

SSC Virus Detection

• When a virus is detected by a workstation, it sends this information to the SSC server. The SSC will be able to see:
• Which workstations are infected
• What virus was detected
• What file(s) were infected
• What action was taken by NAV

Page 54:

SSC logfiles

Norton Antivirus logfiles can show virus history for any computer that is managed by the SSC.

Page 55:

SSC logfiles

Event Log: Shows any configuration changes, virus definition downloads, and any files not scanned.

Page 56:

SSC logfiles

SSC logfiles can also show when virus scans are completed

Page 57:

SSC Management Tasks

The SSC Console can also edit properties or complete common tasks for one, multiple or all computers managed by the SSC.

Page 58:

SSC Management Tasks

• Can set real-time protection options from the SSC console
• More options are available from the ADVANCED tab

Page 59:

SSC Management Tasks

Advanced Options

Page 60:

SSC Management Tasks

You can manually start a NAV virus scan on any workstation from the SSC console

Page 61:

SSC Management Tasks

We can set the virus scan schedule for all of the workstations from the SSC console

Page 62:

SSC Management Tasks

We can view a list of detectable viruses for any workstation from the SSC console

Page 63:

SSC Management Tasks

We can manage the virus definition updates from the SSC console

Page 64:

Today's topic: Security

• Quick overview of Computer Security Vulnerabilities
• Virus attack on Beamssrv1
• How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
• Local admin access to IP/License database
• FileMaker Pro IP/License database lab

Page 65:

Passwords

• Password protection is the basis for Computing Division's Kerberos implementation.
– Don't want non-kerberos passwords going over the network.
• For details, see the strong authentication webpage: http://www.fnal.gov/docs/strongauth/

Page 66:

Passwords: Kerberos in Beams

• Kerberos for Windows was the topic of the last local administrator meeting. The slides to this talk can be reviewed at: http://www-bdnew.fnal.gov/network/Local%20Admin%20Talks/Local%20Admin%20Meeting%2011-20-2001.htm

Page 67:

Kerberos Exemptions Clarified

• CD has pronounced the site kerberized as of 1-1-02.
• Any node offering non-kerberos services on the network needs an exemption from Computing Security.
• Exemptions were supposed to be filed by 1-1-02.
• Computing Division will be scanning for non-compliance.

Page 68:

Windows Exemption

• Windows NT/2000 computers use NTLM to login to the Windows NT domain.
– NTLM is less secure than kerberos
• The Windows exemption covers:
– Domain login to the Windows NT 4.0 domain
– Lasts only as long as the Win2k migration schedule permits

Page 69:

Windows Exemption

• After the Win2k Migration:
– Win2k Workstations logging into the Win2k Domain will use kerberos for authentication.
– WinNT Workstations will be forced to upgrade their authentication to NTLMv2.
– The migration is not complete until all users, workstations and servers are moved to the Win2k domain.
• The Win2k migration schedule can be viewed at: http://www-win2k.fnal.gov/

Page 70:

What Windows and Macintoshes need exemptions?

• Any computer that runs an FTP server or equivalent.
• Any computer that runs a Telnet server or equivalent.
• Running remote control software that other computers can connect to:
– Timbuktu
– PC Anywhere
– VNC
– WinCenter
– Terminal Server
– Any other remote control software

Page 71:

What Windows and Macintoshes need exemptions?

• Any file shares on a PC or Macintosh.
– Every user who wants a file share on their PC will have to file for an exemption!!!
– Win2k/NT Central File Server shares will still be allowed as per the Win2k migration guidelines.
– After the Win2k migration, all access to the Win2k Central File Server shares will need to use kerberos, or possibly NTLM v2 for a limited time.
• Computer Security says that administrative shares such as C$, D$, ADMIN$, etc. do not need exemptions.

Page 72:

Exemptions: Computing Division Scans

• Computing Division has started scanning for non-kerberos services offered on the network. So far this includes:
– FTP Servers
– Telnet Servers
– An old version of SSH that has a security hole, but will soon be scanning for any non-kerberized ssh.
• Computing Division plans on expanding the scope of this scan over the next year to search for more non-kerberized services.

Page 73:

Filing Exemptions

• How do you file an exemption?
• Go to http://www.fnal.gov/docs/strongauth/misc/exemption.html
• Copy the form off of the web page
• Email the answers to our Assistant GCSC (General Computer Security Coordinator), Tim Zingelman at [email protected]
• Tim should also be able to answer any questions you have concerning exemptions.

Page 74:

Today's topic: Security

• Quick overview of Computer Security Vulnerabilities
• Virus attack on Beamssrv1
• How to avoid future attacks
– User Education
– Virus Protection
– Protecting Passwords
– Operating System configuration and patches
– Application configuration and patches
• Local admin access to IP/License database
• FileMaker Pro IP/License database lab

Page 75:

Operating System Vulnerabilities or Misconfigurations

• Unpatched operating systems or poorly configured operating systems are easy targets for viruses and hackers to compromise your computer.
• Recall that the attack on Beamssrv1 earlier in the talk was started with a computer being compromised because it had out of date service packs.

Page 76:

OS Vulnerabilities: Computing Division Response

• Computer Security informs us that we have to keep our systems patched and configured properly.
– Patches are available on PCKits, but most users don't have FNAL Domain accounts.
– No centrally managed mechanism to handle patches.
• Computing Division is starting to implement security scans to look for non-compliant nodes:
– Problems:
  – Windows scans are not recent
    – SP3 is more than years old
  – They tried to do too much too soon without fully understanding what packets their scanner was outputting.

Page 77:

Beams Division Operating System Configuration

• Microsoft Operating systems are not secure with the default settings.
• We have complete setup instructions to ensure a secure setup located at:
– Win2K Administrative Setup: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm
– WinNT Administrative Setup: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm

Page 78:

OS Vulnerabilities: Service Packs and Hotfixes

• Microsoft Operating systems have service pack updates every 6 months to a year.
– Service packs patch security holes and fix software bugs and incompatibilities
• In between service pack releases, Microsoft releases patches called hotfixes.

Page 79:

Latest Service Pack Information

• Latest service pack and hotfix information can be found on our web page at: http://www-bdnew.fnal.gov/network/latest-os-service-packs.htm

Page 80:

What is the current Win2k Service Pack and Hotfix level

• SP2
– MS00-077-Q299796
– MS01-007-Q285851
– MS01-013-Q285156
– MS01-022-rbupdate
– MS01-025-Q296185
– MS01-031-Q299553
– MS01-033-Q300972
– MS01-037-Q302755
– MS01-040-Q292435
– MS01-041-Q298012
– MS01-046-q252795

Page 81:

Win2K Service Packs

• How do you check what service packs and hotfixes you have?
• Check service pack level by doing a "winver" from the command prompt.
• Check hotfix levels by looking in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix.

Page 82:

What is the current WinNT Service Pack and Hotfix level

• SP6a
• Hotfixes
– Q299444 rollup
– ms01-022-rbupdate
– Q305399

Page 83:

WinNT Service Packs

1. Check service pack level by doing a "winver" from the command prompt.
2. Check hotfix levels by looking in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\

Page 84:

Beams Division Service Pack and Hotfix Scripts

• A reboot is required after a service pack installation to load the drivers.
• A reboot is also usually required after each individual hotfix application.
– Required because hotfix application must be done in the correct order, since some patches override changes made in earlier patches

Page 85:

Beams Division Service Pack and Hotfix Scripts

• Beams Division maintains service pack installation scripts that:
– Install the latest Service Packs
– Install the latest hotfixes
– Run a QCHAIN utility to ensure that all of the patches get applied to the OS in the correct order.
– A single reboot at the end of the script.

Page 86:

Beams Division Service Pack Installation

• Beams Division has all of the Service Pack scripts available on Beamssrv1 with shortcuts located at \\beamssrv1\win2k-setup or \\beamssrv1\winnt-setup.
• Installation instructions are located on our web page at:
– Win2K: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#SP2
– WinNT: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#ServicePack

Page 87:

Beams Division Service Pack and Hotfix Scripts

• Each time we update a service pack or hotfix, we send out an email notification to all of the local administrators.
• It is important to apply the service packs and hotfixes as they become available.
• Latest data shows that active attacks are started on average 2 weeks after an exploit is revealed.
• Fermilab is probed every day.
• Computers have been hacked within hours of them being added to the network.
• Our goal is to start central management of Service Packs and hotfix patches.

Page 88:

Beams-nav-srv

• Goal is to centrally manage service packs and hotfixes with Gravity Storm Service Pack Manager.
• Plan to use Beams-nav-srv to complete this task.
• Testing shows that Norton SSC and Gravity Storm Service Pack Manager can be run on the same server.

Page 89:

Service Pack Manager: Opening Screen

Page 90:

SP Manager Net Query

Shows SP and hotfixes for each selected computer

Page 91:

SP Manager Export Data

[Screenshot: exported data for BEAMS\LESIAK (NT 4.0 SP6a, Enhanced Encryption: 128bit, Workstation), followed by its list of installed hotfixes with Microsoft bulletin number, patch title and Q article number.]


The Export Data option lets you save all of the service pack information to an Excel Spreadsheet for further analysis.

Page 92:

Analyze Data

[Spreadsheet excerpt, queried 1/3/2002: WinNT 4.0 workstations sorted by service pack level.]
SP3: BEAMS\DARIA, BEAMS\KRSMMI, BEAMS\MIBLT, BEAMS\PSYCHE, BEAMS\SHILTSEV
SP4: BEAMS\ANESTANDER, BEAMS\AYRESPC, BEAMS\BDRFIME, BEAMS\CJAMESPC, BEAMS\MINJECTOR, BEAMS\PACE, BEAMS\RICHARDSON, BEAMS\ADMX09, BEAMS\AESOOKPC, BEAMS\BDRFIJVB, BEAMS\OEDIPUS
SP5: BEAMS\BDESH01, BEAMS\BDRFIBC, BEAMS\BDRFIDAM, BEAMS\BDRFIRP, BEAMS\BDRFITB, BEAMS\COOLER, BEAMS\MUONCOLLIDER3, BEAMS\PENELOPE, BEAMS\STEFANSKI-LAPTP, BEAMS\TBARNES, BEAMS\AURORA, BEAMS\GEMINI

• You can then sort the data.
• In this example I sorted the computers by Service Pack to show you the worst offenders among the WinNT 4.0 computers.
• These computers are all potentially security threats.
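A patch-level audit in the spirit of the Service Pack Manager analysis above, as an added example that is not the division's own scripts or Gravity Storm's tool: it parses rows in the Net Query export format, ranks each host's service pack against the levels on the earlier slides (Win2k SP2 and WinNT SP6a with their hotfix lists), and checks the names that would be read from the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix subkeys. Hostnames, hotfix sets and the "Win2k" OS token are constructed sample data, and it is assumed that the registry subkey names carry the Q article number.

```python
"""Service pack and hotfix compliance audit for a workstation inventory.

Added example; not the Beams Division scripts or Gravity Storm's Service Pack
Manager.  Rows follow the shape of the SP Manager Net Query export on the
slides ("BEAMS\\DARIA WinNT 4.0 SP3 1/3/2002").  Per-host hotfix lists stand in
for the subkey names found under
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix; it is assumed
those names carry the Q article number.  All hosts below are constructed.
"""
import re
from collections import Counter, defaultdict

# Required levels as listed on the "current service pack and hotfix level" slides.
REQUIRED = {
    "Win2k": ("SP2", [
        "MS00-077-Q299796", "MS01-007-Q285851", "MS01-013-Q285156",
        "MS01-022-rbupdate", "MS01-025-Q296185", "MS01-031-Q299553",
        "MS01-033-Q300972", "MS01-037-Q302755", "MS01-040-Q292435",
        "MS01-041-Q298012", "MS01-046-q252795",
    ]),
    "WinNT 4.0": ("SP6a", ["Q299444 rollup", "ms01-022-rbupdate", "Q305399"]),
}

ROW_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<os>WinNT 4\.0|Win2k)\s+(?P<sp>SP\d+[a-z]?)\s+(?P<date>\S+)$"
)


def sp_rank(sp):
    """Order service pack labels: SP0 < SP1 < ... < SP6 < SP6a."""
    m = re.fullmatch(r"SP(\d+)([a-z]?)", sp, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised service pack label: %r" % sp)
    return int(m.group(1)) + (0.5 if m.group(2) else 0.0)


def hotfix_id(label):
    """Normalise a slide label or registry subkey name to a comparable id.

    'MS01-046-q252795' -> 'Q252795'; 'Q299444 rollup' -> 'Q299444';
    'ms01-022-rbupdate' (no Q number) -> 'MS01-022-RBUPDATE'.
    """
    m = re.search(r"\bQ\d{6}\b", label, re.IGNORECASE)
    if m:
        return m.group(0).upper()
    return label.split()[0].upper()


def parse_export_line(line):
    """Split one export row into host, os, sp and date fields."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("cannot parse export row: %r" % line)
    return m.groupdict()


def missing_hotfixes(os_name, installed):
    """Required hotfixes (normalised ids) absent from the installed subkey names."""
    _, required = REQUIRED[os_name]
    have = {hotfix_id(name) for name in installed}
    return {hotfix_id(r) for r in required} - have


def audit(export_lines, hotfix_keys):
    """Histogram of service pack levels per OS plus the non-compliant hosts.

    hotfix_keys maps host -> list of Hotfix subkey names read on that host.
    Non-compliant hosts are sorted worst first (lowest service pack, then name).
    """
    histogram = defaultdict(Counter)
    noncompliant = []
    for line in export_lines:
        row = parse_export_line(line)
        histogram[row["os"]][row["sp"]] += 1
        required_sp, _ = REQUIRED[row["os"]]
        reasons = []
        if sp_rank(row["sp"]) < sp_rank(required_sp):
            reasons.append("service pack %s below %s" % (row["sp"], required_sp))
        missing = missing_hotfixes(row["os"], hotfix_keys.get(row["host"], []))
        if missing:
            reasons.append("missing " + ", ".join(sorted(missing)))
        if reasons:
            noncompliant.append({"host": row["host"], "os": row["os"],
                                 "sp": row["sp"], "reasons": reasons})
    noncompliant.sort(key=lambda h: (sp_rank(h["sp"]), h["host"]))
    return {"histogram": {os_name: dict(c) for os_name, c in histogram.items()},
            "noncompliant": noncompliant}


# Constructed sample data (not the real export shown on the slide).
SAMPLE_EXPORT = [
    r"BEAMS\SAMPLE01 WinNT 4.0 SP3 1/3/2002",
    r"BEAMS\SAMPLE02 WinNT 4.0 SP6a 1/3/2002",
    r"BEAMS\SAMPLE03 WinNT 4.0 SP6a 1/3/2002",
    r"BEAMS\SAMPLE04 Win2k SP1 1/3/2002",
    r"BEAMS\SAMPLE05 Win2k SP2 1/3/2002",
]
SAMPLE_HOTFIX_KEYS = {
    r"BEAMS\SAMPLE02": ["Q299444", "Q305399"],  # rbupdate not applied
    r"BEAMS\SAMPLE03": ["Q299444", "MS01-022-rbupdate", "Q305399"],
    r"BEAMS\SAMPLE05": [hotfix_id(r) for r in REQUIRED["Win2k"][1]],
}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, SAMPLE_HOTFIX_KEYS)
    for os_name, counts in sorted(report["histogram"].items()):
        print(os_name, dict(sorted(counts.items())))
    for host in report["noncompliant"]:
        print(host["host"], host["sp"], "-", "; ".join(host["reasons"]))
```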

Page 93:

Analyze WinNT Service Pack Data

[Chart: Windows NT 4.0 Workstation Service Pack Audit. X-axis: Service Pack Level (SP0, SP1, SP2, SP3, SP4, SP5, SP6, Unknown); y-axis: Number of Computers (0 to 140).]

Results are far better than 6 months ago, but we still have a way to go.

Page 94:

Analyze Win2k Service Pack Data

[Chart: Windows 2000 Professional Service Pack Audit. X-axis: Service Pack Level (SP0, SP1, SP2, Unknown); y-axis: Number of Computers (0 to 120).]

Win2k Data is surprisingly bad!

Page 95:

SP Manager: Install Service Pack

We will show how to install a service pack to a workstation using Service Pack Manager run from Beams-nav-srv

Page 96: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

• Select the computer or computers that you want to install a service pack to.
• Select the service pack that you wish to install.
• Right-click and choose to install the service pack.

Page 97: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

Start Win2k SP2 install to \\saugeye from \\beams-nav-srv

Page 98: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

Files are copied from \\beams-nav-srv to \\saugeye

Page 99: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

Task Manager on \\saugeye shows that CPU usage jumps up to 30-40% while the service pack installation files are being copied from \\beams-nav-srv

Page 100: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

\\beams-nav-srv finishes copying files to \\saugeye

Page 101: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

Service Pack installation begins on \\saugeye

Page 102: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

File Extraction and Task Manager show activity on \\saugeye

Page 103: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

Service Pack installation begins on \\saugeye

Page 104: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

After installation, SP Manager reboots \\saugeye

Page 105: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

After the reboot, you can run NetQuery to verify installation

Page 106: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install Service Pack

NetQuery after the service pack installation shows that the service pack was installed properly.

Page 107: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install hotfixes

Here is an example of installing hotfixes to two computers

Page 108: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install hotfixes

• Select the computer(s) to update.
• Select the hotfixes to install.
• Right-click and select to install to the selected computers.

Page 109: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install hotfixes

Countdown timer starts

Page 110: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install hotfixes

After installation is complete, a popup window appears informing you that the task is done.

Page 111: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Install hotfixes

Green indicators show that the hotfixes have been installed.

Page 112: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Today's topic: Security
• Quick overview of Computer Security Vulnerabilities
• Virus attack on Beamssrv1
• How to avoid future attacks
  – User Education
  – Virus Protection
  – Protecting Passwords
  – Operating System configuration and patches
  – Application configuration and patches
• Local admin access to IP/License database
• FileMaker Pro IP/License database lab

Page 113: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

What we do to prevent application compromises

• Application security compromises are becoming a large concern.
• A poorly configured or unpatched application can lead to a system compromise the same way that a poorly configured or unpatched operating system can.
• To maintain a secure system, it is important to:
  – Keep recent and patched applications on your computer.
  – Follow our setup instructions when installing and configuring applications on your computer.

Page 114: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Application Vulnerabilities

Common targets include:
– Internet Explorer
– Outlook Express
– Outlook
– Netscape
– Adobe Acrobat
– IIS and Peer Web Services

Page 115: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Latest Applications and their patches

To simplify this process, we keep a web page that lists the latest applications along with the required patch level at:

http://www-bdnew.fnal.gov/network/latest-software-versions.htm

Page 116: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Latest Supported Software

• Acrobat 5.0 reader
• Diskeeper 7
• Exceed 7 with 7.0.0.12 patch
• FileZilla 1.5a
• Ghostview 4/Ghostscript 7
• IE 6 + MS01-058_q313675
• Leash32 2.0.1.0
• Meeting Maker 7.0.1

Page 117: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Latest Supported Software

• Microsoft Office 2000 sr1a + Sp2 + Q288266 + Q306603 + Q306604 (Disc 1 and 2)
• Netscape 4.77
• Norton Antivirus 7.6
• WinZIP 8.0

Page 118: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Installation Instructions

Installation shortcuts for all of our applications exist at \\beamssrv1\winnt-setup or \\beamssrv1\win2k-setup.

Installation instructions exist at:
– Win2k: http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#Part_4
– WinNT: http://www-bdnew.fnal.gov/network/WinNT%20Admin%20Setup.htm#Part_4

Page 119: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Application Setup Instructions

In addition, some applications require special configurations to ensure that they are secure. These instructions are located at:

http://www-bdnew.fnal.gov/network/WinNT%20User%20Setup.htm

Page 120: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Application Patches

One goal of ours is to centrally manage the application patches in the way that we are starting to manage the operating system patches.

SP Manager has the start of application patch management built in.

Page 121: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager: Application Patches

Service Pack Manager will allow you to install patches on the above applications, but will not let you do a version upgrade.

Page 122: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

SP Manager Applications

Here is an example of an IE patch scan

Page 123: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Application Vulnerabilities: Future

As application vulnerabilities become more frequent, we may wish to move on to a more aggressive application management plan.

Both SMS and Win2K Active Directory provide mechanisms for pushing application installations to the desktops.

Page 124: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Today's topic: Security
• Quick overview of Computer Security Vulnerabilities
• Virus attack on Beamssrv1
• How to avoid future attacks
  – User Education
  – Virus Protection
  – Protecting Passwords
  – Operating System configuration and patches
  – Application configuration and patches
• Local admin access to IP/License database
• FileMaker Pro IP/License database lab

Page 125: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

License Database

• Recently we merged our software license database with our existing IP Database.
• This is a FileMaker Pro Database
  – Currently runs on v4.0
  – Soon will be upgraded to version 5.5
• To simplify the update process, we are granting local administrators access to certain fields inside of this database.
• If you do not have FileMaker Pro 4.1 on your computer, you can use the following steps to access the database.
• When we convert to FileMaker 5.5, you will need to do a local installation of FileMaker 5.5.

Page 126: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Setup

• First, go to the FileMaker Pro directory on Beamssrv1.
• Drag a shortcut to your desktop.

Page 127: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Setup

• The first time that you enter FileMaker Pro, you will have to configure it.
• Hit Cancel at the opening screen.

Page 128: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Setup

• From the file menu, select Edit->Preferences->Application.
• Select TCP/IP as the network protocol.
• Click Done.
• The above steps only need to be completed the first time you use FileMaker Pro.

Page 129: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Open the Database

• Close down, then re-open FileMaker Pro.
• Select to Open an existing file, then click OK.

Page 130: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Open the Database

Click the Hosts button

Page 131: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Open the Database

• Single-click on Beamsappsrv1 in the local hosts menu.

Page 132: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Open Database

Double-click on ADNET IP Database.fp3 to open the database

Page 133: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Open the Database

• Type the secret password to access the FileMaker Pro IP Database controls.
• Click OK.

Page 134: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Open the Database

• The IP Database is now open!
• Click on Edit/Browse Records Detail Format to begin.

Page 135: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker Pro: Default View

Page 136: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating the Database

Do a Mode->Find from the file menu or press Ctrl-F to initiate a search.

Page 137: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating Database

• Next, type what you want to search for (* is the wildcard).
• The Nodename field is the name of the computer.

Page 138: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating Database

• After typing your search, press ENTER to complete the search.

Page 139: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating Database

• The records field will show how many matches there were to your search.
• Click on the top page of the notepad to go up one entry.
• Click on the bottom page of the notepad to go down one entry.
• Type a number in below the notepad to go to a specific entry.

Page 140: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating Database

• Clicking on Go To List format shows you all of your search matches in a list.
• Clicking on Go To Detail format takes you back.

Page 141: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

FileMaker: Navigating Database

Here is a properly filled out entry

Page 142: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Search Fields

• You can view, but not edit, these fields:
  – IP address = the registered IP address
  – Nodename = the computer name
  – Username = the primary user
  – Admin name = the local administrator
• To change them, fill out a network connection request at:
  http://www-bdnew.fnal.gov/network/net%20connection.asp

Page 143: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Search Fields

More entries that you can view or search on, but cannot edit.

Page 144: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• The group field is the department or group that owns the PC.
• Hint: If the group name is the same for all of your computers, it becomes an easy field to search to quickly review all of your computers.

Page 145: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• The Domain/Cluster is the Domain for Windows computers.
• With the Windows 2000 migration merging the Beams Domain with FNAL, it will be important to:
  – Identify which computers have migrated to the Win2k win.fnal.gov domain.
  – Move control system computers from the Beams Domain to the BD-Controls domain.

Page 146: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• The operating system that we have discovered with the Gravity Storm Service Pack Manager software.
• Use the format:
  – WinNT 4.0
  – WinNT 4.0 Server
  – Win2k
  – Win2k Server
• Change this field as you update the operating system on your computers.

Page 147: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• This is the service pack that we discovered with Gravity Storm Service Pack Manager.
• Update this field any time you apply service packs.
• You may want to enter the date you installed the hotfixes for your own reference.

Page 148: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Enter information into this field when you install Microsoft Office on your computer.
• The old Office 97 installations are no longer secure.
• Office 2000 + sr1 + sp2 + q288266 + q306603 + q306604 without keyserver is the currently supported version.

Page 149: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Enter information into this field when you update your Internet Explorer installations.
• There are only two supported IE versions:
  – IE 6 + Q313675 patch
  – IE 5.5 SP2 + Q313675 patch
• All other versions should be upgraded for security reasons.

Page 150: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Update this field when you update your Netscape installations.
• Netscape versions earlier than 4.75 should be upgraded for security reasons.

Page 151: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Update this field if you install Norton Antivirus.
• You could put the virus definition dates here if you wish to keep track of that.
• Versions prior to 7.0* are not supported under any operating system and should be upgraded.
• Versions prior to 7.5* need to be upgraded if you are running Win2k.

Page 152: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Diskeeper 7 is faster and more efficient than earlier versions.
• Modify this field when you upgrade Diskeeper.

Page 153: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

• Modify this field when updating Exceed versions.
• Exceed 7.0 was the first version to support Kerberos.
• The Exceed 7.0.0.12 patch is required to make Exceed usable.
• Exceed 7.1 changed its installation and has problems in our environment, so it is not supported yet.

Page 154: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Editing Database

Any time you edit any field in the database, please put a date and your initials in these fields.

Page 155: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Licensing Issues

• All computers with lab software need to be added to this database.
  – This includes home PCs.
  – Most software no longer uses concurrent licensing.
• Please send email to [email protected] with information on any computers that are not in the database that have laboratory software installed on them.
  – We will add these entries for you to maintain.

Page 156: Beams Division Local Administrators Meeting 1/11/2002 Brian Drendel

Today's topic: Security
• Quick overview of Computer Security Vulnerabilities
• Virus attack on Beamssrv1
• How to avoid future attacks
  – User Education
  – Virus Protection
  – Protecting Passwords
  – Operating System configuration and patches
  – Application configuration and patches
• Local admin access to IP/License database
• FileMaker Pro IP/License database lab