IFAS COMPUTER COORDINATORS
Message thread (somewhat abbreviated) among Dennis Brown, Mike Ryabin, Steve Lasley and Dan Cromer:
As I mentioned earlier, I did request that a 7TB storage array be included as part of the video package, which should provide room for archiving, whether recorded here or there. Even with your higher bandwidth coming available, it still won't be able to match the network availability here in Gainesville, so storing and streaming from here is still the best option. Since you have the time available for archiving, I'll discuss with Video Services granting you access to the console here for working on it.
I do that on a routine basis and get very good response from video services. However, availability and archiving of the recordings proved to be an issue. They cannot make those recordings available for more than 1 week (2 weeks max.) due to their storage space limitations. Archiving takes 8-9 hours, and Patrick told me on many occasions that he doesn't have available resources to do it for free. If we could operate such a device locally, I'm sure we'd find a way to somehow fit the archiving process into our daily operations.
As Dr. Monica Elliott stated in her letter to Dean Barrick, we'll take a single Accordent unit if it's our only choice; however, it would offer extremely limited use of recording capability and might become a cause of classroom scheduling conflicts as demand for recording and streaming increases.
As I said earlier, the Polycom RSS2000 and Codian recorders are already available; you just need to coordinate with Video Services to arrange for recording and archiving.
It was my understanding too that Accordent must be permanently attached to a Polycom unit, although they offer a mobile version as well. Our concern is that a single room-based unit will not address recording needs among the six Polycom systems that we'll have to work with by the second half of 2010. Ron Thomas suggested identifying a "primary" Polycom and setting up Accordent there; however, in our case four out of six Polycoms might fit a "primary" status definition at different times.
I discussed this issue extensively with our director and with the IT Committee chairman; we all agreed that while the quality of IP recording is somewhat inferior to the Accordent, it would be acceptable to us if it allowed us to cover a wider scope of our VC network. In addition, our center offered to contribute funds towards purchase of such a device (see attached), as it would be much more useful with the local VC systems.
I gave a quote to Dr. Rieger for ~$15,000 for 8TB storage for this project; Andrew and Chris worked on getting the quote. I was also very strong in my message to him that IFAS must consider the additional support burden. 4-H purchased an RSS2000 recording device last year or the year before that is available. Its disadvantage is NTSC video resolution; the Codian already has video recording capability built in, but it's also NTSC quality. I wasn't brought into the conversation until it was well underway. If an Accordent were purchased, I think it ought to be permanently mounted in a room that would then be used for it, rather than trying to make it mobile between several rooms.
I'm just back from vacation (and deeply buried in back-logged work) but I did listen in to the ICC meeting on the 12th (as my flight out was delayed). I agree with the concerns you related in your e-mail. I was wondering if you had pursued discussion further on your own? I have relayed your concerns to my Chairman until I have time to consider things further; he was curious as to whether or not Mark Rieger was aware of the issues you raise.
I would think that utilizing Accordent more widely (or some alternative solution as you suggest) would require a substantial increase in support staff, server storage, etc. I'm getting the impression that those aspects have not been factored into these plans.
Here's a brief recap of our discussion this morning. Per Dean Barrick's memo to the department and center directors, each unit is offered funds to purchase an Accordent videoconference recording device at a bulk discount price. While it's definitely going to be a step up compared to our present low-quality recording in NTSC resolution, such a solution may not work well for FLREC and other departments. FLREC presently uses three active Polycom systems in the existing building and will add two more systems in the new FAU/UF joint building located a long street block away from our building; also, a Polycom system located in the Broward County Extension office building will be connected to our LAN at about the same time. With such a diverse topology of the site VC network, having one or even two recording devices that need to be physically connected to a VC system may not be an adequate option. Besides, operation of such a device would require operator involvement with appropriate funding. A better solution for such a situation might be an IP-type device capable of recording multiple VC events that can be entered on a connection schedule as a regular VC endpoint. Examples of such devices are the Codian IP-VCR 2200 series (see attached) and the Tandberg Content Server, just to name a few. Although they might be pricier than Accordent, they address a wider scope of capture needs with more flexibility and ease of operation.
I would greatly appreciate it if you would address this issue to the ICC on my behalf.
Mike's interim Director had composed a letter to Dean Barrick on this matter as well.
Andrew added that he had quoted a Dell PowerVault MD300i to provide storage space for this project. It is an iSCSI target with 22-24TB (raw) storage available. It sounds as though they will be going ahead with acquiring that.
Steve said that he thinks it very important that we provide a method of storing and streaming lectures for distance education. More and more people need courses which they can take on demand to fit their schedules and which can be accessed remotely. If UF/IFAS doesn't supply such solutions then other institutions will.
Dennis Brown asked if any of this applies to people on campus. Steve responded that, yes, an on-campus unit would be eligible for an Accordent device. It does a good job of capturing a lecture, but Steve is concerned that the local IT person would need to be involved the entire time during recording; he isn't sure that is really feasible considering all the other things IT support must do. A lower-resolution, less fancy (but perhaps more scalable) alternative is to make better use of current Video Services capabilities for recording.
Mike raised the fact that bandwidth limitations might necessitate remote sites recording and storing things locally. Dan Cromer suggested that perhaps such stored items could then be moved off-hours to campus for centralized distribution, but the details of how all this might work will definitely need to be investigated.
After the meeting, Lance Cozart shared that he had been working with CCS Presentation Systems on pricing and packages. They claim that they will beat anyone's prices, and CCS has indeed beaten any price that Lance has seen. They are also working on finding grant money for both Polycom and Tandberg; CCS tells Lance that Tandberg has grant money for their equipment, so it might be possible to get some of this equipment for free. CCS is working on having Tandberg lower their prices and give the University special pricing. Our contact at CCS is Joshua Sigmon, phone 904-998-7227 Ext. 219. Lance is also working with CCS to come up with a couple of cookie-cutter video conferencing packages that they could install for us at the same price point as the video conferencing group charges.
Lance also related that he is working with CCS on a free demo room. In his original meetings with CCS, they offered to donate around $50,000 worth of equipment toward any type of room, which could include a seminar room, classroom, video conference or telepresence room, multipurpose room, or auditorium. CCS would replace the equipment every year. The thought was that we could use this room as one of the higher room standards. If this goes through, Lance needs to know the location and type of room we want.
Videoconferencing documentation being posted via SharePoint
Lance Cozart and Marion Douglas are updating a SharePoint video conferencing section and adding quite a few video conferencing documents. Some of these documents are still being worked on. Lance wants to organize the permissions as well. The link is http://my.ifas.ufl.edu/sites/services/ics/vc/_layouts/viewlsts.aspx.
WAN transition to CNS (previous discussion)
Updates from James Moore
James was unable to make it to our January, February and now our March meeting. He emailed that he was in the middle of converting all the IFAS Bellsouth circuits to AT&T and was prepping weekend changes for that. He has another two weeks of intense work to get Belle Glade, Immokalee, Vero, Ona & Live Oak REC circuits upgraded, and is looking forward to an easier project load by April.
Dan Cromer raised this discussion topic via the ICC-L recently. In July 2004 Dan assured the VP and Deans that older e-mail addresses would work for 10 years. Dan noted that now it’s “only” 4 years to 2014, and if we’re going to remove e-mail domains, we’ll need to give users plenty of warning. Dan mentioned having removed the @mail.ifas.ufl.edu alias from his own account more than a year ago, as he was only getting spam there. Removing it for all might significantly reduce mail load, but Dan suggested we’d need to get general consensus from users.
Dan Cromer had related that the search is down to three candidates. There is a web site available for following progress. Dan said that all three of the final candidates come from other universities. He expects the hire to be made fairly quickly now. Dr. Frazier spoke a bit about this and the status of IT governance at yesterday's ITAC-NI meeting.
Identity Management (IdM) Interface Training via Polycom, Wednesday, March 17th at 2:30-4:30 PM
Nancy Hodge recently sent a notice to all UF Directory Coordinators which Dan Cromer had forwarded to the ICC-L. Nancy indicated that a UF Focus group had been working the past several months on policies and an improved interface for managing UF's identity information. Directory Coordinators are being asked to attend training during the month of March, 2010 and IFAS training is being handled via Polycom. You can view the Event Calendar at http://video.ufl.edu to determine the Conference ID for connection. Those attending should let Nancy know.
ITAC-NI still meeting (previous discussion)
The committee skipped February but did meet yesterday and the draft minutes are now available.
Steve had no updates but wants to keep this on our radar.
Steve wants to keep this on our agendas in case discussion seems warranted.
Junk E-mail folder will no longer be populated by Exchange
This has been implemented now as everyone no doubt knows. If Outlook users set their Junk E-mail settings to the recommended "No Automatic Filtering" then no messages should ever go to the Junk E-mail folder and thus the user will have one less place to look for false positives.
Other changes affecting spam
Dwight Jesseman recently worked with the various mail server admins on campus to remove the secondary MX record for Exchange which pointed to spam.mail.ufl.edu. Spammers had learned to target that server directly; with it removed, all outside mail now gets analyzed for spam via the central UF system. Apparently that system is doing a great job, because the amount of spam being received dropped markedly:
Centralized FAX service via Exchange (previous discussion)
Steve wants to keep this potential service in everyone's minds as it seems a logical direction for all to take.
Office Communications Server (prior discussion)
The topic had been discussed somewhat earlier in the meeting.
Steve wants to keep this on the agenda for future reference.
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Further login script changes to accommodate Windows 7
Issues had been reported regarding the running of login scripts for Windows 7 machines which had multiple users. Andrew Carey diagnosed the issue and believes the changes he has made will resolve things:
Message from Andrew Carey to the ICC distribution group:
I have implemented a revised login script to address the issues that were discussed last week. Please let me know if you continue to have login script issues.
For those of you who like details:
In this revision, I have modified the scheduled task name to "IFAS Login Script for username" so that multiple users can run the script without conflicting, and set the task to delete itself three minutes after it is run so that communal computers don't become clogged with a scheduled task for each user that logs in.
I also simplified the login script process by combining the CheckOS.vbs and launchapp.wsf scripts into a single script (CheckOS.vbs). Having a script calling a script that called yet another script made troubleshooting the location of a problem challenging. The functionality of both scripts was preserved: the script still determines the user's operating system and either runs login script.vbs or schedules it as a task, depending on the OS version.
Please let me know if you have any questions.
Printer mapping issues
Andrew has had several reports of printers not mapping and would like anyone experiencing this to get in touch with him. He believes it involves Point and Print Restrictions but would appreciate help in nailing down the true scope of the issue. Daniel Solano reported seeing this on some machines; printers seem to be installing drivers only if the user logging on has local admin rights. The problem may have arisen secondary to driver updates; Andrew has been adding 64-bit printer drivers to support Win7 boxes and is consequently changing the 32-bit drivers to match.
Kamin Miller said he had noticed printer mapping issues primarily with 64-bit Windows 7 systems. Andrew suggested that this might have been due to the 64-bit driver not being there yet. Kamin had also noticed that the HP Universal drivers (the only drivers HP had available for Win7 x64 with some printers) were crashing when printing from Office apps; he had worked around that by substituting Vista drivers.
Windows 7 deployment
Steve received a number of Dell OptiPlex 780's recently and wanted to investigate better ways of deploying these with Windows 7. Andrew put Steve in touch with Daniel Solano, who now has a Windows 7 image ready for testing. Daniel and Steve had issues getting PXE boot to work from Steve's subnet. Then they had issues with accessing SCCM via bootable media as well. While Daniel investigated, Steve began playing around with WinPE and imagex.
Steve added some network drivers to WinPE using Daniel's great instructions and managed to make a boot disk with imagex which worked with the 780s. Then Steve tried loading Daniel's image manually, which worked fine; in doing that he learned a few things that Daniel had done to modify the image. Steve changed things a bit from Daniel's imagex deployment instructions, however, because he wanted to retain the Dell maintenance partitions. Doing that involved figuring out how to use diskpart and get the image loaded on the right partition.

Having had this success, Steve decided to experiment with making his own image. He took one of the machines and installed Win7 32-bit Enterprise. Just for kicks he added most all the stuff he will be putting on these boxes, including Office 2007, McAfee Agent and VirusScan. Then Steve used very enlightening instructions he had found to make an answer file. He left out the MAK and changed the time zone from what is listed there but otherwise kept everything the same. After he was done, Steve remembered that he had forgotten to kill the McAfee Agent GUID, but that is a registry fix which can be done manually for now and fixed in the image later.
Steve then imaged that C: partition onto a network store, swapped out machines, ran a bit of diskpart magic and loaded the image via a WinPE boot disk and imagex. When done it wouldn't boot, but he then booted off the WinPE disk again and ran "C:\Windows\System32\bcdboot C:\Windows /l en-US /s C:" and voila! It turns out that Windows 7 creates a second system partition when installed on a clean volume; that probably caused the issue. We will likely want a dual partition in our standard image so it can support BitLocker on laptops, so learning about this is useful.
Micah Bolen reported that he has become a bit disappointed in the fact that all the best deployment features are part of SCCM and are not available in the Microsoft Deployment Toolkit 2010. Steve notes that learning imagex, diskpart, dism, etc. is very useful, though, because SCCM is essentially an automated scripting solution which makes use of these basic parts.
Nothing further was available on this topic at this time.
Wayne Hyde has this on his schedule for after the SAN upgrade (which begins next week) is completed.
Services Documentation: Is a Wiki the way? (prior discussion)
There has been some discussion on the UFIT-Wiki-L list about how access will be controlled to UF IT Wiki. Ben Beach was unavailable so Dan Cromer relayed what he knew of this. Apparently there was some confusion concerning the mission of the wiki and Dr. Zazueta believes it is best to have two wikis: one for IT people and one for general Help Desk. Dan's suggestion is to have a main Wiki page accessible to all and use that to direct general Help Desk info queries to the Help Desk Wiki and IT support folks to the IT Wiki which would be restricted to IT support folks. Doing this latter part will take some effort, however, because there isn't an "IT staff" role per se. Those in certain job classifications will be added automatically, but others will be able to request access and that will be granted via adding them to a UFAD security group.
Avoiding the logon screen security message with the MyUFL splash screen
David Bauldree had reported to the ICC-L that the UF Help Desk had provided a solution to a security message that apparently pops up in IE when logging on to MyUFL. David was not comfortable with the broad solution the Help Desk provided and had asked for comment. Dan Cromer recommended configuring http://*.ufl.edu and https://*.ufl.edu as Local intranet sites, then allowing mixed content in that zone. Dan noted that this also has the advantage of limiting the number of username/password windows that pop up when accessing different folders and documents in SharePoint.
Kevin Hill then noted that this can be done via GPO:
BUT, that is not a good method for those in the Co-Managed OUs, and that situation applies to most of us. If you implement the zone assignments in the way Kevin demonstrates it will override the similar Group Policy Preference registry settings which are done by the "IF-Co-Managed User" GPO. That will remove the "file://ad.ufl.edu" setting it supplies and those using Windows 7 will start getting prompted via dialog box (Open File - Security Warning) to run the various logon script files. Most annoying.
There is a GPP equivalent that should work according to Steve's research (with Andrew's help), but it is as yet untested. The registry settings to add should be:
To add the http://*.ufl.edu you would use the following:
Value name: http
Value type: REG_DWORD
Value data: 0x1 (1)
...adding it to
Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ufl.edu
Similarly, to add the https://*.ufl.edu setting, you would use these:
Value name: https
Value type: REG_DWORD
Value data: 0x1 (1)
...adding it to
Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ufl.edu
The place to add those would be in the Preferences>Windows Settings>Registry GPP section of your "IF-ouname User" GPO in the People branch of UFAD.
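An added audit script (not from the ICC notes or any UFAD GPO) that reads the zone assignments a user actually ends up with, so the two GPP registry items above can be verified after a gpupdate, the file://ad.ufl.edu entry from the Co-Managed GPO can be confirmed still present, and a conflicting GPO "Site to Zone Assignment List" can be spotted. The registry paths are the standard Internet Explorer ones; the expected zone (Local intranet) and the mixed-content check follow Dan's recommendation.

```powershell
# Added example, not from the ICC notes or from any UFAD GPO: audit the Internet Explorer
# zone assignments the current user actually has, check them against the ufl.edu guidance,
# and flag a Group Policy "Site to Zone Assignment List" that would override GPP entries.
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZoneNames     = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$UserZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$UserZones     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-UserZoneAssignments {
    # ZoneMap\Domains holds one subkey per DNS label (Domains\ufl.edu\ad is ad.ufl.edu) and, under
    # each, one value per scheme (http, https, file, or * for any) whose data is the zone number.
    # This is where the GPP registry items from the notes land. IP ranges under Ranges are skipped.
    $root = Join-Path $UserZoneMap 'Domains'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key    = $_
        $labels = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
        [array]::Reverse($labels)                      # ufl.edu\ad  ->  ad.ufl.edu
        $domain = $labels -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Site     = "${scheme}://$domain"
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
                Source   = 'User ZoneMap (GPP or manual)'
            }
        }
    }
}

function Get-PolicyZoneAssignments {
    # The GPO method (Site to Zone Assignment List) writes REG_SZ values named for the site, with
    # the zone number as data, under Policies\...\ZoneMapKey. While that policy applies it takes
    # precedence over the user's own ZoneMap, which is why it clobbers the Co-Managed GPP entries.
    if (-not (Test-Path $PolicyZoneMap)) { return @() }
    $key = Get-Item -Path $PolicyZoneMap
    foreach ($site in $key.GetValueNames()) {
        $zone = [int]$key.GetValue($site)
        [pscustomobject]@{ Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone]; Source = 'Group Policy (ZoneMapKey)' }
    }
}

function Test-UflZoneConfig {
    # Expected state from the notes: http://ufl.edu and https://ufl.edu in Local intranet (1),
    # mixed content enabled for that zone, and the file://ad.ufl.edu entry from the
    # IF-Co-Managed User GPO still present. Returns a list of findings; an empty list means OK.
    $user     = @(Get-UserZoneAssignments)
    $policy   = @(Get-PolicyZoneAssignments)
    $findings = @()
    foreach ($want in 'http://ufl.edu', 'https://ufl.edu') {
        $hit = $user | Where-Object { $_.Site -eq $want } | Select-Object -First 1
        if (-not $hit)           { $findings += "MISSING: $want has no zone assignment" }
        elseif ($hit.Zone -ne 1) { $findings += "WRONG ZONE: $want is in $($hit.ZoneName); expected Local intranet" }
    }
    if (-not ($user | Where-Object { $_.Site -eq 'file://ad.ufl.edu' })) {
        $findings += 'MISSING: file://ad.ufl.edu; expect "Open File - Security Warning" prompts for logon scripts on Windows 7'
    }
    # Value 1609 under Zones\<n> is "Display mixed content": 0 = enable, 1 = disable, 3 = prompt.
    $mixed = (Get-ItemProperty -Path "$UserZones\1" -Name '1609' -ErrorAction SilentlyContinue).'1609'
    if ($mixed -ne 0) {
        $shown = if ($null -eq $mixed) { 'not set (zone default)' } else { $mixed }
        $findings += "MIXED CONTENT: Local intranet 1609 is $shown (0 = enable); the MyUFL security message will still appear"
    }
    if ($policy.Count -gt 0) {
        $findings += "CONFLICT: Site to Zone Assignment List is applied by GPO ($($policy.Count) sites) and overrides the user ZoneMap entries checked above"
    }
    $findings
}

# Usage: list everything, then check against the expected state from the notes.
Get-UserZoneAssignments   | Sort-Object Site | Format-Table Site, ZoneName, Source -AutoSize
Get-PolicyZoneAssignments | Format-Table Site, ZoneName, Source -AutoSize
$result = Test-UflZoneConfig
if ($result.Count -eq 0) { 'OK: ufl.edu zone assignments match the ICC guidance' } else { $result }
```

Run it in the user's own session (not an elevated one under a different account), since everything here lives under HKCU.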
Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only
The ". IFAS-ICC-fans" security group is now mail-enabled so Steve can add others, such as Dwight Jesseman, to our meeting notices using that group. Again, the idea is for that group to contain some-to-all of the ICC-L subscribers who are not in the ". IFAS-ICC".
Steve noted that he had located an interesting whitepaper: the Climate Savers Power Management Computing System Design Guide. Steve asked if anyone had anything to add on this topic this month.
Steve had left this on the agenda in case further discussion was deemed warranted.
Steve wants to keep this topic on our radar.
Moving away from the IFAS VPN service (previous discussion)
Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.
VDI desktops as admin workstations (previous discussion)
This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.
More stuff from Wayne is pending him finding the time to work on this.
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew has a good plan for dealing with this which he simply has had no time to address.
Andrew reported that they have deployed the first new DC / MPS server at Fisheries. They are letting it "burn in" a while prior to migrating off the old MPS server, however. They did run into an issue where the current closet was small and had inadequate ventilation, which led to overheating. Andrew wanted to get that warning out to district support to be on the alert for sites which may have similar issues and to begin looking at alternative deployment points.
The DC is running as a read-only DC (RODC) and is the first such server running on Win2K8 R2. These RODCs have both a "pre-populated" cache and an "allowed" cache for local storage of user passwords. The pre-populated group will consist of any accounts within the OU for that site. This will allow those local users to authenticate even when WAN links are down. The decision was made to allow anyone in IFAS to have their passwords cached on these as well; thus once someone has logged on there, their password will be cached and they can thereafter work even when the WAN link is down. This will help IT support folks whose duties cross OU/site boundaries.
Steve asked if Mike makes the DC image. Andrew responded that ITSA creates those but Mike does the DCPROMO. Andrew noted that since these are RODCs, ITSA admins can be given access to log in locally to the DC; they can't really do much there because they don't have Domain Admin rights. Since nothing is pushed to campus from these DCs, there is not much damage that could be done either intentionally or by accident. The machines are prepped here on campus so their cache is pre-populated before deployment; that avoids having to download a great deal of directory information at one time via the WAN links.
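The pre-populated and "allowed" caches described above are the RODC's Password Replication Policy (PRP), and the caching-anyone-in-IFAS decision means the set of secrets sitting on a branch box grows over time. The following is an added audit script, not from the ICC notes or the IFAS RODC build, that reports what the PRP allows, which secrets are actually cached, and whether any cached account is AdminSDHolder-protected (adminCount = 1), which is what you want to know if a site closet is not physically secured. It assumes the ActiveDirectory module (RSAT) and PowerShell 3 or later; the RODC name is a placeholder.

```powershell
# Added example, not from the ICC notes or the IFAS RODC build: audit an RODC's Password
# Replication Policy against what is actually cached on it. Requires the ActiveDirectory
# module (RSAT) and PowerShell 3 or later. The RODC name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-RodcCacheReport {
    param(
        [Parameter(Mandatory)] [string] $RodcName,
        # Denied list Windows puts on a 2008 R2 RODC by default; warn if any entry was removed.
        [string[]] $ExpectedDenied = @('Administrators', 'Account Operators', 'Server Operators',
                                       'Backup Operators', 'Denied RODC Password Replication Group')
    )
    # The policy: principals that may be cached (Allowed) and that never may be (Denied wins on conflict).
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied)

    # The reality: secrets currently stored on the RODC (pre-populated or cached at logon), and every
    # account that has authenticated through it, whether or not its secret was eligible for caching.
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts)

    # Protected accounts whose secrets sit on the branch box are the exposure to review when the
    # closet is not physically secured: an RODC's disk can be read offline like any other.
    $protectedCached = foreach ($acct in $revealed) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
        if ($obj.adminCount -eq 1) { $obj.Name }
    }

    # Accounts that logged on through the RODC but were not cached will fail when the WAN link drops;
    # they are the candidates for the Allowed list (or for pre-population before the box ships).
    $notCached = foreach ($acct in $authenticated) {
        if ($revealed.DistinguishedName -notcontains $acct.DistinguishedName) { $acct.SamAccountName }
    }

    $missingDenied = foreach ($name in $ExpectedDenied) {
        if ($denied.Name -notcontains $name) { $name }
    }

    [pscustomobject]@{
        Rodc                    = $RodcName
        AllowedEntries          = $allowed.Name
        DeniedEntries           = $denied.Name
        CachedSecrets           = $revealed.Count
        ProtectedAccountsCached = @($protectedCached)
        AuthenticatedNotCached  = @($notCached)
        DeniedListMissing       = @($missingDenied)
    }
}

# Usage with a placeholder RODC name; a non-empty ProtectedAccountsCached is the finding to act on.
$report = Get-RodcCacheReport -RodcName 'FISH-RODC01'
$report | Format-List
```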
Andrew plans to begin migrating the data off the old MPS server at Fisheries this weekend. At some sites that portion of things will take some time as Andrew wants to fix up permissions and the like which have shifted out of spec. He also wants to redo the print server setups to bring remote sites in-line with how things are done on campus.
Steve asked if a deployment schedule had been developed and Andrew said that the details are yet to be worked out. Once Fisheries is done and has been evaluated as working well, the plan is to begin with Ben's District 2--simply due to proximity. Once they are comfortable with things Andrew is fine with doing a few of the more pressing sites across the state out-of-band (such as the DC at the Hardy CEO in Bill Black's district). In general, however, District 3, 4 and 5 will follow District 2. District 1 will be left to last because it is in better shape generally and can stand to wait awhile.
Updating our virtual infrastructure software
Wayne has been heavily occupied in getting us upgraded to vSphere 4, which is now complete.
SAN upgrade is going in this upcoming week
A new DAE is being incorporated into our SAN to provide increased storage space for our file server. Dell will be on-site Thursday for that. The LUN structure is being changed and the transition from what we have now to that will be a long process. There will be small outages for OUs one at a time. Data will be pre-staged with robocopy to the new datastore, then Wayne will take the OU offline, do a last robocopy and integrity test, and change the DFS pointer. We will end up with four 8TB LUNs and two 4TB LUNs. Moving all that data will be time consuming.
Reclaiming wasted space on our campus file server
Wayne had put out a notice to the ICC distribution group on this topic:
Message to the ICC distribution group from Wayne Hyde:
In an effort to reclaim some wasted disk space on our campus file cluster, I have been running some FSRM reports to search the file cluster for:
I will be forwarding the reports on to the unit admins once the cluster spits them out.
Many folks in IFAS have duplicated the various windows install .ISOs from software.ifas.ufl.edu and vista.ad.ufl.edu to their various folders on their department share. Please don’t make your own “ISO” folder with copies as the files are readily available elsewhere. ICCers can use their ADMN or GL credentials to access some of the commonly used ISO’s (aka Windows / Office) straight from: \\ad.ufl.edu\ifas\SOFTWARE\Install ISO.
There are quite a few Linux distros stored on the file server, but I don’t intend to keep a repository for them. Just keep these on your local admin workstation’s drive. If your desktop drive croaks, the software can be easily downloaded again.
The BKF files should be deleted where appropriate – for example: users shouldn’t be storing image backups of their desktop machines on the file server. Solving the PST issue will involve unit admins coordinating with Scott Owens to increase mail quotas, importing the mail (if desired), and letting Exchange rip out the attachments before decreasing the quota again. More on the PST issue later since it isn’t a low hanging fruit.
Disk usage for the 3 file types listed above across all of the file server LUNs is:
That’s an extra $400 in tapes used for our 8-week tape rotation and a few thousand dollars in SAN storage being tied up. Add to that ~3-5 hours added to our backup window every weekend.
Winnie Lante mentioned that she was impressed by how much duplication of large files existed within her group. She has talked to the users and believes they can free up a lot of that space. It will be something to continue to monitor, and Wayne is configuring FSRM to automatically send out reports monthly.
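For unit admins who want to check their own share ahead of the monthly FSRM reports, here is an added script (not Wayne's reports or anything from the ICC notes) that totals the three file types called out above (.iso, .bkf, .pst) and groups identical ISOs by content hash so duplicate copies can be pointed back at the central Install ISO folder. The share path and size threshold are placeholders; it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not from the ICC notes: report ISO/BKF/PST usage on a department share and
# find byte-identical duplicates. Assumes PowerShell 4+ (Get-FileHash); $Path is a placeholder.
function Get-WastedSpaceReport {
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. \\ad.ufl.edu\ifas\<unit> (placeholder)
        [string[]] $Extensions = @('.iso', '.bkf', '.pst'),
        [long] $MinDuplicateBytes = 100MB                 # only hash big files; hashing is the slow part
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
             Where-Object { $Extensions -contains $_.Extension.ToLower() }

    # Per-extension totals, the same breakdown an FSRM "Files by File Type" report gives.
    $byType = $files | Group-Object { $_.Extension.ToLower() } | ForEach-Object {
        [pscustomobject]@{
            Extension = $_.Name
            Files     = $_.Count
            GB        = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1GB, 2)
        }
    }

    # Duplicate detection: bucket by size first (cheap), then SHA-256 only the same-size candidates.
    $dupGroups = $files |
        Where-Object { $_.Length -ge $MinDuplicateBytes } |
        Group-Object Length | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group } |
        Group-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } |
        Where-Object { $_.Count -gt 1 }

    $reclaimable = 0L
    $duplicates = foreach ($g in $dupGroups) {
        $reclaimable += $g.Group[0].Length * ($g.Count - 1)   # keep one copy, free the rest
        [pscustomobject]@{
            Sha256 = $g.Name
            Copies = $g.Count
            GB     = [math]::Round($g.Group[0].Length / 1GB, 2)
            Paths  = $g.Group.FullName
        }
    }

    [pscustomobject]@{
        Share         = $Path
        ByType        = $byType
        Duplicates    = @($duplicates)
        ReclaimableGB = [math]::Round($reclaimable / 1GB, 2)
    }
}

# Usage (placeholder share): totals first, then the duplicate groups with every path listed.
$report = Get-WastedSpaceReport -Path '\\ad.ufl.edu\ifas\EXAMPLE-UNIT'
$report.ByType | Format-Table -AutoSize
$report.Duplicates | ForEach-Object { "$($_.Copies) copies, $($_.GB) GB each:"; $_.Paths }
"Reclaimable by removing duplicate copies: $($report.ReclaimableGB) GB"
```

Run it with your unit admin credentials against your own share; the BKF and PST entries in ByType are the ones the notes say to delete or import rather than leave on the file server.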
Wayne had sent out a notice to the ICC-L on seeing threat detections in the ePO admin console:
Message to the ICC-L from Wayne Hyde:
There is an easy way to see all of your unit’s threats that have been detected by clients and reported to ePO via the console:
Click on the upper-left ‘Menu’ button
This will bring up a table format log window where you can filter results based on whatever criteria you want.
The first thing I usually do is add the ‘System Name’ column to the table. To do this, click on “Actions” at the bottom left and then “Choose Columns.” I usually delete “Agent GUID” and add “System Name” from the ‘Managed Systems’ group on the left. You’ll end up with the following headings:
Event Generated Time (UTC)
Some units may have quite a bit of event data, not all of which is indicative of malware/Trojan/virus activity. Some rules get tripped by legit activity and I’ve tried to filter out some of that so it doesn’t get reported. If you click on a table row it brings up a full page showing what went on for that event.
You can then use the filtering under the “Advanced Filter” at the top left to narrow down the results by computer name, event ID, etc.
I hope you find it as handy as I do.
Checking for computers lacking antivirus and the ePO agent
This morning Wayne sent out a message in an attempt to help us locate such machines:
Message to the ICC-L from Wayne Hyde:
There are still quite a few computers in IFAS that do not have McAfee installed. Some have an ePO agent but no AV and others don’t have either. As I’ve stated many times in the past, I do not push McAfee to machines and it is the responsibility of the unit admins to ensure AV is installed on a machine before (or when) it is added to UFAD. With that said, please check your OUs for machine status in ePO by doing the following:
Go to the system tree (big icon at the top)
The table should now have all machines at the top that do not have AV installed. Some of these machines may just be dead computer objects or non-Windows machine objects in Active Directory. You may have machines at the top with partial information (all but AV info listed). In these cases, the computers have an agent but no AV installed. Please either visit these computers in person to install AV87i or tag the systems with “PushAV” to have ePO push them. Since this is a client-task initiated by the Agent when it checks in to the ePO server, it works most of the time.
For the computers that don’t have AV or an Agent, you can tag the systems with “PushCMA” and “PushAV” to attempt to install McAfee on them. This does not always work as the ePO server must be able to contact the client machine during the set push schedule (a few times a day). Client firewalls can block the install as well as NAT devices.
ePO also does not automatically upgrade AV from 8.0 or 8.5 to 8.7i. If you have outdated AV products installed on some computers you can tag them with “PushAV” to upgrade to the latest and greatest. ePO will, however, attempt to update the installed version of AV to the latest hotfix/service-pack checked into ePO for that version level. Currently this is patch 16 for 8.0, patch 7 for 8.5, and patch 2 for 8.7i.
Later in the day Wayne sent an amendment:
Message to the ICC-L from Wayne Hyde:
It turns out that the default view doesn’t show the columns I told you to sort by and I had changed my selected columns long ago on my account. Here is how you change the default column listing:
Go to your OU under the system tree
The columns I use are:
These are found under the following groups:
System – Last communication, Operating System, Sequence Errors, Tags
I believe the default view uses the following columns:
A sample of the column chooser screen:
You can click the left/right arrows to move columns left or right and use the ‘X’ to delete the column. Should be pretty simple to figure out.
McAfee not catching malware
Wayne responded that it is not unusual for McAfee to miss malware, but one potential solution is to crank up the Artemis level in McAfee. This may cause more false positives but it could be enabled on certain machines that are problematic.
Kevin Hill mentioned how he has been disappointed in the job McAfee is doing on preventing malware infections and he wondered if any alternatives existed. Wayne mentioned that McAfee's anti-spyware component is available and can be pushed to machines via tagging within the ePO console. The tag to use is "pushAS", but this can only be pushed to systems that have McAfee VirusScan 8.7i.
There is also a Host Intrusion Prevention (HIPS) product which Wayne is currently testing. He doesn’t recommend pushing this module currently; if you have tagged any systems with PushHIPS, you can remove the software with the “RemoveHIPS” tag. The configuration is at the default currently and may need considerable tweaking to be useful. The configuration for that is rather complex and the potential for making things worse via false positives is something to consider soberly.
Here are some of the configuration screens for McAfee's Host Intrusion Prevention application. There are Firewall Policy settings:
There are the Application Policy settings:
There is also the Application Protection List:
Kevin mentioned that he has seen examples of legitimate websites being compromised into serving up malware, so we need to find ways to increase our guard. Steve added that these things seem to go in cycles with one vendor holding a lead for a short time followed by another overtaking them; the one constant seems to be folks unhappy with their current vendor.
Once Forefront Endpoint Security 2010 is released, Wayne plans to investigate that as an alternative to ePO. Our newly acquired eCALS would make that a viable option if it fit our needs.
Rebuilding infected machines
Nobody likes rebuilds, but it is really the best way to address an infection as it is the only way to know for sure that everything is really removed. It is often faster to rebuild and we need to move toward having all our configurations support nuke and rebuild by getting data off our machines. Also, since most infections are preventable via user vigilance and education, a rebuild might reinforce in users the need to pay attention.
Scanning for vulnerable software
Dennis Brown mentioned that he had gone to John Sawyer's Vulnerability Scanning training and was impressed with how these self-service vulnerability scans can locate vulnerable versions of software across your machines. Steve pointed out that this might be a good alternative to Secunia's on-line scan which is something he always mentions to his users.
Status of SharePoint services (prior discussion)
IFAS migrating to centralized MOSS
Ben Beach had related that we will be moving our SharePoint environment over to UF and have it hosted on their SharePoint environment. Ben says that they do not have a specific date when this will happen yet, but the commitment has been made. Maybe not this year, but more than likely next year our SharePoint will be accessed through UF SharePoint. Ben plans to provide more details in the future when the time gets closer. We will be late adopters because of a number of issues and the fact that our service is functioning well as is. One point of discussion is that they do not want to allow the "My Site" feature (see link in upper-right of our SharePoint screen)--all sites will have to be created by an administrator.
As for when UF SharePoint would be available for use by campus units, Dan Cromer shared an e-mail from the HSC-ISAC-L list. In that e-mail, Michael Buchholz (Buck) was quoted as saying "... We are really pushing to be ready to start taking orders by the middle of April." Apparently, Buck also indicated they are reconsidering options because Microsoft has set a firm date for release of the next version of SharePoint with RTM to occur this April and launch being set for May 12th 2010.
Access for outside collaborators
Ben had related that we no longer offer separate external access for non-UF affiliates. It was deemed more appropriate for each department that needs to give non-UF personnel access to have its department liaison set up those users in PeopleSoft as department affiliates. That way, these users are allocated a GatorLink username and have access to any UF resource they need, with appropriate permissions granted. An added benefit is that they apparently will not need a separate license.
Nothing further was available on this topic at this time.
The March Microsoft patches include two "important" bulletins; one for Windows and one for Office. These two bulletins address 8 vulnerabilities overall and in Steve's experience a reboot was not necessary on Windows XP but was on Vista and Windows 7. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
The same day these patches came out Microsoft announced a new IE security issue that affects IE6 and IE7. This may be a good time to consider moving to IE8 more broadly.
Wayne has been planning how to assist folks in moving to IE8 for their own OUs and accelerated his efforts with a notice that he posted the afternoon after this meeting:
Message to the ICC-L from Wayne Hyde:
Since I like to teach people how to fish, here is how you can edit your OU’s default computer policy to push IE7 or IE8 to all managed machines via WSUS. Getting this working for a select group of computers in your OU is a bit more involved and I am working on getting that done via two additional GPOs and security groups to drop computer objects in.
For those of you who read the following and are not comfortable making the changes to push IE7 or IE8 yourself, just ask and I’ll take care of it for you.
I’ll use Steve’s OU as an example. In the Group Policy Management console, here are the current properties of his “IF-ENTNEM Computer” GPO:
Steve is currently using a WSUS group (On Campus IE7) that I am going to retire soon, so I will update him to use the new groups.
Edit the GPO (right-click, edit) and find the setting to change in the GPO editor:
IF-ENTNEM Computer\Computer Configuration\Administrative Templates\Windows Components\Windows Update
If Steve wanted to push IE8, he would use the following setting:
Since he currently pushes IE7, I used “Campus; IE7” as the target group(s) for his GPO. This puts his computers in two WSUS computer groups: Campus and IE7. The group names must be separated by a semicolon.
The way WSUS works is that computers check in and request patches for the target groups assigned to them by the above GPO setting. If a computer requests groups that aren’t defined, the computer will get patches from the “Unassigned Computers” and “All Computers” WSUS group. Groups can also be nested in WSUS so that child groups inherit all approvals of the parent. Our WSUS tree has the following client groups:
Please note that these groups have no relation to our Active Directory structure. These groups are only used by WSUS for patch management. I’ve trimmed out some of the current groups which will be going away and other ITSA groups.
Critical Updates, Definition Updates, and Security Updates are automatically approved each day for Unassigned Computers and Clients.
IE7 has only been approved to install for computers in the IE7 group. IE8 has been approved for the IE8 group. Security patches for IE7 and IE8 fall under Critical and Security Update classifications, so they get approved for all clients. If the computer doesn’t have IE7 or IE8 installed these IE updates will get ignored.
Ignore the “_” group as it is just a group I used to nest IE7 and IE8 and make it pretty for me in the WSUS console.
I deliberately nested IE7 and IE8 under Clients so that they inherit all the patches from the Clients group. This is to handle the case where someone accidentally creates a GPO that only has “IE7” or “IE8” as the target group.
Multiple client groups must be specified in a single GPO. For example, Steve could not specify “Clients” as the default for “IF-ENTNEM Computer” and then create a separate GPO that applies to certain computers that only has “IE7” as the WSUS target group. If he did this, whichever GPO gets applied last will set the target group – the targets don’t get merged.
A while back I updated all of the “IF-OU Computer” GPOs to use “On Campus” or “Off Campus” as the target groups. These will be changed to “Campus” and “Remote” as I have time. If you feel comfortable modifying the GPO, you can make this change yourself and add IE7 or IE8 if you want to push them. If you don’t feel comfortable send me an email and I’ll make the changes for you (to push IE7 or IE8).
The valid target groups are:
… depending on what version of IE you want installed and your location. Setting IE7 as the default won’t have any effect on machines that already have IE8 installed. It will only upgrade IE6 machines to IE7. Machines with IE8 will still get patched with the latest IE8 patches via the group nesting I mentioned.
Wayne stresses the point that IE6 has to go away and that IE8 is the preferred version for security reasons.
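As an added check that is not part of Wayne's message: the GPO setting he describes ("Enable client-side targeting" under Windows Components\Windows Update) is written to the machine's Windows Update policy registry key, so a PowerShell snippet run on a managed computer shows exactly which WSUS target groups that computer will request. The group names in the list are the ones Wayne names above (Campus, Remote, Clients, IE7, IE8); they are assumptions if your WSUS tree differs.

```powershell
# Added example, not from Wayne's message: inspect the WSUS client-side targeting
# that Group Policy actually applied to this machine and flag common mistakes
# (undefined group, missing location group, both IE groups, targeting disabled).
# Group names are taken from the message above; adjust to your own WSUS tree.
$KnownGroups = @('Campus', 'Remote', 'Clients', 'IE7', 'IE8')

function Get-WsusTargeting {
    # Standard key the Windows Update administrative template writes to.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $problems  = @()

    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{
            Server   = $null
            Groups   = @()
            Problems = @('No Windows Update policy applied; machine is not WSUS-managed')
        }
    }
    $p = Get-ItemProperty -Path $policyKey

    if (-not $p.WUServer)            { $problems += 'WUServer not set; client will use Microsoft Update' }
    if ($p.TargetGroupEnabled -ne 1) { $problems += 'Client-side targeting is off (TargetGroupEnabled <> 1)' }

    # The GPO stores every group in one string separated by semicolons ("Campus; IE7").
    $groups = @()
    if ($p.TargetGroup) {
        $groups = @($p.TargetGroup -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    foreach ($g in $groups) {
        if ($KnownGroups -notcontains $g) {
            $problems += "'$g' is not a known WSUS group; patches will come from Unassigned Computers/All Computers"
        }
    }
    $location = @($groups | Where-Object { @('Campus', 'Remote') -contains $_ })
    if ($location.Count -ne 1) { $problems += 'Expected exactly one of Campus or Remote' }
    $ie = @($groups | Where-Object { @('IE7', 'IE8') -contains $_ })
    if ($ie.Count -gt 1) { $problems += 'Both IE7 and IE8 targeted; only one IE version should be pushed' }

    [pscustomobject]@{
        Server   = $p.WUServer
        Groups   = $groups
        Problems = $problems
    }
}

Get-WsusTargeting | Format-List
```

The Groups value is the string the computer sends to WSUS, so it also exposes the overwrite problem Wayne warns about: if an OU's default GPO says "Campus; IE7" but a machine reports only "IE7", a later-applied GPO replaced the value rather than merging with it.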
While not a security update relative to release 17, Java Version 6 release 18 (1.6.0_18) is now available. The current security baselines for the various versions are available here
MS Office News update
Steve had no news to relate this month.
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Steve asked if anyone had any issues with using the new system. He hoped that Adam Bellaire's demo at the February meeting answered most questions folks might have.
SMB v2 re-enabled?
SMB 2 had been disabled on our file servers due to a remote code execution vulnerability. Wayne confirmed that it has indeed been re-enabled.
PDF-Xchange (prior discussion)
Steve wants to keep this on our agenda for possible latter consideration.
Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL
Mitch Thompson had raised this issue via e-mail:
Message to the Steve Lasley from Mitch Thompson:
I’d like you to bring up and find out about people’s interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL. I just got off the phone with Santos and a few people have been testing Wordpress with success. The issue that he is concerned about is a bit of uncertainty in regards to restoring MySQL backups. I understand the concern that when people put stuff in a database like that we run a risk of things becoming corrupt, but for our needs here with a newsletter it is not a major thing and we would not be using it as a full-on site CMS but just a news-style blog. Also scripts like PixelPost allow users here to upload photos so we can have a photo gallery within a databased system. Things like this are really needed if the policy still is that we can’t use third-party sites for these services.
Sharepoint really is set up for internal needs and not so much for a news blog in which we want to reach out and have stories linked back to us; we really need a proper blogging system that can be customized and has a proper RSS and permalinking framework that can really support our local online marketing needs.
The concern from ITSA centered around the difficulties in backing up MySQL. The Backup Exec software we use for routine backups will not handle MySQL; the database would have to first be exported.
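One way to address the ITSA concern, added here as an example rather than anything ITSA or the meeting proposed: dump the database with mysqldump into a folder Backup Exec already backs up, then prove the dump is restorable by loading it into a scratch database and comparing table counts. The MySQL install path, option file, database name and backup folder are assumptions.

```powershell
# Added example, not from the meeting: nightly MySQL export for Backup Exec to
# pick up, followed by a restore into a scratch database to verify the dump.
# All paths and the database name are assumptions for this illustration.
$mysqlBin = 'C:\Program Files\MySQL\MySQL Server 5.1\bin'   # assumed install path
$cnf      = 'C:\Backups\mysql\backup.cnf'                   # [client] user= / password=, ACL-restricted, so no password on the command line
$db       = 'wordpress'                                     # assumed database name
$scratch  = "${db}_restoretest"
$dumpDir  = 'C:\Backups\mysql'                              # folder Backup Exec already backs up
$dump     = Join-Path $dumpDir ('{0}_{1:yyyyMMdd_HHmm}.sql' -f $db, (Get-Date))

function Invoke-MySqlDump {
    # --single-transaction gives a consistent InnoDB snapshot without locking the live blog.
    # --defaults-extra-file must be the first option for the MySQL client tools.
    & "$mysqlBin\mysqldump.exe" "--defaults-extra-file=$cnf" --single-transaction --routines --triggers "--result-file=$dump" $db
    if ($LASTEXITCODE -ne 0) { throw "mysqldump failed with exit code $LASTEXITCODE" }
    return $dump
}

function Test-MySqlDump {
    param([string]$DumpFile)
    $mysql = "$mysqlBin\mysql.exe"

    & $mysql "--defaults-extra-file=$cnf" -e "DROP DATABASE IF EXISTS $scratch; CREATE DATABASE $scratch;"
    if ($LASTEXITCODE -ne 0) { throw 'could not create scratch database' }

    # The client's own "source" command reads the file, so the bytes are not
    # re-encoded by a PowerShell pipeline; forward slashes avoid escape trouble.
    $src = $DumpFile -replace '\\', '/'
    & $mysql "--defaults-extra-file=$cnf" $scratch -e "source $src"
    if ($LASTEXITCODE -ne 0) { throw 'restore into scratch database failed' }

    # Cheap sanity check: every table in the live database came back.
    $q    = "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{0}'"
    $live = [int](& $mysql "--defaults-extra-file=$cnf" -N -e ($q -f $db))
    $test = [int](& $mysql "--defaults-extra-file=$cnf" -N -e ($q -f $scratch))
    & $mysql "--defaults-extra-file=$cnf" -e "DROP DATABASE $scratch;" | Out-Null

    [pscustomobject]@{ DumpFile = $DumpFile; LiveTables = $live; RestoredTables = $test; RestoreOk = ($live -eq $test) }
}

$file = Invoke-MySqlDump
Test-MySqlDump -DumpFile $file
```

Run it from Task Scheduler ahead of the nightly Backup Exec job; a RestoreOk of False (or a thrown error) is the signal that the dump on tape would not have been usable, which is the uncertainty Santos raised.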
Mitch was hoping for WordPress because he has considerable experience with it, but he was open to other options. He did note that many of the better tools utilize MySQL, however. There was some discussion about finding a solution which utilized MS SQL such as DotNetNuke and Mojoportal. Mitch is interested in photo and news archiving primarily and doesn't need a full CMS system; he could, however, pick the features he needed from such a package perhaps.
Mitch asked about policy with regards to utilizing third-party sites like Flickr for such purposes. He assumed that this would be discouraged. Dan Cromer responded that the topic of social media sites (not quite the same thing, but similar in some ways) is being discussed centrally and policy is being developed. Dan can see the usefulness of things like Facebook and Twitter for extension in dealing with clientele. He would discourage, however, using the cloud for databases due to potential privacy concerns. Dan mentioned wanting to investigate how UF handles their MySQL backups, but we need to find a collective solution for IFAS that can be utilized by all. A major sticking point is that we have limited staff and nearly unlimited needs; on top of that we are looking at further budget cuts in the near future. Dan understands the need but does not have the answer.
Dennis Brown mentioned that Ligia Ortega had some blogging solution available. Dan Cromer also mentioned that the NW District is successfully using a product from Howard Beck for newsletters. Louise Ryan explained that this is basically a web-based authoring system which allows agents to enter newsletter articles which are then stored in a database. Howard's software automates publishing the newsletter from that database both in html and pdf format. This system is going to be utilized for EDIS publications as well.
Activating the local Administrator account in Windows 7
Dennis asked if others have been activating the local Administrator account on Windows 7 boxes. Kamin Miller responded that he has opted to create an additional local account with admin privileges. Steve said that he has used both methods and was wondering himself which to standardize on. On the one hand, when the local Administrator account is enabled it is renamed to MrAdmin just as happens on our WinXP boxes. On the other hand, it still has the well-known SID, so Kamin's method might be a tad more secure.
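To make Steve's point concrete, an added example (not from the meeting): the built-in Administrator account keeps relative ID 500 no matter what it is renamed to, so an inventory check should find it by SID rather than by name. This uses the LocalAccounts cmdlets, which assumes Windows 10 / Server 2016 or later with PowerShell 5.1.

```powershell
# Added example, not from the meeting: locate the built-in Administrator by its
# well-known RID (500), report whether it is enabled, and list every other local
# account that holds admin rights (the "extra local admin" approach Kamin uses).
function Get-LocalAdminState {
    # Built-in Administrator: S-1-5-21-<machine SID>-500, whatever its display name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Members of the local Administrators group, looked up by the group's
    # well-known SID S-1-5-32-544 so a renamed group is still found.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

    # Local user accounts with admin rights other than the built-in one.
    $extraLocal = @($admins | Where-Object {
        $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500'
    })

    [pscustomobject]@{
        BuiltinName      = $builtin.Name        # e.g. MrAdmin after the rename
        BuiltinEnabled   = $builtin.Enabled
        BuiltinSID       = $builtin.SID.Value
        ExtraLocalAdmins = @($extraLocal | ForEach-Object { $_.Name })
        AllAdmins        = @($admins | ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" })
    }
}

Get-LocalAdminState | Format-List
```

Whichever approach an OU standardizes on, the output shows both at once: BuiltinEnabled tells you whether the RID-500 account is live, and ExtraLocalAdmins tells you which additional local accounts would need the same password-management attention.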
Dennis noted that the new SAS needs to be installed from a local admin account--a domain account that is a member of Local Administrators will not work for some reason.
Windows 7 activation: KMS vs. MAK
Mike Ryabin was concerned that machines which are off UF network space for long periods would have problems. Andrew responded that machines which will not be on our network space for over six months at a time should use a Manual Activation Key (MAK). However, even a VPN connection will allow re-activation to occur, so it should be a fairly rare need. It is easy to convert from KMS to MAK and vice-versa in any case using slmgr.vbs. Our MAK is available from http://software.ifas.ufl.edu.
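As an added illustration of the KMS-versus-MAK question (not from the meeting), the following reads the Software Licensing WMI class to show whether a machine is a KMS client or MAK-activated and how many days remain before a KMS client must re-activate, which is the value that matters for laptops leaving UF network space. The 30-day warning threshold is an assumption; the slmgr.vbs switches quoted in the advice are the standard ones.

```powershell
# Added example, not from the meeting: report activation channel and remaining
# activation period so KMS clients that will be off-network for months can be
# re-activated over VPN or converted to MAK before they lapse.
function Get-ActivationState {
    # Windows (as opposed to Office) licence entries carry this well-known application ID;
    # the entry with a partial product key is the one actually in use.
    $win = Get-CimInstance SoftwareLicensingProduct `
        -Filter "ApplicationId='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1

    $channel = switch -Wildcard ($win.Description) {
        '*KMSCLIENT*' { 'KMS client' }
        '*MAK*'       { 'MAK' }
        default       { 'other/retail' }
    }
    $status = switch ($win.LicenseStatus) {
        0 { 'Unlicensed' } 1 { 'Licensed' } 2 { 'OOB grace' } 3 { 'OOT grace' }
        4 { 'Non-genuine grace' } 5 { 'Notification' } 6 { 'Extended grace' }
        default { "Unknown ($($win.LicenseStatus))" }
    }
    $daysLeft = [math]::Floor($win.GracePeriodRemaining / 1440)   # WMI reports minutes

    # Assumed policy: warn a KMS client with less than 30 days of activation left.
    $advice = if ($channel -eq 'KMS client' -and $daysLeft -lt 30) {
        'Connect to UF network or VPN and run "cscript slmgr.vbs /ato", or convert: ' +
        '"cscript slmgr.vbs /ipk <MAK from software.ifas.ufl.edu>" then "cscript slmgr.vbs /ato"'
    } else { 'No action needed' }

    [pscustomobject]@{
        Edition   = $win.Name
        Channel   = $channel
        Status    = $status
        DaysLeft  = $daysLeft
        KmsHost   = $win.KeyManagementServiceMachine
        Advice    = $advice
    }
}

Get-ActivationState | Format-List
```

Run from an elevated prompt; the same information is what "cscript slmgr.vbs /dlv" prints, but as an object it can be collected from many machines and sorted on DaysLeft to find the ones Mike is worried about before they go off-site.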
The meeting was adjourned at about 11:51 AM