IFAS COMPUTER COORDINATORS
NOTES FROM October 8th 2004 REGULAR MEETING
A regular meeting of the ICC was held on Friday, October 8th, 2004. The meeting was chaired and called to order by Steve Lasley, a little after 10:00 a.m. in the ICS Conference Room.
PRESENT: Twenty members participated. Remote participants: David Ayers, Marcus Cathey, Dan Cromer, Kevin Hill, David McKinney, and Joel Parlin. On-site participants: Mike Armstrong, David Bauldree, Dennis Brown, Marion Douglas, Joe Hayden, Chris Hughes, Dwight Jesseman, Nancy Johnson, Jack Kramer, Winnie Lante, Steve Lasley, Chris Leopold, Richard Phelan, and Mark Ross.
STREAMING AUDIO: available here.
Agendas were distributed and the meeting was called to order by Steve Lasley at 10am. There were no known new ICC members to introduce. It was noted, however, that a number of people already subscribed to the ICC-L had been requesting access from another e-mail address. Chris Leopold asked that this be done by direct e-mail to himself, Dean Delker or Steve Lasley so the address can be changed from the old one to the new one rather than just added as a duplicate.
Kevin Hill, Chairman of the ICC AD sub-committee, did not have a Polycom unit available with which to give a report on yesterday's ICC-AD meeting, but Chris Hughes summarized the current status as follows:
Chris stated that everything server-side is basically now working. All e-mail accounts are active, have the correct aliases and are receiving mail. There are still a lot of client issues to be resolved; the HelpDesk is working on many of them. If you need to get a service account enabled (that is, e-mail addresses of the form "if-svc-address" associated with a role rather than a particular person) you should contact Marshall Pierce via e-mail. He has the proper rights to enable those accounts and set their passwords as needed.
A name change has to be made to the SMTP, IMAP and POP servers. What had been set as "mail.ifas.ufl.edu" will be "email.ifas.ufl.edu" as of 5:30 p.m. on Tuesday, October 12. This is necessary because of unanticipated routing issues that occur due to the hostname matching our @mail.ifas.ufl.edu e-mail addresses. This means a new certificate will be needed as well. The problem arises when any mail destined to a "mail.ifas.ufl.edu" address bounces. A bounce causes the message to loop between the spam server and the exchange server 30 times (incrementing the headers each time) until it is finally dropped. This is making our spam servers very slow and must be fixed.
Because of the server name change, after Tuesday, everyone using an IMAP or POP client will have to change the incoming and outgoing server names. Making this change via script would be extremely difficult for Outlook Express because the exact location of the proper value (beneath "HKCU\Software\Microsoft\Internet Account Manager\Accounts\") can only be discovered by intelligent inspection. This could be changed by hand via remote registry editing, however. Windows Eudora users also will have to manually trust the new certificate, which makes simply editing the eudora.ini (text-based settings file) fall short of fixing the problem via any form of remote file editing.
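The "intelligent inspection" mentioned above can be scripted: rather than assuming a fixed account subkey, walk every subkey under the Accounts branch and change only the server values that still name the old host. This is an added example, not a script from the meeting or from IFAS IT; it assumes the value names Outlook Express uses for its servers ("POP3 Server", "IMAP Server", "SMTP Server"), so verify them on a test machine first.

```powershell
# Added example (not from the meeting notes): find Outlook Express accounts whose
# servers still point at the old hostname and rewrite them to the new one.
# Assumed value names: "POP3 Server", "IMAP Server", "SMTP Server", "Account Name".
# Runs in the logged-on user's context (HKCU), e.g. from a logon script.
param(
    [string]$OldHost = 'mail.ifas.ufl.edu',
    [string]$NewHost = 'email.ifas.ufl.edu',
    [switch]$Commit   # without -Commit the script only reports what it would change
)

$base = 'HKCU:\Software\Microsoft\Internet Account Manager\Accounts'
$serverValues = 'POP3 Server', 'IMAP Server', 'SMTP Server'

# Each account is a numbered subkey (00000001, 00000002, ...); the number is not
# predictable, so match on the server value rather than on a fixed key path.
Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
    $key   = $_.PSPath
    $props = Get-ItemProperty -Path $key
    foreach ($name in $serverValues) {
        $current = $props.$name
        # Only touch values that exactly match the old host (case-insensitive);
        # accounts pointing at Gatorlink or other servers are left alone.
        if ($current -and $current -ieq $OldHost) {
            "{0}: {1} = {2}" -f $props.'Account Name', $name, $current
            if ($Commit) {
                Set-ItemProperty -Path $key -Name $name -Value $NewHost
                "  -> changed to $NewHost"
            }
        }
    }
}
```

Run without -Commit first to review the report; the certificate trust step for Eudora remains a manual action and is not covered by this script.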
Chris Leopold reported on the status of the videoconferencing project. Remote sites are all done, configured and working. McCarty-D is the only on campus site that is configured for QoS at this point, however. That latter portion has been put on the back burner by the migration, but will continue as things settle down.
John Sawyer gave a brief status on network security. He reported that things have been rather quiet, with no major virus outbreaks for a couple of weeks. John did find one machine infected with "securitychk.exe" and a couple of machines infected with "bling.exe". In a two week period, there was a contiguous 4 day block that did not have any machines "netbios scanning." That is a record for the last six months.
Steve Lasley noted that the machines in his ENTNEM domain, a computer teaching lab he supports, have not been updating their antivirus DATs automatically. Also, when done by hand via the "Update Now..." feature of the VirusScan system tray icon, they contact SRVTASK3 (the machine that John has set up to handle requests for DATs by old agents) and that machine has out-of-date DATs for some reason. Steve loaded the latest superDAT manually to overcome this, but was concerned that machines still in IFASDOM may be vulnerable until migrated if this is not remedied. John will work on updating the login scripts to reflect the new agent in IFASDOM until the machines are migrated.
John said that the new agent would solve these problems but that the currently posted packages (\\if-srv-epo\install$\ePO-3.5\agents) were created with specific credentials that will only permit installation on machines migrated into UFAD. He can create another agent package with credentials that would work for IFASDOM machines, however. (Note: I believe an alternative would be to add "UFAD\IF-SVC-MrAntiVirus" to local administrators on non-UFAD boxes to permit the install. I believe that if this were done on PatchLink-managed IFASDOM machines, then the new agent would get installed automatically.)
The new ePO console and documentation are available at \\if-srv-epo\install$\ePO-3.5. You cannot install the console on a machine via remote desktop, BTW; the install package does not allow that. John has sent an e-mail with the details of the access credentials (currently for viewing only until proper container permissions are established and he sends out individual OU Admin credentials) if you want to check out the new console and see the structure. John mimicked the UFAD OU structure for the most part, but did not create individual county containers within the districts yet.
Mike Armstrong asked if there was any mechanism being investigated to assure that a machine is patched when it is first connected to the network. John said that we are looking to use the VPN quarantine functionality that is built into Windows 2003 server. A broader solution (beyond VPN) would have to be patched together from components (which might be rather difficult) as commercial solutions are very expensive.
Dennis Brown asked about the status of IPSentry. John said it will be moved into UFAD, but that just hasn't been done yet. It broke when the account that it uses for checking things was deleted.
Dennis also asked about Windows XP Service Pack 2, with regards to how the firewall should be configured. It was pointed out that the firewall is currently turned off, via GPO in UFAD and via logon script in IFASDOM for the migration. John has sent an e-mail detailing the firewall settings and also asked for input with little result. Mike Kanofsky has some info on SP2/AD issues posted on the UFAD website as well. To enable the Cisco VPN to work while the XP SP2 Firewall is enabled, you need to create a Port exception for UDP port 62515.
John then gave an interesting demo of VirusScan 8.0's buffer overrun protection. His laptop was running SUSE 9.1 Professional. It had VMWare running two virtual machines installed with Windows XP--both unpatched--on an isolated VPN. John demonstrated a compromise with the LSASS vulnerability on one of these, and then how this was prevented on the other by VirusScan 8.0. John used TCPview to monitor the port activity. The exploit John used was one written by Houseofdabus that was ported to Linux by Froggy. The exploit connects to port 445 via a TCP connection, starting up the SMB protocol. There is a vulnerability in the authentication process of LSASS that allows the exploit code to open a port back for connection by the exploiting box to run a shell. The Korgo worm "borrowed" this same code. VirusScan 8.0 was set to protection mode on the buffer overrun protection settings and it stopped the exploit in its tracks. Moral: upgrade to VirusScan 8.0 and run with buffer overflow protection enabled! John wrote a paper on all this in support of another security certification that he will soon be adding to his long list of accomplishments in his chosen field.
Here are some links pertinent to John's work:
Kevin Hill reported that there are VPN routing issues from DE sites that prevent RPC connections to CEO's on DSL/VPN connections. He said that Jennifer advised this is being worked on and Chris Leopold confirmed that, but had no further details.
Now that we are part of UFAD, we are seeing end-user confusion over the fact that their usernames and e-mail addresses often don't match. We are having folks who are attempting to send to their GLID@ifas.ufl.edu, and it is not being delivered because that is not their e-mail address. Additionally, we have the problem that someone may create or have already created a GLID that matches one of our existing IFAS e-mail aliases for a different individual. Such conflicts will cause continuing problems unless we move to standardize on e-mail addresses in the GLID@ifas.ufl.edu format and remove all other "@ifas.ufl.edu" aliases for people.
Unfortunately, this is a very inconvenient process for many of our end-users which involves changing business cards, mailing list subscriptions, and other venues through which old e-mail addresses may have been propagated to client contacts. Also, many GLIDs were either not chosen with professionalism in mind, or the preferred name might not have been available due to prior use by someone else.
The ICC decided to draft a written recommendation for a new IFAS e-mail address naming convention which will be actively discussed and amended via the ICC-L with the goal of having a sound proposal ready for submission to ITPAC by November 4, the date of their next meeting.
Mark Ross suggested that a bounce message be created that directs improperly addressed incoming mail to a location at which the correct address can be determined. Chris Hughes will be looking into the various options along these lines.
Service accounts are an additional problem, because there is no corresponding GLID in UFAD, except by unfortunate occurrence. There will likely need to be a separately named domain, something along the lines of "@service.ifas.ufl.edu", to handle this. The alternative is to get UF (probably requiring Chuck Frasier's approval) to allow service accounts as GLIDs; there is at least some precedent there. Chris Hughes said he will investigate through Mike Conlin. Dan Cromer suggested that UF might establish a policy of "eminent domain" that would allow IFAS to usurp certain pre-existing GLIDs for necessary service accounts. Chris Hughes believed that this would be difficult to obtain.
Chris Hughes reported that the IFAS HelpDesk and ITNS staff now have the PeopleSoft role permissions necessary to reset Gatorlink passwords. IFAS unit Admins could conceivably get this right also. The process would be to contact Fran McDonnell of the UF HelpDesk to receive the two necessary forms for requesting such access. Since the forms require approval by the IFAS ISM, Tom Hintz, Steve Lasley suggested that he would contact Tom to obtain his opinion on doing this for IFAS UFAD OU Admins.
Chris Hughes spoke to next-week plans for replacing the current XWall anti-spam solution with the Microsoft Intelligent Messaging Filter (IMF), which is a no-cost option for Exchange 2003. The filters will be configured and any message meeting some yet-to-be-determined minimum score (between 1 and 10) will be moved to a "Junk" mailbox within the user's e-mail account as suspected SPAM. Messages moved to the "Junk" folder will be unavailable to POP users. The "Junk" folder will be cleaned out every evening of messages that are older than 30 days. IMF uses an "undisclosed process" that is considerably superior to XWall in identifying spam. Those using Outlook 2003 or webmail will be able to go into their "Junk" folders and whitelist (based on domain or e-mail address) any e-mails they do not wish to be marked as spam. This arrangement will considerably reduce the complexity of our e-mail system and should be more convenient for our users overall.
An IFAS install point for Office 2003 would be a great assistance in getting all users upgraded to take best advantage of the new Exchange server system. The UF Microsoft Licensing Agreement is currently being held up by 2 colleges out of 31 who are refusing to contribute on the grounds that their usage of Microsoft products was overestimated by those negotiating the contract. This was reported by George Bryan, UFAD lead, at yesterday's ICC-AD meeting. Chris Hughes vowed to do his best to hasten this process for us.
Chris Hughes proposed that the ICC draft a recommendation to ITPAC that would limit central IFAS IT support to only two e-mail clients: the current version of Microsoft Outlook (not Outlook Express) and Outlook Web Access via Internet Explorer. IMAP and POP would still be supported server-side, but users would not be given assistance in configuring their e-mail clients to access those. After much discussion, Steve Lasley agreed to draft a written recommendation for changing IFAS IT e-mail client support which will be actively discussed and amended via the ICC-L with the goal of having a sound proposal ready for submission to ITPAC by November 4, the date of their next meeting.
Jack Kramer noted that those wishing to use IMAP or POP at Ft. Lauderdale get configured to check Gatorlink for e-mail. The problem, however, is that it is very difficult--sometimes a matter of days--to get forwarding set on the IFAS side so folks can take advantage of this solution. Chris Hughes offered to look into the possibility of end-users configuring forwarding for themselves at some future date, but this investigation would be at least several weeks in the future due to other currently more pressing matters.
Steve Lasley mentioned that he has successfully configured Eudora and Outlook Express on the Macintosh and that he is willing to help others who need that.
Dwight reported that the new certificate for email.ifas.ufl.edu has been ordered and that he is waiting on UF to do their part in that. Dan Cromer reported that he shortly plans to send out a message about the Tuesday e-mail server name change; he is drafting it right now.
A discussion was held on calendaring and other advanced Outlook features--and whether our users wanted those. Joe Spooner thought it would be good to ask end-users and the administration exactly what they want. This comes back to the IFAS IT Charter issue, which again must be put off to some future meeting due to meeting time constraints. Mike Armstrong indicated that mandating Outlook could only be done from the top, and Steve Lasley noted that our current IT policy processes are driven from the opposite direction.
The meeting was adjourned shortly after noon.