ICC Meeting: IFAS COMPUTER COORDINATORS
Message from Larry Arrington to IFAS-ALL-L: This is to inform all UF/IFAS employees about the transition and reorganization of IFAS Communication Services, External and Media Relations, and Information Technology. On July 1, 2009, these units were merged to become IFAS Information and Communication Services (ICS) under the direction of Jack Battenfield. This reorganization will continue for several months, and will follow the objectives and expectations established last year by the Web Working Group, i.e.:
The new unit is organized with three key function areas:
All information technology and communications professionals in this new unit are expected to have overlapping functions and duties, with responsibilities in the following areas:
We look forward to a smooth transition and new direction that will improve the quality of information technology, communications, and external relations. We also thank Ashley Wood, who retired July 31, 2009, for his nearly 40 years of outstanding service and leadership in IFAS.
Steve was surprised by the organizational chart which this memo suggests. The core of IFAS IT has been relegated to a functional subset of the newly merged unit and is now termed "Technology Support" with Dan Cromer as "Coordinator". The groups comprising this newly named "Technology Support" function, however, are currently neither mentioned nor linked from the IFAS Information and Communications Services web site.
While Steve cannot envision how the proposed overlapping of functions and duties across all personnel could possibly work, his greater concern is the apparent marginalization of core IT functions. Those appear to Steve to have been assigned an "out-of-sight, out-of-mind" status, which is exactly the opposite of what he believes to be a healthy situation for continued progress toward the very goals which the memo sets. Further, those goals require resources which seem neither forthcoming nor obtainable via any foreseen improvements in efficiency.
Course Management System Conversion to Sakai 3 (previous discussion)
Steve pointed out again that the UF IT web site now has a Projects tab which includes documentation on a number of ongoing projects, including the CMS Conversion to Sakai.
myuf Market (previous discussion)
Is it IE8 compatible as is claimed?
Steve pointed out that Michelle Quire claimed at the last ITPAC that IE8 was not compatible with myuf Market--even in compatibility mode. Dan Cromer responded that Michelle was working directly with someone at Bridges to investigate that, but he had not heard the resolution.
Steve received an update on this from Michelle the following day:
We are working on scheduling a web meeting with the SciQuest people. I have run several tests with the people at Bridges and I have not been successful in running a fully successful test through a complete purchase. I still hold firm to my stance that IE 8 does not work 100% with myufl market place. The answer I have gotten so far has been that the vendors do not have their sites up to par with IE8 and the problem is not on the UF side of things. Well that is great, but if we have to go out to the vendor sites to make the purchases through myuf marketplace, then it certainly is going to give the appearance to the "average" user that myufl market place is the issue. The average user is not going to understand that it is not UF that keeps up with these websites.
Donna McCraw added later via e-mail:
I was just reading your notes from the last meeting about IE8 problems with myUF Market. I went to the PeopleFirst web site today, and there is a notice at the top that says their site is not compatible with IE8. There is a link to Alert 225 for more information. Very interesting. I haven't tried compatibility mode yet, gotta find my userid and password first.
UF IT Action Plan (previous discussion)
This topic marked for removal from our agendas
Now that the plan has been accepted and http://www.it.ufl.edu has been recently re-vamped to include a good deal of information about the reorganization, Steve feels this matter can be dropped as a standing item from our agendas. Note that current documentation includes new sections on Governance and Projects.
After the meeting Dan Cromer shared other related news:
from Chuck Frazier's "Open Letter to UF IT Staff" in the September 2009 "IT Connections" newsletter... "At his fall State of the University address last week, President Machen announced a number of the changes occurring outside IT including replacement appointments of new senior administrators in several areas. He also announced searches that will begin soon to fill other administrative and faculty positions. Adding to that list, President Machen announced today that a national search for a new UF CIO will begin immediately. This search (not a new position) follows from and is a capstone of a year in which the 2009 Information Technology Action Plan (ITAP) was developed and adopted. The ITAP integrates core and distributed IT components throughout UF in a single organization. A key part of completing that plan is the appointment of a UF CIO to lead and manage the new IT organization. The UF CIO will have the title of Vice President and CIO and will report through the Senior Vice President for Administration Brian Beach. Two senior administrators have agreed to co-chair the CIO search. They are Paul Robell, Vice President of the UF Foundation and Paul D'Anieri, Dean of the College of Liberal Arts and Sciences. Committee members and a search firm will be announced soon." "Other important searches are either underway or are soon to begin. These include a search for a UF and Shands Health System CIO. This position will oversee IT in the Health Science Center and Shands. As with the IT lead in each of the four Senior VP areas, reporting is to the Senior Vice President for Health Affairs David Guzick with a dual-report line to the UF CIO. The dual-report to the UF CIO is for purposes of facilitating University-wide policies, standards, and coordinated administration of core and locally provided IT infrastructure, systems, and services. Also to begin soon are searches for an Information Security Officer and a Director for University Systems. Both of the latter searches are identified as new divisions or departments under the ITAP. Both will have University-wide responsibility and will report through the UF CIO." "On the management side of things, we have restarted periodic meetings of the UF Campus IT Directors Group. This group met once in the summer and will continue to meet bi/monthly throughout the year. The goal is to regularize a setting for information sharing and opportunities for coordination and collaborations. For the core unit directors and the IT leads from the four Senior Vice President's areas, we have formed the UF IT Managers Council. This group has been meeting regularly on a bi/weekly basis through most of the summer. Going forward, we will move to a once a month meeting schedule. The new managers hired to lead the Information Security and Compliance Office and the University Systems Group will also be a part of this group."
UF Exchange Project updates (previous discussion)
Fax services?
Steve asked if anyone had looked into the FAX services which Erik Schmidt had mentioned in a CCC list posting a couple of weeks ago. Apparently, FAX integration with the UF Exchange system is currently in limited production and is being worked towards implementation on a larger scale.
Dan Cromer responded that a third-party product was purchased by Bridges to meet their own needs. Health Sciences wanted to implement this as well and began discussions with CNS. CNS was somewhat reluctant to proceed immediately so the Health Sciences Center bought the product themselves and it is in production for their use. Broader availability is being researched though Dan was not aware of the timeline. This allows one to send a FAX directly from Outlook via a "printer". The discussions have been that for a ~$5/month charge one could have a telephone number assigned as your fax number and images received would be available via Outlook.
Office Communications Server
At Dan's suggestion, Steve began using OCS at the ICC meetings for out-of-band messaging. Anyone who wishes to submit questions and comments during the meeting is encouraged to use that.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM
Windows XP deployment
Daniel Solano has developed a "universal" Windows XP SP3 image which he is offering to make available for all IFAS. It includes:
Daniel said that he has been using this image in Food Science for about two years. It has worked on pretty much every computer model he has purchased, though he has stuck mainly to the common Dell offerings. He has tried it on some Gateway, Sony and Lenovo machines and it seems to work fine there as well. It can be updated to support new drivers as needed, and drivers may of course also be added individually on boot after the image is loaded.
Daniel's idea is to have this available for deployment along with a base Windows 7 image via Microsoft System Center Configuration Manager once we have it in place. Steve asked if this could be added to WDS in the meantime without too much bother; that would permit PXE booting in order to load the image without the use of optical media. Andrew Carey said he could look into that, but didn't want to spend a great deal of time should it prove difficult, as SCCM was the long-term plan. Andrew admitted, however, that he wasn't certain of the current status of WDS as it has received very little use.
Steve asked Daniel about how often he has had to update that image, as updating involves the fairly time-intensive process of loading the image on a reference machine, installing whatever is necessary, sysprepping and then reimaging. Daniel responded that he hasn't done that very frequently--perhaps not as frequently as he should. He did feel that monthly updates, for example, would be excessive and unnecessary. As long as the image has the major patches, the time savings in deployment is enjoyed regardless.
Steve asked about preparing the ePO agent for imaging (ufad\if-admn credentials required), but Daniel responded that he has avoided that to date by not including the agent in the image.
Steve mentioned that his understanding of SCCM was that it could handle application deployment. Down-the-road with Windows 7 we might want to look at leaving applications off the image and utilizing that feature. Daniel responded that this was indeed his goal as well. Steve asked Andrew if he had been using SCCM with the server rollout. Andrew said that he has been looking into it but has not had nearly as much time to devote to that as he would like.
Windows 7 deployment
Steve pointed out that the Microsoft Deployment Toolkit 2010 was released a couple of days ago. The Group Policy Settings Reference for Windows Server 2008 R2 and Windows 7 is also available. This is an easily filterable spreadsheet which includes all the GPO settings along with the registry keys that implement them.
Exit processes, NMB and permission removal (prior discussion)
Nothing further was available on this topic at this time.
Re-enabling the Windows firewall
This issue has been moved up in priority due to a newly reported vulnerability which apparently will not be fixed in Windows XP. A firewall is deemed the appropriate mitigation, but we have had that disabled via GPO for the last five years.
Wayne Hyde has begun looking into this afresh but had been somewhat stymied by the poor firewall implementation on Windows XP. There is no way to specify a blanket rule such as "accept all traffic from a location except on this port or ports". Consequently, you have to open up individual ports.
Wayne is currently trying to work out some communication issues, as he is seeing dropped packets from DCs and even the file cluster. It appears that WinXP is doing an LDAP query or some other kind of a connection to a DC and then immediately closing the connection; thus when the DC tries to respond the packet is dropped. Hopefully this is traffic that is not critical and can be dropped, but Wayne is still investigating that aspect.
When applications are installed they frequently create exclusions in the firewall so they can communicate as needed. Wayne is concerned that those settings get configured and are retained even when the firewall has been disabled as has been the case with IFAS. The exceptions included in a machine's firewall configuration may be viewed via a "netsh" command:
Once the firewall is enabled, it is hoped that all these exceptions will be implemented; otherwise a huge mess would result. Note that there are separate Standard and Domain profiles; Wayne intends to make the Standard profile (which is used when the machine is off our network--laptops for example) more strict.
Steve mentioned that he really didn't see how the Windows XP firewall could be very effective against the sorts of DoS attacks mentioned in any case; as long as any traffic is allowed from the world it would seem to him that an attack is possible. Wayne responded that the great majority of our machines being on private IP helps a lot--limiting such attacks to among internal machines. With lots of laptops hooked up to non-WIPA ports, however, the potential will exist.
Wayne is creating two GPOs; one with the firewall rules and the other to re-enable the firewall. That way we can link the firewall rules first and link the other GPO more incrementally, department by department. Once everyone is on board, the rules will be moved into the co-managed computer GPO as our long-term solution.
Wayne then went through some of the settings. There will be separate settings for WinXP and Vista/7 due to their different capabilities. File and printer sharing is going to be enabled for pretty much all campus IPs plus the local subnet. He still needs to test whether "localsubnet" in the IP list truly limits things to a unit's /23 or /24 subnet; the documentation isn't quite clear on that.
Settings will be configured to allow remote administration (like MMC and PsTools), and remote desktop connections will be permitted from anywhere. Wayne had thought about limiting it to UF IP space including the VPN, but knows of cases where that would not work. Initially Wayne plans to log dropped packets and successful connections; he will likely drop the logging of successful connections once this is deployed and working. Should someone complain of an application not working, you can see what is going on with a machine by viewing the file at c:\windows\firewall.log. There is a setting that controls the display of connection-attempt notifications via the system tray, but those are suppressed by default. Consequently, you will need to use the log for clues to connection problems.
You will also be allowed to make local exceptions on an individual machine (Control Panel > Windows Firewall) so you can fix unique issues which may arise:
The ICMP exception is enabled to allow pinging of computers.
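As an added illustration (not from the meeting, and not an IFAS tool), here is a small Python triage script for the firewall log mentioned above: it reads the log's W3C-style header, counts DROP entries per remote endpoint, and labels the late-reply-from-a-DC pattern Wayne described so it can be told apart from genuinely blocked inbound connections. The addresses, the DC/file-cluster map and the sample log are constructed placeholders.

```python
"""Summarise DROP entries in a Windows Firewall log so that connection problems
can be triaged without the system-tray notifications (which are off by default).

The log is W3C-style: '#' directive lines followed by whitespace-separated
columns named by the '#Fields:' line. Columns are looked up by that header
rather than by position, so XP and Vista/7 logs are handled the same way.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log: every address is a placeholder, not a real IFAS value.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-09-11 09:15:22 DROP TCP 10.245.1.5 10.245.12.33 389 1034 40 A 0 0 0 - - - RECEIVE
2009-09-11 09:15:22 DROP TCP 10.245.1.5 10.245.12.33 389 1034 40 A 0 0 0 - - - RECEIVE
2009-09-11 09:16:03 DROP TCP 10.245.1.20 10.245.12.33 445 1041 40 A 0 0 0 - - - RECEIVE
2009-09-11 09:17:45 DROP UDP 10.245.40.80 10.245.12.33 137 137 78 - - - - - - - RECEIVE
2009-09-11 09:18:01 OPEN TCP 10.245.12.33 10.245.1.5 1055 389 0 - 0 0 0 - - - -
2009-09-11 09:18:02 CLOSE TCP 10.245.12.33 10.245.1.5 1055 389 0 - 0 0 0 - - - -
2009-09-11 09:20:11 DROP TCP 192.0.2.77 10.245.12.33 51502 445 48 S 812345 0 8192 - - - RECEIVE
2009-09-11 09:20:14 DROP TCP 192.0.2.77 10.245.12.33 51502 445 48 S 812345 0 8192 - - - RECEIVE
"""

# Constructed placeholder map of infrastructure hosts whose late replies are expected.
KNOWN_INFRASTRUCTURE = {
    "10.245.1.5": "domain controller",
    "10.245.1.20": "file cluster",
}

FlowKey = Tuple[str, str, str, str]  # protocol, src-ip, src-port, dst-port


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if not fields:
            raise ValueError("data line encountered before the #Fields header")
        values = line.split()
        # Pad short lines with '-' so that column lookups never fail.
        values += ["-"] * (len(fields) - len(values))
        records.append(dict(zip(fields, values)))
    return records


def flow_key(rec: Dict[str, str]) -> FlowKey:
    return (rec["protocol"], rec["src-ip"], rec["src-port"], rec["dst-port"])


def classify(key: FlowKey, tcpflags: str) -> str:
    """Explain a dropped flow in terms of the patterns discussed at the meeting."""
    protocol, src_ip, src_port, dst_port = key
    if src_ip in KNOWN_INFRASTRUCTURE:
        # The client opened and immediately closed a connection (e.g. LDAP to a
        # DC); the server's reply arrives after the local port is gone and is
        # dropped. Usually harmless, but confirm before adding an exception.
        return f"late reply from {KNOWN_INFRASTRUCTURE[src_ip]} port {src_port}"
    if protocol == "TCP" and "S" in tcpflags and "A" not in tcpflags:
        # A bare SYN means a brand-new inbound connection the rules rejected.
        return f"new inbound connection to port {dst_port} blocked by policy"
    return "unclassified"


def triage(text: str) -> List[Tuple[int, FlowKey, str]]:
    """Sorted triage lines (drop count, flow, explanation), most frequent first."""
    records = parse_firewall_log(text)
    drops: Counter = Counter()
    flags_for: Dict[FlowKey, str] = {}
    for rec in records:
        if rec.get("action") != "DROP":
            continue
        key = flow_key(rec)
        drops[key] += 1
        flags_for.setdefault(key, rec.get("tcpflags", "-"))
    return sorted(
        ((n, key, classify(key, flags_for[key])) for key, n in drops.items()),
        key=lambda item: (-item[0], item[1]),
    )


if __name__ == "__main__":
    for count, (proto, src, sport, dport), why in triage(SAMPLE_LOG):
        print(f"{count:4d}  {proto:<4} {src}:{sport} -> local port {dport}  {why}")
```

To use it on a real machine, read c:\windows\firewall.log (or the path configured in the GPO) into `triage()` in place of the constructed sample.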
Moving away from the IFAS VPN service
Questions of need remain
Steve failed to mention this topic during the meeting, but he did hear recently from a UF librarian, Michelle Foss, that she had been giving a presentation at a remote site which required VPN connection in order to access library resources. During that she found out about the IFAS VPN because the individual using that was the only one who could successfully connect to resources from that remote connection. This same issue had been reported by Joe Hayden for one of our remote locations. We obviously need to investigate these reports more thoroughly.
The IFAS VPN assigns public numbers currently
Santos Soler also pointed out to Steve after the meeting that the IFAS VPN assigns public IP addresses. This was news to Steve, as he had believed that vpn2.ifas.ufl.edu was public and vpn.ifas.ufl.edu private. Apparently those now point to the same location and public addresses are the rule. Steve believes this should be changed ASAP, and Santos recommended advising folks to enable their firewalls when connecting via the IFAS VPN.
Wayne's Power Tools (previous discussion)
Wayne has put these on the back burner due to other more pressing needs. He mentioned that users of these tools should contact him or Santos Soler if they receive an error; these tools stress the application pool on IF-SRV-WEB and the site sometimes has to be cycled to clear that.
Folder permissioning on the IFAS file server
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age
As with so many things in these times of inadequate staffing, finding time for implementation is proving difficult.
New MPS/DC testing -- access by unit-level administrators
Steve once again failed to ask, but Andrew certainly continues to work on this.
This topic remains as a standing issue, but was not discussed this month.
New dashboards implemented on the ePO console
Wayne Hyde recently updated some of the dashboards on the web-based ePO console. Wayne had posted a message to the ICC-L regarding this:
Message from Wayne Hyde to ICC-L: I changed two of the panels on the "Detections (day/week/month)" dashboards. The top-right panel is now a list of the top-100 computers with detections under \WIN* (drives C thru H, covers \WINNT and \WINDOWS). The bottom-right panel now shows the top-100 computers with On-Demand Scan detections. If you see hosts on the "Detections in \WINDOWS" panel, please investigate them as malware has most likely already infected the computer. If you see the same file being deleted repeatedly, it is a good indication that there is some other mechanism that is re-infecting the machine and it may need to be wiped. "Nuke it from orbit, it is the only way to be sure." The on-demand scan detections will only show detections from the various ODS tasks run in McAfee AV. This may be user scheduled or by ePO policies. Soon enough you'll be able to schedule your own ODS tasks using tags in ePO. I will see about creating a new dashboard with trending information to show detections over time periods, etc. You can also run these queries manually under Queries -> Shared Groups -> WPT
Steve brought up the console so Wayne could demonstrate the new dashboards. Steve complimented him on these improvements. It helps greatly to weed out some of the noise of the many events and to focus on those which are likely most critical. Wayne mentioned that we need to hone our deployment tools and get data off the local machines so that infections can be more easily dealt with by a rebuild; that is the direction we need to head with handling the inevitable infections which will no doubt increasingly occur.
Managed ODS have been instituted
Wayne has instituted two on-demand scans (ODS) which can now be viewed via the local VSE console (except on Windows 7 apparently):
One is set to do a quick scan of more critical areas daily at 5 AM, but he has also added a weekly full scan at 10:30 PM each Friday. This latter scan stops the task if it runs over 3 hours, and also if you are on battery power or have a presentation running (on 8.7). The good news is that these scans detected less than he had feared.
Wayne mentioned that when PWS detections are seen, you should warn the users involved to change any passwords they may have entered using that machine, as those are password-stealing programs. Many of these just steal game passwords, but care is urged.
VSE 8.7 patch 2 is due out by end-of-month
Wayne mentioned that users won't see much effect, but that this should improve a number of things from the server side. Dan Cromer reported an issue on Windows 7 where VSE installation asks to disable Windows Defender. Wayne said that patch 2 will support Windows 7 and addresses that issue.
Wayne had also mentioned that McAfee has released a new 5400 scan engine, which he is testing prior to deployment.
Question about rootkits
Dennis Brown mentioned having read that some rootkits cannot be removed via a simple reformat. Wayne responded that boot sector infections would conceivably survive that. There are also rootkits which hang out in the BIOS. There are always ways to get rid of these, but it certainly will be annoying if they become at all prevalent.
Status of SharePoint services (prior discussion)
This aspect was not covered this month but will remain as a standing item for future discussion.
Public folder file deletion policies and procedures status
Nothing further was available on this topic at this time.
Microsoft
The September Microsoft patches include five critical updates for Windows. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
MS Office News update
No news to relate.
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Steve wants to leave this matter as a standing agenda item for future discussion.
Snow Leopard includes built-in support for Exchange 2007 (prior related discussion)
It would appear that an OS upgrade may be the easiest way to improve Exchange 2007 access for Macintosh users. Francis Ferguson reported that he had spent quite a bit of time in an Apple store lately trying to get a Mac mini repaired; while there he noted that copies of this new OS are "flying" off the shelves.
Fergie also noted that Apple has no sympathy for individuals who drop or otherwise damage their iPhones. Such user-caused damage is absolutely not covered in their warranty. He urged any using those to get a protective case as it will be money well spent.
Wendy Williams mentioned having heard of a problem with the latest iPhone OS 3.1 upgrade at the Department of Medicine where they have encryption enabled. After the upgrade the phone reported that encryption wasn't active which deleted the account on the phone and wiped out all the contacts and email. This has since been resolved apparently via changes on the server side.
According to an EnGadget post by Donald Melanson, this... "upgrade can now enforce the Exchange ActiveSync mailbox policy requiring encryption on the device, which just so happens to only be supported by the 3GS (guess that "S" stands for more than just speed). Not surprisingly, the only solution for non-3GS users is to contact their Exchange Server administrator and hope that they're willing to change the policy to no longer require device encryption."
After the meeting Dwight Jesseman reported not understanding this part of the discussion as UF Exchange has never required encryption and there have been no changes since the settings were first applied. Here are the settings for the ActiveSync policy:
PDF-Xchange (prior discussion)
Andrew Carey reported that he had received a quote on licensing of this Acrobat replacement. The cost for all of campus would be only $3000. Unfortunately, the company would require a "Corporate County Pack" to support all our remote sites across the state, which would run $13,500. Even though that price tag may seem a little steep, consider that according to LanSweeper IFAS has 307 installations of Acrobat Professional 9, and at the UF price of $62.03 per installation, IFAS has spent $19,043.21 on Acrobat 9 since it was released (June of 2008). Adding $3,375.00 for two additional years of maintenance would still be a savings over what is currently being spent and would allow us to upgrade to new versions for the next three years FOR ALL USERS.
Steve pointed out that when costs are pushed out to the leaves of the tree, the trunk doesn't care. The $19,000+ spent by individuals within IFAS is not a direct concern to central administration, whereas the $13,000+ cost is likely seen as prohibitive from a central standpoint. Unfortunate, but true.
Steve said that the nice thing about this application is that they have a portable version which does not require installation. Consequently, you can place that on a file share and make it available to all in an easily updatable fashion. Andrew mentioned that if there was interest we could deploy the free reader; Joe Gaspar has a GPO for that which we could utilize.
All Windows 2000 machines should be on private IP
Dan Cromer wanted to reiterate this point which had been posted to the ICC-L and was pertinent to our earlier firewall discussion.
Machine administration is to be done via IF-ADMx accounts
Dan Cromer wanted to remind people that OU Admins should not be adding their Gatorlink accounts to the local administrators group on the machines in their units. While exceptions are allowed for an OU Admin's individual work machine, doing that broadly is extremely poor practice. It runs the potential risk of compromising all machines across an OU. While they can be a bit difficult at times, there is a very solid rationale behind using our OU Admin accounts (ufad\if-admn credentials required).
Directory coordinators should not be an IT function
Dan Cromer said that there is a current effort to separate out the NMB setting role and provide that to IT folks, so that we can do that portion of the job without needing to be Directory Coordinators in the broader sense. Steve asked if these roles would be applied for us or if they would require a request. Dan wasn't sure, but seemed to think that requests would need to be made via our units' DSAs.
IT staff awards being planned
Dan Cromer related that plans are underway to create UF IT awards as proposed by Chuck Frazier. Eight awards are planned, one from each of the four Senior VP units and four others from CNS, AT, etc. There would be a single overall selection as well which would then be included as a candidate for the annual UF-level Superior Accomplishment Awards. This is planned to start rather soon, in October.
Further information is available in this month's newsletter:
from Chuck Frazier's "Open Letter to UF IT Staff" in the September 2009 "IT Connections" newsletter... "Finally, and generally under the heading of engagement, plans are moving forward for a fall assembly. The primary purpose of the fall UF IT Assembly is a social gathering to kick-off a new year and to recognize and celebrate service by IT employees. Expect an announcement on this soon with the target date being October 29th, 2009 in Emerson Hall from 3:00 PM to 5:00 PM. Recipients of the 5, 10, 15, 20, 25, 30 and 35 year pins will be recognized as will the recipient(s) of the 2009 UF IT Outstanding Service Award."
All class materials should be on-line
Dennis Brown reported that one of his faculty came to him mentioning a message which all faculty received from Dean Barrick. The message indicated that all class materials should be posted on-line due to the anticipated flu epidemic. It was discussed that compliance will be the issue there as only those doing so currently are likely to comply.
There is a posting relative to this on the e-Learning Support Services site in the news section of the front page:
Instructors: Please be aware that the form to request new course accounts has been disabled temporarily while LSS staff are creating course accounts for all courses and sections not currently in the E-Learning System for pandemic planning. Because all courses are already being created, there is no need to request accounts for the Fall 2009 term. By Monday, 14 September, you will find your Fall courses simply by logging into E-Learning with your GatorLink username and password. As soon as things settle down in the world of pandemic planning, we will restore the form for instructors who wish to request accounts for Spring 2010 and after. Thanks for your patience!
There was additional information pertinent to this topic from Chuck Frazier:
from Chuck Frazier's "Open Letter to UF IT Staff" in the September 2009 "IT Connections" newsletter... "Anything that happens in the University impacts IT in some way, and vice versa. So, as we start this new semester, it is critically important for all of us to be thinking about and preparing for the H1N1 virus. Academic Technology, in cooperation with the Provost's Office, has developed a plan to assure that all courses and all sections taught this term have the capability of delivering content to students electronically. More detailed information will be forthcoming in the next couple of days from the Provost's Office and the Office of Student Affairs. A resource web page can be found at www.at.ufl.edu/flu."
The meeting was adjourned early at about 11:30 AM.