IFAS COMPUTER COORDINATORS
Message to the ICC distribution list from Wayne Hyde:
From this point forward if I see a security ticket for an on-campus host I will be adding the host to the “Deny-Filter” in DHCP and kicking the machine off of the network within a few hours if the ticket has not been marked as contained/resolved.
I will attempt to do the same for off-campus machines on subnets that ITSA manages DHCP. Until we get 2008 R2 DHCP servers at remote sites, I’ll create a reservation for the IP address and limit connectivity to the local subnet via DHCP options (router/dns = 127.0.0.1, etc). Once we get the new multipurpose servers I’ll switch to the filter-deny method which prevents the machine from getting an IP address completely.
Security tickets should be contained or resolved within 24 hours. Containing an incident is as simple as removing the computer from the network until it can be resolved via a nuke/reinstall or cleaning depending on the type of compromise. The tech who contains/resolves the incident should update the UFIRT ticket with the new status and an explanation of what was done.
Once a compromise has been resolved, you can request the filter be removed by emailing the ITSA server admin group.
DO NOT add another NIC to a machine that I have filtered to get it back on the network.
I will work with CNS to target alerts for a subnet to the OU report groups that we have created so everyone does not get all UFIRT alerts for IFAS. I suspect some folks eyes glaze over when they see UFIRT emails or move them to a subfolder in outlook automatically.
Wayne mentioned that IFAS still does pretty well on the semi-annual reports to the IFAS ISA (Joe Joyce). Our response time used to be about one day, but it popped up to about five days due to some security tickets which were open for about two months before they got closed; those were at sites which Wayne does not control and could only resort to "nastygrams". For machines Wayne does control, he will give the OU Admin a couple of hours to get it off-line before filtering it for you.
Steve pointed out that such filtering would prevent pulling files off over the network prior to a rebuild (via a Bart's PE or the like). Consequently, one would need to send a request to ". IFAS-ITNS LAN Systems" to get the filter lifted prior.
Wayne said that it is the responsibility of the local OU Admins to respond to security tickets and update their status. Do not expect Wayne to do this for you. It is very important to get infected machines off the network ASAP and update the ticket to "contained". UF Security only tracks time to containment so that is the most important metric from a response perspective.
Wayne announced his intention to enforce UAC via GPO to "prompt for credentials on the secure desktop" as a means of making it more difficult for users running as local admin to unintentionally install malware.
Message to the ICC-L from Wayne Hyde:
As stated in the ICC meeting – UAC is being enabled for Vista and Windows 7 machines in UFAD via GPO. I’ll flip the switch after some testing (currently IT and ENTNEM). Please let me know if you’d like to help test and change the setting now in your OU (or even a sub-OU) for your department.
The policy settings:
This setting will force a user who is a local admin to enter in their credentials to do administrative tasks on the machine. Since politics prevent me from forcing everyone to run as a normal user, this will have to do. (Chris will buy cookies for the folks who don’t let users run as local admins.)
There is an additional UAC setting, “Behavior of the elevation prompt for standard users,” which has the default setting of “Prompt for credentials on the secure desktop.” I am not enforcing this setting as you may wish to change it to “Automatically deny elevation requests” in some cases. The other possible setting is “Prompt for credentials.” There is no way to have it automatically elevate which is why I am not changing the default.
Now is the time for OU admins to remove their GL account from the local administrator group on their managed computers and use their IF-ADM-GL accounts for PC management duties. With the UAC change, you can still log on the machine with your Gatorlink account; you’ll just enter your if-admn-gatorlink credentials if you install software or do anything else that requires admin rights.
After some testing, Wayne determined there was a bug in Remote Assistance that threatened to foil his plans. He put out feelers asking how many made use of Remote Assistance with Windows 7 clients currently.
Message to the ICC distribution list from Wayne Hyde:
I am about to enable the UAC changes for Windows 7 clients across IFAS and would like to leave the secure desktop enabled (where it blacks out most of the screen except for the UAC dialog box). Unfortunately, there is a bug where the GPO setting to disable the secure desktop for UIAccess applications (such as Remote Assistance) is not working.
The bug causes the client (aka remote user) to get the UAC elevation prompts instead of the “help desk” side. The help desk side gets a pause screen on the Remote Assistance window.
Who currently uses Remote Assistance with Windows 7 clients in their OU?
Joe Hayden, Micah Bolen, Joel Parlin, Winnie Lante, and Marvin Newman all responded that they depended on this feature in order to support folks distributed far and wide. That led Wayne to request additional input in order to determine whether or not he could devise a suitable work-around.
Message to the ICC distribution list from Wayne Hyde:
Ok, so quite a few folks use RA and 7, which is fine.
The problem crops up when the remote user is not a local administrator on their machine and the “help desk” side needs to elevate. Due to the bug the client/remote user gets the UAC elevation prompt and the help desk side gets the pause screen. This situation means the help desk admin can’t elevate and get admin rights on the remote system.
If the client is a local admin on their machine, they can always enter credentials in the UAC dialogs.
With that said, how many people who use Remote Assistance have clients who are not local admins?
The temporary fix is to disable secure desktop until a fix is available and then I can re-enable secure desktop. I am just trying to avoid having to disable the SD.
Since this is a situation that is easy to see firsthand but difficult to explain, Wayne added a few details explaining the situation.
Message to the ICC distribution list from Wayne Hyde:
To clarify, the UAC issue pops up when the help desk side requests control of the client. The client gets a window asking if they want to allow remote control:
They *should* be able to check the box and click ‘Yes’ which will enable the remote tech to handle all UAC prompts. Unfortunately, once they click ‘Yes’ they are greeted with:
The client can still click ‘No’ or cancel the dialog and the Help Desk tech will have remote control. They will not, however, be able to do anything that requires UAC elevation – the local user will still get the UAC prompts.
The MAG group is working with Microsoft on the issue. There is no ETA on when or if a fix will be available.
Finally, Wayne decided to enforce the changes as originally planned, but detailed a work-around for issues which will arise due to this bug.
Message to the ICC distribution list from Wayne Hyde:
I am going to go ahead and configure UAC to use the secure desktop and require credentials for elevation. By default Windows 7 uses the secure desktop and users without administrator rights must enter credentials for elevation. The GPO will force administrators to enter credentials instead of simply giving consent. (i.e., click yes if you want to install this malware)
Since the secure desktop is currently being used by default, my change will not break anything that was not already “broken.”
The steps to open a remote assistance session for Vista/7 clients:
If the client user has local administrator rights on their machine
If the client user does not have local administrator rights
Steve has written two handy scripts that use psexec to do the dirty work for provisioning the temporary account. The first will create the local account on the remote system and add it to the administrator group. The second script deletes the account. The scripts will get published on the ICC webpage and also get sent here after some testing is done.
The pictures referenced above:
Picture #1 – client side dialog
Picture #2 – sample chat dialog
Picture #3 – client side disable secure desktop UAC prompt
This isn’t perfect and requires a minute of extra steps, but it is still usable.
Scripts for adding/removing a local admin account to a machine:
CRLA.CMD (Create Remote Local Admin) *********contents******** @echo off if "%1" == "" goto error if "%2" == "" goto error if "%3" == "" goto error echo executing... psexec %1 net user %2 %3 /add psexec %1 net user %2 %3 /add echo executing... psexec %1 net localgroup "Administrators" /add temp psexec %1 net localgroup "Administrators" /add %2 echo Account "%2" created as local admin on "%1" goto end :error echo You must specify a remote computer name, an account name, and a password! echo usage CRLA \\if-computername localaccountname password :end *******end contents****** DRLA.CMD (Delete Remote Local Admin) *********contents******** @echo off if "%1" == "" goto error if "%2" == "" goto error psexec %1 net localgroup Administrators %2 /delete psexec %1 net user %2 /delete echo Account "%2" removed from "%1" goto end :error echo You must specify a remote computer name and an account name! echo usage DRLA \\if-computername localaccountname :end *******end contents******
Replacement campus print server is being readied (previous discussion)
The migration is planned for two weeks from today and it is important that folks test out the new server prior.
Santos Soler posted the following just yesterday:
Message to the ICC-L list from Santos Soler:
We have been working on a new print server. We need to make sure printers work as expected. You should have access to ALL the printers in your area, please let us know if we are missing printers or if printers need to be added or removed.
We are using universal drivers when possible, this may cause some issues.
Please test that:
We are planning on moving to this new server by August 27 (in 2 weeks).
Please test ASAP and let us know if you have any issues.
One easy way to do basic testing as well as to centrally manage your printers is via an MMC console. You begin by installing the RSAT onto a Windows 7 management station. You must then enable the tools by going into the Control Panel > Programs > Programs and Features > Turn Windows features on and off > Remote Server Administration Tools. In this case you are interested in the "Print Management" tool. You then run an elevated MMC console (Windows Key + R > type "mmc" > press "Enter" and provide your if-admn credentials when prompted).
Next you add a snap-in:
The "Print Management" snap-in:
You will be prompted to specify print servers. Our current production server is "if-srv-print", but the new server which requires testing is "if-srvv-print". You might want to add both, but you can always change the list later.
You can then view your printers because the permissions for all have been applied to your if-admn accounts. You can do a test print by right-clicking on a particular printer:
That would, of course, be a very basic test but it would address the main issue which Santos has been seeing: namely that some HP printers cannot use the HP Universal print driver.
You can also select the printer properties to view the printer defaults:
Is would be good to check this configuration to see that it truly matches the features of your particular printer (duplexing, stapling, 3 trays, etc.). Winnie also mentioned it is important to check the default paper types, because sometimes these drivers switch that from what you might expect.
Andrew cautioned folks to be careful with these settings, but your if-admn accounts have full access via the console for changing those. Doing that for some of the settings could cause you problems. When in doubt you might want to consult with the ITSA group before making changes because some of these have been set for particular reasons. Things like changing drivers (in particular) would be a BAD idea without talking to them first.
More thorough testing of the features which Santos had mentioned (above) will require connecting to the printers as a client, however. On Windows 7 that is done off the Start Menu via the menu path of Devices and Printers > Add a printer > Add a network... > The printer that I want wasn't listed. Then in the "Selected a shared printer by name" box you would type "\\if-srvv-print\" and as soon as you hit that last "\" (as shown below) you should be offered a list of those printers to which you have access (this time via your Gatorlink credentials). You may have to add yourself into some security groups in order to get access to a particular printer.
Winnie Lante mentioned that the HP universal drivers have proved problematic for her in some cases. For example, in one case the printer would print multiple pages, but not multiple copies of multiple pages.
Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only
You are reminded that the ". IFAS-ICC" email distribution group does not include the broader audience which the ICC-L will reach. Plan your e-mails accordingly.
Update as available...
Steve had left this on the agenda in case further discussion was deemed warranted.
Steve wants to keep this topic on our radar.
Moving away from the IFAS VPN service (previous discussion)
Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.
VDI desktops as admin workstations (previous discussion)
This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.
There was nothing new to report this month.
OU Technical Contact email groups now in use
You should now be getting automatic FSR reports concerning file server space usage (duplicate/large files/etc.).
Computer compliance tool in production (previous discussion)
Update as available...
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Andrew Carey reported that seven of the new servers have now been deployed. He has been working with Ben Beach to get those out in the NE District. The plan is to roll throughout the various districts basically one at-a-time.
Deployment of the physical servers is just part of the process. The bigger reason this is taking so long is the actual migration of the data over to the new server; this involves a good deal of cleanup of the structure and permissions and is necessarily time consuming.
Mike Ryabin asked when Ft. Lauderdale might expect theirs because he is reworking his facilities, knocking down part of a wall to expand his area. Andrew said it is difficult to be precise because south Florida will be near the end of the list and all depends on how things go prior. Andrew does hope, however, that it will all be done before year-end. Andrew also mentioned that these servers are 2-unit rack mounts (a bit larger than the previous units) but will still go into the existing secure enclosures.
Steve asked about which sites had additional fileserver space that was not handled by these MPS servers. Andrew responded that Apopka, Plant City, and Ft. Lauderdale are certainly in that category. It might even include most of the RECs. The issue there is the need for storage beyond what has been budgeted by administration centrally. The MPS servers at these sites are at least providing DHCP if nothing else--with Lake Alfred being the single exception.
Data Protection Manager planning
Wayne Hyde reported that the purchase order for the necessary equipment just got submitted. It took three weeks to get all the information together for the lease arrangements.
Eventual move to MS Storage Server 2008 R2?
Wayne copied 8TB of data to a test cluster to investigate how much space moving to Windows Storage Server's Single Instance Storage (SIS) might save us. It turns out the savings for that test data (from our current file server) weighed in at about 25%--which is quite significant.
Changes in how the virus definitions are packaged and released will require a rebuild of the McAfee cleaner.iso. Wayne will get this done shortly; he intends to add Avira (another antivirus) onto that boot disc as well. A USB boot image is also planned; the issue there is that those (with few exceptions--those with a lock switch) are read/write and could get corrupted. The most important addition Wayne intends to make to the cleaner.iso is to give it the ability to update the virus definitions; that will alleviate him having to keep updating the .iso as well as us needing to keep burning the latest version.
Steve mentioned that he has been finding "McAfee Security Scan Plus" on a number of his user machines. Apparently, Adobe has been offering that along with updates to Adobe Reader. Steve suspects this can only interfere with VirusScan and should be removed where found.
Status of SharePoint services (prior discussion)
IFAS migrating to centralized MOSS
Steve hadn't heard any further information on when we might be migrating, but he understood that it wouldn't be until sometime after the end of the year. Steve asked if any departments were using this for "mission critical" things yet. Winnie mentioned that her department had been using it for their fiscal shadow system (PeopleSoft simply doesn't provide all the details units require, which necessitates keeping local shadow systems of fiscal data). This was begun by Michelle Quire who has since left the department and Winnie finds SharePoint management (particularly the permissioning) somewhat less than intuitive.
Steve mentioned that he has created sub-sites for both his fiscal and graduate coordinator groups, but really hasn't encouraged them to use those yet. He prefers waiting until we are migrated centrally to see how that transition goes.
Dennis Brown mentioned that one of his faculty is using SharePoint for collaboration within his lab and really likes it. Winnie added that Fisheries is using that similarly for several of their lab groups.
Steve mentioned that he has been concerned with the permissioning model as well. We worked hard to keep that sane and maintainable for the file server, but Steve doesn't see any way to encourage (let alone enforce) any particular standard on SharePoint. Those in charge of sites within their unit can basically do anything and permissions will become an enormous tangle over time he fears.
Dennis asked about collaboration with outside individuals via SharePoint. Steve responded that even though SharePoint allows for local (non-UFAD) accounts, the overhead in maintaining that is too great. Consequently, the solution is to have your Directory Coordinator create an UFID for outside individuals so they can get a Gatorlink account. They can also add the "Departmental Associate" role to provide additional rights such as email for those.
Dan Cromer mentioned that Fedro Zazueta is in charge of a project first initiated by Mike Conlon which has been on the back-burner prior but is now beginning to receive attention. This involves creation of a second level of UF association for Gatorlink accounts which would permit controlling access for less formal associations. Functional and technical descriptions have been posted prior. This will allow a web interface via which anyone may sign up for their own Gatorlink account. Obviously, the permissions for accounts in this category will be more strict but it should be quite handy for such things as permitting in anonymous SharePoint access. This is something which will be great for our extension programs like the Master Gardener, for example.
Steve noted that GLAuth is going away in favor of Shibboleth and asked Dan if IFAS was prepared; Steve wasn't sure that IFAS even used GLAuth much. Dan responded that In-service Training (IST) has been converted. The Bookstore Application is almost there. The portion of the IFAS Directory where the Directory Liaisons make changes also uses GLAuth currently and will have to be converted.
Steve asked where we were with regards to requiring this separate database for IFAS. Dan Cromer responded that the database was first of all useful because it is easier to search three thousand items rather than the million and a half that are in PeopleSoft. Also, we have fields in there such as "Specialty" which are not implemented in PeopleSoft. Other items include things like the salaries for Courtesy Agents which are paid by Counties, and faculty appointment percentages for teaching/research/extension. We also use the IFAS Directory for some of our dynamic listserv lists such as IFAS-ALL-L, IFAS-Extension-L, etc. Dan's goal has been to coordinate with PeopleSoft to get those fields added centrally so that there was a single master database from which to extract information.
Steve wondered how good a job the various Directory Liaisons were doing with keeping the IFAS Directory up-to-date. He had the impression that this may have slipped close attention in his own department, though he might be wrong. Dan mentioned that he had tried to coordinate with IFAS HR to have the database maintained more centrally but the director said she would need additional staff in order to do that. Unless things break so horribly that upper administration decides this is a priority, it appears we will have to continue to limp along with a difficult to maintain/manage distributed editing system.
Nothing further was available on this topic at this time.
The August Microsoft patches included fourteen bulletins overall covering a record-tying 34 vulnerabilities! Twelve of the bulletins affect Windows (seven Critical and five Important). Two bulletins affect Microsoft Office; one Critical and one Important. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
The Microsoft Baseline Security Analyzer 2.2 was released last Friday.
A new version of Flash (v10.1.82.76) was released on Tuesday to address critical vulnerabilities. In Steve's experience you must uninstall all versions first or the old files remain. In case you missed it, last month Steve published a way to do this remotely via PsExec. It is also worth mentioning that Adobe AIR should be uninstalled, er... upgraded to 2.0.3 as well.
There is a critical flaw in Reader/Acrobat for which Adobe is expected to release an out-of-cycle patch the week of august 16th
MS Office News update
Steve wanted to remind folks that he has created a new 32-bit Office 2010 installation point (ufad\if-admn credentials required) for everyone's use.
Dan Cromer mentioned that he has been trying out the Beta of Microsoft Office 2011 for Mac. It has Outlook instead of Entourage and includes Office Communicator for the Mac as well. Dan feels this will be a good step up from the current Mac Office package.
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Steve wants to keep this item on the agendas in order to address potential future concerns.
Issue with 64-bit SAS on Windows 7
Winnie Lante mentioned that she had received a notice from Software Licensing Service (SLS) that they have new media for supporting a 64-bit SAS install on Windows 7. Winnie mentioned that she has been installing it successfully prior w/o issue, however. James Hardemon cautioned Winnie that the installation required being logged on with a local admin account (i.e., not just a domain account that was a member of the local Administrators group on the computer. Steve confirmed that this has been his experience. Steve particularly hates this latest Win7-suppported install because it requires multiple and repeated swapping of discs during the install process. Steve has yet to try copying those to a network location to see if installation over the network could circumvent that.
When to use 64-bit Windows 7
We had a brief discussion about 64-bit Windows 7 and when that would be appropriate. Winnie is using it on machines that have 4GB or more of RAM. Andrew suggested that it was appropriate for any machine that was capable of holding more than 4GB of RAM. Steve mentioned that he is still installing 32-bit Win7 on machines with 4GB of RAM. His thought was to leave room for future upgrades to 8GB of RAM and would move to 64-bit at that time. He is somewhat cautious of the need for signed drivers. As for software support, Winnie said that she has been successful with SAS, SPSS and ArcGIS on the 64-bit platform. Dennis Brown mentioned having an issue with drivers for the Fujitsu Snap scanners; the 64-bit drivers are not available for direct download apparently--but one can fill out a form to request them.
Polycoms falling out of maintenance
Francis Ferguson mentioned that the most recent large Polycom purchase was nearly three years ago (74 units in Nov. 2007) and those system will all be going off maintenance. He was wondering if anyone was following up on that issue. Dan Cromer responded that maintenance extensions would be up to the individual units ($880 for a year or $2000 for three years). Assistance for placing the orders would be provided, however, and Lance Cozart could be contacted about that.
When Steve looked into the costs in the past, they seemed incredibly expensive. Steve dislikes that even firmware updates require a full hardware maintenance contract, feeling that it amounts to extortion. Frankly, his department has saved enough money over the years by NOT purchasing maintenance to buy a whole new unit. Dan Cromer mentioned, however, that the VSX 7000's have had quite a few issues over our various units.
Dan keeps hoping that OC with web cameras/microphones can replace a good deal of our Polycom usage needs in the near future. Cost considerations may move that along fairly rapidly.
PDF-Xchange (prior discussion)
Updates as available...
Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL
Updates as available...
The meeting was adjourned early at about 11:30 AM