IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM January 9th 2004 REGULAR MEETING
A regular meeting of the ICC was held on Friday, January 9th, 2004. The meeting was chaired and called to order by Steve Lasley, at 10:00 a.m. in the ICS Conference Room.
PRESENT: Sixteen members participated. Remote participants: Jack Kramer, Joel Parlin and Kevin Hill. On-site participants: Mike Armstrong, David Ayers, David Bauldree, Robert Boden, Jenny Brewer, Dennis Brown, Dan Cromer, Joe Hayden, Tom Hintz, Steve Lasley, Helena Niblack, Mark Ross and John Sawyer.
STREAMING AUDIO: John Sawyer kindly handled this in Dwight's absence and it is available here. Note that there were initially microphone problems and the first 6:40 is blank.
NOTES:
Steve Lasley reported that Roberto Ramirez was leaving ICS and would no longer be available to run the Polycom video equipment. Tom Hintz assisted with setting up the Polycom for initial use and Mark Ross monitored the unit during the meeting (as well as providing a projector and laptop for the meeting). Mark has offered to perform this service in the future. There were issues with the new MCU software that were not resolved during the meeting, but can hopefully be fixed by next time. As a result, the conference used sound only.
As Kevin Hill joined late, we began with John Sawyer reporting on the upcoming ePO upgrade. John is waiting on Dwight's return to assist with the SQLserver ties but should be ready to move to the updated ePO server software very soon. This move will also entail having all ePO admins upgrade their ePO management console clients. Availability of that software will be announced when the move is imminent.
John Sawyer also reported that the Patchlink software purchase has been made and that he has received an installation CD as well as a Patchlink T-shirt. The software will live on the same server as ePO. John expects to begin testing next week using Jenny Brewer's district as a remote test site. He intends to organize it similarly to the way ePO is organized in terms of groups. The management interface is web based. Kevin Hill and Jack Kramer asked about using PatchLink to push Viruscan patches rather than using ePO. John mentioned the lack of reporting features inherent in that method. John said that a separate meeting will be held to discuss the various details of how admins may implement this patching solution.
Steve Lasley referred members to a link that John has emailed to the list on Deploying Internet Connection Firewall Settings for Microsoft® Windows® XP with Service Pack 2. It is recommended reading. Scot Finnie's newsletter had a good report on the beta of Windows XP Service Pack 2 as well. (Note: links to this and other newsletters can be found on the ICC Peer Support page.) Jack Kramer asked for further info on Kerio Personal Firewall. John will check into the status of a UF purchase of that and let us know.
Jenny Brewer reported that the anti-SPAM effort was chugging along fine. She has stopped the "zero SPAM" reports that she had turned on for a short while. About 100 blocked messages are being retrieved a day (out of 20k), so it seems to be working well. Few if any are reporting false positives. Because of Jenny's efforts in helping test their beta software, we have been given a free license for ESATInformer. Good work, Jenny! Currently, emails with naughty words in the subject are being tagged and released; Jenny would like the ICC to gauge user acceptance of not delivering such emails at all. For the time being, all users will continue to get notices of blocked emails; the originally planned year-end opt-in date has been moved to the end of January. In the meantime, Jenny is working on a better report retrieval system. Joe Hayden mentioned that Hormel is suing folks using "SPAM" in their product names; apparently their use of all caps is their main gripe.
There was a brief discussion by Jack and Kevin as to why they don't use ePO currently and why they wish to use Patchlink to handle anti-virus software installation and (possibly) virus definition updates.
Kevin Hill gave a brief status report on the Active Directory project. Mike Kanofsky, of UF-AD, has a working process for pushing Gatorlink user/password info into SQLserver and from there populating at least a shallow user OU structure within the UF-AD. The user-side OU structure which the ICC passed on last meeting has been forwarded to Mike for his use in creating the structure for our user accounts. A few holes in that structure were found and are in the process of being resolved. There is a prototype webpage for changing Gatorlink/AD passwords. Mike has created a couple of administrative accounts so that we can begin to pass on authority to ICC members to give them a chance to try out group policy tools and the like and get some practice with the new setup. We still need to flesh out our implementation timeline. The IFAS AD lead position is being reposted for another week and we hope to move forward quickly on finding the best candidate. The domain controller security issue is moving along and allowances for those are expected. Steve noted that he has added links on the ICC AD Deployment page to documentation on the new Group Policy Management Console.
Dan Cromer discussed the issue of written IFAS IT Policies. What little currently exists is documented at http://imm.ifas.ufl.edu. Section 6C1-6.140 is for Information Technology; the only entry there so far is the establishment of the ITPAC, though 6C1-6.90-2 on Identity Standards requires use of ifas.ufl.edu for e-mail and Web pages. (It was noted as an aside that this page itself violates the wordmark policy.) Dan related that he doesn't think we should write policies where things are working OK. Dan also distinguished between verbal policies within his central IT organization (e.g., we have only certain platforms and applications for which we provide Helpdesk support) and official written policies. For the latter, he suggested that if the ICC had particular policies in mind, we could develop formal recommendations that would be brought to ITPAC and, if approved, from there make their way into the IMM system. Dan mentioned that he had one such policy issue in mind, that being a very general statement that "Email is an official communication of IFAS". This would mean that every IFAS employee is responsible for checking their email daily or delegating that task to a subordinate. Jenny mentioned the difficulties that she is having in coding a web application for retrieving blocked emails that is platform and browser independent. She suggested that Outlook should be designated as the official IFAS email client.
There was a brief discussion of the new UF OIT Standard - Authorized Email Flow proposal whose announcement is listed below:
The ITAC-ISM committee is proposing the following email standard. Four steps follow and they are tentatively scheduled to start in February. The first step recommends blocking nomadic populations (dialup and wireless) from establishing outbound port 25 connections to off-campus servers. In March, nomadic populations will be restricted to smtp.ufl.edu and SMTP AUTH will be enabled. In April, nomadic populations will be required to use SMTP AUTH on smtp.ufl.edu. Finally, in May, all campus outbound port 25 traffic will be restricted to registered campus mail servers. Your comments on this proposal are appreciated.
http://net-services.ufl.edu/security/admins/email-std.shtml
Current requirements for registered email servers include:
1) Reverse DNS
2) Administrative and technical contact information
3) Unit ISM approval
A web request form will be provided to register campus email servers that require port 25 open to the internet. It will be available soon from the Network Services web site. Contact information will be maintained in the Network Services database linked from https://net-services.ufl.edu/.
If you manage an email server, you can protect your server from spam zombies and other forms of abuse and misuse with authentication, encryption, and relaying only from trusted networks. It is becoming more accepted that best practices for email servers include authentication and encryption. Managers of campus email servers should be working towards these goals.
Other measures being investigated include secure web proxies for WIPA and other areas to help protect against client-side browser exploits that appear to be the cause of the recent rise in spam zombies.
If you have questions or concerns regarding this matter, please reply to this email as soon as possible.
Thank you,
Network Services
Net-Services@lists.ufl.edu
(352) 392-2061 suncom 622-2061
Home page: http://net-services.ufl
John related that UF IT is working toward reducing spam zombies and things of that nature. This proposal would restrict all outbound port 25 connections except from authorized email servers. Initially this would be done for dialup and wireless, but later for all. This would stop zombies from spamming through outside email services--the sort of thing that gets UF blacklisted by various services. This means folks on campus won't be able to configure an email client to send mail via outside email servers (although they could check mail). Web-based methods would of course work for sending from such outside email services. UF soon will be running SMTP AUTH on smtp.ufl.edu to prevent infected machines from pounding UF email servers--much as IFAS recently did. All authorized email servers will soon need to move to using authentication for outgoing email. (Note: John reports that there is now talk of limiting the SMTP AUTH requirement to only nomadic populations so it does not break Netscape 4.7 users.)
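To make the four-step rollout concrete, here is a small policy evaluator written for these notes (not UF Network Services code) that decides whether an outbound TCP/25 connection would be permitted in each phase. The registered-server list and host names are constructed; only smtp.ufl.edu and the phase rules come from the announcement above.

```python
from dataclasses import dataclass

CAMPUS_RELAY = "smtp.ufl.edu"            # the relay named in the proposal
# Constructed registry of servers that completed the Network Services web form
REGISTERED_SERVERS = {"smtp.ufl.edu", "mail.unit.ufl.edu"}
PHASES = ("feb", "mar", "apr", "may")    # the four steps in the announcement


@dataclass
class Connection:
    src_host: str
    nomadic: bool        # dialup or wireless population
    dst_host: str
    dst_on_campus: bool
    auth: bool = False   # client will authenticate with SMTP AUTH


def decide(conn, phase):
    """Return (allowed, reason) for an outbound TCP/25 connection in the given phase."""
    step = PHASES.index(phase)           # raises ValueError for an unknown phase
    if conn.nomadic:
        if step == 0:                    # Feb: no off-campus port 25 for nomadic users
            if conn.dst_on_campus:
                return True, "on-campus destination"
            return False, "nomadic hosts may not reach off-campus port 25"
        if conn.dst_host != CAMPUS_RELAY:   # Mar onward: smtp.ufl.edu only
            return False, "nomadic hosts restricted to smtp.ufl.edu"
        if step >= 2 and not conn.auth:     # Apr onward: AUTH mandatory on the relay
            return False, "SMTP AUTH required on smtp.ufl.edu"
        return True, "campus relay"
    # Wired campus hosts are untouched until the May step
    if step == 3 and not conn.dst_on_campus and conn.src_host not in REGISTERED_SERVERS:
        return False, "only registered campus mail servers may send port 25 off campus"
    return True, "permitted"


def rollout_table(conn):
    """Map each phase to whether this connection is still allowed."""
    return {phase: decide(conn, phase)[0] for phase in PHASES}


if __name__ == "__main__":
    # A wireless laptop sending through an outside ISP relay: blocked from Feb on
    laptop = Connection("wireless-laptop", True, "smtp.outside-isp.example", False)
    print(rollout_table(laptop))
```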
Dan raised the point that IFAS has a policy that does not allow forwarding from Exchange to an outside email service such as AOL; however, it is not clear whether this is documented anywhere--even as a recommendation.
Mark Ross discussed his proposal for setting up NAS boxes centrally for backup instead of local tapes & changers. He had gotten little response on this. This would necessarily be a campus-only solution initially, although the possibility would exist for providing remote NAS boxes as well. The main need right now is to get an estimate of the amount of storage various units might need. It would be useful to have this broken down by function, e.g., administrative, research, teaching and extension. All ICC members were urged to estimate such backup space needs and get that info to Mark or Dwight so that this could be used to develop a cost estimate for instituting such a central service.
Mark also initiated a brief discussion on spyware/adware and the problems inherent in dealing with that. Adaware, Spybot-S&D and HijackThis were mentioned as the best tools to use in removing such things; however, the time involved is considerable. There is a setting within McAfee VirusScan (On-Access Scan Properties >> All Processes >> Advanced tab >> Find potentially unwanted programs) to help prevent, or at least notify of, attempted installations--however its efficacy was questioned. It was recommended that this setting be pushed down from ePO as a default. It was noted that some malware programs actually change registry key ownerships to hinder uninstallation and that there is one which adds a hosts file entry that prevents updating of the Spybot definitions.
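The hosts-file trick mentioned above is easy to check for on a workstation. The following is an added illustration, not a tool from the meeting: it parses a Windows-style hosts file and reports any entry that pins a security tool's update host, whether to a sinkhole address (loopback or 0.0.0.0) or to some other address. The watch-list and the sample hosts file are constructed; the notes do not name Spybot's actual update host, so fill the list from your vendors' documentation.

```python
import ipaddress

# Constructed watch-list: replace with the update hosts your tools actually use.
WATCHLIST = {"updates.antispyware-vendor.example", "download.av-vendor.example"}
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; first field is not an address
        for name in parts[1:]:
            yield ip, name.lower()


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(hostname, ip, reason)] for watch-listed names pinned in the hosts file.

    Legitimate hosts files do not pin vendor update servers, so any static entry for
    one is suspicious; a loopback or 0.0.0.0 target blocks updates outright, any
    other target silently redirects them.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name in watchlist:
            reason = "blackholed" if ip in SINKHOLES else "redirected"
            hits.append((name, str(ip), reason))
    return hits


# Constructed sample hosts file: one normal entry and two tampered ones.
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       updates.antispyware-vendor.example   # definition updates now fail
10.9.8.7        download.av-vendor.example
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE):
        print("suspicious hosts entry:", hit)
```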
The meeting adjourned about noon.