Fermilab Computer Security

sidemenu

Policy Guidelines

Technical Info

Support and Services

Certificates

Meetings and Events

Sysadmin Round Table

Contacts

GPG/PGP Keys

Restricted Access

SPAM

The Fermilab Computer Security Team administers the laboratory's computer security program and provides the Fermilab community with technical expertise and up-to-date information and resources for improving computer security.

Verify your node registration. ScanMeNow PortScanMeNow

Was I Scanned? SurfMeNow CertTestNow

mailparse

What's New

whatsnewRC.html

Oct 5, 2012: FNAL Critical Vulnerability: Exposing Adobe ColdFusion Servers to the Internet
November 6, 2012 Computer Security Awareness Day 2012
June 19, 2012: FNAL Critical Vulnerability: Hypernews
June 14, 2012: Cumulative Security Update for Internet Explorer (MS012-037)
June 14, 2012: RE-RELEASE: Vulnerability in RDP (MS12-020)
March 16, 2012: Vulnerability in RDP (MS12-020)
December 27, 2011: FNAL Critical Vulnerability: Telnet server (telnetd) remote code execution
December 8, 2011: Computer Security Awareness Day includes schedule of ITNA-required and Speed Session courses.
November 11, 2011: FNAL Critical Vulnerability: Vulnerability in TCP/IP (MS11-083)
August 24, 2011: FNAL Critical Vulnerability: Flexera FlexNet/FlexLM License Manager
November 9, 2010: Computer Security Awareness Day Schedule of ITNA-required and optional courses.
August 2, 2010: FNAL Critical Vulnerability - Windows .LNK handling (MS10-046)
November 6, 2009: Updated Get-Cert package for Mac OSX adding the -t option to get certificate from the Test KCA server, fix success message handling. (includes fixing use of the encryption password for Globus users).
September 22, 2009: Security Awareness Day 2009 Schedule of presentations for Security Awareness Day 2009
September 16, 2009: Get-Cert for Mac OSX fixed an error which caued the get-cert.sh script to not work under 10.6 and some 10.5 systems. Please re-download this version..
September 10, 2009: See Tools page for a script fo make keytab for use with kcron in a shared (no Kerberos principal account). This script be will added to the Fermi Kerberos Tools for SLF 4 and 5.
September 4, 2009: Get-Cert for Mac OSX updated with new kx509 binaries (v1.05 supports -s server option and 1024-bit keys) and fixes to support Leopard (10.5) and Snow Leopard (10.6).
May 22, 2009: Updated the Proxy Server Manual Configuration document with more details on how to configure a web browser for explicit proxy operation.
May 22, 2009: Updated the FNAL Site Proxy Servers FAQ
May 8, 2009: Published the FNAL Patching timeline
May 7, 2009: New version of get-cert for Mac is available on Tools page. This code should also work on linux. We'd appreciate testing and feedback on both platforms so that, if poosible, we can merge both tools and just have one "unix-like" get-cert
April 20, 2009: How to forward syslog to CST
April 20, 2009: Info about Detecting system changes with checksums posted
April 20, 2009: April 13, 2009: New Thunderbird Add-On: View Switch (Quickly switch your message pane between HTML, Simple HTML, RAW and Plain Text)
April 10, 2009: Check out the Cert Manager Firefox/Thunderbird Extension! (it allows for a shortcut to the Certificate Store manager)
April 3, 2009: Updated the krb5.conf template file to V2.10, added SERVICES domain to [realms].
April 2, 2009: New KCA Service FAQ
April 1, 2009: New Authentication Policy. Be sure to read!
September 5, 2008: Created instructions on how to manually configure your web browser to test the new Proxy Servers.
August 26, 2008: Released a new CA Certificate for the Fermilab Kerberized Certificate Authority servers (KCA) as the old CA certificate expires in October of 2008. The new CA Certificate expires in 2018. See the page on CA Certificate Downloads for information on downloading and installing the Fermilab KCA CA Certificate.
May 28, 2008: Swtiched to new production KCA servers with new Subject Distringuished Names for people and robots
May 8, 2008: Added a list of the KCA certficate Distinguished Names for robots (special Kerberos principals) which will be issued by the new KCA servers.
May 2, 2008: Added initial list of the KCA certficate Distinguished Names for people which will be issued by the new KCA servers.
April 22, 2008: FAQ concerning the new KCA service
April 3, 2008: Instructions for forwarding apache access, error, etc logs to central logging can be found here. Apache baseline is CD-DocDB # 1536. RA policies are #2336 and #2360.
January 11, 2008: See Issues with Expired Certificates for instructions on dealing with expired certificates in your certificate stores. Some of you may have an expired DOEGrids CA certificate which might be causing problems.

December 11, 2007: Added start of How-To Guide on Notes on Changing Your Kerberos Passwords.
October 9, 2007: Changed the configuration files used to generate DOEGrids host/service certificate requests to include a single CN in the DN; for multi-home nodes use a regular expression such as (a|b|c|d).fnal.gov for this CN.
August 30, 2007: Updates on Tools page, linking to newer release of Win32OpenSSL and removed the link to Kerberos Client-only for Windows/Cygwin as this package is no longer supported and very much out of date.
August 15, 2007: DOEGrids Certificate Users: Please renew (replace) your personal certificates as soon as you receive the renewal notice E-mail from DOEGrids.org. Do Not Wait until the expiration date since the pki1.doegrids.org service site will not accept expired certificates for authentication.
April 9, 2007: Updated the krb5.conf template file to match the Kits Test version (V2.4) adding the CERN.CH realm.

What's Not New

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by JK. on Nov 11, 2011.
(Address comments about page to the Computer Security Team.)