Dartmouth College LANDesk Security Standards Program Case Presentation From Compromised to Confidence

Post on 14-Dec-2015


Page 1: Dartmouth College LANDesk Security Standards Program Case Presentation From Compromised to Confidence

Dartmouth College LANDesk Security Standards Program Case Presentation

From Compromised to Confidence

Page 2

An Introduction to Dartmouth College

• Member of the Ivy League
• Located in Hanover, New Hampshire
• The nation's ninth-oldest college, founded in 1769
• Private, four-year, coeducational (since 1972) undergraduate college
• Graduate schools of business, engineering and medicine, and 16 graduate programs in the arts and sciences
• Colors are Dartmouth Green and white; nicknamed "The Big Green"
• Famous alumni:
  – Daniel Webster (1801)
  – U.S. Supreme Court Chief Justice Salmon P. Chase (1826)
  – Poet Robert Frost (1896)
  – Kanichi Asakawa, the founder of Asian Studies in the United States (1899)
  – E.E. Just, pioneering biologist (1907)
  – Theodor "Dr. Seuss" Geisel (1925)
  – Vice President Nelson Rockefeller (1930)
  – Former U.S. Surgeon General C. Everett Koop, M.D. (1937)
  – Former U.S. Labor Secretary Robert Reich (1968)
  – Louise Erdrich, writer (1976)

Page 3

From Compromise to Confidence: the Beginnings of the Standards Program

• Standards Program initiated 2 years ago
• Initial scope: create a standardized build of computers centrally managed via LANDesk (administrative computers and public kiosks).
• Infrastructure began with:
  – A DBMS server (MSSQL)
  – A Core Server
  – Roll-out of clients: Windows 2000 clients and Mac clients (the OS has changed since origination)

Page 4

Idealized Preconceptions Hit Reality

The Administrator's Perspective:

• Having migrated from a corporate to a college environment, I was thrust into a world with the following pre-existing conditions:
  – No border firewall!
  – No uniform system build!
  – No security standards on machines!
  – No personal firewalls on servers or workstations!
  – No patch solution!

"I thought initially I would roll out the core, database and clients, build some packages and create a single image to deploy to my users using LANDesk. And just keep things orderly etc… Then I found out some things that shook my world."

Tim Chiacchira, Enterprise Administrator

Dartmouth College


Page 5

So what’s next?

• Set up the LANDesk core and database server, right?

But something kept happening to my server… I could not figure it out.
  – Services would stop…
  – The system kept rebooting… on and on…

"What have I done wrong? … I have done this type of rollout in a larger environment. I swore someone was tampering with my boxes…" Tim Chiacchira


Page 6

RX for the Pre-Existing Condition?

Who has an administrative account on my systems!!!!

An inventory scan for every EXE on both my LANDesk and database servers revealed DameWare!

Page 7

RX for the Pre-Existing Condition: LANDesk!

• Goal: remove DameWare
• How? Initiated a policy in LANDesk so that when the DameWare application was detected by LANDesk's Software Licensing Monitor component, it would stop DameWare's execution and run the DameWare removal package.
• Next, install the LANDesk client on all the Windows servers
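As an added example, not from the deck and not LANDesk's own policy engine, this PowerShell script does on a single Windows server what the inventory scan and the detect-then-remove policy above describe: inventory every EXE, flag names matching a denylist built from the two tools the deck names (DameWare here, PWD.exe on a later slide), and with -Respond stop any running instance and quarantine the file. The scan roots, quarantine path and denylist patterns are this example's assumptions.

```powershell
param(
    [string[]]$Roots = @("$env:ProgramFiles", "$env:SystemRoot"),   # assumed scan roots
    [switch]$Respond,
    [string]$Quarantine = "$env:ProgramData\exe-quarantine"          # assumed location
)

# Constructed denylist for this example: the two executables the deck calls out.
$Denylist = @('DameWare*', 'PWD.exe')

function Get-ExeInventory {
    # One record per executable under the given roots; the SHA-256 lets a later
    # scan be diffed against this one instead of trusting file names alone.
    param([string[]]$Paths)
    Get-ChildItem -Path $Paths -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                FullName    = $_.FullName
                LastWrite   = $_.LastWriteTime
                Description = $_.VersionInfo.FileDescription
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-DenylistedExe {
    # Wildcard match of each inventory entry's file name against the denylist.
    param([object[]]$Inventory)
    $Inventory | Where-Object {
        $name = $_.Name
        @($Denylist | Where-Object { $name -like $_ }).Count -gt 0
    }
}

$inventory = @(Get-ExeInventory -Paths $Roots)
$inventory | Export-Csv -Path "$env:ProgramData\exe-inventory.csv" -NoTypeInformation
$rogue = @(Find-DenylistedExe -Inventory $inventory)

if ($rogue.Count -eq 0) {
    Write-Host "No denylisted executables among $($inventory.Count) EXEs."
    return
}
$rogue | Format-Table Name, FullName, LastWrite, Description -AutoSize

if ($Respond) {
    # Stand-in for the deck's "stop execution, then run the removal package":
    # kill any running instance and move the file aside for analysis.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($r in $rogue) {
        Get-Process | Where-Object { $_.Path -eq $r.FullName } | Stop-Process -Force
        Move-Item -Path $r.FullName -Destination $Quarantine -Force
    }
    Write-Host "Quarantined $($rogue.Count) file(s) to $Quarantine."
}
```

Run it from an elevated session; without -Respond it only reports, which is the safer first pass on a server whose administrators you have not yet identified.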


Page 8

RX for the Pre-Existing Condition: LANDesk


Outcome:
• LANDesk discovered a severe compromise!
• Movie pirates had been in existence for at least 1 year prior to my arrival at Dartmouth, with 11 servers in all affected, including the domain controller…
• The LANDesk policy removed and blocked the execution of the DameWare program!
• Pirates continued to actively attempt reinstallation to substantiate their claim on our network.

Page 9

RX for the Pre-Existing Condition: LANDesk


Outcome (continued):
• While we had no firewall on the border and Windows ports were accessible (so the EXE and its files could be placed back on the server), with every new pirate attempt DameWare execution was thwarted and removed thanks to LANDesk.
• As the next step, we purchased a border firewall and the Sygate personal firewall.
• LANDesk was already making our environment safer, but this was just the beginning.

Page 10

Wanted! More Than an Ounce of Prevention

• LANDesk needed on all our most critical desktops.
• 1,189 LANDesk clients on administrative computers and public kiosk machines
• At this time we did not have LANDesk Security and Patch Management (a.k.a. LANDesk Security Suite).

Page 11

Policy-based Management

• After LANDesk was deployed on all the Standards machines, we did the following:
  – Built a standardized image that included the Sygate firewall and LANDesk, and ensured it was NTFS.
  – A dual approach: deploying Sygate; using LANDesk to detect rogue EXEs such as PWD.exe (Password Dump); scanning for remnants of virus infection with removal tools from Symantec deployed via LANDesk; and blocking applications using softmon.exe, the software monitoring agent.
  – Utilized LANDesk to change security policy via a registry change, thus disallowing anonymous connections and enumeration of security accounts.
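The registry change in the last item corresponds to the Windows LSA "RestrictAnonymous" family of values. As an added example, not from the deck or from LANDesk, the PowerShell script below audits those values on a host and, with -Remediate, enforces them; the baseline values it expects are this example's assumption, since the deck does not list the exact settings Dartmouth pushed.

```powershell
param([switch]$Remediate)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline for this example (standard Windows value names).
$Baseline = [ordered]@{
    RestrictAnonymous         = 1   # block anonymous enumeration of shares
    RestrictAnonymousSAM      = 1   # block anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous logons are not part of Everyone
}

function Test-LsaAnonymousBaseline {
    # One record per value. A missing value is reported as drift so that it gets
    # written explicitly rather than relying on the OS default.
    $props = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Name      = $name
            Expected  = $Baseline[$name]
            Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

function Set-LsaAnonymousBaseline {
    # Writes every baseline value as a REG_DWORD; requires an elevated session.
    foreach ($name in $Baseline.Keys) {
        Set-ItemProperty -Path $LsaPath -Name $name -Value $Baseline[$name] -Type DWord
    }
}

$report = Test-LsaAnonymousBaseline
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) {
    Write-Host 'LSA anonymous-access settings match the baseline.'
} elseif ($Remediate) {
    Set-LsaAnonymousBaseline
    Write-Host "Remediated $($drift.Count) value(s); re-run without -Remediate to verify."
} else {
    Write-Host "$($drift.Count) value(s) drifted; run with -Remediate to enforce the baseline."
    exit 1
}
```

The non-zero exit on drift lets a management tool or scheduled task treat the audit as a compliance check, which is how a policy-based deployment like the one above keeps the setting from silently reverting.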

Page 12

The Foundation: OSD at a Glance

• Next phase: upgrade everyone's image
• Result accomplished easily using OSD (Operating Systems Deployment).
• LANDesk provides two core ways to image a desktop or capture an image of one:
  1. PXE (Pre Execution Environment)
  2. Agent-based OSD

Page 13

The Foundation Improved

• The uses of LANDesk up to this point:
  – OSD of a new, more secure image
  – Inventory scanning provides information on malicious executables on workstations.
  – LANDesk to deploy patches and applications.
  – Remote control and support: in the last 7 months we have logged over 1,006 hours of remote control assistance.
  – Reporting is very flexible and powerful, and I can produce amazingly useful reports via LANDesk.

"I have used other inventory tools and have found them wanting… And newer things coming out in LANDesk 8.6 are going to make reporting so wonderful…"

Tim Chiacchira

Page 14

LANDesk Security Suite Arrives

• I never knew how much I was missing in my environment until I implemented Security Suite in my Standards Program machines.

• Dartmouth was formerly 100 percent vulnerable (spyware, malware, virus leftovers, security issues such as blank passwords, null shares, blank SA accounts on SQL servers, etc.)

"I just was one person trying to patch on the fly and do what I could. But this tool… well, LANDesk Security Suite showed me that one person cannot do it alone without such a tool as this."

Tim Chiacchira

Page 15

Vulnerable Systems Pre-LANDesk Security Suite: Code RED

“If I were to show you a chart of my vulnerable systems when I implemented LANDesk Security Suite, I would show you a red pie chart with no blue in it… The red indicating a 100% vulnerable system.”

Tim Chiacchira

[Pie chart: Vulnerability, shown entirely in red]

Page 16

The State of Vulnerability 3 Days Post Deployment of LANDesk Security Suite

Within 3 days of implementing LANDesk Security Suite into our infrastructure:
  – All machines, with the exception of 12 stubborn machines (no fault of LANDesk), were patched (see remaining red below)
  – Spyware removed
  – Reports on security issues sent out and resolved
  – "I was proud, but also thankful, as it could not have been accomplished without LANDesk." Tim Chiacchira

[Pie chart: vulnerable problem machines = 12, post-LANDesk]

Page 17

Even still…

• While machines are potentially vulnerable, they remain in that vulnerable state for only an instant. That is all the time it takes to remove cookies and patch them quickly by pushing out a new patch.

• If spyware is involved, it is summarily removed; if the spyware cannot be removed, support is dispatched. A desktop support representative is dispatched after being sent an email with the specs of the vulnerable machine.

• “I just love it.”

Page 18

Some Q & A

Q. How many total computers campus-wide at Dartmouth?

A. 7,300, about 200 of which are servers.

Q. How many of those have LANDesk Management Suite?

A. 1236, including 87 servers.

Q. How many have LANDesk Security Suite?

A. Currently 608; will be 6000 by the end of term.

Q. Can you attach a dollar figure to anything in terms of savings?

A. Thousands of patches deployed at once in one day… Value = priceless… These tools have easily saved us from hiring 2 more techs.

Page 19

A Summary of the Standards Program Success

• This system has proven completely effective. LANDesk, as one of Dartmouth College's multi-layered security changes, has made our Standards environment stable.

• The environment has now been extended to our students, staff and faculty.

• We purchased 6000 LANDesk Security Suite nodes to take advantage of this tremendous enterprise management toolset.

• Our first 900 machines should be in the database working right now to give our clients a stable working environment.