Managing CERN Desktops with Systems Management Server (SMS 2003)

Michel Christaller
Internet Services Group
Department of Information Technology
CERN
May 2005

Michel Christaller – CERN IT/IS
Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
Summary
• CERN infrastructure
- What is SMS?
- SMS History at CERN
- Server Architecture
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
What is SMS?
• Microsoft Systems Management Server
- software deployment
- software and hardware inventory
- software metering
- remote control
• Additional Features (SUS Feature Pack)
- Windows Security Updates Scan Tool
- Microsoft Office Security Updates Scan Tool
- Extended Security Tool (non-MBSA patches)
SMS Architecture
[Diagram: Site & Database Server; Management Points (clients ask "new package?" and report Inventory); Distribution Points (Desktop Clients run packages from the share; Remote Clients on VPN, GPRS or Dial-in download via BITS and run locally)]
SMS History at CERN
• SMS 2.0 used from 2001
• SMS 2003 deployed Summer 2004
• SMS 2003 SP1 deployed Autumn 2004
• More MPs needed due to patch deployments
- 3 MPs with NLB
• 10Gb database now
Server Infrastructure
• Native Windows 2003 Active Directory (3 DCs)
- Heavy use of Groups, Group Policies and startup scripts
• SMS infrastructure (Windows 2003, SMS 2003 SP1)
- 1 Site server, 3 Distribution Points, 3 Management Points
• Other servers (mostly Windows 2003 SP1)
- ~30 file servers
- ~180 servers total, 50Tb disk space (Mail, Web, Terminal servers, etc.)
• Web-based administration interface (http://cern.ch/win)
• ~6000 managed desktops
- 1/4 Windows 2000
- 3/4 Windows XP
Summary
• CERN infrastructure
• Managing assets
- Desktops installation
- Computer Management (web site)
- Hardware & Software inventory
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion
Desktop Installation
• DianeCD on WinPE
- Windows Pre-Installation Environment: stripped-down Windows
- Includes latest drivers -> no need for DOS network drivers
- Available on bootable CD
- Configures HCP only
- Copies model-dependent drivers to local disk
- Launches installation through network
- Allows LM hash authentication to be disabled (it was needed by the DOS network layer)
Computer Management
• User-oriented web-based administration
Hardware & Software inventory
• Inventory by SMS:
- Hardware
- Software (programs installed)
- Files
Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
- XP SP2 deployment
- .Net Framework deployment
• Deploying security patches with SMS
• Conclusion
XP SP2 deployment
• XP SP2 offers enhanced security
- Firewall, IE6 SP2
• 90% of XP SP1 computers upgraded to SP2
• Recurrent SMS Package
- Pops up a reminder to the user every day for one month
- Forced installation if user not responsive
- Launches the XPSP2.exe upgrade
- Distributed to XP SP1 computers, gradually by departments
• Coupled with Office XP upgrade to Office 2003
• Almost no incompatibilities seen (but for some engineering applications)
• Goal: Support only Windows XP SP2 / Office 2003 by end of year
.Net Framework deployment
• .Net Framework 1.1 needed to deploy next generation applications like the new CERN Newsreader
• SMS Package combining .Net Framework 1.1, SP1 and hotfix 886903
• Deployed on all XP SP2 computers
• 25 chances to install at will, then forced
• Program deployment with SMS often needs VB scripting to establish a user interface
Summary
• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
- Why patching?
- Patching Policy
- SUS Feature Pack
- Non-MS patches
- Reporting
• Conclusion
Why Patching?
• Exploits are often made public before patches
• Un-patched computers get viruses
• Which install backdoors
• Which come with key-loggers and root-kits
• Root-kits are really difficult to clean up or even detect
• And used for illegal activities (spamming, file exchange, DOS attack etc.)
• CERN severely affected by an unmanaged computer hacked in May 2004
Patching Policy
• How to maximize coverage and minimize reboots?
• Group patches by products
- System-related by OS version
- Other products: Messenger, Media Player, Acrobat, Putty etc.
• Deploy first as 'advertised' (installation not forced) for some time
- One package for latest patches, all OS versions
• Second deployment: forced installation and reboot
- One baseline package by OS version
• Recurrent every day on all computers missing patches
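The two-phase policy above (advertised first, then a forced baseline package per OS version, re-run daily on whatever still misses patches) as an added Python illustration; this is not CERN's SMS package or script. The baseline sets, the 14-day grace period and the fleet inventory are constructed, and only MS05-019 is an identifier taken from the slides.

```python
from dataclasses import dataclass, field

# Baseline = patches every computer of that OS version must carry.
# MS05-019 is the bulletin from the slides; the other IDs are constructed placeholders.
BASELINE = {
    "Windows 2000": {"MS05-019", "PATCH-B"},
    "Windows XP":   {"MS05-019", "PATCH-B", "PATCH-C"},
}
ADVERTISED_DAYS = 14  # constructed: length of the non-forced ('advertised') phase

@dataclass
class Computer:
    name: str
    os: str
    installed: set = field(default_factory=set)  # patch IDs reported by inventory

def missing_patches(pc: Computer) -> set:
    """Baseline patches for the computer's OS that inventory does not report."""
    return BASELINE.get(pc.os, set()) - pc.installed

def phase(day: int) -> str:
    """day = days since the package was first advertised.
    'advertised' (user may install at will) until the grace period ends,
    then 'forced' (installation plus reboot)."""
    return "advertised" if day < ADVERTISED_DAYS else "forced"

def daily_targets(fleet, day: int) -> dict:
    """One recurrent daily run: only computers still missing something are
    targeted, grouped by OS because the forced baseline package is per OS."""
    targets = {}
    for pc in fleet:
        gap = missing_patches(pc)
        if gap:
            targets.setdefault(pc.os, []).append((pc.name, sorted(gap), phase(day)))
    return targets

# Constructed sample inventory.
FLEET = [
    Computer("pcit01", "Windows XP", {"MS05-019", "PATCH-B", "PATCH-C"}),
    Computer("pcit02", "Windows XP", {"MS05-019"}),
    Computer("pcad03", "Windows 2000", {"PATCH-B"}),
    Computer("pcad04", "Windows 2000"),
]

if __name__ == "__main__":
    for day in (0, ADVERTISED_DAYS):
        print(f"day {day}:", daily_targets(FLEET, day))
```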
SUS Feature Pack
• Based on MBSA detection tool
- Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC
- MS Office patches with Office Updates
• Uses a mssecure.xml file
• Wrapper patchinstall provides for user interface
SUS Feature Pack
[Diagram: Microsoft Download Center <-> SMS 2003 Site Server. The Sync Tool sends MSSecure.xml update requests and receives MSSecure.xml plus Patches, QFEs and SPs; the Scan Tool reports through Hardware Inventory; the site server issues Advertisements and collects Installation Status]
Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)
Products not detected by MBSA
• Extended Security Tool
- Workaround to deploy some MS product patches
• Windows Messenger & MSN Messenger
• Media Player
• .Net Framework
- Similar to SUSFP (XML file and patchinstall wrapper)
- Will be merged to SUSFP in the future
• Non-MS products
- Make a VB script for User Interface, deployment based on inventory (file versions / programs installed)
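The inventory-based targeting the last bullet describes, as an added Python example that is not CERN's VB script: file versions reported by inventory are compared numerically against a required minimum, and computers without the file are left out because there is nothing to patch. Product names, file names, version numbers and inventory rows are constructed.

```python
from typing import Optional

# Minimum file version a computer must carry to count as patched.
# Constructed values: not real release numbers of these products.
REQUIRED = {
    "Putty":   ("putty.exe",    "0.58"),
    "Acrobat": ("AcroRd32.exe", "7.0.10"),
}

def parse_version(v: str) -> tuple:
    """'7.0.10' -> (7, 0, 10). Numeric tuples compare correctly, unlike strings:
    '7.0.9' > '7.0.10' lexicographically but (7, 0, 9) < (7, 0, 10)."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())  # '58b' -> 58
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:  # (7, 0, 10, 0) == (7, 0, 10)
        parts.pop()
    return tuple(parts)

def needs_patch(product: str, file_version: Optional[str]) -> bool:
    """None = file absent from inventory: product not installed, nothing to deploy."""
    if file_version is None:
        return False
    return parse_version(file_version) < parse_version(REQUIRED[product][1])

def build_collection(product: str, inventory: dict) -> list:
    """Computers whose inventoried file version is below the requirement."""
    exe = REQUIRED[product][0]
    return sorted(name for name, files in inventory.items()
                  if needs_patch(product, files.get(exe)))

# Constructed inventory: computer -> {file name: file version}
INVENTORY = {
    "pc1": {"putty.exe": "0.57", "AcroRd32.exe": "7.0.10"},
    "pc2": {"putty.exe": "0.58.0.0"},
    "pc3": {"AcroRd32.exe": "7.0.9"},
    "pc4": {"AcroRd32.exe": "7.0.10.0"},
}

if __name__ == "__main__":
    for product in REQUIRED:
        print(product, "->", build_collection(product, INVENTORY))
```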
Reports on security updates
[Chart: Patch Deployment of MS05-019; x-axis Date (Apr-13 to Apr-28), y-axis Computers (0 to 6000); series: Installed, Total; annotations: "Patch advertised to all CERN computers", "Forced deployment started"]
Deployment Status of MS05-019
• Graph from SMS patch status data
• Patch published by Microsoft on 12th of May
Conclusion
• Reaching 100% coverage is a dream
- Always a computer without disk space, broken files etc.
• SMS 2003 makes infrastructure much better managed
- Hardware & software inventory
- Pushed software installations (GP 'Assign to computer' was running only at startup)
- Patch deployment and status
• Drawbacks
- Heavy inventory phases, annoying for slow computers
- Packaging steps may be necessary: deployment of non-MS products often requires VB scripting
Questions?
• Visit us: http://cern.ch/win