ouhsc information security update
DESCRIPTION
OUHSC Information Security Update. IT, Information Security Services Randy Moore Nathan Gibson Greg Bostic. Security Project Update. Active Directory Cleanup Project “Cleaning the house” -- getting rid of old computer accounts Active Directory GPO project Establishing a security baseline - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/1.jpg)
OUHSC Information Security UpdateOUHSC Information Security Update
IT, Information Security Services
Randy Moore
Nathan Gibson
Greg Bostic
IT, Information Security Services
Randy Moore
Nathan Gibson
Greg Bostic
![Page 2: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/2.jpg)
Security Project UpdateSecurity Project Update
– Active Directory Cleanup Project• “Cleaning the house” -- getting rid of old computer accounts
– Active Directory GPO project• Establishing a security baseline
– E-Policy Orchestrator Project• Mirroring ePO with AD • Centrally Managing• Using the tools we have available
– Active Directory Cleanup Project• “Cleaning the house” -- getting rid of old computer accounts
– Active Directory GPO project• Establishing a security baseline
– E-Policy Orchestrator Project• Mirroring ePO with AD • Centrally Managing• Using the tools we have available
![Page 3: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/3.jpg)
Active Directory CleanupActive Directory Cleanup
![Page 4: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/4.jpg)
PurposePurpose
• GPOs cannot be applied on the computers container
• ePO Sync would be inaccurate• Hard to manage with erroneous accounts present
• GPOs cannot be applied on the computers container
• ePO Sync would be inaccurate• Hard to manage with erroneous accounts present
![Page 5: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/5.jpg)
Current StatusCurrent Status
• 1200 inactive computer accounts disabled and moved into the disabled.comps OU
• Computer Accounts have been moved from the Computers container into the UnAssigned.Comps OU
• GPO w/ login script applied to UnAssigned.Comps OU
• 1200 inactive computer accounts disabled and moved into the disabled.comps OU
• Computer Accounts have been moved from the Computers container into the UnAssigned.Comps OU
• GPO w/ login script applied to UnAssigned.Comps OU
![Page 6: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/6.jpg)
New ProceduresNew Procedures
• All new computers should have account created prior to joining domain.
• Computer Account Lifecycle procedure– 30 days UnAssigned.Comp – Active
– 30 days disabled.comps – Inactive
– On the 60th day Computer Account deleted
• New Computer Checklist
• All new computers should have account created prior to joining domain.
• Computer Account Lifecycle procedure– 30 days UnAssigned.Comp – Active
– 30 days disabled.comps – Inactive
– On the 60th day Computer Account deleted
• New Computer Checklist
![Page 7: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/7.jpg)
Cleaning Your OUCleaning Your OU
• Weed out old Computer Accounts– Use Active Directory Users and Computers – Go to “View” in the MMC – Check “Advanced Features” – Go to “View” and choose “Add/Remove Columns” – In the left hand “Available columns” table choose
“Modified” and click “Add ->” – Hit OK
• Weed out old Computer Accounts– Use Active Directory Users and Computers – Go to “View” in the MMC – Check “Advanced Features” – Go to “View” and choose “Add/Remove Columns” – In the left hand “Available columns” table choose
“Modified” and click “Add ->” – Hit OK
![Page 8: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/8.jpg)
McAfee E-Policy Orchestrator Project(ePO)McAfee E-Policy Orchestrator Project(ePO)
![Page 9: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/9.jpg)
ePOePO
McAfee E Policy Orchestrator• Provides a way to centrally manage Anti Virus
protection on all managed devices• Syncs with Active Directory• Automatically installs/uninstalls AV• Automatic DAT updates• Customizable policies• Notification Capabilities• Report Generation
McAfee E Policy Orchestrator• Provides a way to centrally manage Anti Virus
protection on all managed devices• Syncs with Active Directory• Automatically installs/uninstalls AV• Automatic DAT updates• Customizable policies• Notification Capabilities• Report Generation
![Page 10: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/10.jpg)
TrainingTraining
Greg Bostic
2nd Annual Cyber Security Day
October 24, 2007
10:00 am
Greg Bostic
2nd Annual Cyber Security Day
October 24, 2007
10:00 am
![Page 11: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/11.jpg)
Cyber Security DayCyber Security Day
• Tier 1 Training• Business Manager Briefings• End User Briefings
• Tier 1 Training• Business Manager Briefings• End User Briefings
![Page 12: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/12.jpg)
Security Baseline Security Baseline
Active Directory GPO ProjectActive Directory GPO Project
![Page 13: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/13.jpg)
GPO ReviewGPO Review
• Group Policy Objects:1. Allows you to configure baseline settings to ensure all
resources have the same settings
2. Ease the administrative overhead in applying and modifying end user device and servers.
3. “One-Stop-Shop” for demonstrating policy compliance
• Group Policy Objects:1. Allows you to configure baseline settings to ensure all
resources have the same settings
2. Ease the administrative overhead in applying and modifying end user device and servers.
3. “One-Stop-Shop” for demonstrating policy compliance
![Page 14: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/14.jpg)
AD GPO ProjectAD GPO Project
• Round 2 SettingsSetting 1-
HSC-IT-Automatic Updates (Workstation Only)– Enable Windows Updates Power management to automatically wake up the system:
Enabled– 4- Auto Download and Schedule the Install– Schedule Install Day: 0-Everyday– Scheduled Install Time: 0300
Setting 2-
HSC-IT-No Display Last User Login– Interactive logon: do not display last user name: Enabled
• Round 2 SettingsSetting 1-
HSC-IT-Automatic Updates (Workstation Only)– Enable Windows Updates Power management to automatically wake up the system:
Enabled– 4- Auto Download and Schedule the Install– Schedule Install Day: 0-Everyday– Scheduled Install Time: 0300
Setting 2-
HSC-IT-No Display Last User Login– Interactive logon: do not display last user name: Enabled
![Page 15: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/15.jpg)
No Last User Name ImpactNo Last User Name Impact
![Page 16: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/16.jpg)
Screen Saver ImpactScreen Saver Impact
![Page 17: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/17.jpg)
House Cleaning HelpHouse Cleaning Help
• Standardize GPO naming scheme– Dept-XXXX– Delete Old GPOs– Combine GPOs If possible– Remove GPOs with settings applied at higher lever
• Standardize GPO naming scheme– Dept-XXXX– Delete Old GPOs– Combine GPOs If possible– Remove GPOs with settings applied at higher lever
![Page 18: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/18.jpg)
FUTURE GPO SettingsFUTURE GPO Settings
• Event Logging– Account Management: Success
– Account Logon/Logoff: Success/Failure
– Policy Change: Success
– System Events: Success/Failure
• Screen Saver– Hide Screen Saver Tab: Enabled
– Screen Saver: Enabled
– Password protect the Screen Saver: Enabled
– Screen Saver Timeout: 600(900?)
• Event Logging– Account Management: Success
– Account Logon/Logoff: Success/Failure
– Policy Change: Success
– System Events: Success/Failure
• Screen Saver– Hide Screen Saver Tab: Enabled
– Screen Saver: Enabled
– Password protect the Screen Saver: Enabled
– Screen Saver Timeout: 600(900?)
![Page 19: OUHSC Information Security Update](https://reader036.vdocuments.us/reader036/viewer/2022062720/56813328550346895d9a1544/html5/thumbnails/19.jpg)
Let’s TalkLet’s Talk
Questions & Concerns
???http://it.ouhsc.edu/services/infosecurity/Projects.asp