ICC Meeting: IFAS COMPUTER COORDINATORS
Message from Kevin Hill: We’ve recently rolled out a limited deployment of “UF wireless network” WAPs to replace some aging WiFi equipment at our unit. Aside from the usual aches & pains associated with moving everybody’s cheese, I’m wondering how other off-campus units are dealing with some of the quirks. Namely:
At this point, I’m really missing our circa-1998 WiFi equipment. I’d be interested in hearing what others are doing to deal with these issues. Has there been any discussion about asking CNS to build a separate UF wireless config for remote IFAS sites?
James Moore responded to each of Kevin's points. For the first point, James said:
The best approach to dealing with this issue is to use a GPO. Please see: http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx
Drop down to figure 3 and it shows what you need to do: namely enable Single Sign On for this network and perform immediately before user log-on.
James suggested that a short document should be written and posted on the IT wiki for 802.1x and said CNS will look into this for Kevin.
Regarding point #2, James said:
- As discussed in my email yesterday:
- We are testing features like Flex Connect in our lab and will be deploying very soon. This may be how we decide to keep certain local traffic local.
- The latency that you are seeing is likely related to a bug in the code used on the Brighthouse Networks CO router upstream from IRREC. We have a ticket open with BHN & Comcast. I discussed this with Dan Cromer yesterday afternoon.
- For example, TREC in Homestead sees 14ms of round-trip-time to/from GNV. There is no latency there.
- This design is common across the industry for sites with L2 p2p loops into the cloud.
- Dedicated internet access (DIA) circuits using IPsec tunnels also seem to perform well. (Feature sets such as Flex Connect will be rolled out to these locations.)
- Poorly funded aDSL sites are supported with autonomous APs that use pre-shared keys. They are not using LWAPP at this time.
Regarding point #3, James responded:
-This is the same here on campus and works for all departments. UFIT Security tracks these via GatorLink username and will deal directly with the customer. You no longer have to hunt through DHCP logs.
Finally, James summarized with:
-For slower, aDSL fed County Offices, we use local pre-shared keys on autonomous access points. We do not use LWAPP behind slow, poor performing ISP services like DSL at this time. We do have a separate design for remote locations whether those are IFAS, CLAS, CoB etc. The design is based on the specific case, not the department.
SWFREC is FLR connected. Your local-loop into the cloud is suspect. We can pilot new features at IRREC once the lab testing has been completed. We will get back to you on this very soon.
Kevin himself later solved a portion of his concerns and reported the solution to the ICC:
Message from Kevin Hill: So I had a number of laptop users complaining about login scripts not running when connecting to the “uf” SSID. After beating my head against the wall trying to work through the 802.1x post-GINA user authentication problem, I finally figured it out and thought I’d share the solution:

When a user first connects to “ufinfo” to run the Autoconfigure script, the resulting “uf” wireless connection is automatically configured with “Network availability” set to “only me”. This setting causes the single sign on options for the connection to be grayed out. To get to these settings you need to delete the “uf” wireless connection, and then reconnect directly to “uf”. You’ll be prompted for credentials and a new connection will be created, this time with “Network availability” set to “All users”. Now you can select the Security tab / Advanced Settings and select “Enable single sign on for this network”. I had to extend the delay on my Surface Pro to 60 seconds due to the crappy Marvell wireless chipset Microsoft used in their hardware (ymmv).

This solution works for me on Win 7 and Win 8. Maybe this is all documented somewhere already, but I couldn’t find it. Hope it’s helpful to someone. Also, as suggested by James Moore, this can probably be set via GPO, but in my testing it appears that only a domain admin can create one. Maybe a policy already exists, but I couldn’t find it among the 4000+ policy objects in AD.
Steve mentioned that he had tried this "single sign on" configuration and was impressed. When this setting is configured the Windows logon screen displays "Windows will try to connect to uf" beneath the password input box (uf here referring to the uf ssid). This setting essentially allows a domain-joined laptop on the UF wireless network to have a "DA-like" experience where the login scripts and drive mappings run just as they would with a local wired connection.
This setting could be an extremely important usability enhancement for domain-joined laptops and begs the question why isn't this documented at http://getonline.ufl.edu/. In Steve's view there should be separate documentation available for Windows domain-joined laptops as this feature is too wonderful to overlook.
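The manual fix Kevin describes (delete the per-user “uf” profile, re-add it for all users, then turn on pre-logon single sign-on with a longer delay) can be scripted so it does not have to be repeated on every laptop by hand. The PowerShell below is an added example and is not part of the ICC notes or of the CNS autoconfigure tooling. It assumes the profile is named “uf”, uses the standard WLAN/OneX profile XML namespaces, and takes the 60-second delay Kevin needed as a parameter; it must be run from an elevated prompt, because only an administrator can write an all-users profile.

```powershell
# Added example (not from the ICC notes): re-create the "uf" 802.1X profile as an
# all-users profile with pre-logon single sign-on, which is what Kevin's manual
# delete/reconnect/enable-SSO procedure achieves. Run from an elevated prompt.
# ASSUMPTIONS: the SSID/profile name is "uf"; $MaxDelay is the value Kevin raised
# to 60 s for a slow adapter; everything else is read from the existing profile.
param(
    [string]$ProfileName = 'uf',
    [int]$MaxDelay = 60,
    [string]$WorkDir = (Join-Path $env:TEMP 'ufwifi')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Export the existing profile (EAP settings included) so nothing the
#    autoconfigure script set is lost. The file is named "<Interface>-<Profile>.xml".
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
$file = Get-ChildItem -Path $WorkDir -Filter "*-$ProfileName.xml" | Select-Object -First 1
if (-not $file) { throw "No exported profile for '$ProfileName' found in $WorkDir" }

[xml]$xml = Get-Content -Path $file.FullName
$oneXNs = 'http://www.microsoft.com/networking/OneX/v1'
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('x', $oneXNs)

$oneX = $xml.SelectSingleNode('//x:OneX', $ns)
if (-not $oneX) { throw "Profile '$ProfileName' has no OneX (802.1X) section" }

# 2. Replace any existing <singleSignOn> with a pre-logon one. In the OneX
#    schema singleSignOn must precede EAPConfig, so insert it before that node.
$old = $oneX.SelectSingleNode('x:singleSignOn', $ns)
if ($old) { $oneX.RemoveChild($old) | Out-Null }

$sso = $xml.CreateElement('singleSignOn', $oneXNs)
foreach ($pair in @(
        @('type', 'preLogon'),                # authenticate before user logon
        @('maxDelay', "$MaxDelay"),           # seconds to wait for the link
        @('allowAdditionalDialogs', 'false'),
        @('userBasedVirtualLan', 'false'))) {
    $e = $xml.CreateElement($pair[0], $oneXNs)
    $e.InnerText = $pair[1]
    $sso.AppendChild($e) | Out-Null
}
$eap = $oneX.SelectSingleNode('x:EAPConfig', $ns)
if ($eap) { $oneX.InsertBefore($sso, $eap) | Out-Null } else { $oneX.AppendChild($sso) | Out-Null }

$newFile = Join-Path $WorkDir "$ProfileName-sso.xml"
$xml.Save($newFile)

# 3. Delete the per-user ("only me") profile and re-add it for all users.
#    Pre-logon SSO is only possible on an all-users profile, which is why the
#    option is greyed out until the profile is re-created this way.
netsh wlan delete profile name="$ProfileName" | Out-Null
netsh wlan add profile filename="$newFile" user=all

# 4. Verify: the profile should now show as available to all users, with SSO
#    listed under the 802.1X settings.
netsh wlan show profile name="$ProfileName"
```

The script keeps the EAP block the autoconfigure script wrote, so the trusted CA and server-name validation are unchanged; only the availability and single sign-on settings differ. For a whole unit the same profile XML is what the wireless GPO James pointed to would deploy; this is the one-machine equivalent for admins who cannot create that policy themselves.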
Phone bills to be paid for centrally?
There seems to be some doubt as to whether or not this is going to proceed. Dan Cromer says that this has been proposed for inclusion in the RCM by John Madey at the request of Elias Eldayrie. The RCM proposal will go to the final budget board, probably sometime in May; from what Dan has heard it is expected to be approved, but we won't know for sure until then.
News from Campus IT Directors meeting
Passphrases to be allowed
Dan Cromer had shared the availability of the March meeting notes from the UF Campus IT Directors. There is a plan for changing password length rules whereby passphrases (18 characters up to 55 max) will be allowed without dictionary checking (yay!). The implementation of this change will be a bit tricky because of potential issues with legacy systems that might not handle such long passwords. Password minimums will not be changed from the current settings of 8 characters for P1-P3 and 9 characters for P4-P5 (see GatorLink Password Management Policy).
Forwarding policy
The other topic Dan wanted us to be aware of was the potential requirement for all faculty and staff to use Exchange, with no forwarding allowed. Dan also noted that IFAS has had this policy since December 2005.
Ben Beach pointed out that this could spell trouble for a couple of the counties he supports. John Wells agreed, noting that Leon and Okaloosa County, for instance, are required by county policy to use their county email addresses for all correspondence. Bill Black said his district was similar. Dennis Brown mentioned this might be a concern with Courtesy Faculty working in industry as well.
Dan's take was that he believed UF will accept exceptions for legitimate governmental agencies’ addresses, though he couldn’t be sure. The issue is having “discovery” rights to UF email for legal purposes. The policy will be set by General Counsel or Privacy Office, not by IT. On the other hand, Dan didn’t see how county government officials could complain about UF people using UF email, even if they are county-paid people doing UF work; this may need to be established in a memorandum of understanding (MOU).
Jimmy Anuszewski mentioned having a visiting professor from Brazil with an Exchange mailbox who wanted to forward that to his home email account. Jimmy asked Scott Owens about that who forwarded it on to the UF Help Desk. Eventually it was allowed once written permission was obtained from the department chair.
TurningPoint Response System being re-evaluated
Dan Cromer had relayed a message from McCallister about the availability of TurningPoint Clickers:
Message from Dan Cromer: FYI, thought you’d like to see this response from Mark at AT about TurningPoint “clickers”. I had been asked about them from someone doing a workshop who wanted to borrow some. Dan

From: McCallister, Mark
Sent: Thursday, March 21, 2013 10:08 AM
To: Thomas, Ron; Wysocki, Allen F; Ruppert, Thomas K; Cromer, Dan
Subject: Re: Turning Point "clickers"

Hi, yes we have that quantity available. Rental charge would be $120 ($1/clicker) for the event + shipping if we need to ship them somewhere. Side note related to Al's comment below – I have become increasingly disenchanted with TurningPoint for instructional use over the past couple years (works great for workshops like this though). We currently have faculty piloting/using three alternative products, iClicker, TopHatMonocle, and ViaResponse. While we won't 'unplug' anyone using TurningPoint, we will probably shift our recommendation to some combination of those three products for next academic year. Thomas, if you would like to proceed with that, let me know and I'll have our front desk person get in touch with you to make arrangements.
In case you were not aware the TurningPoint Response System has been used by UF for a few years now. It permits audience members to respond to questions posed in real-time and tallies the results. Apparently it hasn't worked all that well and AT is now looking at alternatives.
HighEdWeb conference
Donna McCraw had kindly spread the word about a HighEdWeb conference that will be held in Emerson Hall on April 22-23; registration is required.
Spring 2013 Peer2Peer workshop
The Spring 2013 Peer2Peer workshop will be held in the morning of April 18th at Smathers 1A. This latest iteration will include presentations about managing Mac/Apple devices in the UF enterprise (Kevin Hanson), an overview of the UF Data Center (David Burdette), Systems Center Configuration Manager (Andrew Carey), and the enhancements and changes in Shibboleth (Martin Smith). This event will be streamed and may be viewed here.
Steve mentioned some interest in the Kevin Hanson talk. He is still trying to understand if there is really any advantage in joining Macs to UFAD. Wayne Hyde expressed concern about controlling access to UFAD-joined Macs asking if there was a means to limit who could logon locally. Jimmy said he believes there is a way to have a GPO enforce that a Mac run an AppleScript file; he mentioned working with Santos Soler on such a solution. Others pointed out that it is rare to control local logon even on Windows boxes, though it is easily done should one wish.
Other discussion about various aspects of Macintosh support ensued. If you want the details you can listen to the audio recording at about the 38 minute mark. Varied discussion also took place on the need to remove WinXP boxes from the network by April 2014; if you aren't preparing for this you could be in for a BIG shock.
Content Management System (CMS) for UF: Entering purchasing phase
Updates not available...
Authentication Management policy draft (previous discussion)
Updates not available...
New 'Trouble-Ticket' Entry Page for CNS (previous discussion)
See remedy section below...
KACE (previous discussion)
Updates not available...
CNS working to implement NAC for UF wireless (previous discussion)
UF wireless still too hard?
Updates not available...
UF Exchange updates (previous discussion)
Outsourcing of student email?
Dan Cromer said this is still moving forward. Things may be a little delayed, but they were originally planning to offer Office 365 as an option to students first enrolling this Summer (as a trial). They would then make it mandatory for new students beginning Fall 2013 as well as an option for existing students. Gatorlink mail is planned to go away completely by the end of 2014.
Outlook asking for re-authentication
Updates not available...
Sakai e-Learning System now in production (previous discussion)
Updates not available...
Alternate IFAS domains in e-mail (previous discussion)
Updates not available...
Electronic Copy - Print Output Cost Reduction program (previous discussion)
Updates not available...
Split DNS solution for UFAD problems (previous discussion)
Updates not available...
New web cluster (previous discussion)
Updates not available...
Windows 8 Deployment? (previous discussion)
Updates not available...
SCCM for IFAS
Work continues on the central SCCM plans.
Updates not available...
Exit processes, NMB and permission removal (previous discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (previous discussion)
Updates not available...
Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection?
UF is looking at moving from McAfee to either IBM or Symantec for its anti-virus protection software. Forefront would be another essentially no-cost option but it first requires SCCM to be deployed centrally.
Dan said the deadline for that is considered to be August 17th; this is the date listed in policy where encryption of all laptops and portable personal computers storing restricted data becomes mandatory. The SCCM component will allow confirmation that laptops are bitlocker encrypted; such proof is a component of the Mobile Computing and Storage Devices Standard.
Wayne Hyde said that if UF doesn't renew the McAfee contract we will obviously eventually move off that platform, probably to ConfigMan with FEP. In the meantime, Wayne will be migrating us from ePO 4.6 to ePO 5 as discussed below.
Print server (previous discussion)
Updates not available...
Recording lectures for Distance Education (previous discussion)
Updates not available...
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (previous discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
DirectAccess pilot (previous discussion)
Updates not available...
VDI desktops as admin workstations (previous discussion)
Jimmy mentioned a new VMware View Client is available for download from http://www.vmware.com/go/viewclients. The Mac version now offers USB support. VMware also has an entirely new version of the product that is now named VMware Horizon View. Wayne will offer that via http://virtual.ifas.ufl.edu when he retools for the upcoming term. This new version supports HTML Access, which means zero-install access from a whole host of devices. Very cool.
Wayne's Power Tools (previous discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Updates not available...
Folder permissioning on the IFAS file server (previous discussion)
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age (previous discussion)
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex York can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Since BitLocker recovery information is stored beneath the computer object in UFAD (and is removed along with it), Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere before such deletions. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
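The two items above fit together: the stale-object cleanup and the key scavenging should happen in that order, per object. The following PowerShell is an added example and is not an ITSA tool or Andrew's plan as written; it assumes the ActiveDirectory module, a hypothetical OU distinguished name, and an account that has been granted read access to the msFVE-RecoveryPassword attribute. It selects computer objects that are disabled and whose machine password is older than 90 days, exports any BitLocker recovery objects stored beneath them, and only then (with -Delete) removes the objects.

```powershell
# Added example (not an ITSA tool): for disabled computer objects in an OU whose
# machine password has not changed for 90+ days, export any BitLocker recovery
# information stored beneath the object, then (optionally) remove the object.
# ASSUMPTIONS: ActiveDirectory module present; -SearchBase is a hypothetical OU;
# the running account can read msFVE-RecoveryPassword. Run without -Delete first.
param(
    [string]$SearchBase = 'OU=Computers,OU=ExampleUnit,DC=ad,DC=ufl,DC=edu',
    [int]$StaleDays = 90,
    [string]$ExportPath = (Join-Path $env:USERPROFILE 'bitlocker-scavenge.csv'),
    [switch]$Delete
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Computer password age is the signal: an enabled, connected machine rotates
# its secret every 30 days, so Enabled=$false plus 90+ days of no rotation
# means the object has been dead for a while, not just on vacation.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $false } `
            -Properties PasswordLastSet |
         Where-Object { $_.PasswordLastSet -lt $cutoff }

$keys = foreach ($c in $stale) {
    # Recovery info lives in msFVE-RecoveryInformation child objects of the
    # computer; deleting the computer deletes them too, hence export first.
    Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated' |
    ForEach-Object {
        $guid = New-Object System.Guid (, [byte[]]$_.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            Computer         = $c.Name
            DN               = $c.DistinguishedName
            PasswordLastSet  = $c.PasswordLastSet
            RecoveryGuid     = $guid.ToString()   # the ID the BitLocker prompt shows
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            KeyCreated       = $_.whenCreated
        }
    }
}

if ($keys) {
    # The CSV holds 48-digit recovery passwords: write it only to protected
    # storage (an encrypted volume or a tightly ACL'd share), never a public folder.
    $keys | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Host ("Exported {0} recovery entries for {1} stale computers to {2}" -f `
        @($keys).Count, @($stale).Count, $ExportPath)
}

if ($Delete) {
    foreach ($c in $stale) {
        # Remove-ADComputer refuses objects with children; -Recursive handles
        # the msFVE child objects. -Confirm prompts once per computer.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$true
    }
} else {
    $stale | Select-Object Name, PasswordLastSet, DistinguishedName | Format-Table -AutoSize
}
```

Because the export is keyed by the recovery GUID, a later restore request ("the prompt shows ID 3F2A...") can be answered from the CSV without the AD object. Treat the export file as restricted data under the same standard as the drives it unlocks.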
Core Services status (previous discussion)
Updates not available...
ePO updates (previous discussion)
Version 5 of ePO recently became available and Wayne Hyde is already investigating a transition to the new platform. The release notes for ePO 5 are available here. McAfee Agent 4.8 is also available. Rather than upgrade our current ePO server, Wayne has already stood up a new server with ePO 5 to which he is planning to migrate clients. This process will help point out machines which aren't updating agents and the like, because they will remain talking to the old server. Wayne also plans to tweak scheduled scanning so it is somewhat more palatable; it will remain a necessary evil however.
The new ePO system will have some new tags such as "Frozen" which is appropriate for systems with disk protection (like DeepFreeze). Such clients will get DAT updates, but agent or VSE upgrades will have to be installed manually. Wayne will also prepare the new ePO server so it can push agents and anti-malware to Macs. Steve mentioned that we will need to make sure UF wireless detects that product if we go that route.
Status of SharePoint services (previous discussion)
IFAS migrating to centralized MOSS
Updates not available...
Public folder file deletion policies and procedures status (previous discussion)
Updates not available...
Patching updates... (previous discussion)
Microsoft
Microsoft recently released an enterprise hotfix rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. It is recommended that this be rolled into deployment images. Note particularly the "Registry information" section of that article for details on enabling two of the included hotfixes -- one which improves logon script run performance.
The April Microsoft patches included 9 bulletins (2 "Critical", and 7 "Important") covering 14 CVEs in the usual suspects. A risk assessment will be available here.
McAfee provides podcasts on the highlights of each month's offerings.
Adobe
There have been two patches for Flash since our last meeting; one on March 12th and another this Tuesday.
Java
There is going to be another release of Java next Tuesday.
Some mentioned believing that SAS won't work with JRE 7, but that is not the case as Steve pointed out at the February meeting. Steve had supplied instructions for reconfiguring this without reinstalling, along with a test program that you can use to assure yourself that SAS is working correctly with JRE 7.
MS Office News update (previous discussion)
Updates not available...
Job Matrix Update status (previous discussion)
Updates not available...
UF apps
Dennis Brown reported going to the meeting of a group charged with determining required features for a Help Desk ticketing system to replace Remedy. Remedy is not lacking in features, but rather would require customization beyond what our current staff could manage to create or maintain. As a result UF is looking for a more appropriate fit to our needs.
Dan mentioned that the endpoint protection products being investigated as a McAfee replacement also overlap with this category as does (perhaps to a lesser extent) Service Manager that Alex York is investigating.
Trouble with chartfield entry in PeopleSoft
Francis Ferguson mentioned frustration with entering chartfields in PeopleSoft. After entering 1,2 or 3 characters the thing "jumps" and you can't enter the rest of the characters. Dan Cromer said that this is due to an autocomplete setting that can be cleared.
If you logon to myUFL and select: "Main Menu" > "My Account" > "My Personalizations" > "Finance Personalizations" > "Personalize Navigation Personalizations" you can disable the troublesome "feature":
Winnie Lante mentioned having the same problem when setting NMB when trying to type into the "Department ID to relate field." This is apparently the same issue but Steve found out one must change the setting via the "Portal Personalizations" rather than the "Finance Personalizations." Also worthy of note, in researching this Steve found that the UF Help Desk test application has been extensively re-formatted to a more tabular form.
Redundancy for DHCP at remote sites
Steve asked if there was any consideration being made to support DHCP redundancy at remote sites in the future--perhaps at the next MPS refresh. Wayne Hyde responded that if an MPS server goes down then DHCP has to default to the router which James Moore has set up. ITSA is looking at the possibility of deploying some NAS devices for backup storage; those can also handle DHCP and that might be a possibility.
For on-campus, DHCP failover in Server 2012 permits having two DHCP servers that both hand out IP addresses. The servers are not clustered; rather, in load-balance mode they decide which machine will hand out an address based on a hash of the client's MAC address. The two DHCP servers do communicate, however, so each is aware of which addresses the other is handling. If one goes down, the other will take over handing out all IPs. Wayne has discussed with Alex whether or not this kind of configuration (the hot-standby mode of the same feature) could be used with remote sites, where the local system would be primary and hand out all the IPs but the campus system could take over should the local MPS DHCP go down. Of course, all bets are off for that when the WAN is down.
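Both arrangements described above are the same Server 2012 feature in different modes. The PowerShell below is an added example, not IFAS's actual configuration; server names, the scope and the shared secret are hypothetical placeholders. It sets up a remote-site scope in hot-standby mode (local MPS active, campus server standby) and shows the campus load-balance form for comparison.

```powershell
# Added example (not IFAS's configuration): configure Windows Server 2012 DHCP
# failover for a remote-site scope in the two modes the notes describe.
# ASSUMPTIONS: hypothetical server names, scope 10.251.21.0/24 and secret.
# Run on the server that currently owns the scope; the partner must also be a
# 2012 DHCP server that does not already define the scope.
param(
    [string]$Local   = 'if-mps-remote.ad.ufl.edu',
    [string]$Partner = 'if-dhcp-campus.ad.ufl.edu',
    [string]$ScopeId = '10.251.21.0',
    [string]$Secret  = 'replace-with-a-long-random-secret'
)
Import-Module DhcpServer

# Hot standby: the remote MPS stays Active and hands out every lease; the
# campus server only answers when the local server is unreachable, using the
# ReservePercent slice of the pool for new clients until it takes over fully.
# This is the "local primary, campus takeover" arrangement discussed above.
# It covers MPS failure only: with the WAN down the partner cannot answer.
Add-DhcpServerv4Failover -ComputerName $Local -Name "$ScopeId-hotstandby" `
    -PartnerServer $Partner -ScopeId $ScopeId `
    -ServerRole Active -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret $Secret -Force

# Load balance (the on-campus design): both servers answer, the client MAC
# hash decides which one, and lease state is replicated so either can take
# over all addressing if the other dies. Shown commented out for comparison.
# Add-DhcpServerv4Failover -ComputerName 'if-dhcp-a' -Name 'campus-lb' `
#     -PartnerServer 'if-dhcp-b' -ScopeId '10.227.0.0' -LoadBalancePercent 50 `
#     -MaxClientLeadTime 01:00:00 -SharedSecret $Secret -Force

# Verify the relationship; State should read Normal once both sides have synced.
Get-DhcpServerv4Failover -ComputerName $Local -Name "$ScopeId-hotstandby" |
    Select-Object Name, Mode, ServerRole, State, PartnerServer, ReservePercent
```

The shared secret authenticates the replication channel between the two servers; without it any host that can reach the failover port could inject lease state. MaxClientLeadTime bounds how long a lease one server hands out can outlive what the partner knows about, which is also how long the standby waits before it assumes full control after a loss of contact.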
Steve added that keeping traffic local as much as possible is an important consideration for remote sites as well. Dan Cromer mentioned this is a particular issue with authentication via the WAPs currently but network services is looking at Flex Connect (as mentioned earlier) to help with that issue. Francis Ferguson mentioned that he may be getting the first few WAPs that support this feature; we'll just have to see how it goes.
UFIRT notices
A number of folks had asked if it was necessary that we all get notices that don't apply specifically to us in our own units. Wayne had responded:
Message from Wayne Hyde to the IFASIRT-L: IT workers in IFAS that are responsible for hosts on the UF network will remain on this list. If members do not wish the list e-mails to all go to their inbox, it is fairly easy in Outlook to configure a server-side rule that moves IFASIRT-L messages to a folder but also leaves messages related to your managed machines in your inbox. Two rules are needed: the first rule looks for IFASIRT-L e-mails and stops processing rules if the message contains various strings, for example the first three octets of your subnets (i.e. "10.251.21") and partial matches of computer names in case you routinely have laptops that pop up across the statewide network (i.e. "IF-ITSA"). The second rule moves all remaining IFASIRT-L e-mails to your subfolder.

The increase in mail load starting this week was due to a LISTSERV issue where the IFASIRT-L was held for quite some time. You may have still received alerts which were sent to your GL account in addition to the IFASIRT-L address, but no alerts only sent to the IFASIRT-L list were distributed.

When you do get a ticket for one of your hosts, please follow the procedures, standards and guidelines found at: http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response.html Please remember to update the ticket with what information you found about the host and what steps were taken to resolve/contain the incident.

Tickets quite often are generated a day or more after an incident occurred. DMCA violations often come in weeks after an incident. The UFIRT ticket will have a ticket timestamp (when the ticket was generated) but also have the timestamps of the incidents and possibly a hostname. If the ticket is generated close to the incident times, the hostname may be correct. Since hosts come and go and we use DHCP, quite often the current host on the incident IP address is not the host that caused the ticket. This is where Chris' DHCP Search (http://itsa.ifas.ufl.edu/dhcpsearch) will help you track down the host.
A tutorial on handling alerts
Wayne explained the process OU admins should take to handle these notices.
Begin with a close examination of the on-line ticket
The alert e-mail itself is of little value. You must begin with a close examination of the ticket by following the link provided in the UFIRT notice. The ticket will give you at least the IP address along with a BIOS name and a MAC address.
Timing is everything
The problem with the UFIRT alerting system is that they don't always detect something as it happens. Rather, some issues are only discovered by reparsing previous data. Consequently, one must pay very close attention within the "Ticket History" section to the Incident Date as opposed to the ticket creation date, as demonstrated below. IPs are reassigned, and the machine currently holding the IP listed in the alert may not be the same as the one that triggered the alert. You need to know when the detection occurred in order to proceed properly.
Locating the device in question
Once you know the Incident Date, then the DHCP search site can be very useful in locating other details of the device. By selecting proper DHCP server (just DHCP for on-campus) you can search on the IP# to get a list of machines that held that IP that day.
Lease times are generally 3 hours so it is not uncommon to have a number of different machines in that list. You can then narrow it down via the time stamp on the Incident Date and get the MAC address of the device in question.
If you check the "Display NIC Manufacturer" box you can determine the make of the device (Dell, Apple, etc.); you can also use one of many on-line vendor MAC address lookup services as well.
If you are on Wall-Plate you can also use the Network Monitoring System and its "Search MAC Data" link to locate the port and thus the room number where the device was connected when the incident was detected.
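The lookup the DHCP Search site performs (which MAC held this IP at the incident time, and what vendor that MAC belongs to) can also be done directly against a Windows DHCP server's audit log when the site is unavailable or the server is one you run yourself. The following PowerShell is an added example, not the ITSA DHCP Search tool; the log lines are constructed for the example in the DhcpSrvLog format, and the OUI table is a hand-picked subset, not the IEEE registry. It shows the same IP changing hands three times in one day, which is exactly the situation where the "current" host would be the wrong answer.

```powershell
# Added example (not the ITSA DHCP Search site): answer "which MAC held this IP
# at the incident time?" from a Windows DHCP server audit log
# (%SystemRoot%\System32\dhcp\DhcpSrvLog-<Day>.log). The log lines below are
# CONSTRUCTED for the example; the OUI table is an assumed subset, not the
# IEEE list. Event IDs: 10 = new lease, 11 = renew, 12 = release, 16 = deleted,
# 17 = expired.
$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,04/02/13,07:58:11,Assign,10.251.21.57,LAB-PC07.ifas.ufl.edu,B8AC6F1122AA,
11,04/02/13,09:12:40,Renew,10.251.21.57,LAB-PC07.ifas.ufl.edu,B8AC6F1122AA,
12,04/02/13,11:05:03,Release,10.251.21.57,LAB-PC07.ifas.ufl.edu,B8AC6F1122AA,
10,04/02/13,11:06:20,Assign,10.251.21.57,,3C0754AABBCC,
17,04/02/13,14:10:00,Expired,10.251.21.57,,3C0754AABBCC,
10,04/02/13,14:31:55,Assign,10.251.21.57,VISITOR-LAPTOP,001E4CDDEEFF,
'@

# Constructed OUI subset (first 3 bytes of the MAC -> vendor). Real lookups
# should use the IEEE registry or a vendor lookup site as the notes suggest.
$Oui = @{ 'B8AC6F' = 'Dell'; '3C0754' = 'Apple'; '001E4C' = 'Hon Hai (Foxconn)' }

function Get-DhcpLeaseHistory {
    param([string[]]$Lines, [string]$IPAddress)
    # Emit only the events for $IPAddress, parsed into objects with real timestamps.
    foreach ($line in $Lines) {
        $f = $line.Split(',')
        if ($f.Count -lt 7 -or $f[0] -notmatch '^\d+$' -or $f[4] -ne $IPAddress) { continue }
        $t = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss', $null)
        [pscustomobject]@{
            Time = $t; Id = [int]$f[0]; Event = $f[3]
            Host = $f[5]; Mac = $f[6].ToUpper()
        }
    }
}

function Find-HolderAtTime {
    param([string[]]$Lines, [string]$IPAddress, [datetime]$Incident)
    # Walk the timeline in order: 10/11 make a MAC the holder, 12/16/17 end the
    # lease. The last state change at or before $Incident decides the answer;
    # anything after it is irrelevant, however recent.
    $holder = $null
    foreach ($e in (Get-DhcpLeaseHistory -Lines $Lines -IPAddress $IPAddress | Sort-Object Time)) {
        if ($e.Time -gt $Incident) { break }
        switch ($e.Id) {
            { $_ -in 10, 11 }     { $holder = $e }
            { $_ -in 12, 16, 17 } { $holder = $null }
        }
    }
    if ($holder) {
        $prefix = $holder.Mac.Substring(0, 6)
        $vendor = if ($Oui.ContainsKey($prefix)) { $Oui[$prefix] } else { 'unknown' }
        [pscustomobject]@{
            IP     = $IPAddress
            Mac    = $holder.Mac
            Host   = $holder.Host
            Vendor = $vendor
            Since  = $holder.Time
        }
    }
}

# Three incident times for the same IP, as a hypothetical UFIRT ticket might
# list them; each resolves to a different answer from the same log.
$lines = $SampleLog -split "`r?`n"
Find-HolderAtTime -Lines $lines -IPAddress 10.251.21.57 -Incident '2013-04-02 10:30:00'
Find-HolderAtTime -Lines $lines -IPAddress 10.251.21.57 -Incident '2013-04-02 12:00:00'
Find-HolderAtTime -Lines $lines -IPAddress 10.251.21.57 -Incident '2013-04-02 14:20:00'
```

With the constructed log, the 10:30 incident resolves to the Dell LAB-PC07 that took the lease at 07:58, the 12:00 incident to the Apple device (no hostname, which is typical of an unmanaged machine and is the case for a DHCP filter request), and the 14:20 incident returns nothing because the lease had expired and was not reassigned until 14:31. A gap like the last one means the log you have does not explain the ticket; check the Incident Date again, or the other DHCP server, before blocking anyone.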
"Malware Activity" vs "Vulnerability" detections
When you get a "Malware Activity Detected" alert whose ticket contains a bunch of cryptic flow data you can trust that the machine is infected and that this is NOT a false positive. McAfee might not detect it and you might have to use some other tools and/or boot into safe mode to detect the infection. Regardless, it is inappropriate to mark the ticket as a false positive.
Response
After you identify the computer, take it offline and mark the ticket as "contained." UF policy states that containment must occur prior to the end of the business day. If you think you have removed the infection you can then hook the machine back up to the network; should you be wrong another alert will arrive before long. In many cases a rebuild will be the simplest and certainly the surest method of removing an infection.
If this turns out to be an unmanaged machine or you are unable to locate the device, then please send a DHCP filter request to itsa@ifas.ufl.edu so the device will be blocked from network access.
Question or problems?
If you receive a UFIRT ticket and are unable to figure out what PC generated the ticket or need help with any other aspect of the ticket, please respond to the IFASIRT-L list and CC the ITSA group (itsa@ifas.ufl.edu) for assistance. Asking for help in the UFIRT ticket system will most likely be missed as the UFIRT e-mails do not include the comments appended to tickets. That is much less trouble for Wayne or whoever to track and respond to than to have to open each ticket update that folks may make just to find out you are having difficulties.
Slow Boot Slow Login (SBSL) Hotfix Rollup for Windows 7 and Server 2008 R2
About a month ago, Microsoft released an enterprise hotfix rollup for Windows 7 and Server 2008 R2. The potential usefulness of this is described here along with a tool (Xperf) you can use to determine how much this hotfix actually helps. The only real caveat is that there have been a few reports of BSODs; those have been resolved by upgrading video drivers however. Steve downloaded this and has posted it on the file server.
Powershell Workshop video
Nick Smith had shared a link to a Powershell Workshop video by Don Jones. This video is quite long but holds a wealth of information that all could utilize to become much more effective support techs. This is very cool stuff -- the kind of thing you wouldn't pick up on your own. If you work with Windows (and who here doesn't) you will never regret learning PowerShell; as Don Jones says "You can either learn PowerShell, or learn to ask, 'would you like fries with that?'"
Hard Drive Disposal
There had been some discussion on the ICC about methods for hard drive disposal. Wayne Hyde had responded with the following links:
As Wayne had pointed out, the second link pertains to media that contains or has contained restricted data.
UFApps
Dennis Brown had shared a link to a YouTube video describing the new UFApps "virtualized applications" service that is currently in Pilot. As Dennis pointed out, some of the available apps are Autocad, MS Office, and Adobe Photoshop. More details are available at http://info.apps.ufl.edu/. This service is available currently to all students (grad and undergrad) and Dan Cromer said there has been some thought that it should be opened up to all.
The meeting was adjourned a bit early at about 11:40 am.