Patchlink 5

By Lawrence Gibson, 2014-05-07 13:53
    Patchlink 5.0 on Windows 2003 Server/IIS 6.0

    Preparation for Patchlink:

    1) Create the computer object in Active Directory for the server that will be running Patchlink.

    2) In the ADSI editor, edit the computer object and add the following to the servicePrincipalName:

    HTTP/
    HTTP/.fnal.gov

    3) Since this will be an IIS server with additional locally-used accounts over a network loopback, you will need to either create a new GPO to override the domain’s ‘Access this computer from the Network’ policy, OR enable loopback processing of this GPO and add the following to the ‘Access this computer from the Network’ local policy:

    \IUSR_
    \ASPNET
    \IWAM_
    \Patchlink
    \PLUS ANONYMOUS
    Domain Users
    Domain Admins
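The HTTP service principal names added in step 2 are what let Internet Explorer obtain the HTTP/ service ticket that the troubleshooting section tells you to look for with klist. The script below is an added example, not part of the original guide, that reads the computer object back from Active Directory, confirms both expected SPNs are present, and looks for the same SPN registered on any other account, because a duplicate SPN makes Kerberos ticket requests fail and IIS falls back to prompting for credentials. The server name is a placeholder you must replace; the DNS suffix fnal.gov is taken from the guide.

```powershell
# Added example (not from the original guide): verify the HTTP SPNs from
# "Preparation" step 2 and detect duplicates elsewhere in the domain.
# Run from any domain-joined machine as a user allowed to read AD.
param(
    [string]$ServerName = 'PATCHLINKHOST',   # placeholder: short name of the Patchlink server
    [string]$DnsSuffix  = 'fnal.gov'
)

$expectedSpns = @("HTTP/$ServerName", "HTTP/$ServerName.$DnsSuffix")

# Locate the computer object by sAMAccountName (computer accounts end in '$').
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$ServerName`$))"
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))
$computer = $searcher.FindOne()
if (-not $computer) { throw "Computer object for $ServerName not found in Active Directory" }

$computerDn = [string]$computer.Properties['distinguishedname'][0]
$registered = @($computer.Properties['serviceprincipalname'])

foreach ($spn in $expectedSpns) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $computerDn"
    } else {
        Write-Warning "MISSING   $spn is not on the computer object; add it in ADSI Edit (step 2)"
    }

    # Any other object holding the same SPN is a duplicate and breaks Kerberos
    # for this service, regardless of what the computer object says.
    $dupSearcher = [ADSISearcher]"(servicePrincipalName=$spn)"
    $dupSearcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($hit in $dupSearcher.FindAll()) {
        $dn = [string]$hit.Properties['distinguishedname'][0]
        if ($dn -ne $computerDn) {
            Write-Warning "DUPLICATE $spn is also registered on $dn; remove one copy before expecting Kerberos logon to work"
        }
    }
}
```

Run it with `.\Check-PatchlinkSpn.ps1 -ServerName <host>` after completing step 2; a clean run prints two OK lines and no warnings. The duplicate check is the part worth keeping around, since a stale SPN left on a rebuilt server's old account is a common reason the troubleshooting item "Cannot login to the Patchlink Server" appears even though the new object looks correct.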

    Installation of Patchlink:

    1) Ensure the Windows installation is a fresh build of W2K3 server with FNAL required hotfixes. Do not install any applications that use MSDE. Do not enable Terminal Services.

    2) Include the following Windows components (Add/Remove Components > Windows Components):

    a. Application Server\Application Server Console
    b. Application Server\ASP.NET
    c. Application Server\Enable COM+ access
    d. Application Server\IIS

    3) If Windows IP Security Filters are used, make sure tcp/80 and tcp/443 are open to the Patchlink Corp. update servers.

    4) Follow the installation instructions in Section 2.1 of the Patchlink deployment guide.

    5) After the installation of Patchlink is complete and the system reboots, add the following users to the PLUS ADMINS local group:

    ASPNET
    IWAM_

    6) Install Terminal Services and harden the server as required.

Setup for Anonymous Agent updates:

    Since the built-in agent supplied with Patchlink uses a locally defined account on the Patchlink server and has an easily calculated password transmitted in Base64 to the Web Server, it is best to allow for anonymous client fetching of the policies, updates and inventory. This local user account is normally used only for authenticating to IIS to prevent unauthorized clients from contacting the Patchlink server and using a client license. However, since this user account is a native Windows account, and must be granted access for logon over the network, it can be used by intruders to gain more privileged access to the Windows operating system. Note that this user account is not defined on the clients, but rather uses a known/static username and an easily guessed password scheme.

    1) Open the User Manager on the Patchlink server.

    2) Disable the PLUS_AGENT user account.

    3) Change the password for the PLUS ANONYMOUS user.

Next, you must change the IIS PLUS web site to use this PLUS ANONYMOUS account:

    1) Open the IIS Admin utility (or access it through Computer Management).

    2) Navigate to the PLUS site tree.

    3) Right-click on the Update directory and select Properties.

    4) Navigate to the ‘Directory Security’ tab.

    5) Click on the EDIT button in the ‘Authentication and Access Control’ section.

    6) Deselect all the checkboxes in the ‘Authenticated Access’ section.

    7) Select the checkbox in the ‘Enable Anonymous Access’ section.

    8) Enter PLUS ANONYMOUS as the username.

    9) Enter the password you set for the PLUS ANONYMOUS account in the password box.

Follow steps 1-9 for the UpdateStorage, Gravitix, dagent and ErrorMessages directories. If the PLUS ANONYMOUS username is already defined in the ‘Enable anonymous access’ section, be sure to change the password in this section to the password you previously set.

Configure for Kerberos Authentication for Administration:

    1) Open the IIS Admin utility (or access it through Computer Management).

    2) Navigate to the PLUS site tree.

    3) Right-click on the PLUS site and select Properties.

    4) Navigate to the ‘Directory Security’ tab.

    5) Ensure the ‘Enable Anonymous Access’ checkbox is unchecked.

    6) Uncheck the ‘Basic authentication’ checkbox in the ‘Authenticated Access’ section.

    7) Check the ‘Integrated Windows authentication’ checkbox in the ‘Authenticated Access’ section.

    8) After clicking OK, you may be prompted with an ‘Inheritance Overrides’ message box listing a number of directories from the PLUS tree. Select everything BUT the DAgent, ErrorMessages, Gravitix, Update and UpdateStorage child nodes. If you accidentally select all child nodes, follow steps 1-9 in the ‘Setup for Anonymous Agent updates’ section above to reset these directories for PLUS ANONYMOUS access only.

This screenshot displays the directories that SHOULD NOT be selected in the ‘Inheritance Overrides’ dialog. Anything else that is listed in your installation should be selected.

At this point, everything should be set up correctly. Reboot the server to ensure all changes are in effect.
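Between the anonymous-agent section and the Kerberos section above, the PLUS site ends up with two different authentication profiles: the five agent directories must allow only anonymous access as PLUS ANONYMOUS, and everything else must allow only Integrated Windows authentication with Basic turned off (Basic would send the administrator's credentials Base64-encoded, the same weakness the guide describes for the agent account). The script below is an added example, not part of the original guide, that reads the IIS 6 metabase through its ADSI provider and reports any directory that drifts from that profile, which is also the check behind troubleshooting item 2. It assumes the site's description in IIS Manager is ‘PLUS’ and that it runs locally on the server as an administrator.

```powershell
# Added example (not from the original guide): audit Directory Security on the
# IIS 6 PLUS site against the settings the guide specifies.
# Run locally on the Patchlink server in an administrative PowerShell session.
$siteComment = 'PLUS'                                   # assumption: site description in IIS Manager
$anonDirs    = @('Update', 'UpdateStorage', 'Gravitix', 'DAgent', 'ErrorMessages')
$anonAccount = 'PLUS ANONYMOUS'
$anonForms   = @($anonAccount, "$env:COMPUTERNAME\$anonAccount")  # metabase may store either form

function Get-AuthSettings([System.DirectoryServices.DirectoryEntry]$node) {
    # AuthAnonymous / AuthBasic / AuthNTLM are the metabase flags behind the
    # 'Authentication and Access Control' dialog; AnonymousUserName is the
    # account entered in the 'Enable Anonymous Access' section.
    New-Object PSObject -Property @{
        Path       = $node.Path
        Anonymous  = [bool]$node.Properties['AuthAnonymous'].Value
        Basic      = [bool]$node.Properties['AuthBasic'].Value
        Integrated = [bool]$node.Properties['AuthNTLM'].Value
        AnonUser   = [string]$node.Properties['AnonymousUserName'].Value
    }
}

# Find the site by its description rather than assuming a site ID.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$site  = $w3svc.Children | Where-Object {
    $_.SchemaClassName -eq 'IIsWebServer' -and $_.Properties['ServerComment'].Value -eq $siteComment
}
if (-not $site) { throw "No web site with description '$siteComment' found in the metabase" }
$rootPath = "IIS://localhost/W3SVC/$($site.Name)/Root"

# Site root: Integrated Windows authentication only.
$root = Get-AuthSettings ([ADSI]$rootPath)
if ($root.Anonymous -or $root.Basic -or -not $root.Integrated) {
    Write-Warning ("Site root: expected Integrated only; found Anonymous={0} Basic={1} Integrated={2}" -f `
        $root.Anonymous, $root.Basic, $root.Integrated)
} else {
    Write-Host "OK   site root uses Integrated Windows authentication only"
}

# Agent directories: anonymous access as PLUS ANONYMOUS, nothing else.
foreach ($dir in $anonDirs) {
    try {
        $s = Get-AuthSettings ([ADSI]"$rootPath/$dir")
    } catch {
        Write-Warning "$dir : directory not found under the PLUS site"
        continue
    }
    $problems = @()
    if (-not $s.Anonymous)                 { $problems += 'anonymous access is disabled' }
    if ($s.Basic -or $s.Integrated)        { $problems += 'an authenticated access method is still enabled' }
    if ($anonForms -notcontains $s.AnonUser) { $problems += "anonymous user is '$($s.AnonUser)', not $anonAccount" }

    if ($problems.Count -eq 0) {
        Write-Host "OK   $dir allows anonymous access as $anonAccount only"
    } else {
        Write-Warning ("{0}: {1}  (re-run steps 1-9 of 'Setup for Anonymous Agent updates')" -f $dir, ($problems -join '; '))
    }
}
```

The script only reads the metabase, so it is safe to run after every change to the site and after the ‘Inheritance Overrides’ step, which is where the agent directories most often get reset by mistake. If it reports a warning for an agent directory, the agents will show the "server could not be contacted" symptom from the troubleshooting section; if it reports a warning for the site root, administrators will either be prompted for a password or silently use Basic authentication.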

Adding user accounts:

    Patchlink users are defined in a local Windows group for authentication, but are assigned a SQL role within the Patchlink SQL database. At this time, you cannot add a Domain Group to the local group and assign Patchlink roles to the member users. Instead, you must add each user individually to the local Windows group.

    1) Open up the User Manager.

    2) Add the user accounts that you want to be able to administer the Patchlink Server to the PLUS ADMINS local Windows group.

    3) On the Patchlink server, open up IE to http://.fnal.gov

    4) Enter Patchlink for the username and the password you assigned during the initial setup.

    5) Click on the Users link.

    6) Select the user you wish to edit and click the EDIT button.

    7) Follow the Patchlink User Edit wizard to assign the appropriate Patchlink role to the user.

At this point, you don’t need the Patchlink user anymore. It would be best to disable this account in the Windows User Manager to prevent it from accidentally being used and violating the Strong Authentication policies. You should now be able to authenticate to the Patchlink Administration server by using Kerberos Authentication with your current credentials (providing you are logged on as a Patchlink allowed administrator). If not, you will be presented a dialog box where you can type in your Fermi\username and obtain a TGT and HTTP service ticket for your alternate credentials.

    Troubleshooting:

    1) P: You receive errors while installing the Patchlink Server that startdb.exe, startjobs.exe and installcr.exe could not be found.

    R: You have Terminal Services enabled during the installation. Remove Terminal Services and re-install the Patchlink server.

    2) P: When installing the client agents, you receive an error that the server could not be contacted, the agent could not register with the server or the database could not be opened.

    R: You need to ensure the PLUS ANONYMOUS account is entered in the ‘Enable Anonymous Access’ section and all other authentication methods are deselected in the Directory Security settings for the following directories in the IIS PLUS tree:

    Gravitix
    Update
    UpdateStorage
    DAgent
    ErrorMessages

    3) P: Cannot login to the Patchlink Server for administration.

    R: Ensure you are connecting from a domain member workstation. Also, try to re-login to the workstation using the account defined in the Patchlink Server. Run the klist utility to ensure you have a HTTP/ service ticket.
