WIN.MIT.EDU MIT Enterprise Windows Services

Description

WIN.MIT.EDU, MIT Enterprise Windows Services. IS&T Network & Infrastructure Services Team. WIN.MIT.EDU: MIT's Central Windows Domain. Topics: Audience, Description, Case Studies, Architecture, Features/Benefits, Sub-services, Security, Support. Presented at ITPartners by Richard Edelson (PowerPoint presentation).


  • WIN.MIT.EDU: MIT Enterprise Windows Services

    IS&T Network & Infrastructure Services Team

  • WIN.MIT.EDU: MIT's Central Windows Domain

    Agenda: Audience, Description, Case Studies, Architecture, Features/Benefits, Sub-services, Security, Support

    Presented at ITPartners by Richard Edelson

  • Audience

    Academic Departments: Classrooms, Clusters, Labs, Staff, Servers (Application, File and Print Services, Database, Web)

    Research Departments: Labs, Staff, Servers (Application, File and Print Services, Database, Web)

    Administrative Departments: Staff, Servers (Application, File and Print Services, Database, Web)

  • Description

    win.mit.edu provides a centrally managed Windows environment for the MIT campus. It is integrated with MIT's Kerberos realm, the Moira database and MIT's standard DNS namespace. Users log on once and get single sign-on to many MIT resources.

    Departments can seamlessly share resources across the Institute with other faculty, staff and students. Departments are given control of their environments to customize in many ways while leveraging the added value IS&T has built into the platform. Departments no longer need to provision and manage user accounts, handle patch management or manage operating system licensing.

    Over the past year the domain has been used by over 60 departments and 10,000 users. These include faculty, staff, and students in academic, administrative and research departments.

  • Case Studies: Academic Departments

    Department of Urban Studies and Planning: Cluster/Classroom environments; Desktop Environment for Faculty and Staff; File Servers

    Chemical Engineering: Specialized cluster/lab environment with customized applications

    Teal Classrooms: Classroom/Cluster environment

    IS&T Academic Computing: Classroom/Cluster environment; High performance computing environment featuring AutoCAD, ArcView GIS, Mathematica, MatLab, Adobe applications and more

  • Case Studies: Research Departments

    Bionet (Biology, Bio Engineering and more): 54 labs in 18 DLCs using shared high performance storage on NetApp file appliances joined the win.mit.edu Active Directory. High performance storage is required for generation of Genome research computational data. Desktop and Lab PC/Instrument environments; Windows File and Print Servers; some Workstation Environments are behind a Firewall on a Private Subnet; users make use of DFS home directories for personal space

    CMSE-SEF Electron Microscope Lab: Desktop and Lab PC/Instrument environments; Windows File and Print Servers; Secure Web site using IIS for external data sharing

  • Case Studies: Administrative Departments

    Controller's Accounting Office: Desktop, Windows File and Print Server Environments, Secure SAP check printing

    Human Resources: Desktop, Windows File and Print Server Environments, Kiosk Workstations

    Office of Sponsored Programs: Desktop, Windows File and Print Server Environments

    Campus Police: Desktop, Windows File and Print Server Environments, IPSec

    Card Office: Desktop, Windows File and Print Server Environments, Access Management via Citrix

    Parking Office: Desktop, Windows File and Print Server Environments; Application Servers for Parking Gate Management

    Resource Development: Desktop, File and Print Server Environments; Specialized Database Application Environment via Citrix

    Student Financial Services: Desktop, Windows File and Print Server Environments; Financial Aid Database Server with IPSec

  • Architecture: Active Directory

    Cross-Realm Trust: Trust of the MIT Kerberos Realm by WIN.MIT.EDU allows single sign-on to multiple resources.

    Delegated User Management: Users keep their MIT Kerberos accounts; departments control resources by managing group membership and ACLs.

    Single Domain/Forest Model: Model in use by large schools, corporations and ISPs.

    Delegation of Containers (OUs), "Islands of Control": Departmental container administrators have many tools to build their workstation and server environments. Each department builds and customizes its own environment. Container administrators control machines and access to their resources instead of the users directly.

    Group policy: Software distribution, Security, Registry, and other feature settings can be assigned on a container basis. ACLs via Moira groups. Custom group policy settings written by IS&T.

    Standard MIT DNS Services: win.mit.edu uses MIT's UNIX-based DNS services instead of Microsoft's.

    LDAP Directory populated by data from:

    Moira: User, Group, and Container data

    Populator: Moira host-to-container mapping, Data Warehouse, spn

  • WIN.MIT.EDU Architecture

    [Diagram] Components: MIT Kerberos KDCs, WIN.MIT.EDU DCs, Data Warehouse, Moira, Populator, MITnet DNS, DFS Storage. Flows shown: Query, Data Feed.

  • Architecture: Moira Data Feed Incremental

    The Moira incremental update is used to keep the WIN.MIT.EDU domain synchronized to the Moira database. The Moira incremental will create and maintain the following in Active Directory:

    User accounts (MIT Kerberos ID principals) and profile options

    Account status changes such as activation/deactivation

    Lists and Groups with their memberships

    Container Hierarchy

    The Moira incremental is a UNIX executable image; it resides on the Moira server and runs continuously. This application uses Kerberos V5 authentication to establish an LDAP connection with the Windows domain to perform the updates. It has been completely integrated into Moira operations.

    When relevant changes to users, groups and containers are made in Moira, the incremental is triggered and the change is propagated to Active Directory.

    The Moira incremental distinguishes between lists and groups when propagating them to Active Directory: Lists = Distribution groups; Groups = Security groups.

    Do not write directly to AD to create Domain groups or security descriptors: the data may be overwritten. Make these changes in Moira. Local groups can be managed directly via Windows.
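The following is an added example, not MIT's Moira incremental, that models the reconciliation logic the slide describes: Moira is the source of truth, each Moira list becomes a distribution group and each Moira group a security group, and anything created by hand in AD that disagrees with Moira is corrected on the next pass (which is why the slide warns not to write Domain groups directly). The `groupType` bit values are the real AD ones; the Moira data, group names and the global-scope choice are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Real Active Directory groupType bits. This example assumes global scope for
# every group; the security flag is what separates Moira "groups" from "lists".
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_SECURITY = 0x80000000   # set -> security group, clear -> distribution group


def _to_signed32(v: int) -> int:
    """AD stores groupType as a signed 32-bit integer, so the security flag makes it negative."""
    return v - (1 << 32) if v & 0x80000000 else v


def ad_group_type(kind: str) -> int:
    """Moira 'list' -> distribution group, Moira 'group' -> security group."""
    if kind == "list":
        return GROUP_TYPE_GLOBAL
    if kind == "group":
        return _to_signed32(GROUP_TYPE_GLOBAL | GROUP_TYPE_SECURITY)
    raise ValueError(f"unknown Moira object kind: {kind}")


@dataclass
class AdGroup:
    """Minimal model of a group object as it currently exists in the directory."""
    name: str
    group_type: int
    members: Set[str] = field(default_factory=set)


def reconcile(moira: Dict[str, dict], ad: Dict[str, AdGroup]) -> List[Tuple]:
    """Compute the LDAP-style operations that make `ad` match `moira`.

    moira: name -> {"kind": "list" | "group", "members": set(...)}
    ad:    name -> AdGroup (current directory state)
    Moira wins every conflict: a hand-edited groupType or a member added
    directly in AD is reverted, which is exactly the overwrite the slide warns about.
    """
    ops: List[Tuple] = []
    for name, spec in moira.items():
        want_type = ad_group_type(spec["kind"])
        if name not in ad:
            ops.append(("add", name, {"groupType": want_type, "member": set(spec["members"])}))
            continue
        cur = ad[name]
        if cur.group_type != want_type:
            ops.append(("modify", name, {"groupType": want_type}))
        for m in sorted(spec["members"] - cur.members):
            ops.append(("add_member", name, m))
        for m in sorted(cur.members - spec["members"]):
            ops.append(("remove_member", name, m))
    return ops


def apply_ops(ad: Dict[str, AdGroup], ops: List[Tuple]) -> Dict[str, AdGroup]:
    """Apply reconcile() output to the in-memory directory model (stands in for LDAP writes)."""
    for op, name, detail in ops:
        if op == "add":
            ad[name] = AdGroup(name, detail["groupType"], set(detail["member"]))
        elif op == "modify":
            ad[name].group_type = detail["groupType"]
        elif op == "add_member":
            ad[name].members.add(detail)
        elif op == "remove_member":
            ad[name].members.discard(detail)
    return ad


def demo() -> List[Tuple]:
    """Constructed scenario: 'chem-admins' was created by hand in AD as a
    distribution group with an extra member; Moira says it is a security group."""
    moira = {
        "chem-admins": {"kind": "group", "members": {"alice", "bob"}},
        "chem-announce": {"kind": "list", "members": {"alice", "carol"}},
    }
    ad = {"chem-admins": AdGroup("chem-admins", GROUP_TYPE_GLOBAL, {"alice", "mallory"})}
    return reconcile(moira, ad)


if __name__ == "__main__":
    for op in demo():
        print(op)
```

Running `demo()` yields a `modify` that flips `chem-admins` back to a security group, an `add_member` for bob, a `remove_member` for mallory, and an `add` that creates `chem-announce` as a distribution group; the hand-made changes in AD do not survive.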

  • Architecture: User Experience

    Single Sign-on: User Accounts via the Moira incremental

    A corresponding user is created in Active Directory and automatically mapped to the MIT Kerberos principal.

    Profile and Home directory options are written to the user's account data along with Office location, phone and email.

    A random 127-character password is generated and stored in the user properties in Active Directory, so the real password does not need to be propagated. Cross-Realm authentication verifies the user's password directly against the MIT Kerberos KDCs.

    A Windows Service exists to refresh the random passwords every 30 days.

    A web form can set the user's Windows password to a known value for use with special applications where required.
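As an added illustration of the placeholder-password scheme on this slide (not MIT's service), the block below generates a 127-character random AD password and implements the 30-day refresh check. The alphabet, the account record layout and the `rotate_if_due` helper are assumptions for the example; the real service's choices are not on the page.

```python
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

PASSWORD_LENGTH = 127                      # length stated on the slide
REFRESH_INTERVAL = timedelta(days=30)      # refresh period stated on the slide
# Assumed alphabet: printable ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def new_placeholder_password(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Cryptographically random password; nobody ever needs to know it, because
    cross-realm Kerberos authenticates the user against the MIT KDCs instead."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def refresh_due(pwd_last_set: datetime, now: datetime,
                interval: timedelta = REFRESH_INTERVAL) -> bool:
    """True once the placeholder has been in place for the full interval."""
    return now - pwd_last_set >= interval


def rotate_if_due(account: dict, now: datetime) -> bool:
    """Model of one pass of the refresh service over a single account record.

    account is a constructed dict: {"sAMAccountName", "pwdLastSet", "password"}.
    Returns True when a new placeholder was written.
    """
    if not refresh_due(account["pwdLastSet"], now):
        return False
    account["password"] = new_placeholder_password()
    account["pwdLastSet"] = now
    return True


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    acct = {"sAMAccountName": "jdoe", "pwdLastSet": now - timedelta(days=31),
            "password": new_placeholder_password()}
    print(f"entropy: {entropy_bits():.0f} bits")
    print("rotated:", rotate_if_due(acct, now))
```

The point of the entropy figure is that a 127-character placeholder is not something an attacker recovers by guessing; the domain password is effectively a random token that only the refresh service ever touches, and the 30-day rotation bounds the lifetime of any copy that leaks.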

  • DFS: User Profiles/Home directory

    Default is a roaming profile in DFS, configurable via web form. winprofile is created in the user's DFS homedir and copied to the local drive at logon. NTFS user quotas.

    H: is mapped to the user's DFS home directory. 2 GB user quota by default. Previous Versions support. Accessed over the network as needed. Used for folder redirection of the Windows homedir. A WinData directory is created in DFS for user data: My Documents, Application Data, Favorites.

    Quickstation utility for public machines

  • DFS: Previous Versions

    Uses VSS (Windows Server 2003 Shadow Copy services) for user Home directories. Point-in-time copies of files. View, Copy or Restore files and folders as they existed at points of time in the past. Recover files that were accidentally deleted or overwritten. Compare versions of a file while working. Self-service file restore capability for the end user.

    Snapshots are made every day at 4 AM. Versions of up to 64 days are available. Shadow copies are read-only: you cannot edit the contents of a shadow copy.

  • Sub-services

    Citrix

    Hosted Business applications: http://citrix.mit.edu/citrix/about.html

    Citrix Staging

    MIT WAUS:

    MIT Windows Automatic Update Services: site for MIT-approved Windows Updates, load balanced via Big IP. http://web.mit.edu/ist/topics/windows/updates/

    Contract Administrative Services via IS&T's DITR Team: WIN.MIT.EDU Group Policy and Container Management; Desktop Management and Support; Server Management and Support; Server Collocation Services in W91

  • Features/Benefits: Container Management; Delegation of Account Management; Container Wide Job Scheduling; Web forms; Group Policy; Storage; Printing; Laptops; Network Boot Installation Services

  • Container Management: Containers (OUs) as Islands of Control

    Departments can administer their workstations and servers independently, almost as if they were running a separate domain, with the seamless ability to share resources with other departments.

    Departments control machines and access to their resources instead of the users directly.

    Domain Administrators can be removed from the Administrators group on all workstations and servers.

    Container Administrators have the ability to override default domain group policy settings.

    Containers have ACLs in Moira defining who may administer them, and groups are auto-created to set ACLs on machine accounts within their containers.

  • Delegation of Account Management benefits

    Users keep their MIT Kerberos accounts; departments control resources by managing group membership and ACLs. All students and staff have Kerberos IDs.

    Delegation of password management: saves time and money.

    Web forms for some user tasks: easy to use, self service.

    Departments only need to manage their groups: saves time and money.

    Seamless ability to share resources with other departments

  • Container Wide Job Scheduling - SelfMaint

    A container-based scheduling service called SelfMaint is provided in addition to the Windows Task Scheduler service. It runs under the SYSTEM account and can reboot, defrag disks or run custom scripts. Scripts reside on the network and will continue to run if the OS is reinstalled or a new computer is added to the container.

    A script can either wait until no user is logged in to run, or run unconditionally. Requests are submitted through a web form.

    Microsoft Hotfixes not supported by WSUS can be installed.

    Certain scripts run domain wide

  • Web forms for Users: https://wince.mit.edu (uses MIT Certificates)

    User and Container Administrator tasks. User Web forms:

    Change Your Active Directory Password: https://wince.mit.edu/changepasswd/index.jsp. For users: under certain circumstances it might be necessary to set your native WIN domain password.

    Change Profile and Home directory options: https://wince.mit.edu/changeprofile/index.jsp. A user can change their default DFS roaming profile and home directory locations to a local profile and home directory, or to a path on a departmental server.

  • Web Forms - Container Administrator Forms

    Opt into/out of various domain-wide deployments: https://wince.mit.edu/optoutrollout/index.jsp. A container administrator can opt out of certain deployments until ready, or opt into test deployments early before they are released domain-wide. Containers and/or individual machines can opt in or opt out.

    Submit a Container Maintenance Job: https://wince.mit.edu/containermaint/index.jsp. Schedule a container reboot, defrag, or custom script. SelfMaint scripts can wait until the user is logged out so as not to disturb normal machine use.

    Delete a Machine from Active Directory: https://wince.mit.edu/deletemachine/index.jsp. A convenient tool if other tools are not available. To reinstall a computer, its machine account must first be deleted from Active Directory, but NOT from Moira.

    RIS or Join Computer Page: https://wince.mit.edu/getrisaccount/index.jsp. As a container administrator or a container membership administrator, you may use this service to obtain a short-term account and password to be used while adding machines to WIN.MIT.EDU (the Moira host information should already exist).

  • Group Policy

    Container ACL admins control group policy. Container admins only use computer settings: Software deployment (MSI); Assign startup/shutdown scripts; Assign security settings; Customizable Auditing; Configure registry-based software settings.

  • StorageDecentralized Storage Model

    NTFS: Departments are encouraged to use local departmental servers for their shared data storage needs

    DFS Home directory: Holds user profiles and home directory data by default, can be changed to be local via a web form

    DFS common space: generally used for data used domain wide, such as scripts and software packages. Supports multiple writable replicas. Supports virtual links to departmental file servers. Writable replicas are not recommended for highly volatile data.

  • PrintingFlexible Printing Model

    Windows Server Print queue

    Direct printing TCP/IP or DLC

    Queue Published in Active Directory

    KLPR (configured as local machine ports)

    Samba

    WIN.MIT.EDU group policy extensions: "Install these Network Printers", "Install these KLPR Printers"

    Microsoft Server 2003 R2 Print Extensions

  • Laptops: supported in a number of scenarios

    Directly connected to MITnet: normal operation

    Wireless on MITnet: normal operation

    Remote Broadband: VPN / Enhanced settings; laptop with additional opt-in settings

    Remote Dialup: similar to Remote Broadband

    Disconnected: cached logon; will prompt the user for the Kerberos password if later connected

    Workgroup (non-Domain machine): users can map to domain file servers using the native Windows password set via the web form

  • Network Boot Installation Services

    PXE included in most new hardware

    MITnet DHCP will route PXE requests to WIN.MIT.EDU RIS

    For more information see http://web.mit.edu/ist/topics/windows/server/winmitedu/RIS.html

  • Security: Defense in Depth Measures

    Layered approach to system security: IPSec and Windows Firewall

    Domain: Kerberos V5 Authentication; no anonymous enumeration of Active Directory, including via LDAP

    User: password resides on the Kerberos KDC while a 127-character random password is written to Active Directory; a service refreshes the random passwords every 30 days

    Client Machine: patch management via WSUS; no anonymous access to the local SAM by default; local administrator denied access over the network by default; logons audited by the client system and the domain controller; central syslog server

  • IPSec: Selectively Block IP traffic

    Native to Windows 2000 and later operating systems. Block all incoming and outgoing traffic except allowed subnets or ports. Block all incoming and/or outgoing traffic except allowed ports (all IPs). Allow a port outgoing only or incoming only. Can effectively firewall particular servers or applications. Conforms to RFC standards, not proprietary. Already in use in WIN.MIT.EDU by a few departments. Configurable locally or via group policy. Configurable per network interface.

    Encrypt Data Communication between Servers and Workstations: to protect sensitive data and resources. Supports Kerberos V5 Authentication. 3DES by default, with configurable key regeneration intervals.

  • Windows Firewall

    Available on Windows XP SP2 and Server 2003 SP1. Exceptions are configured on a per-port basis; only IPSec can manage all traffic on a per-subnet basis. Blocks incoming traffic only; outgoing traffic blocking is available in Windows Vista. Supports IP ACLs for individual ports or executables. Configurable locally or via group policy. Configurable per network interface.
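To make the contrast between the two preceding slides concrete, here is an added example (not MIT's configuration) that evaluates the same constructed connections against an IPSec filter list and against a Windows XP SP2 / Server 2003 SP1 firewall exception list. The IPSec model permits traffic that matches no filter and lets the most specific matching filter decide, as the Windows policy engine does; the firewall model permits all outbound traffic and admits inbound traffic only through a per-port exception with an optional scope. The policy contents, the `18.0.0.0/8` "campus" subnet and the example addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    direction: str       # "in" or "out", from the host's point of view
    remote_ip: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class IpsecFilter:
    """One IPSec filter/action pair: direction, remote subnet, port (None = any), action."""
    direction: str       # "in", "out" or "any"
    subnet: str          # CIDR; "0.0.0.0/0" for any address
    port: Optional[int]
    action: str          # "permit" or "block"


@dataclass(frozen=True)
class FirewallException:
    """Windows Firewall opens one port, optionally restricted to a scope (subnet)."""
    port: int
    proto: str = "tcp"
    scope: str = "0.0.0.0/0"


def ipsec_decision(filters: List[IpsecFilter], conn: Conn) -> str:
    """Most specific matching filter wins; traffic matching no filter is left alone."""
    best: Optional[Tuple[Tuple[int, bool], str]] = None
    addr = ipaddress.ip_address(conn.remote_ip)
    for f in filters:
        if f.direction not in ("any", conn.direction):
            continue
        net = ipaddress.ip_network(f.subnet)
        if addr not in net:
            continue
        if f.port is not None and f.port != conn.port:
            continue
        specificity = (net.prefixlen, f.port is not None)
        if best is None or specificity > best[0]:
            best = (specificity, f.action)
    return best[1] if best else "permit"


def firewall_decision(exceptions: List[FirewallException], conn: Conn) -> str:
    """XP SP2 / 2003 SP1 firewall: inbound only, admitted by per-port exception."""
    if conn.direction == "out":
        return "permit"          # outbound filtering is not available on these versions
    addr = ipaddress.ip_address(conn.remote_ip)
    for e in exceptions:
        if e.port == conn.port and e.proto == conn.proto and addr in ipaddress.ip_network(e.scope):
            return "permit"
    return "block"


# Constructed policy: block everything, then allow SMB inbound from campus only and
# all outbound traffic to campus only. The firewall can express the inbound half,
# but has no way to say "no outbound traffic except to this subnet".
IPSEC_POLICY = [
    IpsecFilter("any", "0.0.0.0/0", None, "block"),
    IpsecFilter("in", "18.0.0.0/8", 445, "permit"),
    IpsecFilter("out", "18.0.0.0/8", None, "permit"),
]
FIREWALL_EXCEPTIONS = [FirewallException(445, "tcp", "18.0.0.0/8")]

SAMPLE_CONNS = [
    Conn("in", "18.1.2.3", 445),        # SMB from campus
    Conn("in", "203.0.113.5", 445),     # SMB from off campus
    Conn("in", "18.1.2.3", 3389),       # RDP from campus, not allowed by either policy
    Conn("out", "203.0.113.5", 80),     # web traffic leaving campus
    Conn("out", "18.1.2.3", 80),        # web traffic staying on campus
]


def compare(conns: List[Conn]) -> List[Tuple[Conn, str, str]]:
    """Side-by-side verdicts: (connection, IPSec decision, Windows Firewall decision)."""
    return [(c, ipsec_decision(IPSEC_POLICY, c), firewall_decision(FIREWALL_EXCEPTIONS, c))
            for c in conns]


if __name__ == "__main__":
    for c, ip_sec, fw in compare(SAMPLE_CONNS):
        print(f"{c.direction:3} {c.remote_ip:>12}:{c.port:<5} ipsec={ip_sec:6} firewall={fw}")
```

The fourth connection is the one that matters for the slide's point: IPSec blocks outbound HTTP to an off-campus address because only campus is permitted, while the firewall passes it because it has no outbound rules at all. Add a blank block-all filter by mistake, though, and IPSec will drop the Kerberos and LDAP traffic the domain needs; test such policies on a single container before assigning them by group policy.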

  • Layered Security Overview

    Layers, from the network inward: SMB ports blocked by MIT Border Routers; IPSec; Windows Firewall; Blocking of Anonymous NetBIOS queries; Local administrator denied access over the network; Kerberos V5 Authentication; Authentication Service; Domain account with 127-character random password; Network Based Application Security; Patching of System Services
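The security slides say logons are audited on both the client and the domain controller and shipped to a central syslog server, and that the local administrator is denied network access by default. The following added example (not MIT's tooling) shows what a defender can do with that feed: it parses a constructed batch of relayed Windows security events and raises an alert when a local Administrator account nevertheless logs on over the network (a sign the policy is not applied on that host) and when one source produces a burst of failed logons. The line layout is an assumption for this example; event IDs 528/540 (successful logon), 529 (bad username or password) and logon type 3 (network) are the real Windows 2000/2003 values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of Windows security events relayed to a central syslog
# server. The field layout (user=, domain=, logon_type=, src=) is assumed for
# this example and is not MIT's real format.
SAMPLE_SYSLOG = """\
Mar  3 08:01:12 ws-1234 Security: 540 Success Audit user=jdoe domain=WIN logon_type=3 src=18.1.2.3
Mar  3 08:01:15 ws-1234 Security: 540 Success Audit user=Administrator domain=WS-1234 logon_type=3 src=18.1.2.9
Mar  3 08:02:01 dc-01 Security: 529 Failure Audit user=asmith domain=WIN logon_type=3 src=203.0.113.7
Mar  3 08:02:05 dc-01 Security: 529 Failure Audit user=asmith domain=WIN logon_type=3 src=203.0.113.7
Mar  3 08:02:09 dc-01 Security: 529 Failure Audit user=bjones domain=WIN logon_type=3 src=203.0.113.7
Mar  3 08:02:13 dc-01 Security: 529 Failure Audit user=bjones domain=WIN logon_type=3 src=203.0.113.7
Mar  3 08:02:17 dc-01 Security: 529 Failure Audit user=clee domain=WIN logon_type=3 src=203.0.113.7
Mar  3 08:05:00 ws-1234 Security: 528 Success Audit user=Administrator domain=WS-1234 logon_type=2 src=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Security: "
    r"(?P<eid>\d+) (?P<result>Success|Failure) Audit user=(?P<user>\S+) "
    r"domain=(?P<domain>\S+) logon_type=(?P<ltype>\d+) src=(?P<src>\S+)$"
)


def parse_lines(text: str) -> List[Dict]:
    """Turn relayed syslog lines into event dicts; lines that are not logon audits are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")   # syslog has no year
        e["eid"] = int(e["eid"])
        e["ltype"] = int(e["ltype"])
        events.append(e)
    return events


def detect(events: List[Dict], burst_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Two detections over the audit stream, in event order."""
    alerts: List[Dict] = []
    recent_failures = defaultdict(deque)   # src -> timestamps of recent 529s
    burst_reported = set()
    for e in events:
        # Rule 1: a *local* Administrator (account domain == host name) logging
        # on over the network. Domain policy denies this, so a success means
        # the policy is not in force on that machine and is worth a look.
        if (e["eid"] in (528, 540) and e["ltype"] == 3
                and e["domain"].upper() == e["host"].upper()
                and e["user"].lower() == "administrator"):
            alerts.append({"kind": "local_admin_network_logon", "host": e["host"],
                           "src": e["src"], "ts": e["ts"]})
        # Rule 2: burst of failed logons from one source inside the window
        # (password guessing, or a misconfigured service retrying).
        if e["eid"] == 529:
            q = recent_failures[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold and e["src"] not in burst_reported:
                burst_reported.add(e["src"])
                alerts.append({"kind": "failed_logon_burst", "src": e["src"],
                               "count": len(q), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_lines(SAMPLE_SYSLOG)):
        print(a)
```

On the sample feed the interactive console logon by the local Administrator (type 2) is deliberately not alerted; only the network logon on `ws-1234` and the five failures from `203.0.113.7` within sixteen seconds are reported. Because the client and the domain controller both audit, the same network logon normally appears twice in the central log, so a production rule should de-duplicate on (timestamp, user, src) before counting.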

  • Support

    Departmental Admin: escalation from Users. The Container Administrator is responsible for their users and computers, but can draw on NIST resources for technical advice if the issue is domain based; peer support is also encouraged.

    DITR: SLA-based escalation from Dept Admins and Users. Some departments may contract DITR to assist, or even take the place of, container administrators depending on the department's needs.

    ACIS: not SLA based, but some support for Admins. Usually highly involved in Academic cluster, lab and group implementations, with emphasis on application deployment in the Academic space. Training of local administrators, but no official ongoing support contract.

    NIST: escalations from DITR, Container Admins, ACIS. Supports the domain infrastructure, container administrators, DITR, ACS

    TPSS: Microsoft Support at the discretion of NIST