ICC logo IFAS logo

ICC Meeting:



A meeting of the ICC was held on Friday, December 9th, 2011 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-one members participated.
Remote participants: David Bauldree, Bill Black, Dan Christophy, Dan Cromer, Wayne Hyde, Marvin Newman, Joel Parlin, Mike Ryabin, Mitch Thompson, John Wells, Matt Wilson, Wendy Williams, and Alex York.
On-site participants: Dennis Brown, Francis Ferguson, Winnie Lante, Steve Lasley, Santos Soler, and John Sowers.

STREAMING AUDIO: available here


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

Member news:

John Sowers was hired in mid-November to assist Winnie Lante with IT support in Geomatics as well as the rest of SFRC. He also will be handling office functions such as travel and purchasing for Geomatics.

John had shared the following via e-mail: "My background in IT was FDOT the past 6 years. I was the desktop Support person at the State Materials Office for FDOT which is located out by the airport on NE 39th Ave. Some of the duties I had were the Primary data backup person for both tape and disk to disk solutions. I was the IT property person there where I tracked over 5 million dollars' worth of servers/storage and desktops/laptops. The Exchange Admin for the office and Mainframe Admin too. I did a little of everything there and enjoyed my time there."

Steve also noted that David Essex is now working for the Help Desk. It appears that David began as a part-time Computer Operator at CNS back in 2002 then moved to the front desk there full-time in 2004. After that he was with the UF Computing Help Desk for about five years and we are now fortunate to have him with IFAS.

In other news, Andy King has left the FAWN group.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.

Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling (previous discussion)

Updates not available...

Movi (previous discussion)

Updates not available...

Lync deployment (previous discussion)

Back in mid-November, Dan Cromer e-mailed the ICC that he was planning moving us to Lync early:

Message from Dan Cromer to the ICC-L:
"[ICC-L] Lync migration early adopters" Tue 11/15/2011 1:24 PM

I'd like to offer most or all ICC members as volunteers for the final pilot stage of the OCS migration to Lync. The current estimate is that the production environment will be basically ready by November 23rd, though external connectors won't yet be configured, so only those on the UF network will be able to connect. Though the latest version of OCS will work with the Lync server, some features are limited, so the best experience will happen when using the full Lync client, which is available for IFAS users at \\ad.ufl.edu\IFAS\Software\Lync for the 32- or 64-bit versions. The Lync disk image is available for Mac users at smb://if-srvc-file2/DATA-U/Software/Mac/ (or smb://ad.ufl.edu/IFAS/Software/Mac for Lion), and some Lync documentation is at http://wiki.it.ufl.edu/wiki/Lync. Don't install the Lync client until your account has been converted on the server, as it overwrites the OCS client and you won't be able to connect to OCS. Lync clients are also available for download by those with Microsoft Campus Agreement access.

If you would NOT like to be included in this final pilot before production, please notify me by noon on 11/22/11.

Dan Cromer announced that ICCers were moved early last week. In that announcement, Dan asked that we install the appropriate version of Lync and then run Windows Update to get the latest patch. He also asked that we contribute to the documentation at http://wiki.it.ufl.edu/wiki/Lync. Note that Lync should install directly off the network share unless you elevate to your if-adml credentials (which do not allow network access).

Dan provided an update at the meeting saying that a few details were still in the process of being implemented. Edge services are still being readied so that folks will be able to connect from outside the UF network without using a VPN; a VPN is necessary currently. Also, the domain name on the Autodiscover service has yet to be changed and split DNS is being investigated as well. These changes are needed to permit the soon-to-be-released mobile apps (iOS and Android) for Lync to work. Federation with AOL, Microsoft, and others needs to be arranged as well. This work is awaiting the appropriate maintenance window at CNS (Sunday or Tuesday mornings); Dan thought this might happen in early or mid-January.

If you have any users you want added to Lync, let Dan know ASAP. Mac users might as well be done right away, as there is no MOC client for the Macintosh.

Steve asked if the MOC and Lync clients both interoperated with the OC and Lync servers. Dan responded that he knew MOC worked with both (as long as you had the latest patch level), but he did not believe the Lync client could connect to OC server. Thus, folks wanting Lync would first have to be migrated via request through Dan--or wait until all of IFAS is moved.

Issues connecting to the meeting via Lync

Several individuals reported having problems connecting to the meeting via link. Dan Cromer related that entering confID@vcs.video.ufl.edu into the Lync contacts search field and then trying to connect does not work currently as it did with MOC. He expects that to be fixed in the future, however. Dan also mentioned having had issues with the pull-down menu and sending touch tone codes to join a conference. If that happens you just need to hang-up the call and try again.

The "Office Communicator with videoconferencing bridges" section within the IT Wiki MOC topic should likely be included and updated on the new Lync page to document some operational changes; someone is encouraged to do that! With Lync you apparently cannot enter the "+ Video Portal 1" (for 7831XXX conference IDs) or "+ Video Portal 2" (for 7832XXX conference IDs) in the contact field and then double-click. Doing that will merely bring up an IM box so you can have a nice unproductive chat with the non-responsive bridge :-). Rather you must right-click and specify "Start a video call". Again, the keypad popup for entering the last four digits of the conference ID followed by # sometimes fails requiring you to hang up and try again.

Dan noted that the Macintosh version of Lync only handles audio in connection with the bridge--not video.

Blue Jeans Network

Steve mentioned having seen Blue Jeans Network being touted as a "cloud-based video conferencing service that is as easy, interoperable, and affordable as audio conferencing." This sounds pretty good, but the costs look quite high. It might be another option in certain cases, however.

IM client for iPhone

Dennis Brown mentioned that he is looking for an IM client for his iPhone. Dan Cromer had indicated that the Lync mobile clients were close to release. After the meeting, Steve found mention that these were only about a week away.

Campus VoIP improvement to be implemented (previous discussion)

Steve asked Dan if he had received any news about the status of this. Dan replied that he keeps forgetting to ask. Apparently, John Madey has indicated that he wants a list of people rather than just doing this generically. Dan is inclined to just tell him to enable this for all of IFAS and let those few who didn't want it opt-out after the fact.

Dan asked people to get him a list of names/numbers/exchange accounts for which they wanted this implemented. He would then send those on to John.

WAN (previous discussion)

Updates from James Moore

James did not make it to today's meeting, so no updates were available...


Upcoming requirements for InCommon Silver

Dan Cromer said that UFAD wants units to test this individually so as not to risk breaking things. This is being planned for implementation on the IFAS level and is something that Alex York will handle. Of course, any OUAdmin can do this for their own unit in the meantime should they wish to test separately.

FrontDoorSoftware laptop loss and recovery software available

Joe Gasper recently pointed out that, via UFPD, we have the right to use a laptop tracking package from FrontDoorSoftware. Joe suggested, if we want to manage it for our departments, that we each request (via Scott Owens) an e-mail alias to be added to our mailboxes (e.g., fds-mydept@mail.ufl.edu) when registering systems.

Implementing the Mobile Computing Security policy (previous discussion).

The Oct 19th Mobile Computer and Storage Device Security Workshop

Audio and slides from the Oct 19th Mobile Computer and Storage Device Security Workshop are available via links off http://infosec.ufl.edu/itworkers/pgp/Oct2011-workshop/. The mp4 seems not to be too Windows friendly. After downloading, Steve was not able to listen to this with either WMP or QT Player; YMMV. He finally managed via KMPlayer so he's guessing it is a codec issue. More details on the PGP Whole Disk Encryption software are also available here.

Encrypting flash drives

Joel Parlin had mentioned via the ICC distribution list that BitLocker To Go seemed to work well for him. Steve noted that BitLocker To Go is a Windows 7 feature; only the Enterprise or Ultimate versions can encrypt but all versions of Windows 7 can read an encrypted drive. It is easy to use as seen in this video demonstrating its use. There is a downloadable reader that can be used on Vista or WinXP to provide read-only access to BitLocker-protected FAT-formatted drives and no reader is available for other platforms. Thus transportability is quite limited with this free solution.

The most significant problem Steve sees with any flash drive encryption method is that of password management. A user will either have to use the same password on all devices or label each and keep track of which password goes with which. The latter is likely too cumbersome for most and the former is not the best of practices for obvious reasons.

While encrypting external drives which contain restricted data is essential, setting a standard that insists on encrypting everything may remove focus from the real issue and thus be more likely to be ignored by many. Steve would rather the standard stated that people dealing with restricted data on mobile devices must encrypt those devices and that it be recommended that encrypted drives be clearly marked and kept to as few as absolutely necessary. Given the significant monetary and convenience costs incurred by end users, compounded by the potential for inadvertent loss of access to even non-restricted data via forgotten passwords or other potential issues, Steve feels that insisting on encrypted storage for non-restricted data (i.e., all data on all mobile devices) will merely lead to a culture of security avoidance. That seems to be what is being proposed, however.

Encrypting laptops

Steve had noted having removed BitLocker from his laptop and encrypting it with PGP instead. Running SpinRite as suggested took over 6 hours on its 80GB HDD (no errors or it would have taken much longer). Installing the PGP software went smoothly, however, and encryption continued in the background until finished.

One big question, however, is how are multiple users going to be supported with PGP encrypted laptops? On the system Steve installed, the unlock prompt occurs at bootup. That would seem to indicate that only a single account controls all access. Though Steve has discovered a way of adding other credentials, it is cumbersome and details of how the Security folks expect us to handle this in our environment are yet to appear.

Chris Leopold and Dan Cromer have suggested that BitLocker would be a better solution for the IFAS Windows laptops. BitLocker has its own issues, however; access to recovery keys for laptops not joined to the domain would be an issue, as one example. Steve is also not sure if it meets their reporting needs as specified in any case, though he would think it should suffice. Since the recovery key is stored in the computer object, this also relates to the computer deletion topic we’ve kept on our agendas for the past long while. If a computer object gets removed the centrally stored recovery key will be lost.

Whatever encryption method is used, however, IT support staff need clear and detailed instruction on how to recover data. Our usual recovery methods via off-line access (mounting the drive elsewhere or booting to another OS from CD) will no longer work. Questions which arise include will drives have to be unencrypted prior to recovery? If so, the time involved for doing that could make restoration of service cumbersome indeed. It is important that we be trained on how to deal with the technical issues that encryption entails so that we don't contribute to data loss via inadvertent mismanagement of a situation. Other potential pitfalls exist as well. Those aspects seem to have been overlooked in this plan currently.

[Note: Steve found some useful PGP WDE information from the University of Illinois at Chicago covering installation, use, and frequently asked questions. Although not all aspects apply directly to our situation and they don't answer all questions, they do go well beyond current UF instructions.]

Encrypting handhelds

A few details have now been published. The consensus seems to be that Touchdown is the way to go with Android devices; the $20 cost is made worthwhile by how manageable it makes compliance with those devices. Windows 7 phone appears to be a no-go at this time due to its lack of encryption. It would be good to get the word out ASAP on which phones will not be compliant by the 2013 deadline since we already have less than the average 2-year lifetime plan before mandatory compliance. Some purchasers may be in for a rude shock otherwise.

Word is spreading but we're unprepared to respond

Avi Baumstein spoke at last month's FASP meeting and apparently kept referring them to contact their IT for more information and compliance assistance (this via Donna McCraw and Russell Hunter). This means that are users are beginning to look to us for answers at the very time we are full of questions. That is not the best of circumstances in Steve's opinion.

Discussion via ITPAC

At this point in the discussion, Steve jumped ahead in the agenda to the discussion of this matter at last week's ITPAC meeting, showing the outline that Dennis had provided to ITPAC.

Steve was concerned that the outline might not be enough ammunition for Dr. Allen Wysocki as it merely detailed the technical problems the ICC would have in implementing this rather than focusing on what was the main discussion at ITPAC: namely the non-technical absurdity of having an "everything must be encrypted" standard.

Steve said that it seems everyone he has talked to from departmental chairs down to end-users are simply planning to ignore this policy because they believe it will not go forward--at least as originally presented.

Winnie Lante said that she could easily envision seemingly unnecessary inconveniences that this standard would cause. A professor bringing their talk to a presentation would have to deal with the clumsy password access, for example. Steve noted that people would quickly learn that they needed the same password on all flash drives in order to remember how to get at the data. Keeping that single password secret through everyday use of such drives would be difficult (handing it off at meetings for loading as an example). Changing all the passwords on all devices when needed would be even more onerous.

This "encrypt everything mobile" standard implies that end-users need to be trustworthy stewards of restricted data, but the Security Office doesn't really trust them to do that--so everything must be encrypted. The end result would encourage avoidance by the majority rather than provide protection assistance to the minority of instances where it was actually needed.

Steve mentioned that he hoped someone followed up with Al Wysocki on this matter because he had gotten the impression that Dan Cromer supported the standard and therefore might not be the best one to rely on to push our case. Dan responded that he has his "official position" which is to try and figure out how he can have IFAS comply with the policy and then his "unofficial position" which he can talk to the ICC about. Dan said he understands the reason for the policy but has yet to figure out a practical way of implementing it. Using encrypted flash drives, for example, is just not practical for everyday use with non-restricted data.

Dan said he thought IFAS should push for a change in the standard that focused on devices with restricted data only; he felt that this was the message to bring to the IT Policy Advisory Council.

Joel Parlin suggested that restricted data shouldn't be on laptops at all, rather it should be kept on secure file shares. It seems that teaching end-users the proper handling of restricted data will be necessary in any case; implementing the standard as originally proposed won't relieve that need.


Steve advised ICCers to keep considering how we might implement this should it turn out we have to do so. In the meantime, we need to hope the standard relaxes somewhat, because the way it is now our users are not likely to comply no matter how hard we push.

Fall 2011 Peer2Peer:

There were apparently technical difficulties in remote access or recording this session. Hopefully, this can be worked out prior to the next session.

Wake on LAN support coming to campus: (previous discussion)

Santos Soler related his understanding that all the core routers would need to be brought to a certain code level for this implementation to work. That will happen gradually over time, but it is likely deemed too costly to handle just for the purposes of implementing this feature. More likely, this is something that will be enabled after refreshes all catch up.

Misc topics for notification from recent Shared Infrastructure Advisory Committee (SIAC) meeting:

Updates not available...

New Secunia site license (previous discussion)

Wayne Hyde had said "ITSA will be working on getting 3rd party patches enabled via CSI as soon as we can. One method is to create another WSUS target group and let you modify your OU’s co-managed computer GPO (or create a separate GPO filtered for specific machines) to enable the patches to be pushed." The main problem is providing a way that units can control which machines get the patches.

That said, a number of units outside IFAS (as well as Joel Parlin at GCREC) have apparently had good luck using PSI alongside the local agent. The former seems to be helping keep things patched and the latter provides monitoring of the overall status. If CSI proves difficult to implement, perhaps local PSI installations might prove useful.

Joel Parlin mentioned liking that PSI finds profile-installed software (like Chrome) that might otherwise be overlooked due to not being listed in Add/Remove programs.

OU Admins need access to current inventory data

Steve has asked Wayne about when he thinks the ICC can get the dashboard link to Secunia for IFAS, but has yet to hear back.

KACE agent to be deployed throughout UF for computer inventory purposes (previous discussion)

This is still in progress, but IT/SA has been very busy assisting with the migration of CREC to UFAD. Steve reiterated that his only concern was that a security group hierarchy be set up so that units could add machines which could be excluded from this deployment.

Update from November ITPAC meeting (previous discussion)

  • Welcome and introduction [Chair, Dr. Al Wysocki]
  • Social Media account approval [Dan Williams]
    • POINT OF INFORMATION: The pertinent Employee Relations Web page (http://hr.ufl.edu/emp_relations/policy/social_media.asp) says:

      “Authorization to present a social media account as an official university activity must come from the vice president with jurisdiction over one’s unit as well as the vice president for University Relations or his/her designee. Permission to use any University of Florida service marks, trademarks, or logos must be obtained from and may be requested of University Relations by calling (352) 846-3903,"

      ACTION: ITPAC can draft an IMM to codify this for IFAS, and perhaps suggest delegation authority to AVP for Marketing and Communications Services.

    • Dan Williams will bring up this issue with the advisory committee. There was much committee discussion about this. We may want to suggest some type of registration process rather than an approval process.

  • UF Mobile Apps committee update [Dan Williams]
    • POINT OF INFORMATION: There is currently a repository where needs for new apps can be listed. A process is being developed that will assist UF students with app development.

    • ACTION: There was some committee interest in developing a list of apps needed by IFAS.

  • CALS computer lab [Joe Joyce]
    • POINT OF INFORMATION: Dr. Joyce indicated there has been a glitch with funding the new lab.

    • ACTION: A decision is forthcoming but one idea is to renovate the space and use the existing computers.

  • Sakai/Elluminate Update [Dr. Al Wysocki]
    • POINT OF INFORMATION: The list of potential replacements for Elluminate is found below. UF is piloting several of these and hopes to make a choice soon.

      • Blackboard Collaborate
      • Adobe Connect
      • Cisco WebEx
      • Solar Digital Unity
      • Big Blue Button (open source)
  • ICC Update [Dennis Brown]
    • POINT OF INFORMATION: ICC has concerns about methods for implementing UF mobile device security policy. Dennis presented the following outline taken for the most part from Steve's prior notes:
      • Flash drives/External drives
        • Password management (one password per drive which is best practice recommendation or all the same? How will people keep track of multiple passwords?)
        • Encrypt every flash drive?
        • Faculty that have tried encrypted were not happy with them
        • Loss of key means loss of even non-restricted data
        • Encrypt everything will lead to culture of avoidance
      • Laptops
        • Drive prep is very time consuming (6 hours on 80 gig (small) drive with no errors, longer if errors)
        • Password at boot is a problem for laptops with multiple users, single password controls all access
        • Recovery key on UFAD server, key lost if laptop not connected to the network for a while 60-90 days
        • Data recovery when computer cannot boot
      • Handhelds/cellphones
        • Android, Touchdown which costs ~ $20 (or possibly has this built-in into Android)
        • Windows 7 phone, no solution
        • iPhone has built-in solution
        • 2013 deadline for policy compliance, people may need to change to compliant phone (most require 2 year contract so need to know asap if getting a new phone soon)
    • ACTION: Dennis reported to the ICC his understanding that ITPAC basically said IFAS wasn't going to follow the policy at this time. The consensus of the ITPAC seemed to be that restricted data needs to be encrypted, but encrypting ALL data is unnecessarily costly and inconvenient. Dennis was to provide a synopsis to Dr. Wysocki (which was done via the above outline) who would present our concerns to the IT Policy Advisory Council.

      It was also mentioned at ITPAC that a UF File-Express file sharing service is being developed that might alleviate the need for USB usage in many instances.

  • IT Update [Dan Cromer]
    • POINT OF INFORMATION: SharePoint migration deferred until replacement for CNS staffing is available.
    • POINT OF INFORMATION: Lync production hardware and software in place.
    • POINT OF INFORMATION: E-mail retention
    • POINT OF INFORMATION: Mobile Web site development test site at http://directorytt.ifas.ufl.edu; since gone live at http://directory.ifas.ufl.edu according to recent notice from Dan Cromer.
  • UF Domain name policy [Al Wysocki]
    • POINT OF INFORMATION: There is a UF Committee that is looking at the UF Domain Name Policies. The committee is in the process of alerting the web management community in order to gather relevant information and inform them that new policies will be drafted and in place. An e-mail to the web manager's listserv was sent to gather input.
  • New UF Website and implications for IFAS [Al Wysocki]
    • POINT OF INFORMATION: An 18-month comprehensive redesign, which requires developing new designs, content and site architecture for the website, will begin in early 2012, and involves constituents from across the university.
    • ACTION: Templates for the intermediate UF homepage design will be available in both a WordPress and an HTML format in January 2012, for those university colleges, academic and administrative units that would like to use them.

      There was discussion at the ICC about scalability issues with the mySQL database upon which WordPress relies, and Santos reiterated that each WordPress site requires a separate database that is impossible to backup in a reliable and restorable fashion. It is his opinion that WordPress would be a poor choice as a content management system for UF and IFAS. Wendy Williams noted (via e-mail) her understanding that UF is in an 18 month search for a new CMS. They understand that Wordpress is not scalable and it was only a temporary solution. It was apparently adopted by UF due to previous experience at the Health Center which is now having serious scalability issues with their own implementation.

  • UF Content Management System Taskforce [Al Wysocki]
    • POINT OF INFORMATION: Taskforce to make a recommendation for an enterprise-wide CMS for UF. The need to manage content in a robust and secure system has risen in importance as many of our services and mission critical activities continue to move into virtual spaces. It is of the utmost importance that whatever tools and services we put in place for content management are business centric, and that we consider in their selection challenges related to implementation and adoption. The taskforce will focus on conducting a needs assessment, identifying services that will benefit from a CMS, define a set of requirements, and recommend vendors/providers able to meet these requirements.

Automated registration, payment, GatorLink ID creation and enrollment in non-college credit courses in Sakai

A “Quick Reg” project for Sakai was also mentioned. This would allow anyone to create an outside account via the web and may have important consequences for our outreach activities. [See the QuickReg section on the Web Applications page of the Associate Provost for IT.]

CNS working to implement NAC for UF wireless (previous discussion)

Updates not available...

UF Exchange Project updates (previous discussion)

Updates not available...

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail

Updates not available...

Electronic Copy - Print Output Cost Reduction program (previous discussion)

Updates not available...

Split DNS solution for UFAD problems

This is actually being active pursued now, so let's keep our fingers crossed! Dan's mention during the Lync update portion of the meeting led to Steve contacting Andrew who responded: "While we are still in very, very early stages, we've been discussing it here and share your interest (and more than a few other use cases.) The consensus in OSG is that the BlueCat devices that are now being used for campus DNS can assist in supporting a split DNS setup for UFAD and we've added "plan a meeting with the Net-Services team that is responsible for the BlueCat" to our to do list so that we can discuss it further. My feeling is that it will happen, but I don't yet have a timeframe."


New web cluster

Still awaiting infrastructure upgrades...

MPS/DC refresh

Updates not available...

New SQL cluster

Updates not available...

New virtual infrastructure being implemented

Steve noted that the high speed switches that had been holding up progress were now in. Wayne Hyde has been building the new file server cluster recently and he reported via e-mail that the new file cluster is up and running. He said that he has added all of the LUNs, created shares, quotas, etc. and just needs to fix some networking issues and do testing (failover, etc.) before we migrate. All of the current data is being sync’d with the new cluster so switchovers will be relatively quick.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

MDT 2010

Updates not available...


Alex York had asked Steve to assist in developing a distributed model for SCCM within IFAS. Currently, Steve has had some success deploying a test package and Alex has many of the permissioning details worked out.

Alex reported that more he looked into this the more he is looking forward to SCCM 2012 which is currently in RC. Still, he believes he has most of the issues worked out and we should be able to make SCCM available to units that wish to utilize it. Steve noted that there will be a learning curve there and hopes to have a demonstration available at some time in the not too distant future.

Exit processes, NMB and permission removal (prior discussion)

Updates not available...

Re-enabling the Windows firewall (prior discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (prior discussion)

Updates not available...


Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Competing product from Cisco?

Cisco has released a lecture capture system called Cisco Lecture Vision.

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

IFAS efforts toward Green IT (previous discussion)

Updates not available...

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (prior discussion)

Updates not available...

Moving away from the IFAS VPN service (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (prior discussion)

Updates not available...

Computer compliance tool in production (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Core Services status (previous discussion)

see the new virtual infrastructure section above...

ePO updates

Updates not available...

Status of SharePoint services (prior discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status

Updates not available...

Patching updates...

There have been a very large number of UFIRT mailings related to Java vulnerabilities. This issue arose in part due to new exploit kits which make for trivial exploits. The overall volume of these prompted Dan Cromer to e-mail the IFAS-Announce-L list about the matter. From there some discussion ensued on the ICC-L about when, if, and how to provide local administrative rights on user machines. UFAD currently has no support for administrative aliases of UFAD accounts. Consequently, some provide local administrative access to select users via local machine accounts, while others place GL accounts into the local administrators group where appropriate--either temporarily or semi-permanently.

Most ICCers seem to believe that the balance between security and convenience supports providing local administrative access to trusted and knowledgeable users so they can handle updates for themselves. This is due in part to the fact that we still have some hurdles to overcome prior to providing a centralized patching solution, but it also reflects a viewpoint that total IT control of end-users machines is not necessarily deemed the most desirable situation.

One potential solution would be to implement PSI even on managed machines. It would be interesting for each department to run a trial of that on a select sub-set of their machines and report back with the results. On the other hand, Wayne Hyde reported "ITSA will be working on getting 3rd party patches enabled via CSI as soon as we can. One method is to create another WSUS target group and let you modify your OU’s co-managed computer GPO (or create a separate GPO filtered for specific machines) to enable the patches to be pushed."


November was a light month. The November Microsoft patches included four bulletins (one "Critical," two "Important," and one "Moderate") covering four vulnerabilities in various Windows platforms.

The December Microsoft patches are reported to include 14 bulletins (three "Critical" and eleven "Important") covering 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player.

McAfee provides podcasts on the highlights of each month's offerings and another podcast summary of these patches is provided by "Security Bulletins for the regular IT guy": November and December.


Acrobat 8 reached end-of-support on November 3rd.

New versions of Flash 10 and 11 were released the second week of November to address more critical vulnerabilities. Flash 11 now has 64-bit versions, but few run IE-64 and generally the 32-bit version would be the one to use.

There was also a Security Advisory for Adobe Reader and Acrobat released on Tuesday. Updates for version 9 will come out early, likely next week; version 10 fixes will be included in the usual quarterly updates in January.


QuickTime 7.7.1 was released in October to address security concerns.


A new release of JRE version 6 came out in October. This latest update is JREv6r29; the previous secure version was JREv6r26. Java vulnerabilities seem to be the number one choice among exploits.


There was an HP Security Bulletin that came out at the end of November advising the disabling of remote HP firmware update that is enabled by default on many models of networked printers.

The list of printers provided doesn't seem quite complete from Steve's experience. In any case, it is recommended that any "Printer Firmware Update" settings be set to ”disabled" as described at the above link.

Steve mentioned feeling that HP Web Jetadmin software is a royal pain to setup/use but noted that some may find it easier overall than individual configuration via the printer web interface if you have lots of networked HP printers as we do here at Entomology. There is an entire PDF file on security "best practices" for HP MFPs using Web Jetadmin available.

MS Office News update

Steve updated the Office 2007 installation point to include SP3, though most are likely installing Office 2010 by now. There are known issues with Excel which this introduces and which have been addressed by a hotfix.

Job Matrix Update status

At our October meeting, Chris Leopold said he would make a note to get this matrix updated. Steve noted that this is still pending.

Remedy system status (previous discussion)

Other Topics

SAS 9.3 install point created

Steve has created 32 and 64 bit "depots" on the IFAS file server at \\ad.ufl.edu\ifas\software\sas. There are subfolders for the 32-bit and 64-bit installers, each with a setup.exe file.

To install, first pre-install the latest 32-bit release of JRE version 6 (currently JREv6r29); both platforms use the 32-bit version of Java. If an older version of SAS has been installed, that should be removed and SAS folders within any Profiles present need to be removed by hand as well (as mentioned at the last ICC meeting). Next you may install SAS 9.3 itself.

Steve would recommend running “cmd” with if-admn credentials (via right-click, etc.) then entering:

  • \\ad.ufl.edu\ifas\software\sas\sasx32\setup.exe (on either 32 or 64 bit machines)
  • \\ad.ufl.edu\ifas\software\sas\sasx64\setup.exe (only on 64 bit machines)

depending on platform.

That will start the Wizard. Most of the prompts are obvious, but when prompted about Java, do not follow the recommended selection but rather point to:

  • C:\Program Files\Java\jre6 (on a 32 bit machine)
  • or
  • C:\Program Files (x86)\Java\jre6 (on a 64 bit machine)

Note that this is a one-time thing; if you uninstall/reinstall, you won’t get asked about JRE again and Steve hasn’t figured out how to get that prompt back.

Steve removed the SAS Installation Data (SID) files from the SAS depots; that seemed to be the best means for securing the site from unauthorized use IFAS-wide. You can obtain the SIDs by contacting James Hardemon.

Issue installing 64-bit Contribute on 64-bit OS

Francis Ferguson reported not being able to install the 64-bit version of Contribute on a newly built 64-bit version of Windows. He noted that the 32-bit version of Contribute installed fine. Steve noted that this reminded him that Kevin Hill had reported that the 64-bit version of SAS required the 32-bit version of Java for some reason.

Hobo software issue with removing old versions of Java

Dennis reported that removing old versions of Java on a machine which had the Hobo data logging software broke that software. When run, the Hobo software would report a Java error. That was fixed by reinstalling the Hobo software. Dennis wasn't sure if that fix was due to it reinstalling an older version or not. Steve noted that JMP installs JRE r6v20, which is something to note; he did not believe that upgrading JRE broke JMP, however. SAS installs an older version of JRE as well, unless you specify otherwise; removing that after-the-fact does indeed break SAS!

WebDAV issue with Mac OS X Lion

Santos reported an issue with Mac OS X Lion and http://files.ifas.ufl.edu. For some reason, access appears to be read-only and his is trying to develop a work-around.

UF FAX server project

Dan Cromer had an update on the UF FAX server project. Dan had met with John Madey this morning and they are moving forward on the FAX server project. Dan wanted to solicit volunteers for testing and said he would be putting out a message to the ICC-L about that.

Dan briefly discussed how the system works. Basically, you send an e-mail to [fax:faxnumber]. The subject and body of the e-mail are ignored; it is the attachment(s) that get faxed. Dan has tested .pdf, .doc, and .docx successfully. It is his understanding that .xls, .xlsx and .jpg should work as well.

Sending invoices to PeopleSoft with this system entails a cover page with QR code apparently; the details were not made exactly clear during the meeting. Dan said his planned e-mail would provide more details.

Dan has yet to test inbound faxing. This requires a fax number and each of those would incur an $11/month charge, just like the ATA's do that currently support fax machines on Wallplate VoIP. The way this will work is that a service account will be created (e.g., ". IFAS-OU-FAX-sevendigitnumber") that is tied to a distribution list that owns this resource. Those wishing to receive faxes to that number will then be granted permissions to that distribution list so they can add the service account's inbox into their Outlook. The fax number in the resource object within UFAD is where the inbound fax will go.

They did not want a distribution list directly connected to the mailbox because they wanted folks to be able to pull from the fax inbox rather than push it to the mailbox of everyone in the list (although that other method would be an option).

Dan will have some in-bound numbers available for testing; once this goes into production, CNS will be available to convert existing fax numbers to the new system as desired. Currently there is no restriction on long distance; consequently, they will have some auditing set up to see if bill-back needs to be implemented in some fashion. In the meantime, this could help our CEOs with long distance bills for all the materials they need to fax back to Gainesville.

Winnie Lante asked Dan if he had any idea on when this might be placed into production. Dan replied that this is in the final pilot and he does not expect it to be delayed much longer. The main thing is to get it tested, however, to make sure any glitches are detected and can be addressed.

Encrypted e-mail

Dennis Brown mentioned that one of his staff members receives encrypted e-mail from someone who sends the key in a separate message. This person was wanting this capability as well and Dennis has been looking into that. After today's meeting, Dennis had decided to tell her that we can't send restricted data through e-mail. Francis Ferguson concurred, noting that e-mail is considered public record. Sending the key in a separate e-mail would thus not protect the encrypted message as both the message and the key would be subject to public discovery. Winnie Lante pointed out that this latter issue could be bypassed by phoning the key separately perhaps.

Departmental servers within IFAS (previous discussion)

Updates not available...

usage of the UF IT Alerts Dashboard page by IFAS

Updates not available...

RODC issues at remote sites (prior discussion)

Updates not available...

PDF-Xchange (prior discussion)

Updates not available...

The meeting was adjourned a bit early at about 11:35 AM.