OUHSC Information Security UpdateOUHSC Information Security Update

IT, Information Security Services

Randy Moore

Mike Waller

Nathan Gibson

Greg Bostic

IT, Information Security Services

Randy Moore

Mike Waller

Nathan Gibson

Greg Bostic

Security Project Update (the three Ps)Security Project Update (the three Ps)

• Policy baseline completed– See http://it.ouhsc.edu/policies/

• Perimeter firewall management project complete– All externally accessible servers registered in db– Firewall rules updated with db– Servers scanned and vulnerabilities mitigated– https://www.ouhsc.edu/acl/admin23/allacl.cfm

• Private IPs for hosts on new network

• Policy baseline completed– See http://it.ouhsc.edu/policies/

• Perimeter firewall management project complete– All externally accessible servers registered in db– Firewall rules updated with db– Servers scanned and vulnerabilities mitigated– https://www.ouhsc.edu/acl/admin23/allacl.cfm

• Private IPs for hosts on new network

Security Personnel UpdateSecurity Personnel Update

• Kenneth Reed: moved to Engineering• Nathan Gibson: moving on risk assessments• Mike Waller is moving on to Charlotte• Greg Bostic is moving into security

• Kenneth Reed: moved to Engineering• Nathan Gibson: moving on risk assessments• Mike Waller is moving on to Charlotte• Greg Bostic is moving into security

New ProjectsNew Projects

• Payment Card Industry Data Security Standard• Risk Assessments• Security policy implementation• Active Directory Baseline Security Configuration

• Payment Card Industry Data Security Standard• Risk Assessments• Security policy implementation• Active Directory Baseline Security Configuration

OUHSC Group Policy ObjectsOUHSC Group Policy Objects

PurposePurpose

• Compliance• Security• Ease administrative overhead• High level Polices Only• Tier 1s can still apply organizational preferred

settings• User “buy-in”

• Compliance• Security• Ease administrative overhead• High level Polices Only• Tier 1s can still apply organizational preferred

settings• User “buy-in”

Time LineTime Line

• 4 Week Implementation Life Cycle– Week 1: IT will create and test the AD GP settings.– Week 2-4: Tier 1s will apply and test each GP to their

respective AD Organizational Unit (OU) and present feedback to IT. For settings that present a change for their end-users Tier 1’s should communicate those changes in advance to their user community. IT will assist in developing appropriate communications.

– Week 5: IT will evaluate any feedback given and make necessary modification before applying the settings at the campus wide level.

• 4 Week Implementation Life Cycle– Week 1: IT will create and test the AD GP settings.– Week 2-4: Tier 1s will apply and test each GP to their

respective AD Organizational Unit (OU) and present feedback to IT. For settings that present a change for their end-users Tier 1’s should communicate those changes in advance to their user community. IT will assist in developing appropriate communications.

– Week 5: IT will evaluate any feedback given and make necessary modification before applying the settings at the campus wide level.

Time Line(cont)Time Line(cont)

• 20 Settings– Will be separate into 4 separate groups containing at most 3

sets of related settings to limit impact.

Example:

• 20 Settings– Will be separate into 4 separate groups containing at most 3

sets of related settings to limit impact.

Example:

Time Line (cont)Time Line (cont)

Group 1:Setting 1: - – Network access: Allow anonymous SID/Name translation – Disabled– Network access: Do not allow anonymous enumeration of SAM

accounts – Enabled– Network access: Do not allow anonymous enumeration of SAM

accounts and shares –Enabled– Network access: Let Everyone permissions apply to anonymous users – Disabled

Setting 2 : – Add workstations to domain (Added Groups: OUHSC\Domain Admins, OUHSC\Computer-

Account-Creators)

Setting 3:– Turn on the auto-complete feature for user names and passwords on forms – DISABLED

Group 1:Setting 1: - – Network access: Allow anonymous SID/Name translation – Disabled– Network access: Do not allow anonymous enumeration of SAM

accounts – Enabled– Network access: Do not allow anonymous enumeration of SAM

accounts and shares –Enabled– Network access: Let Everyone permissions apply to anonymous users – Disabled

Setting 2 : – Add workstations to domain (Added Groups: OUHSC\Domain Admins, OUHSC\Computer-

Account-Creators)

Setting 3:– Turn on the auto-complete feature for user names and passwords on forms – DISABLED

IT ResponsibilitiesIT Responsibilities

• Create GPOs and configure settings• Assist Tier 1s in communicating GPO results to users• Receive feedback from Tier 1s and assist in resolving

problems• Apply GPO settings at the Domain level after testing

phase

• Create GPOs and configure settings• Assist Tier 1s in communicating GPO results to users• Receive feedback from Tier 1s and assist in resolving

problems• Apply GPO settings at the Domain level after testing

phase

Tier 1 ResponsibilitiesTier 1 Responsibilities

• Advise Users• Apply GPOs to Active Directory Organization Units• Give feedback to IT-OPS and IT-ISS

• Advise Users• Apply GPOs to Active Directory Organization Units• Give feedback to IT-OPS and IT-ISS

GPO ReviewGPO Review

• Group Policy Objects:1. Allows you to configure baseline settings to ensure all

resources have them same settings

2. Ease the administrative overhead in applying and modifying end user device and servers.

3. “One-Stop-Shop” for demonstrating policy compliance

• Group Policy Objects:1. Allows you to configure baseline settings to ensure all

resources have them same settings

2. Ease the administrative overhead in applying and modifying end user device and servers.

3. “One-Stop-Shop” for demonstrating policy compliance

GPO Review (cont) GPO Review (cont)

• Applying Group Policy Objects1. Use MS built in Group Policy Management Console

(gpmc.msc)1. Start > Run > gpmc.msc

• Applying Group Policy Objects1. Use MS built in Group Policy Management Console

(gpmc.msc)1. Start > Run > gpmc.msc

GPO Review (cont)GPO Review (cont)

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU.

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU.

GPO Review (cont)GPO Review (cont)

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU

3. To apply the GPOs you right click on your OU and choose “Link an existing GPO”

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU

3. To apply the GPOs you right click on your OU and choose “Link an existing GPO”

GPO Review (cont)GPO Review (cont)

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU

3. To apply the GPOs you right click on your OU and choose “Link an existing GPO”

4. All GPOs that are in this project will have a common naming convention

• Applying Group Policy Objects

1. Use MS built in Group Policy Management Console (gpmc.msc)

a. Start > Run > gpmc.msc

2. Apply GPOs to your Workstations OU

3. To apply the GPOs you right click on your OU and choose “Link an existing GPO”

4. All GPOs that are in this project will have a common naming convention

GPO Review (cont)GPO Review (cont)

• Applying Group Policy Objects

4. All GPOs that are in this project will have a common naming convention

5. Choose the GPO you would like to link and repeat the steps 2- 5 for each GPO you would like to apply there

after.

• Applying Group Policy Objects

4. All GPOs that are in this project will have a common naming convention

5. Choose the GPO you would like to link and repeat the steps 2- 5 for each GPO you would like to apply there

after.

House Cleaning HelpHouse Cleaning Help

• Clean up Computers OU• Standardize GPO naming scheme

– HSC-Dept-XXXX– Delete Old GPOs– Combine GPOs If possible– Remove GPOs with settings applies at higher lever

• Clean up Computers OU• Standardize GPO naming scheme

– HSC-Dept-XXXX– Delete Old GPOs– Combine GPOs If possible– Remove GPOs with settings applies at higher lever

House Cleaning Help (cont)House Cleaning Help (cont)

Let’s TalkLet’s Talk

Questions & Concerns

???