
Page 1: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Managing CERN Desktops with Systems Management Server (SMS 2003)

Michel Christaller
Internet Services Group
Department of Information Technology
CERN

May 2005

Page 2: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Michel Christaller – CERN IT/IS

Summary

• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion

Page 3: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Summary

• CERN infrastructure
  - What is SMS?
  - SMS History at CERN
  - Server Architecture
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion

Page 4: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

What is SMS?

• Microsoft Systems Management Server
  - software deployment
  - software and hardware inventory
  - software metering
  - remote control
• Additional features (SUS Feature Pack)
  - Windows Security Updates Scan Tool
  - Microsoft Office Security Updates Scan Tool
  - Extended Security Tool (non-MBSA patches)

Page 5: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

SMS Architecture

[Diagram: the Site & Database Server feeds the Distribution Points and Management Points. Desktop Clients ask a Management Point "new package?", run packages from the Distribution Point share and report Inventory. Remote Clients (VPN, GPRS, Dial-in) ask the same "new package?" question, download the package with BITS, run it locally and report Inventory.]

Page 6: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

SMS History at CERN

• SMS 2.0 used from 2001
• SMS 2003 deployed Summer 2004
• SMS 2003 SP1 deployed Autumn 2004
• More MPs needed due to patch deployments
  - 3 MPs with NLB
• 10Gb database now

Page 7: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Server Infrastructure

• Native Windows 2003 Active Directory (3 DCs)
  - Heavy use of Groups, Group Policies and startup scripts
• SMS infrastructure (Windows 2003, SMS 2003 SP1)
  - 1 Site server, 3 Distribution Points, 3 Management Points
• Other servers (mostly Windows 2003 SP1)
  - ~30 file servers
  - ~180 servers total, 50Tb disk space (Mail, Web, Terminal servers, etc.)
• Web-based administration interface (http://cern.ch/win)
• ~6000 managed desktops
  - 1/4 Windows 2000
  - 3/4 Windows XP

Page 8: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Summary

• CERN infrastructure
• Managing assets
  - Desktops installation
  - Computer Management (web site)
  - Hardware & Software inventory
• Deploying programs with SMS
• Deploying security patches with SMS
• Conclusion

Page 9: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Desktop Installation

• DianeCD on WinPE
  - Windows Pre-Installation Environment: stripped-down Windows
  - Includes latest drivers -> no need for DOS network drivers
  - Available on bootable CD
  - Configures HCP only
  - Copies model-dependent drivers to local disk
  - Launches installation through network
  - Permits forbidding LM hash authentication (which was needed by the DOS network layer)

Page 10: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Computer Management

• User-oriented web-based administration

Page 11: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Hardware & Software inventory

• Inventory by SMS:
  - Hardware
  - Software (programs installed)
  - Files

Page 12: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Summary

• CERN infrastructure
• Managing assets
• Deploying programs with SMS
  - XP SP2 deployment
  - .Net Framework deployment
• Deploying security patches with SMS
• Conclusion

Page 13: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

XP SP2 deployment

• XP SP2 offers enhanced security
  - Firewall, IE6 SP2
• 90% of XP SP1 computers upgraded to SP2
• Recurrent SMS package
  - Pops up a prompt to the user every day for one month
  - Forced installation if the user does not respond
  - Launches the XPSP2.exe upgrade
  - Distributed to XP SP1 computers, gradually by department
• Coupled with Office XP upgrade to Office 2003
• Almost no incompatibilities seen (except for some engineering applications)
• Goal: support only Windows XP SP2 / Office 2003 by end of year

Page 14: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

.Net Framework deployment

• .Net Framework 1.1 needed to deploy next generation applications like the new CERN Newsreader
• SMS package combining .Net Framework 1.1, SP1 and hotfix 886903
• Deployed on all XP SP2 computers
• 25 chances to install at will, then forced
• Program deployment with SMS often needs VB scripting to establish a user interface

Page 15: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Summary

• CERN infrastructure
• Managing assets
• Deploying programs with SMS
• Deploying security patches with SMS
  - Why patching?
  - Patching Policy
  - SUS Feature Pack
  - Non-MS patches
  - Reporting
• Conclusion

Page 16: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Why Patching?

• Exploits are often made public before patches
• Un-patched computers get viruses
• Which install backdoors
• Which come with key-loggers and root-kits
• Root-kits are really difficult to clean up or even detect
• And are used for illegal activities (spamming, file exchange, DOS attacks etc.)
• CERN severely affected by an unmanaged computer hacked in May 2004

Page 17: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Patching Policy

• How to maximize coverage and minimize reboots?
• Group patches by products
  - System-related by OS version
  - Other products: Messenger, Media Player, Acrobat, Putty etc.
• Deploy first as ‘advertised’ (installation not forced) for some time
  - One package for latest patches, all OS versions
• Second deployment: forced installation and reboot
  - One baseline package by OS version
• Recurrent every day on all computers missing patches

Page 18: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

SUS Feature Pack

• Based on MBSA detection tool
  - Windows patches, IE patches, SQL, Exchange, IIS, MSXML, MDAC
  - MS Office patches with Office Updates
• Uses a mssecure.xml file
• Wrapper patchinstall provides the user interface

Page 19: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

SUS Feature Pack

[Diagram: the Sync Tool on the SMS 2003 Site Server sends an MSSecure.xml update request to the Microsoft Download Center and receives MSSecure.xml together with the Patches, QFEs and SPs; on the clients the Scan Tool runs, results come back through Hardware Inventory, patches go out by Advertisement and Installation Status is reported.]

Limitation! Works only with updates managed by MBSA 1.2 (not all products involved)

Page 20: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Products not detected by MBSA

• Extended Security Tool
  - Workaround to deploy some MS product patches
    • Windows Messenger & MSN Messenger
    • Media Player
    • .Net Framework
  - Similar to SUSFP (XML file and patchinstall wrapper)
  - Will be merged into SUSFP in the future
• Non-MS products
  - Make a VB script for the user interface; deployment based on inventory (file versions / programs installed)
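The staged policy from the Patching Policy slide (advertise first, force with reboot once the user has used up their deferrals, re-evaluate every day) and the inventory-based detection for non-MS products described above, as an added Python model that is not CERN's SMS packaging or Microsoft's tooling. Only MS05-019 comes from the slides; the other patch names, file names, versions and inventory records are constructed.

```python
# Added example (not CERN's SMS packages or Microsoft's tools); all inventory data is constructed.
from dataclasses import dataclass

@dataclass
class Patch:
    id: str                  # bulletin id, or a constructed name for non-MS patches
    product: str             # grouping key; "" = system patch, grouped by OS version
    oses: set                # OS versions it applies to; empty = any
    file: str = ""           # non-MS products: inventoried file whose version is checked
    min_version: tuple = ()  # file version at or above which the patch is present

@dataclass
class Computer:
    name: str
    os: str
    installed_patches: set   # patch ids reported by the scan tool
    file_versions: dict      # file name -> version tuple from SMS file inventory
    deferrals: int = 0       # times the user postponed an advertised install

def needs(patch, pc):  # True if the inventory shows the patch is applicable and missing
    if patch.oses and pc.os not in patch.oses:
        return False
    if patch.file:  # non-MS product: no such file means the product is absent
        ver = pc.file_versions.get(patch.file)
        return ver is not None and ver < patch.min_version
    return patch.id not in pc.installed_patches

def missing_by_product(catalogue, pc):
    """Group missing patches the way the policy does: by OS version, else by product."""
    groups = {}
    for p in catalogue:
        if needs(p, pc):
            groups.setdefault(p.product or pc.os, []).append(p.id)
    return groups

def decide(catalogue, pc, max_deferrals):  # daily decision for one computer
    missing = missing_by_product(catalogue, pc)
    if not missing:
        return "compliant", missing
    return ("advertised" if pc.deferrals < max_deferrals else "forced_reboot"), missing

CATALOGUE = [  # constructed catalogue; MS05-019 is the bulletin shown on the slides
    Patch("MS05-019", "", {"Windows 2000", "Windows XP SP2"}),
    Patch("PUTTY-057", "Putty", set(), "putty.exe", (0, 57)),          # constructed
    Patch("WMP-FIX", "Media Player", set(), "wmplayer.exe", (10, 0)),  # constructed
]
PCS = [  # constructed inventory records
    Computer("pc01", "Windows XP SP2", {"MS05-019"}, {"putty.exe": (0, 57)}),
    Computer("pc02", "Windows 2000", set(), {"putty.exe": (0, 56)}, deferrals=3),
    Computer("pc03", "Windows XP SP2", set(), {}, deferrals=25),
]
```

Running `decide(CATALOGUE, pc, 25)` over `PCS` gives one compliant machine, one advertised (Windows 2000 patch plus an old Putty), and one forced with reboot after 25 deferrals.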

Page 21: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Reports on security updates

Page 22: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Patch Deployment of MS05-019

[Chart: Computers (0 to 6000) by Date, Apr-13 to Apr-28; series "Installed" and "Total". Annotations: "Patch advertised to all CERN computers" and "Forced deployment started".]

Deployment Status of MS05-019

• Graph from SMS patch status data
• Patch published by Microsoft on 12th of May

Page 23: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Conclusion

• Reaching 100% coverage is a dream
  - Always a computer without disk space, broken files etc.
• SMS 2003 makes the infrastructure much better managed
  - Hardware & software inventory
  - Pushed software installations (GP ‘Assign to computer’ was running only at startup)
  - Patch deployment and status
• Drawbacks
  - Heavy inventory phases, annoying for slow computers
  - Packaging steps may be necessary: deployment of non-MS products often requires VB scripting

Page 24: Managing CERN Desktops  with Systems Management Server  (SMS 2003)

Questions?

• Visit us: http://cern.ch/win