IFAS COMPUTER COORDINATORS
NOTES FROM December 11th 2003 REGULAR MEETING
A regular meeting of the ICC was held on Thursday, December 11th, 2003. The meeting was chaired and called to order by Steve Lasley, at 10:00 a.m. in the ICS Conference Room.
PRESENT: Seventeen members participated. Remote participants: Mike Armstrong, Dan Cromer, Jack Kramer, and Josh Wilson. On-site participants: David Ayers, David Bauldree, Benjamin Beach, Robert Boden, Jenny Brewer, Dennis Brown, Bill Cope, Kevin Hill, Steve Lasley, Chris Leopold, Richard Phelan, Roberto Ramirez, and John Sawyer.
STREAMING AUDIO: available here
Steve Lasley recapped Tuesday's ITPAC meeting, spending a brief time on the two policy recommendations that were passed there.
Kevin Hill gave a brief status report on the Active Directory project.
The items currently on our AD plate include:
- An immediate need to finalize Unit Common and OU Names. We have to make a few decisions on our organizational structure so that Mike can begin to implement that portion which will synchronize our user accounts with the UF campus registry (basically the Gatorlink usernames and passwords).
- A review of the charter for Physically Securing Domain Controllers for UF Active Directory.
- Updates to our timeline with specific objectives, milestones and goals in order to complete the move off Windows NT4 by the end of 2004.
- The need to fill Mike's position as AD Lead.
Chris Leopold gave a run-down on where we are with filling the IFAS AD lead position. Two good outside candidates were interviewed, but both required salary beyond what we could offer.
As a result we will be re-advertising the position with an eye towards possible local UF candidates. It was requested that an expected salary range be included in the advertisement so we don't attract candidates we can't afford. After the first week in January we hope to begin another round of interviews. Kevin stated that he is encouraged that we are taking our time with this portion and that he thinks we are on task to complete the AD project.
Steve Lasley led a discussion on the Unit Common and OU Names and, with a few minor corrections, everyone basically indicated that the names as listed would be fine. Kevin thinks the next step is to come up with a hierarchy for these OUs. It is not precisely clear how deep this can or will be allowed.
Kevin led a discussion on the securing of domain controllers. Kevin wrote this document to proactively set reasonable standards for security on remote DCs. Kevin thought that item 4 on page 3 could be eliminated as this refers more to logical rather than physical security.
Access to the console, however, does relate to physical security and this section (#5 page 3) likely needs further elaboration.
Chris Leopold stated that if IFAS ends up supplying the secure enclosures for IFAS remote DCs, he would like to have space in those for other equipment as well. Chris also wanted the phrase "solid floor-to-ceiling wall construction" better defined. The Remote DC Response Team section also elicited some discussion. We don't want to make this IFAS specific, but we also want to provide a means by which problems can be quickly and locally addressed. This will require further detailing by the UF team at some point.
Jack Kramer requested moving the ICC meetings to either Monday or Friday in order to facilitate him traveling here for those. Steve Lasley will investigate this possibility.
Steve Lasley explained the lack of chat facilities for this meeting and requested that remote input come by way of email to the ICC-L.
Chris Leopold began a discussion on limiting the size of individual emails--the current limit being 50MB (except on listservs, which also can and do have individual limits). He asked that we think about this with the idea of coming up with a recommendation by our next meeting. Chris also offered a taste of a possible future web-based sharing mechanism that might eventually supplant the need to email large attachments: a new SharePoint site installation that Dwight Jesseman has been investigating. To access this site you have to enter your Ifasdom credentials. This facility resides on srvtask3.
Jenny Brewer gave an update on the anti-SPAM effort...see http://spam.ifas.ufl.edu for details. Jenny related that most of the functionality bugs have been addressed. Much of the email from AOL, MSN and Hotmail accounts was initially inadvertently blocked but that has been corrected. The turftable that was on Exchange was removed and essentially implemented via X-Wall--this stopped a problem whereby people requested a retrieval of a blocked message but never received it due to the old Exchange turftable. Less than 1% of the blocked messages are currently being retrieved by the users and much of that is not work-related in any case. There have been more requests to tighten up the filtering so as to catch more SPAM than the other way around.
Kevin Hill asked for the procedure by which an end user can request that a particular address be whitelisted. Jenny reported that one method is to simply reply to such a message after it has been retrieved from the blocked message list. Replying in this way automatically whitelists that address (even if the reply bounces). This assumes that the "reply to" field in the email is the same as the sending source. It wasn't made quite clear at the meeting whether a whitelist can be maintained on a per-user basis, but Kevin suggested that such a thing may eventually become desirable in some cases. Kevin also asked if we are discarding anything so that it cannot be retrieved. Jenny answered that this was true only of attachments with extensions that would be blocked by Outlook anyway. It was pointed out that GroupShield does a more exclusive job of that (as per ICC approval) and alert.txt messages about blocked attachments come from GroupShield on Exchange.
Jenny asked ICCers to educate their users about the PayPal scam. Apparently a number of these are being retrieved by folks.
Chris and Jenny asked the ICC if they could take steps to tighten the filters and increase the amount of SPAM which is caught. Jenny reported that yesterday we received 64 thousand incoming messages of which 9 thousand were blocked as SPAM. About 25 thousand were excluded off the top because they came from ufl.edu, usda.gov, .mil, .gov and the like and were thereby whitelisted. The bottom line is that we are only blocking about 25% of the SPAM--which is very low. We are using two RBLs currently and only blocking addresses which show up on both. Only 110 messages were retrieved by end users yesterday--less than 1%--and most of these were not work related emails.
Ben thought that we should tighten the filters, but first let the end users know. His point was that most folks are cooperative once they know what is going on and why. Steve Lasley proposed that Jenny use her own discretion on adjusting filters without coming to the ICC for approval on everything. Kevin Hill pointed out that we (the ICC) still need to know and be kept up on what changes are made so we can provide feedback on the results. Kevin also thought that folks should be aware that emails containing profanity will be blocked, although it may not be appropriate to publish that list of words. He thought our users should be kept well aware of what is going on. Dan Cromer said there is a clear mandate from ITPAC and others, including the Faculty Advisory Committee, that emails containing profanity can and should be blocked. In this regard, Dan stated his wish to separate policy decisions (i.e., what words are on the blocked list) from technology procedural decisions. To that end, he is suggesting that the IFAS cluster editors (see http://help.ifas.ufl.edu/edis_editor/faq.html) decide what words should be in such a list. As for sending another explanatory email to our users on this, he wanted to wait a few weeks to let things stabilize first. Jenny related that even tagged messages that are not blocked will show up on the end user reports; this is not configurable. Jenny thought we may want to later stop releasing some of these messages that are tagged due to inappropriate language.
Chris asked that the ICC give Jenny the discretion in modifying the filters and this was agreed. She will in turn keep everyone well informed on what she does in this regard.
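The filtering rules described above (trusted domains excluded before any RBL check, a source blocked only when both RBLs list it, and whitelisting by replying to a retrieved message, with the Reply-To caveat Jenny noted) as an added Python illustration; this is not the gateway's own code, and every list, address and IP in it is constructed.

```python
# Added illustration (not the ICC gateway's own code) of the filtering policy in the
# notes: trusted domains bypass the filter, a source is blocked only when BOTH RBLs
# list it, and replying to a retrieved message whitelists the replied-to address.
# Every list, address and IP below is constructed.
from dataclasses import dataclass, field

TRUSTED_SUFFIXES = ("ufl.edu", "usda.gov", "mil", "gov")  # excluded "off the top"


def domain_trusted(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in TRUSTED_SUFFIXES)


@dataclass
class Gateway:
    rbl_a: set                       # IPs listed on the first RBL (constructed)
    rbl_b: set                       # IPs listed on the second RBL (constructed)
    whitelist: set = field(default_factory=set)

    def classify(self, source_ip: str, sender: str) -> str:
        """'trusted', 'whitelisted', 'blocked' or 'pass' for one message."""
        addr = sender.lower()
        if domain_trusted(addr.rsplit("@", 1)[-1]):
            return "trusted"          # never reaches the RBL check
        if addr in self.whitelist:
            return "whitelisted"
        if source_ip in self.rbl_a and source_ip in self.rbl_b:
            return "blocked"          # held on the retrievable blocked list
        return "pass"                 # listed on at most one RBL: delivered

    def whitelist_by_reply(self, from_addr: str, reply_to: str = "") -> bool:
        """User replies to a retrieved message: the reply target is whitelisted.
        Returns False when Reply-To differs from From (the caveat raised at the
        meeting): the real sender is then NOT whitelisted and stays blockable."""
        target = (reply_to or from_addr).lower()
        self.whitelist.add(target)
        return target == from_addr.lower()


def summarize(gw: Gateway, messages) -> dict:
    """Tally (source_ip, sender) pairs by outcome, as on the daily report."""
    counts = {"trusted": 0, "whitelisted": 0, "blocked": 0, "pass": 0}
    for ip, sender in messages:
        counts[gw.classify(ip, sender)] += 1
    return counts
```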
John Sawyer gave an update on the status of acquiring patching software (see the category software review and comparison table for some background info). We are looking at Patchlink Update and a rebranding of that software by Authentium called TotalCOMMAND as our two main options. TotalCOMMAND will include an antivirus (F-Prot) which may be of good use if our McAfee license is not renewed. Both packages cost $6 per user, but may differ on server costs; that is still being worked out and may be finalized on Monday. John has found documentation on how to use remote update repositories--thus answering the concerns of remote sites. Ideally, we won't need this product after a year because we can use AD to control patching. John mentioned a very good and active Patch Management List that he is now on that is helping him keep up with this software category.
With regard to the POP3 protocol issue, Dan Cromer was successful in getting at least one cell phone user connected to email via something other than POP. He thinks needing POP for cell phone users may be a non-issue after all.
Dan Cromer asked for feedback on notification and scheduling for the dropping of "mail." from email addresses. Chris asked that this be delayed somewhat due to his lack of staffing and the work that would necessarily be involved. Because of this, the ICC deferred to Chris and Dan on the scheduling.
John also mentioned that UF is considering a site license for Kerio Personal Firewall. This is still in the beginning stages. The capabilities of this software appear impressive, including application blocking, a full packet filter and a quite advanced built-in intrusion detection system with an XML-based rules system similar to Snort. It is not agent based, but it does allow remote administration of the firewall itself. It also can tie into a central syslog server. The site license is $20K and UF is looking into footing that bill.
Steve Lasley asked John to keep in mind the issue of turning off the WinXP SP2 automatic firewall setting, should that come to pass. Logon scripts should be one way, but John speculated that Microsoft may offer an even better solution by the time this arrives. You may all want to get and peruse the Changes to Functionality in Microsoft Windows XP Service Pack 2 Word document.
Steve Lasley spoke on the erroneous statement in the ICC and ITPAC recommendations that Exchange 2003 does not support POP--it does, but not by default. He stated that ICC credibility is a product of everyone's participation and requested that all members follow up more carefully on the wording of our recommendations.
The meeting adjourned about noon.