Active Directory Procedures
AD Procedures - IT Frequently Asked Questions (FAQ) - Berkeley Lab Commons
https://commons.lbl.gov/display/itfaq/ADProcedures (printed 02/08/2013 06:21:35 PM)

Change Management Process

Change Initiation

Change that can impact Active Directory and its community can be initiated by three different groups, with expected impacts that range from significant to limited (or none). The three groups that can initiate change are:

1. Identity Management Team
   - Directory services authentication requirements (passwords, smart cards, biometrics)
   - Directory services integration (e.g. with LDAP)
   - Cyber security policy implementation (e.g. account management)
2. Desktop Support Team
   - File and Print
   - Software deployment
   - Desktop inventory and license tracking
   - Desktop security
3. Infrastructure Support Team
   - Domain Controller hardware upgrades
   - Domain Controller operating system software upgrades and patches
   - Cyber security implementation (e.g. firewalls)

Stakeholders

- IT Division management (Cyber Security, Identity Management, Workstation Support)
- OU admins group, IT Division Help Desk, others (referred to below as the AD-notify group)
- End user

Events and timelines

- Approval: provide 2-4 weeks in advance, as appropriate
- Advise: provide a minimum of 1 week in advance; include in the testing and evaluation phases
- Notify: 1 day in advance, in-progress status (if problems occur), and after completion of the work

General Guidelines

Change Management requires uniform processes no matter which group initiates a change. The process will differ based on urgency and expected impact, but not by the group that initiates the change. CCM will be enforced at the root level of the domain or when an action requires Domain Admin privileges. When approval or advice is required, the announcement must indicate what changes will be made, why the changes are being made, the potential impact to IT staff and end users, and how much time the changes are expected to take.
Notification requires a very short one or two sentence description (maintenance on domain controllers will take place at X for a period of Y hours). Notification is not needed for planned outages published on the Web site (normal weekend maintenance, for example). In the event that a change takes longer than expected, the AD-notify mail list must be notified immediately with the new completion time. Change management does not involve the test domain.

Change Management Matrix

Columns: Scope | Example | IT division management | OU admins | AD-notify group | End User

Planned Projects (with potential wide impact on the lab community)
  Examples: single sign-on; directory integration; Domain controller upgrades; mandatory use of a new firewall policy
  IT division management: Approval; OU admins: Advise; AD-notify group: Notify; End User: Advise

Routine or planned maintenance (change with limited or no expected impact)
  Examples: apply patches to the Win2003 OS on a DC; update of antivirus definitions; response to normal event and security log data
  Required action: Notify

Incident response (emergency change directed by CPP or IT management, or in response to unplanned events)
  Examples: major Windows virus outbreak; failure condition within AD that needs immediate attention; power outage
  Required action: Notify (for other than planned maintenance)

Account Management (create, disable, delete actions)

Workstation Info

1. Workstations in the LBL forest should be configured to turn off DDNS registration. This may be enforced by domain GPO in the future and should not be blocked at the OUs.
2. LBL naming standards are recommended for computer account names. The standard is to combine the UID of the primary person using the machine, followed by a dash, followed by a workstation operating system identifier, and finally the last two digits of the DOE number. The workstation identifiers are x for Windows XP, w for Windows 2000, and n for Windows NT 4, e.g. cwnelson-x44 or cwnelson-w39.
3. It is recommended that you wait 30 minutes after creating and deleting a computer account before attempting to create a new computer account with the same name.

Creating and Deploying GPOs

GPO guidelines at Berkeley Lab

Group Management Best Practices

- Try to use global groups to organize the users in your OUs into groups
- Try to use domain local groups to assign permissions to resources

CCM

More words on when CCM takes effect and when it does not?

These rules apply to all changes to the Domain Controllers (DCs) in the LBL domain, including but not limited to the registry, file system permissions, network settings, security settings, virus definition updates, patching, directory services changes, group policy settings, etc. However, good judgment must be used in order to identify which CCM category the specific changes fall under.

Windows Patch Management

Windows Patches delivered by WSUS
Updated May 10, 2012

Overview

The IT division manages an institutional Windows Server Update Service (WSUS). The purpose of the WSUS server is to facilitate patching of Windows computers in the LBNL environment. Participation in the WSUS server is optional, but it is widely deployed and is the default for computers in AD. The overarching philosophy is to replicate, via the LBNL WSUS server, the patches Microsoft delivers (e.g. security patches, Office patches, and non-critical patches). The WSUS service adds the ability to monitor and verify patch status, as well as to stop the deployment of a problem patch.

Patch Approval

Patch approval is done by a collaborative team (the WSUS team) from IT Desktop Support and CPP. This team communicates monthly on the second Tuesday of the month (Microsoft Patch Tuesday) to release patches. IT Collaboration Systems is responsible for approving patches but delegates this authority to the WSUS team.
As normal practice, one individual takes the lead in notifying stakeholders of special situations that might require an exception to the normal practice of releasing patches as they are provided by Microsoft. The WSUS team (or a designated individual) first reviews the patches to identify any high-priority patches that may require CPP to scan and isolate. The team then briefly reviews the function of each patch and releases them to all clients. The team also performs a brief review of WSUS to ensure patches are applying correctly.

Patch Problems

The WSUS team releases all WSUS patches at the same time as Microsoft. The WSUS team will not approve a patch in the event that the patch is creating a significant disruption or causing significant problems in the LBNL environment. IT Collaboration support is responsible for deciding when patches are unapproved.

Group Policy Objects

The IT division created and manages two Group Policy Objects (GPOs) in Active Directory (AD). The consumers of these GPOs are OU managers. OU managers are encouraged, but not required (unless they support Operations Divisions), to link one of these policies to the computers they manage. Most computers are linked, but some computers opt to use the built-in Automatic Update capabilities or are updated manually to maximize control in certain scenarios, such as servers or instrumentation. The two policies provided are as follows:

IT-WSUS3
This is the GPO recommended for most systems. It configures WSUS to download the patches and install them at 10:00 AM. If anyone is logged into the system, they will be prompted to reboot every hour but never forcibly rebooted. If no one is logged into the computer, it will reboot.

IT-WSUS3-NotifyOnly
This is the GPO recommended for servers and instrumentation computers. A person must perform the installation and reboot; the WSUS policy only prompts for download and reboot. This GPO simply tracks patch status.
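The following is an added example and not code from the LBL page or from the IT division: a PowerShell script an OU admin can run to check a workstation against the Workstation Info rules above (naming standard, DDNS registration off, the 30-minute wait before re-creating a deleted computer account) and against the Windows Update policy the two GPOs are described as delivering. The registry locations are the documented Windows Update and DNS Client policy values. The mapping of IT-WSUS3 and IT-WSUS3-NotifyOnly to specific values is an assumption made here from the page's prose (the page describes behaviour, not registry settings); the NotifyOnly mapping in particular is a guess and should be checked against the real GPO with gpresult before relying on it.

```powershell
# Added example, not from the LBL page: audit a workstation against the Workstation
# Info rules and the WSUS GPO descriptions above. Run locally as an administrator.
# Assumption: the IT-WSUS3 / IT-WSUS3-NotifyOnly GPOs write the Windows Update policy
# values listed in $WsusProfiles; the page describes behaviour, not registry values.

# Naming standard from the page: <uid>-<x|w|n><last two digits of DOE number>
function Test-LblComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # x = Windows XP, w = Windows 2000, n = Windows NT 4
    return [bool]($Name -match '^[a-z][a-z0-9]*-[xwn]\d{2}$')
}

# DDNS registration off. Either the local TCP/IP parameter (DisableDynamicUpdate = 1)
# or the DNS Client policy value a domain GPO writes (RegistrationEnabled = 0) counts.
function Test-DdnsRegistrationDisabled {
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $local = (Get-ItemProperty -Path $tcpip  -Name DisableDynamicUpdate -ErrorAction SilentlyContinue).DisableDynamicUpdate
    $gpo   = (Get-ItemProperty -Path $policy -Name RegistrationEnabled  -ErrorAction SilentlyContinue).RegistrationEnabled
    return ($local -eq 1) -or ($gpo -eq 0)
}

function Disable-DdnsRegistration {
    # Local fix; the page says a domain GPO may enforce this later and OUs must not block it.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        -Name DisableDynamicUpdate -Value 1 -Type DWord
}

# Item 3: wait 30 minutes after deleting a computer account before re-using the name.
# Looks for a same-named tombstoned computer object newer than the wait. Needs the
# ActiveDirectory module and rights to read deleted objects; run from an admin host.
function Test-RecentComputerDeletion {
    param([Parameter(Mandatory)][string]$Name, [int]$WaitMinutes = 30)
    $cutoff = (Get-Date).AddMinutes(-$WaitMinutes)
    $hits = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
        -IncludeDeletedObjects -Properties whenChanged |
        Where-Object { $_.Name.Split([char]0)[0] -eq $Name -and $_.whenChanged -gt $cutoff }
    return [bool]$hits
}

# Windows Update policy values (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU):
# AUOptions 4 = auto download and schedule install, 3 = auto download, notify to install.
$WsusProfiles = @{
    'IT-WSUS3' = @{
        AUOptions                     = 4
        ScheduledInstallTime          = 10   # 10:00 AM install, per the page
        NoAutoRebootWithLoggedOnUsers = 1    # never force a reboot on a logged-in user
        RebootRelaunchTimeoutEnabled  = 1
        RebootRelaunchTimeout         = 60   # re-prompt every hour, per the page
    }
    'IT-WSUS3-NotifyOnly' = @{
        AUOptions                     = 3    # assumption: a person installs and reboots
        NoAutoRebootWithLoggedOnUsers = 1
    }
}

function Get-WsusPolicy {
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $top = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    $auNames = 'UseWUServer','NoAutoUpdate','AUOptions','ScheduledInstallTime','NoAutoRebootWithLoggedOnUsers','RebootRelaunchTimeoutEnabled','RebootRelaunchTimeout'
    $p = @{}
    foreach ($n in 'WUServer','WUStatusServer') { if ($top.$n) { $p[$n] = $top.$n } }
    foreach ($n in $auNames) { if ($null -ne $au.$n) { $p[$n] = $au.$n } }
    return $p
}

# Returns the list of deviations from the named profile (empty means compliant).
function Compare-WsusProfile {
    param([hashtable]$Actual, [Parameter(Mandatory)][string]$ProfileName)
    $expected = $WsusProfiles[$ProfileName]
    $diffs = @(foreach ($k in $expected.Keys) {
        if ($Actual[$k] -ne $expected[$k]) { "${k}: expected $($expected[$k]), found $($Actual[$k])" }
    })
    if (-not $Actual['WUServer'] -or $Actual['UseWUServer'] -ne 1) {
        $diffs += 'not pointed at the LBNL WSUS server (WUServer/UseWUServer)'
    }
    return $diffs
}

# Usage: report for this machine, assuming it should carry IT-WSUS3.
$name = $env:COMPUTERNAME.ToLower()
[pscustomobject]@{
    Computer       = $name
    NameIsStandard = Test-LblComputerName -Name $name
    DdnsDisabled   = Test-DdnsRegistrationDisabled
    WsusDeviations = (Compare-WsusProfile -Actual (Get-WsusPolicy) -ProfileName 'IT-WSUS3') -join '; '
} | Format-List
```

The point of reading the policy hive rather than the WSUS console is that it shows what the GPO actually applied on the box, which is what the "brief review of WSUS to ensure patches are applying correctly" step needs when a machine stops reporting: a machine whose OU admin chose the built-in Automatic Updates instead of a linked GPO will have no WUServer value at all and will show up as a deviation here rather than silently disappearing from the WSUS view.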
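The Group Management Best Practices section above (global groups to organize users, domain local groups to assign permissions) describes the AGDLP pattern. The following is an added example, not code from the LBL page or the IT division, showing the pattern end to end in PowerShell with the ActiveDirectory module; the OU path, group names, share path, user names and the LBL domain NetBIOS name are all hypothetical.

```powershell
# Added example, not from the LBL page: AGDLP (Accounts -> Global group ->
# Domain Local group -> Permission). All names below are hypothetical.
Import-Module ActiveDirectory

$ou        = 'OU=Physics,DC=lbl,DC=gov'    # hypothetical OU the admin owns
$userGroup = 'Physics-Instrument-Users'    # global group: who the people are
$aclGroup  = 'Physics-Share-Modify'        # domain local group: what access on what
$share     = '\\fileserver\physics'        # hypothetical resource
$domain    = 'LBL'                         # hypothetical NetBIOS domain name

# 1. Global group holds the accounts (members must come from this domain).
New-ADGroup -Name $userGroup -GroupScope Global -GroupCategory Security -Path $ou `
    -Description 'Users of the Physics instrument workstations'
Add-ADGroupMember -Identity $userGroup -Members 'cwnelson', 'jdoe'   # hypothetical users

# 2. Domain local group represents one permission on one resource.
New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou `
    -Description "Modify on $share"

# 3. Nest the global group into the domain local group. Membership changes from
#    now on touch the groups, never the ACL.
Add-ADGroupMember -Identity $aclGroup -Members $userGroup

# 4. Only the domain local group goes on the ACL.
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$aclGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: list explicit ACEs that are NOT domain local groups (users, global groups,
# orphaned SIDs). An empty result means the resource follows the practice.
function Get-NonDomainLocalAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $name = $_.IdentityReference.Value.Split('\')[-1]
        $grp  = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp -or $grp.GroupScope -ne 'DomainLocal') { $_.IdentityReference.Value }
    }
}
Get-NonDomainLocalAces -Path $share
```

The audit function at the end is the useful part for an OU admin inheriting a share: built-in principals such as BUILTIN\Administrators and SYSTEM will appear in its output because they are not domain local groups in AD, so treat those lines as expected and look at the rest.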