windows terminal server & citrix metaframe
DESCRIPTION
Windows Terminal Server & Citrix MetaFrame. Stanford Linear Accelerator Center NT Support Group www.slac.stanford.edu/comp/winnt Gregg Daly [email protected] Supported by U.S. D.O.E. contract DE-AC03-76SF005515. General Information. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/1.jpg)
Windows Terminal Server& Citrix MetaFrame
Stanford Linear Accelerator Center
NT Support Group
www.slac.stanford.edu/comp/winnt
Gregg Daly [email protected]
Supported by U.S. D.O.E. contractDE-AC03-76SF005515
![Page 2: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/2.jpg)
General Information • Stanford University operated - U.S.D.O.E
funded unclassifiedunclassified research center
• Heterogeneous computing environment supporting high-energy physics research
• 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems
• Exponential growth at the facility
![Page 3: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/3.jpg)
Responding to ‘98 Security Incident
•Hackers compromised 25 systems and 50 user accounts
•Perform data & service analysis on areas of the network
•Decision to safeguard critical HR and Financial Data on PeopleSoft and Oracle
•Safeguard personnel data in Human Resource database
•Safeguard purchasing and budget data in Financial database
![Page 4: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/4.jpg)
Options to securing data
• Corporate type lock down including limiting access to and from the Internet and other research facilities
•Two physical networks - one SLAC only & other Internet accessible
•Moving the data (but not the people) into a highly secured zone. Use encrypted access and extensive monitoring
![Page 5: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/5.jpg)
Business Services Network• Created a highly secure “machine/data only” network
• Created a user/workstation network to access the secure network
•Secure all aspects of data access
•Secured workstations
•Encrypted application access via Citrix’s Secure ICA
•Encrypted host connections via Secure Shell (3DES/Blowfish)
•Two Phase authentication process for secure domain login
![Page 6: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/6.jpg)
PeopleSoft WTS-MetaFrame Farm
Secure BSDnetSecure BSDnet
Oracle
Data
Data Data
Data
MetaFrame Farm
MS Windows Terminal ServerCitrix MetaFrameMetaFrame Load BalanceSecure ICA
Business Services DivisionBSD Domain
Workstation
Workstation
Workstation
Workstation
Workstation
Workstation
InterneInternet
SLACSLAC
BSDnetBSDnet
Connection: Secure ICA(future 2-factor authentication)
MS Windows Terminal ServerCitrix MetaFrame
MetaFrame Load BalanceSecure ICAPeopleSoft
![Page 7: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/7.jpg)
Secure Business System
Business Services DivisionBSD Domain
M etaFram e Load Balance
Sun 450O racle
Data
Data Data
DataMetaFrame Farm
M etaFram e Load Balance
W orkstation
W orkstation
W orkstation
W orkstation
W orkstation
Internet
SLAC
Business Services DivisionExtremely Private Network
W orkstation
![Page 8: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/8.jpg)
BSDnet
Secure BSDnet
Rest of SLAC
WTS+Citrix Farm
DataWarehouse
BISWeb Server
TestPeopleSoft
ProdPeopleSoft
Gigabit Ethernet
“Air Gap”
“Air Gap”
User01
UserMC
UserYY UserXX
BSDPDC
SMS,BDC
FileServer
![Page 9: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/9.jpg)
DreadnaughtMetaFram e 1.8
Master ICA Browser
Norm andyMetaFram e 1.8
Secondary ICA Browser
SW H -N T
JerichoW TS / MetaFram e 1.8
ProductionMaster Configuration
M idwayW TS / MetaFram e 1.8
Production
MaginotW TS / MetaFram e 1.8
Production
Therm opylaeDevelopm ent
PeopleSoft 6.x
BastongeW TS / MetaFram e 1.8
Production
BadTolzDevelopm ent
PeopleSoft 7.x
CoronadoTraining
Multi-InstancePeopleSoft
BSD W orkstation
A lexandriaNT 4.0 F ile Server
OverlordNT 4.0 PDC
Security Dym anics
FSysHSys
Pars ley
BSD-EPN
SLAC BSD Extremely Private Netw ork Diagram
![Page 10: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/10.jpg)
Lessons of the implementation
•SLAC’s business process application, PEOPLESOFT is not native to the Windows Terminal Server/Citrix Metaframe environment
•Increased session security incompatible with cross-platform access
•3rd Party applications (Crystal Reports) has to be reconfigured to not only run on WTS but also run with a non-standard implementation of a “multi-user” PeopleSoft
•Securing the application servers running WTS
•Staff intensive installation and troubleshooting
![Page 11: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/11.jpg)
Securing WTS/MetaFrame
•Physical security critical - “Log on Locally” to all users
•Restrict anonymous connections
•Separate %rootdrive% and %systemroot% from %apps%
•Apply Microsoft ZAK for WTS
•Create bin folder on %apps% with system32 user apps
•Remove “everyone” access from everywhere file & registry
•Apply security based Service Packs and hot fixes immediately
•Recommend encrypted client
•Run highest NT authentication hash compatible with your site
![Page 12: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/12.jpg)
Securing Business Services
• Standardized workstations
• Add’l filtering router on business subnet
• Secure application publishing - MetaFrame
• Two phase authentication
• Encrypted host, app & remote access
• Active monitoring
• “Air gap” fail-safe measure in the event of intrusion
![Page 13: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/13.jpg)
General Use App Farm
• Goal: To provide non-Windows clients access to Windows applications; encourage single platform clients
• Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers
• “Master” to clone maintenance plan
• Provide most every app needed/requested by users
![Page 14: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/14.jpg)
General Use App Farm
• Strong support for LINUX and Solaris clients
• Beware of potential “bad apps” on WTS
• NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting)
• DOS applications
• Using Basic encryption for general sessions, considering 128-bit SecureICA for all access to both farms
![Page 15: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/15.jpg)
Future of Thin Client
• Windows 2000 servers “natively” support thin client- Watch for more features in MS’ RDP clients
• Windows 2000 Applications Deployment Services
• “Rental applications”
• Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
• Microsoft’s 2000 logo program “requires” WTS compliance
• Return to the mainframe-like methodology with Win2K and thin client solutions
![Page 16: Windows Terminal Server & Citrix MetaFrame](https://reader036.vdocument.in/reader036/viewer/2022082417/56812e06550346895d936def/html5/thumbnails/16.jpg)
WTS/Citrix Paper
NT Security in an Open Academic Environment - SLAC 8172
• Find the document at : http://www.slac.stanford.edu/pubs/fastfind.html
•http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html