Download presentation: PC Manager Meeting, January 24th, 2007

  • Number of slides: 28

PC Manager Meeting, January 24th, 2007

Today
§ Updates: Next Meeting, Training, License, Jinitiator Upgrade, Meeting Maker, Windows Policy, Security
§ get_cert Replacement, A Look At NetIDMgr – Jack Schmidt

Next Meeting
§ February 28th: Key Management Service

Training Update
§ Understanding and Using Digital Certificates (PKI): Feb 15th, 2007
§ Excel 2003: Advanced: Feb. 27 & March 1, 2007 (am only)
§ Word 2003: Advanced: Feb. 27 & March 1, 2007 (pm only)

Licensing
§ EA Training vouchers expire March/April
§ FNAL Website: http://www-css.fnal.gov/csg/licensing/training/
§ Help redeeming Training Vouchers: licensemgr@fnal.gov

Training voucher days remaining, by Div/Sec:

  Div/Sec  Days
  AD       16
  D0        0
  MIS       5
  ESH       1
  CD       17
  FESS      4
  CDF       1
  PPD       4
  TD        5

Jinitiator
§ Update required for DST compliance, Feb/Mar 2007 timeframe
§ See PC Manager archives for detailed email.
§ MIS package available for download or via SMS
§ Instructions available at: http://bss-support.fnal.gov/Products/SNP_BOOK.nsf/Ref/712114619

Meeting Maker MMCO
§ Microsoft DST patch (KB 928388) breaks the Outlook connector. The error displayed is "Cannot connect to current session". Working with vendor. Don't install the DST patch on systems with the Outlook connector for now. If the DST patch is already installed on your computer, it can be uninstalled to return MMCO functionality.

Meeting Maker 8.6
§ MM Upgrade mandatory? Does it correct the DST problem with MMCO? Required for the DST time change?
§ Full upgrade: MM server, MM Native client, MM web server, MM MMCO client
§ MM Upgrade changes the Sync tool. Requires a new server with a Web component and a database component.
§ Working with Meeting Maker and Notify link to answer questions.

Windows Policy Committee
§ Vista Update: Updating baseline. KMS up and validating systems!
§ Working out issues (documentation, SRV records). Testing new GPOs in Fermibeta. Vista-users mail list.
§ Next Meeting: Feb 7th, 1:30-2:30 pm, WH 5 SW

Security Updates
§ MANDATORY Patches: MS07-004. Due Date: 1-19-2007
§ RECOMMENDED Patches: Due Date: 2-15-2007
§ The following is a link to the January Microsoft list of critical and important patches: http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx

Security Updates
§ New Fermi Windows CD available soon!

Main Topic
§ NetIDMgr – Jack Schmidt

Agenda
§ Background
§ Definitions
§ Requirements
§ Solution
§ Demo
§ Rollout

Background
§ Kerberos has provided a good, centrally supported service for telnet, ftp, etc.
§ Unfortunately many applications are unlikely to be Kerberized
§ The multiplicity of passwords is not solved by Kerberos; we still need some single sign-on mechanism for applications
§ We need to choose a mechanism to establish identity for other apps

Definitions (sorry)
§ Public Key Encryption: Asymmetric encryption using a public key and a private key
§ PKI, Public Key Infrastructure: A system of public key encryption using digital certificates from Certificate Authorities that verify and authenticate the validity of each party involved in an electronic transaction.
§ Digital Certificate: Includes your name, serial number, expiration dates, your public key, and the digital signature of the CA

Definitions
§ CA, Certificate Authority: verifies the identity of entities and issues digital certificates attesting to that identity.
§ X.509 is the international standard for Digital Certificates (not all conform)

Definitions
§ KCA, Kerberos Certificate Authority: Leverages the Kerberos authentication infrastructure. Short-lived (current ticket lifetime up to 7 days). Requires an FNAL realm Kerberos principal.
§ kx509 is a client program that talks to the KCA to obtain a short-lived X.509 certificate

Motivation To Use Certificates
§ Single sign-on for applications
§ Eliminate application passwords in the clear. Attacks are moving more toward applications rather than the OS.
§ Central revocation of authorization. Allows centralized auditing of user accounts.
§ Next slide indicates the scope of the problem with clear passwords

Inbound passwords in clear text

Benefits
§ KCA Certs:
  Strong identity verification
  Read or publish information
  User privileges can be revoked
  No password vulnerability
  Restricts usage to FNAL only
  Requires frequent renewal
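The KCA properties from the two slides above (short-lived certificates of at most 7 days, an FNAL realm principal, frequent renewal) can be checked mechanically before a desktop tool trusts a certificate. The following is an added example, not code from the presentation or from NetIDMgr; it uses the `cryptography` library, and the self-signed sample certificate it builds is constructed here only so the script runs offline (a real KCA certificate would come from kx509). The realm check on the Common Name and the one-day renewal window are assumptions.

```python
"""Audit an X.509 certificate against the KCA properties the slides list.

Added example (not part of the presentation). The sample certificate is
self-signed and constructed here; a real one would be issued by the KCA.
"""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

MAX_LIFETIME = dt.timedelta(days=7)        # KCA limit stated on the slide
REALM = "FNAL.GOV"                          # assumed: principal realm in the CN
RENEW_WINDOW = dt.timedelta(days=1)         # assumed: flag when < 1 day remains

def _validity(cert):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    if hasattr(cert, "not_valid_before_utc"):      # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    nb, na = cert.not_valid_before, cert.not_valid_after   # older: naive UTC
    return nb.replace(tzinfo=dt.timezone.utc), na.replace(tzinfo=dt.timezone.utc)

def audit_kca_cert(cert, now):
    """Policy checks a desktop tool could run before trusting a KCA cert."""
    nb, na = _validity(cert)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {
        "short_lived": (na - nb) <= MAX_LIFETIME,   # 7-day KCA limit
        "currently_valid": nb <= now <= na,
        "fnal_principal": cn.endswith("@" + REALM), # FNAL-only usage
        "renewal_due": (na - now) <= RENEW_WINDOW,  # frequent renewal
        "serial": cert.serial_number,
    }

def make_sample_cert(cn, lifetime, now):
    """Constructed self-signed certificate standing in for one from the KCA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + lifetime)
            .sign(key, hashes.SHA256()))
```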

Strategy
§ Move to single sign-on by adopting certificates for all applications
§ Build get_cert tools for each OS

Get_cert
§ Windows users find the current implementation a bit clunky
§ Issue with logon name

Replacement Tool Requirements
§ On login to the FERMI domain or via 'user'@FNAL.GOV:
§ Automatically get an FNAL.GOV ticket
§ Automatically get a KCA certificate and load it into supported browsers*
§ Use the existing krb5.conf
§ One place to change passwords
§ Ease of credential renewal
§ Code must be supportable

Solution
§ Pay a company to build the new tool: http://www.secure-endpoints.com
§ Use the existing NetIDMgr/KFW software. Create a KCA plugin. Comes with an AFS plugin!
§ Maintained open source
§ W2000/XP/Vista support
§ Terminal Server support

Take a spin…

Rollout
§ FNAL package available on pseekits: \\pseekits\desktoptools\netidmgr
§ SMS package available for distribution
§ Requires AFS 1.5.14. MSI can be installed via SMS. Issue if an existing version was installed via .EXE.

AFS Tip!
§ Don't mount drives via the AFS Control Panel! Use Map Network Drive and the UNC path \\afs\fnal.gov

References
§ Cd-doc-1380: CD Briefing on SSL Certificates, March 2006, Mark Leininger & Jack Schmidt
§ NetIDMgr User Documentation (pdf)
§ Kerberos For Windows
§ OpenAFS for Windows