News

Windows 10 RSAT Available Now

I’ve downloaded the Remote Server Administration Tools (RSAT) for Windows 10 (32- and 64-bit) install MSIs and made them available at \\ad.ufl.edu\eg-adm\depot\apps\microsoft\. I added RSAT-WINDOWS-10 to the beginning of the filenames so that they are easy to identify.

I’ve installed and tested it. It works fine so far. A reboot is required after install.

You can also download it from the original location if desired:

http://www.microsoft.com/en-us/download/details.aspx?id=45520

New Version of Office for Mac Available

Mike has downloaded Microsoft Office for Mac Standard 2016. It is available on our software depot:

\\ad.ufl.edu\eg-adm\depot\apps\Microsoft 

Windows 10 Enterprise x64 ISO is also there in case you are interested.

Windows 10

EI&O has Windows 10 KMS servers in place and activations are now working. As mentioned in a previous meeting, use Windows 10 Enterprise. Windows 10 Education is intended for the home-use option for faculty, staff, and students. There are still issues with the KMS in the AHC secure zone.

“Unsupported UNIX Operating System” tickets

A number of you have pending “Unsupported UNIX Operating System” tickets (and consequently “Unsupported Web Server Detection” tickets) that generated security ticket reminder messages today. Please make sure to address these tickets as soon as possible. Update them with the latest information and any planned actions for remediation/upgrade. Please include a date, or estimated date, by which you expect the ticket to be resolved if it isn’t already.

If you do not plan to upgrade the OS, please include why and mention any security measures (technical or procedural controls) you have in place to protect the system. It may also be necessary to complete a security intake evaluation form for the system if you plan to keep it in that state for any length of time.

The intake form and instructions can be found at https://security.ufl.edu/it-workers/risk-assessment/

Per UF security policies, systems are required to stay current. This means using current, vendor-supported operating systems so that systems continue to receive vital security patches. Systems not running current OSes are subject to being filtered from the network. In the past you’ve seen this happen with Windows XP and, most recently, with Windows Server 2003. Various Linux and Unix flavors that are no longer vendor supported can sometimes continue to be manually patched beyond vendor end-of-life dates. This is why you haven’t yet seen efforts to filter/block these systems from the network. I believe it is only a matter of time, however, before there is a push to move forward with this (especially if tickets are not addressed in a timely manner).

Finally, it is important to note that the security intake form should be used whenever a new information system is brought online that is managed differently than other systems that have already been evaluated, or that collects, contains, processes, or transfers any type of restricted data. As I’ve mentioned in the past, UF has been trying for years to make this intake/risk assessment process mandatory. It already is mandatory, by policy, in the Academic Health Center (AHC). We have seen various forms of new/updated risk assessment and data classification policies over the last two-plus years, but none of them, with the exception of the data classification policy, have really made it out of draft status. As a result, UF still operates under the old Risk Assessment Standard published at www.it.ufl.edu/policies/. The security intake form is an attempt to help units maintain compliance with this standard by having Information Security & Compliance evaluate your information systems and provide risk mitigation strategy reports.

PGP and Encryption

Concerning PGP and UF’s mobile device encryption policy.

  • UF’s license for PGP is expiring in December. Remove it.
  • PGP will no longer be compliant with UF’s mobile device encryption policy. Replace it.
  • UF’s official replacement is BitLocker (Windows; Windows 8.1 or earlier devices will need a TPM chip), FileVault 2 (Mac), or LUKS (Linux), combined with the UFEM agent. Both the encryption and the agent are required.
  • There is a list of devices reporting to the PGP console (it took a bit to create because the console shows every device that has reported since birth, even if it hasn’t reported again). I sent it to you yesterday.
  • UFIT has a team of temporary workers to help units migrate their encryption. To schedule, talk to Tricia Cook (pkcook@ufl.edu).
  • The UFIT encryption migration team has a set of procedures they use that we can share. Look in ‘Shared Documents’ of the ENG-NET-MGRS UF Connect SharePoint site (link removed… no longer valid).
  • The UFIT encryption migration team has purchased backup software that can back up PGP-encrypted devices with a bitwise copy of the encrypted drive: Casper Secure Drive Backup. Info below.
  • MIS is testing the UFIT encryption migration team’s processes and backup software. We will let you know how it goes at the next ENG-IT meeting.
  • We will be migrating encryption for our own user base (BME, CHE, EG-ADM, and ISE) first. After we test and address our users we can assist in your units if you would like.
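
The requirement above (BitLocker with a TPM on pre-Windows 10 devices) is easy to verify before a device is reported as migrated. The script below is an added example, not part of the UFIT migration team’s procedures or the original post: it reports whether the OS drive is fully encrypted with protection on, whether a recovery password protector exists, and whether a ready TPM is present when the OS version requires one. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 or later) and an elevated session; it does not check for the UFEM agent, since that half of the requirement is outside the scope of this check.

```powershell
# Added readiness check, not part of the UFIT migration procedures.
# Reports whether this Windows device meets the BitLocker half of the requirement:
# OS drive fully encrypted with protection on, a recovery password protector present,
# and a ready TPM on Windows 8.1 or earlier (Windows 10 may use other protectors).
# The UFEM agent is not checked here. Run elevated on Windows 8 or later.
Import-Module BitLocker, TrustedPlatformModule -ErrorAction Stop

function Get-BitLockerReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Policy above: pre-Windows 10 builds must have a TPM. Windows 8.1 reports 6.3.x.
    $tpmRequired = [version]$os.Version -lt [version]'10.0'
    $tpmReady    = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    $protectors  = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasRecovery = $protectors -contains 'RecoveryPassword'
    $encrypted   = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OSVersion      = $os.Version
        TpmRequired    = $tpmRequired
        TpmReady       = $tpmReady
        OSDriveStatus  = "$($vol.VolumeStatus)"
        Protection     = "$($vol.ProtectionStatus)"
        Protectors     = ($protectors -join ',')
        BitLockerReady = $encrypted -and $hasRecovery -and ((-not $tpmRequired) -or $tpmReady)
    }
}

Get-BitLockerReadiness | Format-List
```

A device that shows BitLockerReady = False with TpmRequired = True and TpmReady = False is one of the Windows 8.1-or-earlier machines the bullet above calls out; it needs a TPM (or a hardware refresh) before PGP can be removed.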

Finally, in the past PGP was announced as available for UF employee home use.  This also goes away.  I don’t really know what UF is proposing for personally owned computers as it pertains to compliance to UF policies concerning encryption.  Time to ask this question.

Encrypted Emails (Yep! It does exist)

How many of you are familiar with this feature within UFX? Put [encrypt] at the start of your email subject and, if the message is to someone outside of UF, Proofpoint will encrypt the email via an internal service. Below is an example of what it looks like. Additionally, the URL from the HelpDesk wiki (below) explains it a little more. We don’t know much about the ‘Proofpoint Encryption Premium Plug-in’ mentioned there yet.

https://wiki.helpdesk.ufl.edu/FAQs/SecureEmailEncryptionWithProofpoint (this link no longer works and has been deactivated)

Additionally, this does not work between UFX users (not sure if it works UFX to O365 either). My thought is that since the message stays internal to UF, encryption doesn’t happen because it doesn’t go through Proofpoint. It probably isn’t necessary to encrypt it either, since it stays internal to UFX. I’m not sure what happens for a UFX user sending to a third-party email server on campus (UFX to ECE.UFL.EDU, for instance).

[Screenshot: encrypted-email-via-proofpoint]

Unknown Issues Causing Problems with Network Drives

Several CHE and ISE network drives may currently be inaccessible due to issues with the hosting infrastructure at Enterprise Infrastructure & Operations (EIO). EIO is aware of the issue and is currently working on it. I do not yet have an estimate on when services will be restored. This is impacting several units on campus that have their hosting on the affected storage cluster.

As news becomes available I will make sure to send additional information if it looks like the downtime will be extended. Otherwise expect my next email after I’m able to confirm that everything is back.

If you have questions or comments please call 392-9217 or email mis@eng.ufl.edu.

UPDATE1 (@4PM 2015-04-10): As of 4:00pm services are restored.

UPDATE2 (@9AM 2015-04-13): UFIT has released a statement regarding Friday’s downtime.

On Friday afternoon, April 10, UFIT worked an incident that had wide-spread impact, so I’d like to give you the details:

About 3:15 PM Friday the UF Computing Help Desk began receiving calls about MediaSite being unavailable. Within a few minutes it was apparent that the problem was major, so the Help Desk notified UFIT’s Video Services and Operations groups.

The Operations group contacted appropriate personnel who quickly realized that the problem was with the Isilon storage system.  Specifically that the Master Control Process on the cluster was hung and consuming 100% CPU capacity. UFIT staff immediately engaged EMC technical support so they might see the problem “live.”  At the suggestion of a UFIT sysadmin, EMC killed that process at roughly 3:30 PM; at which point the Isilon storage server began functioning normally.

The outage lasted about 15 minutes, from 3:15 PM – 3:30 PM.

It should be noted that other services were affected, including UFirst and Network Shared Drives, though only MediaSite problems were reported to the Help Desk. UFIT and EMC are now investigating to determine what caused the MCP process to tie up 100% CPU utilization on the cluster, to implement appropriate monitoring (short term), and ultimately to resolve this problem (longer term, unknown duration).

If you have any questions or comments about this incident, please let me know.

Bah Humbug! Lost Functionality in Exchange 2013

So. A while back I emailed everyone a tip about how we noticed that the ‘Sent Items’ folders of shared mailboxes never had anything in them. In other words, when you have permission to a shared mailbox and you respond to a message in it as the shared mailbox, the message you sent ends up in your own ‘Sent Items’ folder and not in the shared mailbox’s ‘Sent Items’ folder. The tip was a way to fix this and have that sent message go where you want it to.

Well… that tip doesn’t work anymore in Exchange 2013. Microsoft took those cmdlets away. Apparently the setting continues to work if it was set prior to the mailbox being migrated to Exchange 2013. Additionally, the workstation registry hack for Outlook continues to work, but it is an inelegant way of doing things.

We are currently at Exchange 2013 CU7. Apparently, in Exchange 2013 CU9 the default behavior will be that when a message is sent from a shared mailbox, the sent message is stored in the Sent Items folder of the shared mailbox. Microsoft will also introduce new parameters for Set-Mailbox to change this behavior:

Set-Mailbox -Identity <SharedMailbox> -MessageCopyForSentAsEnabled <$true | $false>
Set-Mailbox -Identity <SharedMailbox> -MessageCopyForSendOnBehalfEnabled <$true | $false>

So.  We lost functionality and won’t get it back until CU9 is applied.
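
Once CU9 (or later) is installed, the two parameters above can be applied across every shared mailbox in one pass. The script below is an added example, not from the original post or from Microsoft: it runs in the Exchange Management Shell, refuses to run on a server whose Set-Mailbox does not yet expose the parameters (i.e. CU7/CU8), lists the shared mailboxes that still lack the setting, and then applies it with -WhatIf so the change can be reviewed before it is made.

```powershell
# Added example, not from the original post: once Exchange 2013 CU9 or later is
# installed, enable sent-item copies for every shared mailbox that still lacks them.
# Run in the Exchange Management Shell. The parameter check guards against running
# this on CU7/CU8 servers, where the parameters do not exist yet.
$params = (Get-Command Set-Mailbox).Parameters
if (-not $params.ContainsKey('MessageCopyForSentAsEnabled')) {
    throw 'Set-Mailbox lacks -MessageCopyForSentAsEnabled; Exchange 2013 CU9 or later is required.'
}

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

# Only touch mailboxes where at least one of the two copies is still disabled.
$toFix = $shared | Where-Object {
    -not $_.MessageCopyForSentAsEnabled -or -not $_.MessageCopyForSendOnBehalfEnabled
}

# Report first so the list can be sanity-checked.
$toFix |
    Select-Object Name, PrimarySmtpAddress, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled |
    Format-Table -AutoSize

# Apply both settings. Drop -WhatIf once the report above looks right.
$toFix | Set-Mailbox -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true -WhatIf
```

Sent-as and send-on-behalf are separate permissions, so both parameters are set; a mailbox that only ever uses one of them is harmless to set either way.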

UFAD Reorg Date: April 14th at 10am

Barring any unforeseen problems, the PEOPLE-side changes to our UFAD OU structure will go into effect on Tuesday, April 14th. At 10am Enterprise Infrastructure & Operations will update the directory sync scripts, and then Identity Access Management will kick off the scripts that remove NMBs and reassign them. The IAM scripts are the process that makes sure everyone trickles to their correct OU. Expect a 30 min to 1 hr timeframe for this sync to complete.

After the maintenance is completed, user objects should be found in the new OUs. Since NMBs are being reassigned, the start dates for all NMBs will be April 14th and no end date will be assigned.

I will be providing IAM the list of UFID-to-NMB assignments at 4pm on Monday, April 13th. Any NMB changes you make between that time and the completion of the following morning’s work will not be carried over. It would be best not to perform NMB assignments until this maintenance is complete.

Possible things to watch out for that have previously been mentioned:

  • Use of OU Autogroups.
  • GPO links on PEOPLE side
  • Query-based distribution groups which target OUs
  • Any custom scripts that target OUs.
  • Dependence on a set NMB end-date.
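
Three of the items in the list above (GPO links, query-based distribution groups, and objects still sitting in an old OU) can be enumerated from the directory rather than remembered. The script below is an added example, not part of the reorg plan or of IAM’s scripts: for each old PEOPLE-side OU it lists the GPOs linked to it, the dynamic distribution groups whose RecipientContainer is that OU or a child of it, and any user objects still homed there after the sync. It assumes the RSAT ActiveDirectory and GroupPolicy modules plus an Exchange Management Shell session; the OU distinguished names are placeholders I made up for the example, not the real UFAD DNs. Autogroups and custom scripts cannot be found this way and still need to be checked by hand.

```powershell
# Added dependency audit, not part of the reorg plan or IAM's scripts.
# For each old PEOPLE-side OU, lists what still references it before it is deleted:
# GPOs linked to it, query-based (dynamic) distribution groups scoped to it or a
# child, and user objects still homed there after the IAM touch.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules plus an Exchange
# Management Shell session. The DNs below are placeholders, not the real OUs.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

$oldOus = @(
    'OU=EG-MIS,OU=PEOPLE,DC=ad,DC=ufl,DC=edu',    # placeholder DN
    'OU=EG-PUBS,OU=PEOPLE,DC=ad,DC=ufl,DC=edu'    # placeholder DN
)

# Fetch the dynamic DLs once; there are usually far fewer of them than OUs.
$allDdgs = Get-DynamicDistributionGroup -ResultSize Unlimited

foreach ($ou in $oldOus) {
    $ouObj = Get-ADOrganizationalUnit -Identity $ou -Properties CanonicalName -ErrorAction SilentlyContinue
    if (-not $ouObj) { Write-Warning "$ou not found; skipping"; continue }
    $canon = $ouObj.CanonicalName   # e.g. ad.ufl.edu/PEOPLE/EG-MIS

    # 1. GPOs linked directly to this OU; the links disappear with the OU, silently.
    $gpos = (Get-GPInheritance -Target $ou).GpoLinks | ForEach-Object { $_.DisplayName }

    # 2. Query-based DLs whose RecipientContainer is this OU or anything beneath it.
    #    RecipientContainer renders in canonical form, so compare against CanonicalName.
    $ddgs = $allDdgs | Where-Object {
        $rc = "$($_.RecipientContainer)"
        $rc -eq $canon -or $rc -like "$canon/*"
    } | ForEach-Object { $_.Name }

    # 3. Users still in the old OU (should be none once the sync has run).
    $left = @(Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter *)

    [pscustomobject]@{
        OU             = $canon
        LinkedGPOs     = ($gpos -join '; ')
        QueryBasedDLs  = ($ddgs -join '; ')
        RemainingUsers = $left.Count
    }
}
```

Run it once before the April 14th sync to capture the GPO links and query-based DLs that must be re-pointed at the new OUs, and again afterwards, when RemainingUsers should read 0 for every old OU before it is deleted.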

EIO is currently reviewing the autogroup scripts to ensure that the new OUs will receive their corresponding autogroups. Additionally, the delegation of permissions will be completed this afternoon.

The old OUs will be deleted at a future date.

If you have questions about this maintenance please let me know.

UFAD Reorganization Update

Once again time to share where we are on this project.  We are in the home stretch.

Attached is the latest spreadsheet of what is happening with the reorg. It differs from the last one I sent in that I’ve added delegation groups for AD and UFX. There are also notes at the bottom of the sheet regarding what needs to happen. On Thursday these delegation group changes will happen (renames and permissions granted). Unfortunately the new permissions won’t be that useful yet, since they’ll be granted on the new OUs (and people objects haven’t moved yet).

I’ve asked before and recall that these groups were not being used in scripts or Shib ARP authentication, so these renames shouldn’t be an issue. However, if you notice something off late Thursday or after and it has to do with one of these groups, it may be because of a rename. Permissions are being added; they are not being removed from existing OUs (so you won’t lose any existing access you have to your current OUs).

Thursday afternoon I will also be meeting with Identity Access Management to finalize the date/time that they can handle our NMB touches. I’ve considered many different ways to handle the NMB touches to make sure people move appropriately. In the end, the best way is to work off UFAD data instead of trying to get data out of the directory. On the day the NMB touch is to be done, I will dump current data from UFAD, run it through my processes to create a list of UFID-to-NMB assignments, and supply it to IAM. If people exist in your old OUs they will exist in your new OUs. Where an old OU is being done away with, the NMB will be assigned based on the crosswalk below. You will then be able to use the DEPTIDs in the spreadsheet to move people about as you desire.

If you have questions please let me know.  I will let you all know the scheduled date of the NMB assignments change and IAM touch after my Thursday meeting.

CROSSWALK
ID CURRENT-OU NEW-NMB NEW-OU
1 CCE 19040000 ESSIE->CCE
3 CHE 19030000 CHE
4 EG-AA 19010200 EG-ADM->EG-AA
5 EG-ADM 19010000 EG-ADM
6 EG-BIOMEDICAL 19340000 BME
7 EG-BIOMEDICAL ENGINEERING 19340000 BME
8 EG-CIVIL AND COASTAL 19040000 ESSIE->CCE
9 EG-COMPUTER – INFO SCI & ENG 19140000 CISE
10 EG-DEANS 19010100 EG-ADM->EG-DEANS
11 EG-DEVELOPMENT 19011700 EG-ADM->EG-DEVELOPMENT
12 EG-DSA 19010300 EG-ADM->EG-DSA
13 EG-EDGE 19010400 EG-ADM->EG-EDGE
14 EG-EES 19100000 ESSIE->EES
15 EG-ELECTRICAL – COMPUTER ENG 19050000 ECE
16 EG-ESSIE 19070000 ESSIE
17 EG-FACILITIES 19011300 EG-ADM->EG-FACILITIES
18 EG-FESC 19380000 CHE->FESC
19 EG-FL CTR SOLID HAZ WASTE MGMT 19070300 ESSIE->HCSHWM
20 EG-FL TRANSPORT TECHNOLOGY CTR 19220300 ESSIE->T2
21 EG-FNP 19010800 EG-ADM->EG-FINANCE
22 EG-GEOMATICS 19220300 ESSIE->T2
23 EG-GRAD ENG – RES CTR 19120000 MAE->REEF
24 EG-GRAD ENGINEERING – RES CTR 19120000 MAE->REEF
25 EG-INDUSTRIAL – SYSTEMS ENG 19060000 ISE
26 EG-MATERIALS SCI ENGINEERING 19090000 MSE
27 EG-MECH AND AERO 19020000 MAE
28 EG-MECHANICAL – AEROSPACE ENG 19020000 MAE
29 EG-MIS 19011200 EG-ADM->EG-MIS
30 EG-NUCLEAR – RADIOLOGICAL 19090000 MSE
31 EG-NUCLEAR – RADIOLOGICAL ENG 19080000 RSC->UFTR
32 EG-PNP 19010900 EG-ADM->EG-PERSONNEL
33 EG-PROC 19011000 EG-ADM->EG-PROCESSING
34 EG-PUBS 19011500 EG-ADM->EG-MARCOM
35 EG-REACTOR TRAINING 19080000 RSC->UFTR
36 EG-RGP 19010600 EG-ADM->EG-RESEARCH
37 NIMET 19221100 RSC->MAIC
38 PERC 19330100 RSC->PERC
