The Fermilab Computer Security Team administers the
laboratory's computer security program and provides the Fermilab
community with technical expertise and up-to-date information and
resources for improving computer security.
What's New
- October 23, 2008: FNAL Critical Vulnerability: Microsoft Server Service (MS08-067)
- October 14, 2008: Enhanced the description and remediation of the SSHd Password and Public Key Authentication Strong Authentication policy violations.
- October 7, 2008: Added pages on policy violations for VNC, Timbuktu, pcAnywhere and Windows Remote Desktop to the Critical Vulnerabilities page (along with some information on correcting these issues).
- August 26, 2008: Released a new CA Certificate for the Fermilab Kerberized Certificate Authority servers (KCA) as the old CA certificate expires in October of 2008. The new CA Certificate expires in 2018. See the page on CA Certificate Downloads for information on downloading and installing the Fermilab KCA CA Certificate.
- May 28, 2008: Switched to new production KCA servers with new Subject Distinguished Names for people and robots.
- May 8, 2008: Added a list of the KCA certificate Distinguished Names for robots (special Kerberos principals) which will be issued by the new KCA servers.
- May 2, 2008: Added initial list of the KCA certificate Distinguished Names for people which will be issued by the new KCA servers.
- April 22, 2008: FAQ concerning the new KCA service
- April 3, 2008: Instructions for forwarding Apache access, error, etc. logs to central logging can be found here. Apache baseline is CD-DocDB #1536. RA policies are #2336 and #2360.
- January 11, 2008: See Issues with Expired Certificates for instructions on dealing with expired certificates in your certificate stores. Some of you may have an expired DOEGrids CA certificate which might be causing problems.
- December 11, 2007: Added the start of a How-To Guide, Notes on Changing Your Kerberos Passwords.
- October 9, 2007: Changed the configuration files used to generate DOEGrids host/service certificate requests to include a single CN in the DN; for multi-homed nodes use a regular expression such as (a|b|c|d).fnal.gov for this CN.
- August 30, 2007: Updated the Tools page: linked to a newer release of Win32OpenSSL and removed the link to Kerberos Client-only for Windows/Cygwin, as this package is no longer supported and very much out of date.
- August 15, 2007: DOEGrids Certificate Users: Please renew (replace) your personal certificates as soon as you receive the renewal notice e-mail from DOEGrids.org. Do not wait until the expiration date, since the pki1.doegrids.org service site will not accept expired certificates for authentication.
- April 9, 2007: Updated the krb5.conf template file to match the Kits Test version (V2.4), adding the CERN.CH realm.
- December 08, 2006: Modified KCA configuration so the issued certificates are only valid as SSL Client certificates (and not for E-mail signing) in order to make use of KCA certificates easier for Macintosh u.Mail users.
- September 29, 2006: How-To Access the Baseline Documents in DocDB. A presentation with step-by-step instructions is now available.
- June 23, 2005: CST RSS Feed available
- Mar 9, 2004: Email containing a virus is now dropped at the email gateway to avoid flooding.