STAFF SYMPOSIUM SERIES
INFORMATION TECHNOLOGY TRACK FACILITATORS

Carl Brooks, System Manager ‐ Detroit, MI, Chapter 13 Standing Trustee – Tammy L. Terry
Debbie Smith, System Manager – Robinsonville, NJ, Chapter 13 Standing Trustee – Al Russo
Scot Turner, System Manager – Las Vegas, NV, Chapter 13 Standing Trustee – Rick Yarnall
Tom O’Hern, Program Manager, ICF International, Baltimore, MD
STACS ‐ Standing Trustee Alliance for Computer Security

STAFF SYMPOSIUM ‐ IT TRACK
5/11/2017 SESSION 4 ‐ ENDPOINT MANAGEMENT

Information Systems Managers
Windows 10
Debbie Smith System Manager Regional Staff Symposium ‐ IT Track May 11 and 12, 2017 Las Vegas, NV

Windows lifecycle fact sheet

End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. This is the time to make sure you have the latest available update or service pack installed. Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information.

Client operating systems   Latest update or service pack   End of mainstream support   End of extended support
Windows XP                 Service Pack 3                  April 14, 2009              April 8, 2014
Windows Vista              Service Pack 2                  April 10, 2012              April 11, 2017
Windows 7*                 Service Pack 1                  January 13, 2015            January 14, 2020
Windows 8                  Windows 8.1                     January 9, 2018             January 10, 2023
Windows 10, July 2015      N/A                             October 13, 2020            October 14, 2025

* Support for Windows 7 RTM without service packs ended on April 9, 2013. Be sure to install Windows 7 Service Pack 1 today to continue to receive support and updates.

Windows 10 Pro vs Enterprise

Initial Config. & Deployment Issues

Which version of Windows 10?
  ◦ HOME version cannot join domain
  ◦ PRO version (after anniversary update [version 1607]) cannot disable store via GPO (there is a workaround)
      Will include new ‘features’ with updates
  ◦ ENTERPRISE version has 2 license models
      E3 – access to all Windows 10 Enterprise Features
        ◦ Pay‐as‐you‐go cloud license $7 p/user p/month ($1,932 p/year for 23 users)
        ◦ Open Business License $294.99 ($6,785 one‐time purchase)
      E5 – E3 plus Windows Defender Advanced Threat Protection

Initial Config. & Deployment Issues

  ◦ If you upgraded to the FREE version of Windows, you got Home or Pro – Enterprise was never free
  ◦ ENTERPRISE Long Term Servicing Branch (LTSB)
      Does not include:
        ◦ Cortana
        ◦ Windows Store
        ◦ Edge browser
        ◦ Photo Viewer
        ◦ UWP version of Calculator (replaced by classic version)
      Will not receive any feature updates
      Gives companies more control over the update process
      Upgrade license $274.00 p/seat

Compare Windows Versions

Windows 10 Features

BitLocker > PRO & ENTERPRISE
  ◦ Upgrade laptops with HOME to PRO to get BitLocker
Device Guard > ENTERPRISE
  ◦ Helps protect against malware
  ◦ Helps protect the Windows core from vulnerability and zero‐day exploits
  ◦ Allows only trusted apps to run
AppLocker > ENTERPRISE
  ◦ Whitelist apps that can run on the machine

Windows 10 Features

Managed User Experience > ENTERPRISE
  ◦ Restrict access to Cortana & Windows Store
  ◦ Remove and prevent access to Shut Down, Restart, Sleep & Hibernate
  ◦ Remove Log Off from Start Menu
  ◦ Remove Frequent Programs from Start Menu
  ◦ Remove All Programs from Start Menu
  ◦ Prevent users from customizing Start screen
  ◦ Prevent changes to Taskbar and Start Menu
DirectAccess > ENTERPRISE – always‐on VPN

Initial Config. & Deployment Issues

Uninstall bloatware / games using Scot’s PowerShell script
  ◦ Doesn’t remove everything
  ◦ Can’t remove store (after anniversary upgrade on Pro)
  ◦ Even though apps appear to be uninstalled, some come back when new user logs in
      Sway, Feedback Hub, OneDrive, Paid Wifi & Cellular
      Must uninstall these as logged in user
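
Built-in Store apps exist in two places: provisioned in the OS image (installed into each new profile at first logon) and registered per user. The script below is an added example, not the script referenced on the slide; it reports both states for a list of apps and, with -Remove, clears them. The package names in $Targets are assumptions to confirm with Get-AppxPackage, and OneDrive is not a Store package, so it is not covered.

```powershell
#Requires -RunAsAdministrator
# Added example (not the script referenced on the slide). Reports whether each
# target app is provisioned in the OS image and/or installed in a user profile,
# and with -Remove takes it out of both places.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Package names are assumptions; confirm with Get-AppxPackage on your build.
    [string[]]$Targets = @(
        'Microsoft.Office.Sway',         # Sway
        'Microsoft.WindowsFeedbackHub',  # Feedback Hub
        'Microsoft.OneConnect'           # Paid Wi-Fi & Cellular
    ),
    [switch]$Remove
)

# Provisioned packages are staged in the image and installed into every NEW
# profile at first logon, so an app removed only per user returns for new users.
$provisioned = @(Get-AppxProvisionedPackage -Online)

foreach ($name in $Targets) {
    $prov = @($provisioned | Where-Object { $_.DisplayName -eq $name })
    $inst = @(Get-AppxPackage -AllUsers -Name $name)   # existing profiles

    [pscustomobject]@{
        Name        = $name
        Provisioned = $prov.Count -gt 0
        Installed   = $inst.Count -gt 0
    }

    if (-not $Remove) { continue }

    # 1) De-provision so profiles created later do not receive the app.
    foreach ($p in $prov) {
        if ($PSCmdlet.ShouldProcess($p.PackageName, 'Remove provisioned package')) {
            Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
        }
    }

    # 2) Remove the copy registered to the account running this script.
    #    Other existing profiles must run this step themselves.
    foreach ($pkg in @(Get-AppxPackage -Name $name)) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove for current user')) {
            Remove-AppxPackage -Package $pkg.PackageFullName
        }
    }
}
```

Run it without -Remove first to see the report, and add -WhatIf to preview removals.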

Windows Update Issues

Cannot turn off updates in PRO version (can defer)
Set up ACTIVE HOURS so your machine doesn’t restart in the middle of the day (or in court) (Settings > Update & Security)
If you set your WIFI connection to ‘METERED’ Windows *should not* run updates
Set CHOOSE HOW UPDATES ARE DELIVERED (Settings > Update & Security > Advanced Options) and turn off updates to/from other computers on network

Group Policy Settings

If your Windows Server version is prior to 2016, download ADMX for GPO templates
  ◦ There are 2 downloads – 1 for machines running pre‐anniversary update, and 1 for post

Group Policy Settings

Security and functionality
  ◦ Prevent OneDrive Use
  ◦ Turn Off Cortana
  ◦ Turn Off App Updating
  ◦ Turn off Store (ENTERPRISE version only)
      Workaround: Disallow access to store software
  ◦ Remove Store Icon from Taskbar
  ◦ Turn off Live Tile Notification
  ◦ Set Interactive Login (CTRL + ALT + DEL) and Login Message
  ◦ Turn off Action Center
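
To confirm that these settings actually reached an endpoint, and stayed in place after a feature update, the registry values behind them can be audited locally. The script below is an added example, not part of the original slides; the key paths and value names are assumptions based on the standard ADMX templates and should be verified against the ADMX set you deploy.

```powershell
# Added example: compare the registry values behind several policies from the
# list above with the intended state. Key paths and value names are assumptions
# based on the standard ADMX templates; verify them against the ADMX set you deploy.
$store  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Policy = 'Prevent OneDrive use';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive';       Name = 'DisableFileSyncNGSC'; Want = 1 }
    @{ Policy = 'Turn off Cortana';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowCortana';        Want = 0 }
    @{ Policy = 'Turn off app updating';    Path = $store;  Name = 'AutoDownload';       Want = 2 }
    @{ Policy = 'Turn off Store';           Path = $store;  Name = 'RemoveWindowsStore'; Want = 1 }
    @{ Policy = 'Require CTRL + ALT + DEL'; Path = $system; Name = 'DisableCAD';         Want = 0 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A missing key or value returns nothing, which is reported as "(not set)".
    $prop   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($prop) { $prop.($Check.Name) } else { $null }
    [pscustomobject]@{
        Policy    = $Check.Policy
        Expected  = $Check.Want
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Check.Want)
    }
}

$results = @($checks | ForEach-Object { Test-PolicyValue -Check $_ })

# Login message: any non-empty banner text counts as configured.
$banner = "$((Get-ItemProperty -Path $system -ErrorAction SilentlyContinue).LegalNoticeText)".Trim()
$results += [pscustomobject]@{
    Policy    = 'Login message'
    Expected  = '(non-empty)'
    Actual    = if ($banner.Length -gt 0) { 'set' } else { '(not set)' }
    Compliant = $banner.Length -gt 0
}

# Per the slide, "Turn off Store" is honoured on ENTERPRISE only, so a
# compliant value on another edition does not mean the Store is disabled.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($edition -notmatch 'Enterprise') {
    Write-Warning "$edition : 'Turn off Store' value may be set but not enforced."
}

$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { exit 1 }
```

The non-zero exit code lets a scheduled task or deployment tool flag machines that have drifted.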

Privacy Settings

Everything in all categories off (unless necessary)
  ◦ Privacy > General: Opt‐out of personalized ads in browser
Stop Cortana from getting to know you
Turn off your location
Never send Windows feedback
Anniversary update changed previous settings back to default

Privacy Settings: Account Sync

If you log in with a Microsoft account, syncing settings may include sending passwords to Microsoft: TURN THIS OFF
  ◦ Settings > Accounts > Sync your settings

Information Systems Managers
Endpoint Management
Carl W. Brooks Manager of Information Systems Regional Staff Symposium ‐ IT Track May 11 and 12, 2017 Las Vegas, NV

Endpoint Devices

Internet‐capable, TCP/IP network‐capable Hardware

Server
Desktop
Laptops
Smart phones
Tablets
Thin clients
Virtual Machines

Endpoint Security

In network security, endpoint security refers to a methodology of protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry point for security threats.
webopedia.com

Endpoint Management

Asset Control
Endpoint Security
Software Management
Back Up Your Data
Communicate & Document Important Information
Redundancy

Asset Control

Eliminate “Ghost” assets
Conduct physical asset inventories
Tag assets appropriately
Use the right labels for the job

Inventory Software

Snipe‐IT
  ◦ www.snipeitapp.com
PDQ Inventory
  ◦ www.adminarsenal.com
Open AudIT
  ◦ www.open‐audit.org
Spiceworks
  ◦ www.spiceworks.com

Asset Disposal

Repurpose or Dispose
Wipe Data
Removing Tags
Removing from Inventory
Removing from Premises
  ◦ Charity Organization
  ◦ Recycle
  ◦ Destroy\Shred
  ◦ Buy Back

Support Strategies

Trustee and staff
  ◦ In Office
  ◦ At Court
  ◦ At Home
  ◦ On the Road
3rd Party Support\vendors
Debtors\Trainees
Visitors and Auditors

Strategies for supporting auditors and visitors
  ◦ Access to network for Internet, printing, Case data
  ◦ File transfer electronic files
  ◦ Credentialed access to network computer, case management software, ECF/PACER, Wi‐Fi/Internet

Endpoint Security

• Physical Security
• Patch management
• Risk/vulnerability assessment
• Security policy management
• Window/Desktop firewall
• Anti‐virus, SPAM, Malware
• Browser Plugins
• Endpoint Loss and Recovery

Security Considerations

Using Computers (Dos and the Don’ts)
Personal device uses
Access to email
USB charging, connections to Trustee Equipment
Access to Wi‐Fi, LAN, VPN, Internet
Two‐Factor authentication

The Weakest Link: People

A data leak can be avoided if the person involved has better knowledge of data protection. Users are recommended to develop an information security mindset, and to build and reinforce good practice through regular updates of information security awareness.

Computer/Data Usage: Do’s

Be accountable for IT assets and data
Adhere to Policy on Use of IT Resources
Use good judgment to protect data
Protect your laptop during trips
Ensure sensitive information is not visible to others
Protect your user ID and password

Computer/Data Usage: Don’ts

Don’t store sensitive information on a portable device without strong encryption
Don’t leave your computer / sensitive documents unlocked
Don’t discuss something sensitive in a public place. People around you may be listening to your conversation

Surfing the Web: Do’s

Validate the website you are accessing
Be cautious if you are asked for personal information
Use encryption to protect sensitive data transmitted over public networks and the Internet
Install anti‐virus, perform scheduled virus scanning and keep virus signatures up to date
Apply security patches promptly
Back up your system and data, and store the backups securely

Surfing the Web: Don’ts

Don't download data from doubtful sources
Don't visit untrustworthy sites out of curiosity, or access the URLs provided in those websites
Don't use illegal software and programs
Don't download programs without permission of the copyright owner or licensee (e.g. Torrent software)

Email: Dos

Do scan all email attachments for viruses before opening them
Use email filtering software
Only give your email address to people you know
Use PGP or a digital certificate to encrypt emails which contain confidential information; staff can use confidential email
Use a digital signature when sending emails to prove who you are

Email: Don’ts

Don't open email attachments from unknown sources
Don't send mail bombs, or forward or reply to junk email or hoax messages
Don’t click on links embedded in spam mails
Don’t click on links in mails when not expecting a link from known parties
Don’t buy things or log in from links

Training your Users

https://securityiq.infosecinstitute.com

What are the Threats?

Plain Old Deception: Phishing
Brute‐Force: Password Guessing
Web Browser Vulnerabilities
USB Drive Attack Vector
Outdated Software\Drivers
Outdated Firmware

How to Secure Endpoints

BIOS or PINs at bootup
Encryption – Disk, Device, Data
Disclaimers, Right to Use, Login consent to use/monitoring/no rights
Patch the system regularly
Install security software (e.g. web filtering, anti‐Virus, anti‐Spam, anti‐Spyware, personal firewall etc.)
Beware of P2P software

Malware Solutions

Kaspersky Endpoint Security for Biz: http://usa.kaspersky.com
Malwarebytes for Business: www.malwarebytes.org/business
Symantec Endpoint Protection: www.symantec.com
Fortinet Endpoint Protection: www.fortinet.com

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume.

Disk Encryption

Symantec Endpoint Encryption
Check Point Full Disk Encryption
Dell Data Protection Encryption
McAfee Complete Data Protection
Sophos SafeGuard
DiskCryptor
Apple FileVault 2
Microsoft BitLocker

• If your computer seems to be working fine, you may wonder why you should apply a patch.
• By not applying a patch you might be leaving the door open for malware to come in.
• Malware exploits flaws in a system in order to do its work.

Patch Management

Operating System Patches
Office Software
Browsers (I.E., Chrome, Firefox, etc.)
3rd Party Software
  ◦ Adobe Acrobat (PDF)
  ◦ Adobe Flash
  ◦ Oracle Java

Patch Management

Know your network
Scan and assess
Rely on a single source for patches
Have an “undo button” for patches
Support a good user and administrator experience
Stay organized
Right‐size

Patch Management

GFI LanGuard: www.gfi.com
Shavlik Patch: www.shavlik.com
Solarwinds Patch: www.solarwinds.com
ManageEngine: www.manageengine.com

Software Deployment

PDQ Deploy: http://www.adminarsenal.com
EMCO Remote Installer: emcosoftware.com/remote‐installer
Ninite: https://ninite.com
Ketarin: http://ketarin.canneverbe.com

Remote Management Issues

• Intrusive vs non‐intrusive remote access
• Cloud/Agent based remote access (may be bad)
• Backdoor into network
• Excessive access through agent features and capabilities
• Access control of remote vendor (enable, disable, terminate)
• Who has access? (Local IT person, Cloud vendor, Case Management Vendor)
• Using two factor authentication

Network monitoring is the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages. It is part of network management.

Network Monitoring

Network Mapping
Device Health Monitoring
Network Traffic Analysis
Flexible Alerting
Wireless Network Monitoring
Automatic Device Discovery
Reporting

Network Monitoring

PRTG
SolarWinds® NPM
Nagios Core
Wireshark
Cacti
ntopng
Zabbix
NMAP

Enterprise Backup Services

Veritas Backup Exec
EMC Networker
IBM TSM
CA Technologies ARCserve
HP Data Protector
CommVault Simpana
FalconStor
Acronis

Backup Strategies

Data on endpoints
OS/firmware
Settings and configuration

Backup Strategies

Policy and Procedures (Where and How?)
• Trustee Smartphone, Tablet, Laptop
• Court tablets and laptops

Backup Strategies

• Local sync vs Cloud Sync
• To use or not to use:
    • iCloud
    • iTunes
    • OneDrive
    • Google Drive
    • Dropbox

Backup Strategies and Products

• Deep Freeze – Tool to reset back to default state after reboot
• Macrium Reflect (freeware) – system imaging
• Acronis (freeware) – system imaging

Lost Recovery Resources

• Find my iPhone (Apple)
• Android Device Manager ‐ Google Play (Android)
• MaaS360 by IBM
• Lo‐jack for laptops (Windows)

Communicate Important Item

Provide Policies and Procedures
Announce Policies and Procedures Changes
Announce Training
Provide Encrypted IT Essentials and Password to Trustee
Quick Report of Problems\Resolutions
Update Cycles\Reboot
Inventory Changes
Objectives\Results

Document IT Essentials

Hardware Vitals
  ◦ Brand
  ◦ Model
  ◦ Serial #
  ◦ Warranty Dates
  ◦ Asset Tags
  ◦ Maintenance Terms
  ◦ Location
  ◦ Assigned User
Important IT Contact Information
Software
  ◦ Keys
  ◦ Maintenance Terms
  ◦ Device Installed On
Passwords for sites, hardware, etc.
Device Settings
Disaster Plan
Policies
Procedures
Training Material

IT Redundancy

Multiple Backup Methods
Multiple Security Points (Firewall, network, devices)
Multiple IT Reporting\monitoring
Documents: Hardcopy & Digital
Live Training, Webinar, Email Tips
Guard against inbound & outbound threats
Two Factor / Multiple Password for access
Notifications for multiple internal parties (ex: [email protected])