ICC Meeting:
IFAS COMPUTER COORDINATORS
Message from Al Wysocki to the IFAS-ALL-L: IFAS Colleagues, See the email below from Bruce Floyd, Social Media Specialist at UF. This is a reminder that anyone creating social media websites (including county agents) relating to work you do at the University of Florida, must register their sites. For UF/IFAS Units http://ics.ifas.ufl.edu/social_media.html Approval and Registration ICS will grant approval and will contact University Relations on your behalf. E-mail your social media account request to webteam@ifas.ufl.edu and include:
To register on the official UF social media account directory, visit the registration page: http://www.urel.ufl.edu/marketingCommunications/socialMedia/registration.html Let me know if you have any questions or issues.
IT Reporting Relationships (previous discussion)
Dan Cromer said that he has written up a plan and meets with Dr. Joyce and the executive team (the VP and all the IFAS Deans) Monday at 2:30 PM to discuss it.
The plan is to implement dual reporting for IT support folks in units that have such staff as well as direct reporting for locations that have shared services hubs.
Steve asked Dan about the advantages that he sees in such a system. Dan responded that the purpose is to streamline and improve services. He feels that if he has input on local IT staff evaluations and some directional authority over all the IT people then Dr. Payne can hold Dan responsible where IT is not working right.
New 'Trouble-Ticket' Entry Page for CNS (previous discussion)
The new Remedy system is now live. For those having difficulties in using it, on-line tutorials are available, as discussed prior.
There are several ways to access the system:
Migration of DNS and DHCP Services to New BlueCat Platform (previous discussion)
Updates not available...
UF File Express now in live production (previous discussion)
Dan Cromer had reported that http://file-express.ufl.edu is now live, as reported on the UFIT News site. There are excellent instructions and a FAQs page that can answer most questions folks might have.
UF FAX server project (previous discussion)
Updates not available...
Upcoming requirements for InCommon Silver (previous discussion)
Updates not available...
Implementing the Mobile Computing Security policy (previous discussion).
Posting regarding incompatibility of PGP with Ivy Bridge CPUs
Message from David Huelsman to the NET-MANAGERS-L: It was brought to my attention by Michael Seufert from ENG IT that Symantec put out a bulletin about PGP and Ivy Bridge CPUs. Please do not try and encrypt machines with these CPUs, Mac or PC. Linked is an article describing the issue. They are working on a patch; we will notify all of you as soon as a patch is made available to UF. If you have any other questions please feel free to contact me.
Wake on LAN support coming to campus: (previous discussion)
Updates not available...
New Secunia site license (previous discussion)
Updates not available...
KACE agent deployed to IFAS (previous discussion)
Updates not available...
Domain Policy and redirect duration (previous discussion)
Updates not available...
CNS working to implement NAC for UF wireless (previous discussion)
There is a new "Welcome to the UF wireless network" web site for helping users get up and running on the new "UF" wireless network.
Chris Hughes had shared the means for installing during machine setup with Paul Smith who posted that on the UF IT Wiki.
Dan Miller recently sent out the following via the Net-Managers-L list:
Message from Dan Miller to the NET-MANAGERS-L: IT Support Staff, Some major wireless changes are taking place now. Many Public Relations outlets are being targeted, but many people have not yet heard this news. We need everyone to help spread the word. The UF Computing HelpDesk would appreciate converting as many users as possible during Summer B to minimize the last minute rush that we expect early in Fall term. There is an email below that we encourage you to customize and forward to your user communities. Note that there are two main changes described here:
Network providers on campus have been working together for over a year to specify, design, and implement an integrated wireless and NAC PA system. This will provide a common access method for wireless users all around campus, and will soon replace the old, public SSID wireless networks: ufw, hnet-public, and dhw. Most areas on campus are already live with the new systems, and the Academic Health Center will join us very soon. We're also working with UF Athletic Association and UF Foundation to include common wireless service in their areas. Changes to wireless in UAA and UFF areas should begin in Fall semester. The new general use SSID is "uf", and "ufinfo" is also available everywhere for initial configuration. GatorLink authentication is required. Other improvements include use of 802.1x to allow credential caching, and encryption via WPA2 Enterprise. We recommend that users first establish 802.1x connectivity during warning mode, and then work to remediate any NAC PA issues. We *highly* recommend the Auto Config option (see getonline link below) for users. A third shared SSID, "ufvisitor", will also be available later this summer. It will only be offered in high-traffic public areas, and is intended for casual use by people who are not affiliated with UF, and do not have a GatorLink ID. UF affiliated individuals with GatorLink IDs should use "uf" and not "ufvisitor". This network will be open to the public and require the visitor to register with their cell phone, and will receive a 4 character pin via text message. These accounts will be valid for one week, and the visitor must re-register after that time if they wish to continue using the "ufvisitor" network. The "ufvisitor" wireless network will be much more restricted than the standard "uf" network. It will appear as an outside network to UF resources, and all UF / Shands VPN services will be blocked. Stay tuned to IT-News for more details coming soon.
The NAC PA system is currently in "warning" mode where users receive web browser messages about lack of compliance. On July 16, that will change in all areas to "blocking" mode, and users will need to remediate before they regain full network access. At the start of every term, the NAC PA system will be reverted to a "warning" or grace period. The NAC PA system will be looking for the following items: Windows
Mac
The dates for coming PA changes are:
Support groups that push updates from central servers such as SCCM will need to request an exemption from NAC enforcement. Please open a remedy ticket to process these requests: Specific changes will be announced during our normal network change cycle to this list. Please also keep an eye on IT-News for updates about this project and other exciting IT developments: This link is where users on the "ufinfo" SSID will land: Thanks, Dan Miller, ----- suggested email for your users ----- Subject: Notice of wireless changes coming soon UFIT is pleased to announce that all wireless systems are undergoing a major upgrade this summer. These upgrades provide improved security and allow you to reconnect without having to enter your password. If you are connecting via wireless, try the "ufinfo" SSID which should take you to the Auto Config tool. Please try that first to gain access to the new wireless network "uf". If you connect to "uf" before July 16, then you may see Posture Assessment (PA) warning messages on your browser. These indicate that your system needs to be updated to be in compliance with UF IT Security standards. On July 16, the new system will begin blocking access for any host that is not in compliance. Try to resolve the warning messages before July 16 in one of these ways:
NOTE: the old public wireless networks will be removed on August 13. These include "ufw", "dhw" and "hnet-public". Please try the new "ufinfo" and "uf" wireless networks listed above before August to beat the last minute rush.
Discussion about off-campus Wireless with David Huelsman
Dan Cromer had asked David Huelsman from the UF Information Security and Compliance Office to attend today in order to be a part of a discussion regarding wireless at IFAS locations off main campus. Consequently, David Huelsman was on-hand (along with Nancy Watson) to answer any questions we might have.
SafeConnect vs. XpressConnect
Steve asked for clarification on the SafeConnect vs. XpressConnect applications. David explained that XpressConnect is the portion that can assist with configuring a device to connect to the new UF wireless. It is not strictly necessary, as you can configure that manually if you wish as well. The XpressConnect utility, however, will walk the user through the entire process from "I'm not on the network" on to the installing of the SafeConnect agent, ending with being on the network.
ufvisitor is coming
Steve noted that in the past RECs have utilized open wireless in order to handle outside folks attending conferences and the like. From there that progressed to employing protection via an advertised shared password that could be changed after each event. Now, it appears that shortly the ufvisitor SSID will be the way to handle such things.
ufvisitor is for use at limited locations
David explained that ufvisitor is designed to support only certain locations on campus (the libraries and the big conference center at the Reitz Union) that service large numbers of non UF-affiliated people requiring wireless network access. The UF Guest Gatorlink creation process has been available as a placeholder solution for some time, but it is cumbersome to use in many circumstances. The security office has been working with CNS to create a "ufvisitor" wireless network whose sole purpose is to provide non UF-affiliated people with casual Internet usage while on campus at specific locations.
ufvisitor will be more restricted than the UF network
The "ufvisitor" network will be rate limited and will have some restrictions implemented via inline packet inspection (IPS) in order to secure that network as much as possible. P2P networks will be disallowed and adult web sites, hacking sites and the like will be blocked. The intent of this is to be able to relax the requirement for authorization.
ufvisitor will use cellphone-delivered PINs for authentication
That said, they do plan to have some level of authentication with this network as well. That process will involve a captive portal self-registration system using either SMS or voice to deliver a PIN. When users connect to "ufvisitor" they will be presented with a self-enrollment authentication page which will provide some basic information about the "ufvisitor" network and will also give them the ability to register. They will enter a cell phone number to which a PIN will be delivered; for those without a cell phone a utility is being developed for the Help Desk so they can create accounts for people as well.
These four-digit PINs will be valid for one week and the phone number/PIN combination will be the login credentials required for access. Users will need to re-authenticate daily, but can continue doing so for up to one week. After that time they would need to re-register.
ufvisitor is currently in "alpha" test mode
This ufvisitor network is currently available at the Help Desk in a very much "alpha" testing phase. Once they are convinced the system is working as intended they intend to move to a "beta" phase where they will put it out there for IT people to try out.
David said that the locations where this ufvisitor network will be available will be intentionally limited. They don't want this network to be a replacement for UF-affiliated individuals, including students, as a way to avoid using the actual UF wireless network.
ufvisitor will not be on UF IP space
The "ufvisitor" network will be completely off the UF network IP space and will live on Cox IP space. This should ensure that traffic on it will not affect UF's network reputation immediately. They have locked out the UF VPN services including Shands and the HealthScience Center; David is guessing that they will do the same for IFAS as well. If a person tries to get to these VPNs from the "ufvisitor" network they will be denied. They are really trying to limit the use of this system because they have only purchased a limited amount of bandwidth for this function. They are purposely making the UF network more attractive to those with Gatorlink credentials.
David said that there will be a Remedy queue for adding locations and reasonable requests will be approved.
David Blackman asked if the ufvisitor network utilized separate WAPs. David Huelsman responded that this network is hosted on the standard UF WISM network; it is the backend where the network goes off UF network IP space.
Open access to be eliminated
Dan Cromer related that the Straughn Center will definitely be added to the list of sites where "ufvisitor" is supported. Dan also stressed that IFAS is getting UF WAPs for all locations; as a result of this and "ufvisitor" being available, we will no longer allow any open access once the new network is in place.
James Moore briefly described steps that will be taken to locate rogue WAPs and eventually purge all those from the network.
ufw vs uf vs ufinfo
Winnie Lante asked for an explanation of the differences between these three SSIDs. David Huelsman responded that "ufinfo" is an open SSID that takes the user to http://getonline.ufl.edu/. By following the "Auto Configuration" instructions, the user is walked through the process of getting the connection configured for the "uf" network. Once that is done, the machine is moved off "ufinfo" and dropped on "uf".
http://getonline.ufl.edu/ is useful by itself for preparing for later access as well, such as for students preparing to come to UF for school.
"ufw" will be going away along with "dhnet" and "hnet-public"; "uf", "ufinfo", and "ufvisitor" will be the only broadcast SSIDs left here at UF for production use. This doesn't include the private non-broadcast SSIDs.
Posture assessment
Steve asked David what the user will see once the posture assessment begins to be enforced. David explained that starting on Monday the posture assessment on the "uf" SSID will go into effect. In housing areas it went into effect about a week ago. If a machine is non-compliant they will be presented with the same explanation page that is being delivered currently; the difference will be that they will no longer be able to bypass this until they have remediated the issue. They will have Internet access for fixing the issue, but nothing else.
Wendy Williams asked about users who do not have administrator rights on their machines. David responded that this should not be a large constituency because hopefully such machines are getting managed through their IT support. Steve mentioned that this will be nice because we will finally get those laptops coming in that we haven't seen for who knows how long.
UF Exchange Project updates (previous discussion)
Outlook prompting for credentials
Winnie Lante had reported that these issues continue, especially with one particular user within her unit. Joe Gasper suggested trying the following:
As the user:
You may be prompted again for your credentials in Outlook, but your current password will be remembered (by checking the remember my credentials option).
Winnie reported that the above steps were ineffective in her case, unfortunately.
Steve suggested that we keep reporting the issues so that the Exchange folks are at least aware that the issue continues.
Outsourcing of student email?
Dan Cromer said this is still on the table but has been pushed back for now. He believed that Summer 2013 would be the soonest we might see such a thing implemented.
Sakai e-Learning System now in production (previous discussion)
Updates not available...
Alternate IFAS domains in e-mail (previous discussion)
Updates not available...
Electronic Copy - Print Output Cost Reduction program (previous discussion)
Updates not available...
Split DNS solution for UFAD problems (previous discussion)
Updates not available...
New web cluster (previous discussion)
Steve mentioned that site migration is in progress. Winnie Lante's department, for example, has now been moved. Winnie reported that all went fine with that process. Winnie noted that the URLs were unchanged but she needed to help folks with the new UNC paths for accessing the server as a file system for uploading/editing.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM (previous discussion)
MDT 2012
Updates not available...
SCCM for IFAS
Work continues on the central SCCM plans.
Updates not available...
Exit processes, NMB and permission removal (previous discussion)
Updates not available...
Re-enabling the Windows firewall (previous discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (previous discussion)
Updates not available...
Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection? (previous discussion)
Updates not available...
Print server (previous discussion)
Updates not available...
Recording lectures for Distance Education (previous discussion)
Steve noted seeing an announcement about a new Mediasite Desktop Recorder and wondered if anyone had heard anything about plans for that at UF. Steve continues to look for a replacement for the Accordent which Steve feels is too expensive and not flexible enough to be a long-term solution for lecture capture.
Steve also mentioned that he has been able to use the AVer codec to record VCs and then convert them into QuickTime MOV files. From there we can convert to other formats as necessary. Steve still has high hopes that the AVer can work as an inexpensive IP recorder for recording bridged VCs from his office for later playback via the web.
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (previous discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
Can IFAS support DirectAccess in the future? (previous discussion)
Updates not available...
Moving away from the IFAS VPN service (previous discussion)
Updates not available...
VDI desktops as admin workstations (previous discussion)
Updates not available...
Wayne's Power Tools (previous discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Updates not available...
Folder permissioning on the IFAS file server (previous discussion)
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age (previous discussion)
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
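A dry-run version of the manual clean-up described above, added here as an example and not part of the minutes or of Wayne's Power Tools: it lists computer objects disabled for 90 or more days and flags those that still hold BitLocker recovery keys in the directory, so the keys can be saved before the object is deleted. The function names, record fields and sample records are assumptions, as is the use of whenChanged as a stand-in for the date an object was disabled.

```powershell
# Added example. Dry run only: nothing in this script deletes or modifies an object.

# Builds one record per disabled computer in an OU (needs the RSAT ActiveDirectory module).
# Assumption: whenChanged approximates the date the object was disabled; if you keep
# your own records of disable dates, feed those to Get-DeletionCandidate instead.
function Get-DisabledComputerRecord {
    param([Parameter(Mandatory)] [string] $SearchBase)   # distinguished name of your OU

    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties whenChanged |
        ForEach-Object {
            # BitLocker recovery keys are child objects of the computer object,
            # so they are lost when the computer object is deleted.
            $keys = @(Get-ADObject -SearchBase $_.DistinguishedName `
                        -Filter 'objectClass -eq "msFVE-RecoveryInformation"')
            [pscustomobject]@{
                Name              = $_.Name
                Enabled           = $_.Enabled
                DisabledOn        = $_.whenChanged
                BitLockerKeyCount = $keys.Count
            }
        }
}

# Selects records disabled for at least $MinDaysDisabled days and says what to do with each.
function Get-DeletionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $MinDaysDisabled = 90,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        if ($Computer.Enabled) { return }                 # never touch enabled objects
        $days = [int][math]::Floor(($AsOf - $Computer.DisabledOn).TotalDays)
        if ($days -lt $MinDaysDisabled) { return }        # not disabled long enough yet

        [pscustomobject]@{
            Name          = $Computer.Name
            DaysDisabled  = $days
            BitLockerKeys = $Computer.BitLockerKeyCount
            Action        = if ($Computer.BitLockerKeyCount -gt 0) {
                                'Save recovery keys first, then delete'
                            } else {
                                'Delete'
                            }
        }
    }
}

# Constructed sample records so the selection logic can be tried without a domain.
$asOf = [datetime]'2012-07-13'    # constructed "today" for the sample
$sample = @(
    [pscustomobject]@{ Name = 'LAB-PC01'; Enabled = $false; DisabledOn = [datetime]'2012-03-01'; BitLockerKeyCount = 0 }
    [pscustomobject]@{ Name = 'LAPTOP07'; Enabled = $false; DisabledOn = [datetime]'2012-02-10'; BitLockerKeyCount = 2 }
    [pscustomobject]@{ Name = 'OFFICE12'; Enabled = $false; DisabledOn = [datetime]'2012-06-20'; BitLockerKeyCount = 0 }
    [pscustomobject]@{ Name = 'FRONT-03'; Enabled = $true;  DisabledOn = [datetime]'2011-01-01'; BitLockerKeyCount = 1 }
)
$sample | Get-DeletionCandidate -AsOf $asOf | Format-Table -AutoSize

# Against a real OU (placeholder distinguished name):
# Get-DisabledComputerRecord -SearchBase 'OU=ExampleUnit,DC=example,DC=edu' | Get-DeletionCandidate
```

With the sample records, only LAB-PC01 and LAPTOP07 are listed, and LAPTOP07 is marked for key escrow before deletion.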
Core Services status (previous discussion)
Updates not available...
ePO updates (previous discussion)
Updates not available...
Status of SharePoint services (previous discussion)
IFAS migrating to centralized MOSS
Updates not available...
Public folder file deletion policies and procedures status (previous discussion)
Updates not available...
Patching updates... (previous discussion)
Microsoft
The July Microsoft patches included 9 bulletins (3 "Critical," and 6 "Important") addressing 16 vulnerabilities in Windows, Office, IE, and Visual Basic for Applications.
There also apparently is a security update for Lync that came out at the time of last month's patches that will not be on WSUS or Windows Update and will need to be downloaded manually.
While other versions of Microsoft XML Core Services were patched this month, the security updates for version 5.0 are yet to be released (see bulletin MS12-043). You may wish to consider mitigation processes in the meantime.
There is also a new security bulletin, Vulnerabilities in Gadgets Could Allow Remote Code Execution, along with mitigation procedures to disable gadgets until a fix is forthcoming.
McAfee provides podcasts on the highlights of each month's offerings.
Adobe
Steve reminded folks that Adobe does have security patches for Illustrator and Photoshop versions CS5 and CS5.5 that can only be obtained via manual download and install here for Illustrator CS5/CS5.5 and here for Photoshop CS5/CS5.5. Using the Update menu from those applications themselves will report falsely that they are fully patched.
Adobe Air had a security update since our last meeting. You should be at version 3.3 now.
The most recent versions of Flash can now be set to auto-update, but the timing can be mysterious.
Apparently there is an issue with Adobe Reader 10.3 that can lead to it eating up CPU cycles.
Apple
A new version of iTunes was released since our last meeting that addressed some security issues.
Java
There were new JRE updates that came out on the afternoon of our last meeting. The upcoming halting of security updates for JRE version 6 in November is bound to cause problems. As just one example, Steve recently found that the Florida Department of Agriculture and Consumer Services has a Pesticide Applicator Certification CEU Database which is used by his department and which fails when JRE v7 is installed.
The other point worth noting is that the auto-update notifications (or updating via the Control Panel Java applet) will replace JRE version 6 with JRE version 7:
Mozilla
An update to Flash plugin version 11.3 caused crashes in Firefox 13 on Windows; it was somehow related to the new Flash "Protection Mode." Additionally, some crashes seemed to be due to bad interactions between Flash Player and other plugins, particularly one from RealPlayer. Firefox has since come out with version 13.0.1 that resolves most of these issues. The remainder were addressed in a new version of the Flash Plugin (11.3.300.262).
Malware that fakes hard drive failure
Steve mentioned that he had run into a couple of instances of malware that fakes hard drive failure. Other related links may be found here, here, and here.
MS Office News update (previous discussion)
Updates not available...
Job Matrix Update status (previous discussion)
Updates not available...
Remedy system status (previous discussion)
Updates not available...
WebDAV and VDI announcement pending (previous discussion)
Dan Cromer said that he plans to make an announcement to the IFAS-Announce-L about the availability of http://files.ifas.ufl.edu as well as http://virtual.ifas.ufl.edu.
Steve asked if we could get a web page up on the IFAS IT Home Page (or elsewhere) that provided some details on those two items. It is always good to have something to point folks to for the details about such services. Dan said that he would try to prepare that before sending out the announcement.
Winnie Lante said that she has sent a number of people to the virtual machines and they have been very pleased with that. It is particularly useful for those needing mobile access to ArcGIS.
Wendy Williams announced that the new computer lab on the third floor of McCarty B is just about ready.
Big Blue Button proof-of-concept server (previous discussion)
Updates not available...
Results of GPO disabling for non-portable devices (previous discussion)
Updates not available...
The meeting was adjourned well ahead of usual at about 11:00 AM.