Procedures for auditing and moving systems into the Managed Security Networks

System Setup / Prerequisites Audit Phase
- Verify the system meets the following basic requirements:

  | Windows Operating System | Mac OS X 10.4 or later |
  |--------------------------|------------------------|
  | Operating system is Windows XP SP2 or Windows Vista | Operating system is Mac OS X 10.4 or later |
  | Built-in firewall is enabled | Built-in firewall is enabled |
  | Microsoft Update (not Windows Update) is installed and configured to download/install critical updates daily | Updates are performed regularly, and the OS is up to date as well as all office products |
  | All current critical updates have been applied | All current critical updates have been applied |
  | Time server is set to time.uidaho.edu (non-AD users) | |
  | DHCP is enabled (no hardcoded IPs) | DHCP is enabled (no hardcoded IPs) |
  | DNS is set to be retrieved via DHCP and no static entries | DNS is set to be retrieved via DHCP and no static entries |
  | All network drives are mapped to ITS servers | All network drives are mapped to ITS servers |
  | Screensaver configured to lock console after idle at most 20 minutes and require a password to unlock | Screensaver configured to lock console after idle at most 20 minutes and require a password to unlock |
  | IPv6 Network Protocol is disabled | |
  | Vista "User Account Control" is enabled | |
- Install and configure Symantec anti-virus software.
- Install and configure Windows Defender (for Windows machines only).
- Perform MBSA analysis (for Windows machines only).
- Perform Proventure analysis.
- Identify the edge switch to which the system is attached and ensure it is VLAN capable (can be done at time of migration).
- Verify NMS information is correct: principal userid, departmental domain (not campus.uidaho.edu), etc.
- Verify the appropriate "managed security" VLAN is trunked to the switch.
- Ask the user the following questions so that we can correct possible breaks before they happen:
  - Ask if the user is using RDP. If so, they need to get a VPN account and install the VPN client on their remote system, *or*, if on campus, move their other machine into the "managed security" networks.
  - Only client systems are to be moved into the networks - absolutely no servers or printers. Thin clients are obviously clients, so they are OK.
  - If there is no departmental sysad, strongly consider moving them into the ITS domain, but make sure you copy/configure their profile appropriately. Done properly, the user shouldn't know the difference (except that they are using their AD password).
  - Macs can be moved into the "managed security" networks if they are running OS X 10.4 or newer and meet the OS X equivalent of the above prerequisites (where applicable).
  - Ask if the user uses any service that is IP specific. If so, take the necessary precautions to keep downtime for that service to a minimum.
  - Ask if the user's printer needs to be moved into the printer network. Verify whether we need to move the group's printers into the printer network.
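The Windows column of the prerequisite table can be checked mechanically before the audit spreadsheet is filled in. The script below is an added example, not part of the original procedure: it reads the relevant registry keys and WMI classes on an XP SP2/Vista host and returns one pass/fail row per requirement. It assumes PowerShell is installed on the audited host and runs as the user being audited; the Microsoft Update opt-in and the Symantec/Defender installs are not checked here, and the function name Test-ManagedSecurityPrereqs is this example's own.

```powershell
function Get-RegValue($path, $name) {
    # Returns the named registry value, or $null when the key or value is absent
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$name } else { return $null }
}
function New-Check($name, $pass, $detail) {
    New-Object PSObject -Property @{ Check = $name; Pass = [bool]$pass; Detail = $detail }
}
function Test-ManagedSecurityPrereqs {
    $os = Get-WmiObject Win32_OperatingSystem
    $osOk = ($os.Version -like '5.1*' -and $os.ServicePackMajorVersion -ge 2) -or ($os.Version -like '6.0*')
    New-Check 'OS is Windows XP SP2 or Vista' $osOk "$($os.Caption) SP$($os.ServicePackMajorVersion)"
    # Built-in firewall: EnableFirewall=1 for both the Standard and Domain profiles
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $std = Get-RegValue "$fw\StandardProfile" 'EnableFirewall'
    $dom = Get-RegValue "$fw\DomainProfile" 'EnableFirewall'
    New-Check 'Built-in firewall enabled' ($std -eq 1 -and $dom -eq 1) "Standard=$std Domain=$dom"
    # Automatic Updates schedule: AUOptions 4 = auto download+install, ScheduledInstallDay 0 = every day
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $opt = Get-RegValue $au 'AUOptions'; $day = Get-RegValue $au 'ScheduledInstallDay'
    New-Check 'Critical updates install daily' ($opt -eq 4 -and $day -eq 0) "AUOptions=$opt Day=$day"
    # Time server requirement applies to non-AD machines only; domain members sync from the DC
    $ntp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' 'NtpServer'
    $inAd = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    New-Check 'Time server is time.uidaho.edu (non-AD)' ($inAd -or $ntp -like 'time.uidaho.edu*') "NtpServer=$ntp"
    # DHCP on every IP-enabled adapter, and no static DNS servers (NameServer holds the static list)
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
        $ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($nic.SettingID)"
        $staticDns = Get-RegValue $ifKey 'NameServer'
        New-Check "DHCP enabled: $($nic.Description)" $nic.DHCPEnabled "IP=$($nic.IPAddress)"
        New-Check "No static DNS: $($nic.Description)" ([string]::IsNullOrEmpty($staticDns)) "NameServer='$staticDns'"
    }
    # Screensaver: active, password-protected, timeout at most 20 minutes (1200 s)
    $ss = 'HKCU:\Control Panel\Desktop'
    $active = Get-RegValue $ss 'ScreenSaveActive'; $secure = Get-RegValue $ss 'ScreenSaverIsSecure'
    $timeout = [int](Get-RegValue $ss 'ScreenSaveTimeOut')
    $ssOk = $active -eq '1' -and $secure -eq '1' -and $timeout -gt 0 -and $timeout -le 1200
    New-Check 'Screensaver locks within 20 min' $ssOk "active=$active secure=$secure timeout=${timeout}s"
    # IPv6 (Vista key): DisabledComponents with the low byte set to 0xFF disables all IPv6 components
    $v6 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
    New-Check 'IPv6 disabled' (($v6 -ne $null) -and (($v6 -band 0xFF) -eq 0xFF)) "DisabledComponents=$v6"
    if ($os.Version -like '6.0*') {   # UAC exists on Vista only
        $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
        New-Check 'Vista UAC enabled' ($lua -eq 1) "EnableLUA=$lua"
    }
}
Test-ManagedSecurityPrereqs | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass=False is a prerequisite to fix before the MAC/VLAN move is requested; the Detail column shows the value actually found so it can be pasted into the audit spreadsheet.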
Process to move a device into the Managed Security Network:

(This will cause a network outage for the client; make sure you coordinate the MAC and VLAN changes. It is best practice to share your audit spreadsheet with Netteam and work together port by port to minimize downtime for the customer.)

1. Ask Secondary or Net Team to move the MAC address into one of the four managed security networks.
2. Have a member of Net Team move the network port into the appropriate VLAN.
3. Wait ten minutes for NMS to update the DHCP servers. Since the DNS and DHCP configs are built and pushed at approximately the same time, you can use nslookup/dig to determine when this is done.
4. Reset the network configuration once NMS has been updated.
5. Verify network connectivity.