Managing and Securing Desktops: Attempting to put the Genie back in the bottle
Central I.T. Support at Virginia Tech • Central I.T. under CIO (VP for IT) • Approx. number of employees: 400 (about 4% of entire university employment) • 3 Divisions (Assoc Vice Presidential areas) • Responsible for application and systems administration and support of mission critical apps including E.R.P. (Banner), e-mail, Network (including telephony), courseware (BlackBoard & Sakai), Research, Web Hosting
Distributed I.T. Support at VT • Colleges, some departments, and certain administrative units provide local support to faculty, staff, and students • College of Engineering most pervasive; even has SWAT Team for students’ first few weeks of classes • The College of Agriculture, Human & Natural Resources provides hardware and software troubleshooting and support for users at Virginia Tech and across the state (Extension) • College of Liberal Arts & Human Sciences offers “House Calls” for faculty, staff, and GTAs • Some departments depend completely on Central I.T.
CIT offers guidance and free equipment • Academic Computing Client (ACC) Initiative: 2005-2006 • Total machines distributed: 225 • Shipped to Departmental Support Tech: 212 • Shipped direct to end-user: 13 • Total Macs shipped: 12 • All Dell desktops preloaded at factory with Dell image • Documentation letter sent out before machines arrive
We also provide software and configurations • “VTNet CD” offers access to a variety of applications including anti-virus, e-mail client, SpyBot, firewalls, and Browsers. • Ensures firewall and Windows automatic update are enabled • Provides software for Windows based and Mac OS X based devices • For faculty, staff, students, and retirees • In its 10th year on CD; prior to that, similar offerings were made via diskettes
We also provide software and training • IT Acquisitions leverages volume purchases to provide best cost for variety of packages to VT affiliates; from Microsoft to MatLab • These purchases influence what is used and becomes prevalent throughout university • Faculty Development Institute (FDI): Faculty receive personal workstation, software, and training • Graduate Education Development Institute (GEDI): Similar program for grad students; actually part of the curriculum (See www.gedi.vt.edu)
We also provide services • Backup services: through TSM and Legato • Total of 563 desktop users • Storage Services: Network Appliance NAS • Total of 1,007 individual users/ 860GB • Also have 3.5TB in use by 27 departments for file shares • Security Office audits • Desktops as well as servers • 24/7 Call-in support (Web form also available) • “Hokies” Self Service • “SafetyNet”
Support Options • 24/7 call-in support through VT Operations Center; Remedy problem ticket created, passed to 2nd level • Beginning of Semester Get Connected: on-site assistance first 3 1/2 days of check-in period in each dorm for students • Executive Support Services (ESS): on-site desktop support (including after-hours and at home) for desktop, laptop, handheld devices for about 60 individuals (BoV members)
“Hokies” Self Service • Allows users to change Active Directory passwords • Allows users to create their own Microsoft Exchange accounts • Two levels: full account or “calendar only” • Allows users to obtain NAS storage space for personal use (2.5GB) including roaming profiles • Approx. 24,000 unique logins since FY2003
“VT SafetyNet” • Developed by the VT Microsoft Implementation Group (or MIG) • “A centralized web application for VT computer users to proactively and remotely scan their systems.” • Currently for Faculty/Staff only • Is “OpenSource” and available • See http://vtmig.w2k.vt.edu site for overview of project, screenshots, etc. • See http://opensource.w2k.vt.edu for access to code (564 downloads to date)
First Priority: Security • Passwords • Poor choices (easily cracked) • Password sharing • Maintaining (Does anyone “expire” passwords?) • “Malware” • Through browsers, e-mail, IM, P2P, removable media (Does anyone have a policy against use of “removable media” on institution owned machines?)
First Priority: Security (continued) • Anti-virus maintenance • On local host or centrally installed, or both (Does anyone use a centrally managed A/V service or device to screen incoming e-mail messages? What about a network level screening device?) • Patch Maintenance • Automatic Updates are fine, but… (Has anyone deployed a local WSUS server?) What about non-OS updates and Macs?
First Priority: Security (continued) • Users • “Weakest Link” • They will do something they will regret. (Does anyone have a mandatory security requirement?) • Physical (Are all machines inaccessible when staff are not in attendance?) • Backup and Recovery (Does anyone offer centrally hosted domain services?)
Next Steps: Walk-in Service • As more devices become portable, i.e., laptops, tablets, Treos, PDAs, etc., these can be brought to support staff for review • Will replace Resident Computer Consultants (RCC) program where students in dorms were paid to be available for questions • Will also accommodate faculty and staff • Pilot/Cost analysis is underway
Experimentation with “Thin Client” workstations @ VT • Sun Ray model 170s from Sun Microsystems • Utilizing Sun’s “Secure Global Desktop” software (formerly known as “Tarantella”) • Recognized vulnerability in personal workstations that perform information retrieval and update • Application can be “published” for use; security and access controls can be layered • If promoted widely, users could access sessions from any workstation properly configured (either through a Browser or Thin client device)
Benefits/Drawbacks • Benefits: Centralized Application Support; Code can run “natively” on disparate systems • Drawbacks: Browser still required; Possible exploit point (especially if it’s IE); More servers • Questions remain about “specialty apps”
Benefits/Drawbacks • Benefits: Centralized Application Support; No “client side” vulnerabilities; Better access/security controls; “Steady State” for mobile users • Drawbacks: Even more servers; Possible user backlash
Thanks for your attention! • William Dougherty • Network Infrastructure & Services • Assistant Director for Systems Support • 1700 Pratt Drive • Blacksburg, VA 24060 • (540) 231-9239 • william@vt.edu