Managing CERN Desktops with Systems Management Server (SMS 2003)


  1. Managing CERN Desktops with Systems Management Server (SMS 2003) Michel Christaller Internet Services Group Department of Information Technology CERN May 2005

  2. Summary • CERN infrastructure • Managing assets • Deploying programs with SMS • Deploying security patches with SMS • Conclusion

  3. Summary • CERN infrastructure • What is SMS ? • SMS History at CERN • Server Architecture • Managing assets • Deploying programs with SMS • Deploying security patches with SMS • Conclusion

  4. What is SMS? • Microsoft Systems Management Server • software deployment • software and hardware inventory • software metering • remote control • Additional Features (SUS Feature Pack) • Windows Security Updates Scan Tool • Microsoft Office Security Updates Scan Tool • Extended Security Tool (non-MBSA patches)

  5. SMS Architecture (diagram; labels recovered from the slide) • Site & Database Server: receives Inventory from the Management Points • Management Points: answer the clients' "new package?" polling; Desktop Clients and Remote Clients (VPN, GPRS, Dial-in) report Inventory to them • Distribution Points: clients either download the package (BITS) and run it locally, or run it from the share

  6. SMS History at CERN • SMS 2.0 used from 2001 • SMS 2003 deployed Summer 2004 • SMS 2003 SP1 deployed Autumn 2004 • More MPs needed because of the load of patch deployments • 3 MPs behind NLB • 10 GB database now

  7. Server Infrastructure • Native Windows 2003 Active Directory (3 DCs) • Heavy use of Groups, Group Policies and startup scripts • SMS infrastructure (Windows 2003, SMS 2003 SP1) • 1 Site server, 3 Distribution Points, 3 Management Points • Other servers (mostly Windows 2003 SP1) • ~30 file servers • ~180 servers total, 50 TB disk space (Mail, Web, Terminal servers, etc.) • Web-based administration interface (http://cern.ch/win) • ~6000 managed desktops • 1/4 Windows 2000 • 3/4 Windows XP

  8. Summary • CERN infrastructure • Managing assets • Desktops installation • Computer Management (web site) • Hardware & Software inventory • Deploying programs with SMS • Deploying security patches with SMS • Conclusion

  9. Desktop Installation • DianeCD on WinPE • Windows Pre-Installation Environment: stripped-down Windows • Includes the latest drivers -> no need for DOS network drivers • Available on bootable CD • Configures DHCP only • Copies model-dependent drivers to the local disk • Launches the installation over the network • Allows LM hash authentication to be disabled (the old DOS network layer needed it; WinPE's network stack does not)

  10. Computer Management • User-oriented web-based administration

  11. Hardware & Software inventory • Inventory by SMS: • Hardware • Software (programs installed) • Files

  12. Summary • CERN infrastructure • Managing assets • Deploying programs with SMS • XP SP2 deployment • .Net Framework deployment • Deploying security patches with SMS • Conclusion

  13. XP SP2 deployment • XP SP2 offers enhanced security • Firewall, IE6 SP2 • 90% of XP SP1 computers upgraded to SP2 • Recurrent SMS package • Prompts the user every day for one month • Forced installation if the user does not respond • Launches the XPSP2.exe upgrade • Distributed to XP SP1 computers, gradually by department • Coupled with the Office XP upgrade to Office 2003 • Almost no incompatibilities seen (except for some engineering applications) • Goal: support only Windows XP SP2 / Office 2003 by end of year

  14. .Net Framework deployment • .Net Framework 1.1 needed to deploy next generation applications like the new CERN Newsreader • SMS package combining .Net Framework 1.1, SP1 and hotfix 886903 • Deployed on all XP SP2 computers • 25 chances to install at will, then forced • Program deployment with SMS often needs VB scripting to provide a user interface
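The "advertised first, forced after N chances" scheme of slides 13 and 14, as an added example; it is not CERN's own wrapper (which the slides say was a VBScript with a dialog). It assumes the rules stated on the slides: the user is prompted once per day, a rerun of the advertisement on the same day (for instance after a reboot) must not consume a chance, and installation is forced once the grace count (30 days for XP SP2, 25 chances for .Net) is exhausted. The `user_accepts` argument stands in for the dialog, and the dates and answers are constructed.

```python
"""Advertise-then-force logic for a recurring SMS package (added example).

Models the policy on slides 13 and 14: prompt the user once per day, let them
defer, and force the installation once the grace count is used up. The real
CERN wrapper was a VBScript with a dialog; here the dialog is replaced by the
`user_accepts` argument (True = clicked install, False/None = deferred or absent).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DeferralState:
    """Per-computer state the wrapper would persist (e.g. in the registry)."""
    prompted_days: set = field(default_factory=set)
    installed: bool = False


def next_action(state, today, user_accepts, max_deferrals):
    """Decide what this run of the recurring advertisement does and update state.

    Returns 'skip' (already installed, or already prompted today),
    'install' (user accepted), 'prompt' (deferred, chances remain) or
    'force' (grace period exhausted: install without asking).
    """
    if state.installed:
        return "skip"
    if user_accepts:
        state.installed = True
        return "install"
    if today in state.prompted_days:
        # A rerun on the same day (e.g. after a reboot) must not burn a chance.
        return "skip"
    state.prompted_days.add(today)
    if len(state.prompted_days) > max_deferrals:
        state.installed = True
        return "force"
    return "prompt"


def simulate(answers, max_deferrals, start=date(2005, 5, 2)):
    """Run the advertisement once per day; answers[i] is the user's reply on day i."""
    state = DeferralState()
    return [next_action(state, start + timedelta(days=i), a, max_deferrals)
            for i, a in enumerate(answers)]


XP_SP2_GRACE_DAYS = 30   # "prompts the user every day for one month"
DOTNET_GRACE = 25        # "25 chances to install at will, then forced"

if __name__ == "__main__":
    print(simulate([None, None, True], XP_SP2_GRACE_DAYS))
    print(simulate([None] * (DOTNET_GRACE + 1), DOTNET_GRACE)[-3:])
```

Counting distinct prompt days rather than runs is the point: a recurring advertisement that re-executes after every reboot would otherwise exhaust a 30-day grace period in a few days on a machine that is restarted often.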

  15. Summary • CERN infrastructure • Managing assets • Deploying programs with SMS • Deploying security patches with SMS • Why patching ? • Patching Policy • SUS Feature Pack • Non-MS patches • Reporting • Conclusion

  16. Why Patching ? • Exploits are often made public before patches • Unpatched computers get viruses • which install backdoors • which come with key-loggers and root-kits • Root-kits are really difficult to clean up, or even to detect • Compromised machines are used for illegal activities (spamming, file exchange, DoS attacks, etc.) • CERN was severely affected by an unmanaged computer hacked in May 2004

  17. Patching Policy • How to maximize coverage and minimize reboots ? • Group patches by product • System-related patches by OS version • Other products: Messenger, Media Player, Acrobat, Putty, etc. • Deploy first as 'advertised' (installation not forced) for some time • One package for the latest patches, covering all OS versions • Second deployment: forced installation and reboot • One baseline package per OS version • Recurrent every day on all computers missing patches

  18. SUS Feature Pack • Based on the MBSA detection tool • Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC • MS Office patches via Office Updates • Uses the mssecure.xml catalogue file • A patchinstall wrapper provides the user interface

  19. SUS Feature Pack (diagram; labels recovered from the slide) • Sync Tool on the SMS 2003 Site Server sends an MSSecure.xml update request to the Microsoft Download Center and receives MSSecure.xml plus the patches, QFEs and SPs • Scan Tool runs on the clients; results come back through Hardware Inventory • Advertisement pushes the missing patches; Installation Status is reported back • Limitation! Works only with updates managed by MBSA 1.2 (not all products covered)

  20. Products not detected by MBSA • Extended Security Tool • Workaround to deploy patches for some MS products • Windows Messenger & MSN Messenger • Media Player • .Net Framework • Similar to the SUSFP (XML file and patchinstall wrapper) • Will be merged into the SUSFP in the future • Non-MS products • Write a VB script for the user interface; deployment targeted on inventory data (file versions / programs installed)
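Inventory-driven targeting as described on slides 17 and 20 (one baseline package per OS version, re-advertised every day to every computer still missing a patch; non-MS products selected by the file version found in the software inventory), as an added example. It is not CERN's VBScript nor an SMS collection query; the bulletin IDs other than MS05-019, the PuTTY minimum version and the inventory records are constructed placeholders.

```python
"""Inventory-driven patch targeting (added example, not CERN's code).

Baseline: one required bulletin set per OS version, re-evaluated on every run so
a computer stays targeted as long as anything is missing. Non-MS products:
targeted by comparing the inventoried file version against a minimum. All IDs
except MS05-019 and all inventory records are constructed placeholders.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Computer:
    name: str
    os: str                                        # OS version key, matches BASELINE
    hotfixes: set = field(default_factory=set)     # bulletin IDs reported by the scan tool
    files: dict = field(default_factory=dict)      # file name -> version from software inventory


# Required bulletins per OS version (MS05-EX1/EX2 are placeholders, not real bulletins).
BASELINE = {
    "Windows 2000": {"MS05-019", "MS05-EX1"},
    "Windows XP": {"MS05-019", "MS05-EX1", "MS05-EX2"},
}

# Non-MS products: inventory file to check and the assumed minimum acceptable version.
NON_MS_PRODUCTS = {
    "PuTTY": ("putty.exe", "0.58"),
}


def parse_version(text):
    """'6.0.2900.2180' -> (6, 0, 2900, 2180). Numeric tuples compare correctly,
    unlike the raw strings: '0.58' < '0.6' as text, but (0, 58) > (0, 6) as a version."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def missing_baseline(computer):
    """Bulletins from the OS baseline that the computer has not reported installed.
    An OS version with no baseline entry is silently left alone, so keep BASELINE complete."""
    return BASELINE.get(computer.os, set()) - computer.hotfixes


def needs_update(computer, product):
    """True when the product is installed and older than the minimum version."""
    filename, minimum = NON_MS_PRODUCTS[product]
    installed = computer.files.get(filename)
    if installed is None:
        return False  # not installed: do not advertise the update
    return parse_version(installed) < parse_version(minimum)


def build_collections(computers):
    """Map package name -> computers to advertise it to (one baseline package per OS)."""
    collections = {}
    for c in computers:
        if missing_baseline(c):
            collections.setdefault(f"Baseline {c.os}", []).append(c.name)
        for product in NON_MS_PRODUCTS:
            if needs_update(c, product):
                collections.setdefault(f"{product} update", []).append(c.name)
    return collections


# Constructed inventory sample.
INVENTORY = [
    Computer("pcws01", "Windows XP", {"MS05-019", "MS05-EX1"}, {"putty.exe": "0.57"}),
    Computer("pcws02", "Windows 2000", {"MS05-019", "MS05-EX1"}, {"putty.exe": "0.58"}),
    Computer("pcws03", "Windows XP", {"MS05-019", "MS05-EX1", "MS05-EX2"}),
]

if __name__ == "__main__":
    for package, targets in build_collections(INVENTORY).items():
        print(f"{package}: {', '.join(targets)}")
```

Recomputing the collections from inventory on every run is what makes the daily recurrent baseline converge: a machine that was off, out of disk space or failed the install yesterday is simply still in the collection today, and a machine that was patched by other means drops out without anyone editing a list.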

  21. Reports on security updates

  22. Deployment Status of MS05-019 • Graph from SMS patch status data (not reproduced); events marked on it: patch published by Microsoft on 12th of May; patch advertised to all CERN computers; forced deployment started

  23. Conclusion • Reaching 100% coverage is a dream • There is always a computer without disk space, with broken files, etc. • SMS 2003 makes the infrastructure much better managed • Hardware & software inventory • Pushed software installations (GP 'Assign to computer' was running only at startup) • Patch deployment and status • Drawbacks • Heavy inventory phases: annoying for slow computers • Packaging steps may be necessary: deployment of non-MS products often requires VB scripting

  24. Questions ? • Visit us: http://cern.ch/win
