 
 

CalNetAD Security Subcommittee

January 15, 2002

Updated: 01/29/2002

 

Agenda

  1. Site Group Policy Objects (GPOs)

  2. Certificate Services

  3. Encrypted Files Services (EFS)

 

Notes

Attending: John Ives, Ryan Means, Robert Lozano, Forrest Smalley, Ken Tanaka, Mike Friedman, Karl Grose, Eric Chamberlain, Mike Blasingame, Angela Pardo, Burke Bundy, Michael Quan

Site Group Policy Objects (GPOs)

Eric discussed the proposed list of Group Policy Objects he has compiled. He used the NSA guidelines as the basis for the GPOs. His goal is to have as few GPOs as possible in order to minimize impact on logins. The documentation for the GPOs and the security templates are on the CalNetAD web site.

Some of the more significant GPOs that have been implemented are:

  • NTLMv2 and Kerberos authentication (not NTLM)
  • Auto log file
  • Clear page file
  • Require ctrl-alt-delete for logon
  • Turning off the fax service
  • Turning off the telnet service
  • Turning off IIS

The subcommittee recommended that pre-generated GPO templates for OUs be created. It also recommended that documentation of known problems be developed for OU administrators.

Certificate Services

There was a general discussion of Certificates. Certificates are needed for:

  • DNS updates
  • Authorization for access from home
  • Local Projects (Chemistry)
  • Encrypted File Services (EFS)

The status of the UCOP certificate effort is unclear. The Police Department is looking into smart card technology. It was agreed that Active Directory could serve as a test bed for certificate use and management.

Encrypted Files Services (EFS)

Until certificate issues can be worked out, EFS will be disabled with the override option.

When EFS is implemented, the local OU administrator as well as the Enterprise Administrator will serve as recovery agents.

 