CalNetAD Security Subcommittee
December 4, 2002
Updated: 12/04/2002
Agenda
Notes

Attending: John Ives, Karl Grose, Mike Friedman, Ryan Means, Michael Quan, Forrest Smalley, Ken Tanaka, Kevin Burney, Eric Chamberlain, Mike Blasingame

Okena Intrusion Detection status
Eric reported that IST-CCS has purchased and installed Okena licenses for CCS-managed workstations and servers, including the CalNetAD Domain Controllers. The Okena software can be run in two modes: 1) logging and 2) blocking. It is currently in logging mode so that the access information it captures can be used to develop the policies the software will enforce once blocking mode is turned on.

CalNetAD Certificate Server status
Eric reported on his progress in implementing certificate services in the CalNetAD test environment. The implementation is based on VMware virtual machines. The root CA virtual machine is kept on a DVD, which is stored in a safe in a secure location. John expressed concern about the use of virtual machines, noting that if the host machine itself is compromised, all of the virtual machines could be accessible. Budgetary constraints do not allow for individual boxes for each of the CAs, so methods to protect the host machine (e.g., use of a firewall) will be explored. This test CA implementation will be used to explore the issuance and management of the various types of certificates and to identify areas where policies will be required. Various subcommittee members expressed interest in being able to use certificates for IIS servers, IPSEC encryption, and code signing.

CalNetAD Member Server Security Template
Eric announced the development of a security template for CalNetAD member servers. It has been posted on the web at: http://calnetad.berkeley.edu/documentation/technical/configuration_files/ucb_server/

SANS Securing Windows 2000 document
SNS has made the SANS Windows 2000 security consensus guide (v1.5) available to campus members. John informed the committee that version 2 of the consensus guide should be out by this summer.
Logon script for MIT Kerberos ticket cache?
Karl described the effort underway to transition CalAgenda to the new Oracle-based architecture. The Oracle Agenda client could make use of the MIT Kerberos ticket cache. He asked the subcommittee whether there was any interest in developing a GPO that would copy the Windows ticket cache to the MIT cache. The subcommittee agreed that this would be an interesting project to bring before the Planning Committee.

Windows Update GPO
Eric asked the subcommittee whether there was any interest in a GPO to implement the Windows Update feature for workstations. The subcommittee agreed that this would be an interesting project to bring before the Planning Committee.

Domain Controller Firewalls
John asked whether any consideration had been given to putting the CalNetAD DCs behind a firewall. Eric responded that there have been discussions about placing the DCs behind a firewall being implemented by IST-CCS-ACS. The firewall will have redundancy and fail-over capabilities and will be ready by mid to late January.

Personal Firewalls
Karl reported on the WSS investigation of Symantec's personal firewall software. The software would be available to workstations for $6.00 per workstation. WSS has been working on software deployment issues. Karl asked anyone interested in participating in the testing of the deployment software to send him email.

Windows .NET Server 2003
John asked what the CalNetAD plans were for implementing Microsoft's .NET Server 2003. Eric responded that the plan is to install RC2 in the test environment and begin to monitor it. Mike asked whether anyone had a deadline by which they needed .NET Server 2003 installed. If there is no deadline, CalNetAD plans to test and monitor .NET Server 2003 in the test environment and implement it in production when Service Pack 1 is released. This could work out to be in the December 2003 or Summer 2004 time frame. Standalone and member servers could upgrade sooner.