Information Technology Services e-Support
   Managed Security Network System Requirements  

Procedures for auditing and moving systems into the Managed Security Networks

System Setup / Prerequisites Audit Phase

    1. Verify system meets the following basic requirements:

| Windows Operating System | Mac OS X 10.4 or Later |
|---|---|
| Operating system is Windows XP SP3 or Windows Vista SP2 | Operating System is Mac OS X 10.4 or later |
| Built-in or ITS-Approved Firewall is enabled | Built-in or ITS-Approved Firewall is enabled |
| Microsoft update (not Windows Update) is installed and configured to download/install critical updates daily | Updates are performed regularly and the OS is up to date as well as all Office products |
| All current critical updates have been applied | All current critical updates have been applied |
| Time server is set to time.uidaho.edu (non-AD users) | |
| DHCP is enabled (no hardcoded IPs) | DHCP is enabled (no hardcoded IPs) |
| DNS is set to be retrieved via DHCP and no static entries | DNS is set to be retrieved via DHCP and no static entries |
| All network drives are mapped to ITS Servers | All network drives are mapped to ITS servers |
| Screensaver configured to lock console after idle at most 20 minutes and require a password to unlock | Screensaver configured to lock console after idle at most 20 minutes and require a password to unlock |
| IPv6 Network Protocol is disabled | IPv6 Network Protocol is disabled |
| Vista "User Account Control" is enabled | |

    2. Install and configure ITS-Managed anti-virus software.

    3. Install and configure Windows Defender. (for Windows machines only)

    4. Perform MBSA analysis. (for Windows machines only)

    5. Perform Proventure/Insight analysis. (for Windows machines only)

    6. Identify the edge switch to which the system is attached and ensure it is VLAN capable. (This can be done at time of migration.)

    7. Verify NMS information is correct - principal userid, departmental domain (not campus.uidaho.edu), etc.

    8. Verify the appropriate "managed security" VLAN is trunked to the switch.

    9. Ask the following questions of the user to make certain we can correct the possible breaks before they happen:

      a. Ask if the user is using RDP - if so they need to get a VPN account and install the VPN client on their remote system *or* if on campus move their other machine into the "managed security" networks.

      b. Client systems only are to be moved into the networks - absolutely no servers or printers. Thin clients are obviously clients so they are ok.

      c. If there is no departmental sysad then strongly consider moving them into the ITS domain, but make sure you copy/configure their profile appropriately. Done properly the user shouldn't know the difference (except they are using their AD password).

      d. Macs can be moved into the "managed security" networks if they are running OS X 10.4 or newer and meet the OS X equivalent of the above prerequisites (where applicable).

      e. Ask if the user uses any service that is IP specific.  If so, take necessary precautions to allow for little downtime for the specific service.

      f. Ask if the user's printer needs to be moved into the printer network. Verify whether we need to move the group's printers into the printer network.

Process to move device into the Managed Security Network

(This will cause a network outage for the client; make sure you coordinate the MAC and VLAN changes. It is best practice to share your audit spreadsheet with Net Team, and work together port by port to minimize downtime for the customer.)

1. Ask Secondary or Net Team to move the MAC address into one of the four managed security networks.

2. Have a member of Net Team move the network port into the appropriate VLAN.

3. Wait ten minutes for NMS to update the DHCP servers. Since DNS and DHCP configs are built and pushed at approximately the same time you can use nslookup/dig to determine when this is done.

4. Reset network configuration once NMS has been updated.

5. Verify network connectivity.
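
A polling helper for step 3, added here as an example and not part of the ITS procedure: it repeats the dig lookup until the client's A record falls inside the new network's address prefix, or gives up after a timeout. The host name, prefix and name server are placeholders you supply, and the RESOLVER variable is a hypothetical hook for substituting another lookup command.

```shell
#!/bin/sh
# Added example: wait until a moved client's DNS record shows its new network.

# resolve_a HOST [SERVER]: print the A record(s) for HOST, one per line.
# Naming the server queries it directly, which avoids a stale cached answer.
resolve_a() {
    if [ -n "$2" ]; then
        dig +short A "$1" "@$2"
    else
        dig +short A "$1"
    fi
}

# in_prefix ADDR PREFIX: succeed if ADDR begins with the dotted PREFIX.
# Keep the trailing dot: "192.0.2." matches 192.0.2.57 but not 192.0.20.5.
in_prefix() {
    case "$1" in
        "$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# wait_for_move HOST PREFIX [SERVER] [TIMEOUT_S] [INTERVAL_S]
# Returns 0 once HOST resolves into PREFIX, 1 if TIMEOUT_S passes first.
# The default timeout of 900 s leaves margin over the ten-minute NMS push.
wait_for_move() {
    local host="$1" prefix="$2" server="${3:-}"
    local timeout="${4:-900}" interval="${5:-30}"
    local resolver="${RESOLVER:-resolve_a}" waited=0 addr=""
    while :; do
        # Only the first answer line is checked (one address per client).
        addr=$("$resolver" "$host" "$server" | head -n 1)
        if [ -n "$addr" ] && in_prefix "$addr" "$prefix"; then
            echo "$host -> $addr after ${waited}s"
            return 0
        fi
        [ "$waited" -ge "$timeout" ] && break
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "timeout: $host still resolves to '${addr:-nothing}'" >&2
    return 1
}

# Usage (placeholder names and documentation-range addresses):
#   wait_for_move pc-lab-01.example.edu 192.0.2. ns1.example.edu
```

A successful return means DNS has been rebuilt, which by step 3's reasoning indicates the DHCP push has happened as well; the client still needs its network configuration reset as in step 4.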

 
   