- General information
- Data readiness
- Grid
- Infrastructure
- Online Computing
- Software Infrastructure
- Batch system, resource management system
- Computing Environment
- Facility Access
- HPSS services
- Home directories and other areas backups
- Hypernews
- Installing the STAR software stack
- RCF Contributions
- Software and Libraries
- Storage
- Tools
- Tutorials
- Web Access
- Offline Software
- Production
Required sofftware and configuration for Windows PCs at BNL
Submitted by wbetts on Wed, 2005-05-25 19:43
Under:
BNL-specific
requirements and configuration for networked Windows computers:
-
A file and real-time virus scanner with up-to-date virus patterns/definitions is REQUIRED! (***Cyber-Security requirement***)
Information about the BNL-supported products from TrendMicro is available from the BNL ITD group: TrendMicro at BNL. It is critical that any anti-virus product receive regular updates (daily or even more often), which is sometimes difficult for mobile machines on a variety of networks. Four similar products are available to try to meet the demands of our diverse environment:Windows desktops that reside on the BNL internal networks are best served by TrendMicro's basic OfficeScan product. It has a master server inside the BNL firewall from which it receives updates and to which it reports infections. Every Windows desktop system at BNL should be using this product, with very few exceptions. You can
click here to go to the online install the OfficeScan product. (You'll need administrator privileges on your system for the installation.)Laptop users with wireless networking are encouraged to use a newer OfficeScan version that has a firewall module and is able to recieve virus pattern updates from multiple sources -- so it can roam around on- and off-site and usually still reach an update server. This OfficeScan version is also more capable of cleaning up some trojans and malware than the desktop version. To install it in the standard way, you must already be on the BNL external wireless network and go here. Repeat: you must be on the "BNLexternal" wireless network to use that link.
BNL employees' personal home computers are permitted to use the PC-cillin product, which gets its updates from servers that are outside the BNL firewall (and it does not report infections to anybody at BNL). PC-cillin includes a firewall module (OfficeScan does not) and PC-cillin has more (but quite limited) spy-ware and ad-ware detection capabilities.
If you are running a Windows *Server* OS (if you are unsure, then you almost certainly are not!), then there is yet another option, for which you will need to contact ITD (help desk at x5522 or Jim McManus directly at x4107).
or those readers to whom none of the above apply, which is to say, computers not owned or used primarily at BNL or by BNL employees, I recommend (though can offer no significant assistance with) the following three free anti-virus products about which I have read or heard good things:
Other anti-virus resources available include online scanners, such as HouseCall from TrendMicro and Symantec's Security Check. Most major anti-virus vendors have something similar. Relying on these online scanners as you primary defense is unwise. In addition to the inconvenience of manually performing these scans, you really need a product monitoring your system at all times to prevent infections in the first place, rather than trying to clean up afterwards. But since no two products catch and/or clean the same set of problems, occaisionally using a second vendor's product can be useful.
-
Windows Critical Updates/SUS (***Cyber-Security requirement***)
Windows systems must be regularly patched with "critical" updates. Unfortunately, the BNL firewall and proxy configurations can interfere with the Windows Automatic Update feature in Windows 2000/XP (though you can still use Windows Updates in Internet Explorer if you have the proxies configured correctly, see below for proxy info). To help with this situation, BNL ITD has set up a Software Update Services server to locally host critical updates. To use this service (which places a notification icon in the System Tray when updates are available), please click here for more information and installation instructions. (It is quite easy, but you must have administrative privileges.) You can manually apply Windows updates (critical and otherwise) using Internet Explorer -- go to the Tools menu and click on "Windows Updates", at which point it is straightforward. Note that in many cases, the machine must be rebooted to complete the update process.
-
Logon Banner (**Cyber-Security requirement**)
As required by the DOE, please install a logon banner for BNL-owned or BNL-based computers. (This includes other OSes as well -- essentially anything that you can log into is required to post a banner if technically possible.) Click here for more information about logon banners at BNL. To install the banner: Windows NT/2000/XP click here (must be an administrator to insert the registry changes). Window 95/98 click here instead.
-
MAC Registration (**Cyber-Security requirement**)
All networked devices on the BNL internal networks are required to be registered.
(NB--- Please do not attempt to register your machine while using STAR's cygnusb wireless access points.)
More specifically, each network interface is to be registered -- one
computer might have multiple network interfaces, each of which requires
a separate registration.
That's because the registration is keyed on a specific string
assigned to each network interface by the manufacturer that is supposed
to be unique in the world.
It is known as a "MAC", "ethernet" or "hardware" address and each
network interface has one. (Ie. You must create a separate registration
entry for each network card you use on a system.)
For more information, or to update your registration information, click here.
This requirement applies to things beyond typical PCs, such as remote
network power supplies, VME processors and other networked equipment.
If you have such equipment that you cannot register (typically
because it doesn't run any sort of web browser), then please contact
ITD (x5522) or Wayne Betts for assistance in registering the system.
While not necessary, if you have the capability to verify that the
MAC you are registering is in fact yours (Windows hint: "ipconfig
/all" or Linux hint: "ifconfig"), please do so.
Glitches in the system occaisionally fail to properly keep track of
the realtime IP-to-MAC mapping, and you, the adaptable human, can
perhaps avert the unfortunate situation of misregistration.
-
Proxy servers
For the most part, when using ftp or http with offsite servers, a proxy server must be used. Most web browsers can be configured to use the script at http://security.bnl.gov/proxy/cfg.pac For other applications, you may need to configure them to use http://192.168.1.3:3128 (http server 192.168.1.3 and port 3128). More information can be found here including alternative proxy servers.
-
Security Scanning
The BNL networks are routinely scanned
for vulnerabilities by ITD, auditors and even sometimes malicious
intruders. The most prevalent scan is done using Nessus, which looks
for common network services and many known vulnerabilities. Any user with a web browser
can initiate a new scan of his host machine and look
at the most recent scan results for his IP address by going to http://scanner.bnl.gov/.
(NB. When it requests an email address to send the results, you must
use an address ending in bnl.gov, or it will reject you.)
The results can be daunting to interpret, so please ask for assistance
if you are unsure how to interpret or correct any results. Some
results are "false positives" or uncorrectable but necessary, in which
case they can be marked as such in the database.
-
STAR printers (separate page)
-
Wireless networking (separate page, password protected)
Please send comments, corrections and suggestions to Wayne Betts: wbetts {at} bnl.gov