July, 2005
IT Maps the Future of Windows Workstations at Berkeley Lab

Desktop security is accomplished in two ways:

Security Templates

In response to the need for increased security on Windows desktops, the IT Division has developed a set of security rules that can be applied to Windows workstations. The authoritative source for our effort is the National Institute for Standards and Technology (NIST), which has developed a set of guidelines that it intends to maintain. These guidelines resulted from collaboration with other government agencies as well as Microsoft. The IT Division's policy is to use these guidelines as our default settings unless we can clearly indicate why a change is needed. This is much easier than developing (and defending) a start-from-scratch effort that does not have the benefit of the expertise that an organization like NIST can bring to bear.

Preparation of an IT Division security template was done with the support of technical support staff representing all the divisions we support. It will be deployed to all Windows users who are members of the new Active Directory Domain, but will also be made available to individual workstations in Divisions that provide their own support (distributed via the software download web page) in the August timeframe.

Patch Management

Most of the Windows systems supported by the IT Division have been configured to receive patches directly from Microsoft using a built-in tool called “Automatic Windows Update”. While this has proven very effective in ensuring that critical patches (typically received from Microsoft the second week of each month) are received, it does not allow us to verify that the patches were successfully applied. In addition, we do not have any way to review the list of patches before they are released to lab machines. Finally, patches for other Microsoft products are not delivered using this mechanism.

The IT Division’s short-term response to this is to implement a locally maintained service referred to as Windows Server Update Service (WSUS). Microsoft has developed a product which currently meets our needs at a price we can afford (it is free). For IT Division supported machines, including all machines in Active Directory, WSUS will be used. At the present time, over 460 Windows systems have been redirected as part of our first set of tests. Computers in Engineering and Environmental Health and Safety have led the way. The following diagram helps explain the process: