

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM March 14th 2014 REGULAR MEETING


A meeting of the ICC was held on Friday, March 14th, 2014 in the NEW UF/IFAS Communications Building. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Seventeen members participated.
 
Remote participants: David Bauldree, Bill Black, Dan Christophy, Kevin Hill, Wayne Hyde, Al Ibanez, Winnie Lante, Chris Leopold, Marvin Newman, Joel Parlin, Jonathan Potts, and Gary Wilhite.
 
On-site participants: Jimmy Anuszewski, David Blackman, Dennis Brown, Steve Lasley, and Matthew Nash.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman

Member news:

Updates not available...

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Security:


Steve thought it worth noting that back in 2010 Microsoft Research concluded that "sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement." A recent editorial in msdn magazine suggested that greater respect for usability is warranted in our current BYOD age.

Steve also wanted to point out that Apple released a whitepaper on iOS Security that shows how well Apple is on top of security issues regarding iOS; very impressive.

Proposed Remote Access Policy

Updates not available...

Implementing the Mobile Computing Security policy (previous discussion)

Updates not available...

Patching updates... (previous discussion)

Microsoft

The March Microsoft patches included 5 bulletins (2 "Critical" and 3 "Important") covering 23 CVEs in Windows, IE and Silverlight. A risk assessment is available here.

Adobe

Back on February 20th Adobe surprised us with another security update for Flash Player to address a zero-day threat. Of course, that didn't stop them from putting out another security bulletin on patch Tuesday in March.

Adobe released a security update for Shockwave Player yesterday as well.

Java

Another scheduled update is due in April, but we have been blessed with no out-of-band updates lately (knock wood).

Apple

There was an SSL security flaw in iOS that apparently was mirrored in OS X and that has now been fixed on both platforms.

Apple also released a security update for QuickTime and iOS 7.1 was released patching 41 vulnerabilities.

Other

Steve had sent out a link to an article on SAS For Windows Buffer Overflow Leads To Code Execution.

Dennis had a Cryptolocker infection in his unit recently and relayed the following: "The professor did not know he was infected and he was not locked out of his computer. Thankfully the UF Security team had the malware server black-holed so the malware couldn’t get what it needed to encrypt the computer. Kamin (who works with me) removed the client end malware and we put the computer back into service. He also removed Java 5 and 6 from the computer leaving no Java. Hopefully that’s the end of it."

Kamin had added that there were hidden files in the user's application data folder where most of it was located. This looked to be drive-by java malware. Because the professor wasn’t an admin on the computer, it couldn’t get any further than his profile.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


Endpoint security concerns (previous discussion)

Updates not available...

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates not available...

Possible end-point refresh in the works (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

Dennis Brown mentioned that a student connecting from Immokalee for a class has been having issues with losing the content portion of the conference. She is apparently using the latest Jabber and reconnecting always seems to fix the problem--at least for a while.

End-user Scheduling (previous discussion)

Updates not available...

Lync updates (previous discussion)

Updates not available...

Blue Jeans (previous discussion)

Jimmy Anuszewski reported having had problems with Blue Jeans lately that he thinks may indicate that the program is a bit resource-heavy. He has experienced instances where one of the conference participants had a slower bandwidth that Blue Jeans did not compensate for well. In one instance the remote site with the problem could see but not hear them. Jimmy has been talking with Blue Jeans to try and track down the cause, but he is concerned because problems have happened more than once recently. In another session that included a presenter from Peru, the remote site had an increasingly long delay.

One would hope that, in the case of insufficient bandwidth, Blue Jeans would drop video before audio. Jimmy did note that they used Google Hangouts successfully over the same connection, so it would definitely appear that the problem was with Blue Jeans. Dennis noted that they had a Blue Jeans connection with Africa where the video did degrade in favor of the audio--as one would hope.

We are awaiting the decision on whether Blue Jeans will be renewed for another year; Dan Cromer wasn't available for comment but Steve thought a renewal likely since he has heard nothing about the Acano coSpace product that UF is supposedly pursuing. We will know soon either way.


WAN (previous discussion)


Updates from James Moore

Updates not available...

Wireless printers (previous discussion)

Updates not available...

VoIP at RECs

Updates not available...

Phone bills to be paid for centrally? (previous discussion)

Updates not available...


Policy


Spring 2014 Peer2Peer workshop

The Spring 2014 Peer2Peer workshop will be held at the Law School, in 180 Holland Hall on April 16th.

Report from January ITPAC

Dennis was out last meeting but provided us an update today on the main points that were covered at the last ITPAC meeting.

UF wireless connection difficulties

Dan Cromer had spoken about the various difficulties people experience with connection to UF wireless. Al Wysocki, ITPAC chair, was going to relate these issues to the higher powers to see if anything could be done to improve that experience. Steve mentioned that the total number of hours spent by UF students and staff simply trying to connect must be enormous; imagine putting a cost number on that lost productivity.

G001 upgrades

Ron Thomas talked about equipment upgrades to G001 in McCarty and how well received Adobe Connect has been with distance education.

Blue Jeans updates

Dan Cromer talked about the new recording capabilities. He reported that the number of simultaneous participants has been increased from 25 to 100, which is good news. He also told the committee that Blue Jeans no longer supports Skype.

Separation of student and work email

Dan talked about separating student academic email from student employee email and that the ICC had recommended leaving this up to individual departments at least until there was a UF-level policy on the matter.

Revoking access

Dan presented the case for removing network resource access from former students no longer affiliated with IFAS. ITPAC supported that as had the ICC and implementation details will be worked out at some future time.

Sun-setting Windows XP

Dan discussed the need to remove Windows XP from our network by April 8th.

Accordent replacement

Al Wysocki had offered $5000 to each unit wanting to move to the Mediasite appliance.

Steve noted that he would rather IFAS put money into improving recording on the bridge due to its greater flexibility and cost advantage. Winnie Lante's department has a Geomatics room that was interested until they got a $30k quote (sans Polycom) from AT. Steve pointed out that this price is not really out of line for such things as they are indeed expensive.

There was some discussion about the ongoing costs and support from AT as well. A/V rooms are neither cheap nor simple, but we are fortunate to have Lance Cozart within IFAS whose expertise in this area is both broad and deep.

Third-level domains

It was pointed out that our domain names need to include IFAS (i.e., ifas.ufl.edu) unless they are sites that are UF-wide. That is IFAS policy.

UF Policy website

Al Wysocki had mentioned that we are trying to get the UF General Counsel to host a UF policy website but have experienced some pushback on that.

Cleanup of IFAS websites

Dennis wasn't clear on exactly what was needed here, but Steve noted that there has always been a good deal of "junk" embedded in various places on our web server. Santos has long wished for some way to get that cleaned up.

Terminal 4

It was mentioned that UF is going with Terminal 4 as our web content management system. Steve mentioned that the real problem will be getting folks moved over to that; it is a nearly insurmountable task without there being a mandate.

UF Online

This was discussed briefly at ITPAC. Steve mentioned that Betty Phillips resigned from leading that effort after less than three months.

IFAS student computer lab

Wendy Williams had reported that usage of the lab is great and that the new print system, with support for mobile printing, has been well received. Steve mentioned that he still wants Wendy to present on that to the ICC as her time permits.

The future of IFAS video servers

Ron Thomas had asked Dan Cromer about the future of the IFAS video servers and Dan had responded that there are plans to upgrade those.

Notes from last month's SIAC meeting

Updates not available...

Last month's IT Directors Meeting Notes

Updates not available...

PrintSmart initiative (previous discussion)

Updates not available...

New IT Service Management Initiative

Dan Cromer had related to Steve that the ITSM contract was being negotiated through lawyers and an update was published on what's coming next. They say we are now in the implementation phase with request fulfillment and incident management being the first two priorities.

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

Updates not available...

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

It was announced that the Eduroam service is now available.

There was a presentation on Eduroam by Chris Griffin at the Fall 2013 Peer2Peer for which a recording is available. Kevin Hill asked if the posture assessment still applied with the new "eduroam" SSID. Steve speculated that the Eduroam was a proxy for authentication only and that the connection details for those connecting would be up to each institution. We will have to investigate further.

One detail is that you offer your email address as your username when connecting because the domain portion of that is used by the system to direct the authentication back to your particular institution.

UF Exchange updates (previous discussion)

Dan Cromer sent out the following on Thursday, February 27th:

Message from Dan Cromer to the ICC-L:
"[ICC-L] UF Business Email and Email Forwarding" Thu 2/27/2014 9:06 AM


All,

Due to increased emphasis on UF business email and email forwarding, I’ve sent messages to those faculty and staff in UF/IFAS who have their official business email address or email forwarding set to a commercial account, e.g. gmail or yahoo, which is in violation of UF/IFAS policy http://imm.ifas.ufl.edu/6_150/6150-4.htm. This is a small number, 30 of 990 faculty and 28 of 967 permanent staff (TEAMS or USPS). I have yet to do this for other employee categories, as I’m waiting on further word from UF to review, and perhaps revise, the current General Counsel policy: http://www.generalcounsel.ufl.edu/regulations-and-policies/auto-forwarding.html.

Dan

For those of you who are curious as to what Dan said in that e-mail, here is a copy:

From: Cromer, Dan
Date: Wed, Feb 26, 2014 at 6:44 PM
Subject: Email forwarding to unauthorized commercial services
To: "Cromer, Dan"

Hello,

You are receiving this message because you have configured your UF official business email address to forward to a commercial email service, in violation of IFAS Policy http://imm.ifas.ufl.edu/6_150/6150-4.htm. Please correct your UF business email forwarding in PeopleSoft http://my.ufl.edu under Main Menu > My Account > Set GatorLink Email Forwarding. You should have a UF/IFAS Exchange mailbox for your UF email. I would appreciate your cooperation in this matter.

Dan
--
Daniel H Cromer Jr
Director of Information Technology
Institute of Food and Agricultural Sciences

While we await further clarification from UF, it is worth noting that Departmental Associates no longer get mailboxes. Your local IdM Coordinator (see Identity Management Roles), however, can add Consultant-Staff (220) or Consultant-Faculty (221) affiliations for onboarding new employees (i.e., to speed things along while the other more permanent affiliations can be established by HR) as those affiliations do have the right to an Exchange mailbox.

In case you are wondering, Courtesy Faculty does have the right to a mailbox, but one must go through HR to acquire that affiliation for someone.

Outsourcing of student e-mail

Winnie Lante had pointed out that documentation on the new system is available at http://helpdesk.ufl.edu/self-help/gatorlink-e-mail-setup/.

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

There was a recent change in administration of UF Online with Betty Phillips leaving after a very short stay. One wonders where this leaves the Canvas vs. Sakai saga.

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Updates not available...

SCCM for IFAS

Updates not available...

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Operations


Moving from McAfee VirusScan to Microsoft Endpoint Protection? (previous discussion)

UF has signed a site-wide contract for IBM Endpoint Manager (formerly "BigFix"). In addition to endpoint security and protection, this software also offers desktop and server administration features (including patch delivery, software distribution, OS deployment, remote control capabilities, and near real-time status reports). It also includes mobile device management and security components.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool update (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates not available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
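One way to carry out that manual cleanup and the key scavenging together, as an added example written for these notes (not code from Wayne's Power Tools, Andrew Carey's plan, or the ICC): the PowerShell below assumes the RSAT ActiveDirectory module and an account that can read and modify your unit's OU. It lists computer objects in the OU that are disabled and have not changed in 90 or more days, saves any BitLocker recovery information stored beneath them to a CSV before anything is deleted, and only deletes when -DryRun:$false is passed. The OU distinguished name, the CSV path and the function name Remove-StaleUnitComputer are placeholders. UFAD records no "disabled on" timestamp, so whenChanged is used as an approximation of how long an object has been disabled; your own records, as the notes recommend, remain the authoritative source.

```powershell
# Added example for these notes; not code from Wayne's Power Tools or the ICC.
# Assumes the RSAT ActiveDirectory module and an account that can read and modify the unit OU.
Import-Module ActiveDirectory

function Remove-StaleUnitComputer {
    param(
        # Placeholder OU DN: replace with your unit's OU under UFAD (ad.ufl.edu).
        [string]$UnitOU    = 'OU=PLACEHOLDER-UNIT,OU=IFAS,DC=ad,DC=ufl,DC=edu',
        [int]$StaleDays    = 90,
        # Placeholder path where BitLocker recovery passwords are saved before deletion.
        [string]$KeyExport = 'C:\Temp\bitlocker-recovery-export.csv',
        # Defaults to a dry run; pass -DryRun:$false to actually delete.
        [switch]$DryRun    = $true
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Candidates: disabled computer objects not modified since the cutoff.
    # AD does not record when an object was disabled, so whenChanged is an approximation.
    $stale = Get-ADComputer -SearchBase $UnitOU -Filter 'Enabled -eq $false' `
                 -Properties whenChanged, pwdLastSet |
             Where-Object { $_.whenChanged -lt $cutoff }

    # Before deleting, collect the msFVE-RecoveryInformation child objects, which is
    # where BitLocker stores its recovery passwords under the computer object in UFAD.
    $keys = foreach ($c in $stale) {
        Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
            -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $c.Name
                RecoveryObject   = $_.Name              # RDN carries the key's date and GUID
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
                KeyCreated       = $_.whenCreated
            }
        }
    }
    if ($keys) {
        # The export holds secrets: store it with the same access restrictions
        # as the drives it can unlock.
        $keys | Export-Csv -Path $KeyExport -NoTypeInformation -Append
        Write-Host ("Saved {0} BitLocker recovery entries to {1}" -f @($keys).Count, $KeyExport)
    }

    foreach ($c in $stale) {
        $age = [int]((Get-Date) - $c.whenChanged).TotalDays
        Write-Host ("{0}: disabled, unchanged for {1} days" -f $c.Name, $age)
        # Remove-ADObject -Recursive is needed because the BitLocker child objects
        # would otherwise block deletion of the parent computer object.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false -WhatIf:$DryRun
    }
    return $stale
}

# Dry run first; review the listed machines and the CSV, then rerun with -DryRun:$false.
Remove-StaleUnitComputer | Out-Null
```

The export step runs before the delete step on purpose: once the computer object is gone, the recovery information beneath it goes with it, which is exactly the fallback gap Chris Leopold was describing.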

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Wayne Hyde made VirusScan Enterprise 8.8 Patch 4 available at \\ad.ufl.edu\ifas\SECURITY-TOOLS\VirusScan-8.8. He plans to push that out to clients after testing but you can install the new version yourself by copying the files to the local computer then installing. Wayne did note he is holding off pushing patch 4 due to unexpected alerts from the Buffer Overflow Protection (BOP) feature which McAfee says are "legitimate detections."

Wayne also noted that McAfee Agent 4.8 Patch 1 is the minimum supported agent for Windows 8.1. (Win8 supports Agent 4.6P1+) He will get a new agent pushed into ePO 4.6 and added to \\ad.ufl.edu\ifas\security-tools\epo-agents as soon as he can.

Steve mentioned that folks may want to consider EMET. Steve has been using this at home and on his own machine in the office. This is apparently easily deployed and managed via GPO and would have kept us safer across a number of zero day vulnerabilities.

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

MS Office News update (previous discussion)

Service Pack 1 for Microsoft Office 2013 was released on February 25th. You may want to read more about Office 2013 Service Pack 1 before rushing it out to your users, however.

Job Matrix Update status (previous discussion)

Updates not available...


Other Topics


Fixing domain trust issues

Dennis Brown had brought up this subject again; it was something that had been discussed on the ICC-L back in September of 2012. As pointed out back then by Nick Smith, you can use the command line to fix a machine whose trust relationship with UFAD has broken.

  1. Log in with a local account, or unplug from the network and log in using cached credentials if possible
  2. Open an elevated cmd and run nslookup to get the FQDN of your friendly neighborhood domain controller
  3. Then run:
    netdom.exe resetpwd /Server:<server> /UserD:<user> /PasswordD:*

<server> = a domain controller in the joined domain
<user> = your admn account as UFAD\if-admn-account

Domain join fix via command line

Kamin Miller had offered the GUI equivalent as well where you run the “Network ID Wizard” and supply it with your ADMN credentials:

Network ID Wizard dialogs
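The same fix from PowerShell, as an added example written for these notes (not the commands posted by Nick Smith or Kamin Miller): the function below first checks whether the machine's secure channel with UFAD is intact, so a healthy machine is left alone, then tries the built-in repair, and falls back to resetting the machine account password, which is what netdom resetpwd does. Run it from an elevated PowerShell session while logged in with a local account or cached credentials, as in the steps above. The function name Repair-UfadTrust and the domain controller name in the usage line are placeholders; the DC FQDN is whatever nslookup returned in step 2.

```powershell
# Added example for these notes; not code from the ICC-L thread.
# Run from an elevated PowerShell session (Test-ComputerSecureChannel requires it).
function Repair-UfadTrust {
    param(
        # FQDN of a domain controller in ad.ufl.edu, as found with nslookup in step 2.
        [Parameter(Mandatory)][string]$Server,
        # Your admn account, e.g. UFAD\if-admn-account, supplied via Get-Credential.
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Check first: a healthy secure channel means the trust is fine and nothing should change.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Host "Secure channel with $Server is healthy; no repair needed."
        return $true
    }

    Write-Warning "Secure channel is broken; attempting repair against $Server"

    # First attempt: the built-in repair, which re-establishes the channel in place.
    if (Test-ComputerSecureChannel -Server $Server -Credential $Credential -Repair) {
        Write-Host "Secure channel repaired."
        return $true
    }

    # Fallback: reset the machine account password directly. This is the PowerShell
    # equivalent of 'netdom resetpwd' from the command-line steps above.
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential

    return (Test-ComputerSecureChannel -Server $Server)
}

# Usage (DC name is a placeholder; use the FQDN nslookup returned):
# Repair-UfadTrust -Server 'dc-placeholder.ad.ufl.edu' -Credential (Get-Credential 'UFAD\if-admn-account')
```

Log off and back on (or reboot) afterward so the next domain logon uses the refreshed channel; a $false return means both the repair and the password reset failed and the machine should be rejoined instead.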

MyUF Payment Solutions requires Java

For those working in myUF Payment Solutions as "reviewers" or "approvers", the new Finance and Accounting program requires the Java plug-in in order to view invoices. In Steve's initial experience this will work with JRE 7u51 if the following sites are added to the exclusion list via the Security tab of the Control Panel's Java applet:

  • https://daejaprod.corcentric.com
  • https://cor360lb.corcentric.com
  • https://cor360.corcentric.com

Java Control Panel applet security tab

So far Steve has not seen the need to lower the security level to Medium.

Winnie Lante pointed out that the exception list resides in a user-specific file named "exceptions.sites", located at Users\username\AppData\LocalLow\Sun\Java\Deployment\security. This is just a text file with the URLs listed one per line; it can be easily copied as needed.

Steve noted having heard that the Java exception list will not work on a system that has both the 32-bit and 64-bit versions installed. This likely explains a problem that Al Ibanez had noted with the 64-bit version on some machines.

Adobe licensing

Apparently a contract has been negotiated and we are simply awaiting details.

ICC Elections in August (previous discussion)

Steve wanted ICC members to be aware of the Bylaws of the ICC that he formulated back in March of 2002 as well as the IFAS IMM regarding the ICC which was implemented later at the end of 2005.

We now have two candidates for ICC chair: Dennis Brown and Jimmy Anuszewski. Steve still encourages people to put their names in the hat, but if nothing changes he hopes that whoever comes in second will serve the "winner" as vice-chair. Steve plans to put this out for a vote about one week before the August meeting so that the results can be announced at the August ICC meeting and that the new chair can begin their duties by September.

Getting rid of Windows XP

Updates not available...


The meeting was adjourned early at about 11:15 AM.