OUHSC Information Security Update
IT, Information Security Services
Randy Moore
Nathan Gibson
Greg Bostic
Security Project Update
– Active Directory Cleanup Project
• “Cleaning the house” -- getting rid of old computer accounts
– Active Directory GPO project
• Establishing a security baseline
– E-Policy Orchestrator Project
• Mirroring ePO with AD
• Centrally Managing
• Using the tools we have available
Active Directory Cleanup
Purpose
• GPOs cannot be applied on the computers container
• ePO Sync would be inaccurate
• Hard to manage with erroneous accounts present
Current Status
• 1200 inactive computer accounts disabled and moved into the disabled.comps OU
• Computer Accounts have been moved from the Computers container into the UnAssigned.Comps OU
• GPO w/ login script applied to UnAssigned.Comps OU
New Procedures
• All new computers should have an account created prior to joining the domain.
• Computer Account Lifecycle procedure
– 30 days UnAssigned.Comps – Active
– 30 days disabled.comps – Inactive
– On the 60th day Computer Account deleted
• New Computer Checklist
Cleaning Your OU
• Weed out old Computer Accounts
– Use Active Directory Users and Computers
– Go to “View” in the MMC
– Check “Advanced Features”
– Go to “View” and choose “Add/Remove Columns”
– In the left hand “Available columns” table choose “Modified” and click “Add ->”
– Hit OK
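The same "Modified" review can be produced as a report. The PowerShell below is an added example, not part of the original presentation: it assumes the ActiveDirectory module is installed, uses a placeholder domain DN (DC=example,DC=edu), borrows the 30-day figure from the lifecycle procedure as its review threshold, and the function name Get-ComputerAccountAge is hypothetical.

```powershell
# Added example: report-only, it changes nothing in the directory.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ComputerAccountAge {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $ReviewAfterDays = 30   # assumption: matches the 30-day lifecycle stage
    )
    $now = Get-Date
    # whenChanged is the attribute behind the "Modified" column in
    # Active Directory Users and Computers. It is stamped by the domain
    # controller answering the query and moves on any attribute change,
    # so treat an old value as a prompt for review, not as proof.
    Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope OneLevel `
                   -Properties whenChanged, whenCreated, OperatingSystem |
        ForEach-Object {
            $age = [int][math]::Floor(($now - $_.whenChanged).TotalDays)
            [pscustomobject]@{
                Name            = $_.Name
                Enabled         = $_.Enabled
                OperatingSystem = $_.OperatingSystem
                Created         = $_.whenCreated
                Modified        = $_.whenChanged
                DaysSinceChange = $age
                ReviewCandidate = ($age -ge $ReviewAfterDays)
            }
        } |
        Sort-Object Modified   # oldest first, as when sorting the column in the MMC
}

# Placeholder DN: substitute the distinguished name of your own OU.
$ou = 'OU=UnAssigned.Comps,DC=example,DC=edu'
$report = Get-ComputerAccountAge -SearchBase $ou -ReviewAfterDays 30

# On-screen view equivalent to the MMC column, plus a CSV of the
# accounts that have not changed within the threshold.
$report | Format-Table Name, Enabled, Modified, DaysSinceChange, ReviewCandidate -AutoSize
$report | Where-Object ReviewCandidate |
    Export-Csv -Path .\review-candidates.csv -NoTypeInformation
```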
McAfee E-Policy Orchestrator Project (ePO)
ePO
McAfee E Policy Orchestrator
• Provides a way to centrally manage Anti Virus protection on all managed devices
• Syncs with Active Directory
• Automatically installs/uninstalls AV
• Automatic DAT updates
• Customizable policies
• Notification Capabilities
• Report Generation
Training
Greg Bostic
2nd Annual Cyber Security Day
October 24, 2007
10:00 am
Cyber Security Day
• Tier 1 Training
• Business Manager Briefings
• End User Briefings
Security Baseline
Active Directory GPO Project
GPO Review
• Group Policy Objects:
1. Allow you to configure baseline settings to ensure all resources have the same settings
2. Ease the administrative overhead of applying and modifying settings on end-user devices and servers
3. “One-Stop-Shop” for demonstrating policy compliance
AD GPO Project
• Round 2 Settings
Setting 1 - HSC-IT-Automatic Updates (Workstation Only)
– Enable Windows Updates Power management to automatically wake up the system: Enabled
– 4 - Auto Download and Schedule the Install
– Schedule Install Day: 0 - Everyday
– Scheduled Install Time: 0300
Setting 2 - HSC-IT-No Display Last User Login
– Interactive logon: do not display last user name: Enabled
No Last User Name Impact
Screen Saver Impact
House Cleaning Help
• Standardize GPO naming scheme
– Dept-XXXX
– Delete Old GPOs
– Combine GPOs if possible
– Remove GPOs with settings applied at higher level
FUTURE GPO Settings
• Event Logging
– Account Management: Success
– Account Logon/Logoff: Success/Failure
– Policy Change: Success
– System Events: Success/Failure
• Screen Saver
– Hide Screen Saver Tab: Enabled
– Screen Saver: Enabled
– Password protect the Screen Saver: Enabled
– Screen Saver Timeout: 600(900?)
Let’s Talk
Questions & Concerns ???
http://it.ouhsc.edu/services/infosecurity/Projects.asp