Setting Up a Managed Workstation & Lite Touch

The Managed Workstation service has revised and added documentation for the commonly recurring task of setting up a managed workstation, including new documentation for a capability we provide that you may not be familiar with.

What and When:

There are two events in this notification:

  1. Notification of new documentation for a capability we believe should have been documented previously.
  2. Notification that there are a few things changing about that capability.

New documentation:

We’ve renamed the ‘Hardware and Repair’ document at https://it.uw.edu/wares/nebula/hardware-2/ to be ‘Setting Up a Managed Workstation’ to make it more clear that this documentation is where you go to find out how to do that task. There are three options listed: full service, self-service via CDW, and self-service via Lite Touch.

Linked from the ‘Setting Up a Managed Workstation’ document, we’ve also added documentation for a self-service option that provides Windows OS image deployment over the UW Network: https://it.uw.edu/wares/nebula/hardware-2/lite-touch/. Some customers have previously been told about this capability, and may be using it, while others have never been advised it exists.

Note: I expect we’ll have future additions to the ‘Setting Up a Managed Workstation’ document, as we are exploring other possible capabilities.

Changes to the Lite Touch capability:

We are retiring the legacy server providing the OS images for the Lite Touch capability, and already have in place a new server that provides up to date OS images. The customer interface provided by the legacy server advises customers to use the new server. Existing customers leveraging the Lite Touch capability should update their existing flash drive to use the new server that provides this capability. The legacy server will be unavailable for customer use after Friday, March 11.

What You Need to Do:

No action is required, unless you are currently leveraging the Lite Touch network-based OS deployment option. If you are, you need to update your existing flash drives before using it. See the Lite Touch documentation noted above for how to get a fresh flash drive.

More Info:

I want to express my apologies to customers who were not previously aware of this capability. Obviously, in the past we failed to document this capability and how you could leverage it. Some customers found out about it by asking, but we really should have represented this capability in our customer documentation before now. The good news is that this is now a capability all Managed Workstation customers can leverage.

Many customers use the self-service via CDW option to get their Managed Workstations set up. If that describes your usual approach, you may want to review your options afresh. The CDW option is excellent if you have little or no IT expertise within your department. If you have more than 5 computers to set up at once, we believe it is more cost effective for you to use the full service option (the CDW-supplied image option does cost an incremental amount per computer). Finally, if you do have some IT expertise available within your department, you probably want to consider the self-service via Lite Touch option, as that does not require any additional payment.

If you need to rebuild an existing Managed Workstation, the CDW option isn’t possible, so you may find the Lite Touch option is a good fit if you don’t want to pay for the full service option we provide. One scenario where you may need to rebuild an existing Managed Workstation is if it is compromised. Making sure that everyone has a way to rebuild an existing Managed Workstation that does not require the full service option is one of several reasons this gap in documentation came to light.

2016 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

==== New Capabilities and Improvements ====

* Self-service certificates for Delegated OUs. An AD-integrated certificate authority (AD Certificate Services) has been deployed. This allows Windows domain joined computers to automatically get a certificate which is automatically renewed. See https://wiki.cac.washington.edu/x/_69NB for more details.

* Azure Active Directory (AD) External User Invitations. Invitations to users outside the UW can be initiated by anyone with a UW NetID. This allows sharing of data, applications, and services where the method of authentication is Entra ID based. The most commonly used resource leveraging Entra ID that you might want to invite external users to share is likely SharePoint Online, which supports this for sites but not yet for OneDrive for Business. However, external users are useful beyond just SharePoint Online—think of them as federated users on steroids—where not only do you have to provide a user account, but you have a meaningful way to control their access to your resources which works just the same way as it does for a UW user. We have more orientation material on this capability planned.

* Entra ID device registration. There are many different ways to get a device registered with Entra ID, across varying operating system platforms. For example, there are three ways to get a Windows 10 device Entra ID registered. Registering your device with Entra ID enables certain data protection and security capabilities. If you take it one step further and join your device to Entra ID (only possible with Windows 10), you get interactive logon using your Entra ID user account. Many of the various ways to do this are not enabled today, but a few are. We have more orientation material on this capability planned, to help everyone wade through all the details.

* Microsoft Advanced Threat Analytics. This product provides machine learning capabilities to evaluate activity on domain controllers to identify anomalous events. This tool is capable of identifying attacks and persistent “hidden” compromises of highly privileged accounts.

==== Spotlights ====

* UWWI service staffing availability has been down over the past 12 months—this is because other UW-IT services have had higher priority work and staffing shortages. You may notice a smaller amount of new capabilities again in this 6 month period, which is attributable to this smaller investment. We’re waiting for a new employee to start who will help backfill this staffing gap.

* An Entra ID governance team spent an intensive amount of time this summer working through the many emerging capabilities Microsoft is providing that are tied to this technology, including identity, access management, device management, and application support. We should have an Entra ID Application Request process soon, thanks to efforts here. And again, we have more orientation material planned.

* The Enterprise Architecture program has encouraged the use of capability maps to facilitate communication about what’s provided and what’s needed. UWWI has created two capability maps, one for the overall service and one for Entra ID. You can view them at:

UWWI Capability Map: https://wiki.cac.washington.edu/x/sx5JB

Entra ID Capability Map: https://wiki.cac.washington.edu/x/sh1JB

Other services are developing capability maps, and over time you will likely be able to see connections. For example, you may also be interested in the Managed Desktop Capability Map: https://wiki.cac.washington.edu/x/LCBJB.

A brief description of the format used may help orient you. The use of color highlights specific capabilities and future planned initiatives in a broad capability area. The left side denotes some desired customer needs and outcomes. What’s within the rectangle with rounded corners is what is provided, although in some cases we haven’t yet provided an item or are planning to retire or divest (see the key to find those cases). The right side is a high level “roadmap” of imagined investment in initiatives. Between the key and rectangle with rounded corners is a laundry list of possible capabilities that we can imagine. Unfortunately, space constrains our imagination, so there are definitely things we’ve imagined but don’t list—we had to make a judgment call.

And that’s a really good note to end the description on—within a single page, it is hard to represent something like this, but the goal is not to create a perfect representation, but to encourage good conversations. Please do ask questions about this, either via the uwwi-discuss mailing list or help@uw.edu.

* UWWI plans to implement a design to address inactive user accounts. Of the ~770K NETID user accounts, only ~110K have been logged into over the last two year period. Reducing the risk and costs associated with the large set of unused user accounts is the primary goal of this design change. We are still refining the design after gathering some initial feedback within UW-IT, and when we have something we’re happy with, we’ll share it more broadly.

* We know that our customer documentation is currently split between two locations and this is not a good situation. We are exploring some options which should greatly improve this, which hopefully will come just in time for all the orientation material mentioned above.

==== Trends ====

* Since July, UWWI has sustained growth: +9 delegated OUs (112 total), +2 trusts (55 total), +~1750 computers (12389 total), +18k users (772k total), -12k groups (96k total).

* UWWI support requests are steady. 224 UWWI support records resolved since the last newsletter (vs. 241 in prior period).

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

==== What’s Next ====

Our objectives for the 6 months ahead include:

* Explore possible expanded uses of AD-integrated Certificate Authority, as identified by customer business needs

* Explore LAPS-E, a local administrator password management solution. See current discussion on uwwi-discuss about possibilities here.

* Explore Azure MFA and Microsoft Passport as possible Microsoft MFA solutions for the UW, so we are ready for a broader discussion about MFA at the UW later in the year.

* Enable Entra ID Applications, via releasing a request and approval process, working with Microsoft to extend its user consent framework, and providing integration guidance for developers

* Entra ID Application Proxy deployment. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Windows Integrated configuration. They gain a hardened, cloud-based endpoint, the possibility of leveraging conditional access capabilities such as Azure MFA, and can leverage the logging and security anomaly analysis investments Microsoft is building.

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Nebula to build a high security Windows file service offering in connection with a high security managed desktop offering

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support growing Nebula migration efforts into the NETID domain

* Explore possibility of offering basic managed desktop offering for a nominal cost (or possibly no cost), re-using the infrastructure Nebula brings to the NETID domain.

* Implement ‘inactive user design’

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* Deploy Microsoft Identity Manager’s Privileged Account Management capability to provide ‘just in time’ domain admin privileges instead of ‘always on’. This will reduce enterprise risk.

* Preferred Name (assuming this work has investment from the Directory Services service)

* Support emerging Monitoring Service by sharing Windows expertise

Of the 14 forecasted objectives we listed in the last UWWI News, here’s a review on how they turned out:

  • 3 were successfully completed: AD-CS, ATA, AAD gov
  • 4 were started and continue: RMS, Software Deployment (SCCM), Nebula Migration, AuthN restrictions
  • 3 depend on another service that has started its work but hasn’t yet reached the point where we can start: Preferred Name, MFA project, Monitoring service
  • 4 were not started: ADMT, Firewall GPO, PAM, LDAP signing

==== Your Feedback ====

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a capability map publicly visible at https://wiki.cac.washington.edu/x/sx5JB. This capability map includes a high-level summary of our roadmap. We can also provide more detailed information about our backlog if you have questions.

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, UWWI Service Manager

IE Browser Support

Browser support changes will be coming on 1/12/2016. Microsoft will drop support for older versions of Internet Explorer, leaving IE11 as the only supported version of Internet Explorer. Go to the OS and Browser Support page for information.

Undesired H: Drive Purge

H: drive deletions coming for those without departmental eligibility groups

Current staff members who are not in your department’s eligibility group will have their home directory (H: drive) deleted on 1/15/2015. Please verify that all of your staff members have been added to the correct eligibility group before that date.

More info:

Last summer we revealed that there were a significant number of Nebula home directories which we believed were undesired, primarily associated with individuals who had long since stopped having an association with the university. That was primarily because the Managed Workstation service didn’t have an active mechanism to capture when individuals should lose their eligibility for our service. We implemented the user eligibility mechanism which puts you as a customer in the driver seat of provisioning and deprovisioning home directories and some other user related access. As detailed above we didn’t complete connecting those eligibility groups with the home directory provisioning and deprovisioning until the end of February.

In December we notified those users with an “undesired” home directory who were still accessing that home directory to let them know that unless a customer marked them as eligible and paid for that home directory, that the home directory would be deleted.

In late January we removed access to undesired home directories.

In mid February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year.

Nebula to disable SSLv3

Nebula will disable SSLv3 on Nebula workstations and servers which still have it enabled.

What and When:

On Tuesday, January 5th, 2016, Nebula will configure managed desktops and its servers to no longer permit SSLv3.

SSLv3 is broadly used to encrypt sessions, but it is also very old and now considered insecure. Disabling SSLv3 should have little to no impact because there is broad support for TLS and no obvious impact on the user experience to using TLS instead of SSLv3. While the most secure option should be chosen when a client connects to a server, there are situations where that doesn’t happen, so this change will ensure that Nebula does not permit a less secure scenario.

What You Need to Do:

Nothing, unless you are responsible for a web server or other service that uses this protocol, in which case you should update to a stronger encryption protocol as soon as possible.

This is primarily an advisory to let you know that we’re making a design change to make Nebula more secure.

More Info:

There is a vulnerability in the cryptographic protocol Secure Sockets Layer version 3, or SSLv3 (see https://technet.microsoft.com/en-us/library/security/3009008.aspx). In order to prevent malicious actors intercepting your data, Nebula is disabling the weakened protocol SSLv3 for all Nebula managed desktops and all Nebula servers.

This change could affect anyone still using a service protected with SSLv3, and anyone using a version of Internet Explorer prior to 11. Since this protocol is being dropped across the industry, it is unlikely that you will be affected unless you use a site or service still only using SSLv3. If you anticipate or experience any difficulties that you believe are related to this change, please email help@uw.edu with the subject line “Nebula SSLv3 Change”.
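For administrators who want to verify this change on a Windows host, here is an added example (not Nebula’s own tooling) that audits the SCHANNEL registry settings Windows uses for SSL 3.0 and, with -Apply, writes the same disable values. The script name and the -Apply switch are this example’s own assumptions; the registry path and the Enabled and DisabledByDefault value names are the standard SCHANNEL ones.

```powershell
# Added example, not part of the Nebula announcement: audit (and optionally disable)
# SSL 3.0 in Windows SCHANNEL. Run from an elevated PowerShell session.
# Assumed script name: Check-Ssl3.ps1; the -Apply switch is this script's own convention.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Standard SCHANNEL location for per-protocol settings.
# "Client" governs outbound connections (e.g. Internet Explorer), "Server" governs
# services that accept TLS/SSL connections on the host (e.g. IIS).
$Ssl3Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    # Returns one object per side stating whether SSL 3.0 is explicitly disabled.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Ssl3Base $side
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # Only Enabled = 0 turns the protocol off. A missing key means the OS default
        # applies, which on the Windows versions of this period still allows SSL 3.0,
        # so "not set" is reported as "not disabled".
        [pscustomobject]@{
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            Ssl3Disabled      = ($enabled -eq 0)
        }
    }
}

function Disable-Ssl3 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Ssl3Base $side
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0 and DisabledByDefault=1')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

$before = Get-Ssl3State
$before | Format-Table -AutoSize

if ($Apply -and ($before | Where-Object { -not $_.Ssl3Disabled })) {
    Disable-Ssl3
    Write-Host 'SSL 3.0 disabled in the registry; SCHANNEL reads these values at boot, so reboot to apply.'
    Get-Ssl3State | Format-Table -AutoSize
}
elseif (-not $Apply) {
    # Non-zero exit lets a scheduled task or compliance check flag hosts that still allow SSL 3.0.
    exit [int](($before | Where-Object { -not $_.Ssl3Disabled }).Count -gt 0)
}
```

Run without arguments to audit; run with -Apply (or -Apply -WhatIf to preview) to set the disable values, then reboot.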

Changes in accessing Nebula file services

Access is now based on eligibility groups managed by each customer. As users are added to and removed from eligibility groups, access to Nebula services will be added or removed. If you are unsure or do not know what your eligibility group is, send an email to help@uw.edu.

If you do not have a UW eligibility group and need to create one, instructions are on our webpage: ‘How do I set up an eligibility group for my department?’

Network Incident -> Groups Incident -> UWWI incident

Some UWWI groups are not currently in complete sync with the Groups Service

What and When:

This past weekend there was a significant network incident. That led to a Groups Service incident. The impact of the Groups Service incident was that change notifications for groups changed during that part of the weekend were never sent to UWWI.

UWWI also had an incident because of the network incident and had to restart our group agent, but that only delayed the processing of group change notifications. However, most of the group change notifications were missing in action because the Groups Service had its own incident.

9172 groups were changed during that period, but due to our efforts, there are now fewer than 7100 UWWI groups which are out of sync with the Groups Service. Affected course groups have already been fixed.

What You Need to Do:

Be aware that there may be some slight group inconsistencies in UWWI for a little while longer.

More Info:

We have a standard way of resyncing groups which are out of sync, and once a month every group is subjected to this examination to ensure that no group stays out of sync. This process is more resource intensive (it examines the state, figures out what is missing, and then fixes it, instead of just applying the changes). We’re selectively applying this to the group changes that went missing during the Groups Service incident, but it’ll take a bit for that to reach completion.

There are ~91,000 total groups in UWWI so this affected about 1/10 of all UWWI groups.

Brian Arkills

UW Windows Infrastructure Service Manager