TRANSCRIPT
PC MANAGER MEETING
January 23, 2008
Agenda
Next Meeting
Training
Windows Policy
Main Topic: Windows AV Service Review
Next Meeting
Feb 20th
Week Early! Andy Rader – Talk on networking diagnostic tools
Training
Office 2007 classes?
Pidgin classes
Windows Policy
Exemption Requests
Reviewing Captive and Service account definitions. Moving to new forms software
Beta Service Packs/OSes and the Fermi Domain: No! Naada! Bad System Admin!
https://plone4.fnal.gov/P1/WinPol/policies/Approved-os/
Main Topic
Windows AV Service Review
Why The Review?
Baseline Requirements
Current Implementation
Open Discussion regarding service
Why The Review?
AV Service has been available for over 1 year in present state
AV Baseline states: "All systems connected to the Fermilab network must follow the appropriate FNAL operating system or application baseline requirements for Anti Virus services."
…updating OSX and Linux baselines…
Baseline Requirements
Major Application: the service must be defined in a Moderate level Major Application
Support:
99.9% uptime for both server hardware and software
Contingency plan outlining client maintenance for extended outages
24x7 emergency signature update push and manual scans
Baseline Requirements
Server Updates: signature/threat updates and program updates from Service Provider, minimum 4 times per day
Logging Information: clients and server must retain logging and history data for 30 days
AV Service must interface with the Fermi Enterprise Management System
AV System must participate in central logging, alert and notification systems
Baseline Requirements
FNAL Managed Client Settings:
Signature and program updates: check FNAL AV Service or Service Provider minimum 2 times per day
If FNAL Service is unavailable or client cannot access FNAL network, client must automatically check Service Provider
Clients must be configured for a full scan weekly. Cancelled or failed scans must be logged to the central AV Service.
Scans should check for spyware and adware
The software should attempt to clean the infection, then quarantine it
Baseline Requirements
Real time protection must be enabled, but exclusions may be defined for special cases
Alerts must be generated to the local client and to the AV service
Clients must report virus scanning activity and alerts to the central AV service in real time.
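The client-side baseline above boils down to a handful of checkable facts per machine: how recently the client checked for updates, whether it fell back to the vendor when the FNAL service was unreachable, when the last weekly full scan ran, whether a cancelled or failed scan was reported centrally, whether real-time protection is on, and how long logs are kept. The following script, added here as an illustration and not Fermilab's own code, audits a list of client status records against those thresholds. The ClientStatus record layout, the field names, the evaluation time and the three sample records are constructed for the example; the thresholds are taken from the baseline text.

```python
"""Audit AV client status records against the FNAL AV client baseline.

Added example for this page, not Fermilab's code. The ClientStatus layout,
the evaluation time and the sample records are assumptions made for
illustration; the thresholds come from the baseline requirements.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

NOW = datetime(2008, 1, 23, 9, 0)          # assumed evaluation time

# Thresholds derived from the baseline requirements.
MAX_UPDATE_GAP = timedelta(hours=12)       # "minimum 2 times per day"
MAX_SCAN_GAP = timedelta(days=7)           # "full scan weekly"
MIN_LOG_RETENTION_DAYS = 30                # "retain logging ... for 30 days"


@dataclass
class ClientStatus:
    name: str
    last_update_check: datetime
    update_source: str          # "FNAL" (central service) or "Provider" (vendor)
    fnal_reachable: bool        # could the client reach the FNAL AV service?
    last_full_scan: datetime
    last_scan_result: str       # "completed", "cancelled" or "failed"
    scan_result_reported: bool  # was the result sent to the central AV service?
    realtime_enabled: bool
    log_retention_days: int


def check_client(c: ClientStatus) -> List[str]:
    """Return the baseline violations for one client (empty list if compliant)."""
    findings = []
    if NOW - c.last_update_check > MAX_UPDATE_GAP:
        findings.append("signature/program update check older than 12 hours")
    if not c.fnal_reachable and c.update_source != "Provider":
        findings.append("FNAL service unreachable but client did not fall back to Service Provider")
    if NOW - c.last_full_scan > MAX_SCAN_GAP:
        findings.append("no full scan in the last 7 days")
    if c.last_scan_result in ("cancelled", "failed") and not c.scan_result_reported:
        findings.append(f"{c.last_scan_result} scan was not logged to the central AV service")
    if not c.realtime_enabled:
        findings.append("real-time protection disabled")
    if c.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(f"log retention of {c.log_retention_days} days is below 30")
    return findings


def audit(clients: List[ClientStatus]) -> Dict[str, List[str]]:
    """Map each client name to its list of violations."""
    return {c.name: check_client(c) for c in clients}


# Constructed sample records: a compliant desktop, an off-network laptop that
# never fell back to the vendor, and a desktop with several violations.
SAMPLE = [
    ClientStatus("cd-desk-01", NOW - timedelta(hours=3), "FNAL", True,
                 NOW - timedelta(days=2), "completed", True, True, 30),
    ClientStatus("cd-laptop-07", NOW - timedelta(hours=20), "FNAL", False,
                 NOW - timedelta(days=3), "completed", True, True, 30),
    ClientStatus("cd-desk-09", NOW - timedelta(hours=3), "FNAL", True,
                 NOW - timedelta(days=9), "cancelled", False, False, 7),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In practice the records would be pulled from the central report server rather than constructed by hand; the point is that each baseline clause maps to one concrete test, so an exemption request can be argued per clause rather than for the service as a whole.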
Current Implementation
Ken Fidler
Antivirus – Central Facility
To support the majority of the Lab we have a Windows Cluster to run the Central AV infrastructure
A Central AV report server with a SQL database is also used to consolidate data from Beams and our servers
Custom code was created to enhance the central reports and alerting
(Cluster name: PRT-AV-CLUST)
Antivirus – Alert Flow
(Diagram; components as labelled: Client, Central AV Server, CLOGGER, Cd-sav-rpt, \\prt-av-clust\av_logs, Listserv, E-mail Alerts, SQL, Virus Definitions)
Antivirus - Interfaces
Various tools/interfaces are available to Desktop Admins:
System Center Console
Central AV Report Server
Client Logs
E-mail Alerts
Activity logs
Antivirus – Central Console
Central Report Server
Antivirus – Mail Lists
---- Warning -------
' A VIRUS was reported to our Central anti-virus facility. '
' Alert: Risk Repaired
  Computer: Bobs-pc
  Date: 1/20/2008
  Time: 1:53:50 PM
  Severity: Warning
  Source: "C:\users\bob\mydocs\Diablo II\diablo2noCD108all\DLoad.exe"
  User: bob-admin
  Action Taken: "Leave Alone"
  Virus that was found: "Backdoor.Graybird" '
Antivirus – Mail Lists
Allows us to target key desktop support groups for their supported systems
Each major group has an assigned mail list AV-ALERT-xx
All alerts go to the master list AV-ALERT-ALL
Mail lists are archived
Mail lists can be configured for Digest
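The alert mail shown above is a flat "Label: value" record, and the mail-list scheme sends each one to the owning group's AV-ALERT-xx list plus AV-ALERT-ALL. The script below, added here as an illustration and not the Lab's CLOGGER or Listserv tooling, parses a message in that format, recovers the event time, picks the destination lists, and flags alerts whose "Action Taken" shows the file was neither cleaned nor quarantined (the baseline says clean, then quarantine). The SUPPORT_GROUP inventory and the set of actions that need follow-up are assumptions; the sample message is constructed from the format on the page.

```python
"""Parse an AV-ALERT mail body and decide where it goes.

Added example for this page, not Fermilab's alert code. SUPPORT_GROUP
(computer name -> desktop support group) and NEEDS_FOLLOWUP are assumed;
the sample message is constructed from the alert format shown above.
"""
from datetime import datetime
from typing import Dict, List

# Field labels in the order they appear in the alert text.
FIELDS = ["Alert", "Computer", "Date", "Time", "Severity", "Source", "User",
          "Action Taken", "Virus that was found"]

# Assumed inventory: which desktop support group owns which computer.
SUPPORT_GROUP = {"bobs-pc": "CD"}

# Assumed: actions meaning the detected file was neither cleaned nor quarantined.
NEEDS_FOLLOWUP = {"Leave Alone"}

# Constructed sample in the format of the alert above (raw string: the path
# contains backslashes).
SAMPLE_ALERT = r"""---- Warning -------
' A VIRUS was reported to our Central anti-virus facility. '
' Alert: Risk Repaired Computer: Bobs-pc Date: 1/20/2008 Time: 1:53:50 PM Severity: Warning Source: "C:\users\bob\mydocs\Diablo II\diablo2noCD108all\DLoad.exe" User: bob-admin Action Taken: "Leave Alone" Virus that was found: "Backdoor.Graybird" '
"""


def parse_alert(body: str) -> Dict[str, str]:
    """Split the 'Label: value Label: value ...' record into a dict."""
    # Join the lines and drop the ' ... ' framing around each line.
    flat = " ".join(ln.strip().strip("'").strip() for ln in body.splitlines())
    # Each label occurs once; cut the text at every 'Label:' position.
    marks = sorted((flat.index(f + ":"), f) for f in FIELDS)
    rec = {}
    for i, (pos, label) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(flat)
        value = flat[pos + len(label) + 1:end].strip()
        rec[label] = value.strip('"\u201c\u201d')   # straight or curly quotes
    return rec


def alert_time(rec: Dict[str, str]) -> datetime:
    """Combine the Date and Time fields (US format, 12-hour clock)."""
    return datetime.strptime(f"{rec['Date']} {rec['Time']}", "%m/%d/%Y %I:%M:%S %p")


def route(rec: Dict[str, str]) -> List[str]:
    """Mail lists for this alert: the owning group's list (if known) plus ALL."""
    group = SUPPORT_GROUP.get(rec["Computer"].lower())
    lists = [f"AV-ALERT-{group}"] if group else []
    return lists + ["AV-ALERT-ALL"]


def needs_followup(rec: Dict[str, str]) -> bool:
    """True when the client left the file in place instead of cleaning/quarantining."""
    return rec["Action Taken"] in NEEDS_FOLLOWUP


if __name__ == "__main__":
    rec = parse_alert(SAMPLE_ALERT)
    print(alert_time(rec).isoformat(), rec["Computer"], rec["Virus that was found"])
    print("lists:", ", ".join(route(rec)))
    print("follow-up needed:", needs_followup(rec))
```

Splitting on label positions rather than on whitespace is deliberate: the Source path contains spaces ("Diablo II"), so a token-based parser would mangle it. A computer missing from the inventory still reaches AV-ALERT-ALL, which matches the stated design of a master list that receives everything.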
Antivirus - Log files
Antivirus - Logs
Antivirus - History
CD has been using Symantec (formerly Norton) AV software since 1998
Initially AV software was only on servers
Besides itself, CD also supported Directorate, CDF, ESH, FESS, and LSS (now WDRS)
Individual Dept servers were the AV Parent Servers
Antivirus – SAV version 10
Symantec announces version 10 in Spring 2005
Version 10 had built-in features to report and centralize services
CD began plans to build a centralized AV system
CD worked with CST on our configuration (many DOE audits underway)
Antivirus – Upgrade to Ver. 10
Summer 2005 - Setup new central cluster
Fall 2005 - Created central log files and alert system to accommodate various desktop support groups
Early 2006 - Migrated CD, Directorate, ESH, FESS, LSS (now WDRS)
March 2006 - Symantec announces 10.1 (Central Report Server)
Antivirus – SAV 10.1
Summer 2006 – Began migration to 10.1 and migrated PPD, TD, and Dzero to our central facility
Summer 2006 – Began testing Report Server
Fall 2006 – Migration complete
Early 2007 – Production Report Server activated, with Beams AV connected in
Late 2007 – Symantec announces version 11
Antivirus – Documentation
AV Baseline: cd-doc-1460
Major Application:
AV Risk Assessment: cd-doc-1529
AV Contingency Plan: cd-doc-1531
AV Security Plan: cd-doc-1530
Central AV Website: http://www-css.fnal.gov/csi/win-av/
Open Discussion
Some Thoughts
Apply policies based on Active Directory structure
Delegation of console interface
Small footprint
One package/console for all supported OS
Likes? Dislikes? Suggestions?