- How do I know if I need to request an exemption?
- To request an exemption, cut and paste the text below into an email message, answer the questions, and email it to your GCSC. He or she will then forward the request to the computer security team for approval.
Request for an exemption from mandated Kerberos configuration. All questions must be answered.

List of nodes
Node names:
IP addresses (or DHCP):
Operating system:
Non-kerberized network services offered (only list network services that are moral equivalents of telnet or ftp):
Alternate modes for securing these services (such as encrypted logins, restrictions to specific IP addresses, restrictions to specific users, etc.; if systems are to be "hidden" behind a kerberized gateway, give details of the gateway system here):
Reason system cannot be kerberized:
Date system will be removed from service (exemption request must be resubmitted annually if system will not be turned off):
Responsible individual (must be on the registered sysadmin mailing list; if not registered, go to http://miscomp.fnal.gov/sysadmindb/). Include name, email, phone number:
_______________
Approval (to be filled out only by computer security team):
What Requires an Exemption?
In general, any systems that offer non-kerberized network services similar to telnet, rsh or ftp (i.e., anything that lets you run arbitrary commands or programs or transfer arbitrary kinds and amounts of data) must request an exemption. However, the following types of systems have already been granted blanket exemptions and so do not need to make individual requests:
- Systems that are part of a critical system with an approved critical system security plan (such systems must of course abide by the critical system plan)
- Windows systems that are abiding by W2000 migration plans
- Printers, oscilloscopes, microwaves, etc. There are still security issues with these systems, and some security precautions may still be needed (limiting access, and so on).
- Systems only offering anonymous ftp (providing the standard precautions about anonymous ftp are followed)
Note that systems offering non-kerberized network services (like telnet or ftp) that are not visible from the general internet are in accordance with policy but must still file an exemption request to allow us to keep track of such systems.
Windows Systems (95/98/NT/2000)
Until January 31, 2003, authentication in the old NT domain will still be allowed using existing NT domain authentication, without requiring any waivers. But note that as of January 1, 2002 any network services on any Windows systems other than NT domain authentication require that you perform one of the following actions:
- turn off the service
- kerberize the service (unlikely until the migration is complete)
- request a waiver
As of January 1, 2002, a Windows 95/98/NT system will be allowed to offer network services only if it is a managed server that has an official migration date.
When the W2K migration is complete (date not yet known), Windows 2000 systems will be required to use Kerberos authentication or request a waiver for services that are the moral equivalent of telnet or ftp. Windows 95/98/NT systems will need to use NTLMv2 authentication to log into the W2K domain.
Waivers are required for workstations or servers running ftp servers (other than anonymous ftp), telnet servers or terminal servers, and for those using such products as WinCenter, PCAnywhere, Timbuktu, VNC, or other products that allow remote execution of commands or file sharing (even between desktops). A Windows system running only client software does not necessarily need a waiver, but any server offering these services does.
List of General Computer Security Coordinators (GCSC):
- Beams: Tim Zingelman (zingelman@fnal.gov)
- BSS: Tom Ackenhusen (tackenhu@fnal.gov)
- CDF: Rob Harris (rharris@fnal.gov)
- Computing: Matt Crawford (crawdad@fnal.gov)
- D0: Mike Diesburg (diesburg@fnal.gov)
- Directorate: Jud Parker (jparker@fnal.gov)
- ES&H: Matt Arena (arenam@fnal.gov)
- FESS: Ken Fidler (fidler@fnal.gov)
- LSS: Cindy Crego (crego@fnal.gov)
- PPD: Allen Forni (forni@fnal.gov)
- TD: John Konc (konc@fnal.gov)