ICC Meeting:
IFAS COMPUTER COORDINATORS
Message from Avi Baumstein to the CCC-L: The Office of Information Security and Compliance will host a workshop on October 19th, 2011 from 1:30-3:00pm in the Reitz Union room 282. This workshop will introduce IT staff to the new Mobile Computing and Storage Devices policy and standard, and ways in which units can comply. UF has purchased PGP Whole Disk Encryption software, and the workshop will cover license distribution and the installation, use and management of this software. ISC is also planning several trade-in events at which faculty and staff can exchange old, insecure USB drives for encrypted models. Details of this program will be discussed as well. This workshop is recommended for all unit ISMs and IT staff that support users and their mobile computing and storage devices.
Dan Cromer related that the organizers do not want to provide remote access to this. Dan keeps fighting against the concept that allowing streaming for an event will decrease local attendance. The other aspect that gets in the way of streaming/recording is that some presenters are from outside commercial organizations who want to control access to any of their "intellectual property" which they might be relaying.
This particular workshop will be recorded, however, for later playback.
There was some discussion on how best to proceed with whole-disk encryption, with Chris Leopold being in favor of BitLocker as a solution. Everyone agreed that we need to wait until after the workshop to have a good idea of which way to go with this, as the details of what is expected are still a bit fuzzy.
ITSA Day 2011:
The ITSA Day 2011 event was held Wednesday in the Reitz Union Grand Ballroom. Videos of the presentation are available now on the ITSA website. Steve asked if anyone attended and Dennis Brown indicated that he was not able to because of other duties. Wendy Williams did attend the IT Track and was pleased to hear that recordings are now available of that and the General Awareness Track as well.
Fall 2011 Peer2Peer:
It also was announced last week that the Fall 2011 Peer 2 Peer event will be held Monday, October 31st in Smathers 1A. Dan Cromer has kindly requested remote participation but we will have to see if that can be accommodated. The agenda includes presentations on VoiceThread and lynda.com, SCCM, Lync, and others--including a presentation on SCCM Asset Intelligence by our own Alex York! Dan Cromer believed that streaming would be available for this.
Wake on LAN support coming to campus:
Dan Miller had reported that the campus router infrastructure should soon support Wake-on-LAN. This could be great news for the green initiative of shutting down computers after hours while still supporting patching schedules and other remote administrative needs.
Message from Dan Miller to the CCC-L: All, Cisco now has wake on LAN support ready for all but the oldest campus Wall-Plate switches. CNS is investigating how this option could be extended across campus. Units may wish to delay any planned purchases of third party WOL solutions if they can wait awhile for our answer. If you are planning or wish to deploy WOL, please let me know directly so I may better gauge the need. Thanks,
Steve mentioned that he has been using EMCO's Free Wake-on-LAN Tool to help with remote management within his own subnet. Once the BIOS is configured to enable WOL he has found this quite useful.
Misc topics for notification from recent Shared Infrastructure Advisory Committee (SIAC) meeting:
Dan Cromer shared a number of interesting points from a recent SIAC meeting. This is good of Dan because the committee website seems to remain a couple of months behind with its reports.
Message from Dan Cromer: All, The UF Shared Infrastructure Advisory Committee (part of IT governance) met yesterday. One item on the agenda was the proposal for central SCCM. I've posted on the ICC SharePoint site http://my.ifas.ufl.edu/sites/services/it/icc/Shared%20Documents/Forms/AllItems.aspx. Agenda follows, [with a few of my comments added]: Agenda 3:00 to 4:00 09/27/2011 CSE 507
Additional Information:
Dan
Dan Cromer mentioned there had been a couple of other meetings since the SIAC meeting, including the Infrastructure Applications Advisory Committee (IAAC) meeting Wednesday and then the IT Directors meeting yesterday. Dan provided some updates from all those.
Fax server in pilot
The fax server system is in pilot production currently. There have been a few glitches; currently it can fax PDFs. It works via composing an email message to a fax number in a certain format with attachment(s); the subject and contents are ignored and the attachments are faxed. Unfortunately, the project has been headed by Chris Easley and Chris just went on family leave for three months. That might delay progress for a while, but at least the out-bound portion is working currently. Dan said that IFAS has about six people involved with testing in this pilot.
Dropbox
The Dropbox service is close to rollout, perhaps within a week or two. They have selected a domain name of file-express.ufl.edu for use by this service. Shawn Lander is the person who wrote this application for Engineering and he is setting this up for all UF. This will be a universal file sharing location where individuals can drop files too large to be sent as attachments in emails. This is a web-based application that should require little if any training to use.
SharePoint and My Sites
About 350 individuals within IFAS are using a feature of SharePoint called My Sites. This feature was basically unadvertised but discovered by individuals for themselves via the "My Site" link at the top of our SharePoint implementation. Support for that feature was not within the original scope of the UF SharePoint project. Dan Cromer tried to get them to agree to handle this for IFAS but was turned down.
IFAS must thus decide to continue supporting My Sites separately or to drop that with our migration to UF SharePoint. Chris Leopold would like to see the full SharePoint feature set supported by the centralized SharePoint service. He believes it could be manageable with proper quotas enabled; but that apparently will not happen without some major governance action that seems unlikely in the short term. Given those circumstances, Chris then suggested that we reduce our functionality to conform to what UF provides centrally and drop My Sites.
Allan Burrage said that they had gone through something similar with unified messaging (voice mail going to email) when they moved to UF-provided VoIP. CREC had this feature all along, but when UF took over they did not support this and refused to give it to CREC until it could be offered to everyone. That is now being rolled out and CREC is finally back where it was. Something like this may need to happen with My Sites and SharePoint.
ITN for Rationalization Assessment
Dan mentioned that there was discussion at the last IT Directors meeting about an Invitation to Negotiate (ITN) for centralization of services, which they are now calling "Rationalization Assessment" [RatAss?]. This will not just affect IT but is being planned for other environments as well.
Wendy said that Elias Eldayrie spoke of IT Rationalization Assessment, making it clear that it is not the centralization of IT per se, but would involve the centralization of some services. They are hiring a consultant to do this assessment which will include HR and Procurement in addition to IT. Wendy had heard that Accounting and Finance people would also be included.
New Secunia site license (previous discussion)
Wendy Williams relayed from the ITSA presentation that the UF Computing Help Desk is now assisting folks with installing Secunia Personal Software Inspector (PSI) on personally-owned laptops. Wendy said that this is the same package that individuals can download for themselves from Secunia but they were using this opportunity to provide training as well. Steve was surprised because he thought he remembered Joe Gasper mentioning that there would be a separate UF statistics area in the cloud for this application and Steve had assumed this meant a custom install.
[Note: this software is now available for download from http://software.ufl.edu/secunia/. According to Derrius Marlin at his last ITSA talk, this version is indeed linked into UF reporting.]
OU Admins need access to current inventory data
Steve used this topic to raise the point that OU Admins currently don't have access to any current inventory data unless they have rolled something in-house like Dennis Brown has done. Steve feels that if ITSA wants to discourage units from rolling their own solutions that they need to be more proactive in addressing this need. Steve added that he didn't really care if the data came from LANsweeper, Secunia, or Dell Kace, as long as he had access to it. Kace sounds like a fantastic system, but the only thing which is being offered to units (according to Wendy Williams) are static printed reports on request; that is of very little use. Access to Secunia data would require coordination with ITSA if Steve is reading the UF IT wiki correctly, but nothing has moved on that front as far as he has heard. With Wayne's Power Tools pointing to old LANsweeper data currently, we have a whole lot of nothing. Steve doesn't really feel comfortable with those above him having better access to his inventory data than he does.
[Wayne Hyde reported the following Tuesday that Matt Wilson had worked diligently the day before and that much of the new LANsweeper data is now available again. Thanks to them both!]
Chris Leopold said that what he really desires is to get a programmer who can roll these types of tools. There is great potential, but current staffing limitations lead to situations such as we are experiencing now, unfortunately. Wendy and others agreed, however, that just getting what we have (WPT and LANsweeper) providing current data should be the highest priority, as that data is very important and useful to OU Admins.
KACE agent to be deployed throughout UF for computer inventory purposes
Yesterday, Dan Cromer posted the following message to the ICC-L:
Message from Dan Cromer: I’d like to support the UF CIO by joining the KACE program in IFAS; . A small program is installed on computers to respond to queries from the master server about hardware and software inventory. It doesn’t collect any personal information on the computer, but would provide information about the scope of IT across UF. IFAS would have access to reports about our inventory. This requires no action by the local user, and implementation would be transparent.
Nobody seemed all that concerned with having yet another agent installed on our computers, if only because (1) it seems to be very lightweight and (2) central administration would likely mandate this anyway. Thus we might as well oblige. The fact that we will not get any real-time access to the information gathered, however, makes it rather less important to us individually.
Wendy said that the priority with Kace is inventory at the UF level. She suspected, once this was accomplished and working, that we might have future success in getting better access to the information the Kace tools could provide.
Steve (with Wayne Hyde's assistance behind the scenes) demonstrated a way to enable installation of the agent via GPO while providing control that could exclude certain machines from that policy as necessary. It seemed to Steve that such control would be desirable, for example with virtual machines and certain other instances.
Wendy asked if rollout was going to be handled centrally for IFAS or not. Discussion ensued and it appeared nobody was against doing that as long as a means for excluding machines via security groups was implemented as well. Dan seemed to want to bring this as an ICC recommendation to ITPAC, though Steve isn't really sure such formality would be needed.
There was further discussion about which machines this agent was appropriate for. Steve had assumed this was just wanted on UF-owned boxes and Bill Black pointed out that (perhaps) the majority of his machines were county owned, though still on UFAD. Dan Cromer believed there was no problem gathering data from all machines used by IFAS employees--regardless of who the owner was. His belief was that the more information we could gather the better. If that is the case, then such details as ownership might not be a big deal.
Mike Ryabin noted that a good number of his machines are joined to the domain but kept off-network for much of the time and would be difficult to assess via these inventory tools for that reason. It is true that any method used won't be perfect and account for everything.
Domain policy and redirect duration (previous discussion)
Updates not available...
CNS working to implement NAC for UF wireless (previous discussion)
Updates not available...
Lync updates (previous discussion)
John Wells mentioned that he and some of his users seemed to have lost their Contacts with MOC. Steve then mentioned that he had not experienced this but was curious as to why his MOC was continuously showing Address Book synchronization errors. Dan kindly responded...
Message from Dan Cromer: All, The one-time occurrence when a large amount of users were accidentally removed from the SIP-enabled group (by a host receiving the list to run the script from a server host that went through a reboot while it was transferring the list) and lost their OCS account caused those who had been temporarily removed from OCS for several hours to be removed from contact lists of all who had them. When the accounts were restored after the error was discovered, those who had been removed had no contacts at all. I’m unaware of any further problems in that area, and Luis Molina told me he, too, knew nothing further about it. The script for adding and removing SIP accounts that removed OCS users had been modified so as not to delete any accounts. If there are further incidents where contacts are removed, we need specifics about when it was there and when it was lost for diagnostics. The issue of synchronization is different. In Outlook 2010 you should be able to go to File -> Account Settings -> Download address book to get a current copy. Restarting OCS should then eliminate the red exclamation point on the task bar OCS icon. I don’t know the process for Outlook 2007 or earlier, but I suggest that it’s time to update to 2010. We will soon need to upgrade from OCS to Lync, and there may be features for Lync in 2010 not available in 2007 or earlier. Dan
Steve tried to ask John if this had been resolved, but he had apparently been called away. Both Wendy Williams and Allan Burrage noted contact losses, but said it was due to the one-time issue that Dan Cromer had relayed and had not recurred.
Allan said that CREC had a number of synchronization issues arise with the Exchange 2010 implementation. He had been in frequent contact with Luis Molina on those issues and Luis had worked on that for some time. Allan said that Luis stopped corresponding on the matter before it was resolved, but then the issues went away and Allan never heard the details of the cause/resolution. Steve said he wished Luis could have been more proactive in informing IT people about on-going issues along with providing follow-up on the solutions provided.
UF Exchange Project updates (previous discussion)
James Oulman reported that the last trace of the Barracuda system has been removed:
Message from James Oulman via Network-Managers problem and change notification: In July CNS-OSG changed the default Proofpoint quarantine URL from quarantine.mail.ufl.edu to spam.mail.ufl.edu. The quarantine URL remained as a redirect to accommodate “UF Spam Quarantine” notices sent prior to the name change. We believe that the quarantine.mail.ufl.edu URL should no longer be needed and are planning to decommission it on Tuesday, October 11th. Please contact us at OPEN-SYSTEMS-L@LISTS.UFL.EDU with any questions or concerns regarding this work.
Sakai e-Learning System now in production (previous discussion)
Updates not available...
Alternate IFAS domains in e-mail
Updates not available...
Electronic Copy - Print Output Cost Reduction program (previous discussion)
Wendy Williams reported discussions from the last IT Directors meeting. Lisa Deal is pushing this vigorously, apparently, and wants to hear all feedback--both good and bad. The goal is to get 80% involvement with this program; they don't expect complete coverage. They are trying to replace the larger MFPs housed within units across campus with uniform equipment. They are not targeting desktop machines; they are hoping, however, to demonstrate the cost savings possible in doing away with those as well.
The idea is that units would not be buying toner and maintenance or leasing the equipment. Rather they would only pay for the paper along with a cost per page. They want to centralize departmental billing so that any savings realized would remain with the department. Wendy indicated that Pro Buyers won the ITN.
Wendy said that there has been a lot of push-back and she didn't get the impression that they were anywhere near implementing this yet. The plan is apparently to provide reports to each unit detailing estimates of potential cost savings. This is not going to be mandated, apparently; rather they hope to persuade a good number of units that this solution is better than what they have in place currently.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
Updates not available...
Steve asked Chris Leopold how this project was progressing. Chris responded that there were roughly 4-5 that had to be deployed to CEOs in John Wells's NW District; those had been held up due to needed LAN infrastructure work. Chris estimated that we are ~90% migrated for the MPS machines already in place. They are also working with CREC on their rather complex migration. TREC is yet to migrate as well.
Chris mentioned that Alex York is getting up to speed quickly and has been a great help on this. Alex has taken the lead on some PowerShell scripting needed to help these projects along. Steve noted that he had just gotten through Don Jones's excellent book "PowerShell in a Month of Lunches" which is available on-line free through Safari via the Alachua County Library District. Steve didn't understand it all, but finally does get the big picture of what PowerShell can accomplish and how important it is becoming for Windows administration--highly recommended.
Updates not available...
New virtual infrastructure being implemented
Chris reported on the hardware refresh cycle of their virtual infrastructure. As reported earlier, we are going with EMC's VNX 5300 SANs, both of which are in production already. We have also purchased 10 Dell R710s with 192GB RAM each. The new VDI will consist of five of those 710s with its own VNX SAN supporting somewhere in the neighborhood of 200 virtual desktops. That will support the needs of Soil Science, CALS, Food Science, and maybe a small subset for the ICC as management stations.
There will be another 5 x 710 cluster with VNX SAN for our virtual server infrastructure (VSI). This will support a little over 250 servers as we are getting away from physical servers as much as possible in order to realize the cost and time savings that offers.
All this is going to be connected via a new 10Gbps network based on two Cisco Nexus 5548 switches. These switches, which are the critical path for all this new hotness, have taken a good deal of effort, negotiation, and patience to obtain. They arrived recently, but one of them was unfortunately DOA and they are still negotiating its replacement. With the single switch, however, they have managed to get a "mostly functioning" environment for the VDI and VSI right now but consisting of only four nodes each. They have rolled out a test server within this for Dr. Borum in FSHN, who is very anxious to get this going. Things are running in a non-redundant test mode until a second switch arrives in working condition.
Chris said that they are very pleased with the extraordinary performance they are seeing within the testing environment, however, (like 600GBps transfers!) and are very pleased with the prospects for this new system. The new VDI and VSI clusters each hold about 1TB of RAM which is more than five times that of the old system. Chris is hoping this all will be out of test and ready for production in a month or so.
Chris is also working with Dell who may be willing to provide seed funds for a Hyper-V clustered environment. Chris envisions this having direct attached storage, perhaps an MD3200, attached to two 710s or some such. Such a configuration could be deployed, for example, at our larger RECs where they need more redundancy than our current stand-alone implementations support.
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM
MDT 2010
Updates not available...
SCCM for IFAS
Video is available from the September SCCM Meeting.
Exit processes, NMB and permission removal (prior discussion)
Updates not available...
Re-enabling the Windows firewall (prior discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (prior discussion)
Updates not available...
Print server (previous discussion)
Updates not available...
Recording lectures for Distance Education (previous discussion)
Updates not available...
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (prior discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
Can IFAS support DirectAccess in the future? (prior discussion)
Updates not available...
Moving away from the IFAS VPN service (previous discussion)
Updates not available...
VDI desktops as admin workstations (previous discussion)
Updates not available...
Wayne's Power Tools (prior discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Updates not available...
Folder permissioning on the IFAS file server
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
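One way an OU Admin could keep the records this item asks for, as an added example that is not part of the minutes and is not Andrew Carey's plan: a small CSV remembers the date each computer object was first seen disabled, and objects disabled for 90 or more days are reported for deletion. Computer names, dates and the file path are constructed; the function names are hypothetical.

```powershell
# Added example, not from the minutes. Names, dates and the CSV path are
# constructed; the 90-day threshold is the one stated in the minutes.

function Import-DisabledRecord {
    # Load "Name,FirstSeenDisabled" rows into a hashtable (keys are case-insensitive).
    param([string]$Path)
    $record = @{}
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    if (Test-Path $Path) {
        foreach ($row in Import-Csv -Path $Path) {
            $record[$row.Name] = [datetime]::ParseExact($row.FirstSeenDisabled, 'yyyy-MM-dd', $inv)
        }
    }
    return $record
}

function Update-DisabledRecord {
    # Keep the original date for objects that are still disabled, start the
    # clock for newly disabled ones, and drop anything no longer disabled
    # (re-enabled or already deleted).
    param([hashtable]$Record, [string[]]$DisabledNow, [datetime]$Today)
    $updated = @{}
    foreach ($name in $DisabledNow) {
        if ($Record.ContainsKey($name)) {
            $updated[$name] = $Record[$name]
        } else {
            $updated[$name] = $Today
        }
    }
    return $updated
}

function Get-DeletionCandidate {
    # Emit every object that has been on record as disabled for $MinDays or more.
    param([hashtable]$Record, [datetime]$Today, [int]$MinDays = 90)
    foreach ($name in ($Record.Keys | Sort-Object)) {
        $days = ($Today - $Record[$name]).Days
        if ($days -ge $MinDays) {
            [pscustomobject]@{ Name = $name; DaysDisabled = $days }
        }
    }
}

function Export-DisabledRecord {
    # Write the records back in the same two-column format.
    param([hashtable]$Record, [string]$Path)
    $Record.GetEnumerator() | Sort-Object Key | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Key
            FirstSeenDisabled = $_.Value.ToString('yyyy-MM-dd')
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# --- Constructed sample run -------------------------------------------------
$path  = Join-Path ([System.IO.Path]::GetTempPath()) 'disabled-computers.csv'
$today = [datetime]'2011-10-14'

# Records left by earlier runs (constructed).
@'
Name,FirstSeenDisabled
LAB-PC-01,2011-07-01
LAB-PC-02,2011-09-20
LAB-PC-03,2011-06-15
'@ | Set-Content -Path $path

# Objects disabled today (constructed). With the ActiveDirectory module the
# list could instead come from, for an OU distinguished name of your own:
#   Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase '<OU DN>' |
#       Select-Object -ExpandProperty Name
$disabledNow = @('LAB-PC-01', 'LAB-PC-02', 'LAB-PC-04')

$record = Import-DisabledRecord -Path $path
$record = Update-DisabledRecord -Record $record -DisabledNow $disabledNow -Today $today
Export-DisabledRecord -Record $record -Path $path

# LAB-PC-03 was re-enabled, so it has left the records; LAB-PC-04 starts today.
Get-DeletionCandidate -Record $record -Today $today
```

The script only reports candidates; deletion stays a manual step in ADUC, as the item describes.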
Core Services status (previous discussion)
see the new virtual infrastructure section above...
Updates not available...
Status of SharePoint services (prior discussion)
IFAS migrating to centralized MOSS
Updates not available...
Public folder file deletion policies and procedures status
Updates not available...
Jim Hranicky posted a nice link to the Net-Managers list concerning how Windows gets infected with malware. Unpatched third-party software was said to be the main culprit.
Microsoft released the latest volume (11) of its Security Intelligence Report (SIR) covering January to June 2011. This report gives a somewhat different picture, finding that only about six percent of detections were attributed to exploits. More than one-third of the malware detections analyzed were attributed to malicious software that misused the AutoRun feature in Windows.
Microsoft
The October Microsoft patches included eight bulletins (two "Critical" and six "Important") covering twenty-three vulnerabilities in Windows, Internet Explorer, Silverlight, and Microsoft .NET framework.
McAfee provides podcasts on the highlights of each month's offerings and another podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
There is a known issue with MS11-081 involving some drop-down lists and combo boxes not appearing in Internet Explorer 7 after installation.
Adobe
Yet another security update for Flash Player was released on September 21st.
Acrobat 8 is reaching end-of-support shortly. The Acrobat product provides five years of support and version 8.
Steve knows everyone will be thrilled at Adobe's announcement last week of Flash 11 and AIR 3 [not]. Not sure 3D is all that important strategically; it would just be nice if they improved their patch processes.
Mozilla
Firefox and Thunderbird 7.0 are now out and the critical security patches have already begun.
MS Office News update
Steve mentioned that he had not seen this, but there have been reports that links in Excel are broken and an error is thrown on file save after applying last month's security update MS11-072.
That same patch is apparently causing problems with charts as well.
Steve also noted that Microsoft Office 2007 Service Pack 3 has been announced and should be available later this year.
Job Matrix Update status
Chris Leopold said he would make a note to get this matrix updated. It currently still has Andrew Carey listed rather than Alex York, for example; but it is also out-of-date in other ways as well.
Remedy system status (previous discussion)
Trouble reported with SAS 9.3 installs
Mitch Thompson has reported difficulties trying to install the new SAS 9.3 on two Windows 7 32bit machines, both as if-adml-x and as the local admin. The symptom seen was that the installation just sat at the Install Wizard for 10 minutes then just closed itself out. He tried running in compatibility mode for Windows XP with the same results. He did note that the SID file is on the media itself now.
Russell Hunter responded that he had installed it successfully on both 32 and 64 bit platforms, but that any traces of an old installation had to first be removed completely. That includes uninstalling old versions and deleting all instances of the SAS application folder within any local profiles, other SAS folders and SAS related registry entries. The need for the registry cleanup was likely due to a previous network install.
Unfortunately, none of that helped Mitch, who is still having problems. On-line installation instructions from the SAS knowledgebase don't seem to indicate any such known issues, but instructions from UT indicate the need to create a local "depot" prior to installation and that there is no need to remove previous versions. [Note mention of setting aside four hours for this installation!]
Steve tried to create 32 and 64 bit "depots" on the IFAS file server (see SAS Deployment Wizard and SAS Deployment Manager 9.3: User's Guide) but those attempts all failed. After contacting James Hardemon, Steve learned that the media originally distributed cannot create an installation point; he is awaiting fresh media to continue with the plan. Steve did test installation of 9.3 straight from the supplied discs, however, and it worked fine. He used a Win7x64 test machine and installed x64 SAS, uninstalled it and then installed x86 SAS as a test. Steve noted that the multiple disc swaps (back and forth that is) with the previous version are gone. Also, installation via the if-adml account worked where it hadn't in the previous version for some reason.
Limited Opt-Out Period for Adult Entertainment Domain Names
This issue apparently is being addressed by IFAS for their "SolutionsForYourLife" trademark. Other department administrators were being asked to consider any trademark domains they might have which might be worth the $200 potential protection. The deadline is rapidly approaching. Steve wonders if IFAS ought not to buy the "IFAS.XXX" and/or UF the "UFL.XXX" domain and sit on it, if there is a real concern.
Windows 8 Server news
Steve noted having seen a very interesting article "What's Coming in Server 8" from Mark Minasi's recent newsletter.
Departmental servers within IFAS (previous discussion)
Updates not available...
2012 Prudential Davis Productivity Awards Call for Nominations (previous discussion)
Unfortunately, we missed the submission deadline and failed to nominate the much deserving IT Server Administrators group. It would be good to keep this in mind for next year. The UFIT awards seem to be geared for central UFIT groups only as the evaluation involves 10 points for UF-wide impact.
Browser update
Updates not available...
Usage of the UF IT Alerts Dashboard page by IFAS
Updates not available...
RODC issues at remote sites (prior discussion)
Updates not available...
UAC settings egregious for users?
Updates not available...
PDF-Xchange (prior discussion)
No updates available...
Steve noted that the plan is to skip next month's meeting, since our usual date lands on a holiday. We expect to meet next on December 9th.
The meeting was adjourned a bit early at about 11:50 AM.