
MyIT release includes estimated FY16 costs

A MyIT release which includes estimated monthly FY16 costs is now available.

 

What and When:

As of Wednesday, MyIT includes new information on the “IT Things I Own/Manage -> Nebula Departments” page, aka https://support.nebula.washington.edu/myIT/myNebulaDepartments.aspx. Department contacts will see 4 new columns on that page for each department representing estimated FY16 costs for desktops, group directories, home directories, and a total FY16 monthly cost. The total is side-by-side with the current monthly cost allowing for easy comparison.

 

NOTE: estimates are based on preliminary FY16 rates for the Nebula Managed Desktop service and are subject to Management Accounting & Analysis (MAA) review and approval.

 

What you need to do:

You can review your estimated costs and if necessary take actions to reduce your usage to reduce your future costs.

 

NOTE: Estimated home directory costs are the least accurate component. This number includes users associated with your department who are long gone. Those “old” home directories will be purged in the future after you give us an eligibility group. In the coming weeks, we plan to purge “old” home directories in bulk across all Nebula departments, removing any Nebula account not in those eligibility groups. So take this into account when reviewing the home directory estimated cost. Except for urgent user removals, we ask that you not ask us to delete “old” home directories at this time—it’ll save us all a lot of time and costs to defer that to a one-time purge. :)

 

More info:

Getting us that eligibility group is important. If you need help getting a Groups Service home group under “uw”, e.g. “uw_pottery”, for your eligibility group, we can help streamline that process. Send us a request and we’ll facilitate the request fulfillment process with the Groups Service team for you. We’d like to purge your old home directories. Help enable us to do that. :)

 

NOTE: the eligibility group is intended to represent any of your users who need access to Nebula resources. This would include people in your department but might also need to include accounts that are not people, such as a Shared UW NetID. If the user needs access to one of the following, then it should be included: Nebula VPN, Nebula home directory, Nebula group directory, Nebula desktop.

 

A future MyIT release will provide the ability to input budget information for Nebula file service costs.

 

After the future MyIT release just mentioned, Nebula plans to call department contacts who haven’t provided an eligibility group and budget info for Nebula file service costs, to help make sure we have that information to enable continued service.

 

Our existing assignment of group directories has some inflexibility in its design. We are working on a more flexible design. We don’t believe this affects a lot of customers, but it is important to us because it is important to some of you. We hope to have a solution to this before we bill at the end of July. If we don’t, we’ll provide a workaround which will minimize the impact to customers.

 

Preliminary FY16 rates

Preliminary FY16 rates for the Nebula Managed Desktop service are available.

 

What and When:

As of late yesterday, preliminary FY16 rates for the Nebula Managed Desktop service were submitted to Management Accounting & Analysis (MAA). MAA provides final review and approval of rates for all cost-recovery centers at the UW.

 

We believe these rates will be approved, but they are not final until MAA approval. We will notify you only if these preliminary rates are not approved.

 

The preliminary rates are:

  • Nebula desktop rate: $34.50/desktop/month
  • Nebula file storage: $.25/GB/month

 

The other Nebula rates (Consulting, Nebula Windows file service, and Nebula training room for non-Nebula customers) are unchanged.

 

What you need to do:

If you haven’t provided an eligibility group for your department (and very few of you have), you really need to do that. Contacts for Nebula departments should visit https://support.nebula.washington.edu/myIT/myNebulaDepartments.aspx to supply that information. This will tell us who your active users are. If you need help with this, please contact us for help.

 

More info:

Our desire is that no one manage user removals manually by contacting us with a long list of users to remove, unless there is an urgent need to disable access. If there is no urgent need, then you should use the new process we are establishing. That new process is that you give us an eligibility group. In bulk across all Nebula departments, we remove any Nebula account not in those eligibility groups.

 

We plan to make those removals before FY16 starts, and there should be more communication about that.

 

We plan to have an update to MyIT next week which provides you estimated costs for FY16 based on existing use. There will be more communication about that.

Update to MyIT portal published–please verify department contact and provide active users for your department

The MyIT portal has been updated.

 

What and When:

This morning, several changes to the MyIT portal were published.

 

The changes included are:

  • Nebula Departments page – new. You’ll find this under the left-nav bar, under ‘IT Things I Own/Manage’.
  • Department Detail page – new. You’ll find this under the left-nav bar, under ‘IT Things I Own/Manage’, under ‘Nebula Departments’, when you click on a department listed.
  • Group Sync Info page – new. You’ll find this under the left-nav bar.
  • ‘Export to csv’ capability sprinkled across more pages.

 

What you need to do:

We have a variety of things we are asking those that consider themselves a contact for a Nebula department to do.

 

  1. Help us get the Nebula contacts in order. Go to https://support.nebula.washington.edu/myIT/myNebulaDepartments.aspx and review what departments are listed. Our contact information is in a sad state of affairs, and we need your help to get it updated. There is more info below which may be useful.
  2. Provide a list of active eligible Nebula users for your department. These are users that your department is willing to pay for the associated costs, and for which you would like their access to Nebula resources to continue. Create a group in the Groups Service (https://groups.uw.edu) which has all of these users as members. Then add it to your department via the myDepartmentDetail page noted above (e.g. https://support.nebula.washington.edu/myIT/myDepartmentDetail.aspx?department=pottery if your department was pottery).

 

We’ll be sending a separate email to anyone currently listed as a contact, to ensure that all who might need to hear about this get the message.

 

More info:

 

General Questions/issues you may have

  • “I don’t know why you think I’m a contact for a Nebula department, please remove me.” We’d ask you to provide a better contact, if you are able. Maybe your manager knows? If not, you can remove yourself or ask us to.
  • “Our department hasn’t had that name for several years, can you rename it?” Absolutely. Just send us a request via help@uw.edu.
  • “We’ve had reorganizations and this Nebula department is now spread across several departments you don’t know about.” We can help with that. Just send us a request via help@uw.edu.

 

Department Contact Info

The state of the Nebula department contact information is not good. We worked hard at populating some best-guess contacts for Nebula departments which had none recorded–relying on service team experience and some data analysis, but I am certain that much of our contact information is faulty. Having valid information about the contacts for your department is important so we can provide you the services you need. We really appreciate your time helping us help you. :)

 

Here’s a reference for choosing which individual fills the following roles for your Nebula department:

  • Billing contact: this is the person who gets bills for this department. They may need to access MyIT for billing data.
  • Owner contact: this is the person who makes decisions for this department. They may need to access MyIT for a variety of data.
  • Tech contact: this is the person who provides local IT support for this department. They may need to access MyIT for IT management data.
  • Tech contact alternate: this is a backup for the tech contact.

 

Department User Info

Similarly, the state of our information about Nebula department users is not good. But don’t take my word for it—see https://support.nebula.washington.edu/myIT/myNebulaUsers.aspx, which lists all the users we think are “active” for your department. I think you’ll agree that we need some help getting that cleaned up. That’s why we’re asking you to provide and maintain a group of users associated with your Nebula department that are eligible for Nebula services. We’ll use what you provide to clean up, and looking ahead to FY16 only charge your department for the users who you tell us are active and eligible. In the future, you’ll maintain that group to remove Nebula services for that user at the time you choose or to add additional users.

 

We suggest that the group name (the group id) end with _nebula_eligibleusers, e.g. uw_pottery_nebula_eligibleusers might be all the Nebula eligible users from the pottery department. If you need help using the Groups Service, help@uw.edu can assist, or you can read the documentation noted at https://groups.uw.edu.

 

One tip to consider with regard to maintaining that group: if all your eligible users should be employees, you can use a dependency group of “uw_employee”. If you do this, when a member of your group drops out of the uw_employee group, they will automatically be removed from membership in your group. The uw_employee group is automatically maintained based on university data around employment, with members removed at the 2nd pay period after their termination date.
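
A small model of the bulk purge and the uw_employee dependency tip described above, as an added example (not Nebula or Groups Service code). The `Group` class, the treatment of a dependency group as an intersection filter, and every account name are assumptions constructed for illustration; it shows that the dependency removes a departed employee automatically but also filters out a Shared UW NetID, which then lands on the purge list.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Group:
    """Hypothetical stand-in for a Groups Service group (not its real API)."""
    group_id: str
    members: frozenset
    dependency: Optional["Group"] = None

    def effective_members(self) -> frozenset:
        # Assumption: a dependency group acts as a filter. Anyone who drops
        # out of the dependency group also drops out of this group.
        if self.dependency is None:
            return self.members
        return self.members & self.dependency.effective_members()


def purge_candidates(nebula_accounts, eligibility_groups) -> frozenset:
    """Accounts that appear in no eligibility group's effective membership."""
    eligible = frozenset().union(
        *(g.effective_members() for g in eligibility_groups)
    )
    return frozenset(nebula_accounts) - eligible


def unexpected_drops(group: Group, must_keep) -> frozenset:
    """Pre-purge check: accounts the department listed and wants to keep,
    but which the dependency group silently filters out."""
    return (frozenset(must_keep) & group.members) - group.effective_members()


# --- Constructed sample data (not real accounts) ---------------------------
# carol has left the university and is no longer in uw_employee.
UW_EMPLOYEE = Group("uw_employee", frozenset({"alice", "bob"}))
# Members the department contact added directly; potshared is a Shared UW NetID.
DIRECT_MEMBERS = frozenset({"alice", "bob", "carol", "potshared"})
# Everything Nebula currently holds for the department; dave is long gone
# and was never put in the eligibility group.
NEBULA_ACCOUNTS = frozenset({"alice", "bob", "carol", "potshared", "dave"})


def demo() -> dict:
    """Compare the purge outcome with and without the uw_employee dependency."""
    results = {}
    for label, dep in (("with_dependency", UW_EMPLOYEE),
                       ("without_dependency", None)):
        group = Group("uw_pottery_nebula_eligibleusers", DIRECT_MEMBERS, dep)
        results[label] = {
            "purge": sorted(purge_candidates(NEBULA_ACCOUNTS, [group])),
            "unexpected": sorted(unexpected_drops(group, {"potshared"})),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```
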

Nebula Managed Desktop service catalog update

A change to our service catalog entry occurred.

 

What and When:

On Saturday, March 21st an updated service catalog entry was published at https://depts.washington.edu/uwtscat/manageddesktop.

 

What you need to do:

Nothing. This is purely an advisory to you that we’ve updated the catalog entry that describes the service, so you aren’t caught off-guard.

 

More info:

This update isn’t intended to introduce any significant change to what the service provides, but rather was a refactor of our catalog description to more accurately represent what we are providing. As an example, one topic that came up recently on the nebula-discuss mailing list—OS support practices–is now clearly called out.

 

I plan to update the catalog entry when we make service design changes that impact what’s there. So for example, assuming we separate Nebula file services from the core package, we’d update the catalog to represent that change at the same time we adjust the FY2016 rate information tied to that change.

 

If you have concerns or questions about this update, please send email to help@uw.edu with “Nebula service catalog update” in the subject line.

 

Nebula phone practice change: 4/6/15

A change to our phone practices is planned.

 

What and When:

On Monday, April 6th Nebula will change its phone practices.

 

When you call the UW-IT Service Center (221-5000), the service center staff will do the same initial triage they’ve always done when you call for any UW-IT services. If they can’t easily resolve the issue, they’ll create a request record for Nebula in UW Connect and end the phone call, just as they do for every other UW-IT service. Nebula service staff will see your request and begin work. In some cases, they’ll call you back, in other cases, they’ll correspond using email from UW Connect.

 

The expectations you can have for our response will remain the same—we’ll respond in less than 4 hours during business hours, and we’ll continue to treat incidents urgently.

 

What you need to do:

Nothing. This is purely an advisory to you that we’re changing our practices so you aren’t caught off-guard.

 

If there is urgency associated with your request, you are encouraged to let the UW-IT Service Center staff know that when you phone. This will result in the request being marked as more urgent, with a different level of response from Nebula.

 

More info:

We believe this change will reduce the number of times you have to repeat information to Nebula staff that you previously gave the service center staff, as well as eliminate awkward pauses while we pull up any information that may or may not have been captured in a phone interaction prior to our staff being on the line. Put another way, this gives us a little extra time to be prepared to help you with your specific issue, instead of wasting some of your time while we come up to speed.

 

We believe it makes sense to have the UW-IT Service Center specialize in answering phone calls, giving us more time to focus on fulfilling your requests and improving the service. Improvements that the UW-IT Service Center makes will be realized by Nebula. By removing ourselves from that initial phone call activity, we believe there will be improved consistency across all UW-IT services.

 

If you have concerns or questions about this planned change, please send email to help@uw.edu with “Nebula phone practice change” in the subject line.

 

Spring 2015 Customer Meeting

Thanks to everyone who joined us for the customer meeting! Our initial foray into recording the meeting failed, so we don’t have a recording to share. But we’ll try again next time, hopefully with more success.

Here are some notes from the meeting.

—————–

Nebula Customer Spring Meeting, Mar 5, 2015

Brian Arkills, Service Manager for Nebula Managed Workstation, gave a PowerPoint presentation based on the topics discussed in the most recent Newsletter.

Presentation summary:

  1. Folks who wish to continue receiving the newsletter should join the nebula-discuss mailing list.  See https://it.uw.edu/wares/nebula/contact-us/  for more information on communication options including nebula-announce.
  2. We’ve clarified the auto-response situation so you now have only one REF # for any request.
  3. Your Nebula billings have moved to the Non-Recurring tab of the Technology Service & Equipment bill; this is temporary while we work out some infrastructure changes, then they will be back on the Recurring tab.
  4. Corrupt Outlook profile workaround published; more self-help docs coming.
  5. Nebula2 -> NetID user conversion:  volunteer now for more help and date flexibility; in 6 mos we will be assigning conversion dates. This change is very important for retiring old equipment and making future improvements, such as making package development more readily available between campus units.
  6. We hope for a small rate reduction in FY16 (starts 7/1/2015) to reflect lower costs, plus we will separate file storage service from the core service, so you will pay for only the space you use (in both H: and I: drives)
  7. What’s next:
    1. Mac VPN – we will be changing the design of the VPN so that Mac users have easier access.
    2. We will start billing out of UW Connect, the new ticket managing system.
    3. Windows 10!
    4. Data encryption with Azure RMS pilot – let us know if you’re interested!

Questions

  1. Q: Can you help us moving group memberships from Nebula to NETID groups?  A: Yes.
  2. Q: What do we do with training room (or conference room) computers? A: ask us to change the default domain login to NETID.
  3. Q: if I’ve never used Nebula2 logins, do I have to worry about NETID logins?  A: no, you’re already doing the right thing.
  4. Q: Where are the Google storage and retention limits and policies on line (couldn’t find on Google Apps page)? A: we will publish this on the IT Connect page.
  5. Q: Is mapping the My Documents folder to the H: drive going to go away (please say yes)?  A: it’s already gone if you’re using Windows 8.  (Straw poll showed no other interest in getting rid of the mapping in Windows 7.)
  6. Q: Can we map a drive to Google?  A: no, but you can set up a sync process so you have a local folder that syncs to your Google drive.
  7. Q: What can you tell us about the H: vs U: drives?  A: it’s the same GPFS infrastructure, but different environments; in fact Nebula’s is a little behind.  U: drive now has 20GB free space available.
  8. Q: Can we use U: drive as a replacement for H:?  A: yes. (You can even map a drive to it.)
  9. Q: How can we see file space usage (H: and I: drives)?  A: your department contact will be able to see it; more on that soon.
  10. Q: Can you help us help our users manage their passwords? A: yes; we’ve looked at LastPass Enterprise license (widespread interest in audience for this).  Password can be passed to end-user, but not revealed to them.

Comments

  1. Google: it’s more difficult for group sharing.  Will be a learning curve.  Does integrate with UW Groups.
  2. Still some departments who can’t upgrade IE due to vendor issues (Medisys, Eprocurement, OHM, MyChem)
  3. Windows 10: we are in the early adopter program.  Win10 will have both IE and a new browser.  We’re hoping it’ll have better in-place upgrade options from Win 7 and Win 8.
  4. Many VPN users haven’t transitioned to new VPN because they’re using systems that haven’t needed a rebuild.  We need to have you using the correct VPN;  instructions are here.

Nebula Newsletter March 2015

Welcome to our first semi-annual Nebula service newsletter, which brings you valuable updates and information to help you make the most of our services. Because this is our initial newsletter, we are sending it to all Nebula users. We hope you’ll opt into receiving future issues by signing up for the nebula-announce mailing list, a low-volume mailing list we use to send customers notices about service interruptions and notable design changes, in addition to this newsletter. Go to https://itconnect-test.uw.edu/wares/nebula/contact-us/ for info on how to join that list.

 

==== New Capabilities and Improvements ====

 

* Nebula-discuss: A new two-way communication channel was created to encourage discussion of Nebula services: You can send email to it and so can the service team. The primary goal is to enable interaction about the service so that we can hear from you, and you can hear from each other. This will surface business needs, may expose recurring problems we have missed, and provides a way to ask questions about the service. This isn’t intended as a way to make requests.

 

To join the nebula-discuss mailing list, please see https://itconnect-test.uw.edu/wares/nebula/contact-us/

 

* Auto-email-responses: In January, we eliminated a confusing email response that said, “Your request has been resolved and will automatically close in 3 business days” when your request for help led to a consulting engagement.

 

* Billing changes: We changed our process for billing charges for Nebula desktops to simplify it and to make it more accurate. Nebula desktops moved from the recurring portion of your bill to the non-recurring portion of your January and February bill, as an unfortunate side-effect, but we expect to move Nebula desktops back to the recurring portion of your bill in the near future–likely the bill covering March.

 

* Customer Portal: We updated the MyNebula customer portal to be the MyIT customer portal. This portal provides reports and information about the computers and IT services you use, and provides departmental contacts more information about their department’s use. Several capability improvements have been added in the last six months, which are detailed in its change log.

 

====Spotlights====

 

* Customer meeting: A Nebula customer meeting is scheduled for Thursday, March 5,  from noon until 1pm in the UW Tower auditorium. The agenda is to review the material in this newsletter in more detail and take any questions. We look forward to seeing you there. 

 

* Self-help: Our support specialist Tobin Wood documented some common workarounds for when your Outlook profile gets corrupted. We plan to publish more of the workarounds in our internal documentation so you will be able to help yourself. We expect to increase the amount of self-help documentation to our Nebula customers.

 

* NETID user account conversion: We prioritized converting the Nebula2 user accounts to NETID user accounts for customers from UW-IT. This has helped improve our experience and highlight outstanding issues that need workarounds. We expect to leverage these lessons as we prioritize getting other customers converted.

 

Converting from Nebula2 user accounts to NETID user accounts reduces how often you have to log in, reduces our service costs, simplifies the infrastructure needed, and will enable Nebula to leverage investments made in the service providing the NETID user accounts.

 

In the next six months, we would like everyone to self-elect to change to NETID user accounts. At the end of that time frame,  we’ll be phasing out Nebula2 user accounts. That means we will have to make the switch for you, if you haven’t done so already. We believe if you self-elect, the impact to you will be less.

 

If you’d like to volunteer your department (or just a single user) for conversion, please send us an email with “Nebula2 to Netid user conversion” in the subject line. There are self-service or assisted options (and we won’t charge extra for basic assistance). The self-service directions are at http://www.uw.edu/itconnect/wares/nebula/news/netid-logins/.

 

* Core bundle changes: There are two anticipated changes to the Nebula Core bundle for FY 2016. These changes aren’t set yet, but this is the direction we are exploring at this time:

 

-We are in discussions to reduce the rate by a small but appropriate amount to reflect the cost of running the service. Our financial forecast suggests we can sustain a reduction, but we’re still running down some outstanding costs and preparing the financial model to support it.

 

-We plan to remove file services from the Nebula Core bundle for FY 2016 and instead charge for Nebula file services separately.

 

This would mean the Nebula Core desktop rate would be reduced by the average cost per desktop that Nebula pays to cover Nebula use of UW-IT provided file services. We’d then charge for file service use, i.e., the cost of how much file storage is used.

 

Today, some of you are subsidizing others’ file service use, while others are using a lot more. In the future, you’ll be paying for what you use.

 

We anticipate that there will be impacts and consequences of this change. Examples we imagine include:

-You may pay closer attention to which user accounts have Nebula service and file storage. A side benefit is that you will inform us more promptly when users should be removed from Nebula, as we have no good way of knowing this kind of information today.

-You may have a higher interest in no-cost file services such as Google Docs and OneDrive for Business, which  encourages users to move their files in a strategically beneficial direction for the UW.

 

If you’d like to explore Google Docs or OneDrive for Business but need help getting started, let us know.

 

We will let you know more about these anticipated changes when final decisions have been made. If you’d like a rough idea of your expected monthly costs for file services, you can review this report in the MyIT portal: https://support.nebula.washington.edu/myIT/fileServices.aspx. If you aren’t listed as a departmental contact, this report won’t show you anything useful. If you’d like to get added as a departmental contact, let us know.

 

==== Trends ====

 

Below are statistics across the Nebula service. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

 

* Usage stats. Since August 2014, Nebula has:

-Basic stats: -50 computers (~3400 total today), +150 users (~4900 total today), +150 groups (~3000 total today)

-IE browser: +250 IE11 (~2750 total today) and -100 IE10 (~300 total today)

-OS: +0 Windows 7 (~2900 total today), +125 Windows 8.1 (~350 total today), +0 MacOS (~22 total today)

-Nebula VPN use: +18 sessions on average (~18 sessions total average with a peak of 35)

Notes:

-VPN stats reflect unusual increase due to stats from one VPN server not previously recorded.

 

* Operational assistance stats

-Support requests have grown by 16.7%; 2451 Nebula support tickets resolved since 8/20/2014 (vs. 2100 in prior period).

-Incidents have grown by 223%; 58 Nebula incidents resolved since 8/20/2014 (vs. 26 in prior period).

Notes:

-Prior to the past six-month period, incident reporting was optional, so there were likely quite a few more actual incidents than were recorded.

-We’ve changed operational tools during the last year, so the request and incident comparison for the prior period is suspect and we’ve had to make some data compromises. Next time this data and the comparisons should have more validity.

 

==== What’s Next ====

 

Our objectives for the next six months include:

 

* Activities related to FY 2016 core bundle change, as noted above.

* Activities related to the Nebula2 user transitions, as noted above.

* Make some design changes related to the Mac VPN so it isn’t a blocker for letting go of the Nebula2 user account.

* Publish more self-service documentation to enable you to help yourself. We hope this will help drive down our costs, so we can increase our improvement investments and/or further reduce the service cost.

* Support a UW-IT project team in enabling UW Connect to submit billing data for consulting requests. We anticipate that there may be some changes to your experience of budgets and billing for consulting requests.

* Replace the servers behind our aging software deployment infrastructure (System Center Configuration Manager or SCCM). We also will explore moving Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Nebula customers might use.

* Explore the unreleased Windows 10 operating system. In particular, in tandem with the above software deployment infrastructure refresh, explore how it might enable us to provide a self-service, in-place OS upgrade experience, and other options that would lower our delivery costs.  We expect this will enable you to trigger your existing computer to get automatically upgraded without losing your user customizations. In general, our goal is to be prepared to support this new OS shortly after it is released.

* Via a pilot with some higher risk departments, explore a solution that provides data encryption capabilities regardless of where the data is stored, has broad cross-platform support and advanced tracking capabilities (Azure RMS). We suspect this is a strategically important technology for risk mitigation, but we need to verify.

 

==== Your Feedback ====

 

Supporting your needs for Managed Workstation capabilities offered via the Nebula service is our priority, so we welcome feedback on how we can make the Nebula service more valuable to you.

 

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, Nebula Service Manager

Nebula billing change

A small change is planned to how Nebula does billing.

 

What and When:

Beginning with the bill you receive in February, Nebula desktops will show up in the non-recurring portion of your bill.

 

What you need to do:

Nothing. :)

 

Why we are making this change

We’ve made some changes to the way we internally report billing charges to both simplify the process and improve the accuracy. Moving where the Nebula desktop charges show up in your bill is an unfortunate side-effect that we anticipate we’ll be able to change back in the near future.

 

More info:

It’s possible that you’ll see a Nebula desktop (that has been a Nebula desktop) show up on your bill for the first time, because our previous process allowed a few to go uncharged. The good news is that those prior missed charges are our fault–you won’t be back billed for them.

 

If you have questions about this planned work, please send email to help@uw.edu with “Nebula billing change” in the subject line.

 

2015 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Unix, Linux, and Mac Integration with UWWI Active Directory. Many customers already join their Macs, and some join their Unix computers to the NETID domain. We removed obstacles to using PowerBroker Enterprise or Open in the NETID domain, and put documentation together to help guide customers who would like these benefits but don’t know how. See https://wiki.cac.washington.edu/x/nCwJB for more. Customers with tips are encouraged to share them via the community suggestion wiki page: https://wiki.cac.washington.edu/x/-jAJB.

 

* Domain based DFS capability is now available. This provides redundant distributed file redirection services, allowing you to easily add and remove file servers without impacting your customers. Several customers are already leveraging this capability. See https://wiki.cac.washington.edu/x/obv5Aw for more info. Note: we recently partnered with a customer to get DFS-R working. Our documentation will be updated to reflect this new possibility in the coming months.

 

* Reduced latency for Entra ID directory synchronization from 3 hours to 1 hour. This primarily benefits customers of the MSCA service, but also benefits those integrating applications with AAD, and with the future release of Windows 10 it should provide other benefits.

 

* Self-service SPNs for application UW NetIDs. This permits owners of an application UW NetID to register service principal name values on their own without assistance from the UWWI service. See https://wiki.cac.washington.edu/x/5CwJB for details. This new capability means that customers can manage SPNs on:

-Computers in their delegated OU

-Group Managed Service Accounts (gMSAs) in their delegated OU

-Application UW NetIDs they own

 

* Major upgrades and refactors:

– Geographic redundancy achieved for all business critical systems in the UWWI service.

– UWWI Group Sync Agent redundancy. We deployed a 2nd passive server with the UWWI Group Sync agent on an Azure VM via the UW-IT Standard Managed Server service. If you’d like to hear more about our experience with Azure VMs, let us know.

– All NETID DCs upgraded to Windows Server 2012 R2. Forest and Domain functional level moved to Windows Server 2012 R2.

– UWWI Kiwi Agent version release pending. Admin and Application UW NetID behavior changes.

– WINS server replaced

 

====Spotlights====

 

* UWWI service staff had a significantly higher operational load over the past 6 months—historically, about double our usual number of requests in the same period of time.

 

* The ‘Bring Your Own Zone for DDNS’ work was cancelled, due to lack of customer interest given the constraints we inherit from the UW network design. Customers are highly encouraged to talk to the campus DNS service for needs they have which aren’t currently being met.

 

* Over the last several months we evaluated two new security capabilities Microsoft provided with Windows Server 2012 R2, Protected Users and Authentication Policies, for use at UW. Our evaluation showed they aren’t effective for the most common scenarios, especially for the most pressing need: protection against the Pass-the-Hash style attacks behind most of the credit card breach news stories over the past year. For our analysis, see https://wiki.cac.washington.edu/x/8zAJB. Instead, we plan to make the following security investments:

– For privileged user accounts, experiment within UW-IT with some alternate protections and, if these are effective, share them more broadly with some kind of self-service opt-in mechanism,

– Reduce use of NTLMv2,

– Continue active work on reducing and mitigating existing LDAP simple bind logons (passwords sent in clear over the wire),

– We also believe Microsoft will bring some more significant protection capabilities in 2015, so we will watch developments closely

 

* NTLMv1. Brian Arkills has presented on our experience to other universities on a couple occasions. The latest presentation, given via a webcast that Internet2/InCommon provides, was recorded and can be viewed at: http://internet2.adobeconnect.com/p9kl8urgl67/. This requires installation of the Adobe Connect add-in.

 

* James Morris is an invaluable part of the UWWI service team. While the UWWI service only has a very small fraction of his time, we put that time to high use by leveraging his excellent design skills in the early parts of our planning and relying on him to provide backup coverage when one or more of the service team are out. James often foresees problems in design and architecture before anyone else, which enables us to improve the design before you see it. We appreciate his contribution and the deep engineering background he brings to our service team.

 

==== Trends ====

 

* Since January, UWWI has: +3 delegated OUs (94 total), -1 trusts (56 total), +~1000 computers (9694 total), +~16k users (704k total), -8k groups (89k total).

* UWWI support requests have grown by 85%!!! 347 UWWI support records resolved since July (vs. 188 in prior period).

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the 6 months ahead include:

* Continue exploration of deploying an AD-integrated Certificate Authority to enable a variety of multi-factor scenarios and easy internal website certificate renewal.

* Simple Bind Reporting/Notification to improve the security of UW NetIDs.

* Internal documentation refactor to improve our operational effectiveness.

* Minor Group Sync code fixes/improvements

* ADMT 3.2 upgrade

* AD snapshots to improve our ability to recover from unexpected AD incidents including possible AD corruption

* Internal HyperV upgrade with several VM migrations to reduce our operational costs

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* UWWI security improvements, NTLMv2 explorations and privileged user risk mitigation

* Preferred Name (assuming this work moves forward as part of the HR/P project)

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support Authentication service in exploring Multi-factor Authentication solutions for Windows

* Support emerging Enterprise Monitoring Service by sharing Windows expertise

* Support the future Microsoft Campus Agreement goals by contributing to a 3-5 year Microsoft technology roadmap

 

Of the 8 forecasted objectives we listed in the last UWWI News, here’s a review of how they turned out:

  • 7 were successfully completed
  • 1 was started and continues: AD-integrated CA explorations

 

Note: Of the top 7 incomplete items from last summer’s UWWI customer survey, http://ontheroa.uservoice.com/forums/258239-uwwi, 6 are represented above (4 of the survey items have been marked complete and are no longer visible at the URL). Many of these require other services to prioritize work, and given their competing priorities, some of this work may not be able to move forward. For these initiatives that depend on others, our investment will reflect the priorities you’ve indicated to the extent we aren’t blocked. Should a dependency blockage extend too far or we don’t have confidence that there will be timely progress, we will consider the possibility of moving away from a dependency on a strategically positioned service to a tactical solution we deploy to meet your needs, but that’s an option we don’t yet need to exercise.

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a backlog or roadmap visible to customers at https://wiki.cac.washington.edu/display/UWWI/UWWI+Roadmap where you can see more details about current and some future work items.

 

You can voice your support for future objectives to help us rank priorities by voting in the survey, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, UWWI Service Manager

 

New mailing list & communication practices for Nebula

We’ll be making a couple changes to the way the Nebula service communicates with you.

 

This mailing list will continue to function as a 1-way communication channel for important announcements. This will continue to include things like changes to the service design, and other broadly useful communication. My goal is to keep communication to this mailing list to the minimum you might need to be aware of what’s going on with Nebula.

 

In the past, there have been a number of other Nebula related mailing lists. Some you may have heard about and others you probably didn’t, but at this point all those lists are dead. I’ve co-opted the membership of one of those prior lists (neb-tech) to initially seed the membership of a new mailing list called nebula-discuss (nebula-discuss@uw.edu). This new mailing list serves two functions:

  • It provides a 2-way communication channel. You can send email to it, and so can the service team. The primary goal here is to enable interaction about the service so that we can hear from you, and you can hear from each other. This will surface business needs, it may expose recurring problems we have missed prioritizing, and it should provide you a way to ask questions about the service. This doesn’t mean you send email to this mailing list to get support or make requests.
  • It provides a second list for us to send much more detailed information about the service. Folks who are on this new nebula-discuss list will see a larger volume of emails than nebula-announce, and because of this expectation, we will send more detail about what we’re doing to the nebula-discuss list. I have a regular practice of sending a monthly operational update about the services I manage. That update includes details about operational trends we are seeing, incidents, a detailed list of planned changes in the upcoming month (higher impact changes would also go to nebula-announce; this is just a more complete list), and some information about what kinds of improvements we’re hoping to work on. I haven’t yet been able to send a monthly update for Nebula because we needed to get this mailing list in place, but I have one drafted that’s been ready to go for a week. :)

 

The idea of a mailing list where anyone can send email can be a little jarring. The 100+ people on this list will see your emails to this list, and any of them might choose to respond. This mailing list is intended to help promote discussion about the service, but if the traffic gets out of hand, I may moderate traffic or decide this mailing list experiment failed. I don’t think that’ll happen, but it’s worth noting that things don’t always turn out how you hope. :)

 

If you are interested in joining this nebula-discuss mailing list, you can find information about how to get on that list at the bottom of this email. And again, if you were on the neb-tech list, you are already on the nebula-discuss list, and you may want to get off it. I’ll be sending this same email to the nebula-discuss mailing list shortly, so you’ll know if you are already on it.

 

Finally, I’ll be sending a semi-annual newsletter about the Nebula service. This newsletter will recap where we’ve been in the past 6 months by highlighting new capabilities and improvements, spotlighting items of interest, and reporting on trends, but it’ll also forecast what we think is ahead in the next 6 months. The first newsletter will likely go out in late February, and likely will be sent to the nebula-announce mailing list (although I may change my mind and send it to all Nebula users).

 

Brian Arkills

Nebula Service Manager