Windows Terminal Server
& Citrix MetaFrame
Stanford Linear Accelerator Center
NT Support Group
www.slac.stanford.edu/comp/winnt
Gregg Daly [email protected]
Supported by U.S. D.O.E. contract
DE-AC03-76SF005515
General Information
• Stanford University operated, U.S. D.O.E. funded unclassified research center
• Heterogeneous computing environment supporting high-energy physics research
• 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems
• Exponential growth at the facility
Responding to ‘98 Security Incident
• Hackers compromised 25 systems and 50 user accounts
• Perform data & service analysis on areas of the network
• Decision to safeguard critical HR and Financial data on PeopleSoft and Oracle
• Safeguard personnel data in Human Resource database
• Safeguard purchasing and budget data in Financial database
Options for securing data
• Corporate type lock down, including limiting access to and from the Internet and other research facilities
• Two physical networks: one SLAC only & the other Internet accessible
• Moving the data (but not the people) into a highly secured zone, using encrypted access and extensive monitoring
Business Services Network
• Created a highly secure “machine/data only” network
• Created a user/workstation network to access the secure network
• Secure all aspects of data access
• Secured workstations
• Encrypted application access via Citrix’s Secure ICA
• Encrypted host connections via Secure Shell (3DES/Blowfish)
• Two phase authentication process for secure domain login
[Diagram: PeopleSoft WTS-MetaFrame Farm. A MetaFrame farm (MS Windows Terminal Server + Citrix MetaFrame, MetaFrame Load Balance, Secure ICA) on the Secure BSDnet fronts the PeopleSoft and Oracle data servers. Business Services Division workstations in the BSD Domain on BSDnet connect via Secure ICA (future 2-factor authentication); SLAC and the Internet sit outside.]
[Diagram: Secure Business System. MetaFrame farm with MetaFrame Load Balance and Sun 450 Oracle data servers on the Business Services Division Extremely Private Network; BSD Domain workstations on the Secure BSDnet; SLAC and the Internet outside.]
[Diagram: SLAC BSD Extremely Private Network Diagram. Secure BSDnet (Gigabit Ethernet) holds PeopleSoft Prod and Test WTS + Citrix Farm, File Server, SMS/BDC, PDC, BIS Data Warehouse and Web Server; BSD workstations (UserMC, User01, UserXX, UserYY) sit on BSDnet; an “Air Gap” separates the BSD network from the rest of SLAC. Hosts named: Parsley, Overlord, Midway, Alexandria, Maginot, Bastonge, Jericho, Dreadnaught, Normandy, Thermopylae, BadTolz, Coronado, BSD-EPN, SWH-NT, FSys, HSys. Roles shown: NT 4.0 PDC, Security Dynamics, NT 4.0 File Server, WTS / MetaFrame 1.8 Production (one is the Master Configuration), MetaFrame 1.8 Master ICA Browser, MetaFrame 1.8 Secondary ICA Browser, BSD Workstation, Development PeopleSoft 6.x, Development PeopleSoft 7.x, Training Multi-Instance PeopleSoft. The host-to-role pairing is not recoverable from the extracted text.]
Lessons of the implementation
• SLAC’s business process application, PEOPLESOFT, is not native to the Windows Terminal Server/Citrix MetaFrame environment
• Increased session security incompatible with cross-platform access
• 3rd party applications (Crystal Reports) have to be reconfigured to not only run on WTS but also run with a non-standard implementation of a “multi-user” PeopleSoft
• Securing the application servers running WTS
• Staff intensive installation and troubleshooting
Securing WTS/MetaFrame
• Physical security critical: all users hold the “Log on Locally” right
• Restrict anonymous connections
• Separate %rootdrive% and %systemroot% from %apps%
• Apply Microsoft ZAK for WTS
• Create bin folder on %apps% with system32 user apps
• Remove “everyone” access from everywhere in the file system & registry
• Apply security based Service Packs and hot fixes immediately
• Recommend encrypted client
• Run highest NT authentication hash level compatible with your site
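Two of the items above (restrict anonymous connections, run the highest NT authentication hash level the site can tolerate) are plain registry settings on NT 4.0, so they can be audited from a registry export. The script below is an added example, not SLAC’s code: it parses a REGEDIT4-style export of the Lsa key and reports whether RestrictAnonymous and LmCompatibilityLevel meet a floor. The key path and value names are the real NT 4.0 LSA settings; the two export texts are constructed samples, and the default floor of level 2 (send NTLM only, never the LM response) is an assumption standing in for “compatible with your site”.

```python
"""Audit an NT 4.0 registry export against two "Securing WTS/MetaFrame" items:
restrict anonymous connections and raise the NT authentication hash level.

Added example, not SLAC's code. The export texts are constructed; the key path
and value names are the real NT 4.0 LSA settings. The floor for
LmCompatibilityLevel is an assumption (the deck says "compatible with your site").
"""
import re

# Constructed sample: a server that was never hardened. RestrictAnonymous is
# absent (NT 4.0 treats that as 0) and the LM level is the default 0.
SAMPLE_EXPORT_WEAK = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"LmCompatibilityLevel"=dword:00000000
"""

# Constructed sample: the same key after applying the checklist.
SAMPLE_EXPORT_HARDENED = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LmCompatibilityLevel"=dword:00000002
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text):
    """Return {key_path(lowercased): {value_name(lowercased): (kind, value)}}.

    Handles the REGEDIT4 / 5.00 text format: [key] headers, then "name"=data
    lines. dword and quoted string data are decoded; other kinds are kept raw.
    Registry names are case-insensitive, so both levels are lowercased.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line) or re.match(r'^(@)=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = ("dword", int(raw[6:], 16))
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = ("string", raw[1:-1])
            else:
                keys[current][name] = ("other", raw)
    return keys


def audit_lsa(text, min_lm_level=2):
    """Return [(check, ok, detail)] for the two checklist items.

    min_lm_level is the assumed site floor. On NT 4.0 SP4+, level 2 is the
    lowest value at which the client stops sending the LM response; 0 (the
    default) and 1 still send it.
    """
    lsa = parse_reg_export(text).get(LSA_KEY.lower(), {})
    findings = []

    ra = lsa.get("restrictanonymous")
    if ra is None or ra[0] != "dword" or ra[1] < 1:
        findings.append(("RestrictAnonymous", False,
                         "absent or 0: null sessions may enumerate accounts and shares"))
    else:
        findings.append(("RestrictAnonymous", True, "value %d" % ra[1]))

    lm = lsa.get("lmcompatibilitylevel")
    level = lm[1] if lm and lm[0] == "dword" else 0  # absent means default 0
    if level < min_lm_level:
        findings.append(("LmCompatibilityLevel", False,
                         "level %d: LM response still sent on the wire" % level))
    else:
        findings.append(("LmCompatibilityLevel", True, "level %d" % level))
    return findings


def is_compliant(text, min_lm_level=2):
    """True only when every check in audit_lsa passes."""
    return all(ok for _, ok, _ in audit_lsa(text, min_lm_level))


if __name__ == "__main__":
    for label, export in (("weak", SAMPLE_EXPORT_WEAK),
                          ("hardened", SAMPLE_EXPORT_HARDENED)):
        print(label)
        for check, ok, detail in audit_lsa(export):
            print("  %-22s %s  %s" % (check, "PASS" if ok else "FAIL", detail))
```

Feed it the output of `regedit /e` for the Lsa key from each farm server; raising `min_lm_level` to 3 or above enforces NTLMv2-only, which is where the “compatible with your site” caveat matters, since older clients (and the cross-platform access noted under Lessons) may stop authenticating.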
Securing Business Services
• Standardized workstations
• Add’l filtering router on business subnet
• Secure application publishing via MetaFrame
• Two phase authentication
• Encrypted host, app & remote access
• Active monitoring
• “Air gap” fail-safe measure in the event of intrusion
General Use App Farm
• Goal: provide non-Windows clients access to Windows applications; encourage single platform clients
• Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers
• “Master” to clone maintenance plan
• Provide most every app needed/requested by users
General Use App Farm
• Strong support for LINUX and Solaris clients
• Beware of potential “bad apps” on WTS
  • NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting)
  • DOS applications
• Using Basic encryption for general sessions, considering 128-bit SecureICA for all access to both farms
Future of Thin Client
• Windows 2000 servers “natively” support thin client; watch for more features in MS’ RDP clients
• Windows 2000 Applications Deployment Services
• “Rental applications”
• Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
• Microsoft’s 2000 logo program “requires” WTS compliance
• Return to the mainframe-like methodology with Win2K and thin client solutions
WTS/Citrix Paper
NT Security in an Open Academic Environment - SLAC 8172
• Find the document at: http://www.slac.stanford.edu/pubs/fastfind.html
• http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub8172.html
HEPNT ‘99
Questions
www.slac.stanford.edu/comp/winnt
[email protected]