CalNetAD Planning Committee

December 10, 2002

Room 60, Barrows Hall, 10-12 PM

Updated: 12/13/2002

 

Agenda

 

  1. CalNet Directory integration status

  2. Macintosh integration

  3. Certificate Server status

  4. Member server security template

  5. SANS - Securing Windows 2000

  6. Okena Intrusion Detection status

  7. Logon script for MIT Kerberos ticket cache

  8. Windows Update GPO

  9. Winter Holiday coverage 2002-2003

  10. Other Business

 

Notes

CalNet Directory integration status

The integration process between CalNet and Active Directory has been running for some time now. The only problem to appear has been some non-ASCII characters that have been entered into some accounts, but steps to remedy this problem on the CalNet side will be taken. The integration process is undergoing internal improvements to add some administrative features. IBM has acquired the Metamerge product but has continued to license the product to universities for free.

Macintosh integration

The Workstation & Microcomputer Facilities is currently testing the process of integrating the Macintosh OS X operating system with the campus CalNet AD. Due to the requirement of having a home directory for users, we needed the flexibility of specifying this path on each computer.

Doing this with Active Directory would have required the attribute to be the same for every single user on campus, which was not feasible. Our solution has been to use iPlanet, where we could specify a specific attribute for just this purpose. This allows us to use a specific directory on our computers without affecting other users on the campus. This may not be necessary for other campus units that use their own servers to designate the home directory.

Even though we still have more testing to do, the results have been very positive thus far.

Certificate Server Status

The PKI layout is available. The test infrastructure is in place in the VMware test environment. The production environment should be in place before the end of the month. The PKI environment is still in the early planning stages. At this point, it is being implemented for the Smartcard project. Future uses could include: IPSEC, code signing, signing e-mail, encryption, user authentication, machine authentication, and intra-campus SSL server certificates.

Member server security template

The UCB Member Server security template is similar to the Domain Controller security template, without the Domain Controller specific components. It is available on the website.

SANS - Securing Windows 2000

SNS (System and Network Security), the central IT security unit on campus reporting directly to CIO Jack McCredie, has purchased an annual site license for the highly praised SANS Consensus Guides.

These security guides are created by computer security professionals sharing techniques they have found to be effective, integrating the techniques into step-by-step plans and then subjecting the plans, in detail, to the close scrutiny of other experts.

The process continues until consensus is reached, hence the name SANS Consensus Guides.

Currently there are seven guides: Solaris Security, Securing Linux Part 1, Securing Linux Part 2, Windows NT Security, Securing Windows 2000, Incident Handling, and Disaster Recovery.

These guides exist in PDF format and can be found at:

http://sec-info.berkeley.edu/cgi-bin/consensus-login.pl

A new version of the Securing Windows 2000 Consensus Guide should be available this summer.

Okena Intrusion Detection status

Okena is installed on all the test and production CalNetAD servers, in IDS (test) mode. This mode logs traffic without blocking anything. With the new certificate servers, more testing of settings is needed. The current timeline is to begin blocking traffic to the production domain controllers in another month or two.

Logon script for MIT Kerberos ticket cache

A proposal was made and generally approved to investigate and implement a mechanism (for example, a GPO or a logon script element), to be made available for general domain use, that makes the Kerberos TGT stored in the Microsoft Kerberos cache available to applications that need tickets in the MIT ticket cache. One such application would be the pending future version of the CalAgenda client software, extending true single sign-on to the campus calendaring system.

Windows Update GPO

A proposal was made and generally approved to develop and implement a GPO template for OU administrators that would set the Automatic Windows Update settings. There was also interest for a centralized Windows Update server on campus, to reduce traffic to and from the Microsoft Windows Update sites.

Winter Holiday coverage 2002-2003

CalNetAD will be up, but system support will be reduced from 5:00 PM, Monday, December 23 through 8:00 AM, Thursday, December 26, and from 5:00 PM, Monday, December 30 through 8:00 AM, Thursday, January 2. CalNetAD will be monitored for security; however, if other system problems develop during hours of reduced support, they will not be fixed until normal operations resume.

To report a system problem, please call the Trouble Desk (642-4920).

Other Business

.NET Server 2003 - CalNetAD plans are to install RC2 in the test environment and begin to monitor it. .NET Server 2003 would be put into production when Service Pack 1 is released. This could work out to be the Summer 2004 time frame. Standalone and member servers could upgrade sooner. The Committee was asked if anyone anticipated having a need to upgrade to .NET Server 2003 before the Summer 2004 time frame. No indication was given.

Blocking NETBIOS Traffic - A discussion arose in response to a question about blocking NETBIOS traffic at the campus border. Blocking such traffic would make remote access to campus resources an issue. Mike Sinatra indicated that it needs to be addressed through the development of a campus policy.
