York Secure Scan vs Microsoft Windows Our story and how we dealt with it

York Secure Scan vs Microsoft Windows

Our story and how we dealt with it

2

Introduction

Presenter:

Leonard Chow

Supervisor / Technical Analyst, Client Services

Computing and Network Services

York University

Toronto ON Canada

[email protected]

http://www.yorku.ca

3

This Presentation…

Tuesday, June 24 2008Presentation 5A: 9:00 - 10:00 AM – Singer Bldg Rm 151

York Secure Scan vs Microsoft Windows - our story and how we dealt with it

Clients want to get ResNet Internet service - ResNet Network Administrators want a secure and safe network - and our ResNet Support Team is right in the middle of it!

This is the story of how we dealt with York Secure Scan, the application on the York University ResNet network that grants permission to registration for Microsoft Windows workstations.

First, a brief introduction to the history of the York University ResNet service will be done outlining the important role our York Secure Scan application takes to only allow clean secured workstations onto the our ResNet service. Next, there will be some discussion into the problems that were reported by clients (missing MS OS patches, problems loading MS OS patches, etc). Lastly, some solutions to the problems that we faced will be presented (how to get patches loaded) and our procedures for dealing with some of our more problematic clients/students.

This is not a presentation about how to build and implement an application such as York Secure Scan, this is only the Client Services perspective of how we did our jobs.

This MS Powerpoint presentation is currently available at http://www.yorku.ca/lchow/

4

York UniversityComputing Support

-Specific Faculties - Technical Support

-Specific Admin./Bus. Dept. - Technical Support

-Central Computing Services -Infrastructure-Network-Server Administration-Information Security-etc. -Client Services

-Residence Support (ResNet Support / In-Residence Support)

5

York University ResNet Service...

-DHCP - assigned IP and DNS information-MAC authentication-Registration through browser and student authentication-Registration/authentication VLAN vs actual Internet service VLAN

-9 York undergrad/dorm residence buildings or areas-14 York apartment/suite residence buildings or 3 areas

-Approx. 50,000 students attend York University over 2 campuses (main campus and Glendon campus)-Approx. 6000 ResNet jacks/beds in all the buildings-Approx. 5000 ResNet clients/users registered and they have their “own” computers running MS Windows, Mac OS, and Linux typically

6

Back then, in a perfect world...

To get ResNet Internet Service

1. Clients/students comes with their laptop/computer and plugs into the ResNet service jack with their network cable; the computer will get an IP/DNS via DHCP for 'registration/authentication VLAN'

2. The client/student authenticates themselves and registers onto the ResNet service via browser

3. After registration finishes, then there's Internet service (IP/DNS via DHCP)

7

ResNet before being registered…

8

Back then, it wasn't a perfect world...

-There were many improvements that need to be made

-Not sure what the problem was

-Network device (Cisco Switch) problems

-Rogue problems

-Virus problems

-Client/end-user problems (OS problems?)

-WHY WOULDN'T THINGS JUST WORK!

9

In came Information Security...

-York Secure Scan (yss.exe) was introduced into the process

So in the new world...

To get ResNet Internet Service1. Clients/students comes with their laptop/computer and plugs into

the ResNet service jack with their network cable; the computer will get an IP/DNS via DHCP for 'registration/authentication VLAN'

2. If the computer is a MS Windows computer, then it will be forced to go through the York Secure Scan

3. In order to pass York Secure Scan and continue onto client/student authentication for ResNet Registration, the MS Windows computer must have all Critical Updates/Patches and must have Symantec Antivirus with up to date virus definitions

4. The client/student authenticates themselves and registers onto the ResNet service

5. After registration finishes, then there's Internet service (IP/DNS via DHCP)

10

The new features...

-Secured 'registration/authentication VLAN'

-Proxy to allow clients to get MS Windows Critical Updates/Patches

-Proxy to allow clients to get Symantec Antivirus virus definition updates

-Things improved drastically!

-Cut down on client-end OS related problems

11

York Secure Scan

http://resnet.yorku.ca/secure_scan.html

12

The new problems...

-Illegal/cracked copies of MS Windows OS

-Critical Updates/Patches that aren't really loaded

-Language Versions of MS Windows OS that aren't supported by YSS

-3rd party firewalls and security suite programs

-Corrupted MS Windows OS

-They don't like our Symantec Antivirus

13

For Illegal/cracked copies of MS Windows OS clients...

-Get a legal valid copy/service key of the MS Windows OS

-Student discount on-campus, but it's still a lot of pain for the client

Warn them...

-Backup data (personal pictures, music, documents, homework, etc.)

-Format/reload very often means everything will be deleted

-This is between the client and the computer store/vendor

14

For clients where there are critical updates/patches issues...

-Go and download the missing patch from Microsoft

-Load the same update/patch again

-Uninstall the specific update/patch and load it again

-Go and download the York Antivirus CD (which has MS patches on it)

Warn them...



15

For clients with Non-English Language Versions of MS Windows OS that are not supported by YSS

-Escalate it to Information Security so that they're aware

-There's a workaround version of York Secure Scan

16

For clients running 3rd party Firewalls and security suite programs...

-Shut the 3rd party software off

-Advise client to uninstall the security suite program that's expired

Warn them...



17

For clients who don't like our Symantec Antivirus program...

-They MUST use our version of Symantec Antivirus if they're running MS Windows OS if they're going to pass York Secure Scan

Warn them...

-Uninstall the existing antivirus software fully, and restart the computer, before installing a new antivirus software



18

After 2 years, York Secure Scan ver. 2 came out...

-Now runs new MBSA engine

-Now accepts other popular antivirus software e.g. Norton, McAfee, etc.

19

The new York Secure Scan ver. 2, new issues...

-MBSA errors

-Languages Versions of MS Windows OS that aren't supported by YSS

-3rd party firewalls and security suite programs (LiveOne Care)

Same old problems...

-Can't load a patch

-Patch is not there, but it says that it's loaded

-Corrupted MS Windows OS

-The antivirus software is not recognized

20

For clients who get an MBSA errors...

-Escalate it to Information Security if necessary

-Download MBSA standalone from Microsoft and if it doesn’t pass this test, then the system is corruptedhttp://technet.microsoft.com/en-us/security/cc184924.aspx

-Rebuild/reload the system

Warn them...



21

For clients who get end up with no IP/DNS with LiveOne Care

-Trial versions of LiveOne Care gave this problem; advise the client to uninstall this software or get the full version

-Full licensed versions of LiveOne Care were less troublesome

-Use a SOHO router

Warn them...



22

Our other rarely advised solutions?

-Use a SOHO router (~$50) and find a non-MS Windows OS computer to register

-Use a Linux live CD (e.g. Knoppix, Ubuntu)

-There are other Internet services available on campus

23

End of presentation

Questions?

Thanks for coming to this presentation.

Documents

York Secure Scan vs Microsoft Windows Our story and how we dealt with it