

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM July 11th 2014 REGULAR MEETING


A meeting of the ICC was held on Friday, July 11th, 2014 in the NEW UF/IFAS Communications Building. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-five members participated.

Remote participants: Tom Barnash, Bill Black, Dennis Brown, David Depatie, Kevin Hill, Wayne Hyde, Al Ibanez, Chris Leopold, John Macias, Kamin Miller, Mike Morrow, Scott Owens, and Jonathan Potts.

On-site participants: Jimmy Anuszewski, Dan Cromer, Angelo Daniels, Francis Ferguson, Tennille Herron, Winnie Lante, Steve Lasley, Matthew Nash, Karen Porter, Santos Soler, Raichel White, and Wendy Williams.

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman

Election results!

The new ICC Chairman (and friend)

Jimmy Anuszewski (shown above with friend) won the election by 6 votes (22 vs 16) or a bit less than 58%. Congratulations! For the details of who participated in the voting go to the ICC Membership page.

Steve is looking forward to stepping down but will certainly help Jimmy and Dennis (who had agreed to continue on as co-chair) get up to speed with whatever duties he formerly handled that they might wish to continue.

Member news:

Angelo Daniels has replaced Mari Jayne Frederick at TREC. We were very fortunate in having Angelo at the meeting today in person and enjoyed introducing him around our group. Welcome Angelo, and please let us know if we can be of assistance!

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Security:


New draft security Standards and Policies (previous discussion)

New draft documents for External IT Vendor Sourcing (Standard), Information Security Risk Assessment (Standard), and Information Security Risk Management (Policy) are now available for review at https://security.ufl.edu/it-workers/.

UF Security is soliciting feedback on these proposals; they have noted that very little feedback has been received on previous drafts and would obviously appreciate more.

Implementing the Mobile Computing Security policy (previous discussion)

Updates as available...

Patching updates... (previous discussion)

Microsoft

The July Microsoft patches included 6 bulletins (2 "Critical", 3 "Important", and 1 "Moderate") covering 29 unique CVEs in the usual suspects. A risk assessment is available here.

Adobe

There was a security update for Flash Player on Tuesday.

Java

The scheduled quarterly updates are expected on Tuesday, July 15th.

Apple

Apple iOS 7.1.2 was released at the end of June fixing numerous security issues.

Other

Updates as available...


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


In response to prior questions, Patrick Pettus had provided the following details about recent changes:

No need for anyone to make any changes to the gatekeeper settings. Nearly all of the sites that needed to move to the new gatekeeper have been moved. However this Sunday's change will not affect gatekeeper registrations, and any of the three gatekeepers 128.227.156.74, 128.227.156.75, and 128.227.8.45 will work for now. For any future changes to GK registration we will either take care of them for you, or coordinate with you to change them at the appropriate time.

Sunday's change [June 29th] is to the MCU (bridge) IPs. Any site that is registered with one of the gatekeepers above will be able to connect to any of the four MCUs using the conference ID numbers (783xxxx) as they always have.

The only change will be for sites that have been connected by dialing the MCU IP address: 128.227.156.80, 82, 83, & 86. Those will now be 10.227.156.80, 82, 83, & 86, and by moving to private IP will no longer be reachable by IP from outside the UF network. I know of only two that do this consistently and we have contacted those sites directly.

In short, if you can connect to the test conference 7837777 today, you will be able to connect to any conference after the change takes place on Sunday.

Steve asked if any folks had experienced difficulties with this transition. The only issue Steve noted is that he hasn't been able to access streaming via a browser since the change; he is using the private IP address equivalent, but when he logs onto the stream the audio/video never connects. Steve hasn't had the time to ask Patrick about this yet.

Kamin Miller relayed some issues that Javier Real has experienced connecting via Jabber using confId@uc.ufl.edu from a couple of different sites...one in Lake Alfred. More details might help with any diagnosis there, but Steve would suggest getting with Patrick Pettus for resolution in any case.

Steve said he hadn't tried confID@uc.ufl.edu dialing with either Jabber or Lync but assumed it was working. Kamin Miller pointed out that Lync 2013 won't work with the bridge; Dan Cromer added that this is an incompatibility between the Lync 2013 client and TMS. The move to Acano will solve that problem apparently; the hardware and software licenses for Acano have been purchased and it's just a matter of getting it going.

Winnie asked about configuring Jabber, wondering if the new instructions at https://video.ufl.edu/conferencing/videoconferencing/help/jabber/ needed to be applied. They do indeed, as the External Server hostname has changed from vcs.video.ufl.edu to at-vcse01.video.ufl.edu. [Note: to change the settings you must be logged off...something not mentioned on the web page.]

Endpoint security concerns (previous discussion)

Updates as available...

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates as available...

Possible end-point refresh in the works (previous discussion)

Updates as available...

Movi/Jabber Updates (previous discussion)

Updates as available...

End-user Scheduling (previous discussion)

Updates as available...

Lync updates (previous discussion)

Updates as available...

Blue Jeans (previous discussion)

Updates as available...


WAN (previous discussion)


Updates from James Moore

Updates as available...

Wireless printers (previous discussion)

Mari Jayne Frederick had asked that this be discussed. Dan Cromer has stated that UF Network Services has this on their ToDo list; basically, what is needed is an authorized way to wirelessly attach printers to the UF network.

Dennis Brown had pointed out that Wendy Williams is using Collobos software to support printing from mobile devices; this might be another part of a solution.

VoIP at RECs

Updates as available...

Phone bills to be paid for centrally? (previous discussion)

Updates as available...


Policy


Cloud Services (previous discussion)

Updates as available...

Notes from last month's SIAC meeting

Updates as available...

Last month's IT Directors Meeting Notes

Updates as available...

PrintSmart initiative (previous discussion)

Updates as available...

New IT Service Management Initiative

ITSM Awareness Training is now available; this apparently will be required of any IT staff that will use the service management tool. To access the ITSM Awareness Training Course, login to myUFL > My Self Service > Training and Development > Request Training Enrollment and search for OIT100 ITSM Awareness.

Content Management System (CMS) for UF: Entering preparation phase (previous discussion)

Tennille Herron hosted a webinar on the plan for IFAS moving to T4 back on Thursday, June 19th; a recording is available. During that webinar, Tennille pointed to a UF/IFAS TERMINALFOUR FAQ where the IFAS web team has posted further information.

There was some confusion over whether or not this migration would be mandatory. Dan Cromer had responded that, though migration to Terminal 4 is optional for Web sites not in WordPress, it is mandatory for WordPress sites supported by IFAS IT, and he would expect this can be accomplished in two years or earlier. IFAS IT is not planning for WordPress services to continue into the next IFAS central server refresh in fall, 2015, though the current server system can be continued through that time. The long-term gain in ease of use, coupled with ease of support for Terminal 4, makes this potentially difficult transition worth it.

There is also confusion about templates and how much leeway departments will have in modifying those; apparently not much. Here is the tentative timeline for migration:

T4 Migration Timeline

On July 3rd Tennille provided a Web Services Update.

Tennille pointed folks to FAQ#12 which states:

12. I am a web maintainer, what should I do while I wait for access to TERMINALFOUR?

  1. Clean your web directory (remove broken links and unused files, then update the content on your website).
  2. Fill-out a Website Communication Strategy Form and then contact webteam@ifas.ufl.edu stating that you have completed the form.
  3. Both the point person and decision-maker will attend a meeting with the UF/IFAS web manager. If the point person and decision-maker are not the department head or director, the director or department head will need to attend the initial meeting to discuss the migration and planning of their website to TERMINALFOUR.
  4. After the meeting you will need to fill-out and return a homepage questionnaire. This questionnaire will help you determine your menu structure, sitemap, and layout of your new website into TERMINALFOUR.
  5. Refer to FAQ #4 to download and begin reading the end-user training manual.

Tennille was on-hand at the ICC meeting to explain about the IFAS Web Maintainers Advisory Taskforce (aka "Web Rebranding Committee") whose members are:

  1. Jennifer Sykes
  2. Jennifer Hugus
  3. Rhiannon Pollard
  4. Tracy Bryant
  5. Robert Wells
  6. Michael Morrow
  7. Jennifer Gillette-Kaufman
  8. Robin Snyder
  9. Santos Soler
  10. Jimmy Anuszewski

It is apparently the job of this committee to inform UF/IFAS Web Services on web elements (template items) that need to be included in the template that possibly are missing--i.e., what elements appear and where. Tennille is not on the committee, but will receive a report from the committee detailing their input.

Jimmy is going to T4 training during October in Boston; more details are available at http://www.terminalfour.com/tforum/. Tennille pointed out that UF will be providing training for end-users as well as for web-developers. IFAS plans to supplement this as well, with a focus on the various page layout options that our templates will provide.

Wendy Williams raised questions about whether or not we would be able to control our own web sites. Steve mentioned that change is always difficult, especially where people fear losing control over what they had managed in the past. That is where many of these questions come from. Obviously, the whole point of a Content Management System is to gain control for the entire institution. We have been so distributed in the past that we have all gone different ways and various folks have developed various cool ways of doing many and varied things. Bringing that all together where we can do all the things we want, though perhaps some a bit differently, is difficult.

Tennille agreed adding that it is particularly difficult to address some of these questions currently because there are so many details that are still unknown to us. Tennille expressed her intentions of communicating what is learned in migrating the early adopters so that later migrations will experience less ambiguity as the migration proceeds. In short, there will be more information to share as we get farther along.

Authentication Management policy draft (previous discussion)

Updates as available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates as available...

KACE (previous discussion)

Updates as available...

CNS working to implement NAC for UF wireless (previous discussion)

Matthew Nash kindly provided a screenshot of what appears to be a Safe Connect Administrator's interface that he received from the UF Computer Help Desk when they were helping him solve an issue where MSE wasn't being detected:

Safe Connect Administrator's interface

Not only do they have tools we were not aware of, they have been recording some information that we did not realize they were monitoring.

UF Exchange updates (previous discussion)

Dan reported that the move to Exchange 2013 is now scheduled for September; they had hoped to get this done over the summer but that didn't prove possible. Dan asked if the ICC was willing to move to the 2013 server as early adopters; there were no real objections to that.

Dan noted that recent phishing schemes have been successful in part; those who fell for that are now listed on the "From:" field of additional spam. Dan put out a message to IFAS-All-L about this.

Another good resource to point folks to is at https://security.ufl.edu/learn-information-security/protect-yourself/email/email-safety/ and its associated links -- as pointed out by Matt Nash.

Outsourcing of student e-mail

It turns out that Office 365 mailboxes and Exchange mailboxes via service accounts don't get along together in Outlook. This makes the idea of having two mailboxes for student employees much less fun.

Winnie Lante had reported: "We have a part time student working for us with the Office365 mailbox. I had Scott Owens grant her permission to a service account mailbox. The account loads to Outlook fine but no matter what we do she cannot send on behalf of that service account. All she can do is send from her 365 mailbox. If she replies to a message that comes into the service account it goes out as if it came from her own mailbox. The "From" field is there but it will reject the post if she selects the service account. She also is unable to share a calendar with an Exchange mailbox. No sharing in either direction. So now we are forced to have her use the service account in Webmail."

Dan Cromer had shared this response from the mail team: "Yes, delegation cross-premises has a number of known caveats[1]. Signing on to the service account directly, via OWA or a configured Outlook profile, is going to be the cleanest solution. We have documented some of this here[2,3] but it should probably be rewritten and restructured to make the limitations, workarounds and scenarios more clear."

  1. http://support.microsoft.com/kb/2807149
  2. https://connect.ufl.edu/it/wiki/Pages/UFHybridExchangeOffice365forITAdmins.aspx
  3. https://connect.ufl.edu/it/wiki/Pages/O365andStudentEmployees.aspx

Winnie had been having her OPS log onto the computer with her GatorLink; what might be easier is to have them logon with the service account. Since there is a one-to-one relationship we will still be able to know who is using the computer at a particular time and thus meet UF security requirements. If things are done this way the OPS can use Outlook with UF Exchange via an On Premises mailbox (where our Tier 2 person Scott Owens can assist in setup) and use OWA for their student Office 365 account.

Outlook asking for re-authentication

Updates as available...

Canvas Selected as the Centrally Supported Course Management System (previous discussion)

Updates as available...

Alternate IFAS domains in e-mail (previous discussion)

Updates as available...

Split DNS solution for UFAD problems (previous discussion)

Updates as available...


Projects


New web cluster (previous discussion)

Updates as available...

Windows 8 Deployment? (previous discussion)

Updates as available...

SCCM for IFAS

Updates as available...

Exit processes, NMB and permission removal (previous discussion)

Updates as available...

Services Documentation: Is a Wiki the way? (previous discussion)

A wiki has been created at http://my.ifas.ufl.edu/wiki/icc/. Everyone in the ICC distribution group should be able to add/edit.

Operations


Moving from McAfee VirusScan to Microsoft Endpoint Protection? (previous discussion)

Updates as available...

Print server (previous discussion)

Updates as available...

Recording lectures for Distance Education (previous discussion)

Updates as available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates as available...

VDI desktops as admin workstations (previous discussion)

Updates as available...

Wayne's Power Tools (previous discussion)

Wayne had added a column to his OU users page within WTP that lists whether or not a user has "Student" status. You can also run the query sorting on "Password Set" to get a list of likely orphaned folders. Steve plans to use this to clean up Home folders that were created way back when we migrated to UFAD but were never used; most of those are for Faculty Associates at the USDA and other places. There is no sense in having them clutter up things if they never use resources here and it makes sense to clear their NMB settings until such time as they may actually need that.

Computer compliance tool update (previous discussion)

Updates as available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates as available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

Updates as available...

ePO updates (previous discussion)

Updates as available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates as available...

Public folder file deletion policies and procedures status (previous discussion)

Updates as available...

MS Office News update (previous discussion)

Updates as available...

Job Matrix Update status (previous discussion)

Updates as available...


Other Topics


Permissions on file server: Home folders

Dan Cromer had wanted to discuss multiple access to user folders. He could think of only one reason for this to be allowed, when one person leaves and another person needs temporary access. In fact, this could be accomplished without providing access to another user's folder by having admin move the needed folder to another appropriate folder, either Unit or Private. Dan wanted to re-emphasize the standard configuration and usage of Unit, Private, and User folders.

Steve began documenting permissions of the file servers a few weeks ago under the new ICC wiki under the topic "How should permissions be configured on the various shared folders?" and Santos has continued that process.

Wayne Hyde expressed his concern about broad and basically uncontrollable access to unit folders. Steve had thought that those with the "UF_PA_IDM_NETMGR" role could only set NMB to point to their own OU(s) or clear them; it turns out that anyone with that role can set NMB for anyone to any unit. Wayne feels (and Steve agrees) that this situation makes it very important to control what information is posted to such folders. This isn't being handled very well in most cases currently and is truly out-of-hand in many cases.

Steve pointed out that he clears his Unit folder every weekend and has labeled it so folks are aware:

Entomology's Unit folder

It had never occurred to Steve to use Entomology's Unit folder for any kind of permanent storage. Apparently Entomology is in the minority on this, however; many use the Unit folder to distribute templates and other such materials. There was considerable discussion about trusting units to use these resources properly, but the fact is many are not and keeping things as they are is just an invitation to a breach that IFAS will sorely regret.

David Depatie expressed the importance of teaching users about how to best use the file server and all agreed that user cooperation is an important part and maybe the most important part of all this. There is more that can be done to lead folks in the proper direction, however. Steve pointed out that it has always puzzled him why his unit is the only one (at least that he knows of) that redirects My Documents to the Home folders for folks.

Wayne has a plan to rename Private to Groups for our workgroup shares, but there are technical reasons related to our backup methods why this should be done at the next fileserver refresh and not before.

Wayne mentioned that Santos has created scripts to automatically create Home folders; this should help encourage proper use of the file server.

[Note: there are portions of Wayne's Power Tools that can help with cleanup of Home folders as mentioned earlier in these notes.]

Wendy Williams took the position (and Dan Cromer agreed) that either ITSA should take away the Unit folders because they are too unsafe, or ITSA should let us use them while providing the tools to help monitor them. Santos pointed out that monitoring is really only possible when dealing with a small number of files and folders; the size of most Unit folders makes this a nearly impossible task, however, in his opinion.

There was considerably more discussion on this topic. It is obviously good to raise this topic often to make/keep all OUadmins aware of the risks. It will be a continual struggle and hopefully we can continue to move gradually towards a more secure and maintainable situation. It won't happen overnight, but it won't happen at all unless we all remain vigilant.

SAS depot updated

The SAS 9.4 installation depot (\\ad.ufl.edu\ifas\SOFTWARE\SAS\SAS9.4 ) has been updated to permit installation on Windows 8.1.

FAQs for new hires

Updates as available...

Adobe licensing (previous discussion)

It was pointed out that the licensing forms initially provided no way to specify two machines for those user-based licenses that are to be used on two UF-owned machines. James Hardemon had responded that he would be correcting the form to address this issue. He wanted people to realize that when using the second installation on a second UF computer they will not have access to a home use license.

Getting rid of Windows XP

Steve noted that there were still 1350 XP computer objects and even 31 Windows 2000 computer objects in UFAD last he checked.


That's All Folks!

The meeting was adjourned by our new chairman, Jimmy Anuszewski, roughly 15 minutes before noon. Steve wants to thank everyone for attending today's meeting and trusts that they will continue to do so under Jimmy's (and Dennis's) excellent leadership in the upcoming months. It has been a pleasure writing these notes for the past 12+ years, but Steve is also pleased to pass the baton on this and his other ICC duties.

Take care all and I hope to see you at the next ICC meeting!