UW Windows Infrastructure
Transcript of UW Windows Infrastructure
Brian Arkills: Software Engineer, LDAP geek, AD bum, and Associate Troublemaking Officer
Goal
Goal: To provide a centrally-provisioned Windows account to all of the UW campus
Guiding Principle: The UW Windows Infrastructure is an enabling technology
Core Components
• Active Directory (netid.washington.edu)
  – LDAP directory AND KDC realm
• “Fuzzy Kiwi”, a kiwi client that provisions *all* UW NetIDs with an active Kerberos subscription
• Slurpee, a GDS connector that synchronizes the enterprise group-oriented directory information
• WINS, a NetBIOS name resolution service
Key Features
• AuthN: Windows user accounts with UW NetID password that are automatically provisioned
• AuthZ: Automatically-provisioned institutional groups that can be used for authorization
  – 60K course groups
  – 7 affiliation groups (e.g. student, staff, faculty)
  – ~150 other groups, including C&C org groups
How to Adopt
Get a trust.
Use UWWI users and groups in your ACLs.
Tell users.
See http://www.netid.washington.edu/documentation/howToUse.aspx
Key Limitations
• No delegated user management, i.e.
  – No home directory
  – No profile
  – No Exchange mailbox could be set, etc.
• Course groups are private; memberOf on *all* users is private
• NTLMv2 only for domain trusts; Kerberos & NTLMv2 only for forest trusts
• Account lockouts: 5 bad attempts in 1 minute -> 1 minute lockout
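The lockout policy quoted above is worth modelling before relying on it, because the two numbers interact: the bad-password count only accumulates while attempts fall inside the observation window, and the lockout ends on its own after the duration. The following is an added example, not code from the slides or from UWWI; it uses Active Directory's general semantics (badPwdCount reset once the observation window has elapsed since the last bad attempt, any logon rejected while locked, counter cleared on success) with constructed event streams, so an administrator can see which attempt patterns lock an account and which never do.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values from the slide: 5 bad attempts in 1 minute -> 1 minute lockout.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = 60.0   # seconds
LOCKOUT_DURATION = 60.0     # seconds


@dataclass
class AccountState:
    bad_pwd_count: int = 0
    last_bad: Optional[float] = None      # time of the most recent bad attempt
    locked_until: Optional[float] = None  # None when not locked


class LockoutPolicy:
    """Simplified model of AD lockout behaviour (assumed semantics, not DC code)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 window: float = OBSERVATION_WINDOW,
                 duration: float = LOCKOUT_DURATION) -> None:
        self.threshold, self.window, self.duration = threshold, window, duration
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.get(user)
        return bool(st and st.locked_until is not None and now < st.locked_until)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one logon attempt; returns 'locked', 'success' or 'bad_password'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"            # even a correct password is refused while locked
        if st.locked_until is not None:
            st.locked_until = None     # lockout has expired: clear it and the counter
            st.bad_pwd_count = 0
        if password_ok:
            st.bad_pwd_count = 0       # successful logon resets the bad-password count
            return "success"
        # Observation window: attempts older than the window no longer count.
        if st.last_bad is not None and now - st.last_bad > self.window:
            st.bad_pwd_count = 0
        st.bad_pwd_count += 1
        st.last_bad = now
        if st.bad_pwd_count >= self.threshold:
            st.locked_until = now + self.duration
            return "locked"
        return "bad_password"


def replay(events: List[Tuple[float, str, bool]]) -> List[str]:
    """Run a sequence of (seconds, user, password_correct) events through one policy."""
    policy = LockoutPolicy()
    return [policy.attempt(user, ok, t) for t, user, ok in events]


# Constructed sample streams (not real log data).
BURST = [(0, "alice", False), (2, "alice", False), (4, "alice", False),
         (6, "alice", False), (8, "alice", False),
         (30, "alice", True),    # correct password, but still inside the lockout
         (70, "alice", True)]    # lockout has expired
SPACED = [(t, "bob", False) for t in (0, 70, 140, 210, 280)]  # each > 1 minute apart

if __name__ == "__main__":
    print("burst: ", replay(BURST))
    print("spaced:", replay(SPACED))
```

The burst stream locks on the fifth attempt and rejects the correct password at 30 s, while the spaced stream never locks because every attempt falls outside the previous one's observation window. Replaying real authentication events through the same model is a quick way to tell nuisance lockouts (bursts from one stale cached credential) from sustained guessing.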
Expected Uses (for now)
• Provide Windows service to entire UW audience
  – File service
  – IIS
  – SharePoint
  – Others …
• Interactive login to existing domain workstations
NOTE: Members of the UW community don’t need a computer in a domain that trusts UWWI to access a Windows service that is ACL’d with UWWI principals.
WinAuth Project
• Arose out of C&C desire to move LABS out of the UW Forest. This spawned outcry, a discussion group, and ultimately a C&C initiative to enable Windows-based services.
• “Phase 1” did the authentication and authorization pieces. Deemed doable without additional funding.
• “Delegated OUs” will make UWWI a nice place to live, phase out the UW forest, and provide other core Windows services as deemed necessary. Not currently funded.
Phase 1 Project Details
• Maintaining existing LABS functionality was paramount; EPLT was on the project team to facilitate quick adoption.
  – Maintaining Mac authentication
  – Providing a replacement for “LABS\domain users”, i.e. all users who used to be in LABS.
• Kiwi code needed some enhancements
• Slurpee needed to be written from scratch
Phase 1 Technical Details
• “Fuzzy Kiwi”
  – Core is in C and helper app in C# (.net)
  – Handles account renames now w/o delete (preserving the SID)
  – Populates some person info from EDS/GDS
  – Uses a different delimiter to improve password handling
  – A new subscription maintains a group for EPLT authorization and populates the UA (soon to be C&C) uid onto the uidNumber attribute
• Slurpee
  – VB.net
  – Automatically creates groups and updates them as appropriate (adds and removals) on a daily basis (GDS is only updated 1x daily currently)
  – Gets affiliation information from eduPersonAffiliation attribute on user objects in GDS. Uses this non-group-oriented info to create affiliation groups.
  – Parses group member string, replaces with AD DN of member
  – Handles nested groups
  – Knows how to add objectclasses and attributes as needed
  – Knows how to set AD ACLs
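To make the Slurpee bullets concrete, here is an added example (in Python rather than Slurpee's VB.net, and not the project's code) of the core of such a connector: parsing GDS member strings into AD DNs, flattening nested groups safely, deriving affiliation groups from eduPersonAffiliation, and computing the daily add/remove delta against what AD currently holds. The directory contents are constructed in-memory samples, the `uwnetid:`/`group:` member-string syntax and the OU layout under netid.washington.edu are assumptions, and writing the resulting changes to AD (LDAP binds, objectclasses, ACLs) is left out.

```python
from typing import Dict, List, Optional, Set, Tuple

# Assumed OU layout under the netid.washington.edu domain named on the slides.
AD_USER_BASE = "OU=Users,DC=netid,DC=washington,DC=edu"
AD_GROUP_BASE = "OU=Groups,DC=netid,DC=washington,DC=edu"

# Constructed sample of the group-oriented directory (GDS): group -> member strings.
# The "uwnetid:<name>" / "group:<name>" syntax is an assumption, not GDS's real format.
GDS_GROUPS: Dict[str, List[str]] = {
    "course_cse101": ["uwnetid:alice", "uwnetid:bob", "group:tas_cse101"],
    "tas_cse101": ["uwnetid:carol", "uwnetid:alice"],
    "empty_group": [],
}

# Constructed sample of GDS user objects: uwnetid -> eduPersonAffiliation values.
GDS_USERS: Dict[str, List[str]] = {
    "alice": ["student"],
    "bob": ["student", "staff"],
    "carol": ["faculty"],
    "dave": [],
}


def user_dn(netid: str) -> str:
    return f"CN={netid},{AD_USER_BASE}"


def group_dn(name: str) -> str:
    return f"CN={name},{AD_GROUP_BASE}"


def parse_member(member: str) -> Tuple[str, str]:
    """Split a GDS member string into (kind, name); reject anything unexpected
    so a malformed entry cannot silently turn into a bogus DN."""
    kind, _, name = member.partition(":")
    if kind not in ("uwnetid", "group") or not name:
        raise ValueError(f"unrecognised member string: {member!r}")
    return kind, name


def resolve_members(group: str, gds: Dict[str, List[str]] = GDS_GROUPS,
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a group to the set of user DNs, following nested groups.
    `seen` guards against membership cycles (A contains B contains A)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    members: Set[str] = set()
    for entry in gds.get(group, []):
        kind, name = parse_member(entry)
        if kind == "uwnetid":
            members.add(user_dn(name))
        else:
            members |= resolve_members(name, gds, seen)
    return members


def affiliation_groups(users: Dict[str, List[str]] = GDS_USERS) -> Dict[str, Set[str]]:
    """Derive one group per eduPersonAffiliation value (student, staff, faculty, ...)."""
    groups: Dict[str, Set[str]] = {}
    for netid, affiliations in users.items():
        for aff in affiliations:
            groups.setdefault(f"uw_affiliation_{aff}", set()).add(user_dn(netid))
    return groups


def desired_state(gds: Dict[str, List[str]] = GDS_GROUPS,
                  users: Dict[str, List[str]] = GDS_USERS) -> Dict[str, Set[str]]:
    """Group DN -> full member-DN set that AD should hold after this sync run."""
    desired = {group_dn(g): resolve_members(g, gds) for g in gds}
    for name, members in affiliation_groups(users).items():
        desired[group_dn(name)] = members
    return desired


def plan_changes(desired: Dict[str, Set[str]],
                 current: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per group DN, the (adds, removes) that bring AD in line with GDS.
    Groups absent from AD appear with their full membership as adds (create, then
    populate); groups gone from GDS are emptied rather than deleted so their SID,
    and any ACL that references it, survives a transient upstream glitch."""
    plan: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for gdn in set(desired) | set(current):
        want, have = desired.get(gdn, set()), current.get(gdn, set())
        adds, removes = want - have, have - want
        if adds or removes or gdn not in current:
            plan[gdn] = (adds, removes)
    return plan


# Constructed snapshot of AD before today's run: dave dropped the course, bob and
# carol were added in GDS, and the TA and affiliation groups do not exist yet.
CURRENT_AD: Dict[str, Set[str]] = {
    group_dn("course_cse101"): {user_dn("alice"), user_dn("dave")},
}

if __name__ == "__main__":
    for gdn, (adds, removes) in sorted(plan_changes(desired_state(), CURRENT_AD).items()):
        print(gdn, "add:", sorted(adds), "remove:", sorted(removes))
```

The delta-based design matters for a once-a-day sync: AD only ever receives the minimal adds and removes, so a run that is interrupted part way leaves groups in a state the next run simply completes, and a log of the plan is an auditable record of every membership change the connector made.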
“Delegated OUs” Details
A charter is written, and a Strategic Direction Team (SDT) proposal has been approved. It defines resources (2 engineer FTE, 1 CliSvc FTE), outlines deliverables (core and additional), and approximates a timeline.
Core deliverables include:
• Solve user management delegation issue
• 2-way password sync?
• Core infrastructure to enable Exchange
• Provide domain migration strategy into UWWI
• Phase out UW forest
Future Extended Deliverables
After the ‘Delegated OU’ project, additional services may be pursued in follow-on projects depending on client interest. These include:
• Help Nebula to move in as first “occupant” as a proof of concept
• Setup billing for anything that needs it
• DDNS (a la Nebula)
• Ezreg services (wireless registration)
• DFS/file services
• VPN
• CA/PKI
• Unix interoperability
• Mac authentication
• ADFS
• <Your favorite thing here>
UW Forest Trends
[Chart: UW Forest Trends, plotted quarterly from 10/28/2002 to 10/28/2006, y-axis 0 to 45; series: domain count, domain compromise]
State of UW Forest
• Domain count: 21. C&C owns 5 of these, and will remove 3 within 6 months. From past conversations, 9 other domains have indicated an intention to have moved out by now.
• 12 domain compromises in past 4 years
• Windows 2000 SP4 DCs: 18; Windows 2003 DCs: 28
• Windows 2000 Domain Level: 16; Windows 2003 Domain Level: 5
• Total number of users: 12141 (273730 w/ C&C domains leaving soon)
• Total number of computers: 6898
• Domain size by users:
  – <50: 3
  – 51-200: 6
  – 201-500: 5
  – 501-999: 4
  – >1000: 3
• Domain size by computers:
  – <50: 6
  – 51-200: 5
  – 201-500: 7
  – 501-999: 0
  – >1000: 3
Expected Migration Path
• Similar to C&C ‘How to Migrate Out of the Forest’ whitepaper: http://www.washington.edu/computing/support/windows/UWdomains/migrateOut.html
• Use ADMTv3 user/group migration
• Use ADMT computer migration wizard to reACL and move computers without needing to touch each.
  – Registry
  – Profiles
  – File system
  – Local groups
  – Services
  – not scheduled tasks
  – not application-level credentials
Nebula Numbers
• 0 domain compromises over 10 year history
• 0 Nebula managed server compromises (yes, C&C has a managed servers service)
• Users: 2323; Groups: 1388; Computers: 2816
  – Gold (Nebula managed) workstations: 2452
  – Bronze (not managed by Nebula) workstations: 131
  – Kiosks: 61
  – Servers: 172 (31 unmanaged, 141 managed)
• 1 SG member + .25 engineer per 250 workstations
• 1 new software package/week
• Cost:
  – $52/month for Gold workstation
  – $58/month for Gold laptop
  – $26/month for Bronze
  Doesn’t include hardware; add ~$30/month for hardware
• 4.53 terabytes of network storage, 2.95 in use
Future Nebula Projects
• Exchange (this is a C&C service that some Nebula users may consume)
• SCCM (SMSv4 and SoftGrid)
• Vista
• Office 2007
• Dynamic local admin passwords (stage 1 done)
• Laptop improvements
• Managed Macs (research only)
• CA for Nebula
• Administrator account improvements
• Kiosk revisit (dependent on Vista)
• New models to reflect impending UW Information Security Standard
See http://staff.washington.edu/barkills/Nebula-HiEd.ppt for a recent overview of what Nebula provides in the managed workstation space.
The End
Brian Arkills, [email protected]
http://www.netid.washington.edu
Author of LDAP Directories Explained