K4-5 Upgrade: The Saga Continues

Similar documents
Project Management Pre-Implementation Project status reporting Post Implementation Assessment Phase Solidify Project Scope

Get the Facts: Benefits, Timeline, How to Prepare

Strategic Action Plan. for Web Accessibility at Brown University

General Policy Imaging

NC Education Cloud Feasibility Report

SYLLABUS. Departmental Syllabus CIST Departmental Syllabus. Departmental Syllabus. Departmental Syllabus. Departmental Syllabus

Operating System Support Plan for Test Delivery System

1. Federation Participant Information DRAFT

(Office 365) Service Level Expectation

How Cisco Expedites IT Integration of an Acquisition

14 January 2013 Presented by: Kevin L. Jones Agency IPv6 Transition Manager

10 Cloud Myths Demystified

Overcoming IT Challenges in the Education Segment Leveraging Cloud and On-Premise Resources for Maximum Impact

MOVING MISSION IT SERVICES TO THE CLOUD

Operating Level Agreement for NYU Login Service

Organizational Structure of the Toronto Environment Office

Client Services Procedure Manual

Security and Compliance at Mavenlink

Information Technology Services. Informational Report for the Board of Trustees October 11, 2017 Prepared effective August 31, 2017

INFORMATION TECHNOLOGY NETWORK ADMINISTRATOR ANALYST Series Specification Information Technology Network Administrator Analyst II

NFPA Edition

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Active Directory User Management System (ADUMS) Release User Guide

Draft proposal. This document contains the following sections:

Table of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems...

!!!!!!! OWASP VETERANS TRAINING GRANT PROPOSAL BLACKSTONE VETERANS HIRING INITIATIVE: OWASP GRANT PROPOSAL

Symantec Data Center Migration Service

A guide for assembling your Jira Data Center team

The Four A s of Access A practical guide to auditing an access process.

Educator Learning Journeys. Tracy Immel Global Director Teacher Professional Development Programs & Certification

REFERENCE GUIDE TO THE STUDENT CENTER MY.CHAPMAN.EDU

UIS Monthly Update May 2015

ERO Compliance Enforcement Authority Staff Training

Connecting Students, Faculty, and Staff with a New

Introduction: UNCC COE MOSAIC Page 1 of 9

How to Activate Student Log in to the student Registration system (also known as My Community Education or Banner ).

State of IT. June 2, 2005 By William Lewis, CIO

CENTRAL TEXAS COLLEGE ITNW 2356 Designing a Network Directory Infrastructure. Semester Hours Credit: 3 INSTRUCTOR: OFFICE HOURS:

Department of Business Information Technology

CASE STUDY: RELOCATE THE DATA CENTER OF THE NATIONAL SCIENCE FOUNDATION. Alan Stuart, Managing Director System Infrastructure Innovators, LLC

Michigan Grid Research and Infrastructure Development (MGRID)

2019 Illinois WIDA ACCESS Technology Overview. January 04, 2019 ~ 1 ~

University of San Francisco Course Syllabus and Outline

Risk Mitigation Strategies 2017 Tier 1 Risk Profile Interim Report UNCW Institutional Risk Management

MNsure Privacy Program Strategic Plan FY

Controlling the Project Pipeline: Managing Constraints to Maximize Outputs

What actions do I need to take to prepare for the new USP NF Online product in 2018?

WHITE PAPER- Managed Services Security Practices

IT Services Performance Report

ORACLE SERVICES FOR APPLICATION MIGRATIONS TO ORACLE HARDWARE INFRASTRUCTURES

Project Charter Project Name: Defining and Delivering an SLA Information Technology Services

1 IAM Program Launch. 2 Agenda. 3 Introductions. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012

Organizing a Campus Change: Planning for Identity and Access Management Improvements at UF

Lawson State Community College. Dual Enrollment Student Handbook

Three Key Considerations for Your Public Cloud Infrastructure Strategy

Centralized Directory Services and Accounts Management Project

Google Identity Services for work

Bozeman IT Council Agenda 10:00 am Friday, May 29, 2015 President s Conference Room. Members

Goal 1: Maintain Security of ITS Enterprise Systems

Information Technology University Budget Hearing. April 5, 2018

Module 1: Core Committee Staff Basics

Professional Development Standards and Support. Learning Across Broward (LAB) End User Training

Colorado Charter School Institute. Website Design & Development Request for Proposal

What actions do I need to take to prepare for the new USP NF Online product in 2018?

Campus Community Guide October 2012

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Juniper Care Plus Services

SOLID WASTE RESOURCES MANAGEMENT PLAN

Microsoft IT deploys Work Folders as an enterprise client data management solution

Professional Services for Cloud Management Solutions

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Texas A&M University: Learning Management System General & Application Controls Review

DSS in Transition RMS Pilot

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

Influence and Implementation

STRATEGIC PLAN. USF Emergency Management

Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success

Education and Support for SharePoint, Office 365 and Azure

Ring of Fire : Achieving a FISMA Compliant Transition to Office 365. Matthew Maes, INL Cyber Security

IAM Project Overview & Milestones

[MS10974B]: Deploying and Migrating Windows Servers

Cloud solution consultant

Announcement date: December 1, 2009 New program launch date: May 1, 2010

EDINBURGH S TELFORD COLLEGE

DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE

Information Technology Branch Organization of Cyber Security Technical Standard

BASELAYER deployed modular data center infrastructure. Integration with the RunSmart DCIM software platform.

Avoid a DCIM Procurement Disaster

Canadian Access Federation: Trust Assertion Document (TAD)

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Leslie W. Hicks! 221 Pasture Lane! Winchester, VA 22602! (540) (540) !

Network Detective. Prepared For: Your Customer / Prospect Prepared By: Your Company Name

Registration Now Open for Spring 2019 ODP Quality Management (QM) Certification Classes

Joint Task Force District-Wide 40J Technology Program Monthly Status Update

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

1. All stakeholders shall ensure conformance to 9104 series of standards and the published timeline for 91XX:2009 transition as they apply.

Vice President for Information Technology Status and Activity Report for April 2019

Miscellaneous Calendar 2017

ERP/CRM System Implementation Methodology

Transcription:

K4-5 Upgrade: The Saga Continues Trials and Tribulations of Kerberos Transition at the University of Michigan or How to Prepare for the Next Upgrade

Overview In next half an hour we will: Present a general outline of the Kerberos upgrade project in the context of the large and diverse University of Michigan environment, Discuss organizational and technical issues we have encountered, Offer insights into what we have learned. 2

Kerberos History at the University of Michigan Prehistory: Kerberos was in production at the University of Michigan in 1990. It became popular in 1992. In 1998 MIT released K5: we upgraded our Kerberos servers almost immediately. In 2000 we turned on triple DES and added one more Kerberos server. 3

Kerberos History at the University of Michigan More recent events In 2002 University of Michigan Internal Risk assessment group audited Kerberos infrastructure and recommended we turn on preauthentication and turn off K4. In 2005 MIT announced plans to discontinue support for Kerberos 4. In 2005 ITSS was established and IT Commons initiatives was started: improving Kerberos became an IT management priority. Current team was assembled January 2006 and project was fast-tracked. 4

Kerberos 4-5 Upgrade Summary Project Objectives Provide more secure authentication mechanism while making sure there is a minimal impact on the end user. Project Goals Replace Kerberos 4 with Kerberos 5 services. Turn on preauthentication for all Kerberos users. Prepare for the switch to AES encryption. Project Timeline Upgrade project started in 1998. Projected finish date: mid 2007. 5

Upgrade Obstacles Environment size, complexity and decentralization. Pervasive use of Kerberos authentication. Shooting moving target: emergence of new services that use initial Kerberos authentication - analysis data obsolete within a week. Existence of multiple authentication environments within the university. Competing timelines with other initiatives. 6

The University of Michigan Users IT Providers Campus locations and number of schools and colleges: Ann Arbor: 19 Dearborn: 4 Flint: 5 Total student enrollment: 55,028 Instructional staff: 7,830 Regular non-instructional staff: 28,201 Living degree holders : 456,381 from Budget Update (http://www.umich.edu/~urel/budget/bg.html) 7

Kerberos Use Data ~395,350 Kerberos principals In the last six months: authentication attempts made against ~173,200 principals In a non-session day (June 5 th 2006) we had: 1,499,943 initial authentication attempts for 87,334 unique users 1,176,580 service tickets requests for 1252 unique services: 844977 mail 101730 cosign 35812 krbtgt 31876 afs 120 directory Uniqname Creation 1993-2005 Uniqnames Created 38247 29166 30277 25080 25939 23354 24794 26799 25735 29900 37984 31159 33064 1992 1993 1994 1995 1996 1997 1998 1999 Year 2000 2001 2002 2003 2004 2005 2006 8

Kerberos 4-5 Project Major Milestones Deploy Kerberos 5: completed 1998. Turn off Kerberos 4 Upgrade Kerberos 4 services/clients: 30% completed completion target Fall 2006 Implement external filtering: completed April 2006 Expire antique passwords: 95% complete - completion target July 2006 Staging Preauthentication: completion target mid 2007. Turn off DES: completion target mid 2007. 9

Turn off Kerberos 4: Upgrade Kerberos 4 services/clients Find services dependent on Kerberos authentication Communicate plan to the campus providers and negotiate K4-5 migration Provide resources Documentation Examples Support: debug problems, help with testing, coding IT providers: upgrade to K5 10

Turn off Kerberos 4: Implement filtering Facilitate staged withdrawal of service Prevent new services from being deployed with K4 dependencies Steps: Matt Bing (ITSS) developed wrapper script with host deny and host allow logic Tested and deployed wrapper script Defined external Vs. internal (to UM) IP ranges Analyzed K4 usage by IP address to isolate external IP ranges Turned off external K4 service in a staged fashion 11

Turn off Kerberos 4: Expire antique passwords More then 100,000 passwords last changed before 1998: AFS 3 salts and only one key. Steps: Identified active principals: >100,000 principals, ~20,000 active, ~10,000 could be reached via email. Launched password change communication campaign 40% users contacted changed their password before expiration date. Marcus Watts developed a script that expires antique passwords. Kevin McGowan developed a Web application that allows users to change their expired password on the Web. 12

Staging Preauthentication We are analyzing Kerberos logs to identify services that do initial authentication. We will test each service with preauthentication: We are finding pilot groups of users to test preauthentication. We will turn preauthentication on: By default for newly created uniqnames, For remaining uniqnames in a staged fashion. 13

Future Direction Turn off DES Required: Windows support for AES, AFS to support triple DES or AES. Turn off triple DES Required: AFS support for AES. 14

Measurements of Success Legacy cases (Kerberos 4, no preauthentication and use of DES) turned off before MIT officially stops the support. Little or no user surprise : No production outage due to the upgrade. Tolerable number of Kerberos support questions. 15

Lessons Learned Turning on K5 was relatively easy - turning off K4 is a challenge: Organization size and culture. Pervasive use of Kerberos authentication. Change of this type and magnitude requires upper management support. Never underestimate the power of communication and education. Make sure you have access to the right technical talent and expertise. Leverage all technical capabilities and tools. It is important to collaborate with other units: offer and provide technical support and expertise to IT providers campus wide. Research Kerberos usage: analyze logs weekly, monthly, quarterly, as a standard production support procedure. 16

QUESTIONS? 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback