 
 

CalNetAD Security Subcommittee

April 9, 2002

Updated: 04/10/2002

 

Agenda

  1. What restrictions, if any, do we want for off-campus logons? Several options come to mind: none, block all off-campus IPs, require IPSEC, or allow SMB directly over TCP/IP (port 445) but block NetBIOS over TCP/IP (NBT, ports 137-139). The latter two options would exclude pre-Windows 2000 clients from logging in remotely, since only Windows 2000 and later support IPSEC natively and can speak SMB without NBT.

  2. What authentication methods do we want to allow, require, or block on the domain controllers: LM, NTLM, and/or NTLMv2?

  3. Do we want to push an authentication method out in a domain GPO for non-DC traffic, and update Windows 95 and later machines to match? LM, NTLM, and/or NTLMv2? (A domain GPO only reaches Windows 2000 and later clients; Windows 9x and NT machines would need the setting applied separately.)

  4. Do we want the DCs to support IPSEC: never, only when a peer requests it, or always (required)?

  5. Update on Eric's host-based IDS testing.

  6. Certificate Services

  7. Workstation templates

  8. Class on IIS Security

 

Notes

Attending: John Ives, Robert Lozano, Forrest Smalley, Mike Friedman, Karl Grose, Eric Chamberlain, Mike Blasingame, Michael Quan, Michael Logan

Restrictions for off-campus logons

The committee discussed restrictions for off-campus logons, including the use of VPN gateways by departments. More feedback from the current CalNetAD administrators is needed to determine their current infrastructure (Windows 95, 98, and NT machines) and their requirements for off-campus access.

Authentication Methods

There was general agreement that workstations should use NTLMv2 for authentication.
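The agenda item on pushing an authentication method out by GPO and the agreement above both come down to one registry value, LmCompatibilityLevel, which the "Network security: LAN Manager authentication level" policy setting writes. The following PowerShell script is an added example, not part of the minutes or any CalNetAD tooling: it reports a host's effective level, checks it against the agreed workstation setting (3, send NTLMv2 only), and can apply the value directly on machines a GPO does not reach. It assumes a Windows 2000 or later host; the function names and the default required level are this example's own choices.

```powershell
# Added example (not from the CalNetAD minutes): audit and optionally set the
# LAN Manager authentication level. Assumes Windows 2000 or later.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value
# (what the client sends / what a DC accepts).
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; DC refuses LM'
    5 = 'Send NTLMv2 only; DC refuses LM and NTLM (accepts NTLMv2 only)'
}

function Get-LmAuthLevel {
    # Returns the effective level. A missing value means the OS default applies:
    # 0 on Windows 2000/XP/2003 (the platforms in the minutes), 3 on Vista and later.
    $v = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) {
        $major = [Environment]::OSVersion.Version.Major
        $v = if ($major -ge 6) { 3 } else { 0 }
    }
    [int]$v
}

function Test-LmAuthLevel {
    param(
        # 3 = the agreed workstation setting (send NTLMv2 only);
        # 5 = the strictest DC setting (refuse LM and NTLM).
        [ValidateRange(0, 5)][int]$Required = 3,
        # Also require that LM hashes are no longer stored (NoLMHash, XP/2003 and later).
        [switch]$RequireNoLMHash
    )
    $level = Get-LmAuthLevel
    $noLm  = (Get-ItemProperty -Path $LsaKey -Name NoLMHash `
                -ErrorAction SilentlyContinue).NoLMHash
    $ok = $level -ge $Required
    if ($RequireNoLMHash -and $noLm -ne 1) { $ok = $false }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Level     = $level
        Meaning   = $LevelMeaning[$level]
        NoLMHash  = [bool]($noLm -eq 1)
        Compliant = $ok
    }
}

function Set-LmAuthLevel {
    param([ValidateRange(0, 5)][int]$Level = 3, [switch]$NoLMHash)
    # Same values the GPO writes; LSA picks up the new level after a reboot.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    if ($NoLMHash) {
        Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    }
}

# Usage: audit this host against the agreed workstation level.
Test-LmAuthLevel -Required 3 -RequireNoLMHash | Format-List
```

Two caveats for the older machines the committee is asking about: Windows 95/98 can only send NTLMv2 after the Directory Services Client is installed, and there the setting is the LMCompatibility value (3) under the same LSA key, not LmCompatibilityLevel; and raising the DCs to level 5 before every NT 4 and 9x client has been updated will lock those clients out, so the DC-side setting should be changed last.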

IPSEC

The committee agreed that IPSEC should be used to secure communications between DCs. It was suggested that network cards with IPSEC offload be used in the DCs to take the IPSEC overhead off the CPUs.
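The "never, when requested, always" question from the agenda corresponds to three different IPsec policies on a Windows DC. The script below is an added example, not part of the minutes: it builds a local policy that protects all traffic between this DC and one peer DC with ESP and authenticates the peers with certificates from a root CA, which is what the central Certificate Service discussed later would provide. It assumes Windows Server 2003 or later for the netsh ipsec static syntax (a Windows 2000 DC would use the IP Security Policy snap-in or ipsecpol.exe for the same policy); the peer address, CA name, and policy names are placeholders.

```powershell
# Added example (not from the CalNetAD minutes): local IPsec policy for
# DC-to-DC traffic. Assumes Windows Server 2003 or later (netsh ipsec static).
param(
    [string]$PeerDC = '10.0.0.2',               # assumption: the other DC's address
    [string]$RootCA = 'CN=CalNet Root CA',      # assumption: DN of the issuing CA
    # respond = accept IPsec only when the peer asks for it (default response rule)
    # request = initiate IPsec, but fall back to clear text if the peer cannot
    # require = initiate IPsec and drop anything that is not protected
    [ValidateSet('respond', 'request', 'require')]
    [string]$Mode = 'require'
)

$Policy  = 'DC-to-DC IPsec'
$Filters = 'DC-to-DC traffic'
$Action  = "DC-to-DC $Mode"

if ($Mode -eq 'respond') {
    # "When requested": no filters of our own, only the default response rule,
    # so this DC never initiates IPsec but negotiates when a peer does.
    netsh ipsec static add policy name="$Policy" description="Respond-only IPsec for DC peers" activatedefaultrule=yes
}
else {
    netsh ipsec static add policy name="$Policy" description="Protect replication, LDAP and RPC between DCs"

    # Filter list: every protocol, both directions, between this DC and its peer.
    netsh ipsec static add filterlist name="$Filters"
    netsh ipsec static add filter filterlist="$Filters" srcaddr=Me dstaddr=$PeerDC protocol=ANY mirrored=yes

    # Filter action: ESP with 3DES/SHA1. inpass/soft decide whether unprotected
    # traffic is tolerated, which is the difference between "request" and "always".
    if ($Mode -eq 'request') {
        netsh ipsec static add filteraction name="$Action" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=yes soft=yes
    }
    else {
        netsh ipsec static add filteraction name="$Action" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
    }

    # Rule: certificate authentication rather than Kerberos, because a DC
    # cannot depend on the peer DC (its KDC) being reachable before the SA exists.
    netsh ipsec static add rule name="Peer DC" policy="$Policy" filterlist="$Filters" filteraction="$Action" rootca="$RootCA"
}

# Only one local policy can be assigned at a time; assign this one and show it.
netsh ipsec static set policy name="$Policy" assign=y
netsh ipsec static show policy name="$Policy" level=verbose
```

Roll this out in "request" mode first: the DCs keep replicating while certificates are being issued, and the IPsec monitor shows which peers have negotiated security associations. Switch to "require" only after every DC pair shows an SA, because a "require" policy on one side and no policy on the other silently breaks replication rather than failing loudly. The default response rule used by "respond" mode exists on Windows XP and Server 2003 but was removed from Windows Vista and later.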

IDS Testing

Eric reported on his testing of host-based IDS software from Okena. The software is rule based (it models a host's behavior, rather than matching signatures), and it can generate rules and policies by observing a system. Okena's StormFront records the activity on the target machine: registry, COM, network, and application activity. At the end of the recording period, it analyzes the activity and generates reports and policies based on what it observed. It has a web interface for management, and the agents on the end hosts communicate back to the server to get rule updates. The pricing is very favorable until June.

Certificate Services

John started the discussion by describing Chemistry's needs for certificates: for VPN tunneling for an employee who needs to be able to work from home while on medical leave, and for some web server services the college will be offering. The CalNetAD team informed the Committee that money has been requested for servers to support a central Microsoft Certificate Service, which could be used for these purposes. The CalNetAD team will also be using the service for the Enterprise Admin smart cards and for the IPSEC traffic between DCs.

Workstation Templates

John is asking for volunteers to work with him to develop workstation security templates.

Class on IIS Security

John said he is close to having the materials ready for his class in IIS security. He hopes to have the material finished and a room scheduled by next month.

 