
Page 1: Windows Terminal Server & Citrix MetaFrame, Stanford Linear Accelerator Center NT Support Group, Gregg Daly gdaly@slac.stanford.edu

Windows Terminal Server & Citrix MetaFrame

Stanford Linear Accelerator Center

NT Support Group

www.slac.stanford.edu/comp/winnt

Gregg Daly gdaly@slac.stanford.edu

Supported by U.S. D.O.E. contract DE-AC03-76SF005515

Page 2: General Information

• Stanford University operated, U.S. D.O.E.-funded unclassified research center
• Heterogeneous computing environment supporting high-energy physics research
• 3800 hosts (1400 Windows networking), Solaris, Mac OS, Linux & numerous other operating systems
• Exponential growth at the facility

Page 3: Responding to ’98 Security Incident

• Hackers compromised 25 systems and 50 user accounts
• Perform data & service analysis on areas of the network
• Decision to safeguard critical HR and Financial data on PeopleSoft and Oracle
• Safeguard personnel data in Human Resource database
• Safeguard purchasing and budget data in Financial database

Page 4: Options to securing data

• Corporate-type lock down, including limiting access to and from the Internet and other research facilities
• Two physical networks: one SLAC only, the other Internet accessible
• Moving the data (but not the people) into a highly secured zone; use encrypted access and extensive monitoring

Page 5: Business Services Network

• Created a highly secure “machine/data only” network
• Created a user/workstation network to access the secure network
• Secure all aspects of data access
• Secured workstations
• Encrypted application access via Citrix’s Secure ICA
• Encrypted host connections via Secure Shell (3DES/Blowfish)
• Two-phase authentication process for secure domain login

Page 6: PeopleSoft WTS-MetaFrame Farm

[Diagram: the Secure BSDnet holds the Oracle data servers and the MetaFrame Farm (MS Windows Terminal Server, Citrix MetaFrame, MetaFrame Load Balance, Secure ICA) running PeopleSoft; workstations in the Business Services Division BSD Domain connect over Secure ICA (future 2-factor authentication); Internet, SLAC and BSDnet are shown as separate zones.]

Page 7: Secure Business System

[Diagram: Business Services Division BSD Domain workstations, the Internet and SLAC reach the MetaFrame Farm through MetaFrame Load Balance; the Sun 450 Oracle data servers sit in the Business Services Division Extremely Private Network.]

Page 8: BSDnet and Secure BSDnet

[Diagram: the Secure BSDnet (WTS+Citrix Farm, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, on Gigabit Ethernet) is separated by “Air Gap” links from BSDnet (workstations User01, UserMC, UserXX, UserYY; BSD PDC; SMS/BDC; File Server) and from the Rest of SLAC.]

Page 9: SLAC BSD Extremely Private Network Diagram

[Diagram of hosts in the BSD-EPN: Dreadnaught (MetaFrame 1.8, Master ICA Browser); Normandy (MetaFrame 1.8, Secondary ICA Browser); Jericho (WTS / MetaFrame 1.8, Production Master Configuration); Midway, Maginot and Bastonge (WTS / MetaFrame 1.8, Production); Thermopylae (Development, PeopleSoft 6.x); BadTolz (Development, PeopleSoft 7.x); Coronado (Training, Multi-Instance PeopleSoft); Alexandria (NT 4.0 File Server); Overlord (NT 4.0 PDC); Security Dynamics; FSys/HSys; Parsley; SWH-NT; BSD Workstation.]

Page 10: Lessons of the implementation

• SLAC’s business process application, PeopleSoft, is not native to the Windows Terminal Server/Citrix MetaFrame environment
• Increased session security is incompatible with cross-platform access
• 3rd-party applications (Crystal Reports) have to be reconfigured not only to run on WTS but also to run with a non-standard implementation of a “multi-user” PeopleSoft
• Securing the application servers running WTS
• Staff-intensive installation and troubleshooting

Page 11: Securing WTS/MetaFrame

• Physical security critical: “Log on Locally” to all users
• Restrict anonymous connections
• Separate %rootdrive% and %systemroot% from %apps%
• Apply Microsoft ZAK for WTS
• Create bin folder on %apps% with system32 user apps
• Remove “everyone” access from everywhere, file & registry
• Apply security-based Service Packs and hot fixes immediately
• Recommend encrypted client
• Run highest NT authentication hash compatible with your site
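As an added example (not from the deck), a read-only PowerShell audit that checks a current Windows host for several of the items above; the Lsa registry values and the secedit export are standard Windows, while the $AppsRoot path is an assumed stand-in for the slide's %apps% drive.

```powershell
# Added audit script (not SLAC's code). Read-only checks for the hardening
# items on the slide, written for a current Windows host; $AppsRoot is an
# assumption standing in for the slide's %apps% drive.
param([string]$AppsRoot = 'D:\Apps')

$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# "Restrict anonymous connections": RestrictAnonymous 0 = unrestricted,
# 1 = no enumeration of SAM accounts and shares, 2 = no anonymous access
# without explicit anonymous permissions.
if (-not $lsa.RestrictAnonymous -or $lsa.RestrictAnonymous -lt 1) {
    $findings += 'RestrictAnonymous is 0: null sessions may enumerate accounts and shares'
}

# "Run highest NT authentication hash compatible with your site":
# LmCompatibilityLevel 0..5; below 3 the host still sends LM or NTLMv1
# responses, 5 sends NTLMv2 only and refuses LM and NTLM.
if (-not $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 3) {
    $findings += "LmCompatibilityLevel is $($lsa.LmCompatibilityLevel): LM/NTLMv1 responses still sent"
}

# "Log on Locally": export local policy and see who holds
# SeInteractiveLogonRight; Everyone (S-1-1-0) or Users (S-1-5-32-545)
# there undermines the physical-security point the slide makes.
$tmp = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $tmp /quiet | Out-Null
$right = Get-Content $tmp | Where-Object { $_ -match '^SeInteractiveLogonRight' }
if ($right -and $right -match 'S-1-1-0|S-1-5-32-545') {
    $findings += "Log on locally granted broadly: $right"
}
Remove-Item $tmp -ErrorAction SilentlyContinue

# "Remove Everyone access from file & registry": walk the apps tree and the
# machine Run key, reporting any ACE granted to Everyone.
function Find-EveryoneAce {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        foreach ($ace in (Get-Acl -Path $p).Access) {
            if ($ace.IdentityReference.Value -eq 'Everyone') {
                "$p : Everyone has $($ace.FileSystemRights)$($ace.RegistryRights)"
            }
        }
    }
}
$targets  = @($AppsRoot) + (Get-ChildItem -Path $AppsRoot -Recurse -Directory -ErrorAction SilentlyContinue).FullName
$targets += 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings += Find-EveryoneAce -Paths $targets

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it in an elevated session; each line of output names the slide item it relates to so it can be ticked off against the checklist.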

Page 12: Securing Business Services

• Standardized workstations
• Add’l filtering router on business subnet
• Secure application publishing: MetaFrame
• Two-phase authentication
• Encrypted host, app & remote access
• Active monitoring
• “Air gap” fail-safe measure in the event of intrusion

Page 13: General Use App Farm

• Goal: to provide non-Windows clients access to Windows applications; encourage single-platform clients
• Based on Dell Dual PII-400, 1/2 GB RAM, RAID 0 servers
• “Master” to clone maintenance plan
• Provide most every app needed/requested by users

Page 14: General Use App Farm

• Strong support for LINUX and Solaris clients
• Beware of potential “bad apps” on WTS
• NetMeeting (www.shenton.org/~chris/nasa-hq/netmeeting)
• DOS applications
• Using Basic encryption for general sessions; considering 128-bit SecureICA for all access to both farms

Page 15: Future of Thin Client

• Windows 2000 servers “natively” support thin client; watch for more features in MS’ RDP clients
• Windows 2000 Applications Deployment Services
• “Rental applications”
• Watch for significant changes in licensing requirements and fees from Microsoft and other software vendors
• Microsoft’s 2000 logo program “requires” WTS compliance
• Return to the mainframe-like methodology with Win2K and thin client solutions

Page 16: WTS/Citrix Paper

NT Security in an Open Academic Environment, SLAC 8172

• Find the document at: http://www.slac.stanford.edu/pubs/fastfind.html
• http://www.slac.stanford.edu/pubs/slacpubs/8000/slac-pub-8172.html

Page 17: HEPNT ’99

Questions

www.slac.stanford.edu/comp/winnt

gdaly@slac.stanford.edu