windows terminal server & citrix metaframe stanford linear accelerator center nt support group ...
TRANSCRIPT
Windows Terminal Server& Citrix MetaFrame
Stanford Linear Accelerator Center
NT Support Group
www.slac.stanford.edu/comp/winnt
Gregg Daly [email protected]
Supported by U.S. D.O.E. contractDE-AC03-76SF005515
General Information • Stanford University operated - U.S.D.O.E
funded unclassifiedunclassified research center
• Heterogeneous computing environment supporting high-energy physics research
• 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems
• Exponential growth at the facility
Responding to ‘98 Security Incident
•Hackers compromised 25 systems and 50 user accounts
•Perform data & service analysis on areas of the network
•Decision to safeguard critical HR and Financial Data on PeopleSoft and Oracle
•Safeguard personnel data in Human Resource database
•Safeguard purchasing and budget data in Financial database
Options to securing data
• Corporate type lock down including limiting access to and from the Internet and other research facilities
•Two physical networks - one SLAC only & other Internet accessible
•Moving the data (but not the people) into a highly secured zone. Use encrypted access and extensive monitoring
Business Services Network• Created a highly secure “machine/data only” network
• Created a user/workstation network to access the secure network
•Secure all aspects of data access
•Secured workstations
•Encrypted application access via Citrix’s Secure ICA
•Encrypted host connections via Secure Shell (3DES/Blowfish)
•Two Phase authentication process for secure domain login
PeopleSoft WTS-MetaFrame Farm
Secure BSDnetSecure BSDnet
Oracle
Data
Data Data
Data
MetaFrame Farm
MS Windows Terminal ServerCitrix MetaFrameMetaFrame Load BalanceSecure ICA
Business Services DivisionBSD Domain
Workstation
Workstation
Workstation
Workstation
Workstation
Workstation
InterneInternet
SLACSLAC
BSDnetBSDnet
Connection: Secure ICA(future 2-factor authentication)
MS Windows Terminal ServerCitrix MetaFrame
MetaFrame Load BalanceSecure ICAPeopleSoft
Secure Business System
Business Services DivisionBSD Domain
M etaFram e Load Balance
Sun 450O racle
Data
Data Data
DataMetaFrame Farm
M etaFram e Load Balance
W orkstation
W orkstation
W orkstation
W orkstation
W orkstation
Internet
SLAC
Business Services DivisionExtremely Private Network
W orkstation
BSDnet
Secure BSDnet
Rest of SLAC
WTS+Citrix Farm
DataWarehouse
BISWeb Server
TestPeopleSoft
ProdPeopleSoft
Gigabit Ethernet
“Air Gap”
“Air Gap”
User01
UserMC
UserYY UserXX
BSDPDC
SMS,BDC
FileServer
DreadnaughtMetaFram e 1.8
Master ICA Browser
Norm andyMetaFram e 1.8
Secondary ICA Browser
SW H -N T
JerichoW TS / MetaFram e 1.8
ProductionMaster Configuration
M idwayW TS / MetaFram e 1.8
Production
MaginotW TS / MetaFram e 1.8
Production
Therm opylaeDevelopm ent
PeopleSoft 6.x
BastongeW TS / MetaFram e 1.8
Production
BadTolzDevelopm ent
PeopleSoft 7.x
CoronadoTraining
Multi-InstancePeopleSoft
BSD W orkstation
A lexandriaNT 4.0 F ile Server
OverlordNT 4.0 PDC
Security Dym anics
FSysHSys
Pars ley
BSD-EPN
SLAC BSD Extremely Private Netw ork Diagram
Lessons of the implementation
•SLAC’s business process application, PEOPLESOFT is not native to the Windows Terminal Server/Citrix Metaframe environment
•Increased session security incompatible with cross-platform access
•3rd Party applications (Crystal Reports) has to be reconfigured to not only run on WTS but also run with a non-standard implementation of a “multi-user” PeopleSoft
•Securing the application servers running WTS
•Staff intensive installation and troubleshooting
Securing WTS/MetaFrame
•Physical security critical - “Log on Locally” to all users
•Restrict anonymous connections
•Separate %rootdrive% and %systemroot% from %apps%
•Apply Microsoft ZAK for WTS
•Create bin folder on %apps% with system32 user apps
•Remove “everyone” access from everywhere file & registry
•Apply security based Service Packs and hot fixes immediately
•Recommend encrypted client
•Run highest NT authentication hash compatible with your site
Securing Business Services
• Standardized workstations
• Add’l filtering router on business subnet
• Secure application publishing - MetaFrame
• Two phase authentication
• Encrypted host, app & remote access
• Active monitoring
• “Air gap” fail-safe measure in the event of intrusion
General Use App Farm
• Goal: To provide non-Windows clients access to Windows applications; encourage single platform clients
• Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers
• “Master” to clone maintenance plan
• Provide most every app needed/requested by users
General Use App Farm
• Strong support for LINUX and Solaris clients
• Beware of potential “bad apps” on WTS
• NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting)
• DOS applications
• Using Basic encryption for general sessions, considering 128-bit SecureICA for all access to both farms
Future of Thin Client
• Windows 2000 servers “natively” support thin client- Watch for more features in MS’ RDP clients
• Windows 2000 Applications Deployment Services
• “Rental applications”
• Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
• Microsoft’s 2000 logo program “requires” WTS compliance
• Return to the mainframe-like methodology with Win2K and thin client solutions
WTS/Citrix Paper
NT Security in an Open Academic Environment - SLAC 8172
• Find the document at : http://www.slac.stanford.edu/pubs/fastfind.html
•http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html