ICC Meeting: IFAS COMPUTER COORDINATORS
Setting    | SPAM Score Range
Allow      | 0.0 - 2.0
Quarantine | 2.1 - 8.9
Block      | 9.0 - Up
Tag        | No Tagging
Raising the block level in this way effectively prevents any blocking of legitimate email; this would address the greatest concern with the current defaults. Also, rather than tag and deliver some of the messages as is being done, with the above settings all suspected spam would be quarantined at a fairly aggressive level.
While it was originally believed that different defaults could be set for different domains, that proved not to be the case. Consequently, a single default setting must be negotiated. Again, the Exchange Advisory Committee will have to address that issue. Dwight said he would confirm whether or not that was on the agenda for their next meeting, which he believed was set for February 22nd. Again, Mark Rieger would be the IFAS representative to contact with your opinions on this matter. Dwight noted that there is a great deal of quite technical information that the committee members need to understand in order to make an informed decision on this; trying to distill that into an executive summary will be difficult.
Anticipating that this might not be resolved to his satisfaction, Steve has already written a FAQ for his users on "How should I configure my Barracuda settings?". The good news on this is that each user may configure these settings individually as desired. There are a couple of concerns in that regard, however. First of all, the user interface advertises in-built "Recommended" settings that we certainly don't want users to implement:
The Barracuda appliance is positioned prior to Exchange within our e-mail flow and we definitely want to implement a quarantine in order to reduce the load on the Exchange servers. The other related concern is that users might disable the Barracuda entirely. This will be a matter for user education in any case as some may resent having another place to scan (in addition to the Junk E-mail folder) looking for false positives. UF Exchange is trying to offset that inconvenience by sending daily digests via e-mail and by allowing users to logon to the Barracuda at any time.
Steve also demonstrated how Barracuda places information into the header of each e-mail message which it processes (right-click a message and choose "Message Options..." in Outlook). The information tells you the scoring thresholds it used, the score it gave, and even provides information on how that score was derived. Additionally, it provides a "Debug-ID" which can be provided to the UF Exchange admins to allow them to investigate details of exactly how a particular message was handled by the Barracuda appliance. Dwight mentioned that once a mail store is moved to Exchange 2007, the headers will also include the Exchange SCL score as well. An example from one of Steve's paid newsletters (which would have been blocked under the default settings) is shown below:
X-ASG-Debug-ID: 1201801230-1f3301850000-KsSPYe
. . .
X-Barracuda-Connect: smtp03.osg.ufl.edu[xxx.xxx.xxx.xxx]
X-Barracuda-Start-Time: 1201801230
X-Barracuda-Bayes: INNOCENT GLOBAL 0.5000 1.0000 0.0100
X-Barracuda-Virus-Scanned: by UF Exchange Barracuda 2 at mail.ufl.edu
X-Barracuda-Envelope-From: apache@ActionMessage.com
X-Barracuda-Quarantine-Per-User: PER_USER
X-Barracuda-Spam-Score: 4.17
X-Barracuda-Spam-Status: Yes, SCORE=4.17 using per-user scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=2.1 KILL_LEVEL=9.0 tests=BSF_SC0_SA067, BSF_SC0_SA085b, BSF_SC7_SA015f, HTML_FONT_BIG, HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.40988
    Rule breakdown below
     pts rule name              description
    ---- ---------------------- -----------------------------------
    3.00 BSF_SC0_SA067          BODY: Custom Rule SA067
    0.40 BSF_SC0_SA085b         URI: Custom Rule SA085b
    0.00 HTML_MESSAGE           BODY: HTML included in message
    0.26 HTML_FONT_BIG          BODY: HTML tag for a big font size
    0.50 BSF_SC7_SA015f         Custom Rule SA015f
Dennis Brown asked how often the Barracuda digests were e-mailed to users. That is controllable by the user themselves by logging into the Barracuda and going to the "Quarantine Settings" sub-tab of the "Preferences" main tab. The options there are daily, weekly or never and the user can even specify the notification address for those. Dwight said that these go out at 8:00AM each morning unless the user has changed that in their settings or if they have nothing in their quarantine.
Dennis also asked about tagged messages. Tagged messages preface the subject line with "[POSSIBLE SPAM]". The hub transport within Exchange evaluates tagged messages to an SCL score of "9", which should send them to the Junk-Email folder (unless the user has a rule set that moves the message elsewhere). If you forward or reply to those, they will not go into the Junk E-mail of the recipient, however.
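To make the scoring table, the header sample and the tagging behaviour above concrete, here is an added example (not code from the minutes or from Barracuda) that reads the X-Barracuda-* headers off a message and reproduces the allow / tag / quarantine / block decision. The threshold values and the header sample are taken from the page; the parsing logic, the folding of long header values onto continuation lines and the function names are assumptions.

```python
"""Reproduce the allow / tag / quarantine / block decision from the
X-Barracuda-* headers the appliance stamps on every message.

Added example, not code from the minutes or from Barracuda: the
threshold values and the header sample are taken from the page, the
parsing logic is assumed.
"""
import re

# The header block from the minutes, embedded as sample input.  The IP
# address is masked exactly as it was on the page; long values are folded
# onto continuation lines as mail software commonly writes them.
SAMPLE_MESSAGE = """\
X-ASG-Debug-ID: 1201801230-1f3301850000-KsSPYe
X-Barracuda-Connect: smtp03.osg.ufl.edu[xxx.xxx.xxx.xxx]
X-Barracuda-Start-Time: 1201801230
X-Barracuda-Bayes: INNOCENT GLOBAL 0.5000 1.0000 0.0100
X-Barracuda-Envelope-From: apache@ActionMessage.com
X-Barracuda-Quarantine-Per-User: PER_USER
X-Barracuda-Spam-Score: 4.17
X-Barracuda-Spam-Status: Yes, SCORE=4.17 using per-user scores of
 TAG_LEVEL=1000.0 QUARANTINE_LEVEL=2.1 KILL_LEVEL=9.0
 tests=BSF_SC0_SA067, BSF_SC0_SA085b, BSF_SC7_SA015f, HTML_FONT_BIG, HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.40988
 Rule breakdown below
  pts rule name              description
 ---- ---------------------- -----------------------------------
 3.00 BSF_SC0_SA067          BODY: Custom Rule SA067
 0.40 BSF_SC0_SA085b         URI: Custom Rule SA085b
 0.00 HTML_MESSAGE           BODY: HTML included in message
 0.26 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.50 BSF_SC7_SA015f         Custom Rule SA015f
"""

# The IFAS-wide defaults proposed in the table above (TAG_LEVEL=1000.0 is
# how "No Tagging" shows up in the header: no real score ever reaches it).
PROPOSED_LEVELS = {"tag": 1000.0, "quarantine": 2.1, "kill": 9.0}

STATUS_RE = re.compile(
    r"SCORE=(?P<score>[\d.]+).*?TAG_LEVEL=(?P<tag>[\d.]+)\s+"
    r"QUARANTINE_LEVEL=(?P<quarantine>[\d.]+)\s+KILL_LEVEL=(?P<kill>[\d.]+)"
    r"(?:\s+tests=(?P<tests>.*))?",
    re.S,
)
# One row of the rule breakdown: "3.00 BSF_SC0_SA067  BODY: Custom Rule SA067"
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s+(.*)$", re.M)


def unfold_headers(raw):
    """Return {name: value}; continuation lines (leading whitespace) are
    joined to the previous header with a newline so report rows stay
    one per line."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def parse_spam_status(value):
    """Pull the score, the per-user levels and the matched tests out of
    X-Barracuda-Spam-Status."""
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("unrecognised X-Barracuda-Spam-Status: %r" % value)
    tests = [t.strip() for t in (m.group("tests") or "").split(",") if t.strip()]
    return {
        "score": float(m.group("score")),
        "levels": {k: float(m.group(k)) for k in ("tag", "quarantine", "kill")},
        "tests": tests,
    }


def parse_spam_report(value):
    """Return [(points, rule, description)] from the rule breakdown."""
    return [(float(p), r, d.strip()) for p, r, d in RULE_RE.findall(value)]


def decide(score, levels):
    """Apply the thresholds from most to least severe."""
    if score >= levels["kill"]:
        return "block"
    if score >= levels["quarantine"]:
        return "quarantine"
    if score >= levels["tag"]:
        return "tag"          # subject is prefixed with "[POSSIBLE SPAM]"
    return "allow"


def classify_message(raw, levels=None):
    """What the appliance did with a message, or what it would do with
    `levels` in place of the per-user levels recorded in the header."""
    h = unfold_headers(raw)
    status = parse_spam_status(h["X-Barracuda-Spam-Status"])
    return {
        "debug_id": h.get("X-ASG-Debug-ID"),
        "score": status["score"],
        "tests": status["tests"],
        "rules": parse_spam_report(h.get("X-Barracuda-Spam-Report", "")),
        "action": decide(status["score"], levels or status["levels"]),
    }


if __name__ == "__main__":
    result = classify_message(SAMPLE_MESSAGE)
    print(result["debug_id"], result["score"], result["action"])
    for pts, rule, desc in result["rules"]:
        print("%5.2f %-22s %s" % (pts, rule, desc))
```

Passing a different `levels` dictionary to `classify_message` is the quick way to see how a message a user is asking about would have fared under the proposed defaults versus their own per-user settings; the rule breakdown is what to quote back to the UF Exchange admins together with the Debug-ID.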
User Lookup Tool
The UF Exchange group has provided a very useful web-based tool which is available to those with IF-ADMx accounts. This tool is provided at https://helpdesk.ad.ufl.edu and requires ufad\if-admx credentials. By entering a user's UFID or Gatorlink username you may see all sorts of useful information, some of which was never before available to you:
Chris Leopold asked Dwight if there might be any way to include the logon information (group memberships and drive mappings) for IFAS users, as https://itsa.ifas.ufl.edu/userinfo currently does. Dwight replied that UF Exchange has to think globally. Andrew Cary noted that we do login scripts entirely differently than others and suggested that perhaps an API could be implemented where we could supply the URL with a username to tie this to our own Userinfo Page.
Steve noted that Ben Beach had done a very nice demonstration of the new productions Sharepoint services at ITPAC. Steve and Ben quickly demonstrated the highlights of that.
Our Sharepoint Services solution has been divided into the following seven sites:
Since Sharepoint uses an SQL back-end for storage, splitting things up this way will avoid putting all our eggs into one basket and getting into a situation where a single database problem could bring down the entire system.
You and your users will want to manually add each of these sites into IE's "Local intranet" sites. This will allow the sites to use your ufad logon credentials and prevent authentication prompts when entering and traversing these sites. If you are at home and using this, you can add them to your Local intranet sites, run a VPN, and then go to the Sharepoint site; it will then use your UFAD credentials again without prompting. The only issues will be for those sites that are not on UFAD, that are county supported, and which have their own county firewalls.
OU Admins will want to locate the ". IFAS-WSS-Owner-OUname" security group with ADUC and add themselves as owners of their Departmental site. A corresponding ". IFAS-WSS-Member-OUname" group contains your unit's autogroup to control Member access to your Departmental site. All UFAD has read access by default. You can control that aspect and even set up a finer-level structure for your own unit.
Ben has done a great job on the "My IFAS Help" tab, answering the question "What is this site and why should I use it?". There is a link to an excellent end-user FAQ at the bottom of that. There is also an "Owner's FAQ" which discusses how to create groups, assign permissions, create sub-sites, handle versioning on components, and set up e-mail alerts. You are all urged to peruse those materials in detail and get with Ben on any questions which might arise. Both the user and owner FAQs are wikis and can be edited by the corresponding audience should new items and their solutions arise. Using the "Issues with My IFAS" link you can create an issue and assign it; if you and another owner are in the same OU group and you notice there is a problem that you want the other person to handle, you can create and assign that to them.
Steve mentioned that this system allows individuals to subscribe to e-mail alerts for various document libraries and calendars. By doing so, a user is informed via e-mail when changes are made to a location they wish to watch. There will be training issues in getting people started on using this. Steve noted that some of the ITPAC members, for example, were a bit overwhelmed by the depth of Ben's demo there. Diana mentioned that she has some non-technical groups using this successfully, however, and the learning curve on that hasn't proven to be too terribly steep. Diana also mentioned the survey features as being very useful.
Steve asked about the ability to authenticate beyond UFAD. Ben noted that Brian Gray is already using this feature for collaboration with three off-campus groups. This feature uses forms authentication over SSL. Enabling that involves Ben renaming the site, extending this application to that site, and creating an .asp forms-based authentication page which uses a container on the SQL backend to keep the user accounts/passwords. Then the system will use those accounts to support authentication for the remote users onto that site.
Ben asked about how people wanted to link committees into the structure. Currently those are beneath the IFAS Administration site, but could potentially be distributed among the various sites.
Upcoming UF IT Advisory Committee for Network Infrastructure meeting
Steve mentioned that he will be presenting his usual harangue at next week's meeting and will report on how that goes.
CNS coming to March ICC meeting to discuss and answer questions on the Wall-plate
Steve has invited John Madey to our next meeting. John is the individual from CNS who does the scheduled initial interviews with units about whether or not they want to join the Wall-plate program. Steve would like people to send questions they might have so Steve can forward those to John beforehand. Some of the questions Steve has accumulated so far include:
Winnie Lante noted that her unit is not only migrating to UF Exchange in the next move, but is going onto VoIP very shortly as well. There is always snail-mail should problems arise :-)
Update on UF Exchange
See here for today's discussion details.
Split DNS solution for UFAD problems
Steve wants to leave this as a standing agenda item, but realizes that a solution will be a very long time in coming due to the complexities involved.
See here for today's discussion details.
Virtualization of Core Services
Wayne noted that the following likely should go under the topic "de-virtualization" since we are getting rid of the virtual file server (if-srv-file03) and going to a new cluster.
Upcoming File Server Cluster: Volume Shadow Copy issues
There is a limit of 64 shadow copies per source volume, so Wayne Hyde originally intended to implement 32 snapshots a week, providing 2 weeks' worth for VSC-based file recovery. It turns out, however, that having a large number of shadow copies greatly increases the time it takes for a disk resource to move between nodes. Consequently, we are going to cut back to a max of 34 shadow copies and do 3 snaps a day instead of 5. Weekends will still have 1 snap via the following schedule:
This should still provide 2-weeks coverage but with a coarser granularity. Backups are still being tested prior to putting the new file server cluster into production.
Upcoming File Server Cluster: Mac client issue
Please get Wayne a list of your Mac users! Unless they are using DAVE they are not able to utilize DFS paths. This means that rather than access our file server via paths like \\ad.ufl.edu\ifas they will have to use the machine SMB share path of \\if-srv-file03\data instead. When we move to the new file server cluster, those machine specific paths will break and will have to be edited to switch out the actual fileserver names with the new virtual node name. You will be given plenty of warning so you will be able to help your Mac users with this issue.
Dan Cromer mentioned he would encourage a policy that all Mac users get this DAVE software. Dan feels that if you have a Mac and want to join UFAD, you should have DAVE.
Upcoming File Server Cluster: Quotas and FSM filters
Not everyone uses quotas. Wayne is suggesting putting an overall quota on each unit but not setting finer controls; he is open to suggestions, however.
Mark asked why this remains on the project list. Steve responded that we had never officially announced that service was available because no movement has occurred in getting this documented for end users.
Vista Deployment via SMS and WDS
Steve wants to leave this matter as a standing agenda item for future discussion.
Re-enabling the Windows firewall
Steve wants to leave this matter as a standing agenda item for future discussion.
Server-Side Include (SSI) support on the IFAS web server
Chris noted that this subject isn't specific to SSI, but really entails how IIS uses file name extensions to determine which program to run to process a request. This recently became an issue for some sites built on templates which were using SSI, but which had been using .htm or .html extensions for those files. The configuration of those sites had originally been set to handle ".htm" and ".html" files via the SSI .dll rather than via the default .htm handler. This non-standard configuration worked until settings were changed at the top level which propagated down through all websites and restored such processing to the defaults.
To avoid this in the future, Chris wants to make sure that all web pages utilize standard file extensions which are appropriate to the purpose of the page. In the case of pages utilizing SSI, those pages should have the ".shtm" or ".shtml" extension.
No one had any problems with standardizing our file extensions and Chris said that Mark Ross would get something written up on this and post those standard extension-to-application mappings to the ICC-L so all would be aware. There will be some work in correcting problem sites, but then we should be good from that point forward. Marion Douglas mentioned that such issues point out the fact that links should be made to directories rather than to specific "index." files; any links done the proper way would not be broken by changes in file extensions.
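As an added illustration of the extension problem described above (this is not the IFAS web team's tooling), the following script walks a web root and reports .htm/.html pages that contain SSI directives, which the default static handler would serve verbatim, together with the .shtm/.shtml name each should get; it also picks out links that name an index file explicitly, the kind Marion noted would break on a rename. The .shtm/.shtml convention and the "link to directories" advice come from the minutes; the scanner, the regular expressions and the constructed sample site are assumptions.

```python
"""Audit a web root for pages whose file extension does not match what
is inside them: SSI directives in .htm/.html files, which IIS's default
static handler serves verbatim once the non-standard mappings are reset.

Added example, not the IFAS web team's tooling: the .shtm/.shtml
convention and the "link to directories, not index files" advice come
from the minutes; the scanner, the sample site and the regular
expressions are assumed.
"""
import os
import re
import tempfile

# Any SSI directive, e.g. <!--#include virtual="/inc/header.htm" -->
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(include|exec|echo|config|fsize|flastmod|set|if|elif|else|endif)\b",
    re.I,
)
# href pointing at a specific index file rather than its directory; these
# break when the file is renamed to .shtm/.shtml.
INDEX_LINK = re.compile(r"""href\s*=\s*["']([^"']*index\.s?html?)["']""", re.I)

# Extension -> handler class under the standard mapping: .htm/.html are
# static files; .shtm/.shtml go through the SSI handler.
STANDARD_HANDLERS = {".htm": "static", ".html": "static",
                     ".shtm": "ssi", ".shtml": "ssi"}


def required_handler(text):
    """The handler a page actually needs, judged by its content."""
    return "ssi" if SSI_DIRECTIVE.search(text) else "static"


def suggested_name(path):
    """index.htm -> index.shtm, index.html -> index.shtml."""
    root, ext = os.path.splitext(path)
    return root + (".shtml" if ext.lower() == ".html" else ".shtm")


def index_file_links(text):
    """Links that name an index file explicitly (Marion's point)."""
    return INDEX_LINK.findall(text)


def audit_tree(root):
    """Return [(path, suggested_path)] for pages mapped to the static
    handler that contain SSI directives."""
    problems = []
    for dirpath, dirnames, files in os.walk(root):
        dirnames.sort()
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if STANDARD_HANDLERS.get(ext) != "static":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                if required_handler(f.read()) == "ssi":
                    problems.append((path, suggested_name(path)))
    return problems


def build_sample_site(root):
    """Write a small constructed site: two mis-named SSI pages, one
    correctly named one, one plain page and one page with index links."""
    pages = {
        "index.html": '<!--#include virtual="/inc/header.htm" --><p>Home</p>',
        "about.htm": "<p>No directives here.</p>",
        "news.shtml": '<!--#include virtual="/inc/header.htm" --><p>News</p>',
        os.path.join("dept", "index.htm"): '<!--#echo var="DATE_LOCAL" -->',
        "links.htm": '<a href="dept/index.htm">bad</a> <a href="dept/">good</a>',
    }
    for rel, body in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)


def demo():
    """Build the sample site in a temp dir and return the audit as
    root-relative, forward-slash paths."""
    root = tempfile.mkdtemp(prefix="ssi-audit-")
    build_sample_site(root)
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return [(rel(p), rel(s)) for p, s in audit_tree(root)]


if __name__ == "__main__":
    for old, new in demo():
        print("%s -> %s" % (old, new))
```

Pointing `audit_tree` at a real document root gives the list of files to rename; running `index_file_links` over the same pages gives the links that need to become directory links before the rename so that nothing breaks.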
Barracuda spam scoring recommendations
See here for today's discussion on this topic.
ePO version 4 is awaiting deployment
Wayne is awaiting some updates which are due later this month prior to moving ahead with ePO 4.
Wayne also mentioned that they are looking into GPO processing issues that seem to be affecting a number of our machines. This was made apparent via ePO. Originally computers were structured in ePO by OU to help with reporting, but that got to be too cumbersome with ePO 3.0 and Wayne moved to using "on-campus" and "off-campus" groups. There are still hundreds of machines reporting that they are in the old groups, however, and that indicates they are not getting Group Policy.
Steve mentioned that he recently finally understood that Wayne has configured the WSUS servers to provide just the catalog of updates. The updates themselves are pulled directly from Microsoft--which makes sense. This arose when Steve asked Wayne if he had applied the hotfix described in Knowledge Base article 938759. Because of how we manage our WSUS, this shouldn't be a problem for us.
Volume Shadow Copy on the file server
See here for today's discussion on this topic.
Patching updates
This will be a fairly heavy month for patches from Microsoft. Supposedly 7 critical and 5 important patches will be pushed.
Wayne wanted to warn folks that IE7 is going to be pushed out next Tuesday by Microsoft (along with Win2K SP2). Mike Ryabin noted that some of his users still have issues with IE7, especially those who are trying to use some distance education features. Mike wasn't sure of the exact details of the problem but knew that IE6 or Firefox had been used as a work-around. Wayne responded that he would recommend Firefox as the workaround there because IE6 is definitely going away.
Mike asked if there was any way to selectively keep IE6 and Wayne responded "no". By searching on "ie7 coming" Steve found an article entitled IE7 Coming Through on WSUS, Blocker Toolkit or Not which would seem to suggest that this could indeed be controlled at the WSUS server.
Steve mentioned the Microsoft toolkit for disabling automatic delivery, but Andrew said that expires this month. It should also be noted that this tool blocks only installation that occurs by using Windows Update and Automatic Update. The toolkit does not block distribution that occurs by using WSUS. (See KB946202)
Steve noted two recent updates: Adobe Reader 8.1.2 and Quicktime 7.4.1. Wayne noted that there is a new version of Firefox out as well. It remains difficult to keep up with all the third party updates.
MS Office News update
Office 2008 for the Macintosh is now available at http://software.ifas.ufl.edu (ufad\if-admx credentials required).
Thanks to Winnie Lante, Steve discovered that the IFAS Office 2007 install point was not installing Outlook in cached Exchange mode. That has now been corrected and SP1 has been added to the install as well. Winnie wanted to know if there was any way to avoid checking each user for that setting; Steve believed that this could be controlled via GPO.
Public folder file deletion policies and procedures
Steve wants to leave this matter as a standing agenda item for future discussion.
Job Matrix Update status
Steve wants to leave this matter as a standing agenda item for future discussion.
Computer disabling and removal from UFAD
Mike Ryabin asked about this as he noticed that machine accounts are now being deleted when computers (often laptops) are left off the network too long. Not only are these somewhat difficult to re-join, but deleting those loses useful documentation on the machine (namely the description and managed-by fields, for which the details are often a pain to hunt down and recreate).
Andrew Carey responded that there are two aspects of this issue. The first is that, as he understands it, UFAD will tombstone a machine after 60 days. [By tombstoning, Andrew means the object is deleted via a particular process. A deleted object is renamed, has most of its attributes cleared, and is moved to a hidden "Deleted Objects" container. This tombstoning process is necessary to support deleting objects within the multi-master DC environment.] This basically renders it useless and from that point on you will not be able to reconnect it.
The second aspect is that we have two scripts which we utilize for Co-Managed OUs. One disables computer accounts after 90 days; this will disable such accounts which are not tombstoned for some reason. This is what causes the big red X on the object within ADUC. The other script looks for computer objects with passwords older than 120 days and deletes them. Steve asked Andrew when this latter portion was implemented. Andrew responded that Chris had this in place for quite some time, but it was broken. Andrew recently fixed it.
Andrew hadn't been aware of past discussions on this matter, both at the March 2006 ICC meeting and via discussion on the ICC-L. The latter was represented primarily by a thread entitled "Expired Computers List" from January of 2006 and by a Chris Hughes posting entitled "Delete Expired Computers" of 4/24/06. Apparently the delete at 120 days never worked until Andrew fixed it, but Steve believes that we need to take another look at this issue before proceeding. Andrew has been kind enough to halt that portion until we can arrive at a consensus via the ICC.
Steve admits that he never fully understood the domain computer password process because he had often been able to get machines whose passwords were older than 90 days communicating again by simply re-enabling the account in ADUC. This has obviously been Mike Ryabin's experience as well. Since we seem to get many computer accounts disabled by our script, it seems clear that UFAD is not deleting those--at least not for the most part. Steve tested the ability to re-enable accounts over the weekend and was successful in doing that without having to re-join.
Using Joe Richards' OldCmp utility with a command string of:
oldcmp -report -b "OU=ENTNEM,OU=IFAS,OU=Departments,ou=uf,DC=ad,DC=ufl,DC=edu"
Steve found two of his departmental laptops to have a password age of 96 days and for which the computer accounts had been disabled. After re-enabling those accounts, Steve was able to boot the machines, logon with domain accounts, manage remotely and the like. Obviously, there is something going on with all this that we don't fully understand.
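To make the two co-managed OU rules above (disable at 90 days of password age, delete at 120) easier to review before a consensus is reached, here is an added example that is neither the ICC's scripts nor OldCmp: it reads the attributes an OldCmp-style report looks at, says what each script would do with a computer object, and captures the description and managed-by fields for any delete candidate so that the documentation Mike was concerned about survives. The thresholds come from the minutes; the object structure, the machine names, the dates and the function names are constructed. The UFAD 60-day tombstoning is not modelled because the minutes do not say what triggers it.

```python
"""Stale-computer-account review for a co-managed OU, following the two
rules described in the minutes: disable when the machine password is
older than 90 days, delete when it is older than 120 days.

Added example, not the ICC's scripts or Joe Richards' OldCmp: the
thresholds come from the minutes; the object structure, the dates and
the machine names are constructed.
"""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2               # userAccountControl flag
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl flag on computer objects
DISABLE_AFTER_DAYS = 90
DELETE_AFTER_DAYS = 120

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, done in integers so the round trip is exact."""
    d = dt - FILETIME_EPOCH
    micros = (d.days * 86400 + d.seconds) * 10**6 + d.microseconds
    return micros * 10


# Constructed "now" and constructed computer objects carrying the
# attributes the report needs plus the documentation fields.
NOW = datetime(2008, 2, 8, 12, 0, tzinfo=timezone.utc)


def _obj(name, age_days, disabled=False, description="", managed_by=""):
    uac = WORKSTATION_TRUST_ACCOUNT | (ACCOUNTDISABLE if disabled else 0)
    return {
        "name": name,
        "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=age_days)),
        "userAccountControl": uac,
        "description": description,
        "managedBy": managed_by,
    }


SAMPLE_COMPUTERS = [
    _obj("IF-ENT-LAP01", 96, disabled=True, description="Field laptop", managed_by="CN=Alice"),
    _obj("IF-ENT-LAP02", 96, description="Field laptop", managed_by="CN=Bob"),
    _obj("IF-ENT-DESK03", 130, disabled=True, description="Front desk", managed_by="CN=Carol"),
    _obj("IF-ENT-DESK04", 20, description="Lab PC"),
]


def password_age_days(obj, now=NOW):
    return (now - filetime_to_datetime(obj["pwdLastSet"])).days


def is_disabled(obj):
    """The big red X in ADUC: ACCOUNTDISABLE set in userAccountControl."""
    return bool(obj["userAccountControl"] & ACCOUNTDISABLE)


def script_action(obj, now=NOW):
    """What the two OU scripts would do with this object."""
    age = password_age_days(obj, now)
    if age > DELETE_AFTER_DAYS:
        return "delete"
    if age > DISABLE_AFTER_DAYS:
        return "already-disabled" if is_disabled(obj) else "disable"
    return "ok"


def report(objects, now=NOW):
    """[(name, age_days, disabled, action)] in the spirit of oldcmp -report."""
    return [(o["name"], password_age_days(o, now), is_disabled(o), script_action(o, now))
            for o in objects]


def archive_before_delete(objects, now=NOW):
    """Capture description/managedBy for every delete candidate so the
    documentation survives even if the object does not."""
    return [{"name": o["name"], "description": o["description"], "managedBy": o["managedBy"]}
            for o in objects if script_action(o, now) == "delete"]


if __name__ == "__main__":
    for row in report(SAMPLE_COMPUTERS):
        print("%-14s age=%3d days disabled=%-5s -> %s" % row)
    print(archive_before_delete(SAMPLE_COMPUTERS))
```

Running the report against a real OU export (pwdLastSet, userAccountControl, description, managedBy) before the delete portion is re-enabled shows exactly which objects it would remove, and the archive step is the cheap insurance against losing the description and managed-by details again.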
Getting on the IFAS-announce-L list
Dennis asked about this. Dan Cromer replied that individuals may request that by sending an e-mail to "listserv@lists.ifas.ufl.edu" with "subscribe ifas-announce-L" in the message body. Dan doesn't yet have any good way to add new employees automatically, but is looking at various options for that.
Upcoming blocking of .PSTs on the IFAS file server
This won't happen until after the e-mail migration is complete, but Chris Leopold announced that it is their intention to eventually block the placement of .PST files on the file server.
The meeting was adjourned on time, just a bit after noon.