Automatic Central Security Patch Management
"Work at Home"
| Available Media (CDs) | Item Number | Price |
| Office 2003 Pro CD | #269-06755 | $35 each |
| Office XP Pro CD | #269-04589 | $35 each |
| Office v. X for Mac Standard | #731-00448 | $35 each |
| Windows XP Pro Upgrade CD | #E85-00289 | $20 each |
To order CDs under the WAH program, download, print and sign the agreement form at www.uwyo.edu/infotech/services/software/wah/. Send the form and a personal check (sorry, no cash accepted) to:
Information Technology, Client Support Services
Ivinson Building, Room 140, CAMPUS
The CDs will be delivered through campus mail or may be picked up in the Ivinson Building, Room 140.
Important Note: Information Technology is not responsible for
installation, configuration, or troubleshooting of WAH products on
personally owned computers. This offer is only available to UW
staff and faculty. Student employees are not eligible.
Email Spam and Virus News
Sophos, UW’s email virus scanning software provider, and PureMessage, UW’s spam filtering provider, have recently merged into one company, Sophos PureMessage. Email virus scanning and SPAM message tagging services are now provided through an integrated product on UW’s central email gateway server. Despite a recent law passed in an attempt to reduce the flow of SPAM, it is expected to continue to grow. Sophos PureMessage recently noted that "USA SPAM laws are unlikely to stop spammers." Users can read the article and get information on the law at www.sophos.com/spaminfo/articles/gwbush.html.
The UW central email gateway processes approximately 4.5 million email messages a month. Recent statistics indicate that about 60 percent of this email is SPAM. The basis for tagging email as SPAM is a probability indicator calculated by the Sophos PureMessage software. When that probability is 50 percent or higher, the software adds the word SPAM to the message’s subject line.
Are you getting the most out of SPAM filtering? Outlook and WebMail users may create their own SPAM filtering rules to take advantage of the spam tagging UW provides. For users who receive legitimate email tagged as SPAM when it shouldn’t be, individual white-listing of senders can make SPAM filtering more useful. For examples and help see www.uwyo.edu/infotech/services/email/spam/.
In contrast to SPAM, virus-infected email only totals about 12,000 pieces received monthly at UW. W32/Dumaru-A and W32/Bagle-A were the most common viruses seen recently, with about 6000 detected in the last 30 days. For details about these and other viruses see www.sophos.com/virusinfo.
Even though UW’s current virus volume is not particularly high,
a single virus can severely damage the infected computer as well
as UW’s systems and networks. Users should continue to take
measures to protect their systems from viruses. This means
frequently updating their computers with software patches (see
Automatic Central Security Patch Management),
keeping the OfficeScan virus software current, not opening
attachments from unknown users and not responding to suspicious or
unusual emails.
Recent Changes to UW eMailing Lists
Recent security reviews revealed that the university’s electronic mailing list software (known as Majordomo) presented several potentially undesirable exposures for the university. Adjustments were made to make it more difficult for spammers to obtain list names, post to existing lists, or acquire lists of subscribers.
Unfortunately the changes had some negative impacts on usability, especially for subscribers using the Web interface at http://majordomo.uwyo.edu/cgi-bin/majordomo.
One problem related to spammers’ ability to easily obtain a list of all mailing lists. This was blocked, but as a result the Web interface no longer displays list names and therefore cannot be used for subscribing and/or unsubscribing. The major difficulty is that the Web form uses no authentication and thus cannot verify that you are who you claim to be. The alternative is to use the more traditional e-mail interface with Majordomo, by sending plain-text messages to majordomo@uwyo.edu with various commands in the body of the message. For example, sending a "which" command (without the quotation marks) will return a list of the mailing lists to which you are currently subscribed.
Note that you must use the same email address for sending the command as the address by which you are subscribed. Another useful command is "help," which will return a brief list of commands and their usage. The most common usage is either "subscribe list-name" or "unsubscribe list-name."
For the owner of a list, the Web interface remains mostly unaffected because list management requires the use of a password. As in the past, the email method is also available.
A second problem was spammers’ ability to obtain email addresses from lists. This potentially allowed spammers to harvest a large number of target addresses, and this was also blocked.
A third problem was the opportunity, by default, to send messages to a list even if the sender was not a member of the list. This will be turned off by default on all new lists; existing lists can be modified by the list owner by setting the "restrict_post" configuration item to the list name.
Information Technology is also examining options for replacement of
Majordomo with newer, more flexible, and more secure products.
Changes to Email Display Names
In the past, email display names have been created from a person’s first, middle, and last names, for example, "Jonathon R. Doe." Recently, due to numerous problems parsing middle initials, email display names have been changed to match a person’s official name as registered with the Registrar and/or Human Resources. For example, either "Jonathon R. Doe" or "Jonathon Robert Doe" is used depending on whether Mr. Doe’s middle initial or middle name is registered with HR.
Many people have requested that their display name reflect their nickname. For example, Mr. Doe may prefer to be known as "Jon Doe" or "Bob Doe." IT and Human Resources are working to make this possible soon. Faculty and staff can now submit the "PS - 9 Personal Data Change Form" (www.uwyo.edu/hr/hrformslist.htm) to Human Resources, requesting that a nickname be added to their personnel record. Students can also request the addition of a nickname. This requires that the student appear in person at the Office of the Registrar’s service desk with picture identification.
In the near future, central email services will be updated to
include nicknames. Since Exchange supports a special field for
display names, the display name field will be created from the
nickname and last name, for example, "Jon Doe." Mr. Doe’s first,
middle, and last names will still be used in their respective
Exchange fields so that senders can verify the correct "Jon Doe"
before sending email. ASUWlink does not currently support a
separate display name field. Therefore, email names on ASUWlink
will be formed using the first, middle, nickname, and last names,
for example, "Jonathon Robert ‘Bob’ Doe."
MS Office 2003 Available to UW Users
Microsoft Office 2003 is now available to UW users. IT user consultants are ready to offer support for the upgraded core Office 2003 applications: Access, Excel, Outlook, PowerPoint and Word.
PeopleSoft users are advised to continue using either Office 2000 or Office XP. Compatibility testing between PeopleSoft and Office 2003 has not been completed and PeopleSoft has not issued a compatibility statement for Office 2003.
FrontPage 2002 users may experience problems with the Office Assistant if they upgrade to Office 2003. It is not recommended that FrontPage 2002 users upgrade their Office applications at this time. IT is aware of the problem and has reported it to Microsoft. Microsoft acknowledges the issue and may provide a solution to this and other reported problems at a later date. Please check www.uwyo.edu/Infotech/css/office03.htm often for the latest updates on this and other topics that we discover for Office 2003.
Microsoft has added Publisher and InfoPath to this release of Office Professional. Publisher was included in Office 2000 and separated in Office XP, and then disappeared from any Microsoft product list during the past year. InfoPath is a new application. (IT consultants will provide installation support for the Publisher and InfoPath applications and ensure that they are functioning after installation. However, the consultants are not yet able to provide application and feature support of Publisher or InfoPath.)
Users may install Office 2003 on Windows XP or Windows 2000 operating systems with Service Pack 3 or later. Some departmental computers may not meet the minimum system requirements (www.microsoft.com/office/editions/prodinfo/sysreq.mspx). Contact your user consultant about upgrading. He or she can help you evaluate the current hardware configurations, operating systems, and capacity.
To install Office 2003 refer to How to Install Microsoft Office 2003 Professional (www.uwyo.edu/AskIT/displaydoc.asp?askitdocid=236&parentid=1); call the Help Desk at 766-4357, option 1; or contact your user consultant for assistance.
If you install Office 2003, it is important to apply any available patches immediately. Users will need to have access to the CDs with which they installed Office 2003. If it was installed from the network, ensure that a network connection is available during the update. Start a browser and enter http://office.microsoft.com/officeupdate in the address bar. Allow the update process to install recommended updates.
One of the big benefits of Office 2003 is Outlook 2003. Outlook 2003 has a whole new look and feel. It is now easier to categorize and organize emails and see favorite or most used email folders all together. Users can also read emails in the upgraded Reading Pane, which can now be located to the side rather than under the list of email messages. Of all the upgraded applications in Office 2003, Outlook "looks" the most different.
IT will offer hands-on, instructor-led training classes for Office 2003 beginning in the summer of 2004. Computer Based Training (CBT) training opportunities in Office 2003 will also be available in the summer. Until then, IT will continue to schedule Office XP classes.
The UW student computer labs will be upgraded to Office 2003 late
in the summer. Students will have access to the latest version at
the beginning of the fall semester in 2004.
One Down, One to Go—
UW PeopleSoft Projects: PeopleSoft HRMS
UW has successfully implemented the PeopleSoft Human Resources Management System (HRMS) version 8.3 Service Pack 1. In fact, the paychecks that university employees received at the end of October, 2003 came from the new system. The success of this project was due to the hard work of many people across campus, and each of these people should feel proud of their accomplishment. The team is currently working on a number of cleanup items, but the university is now positioned to begin tackling some of the advanced functions available in PeopleSoft, including functions to aid with tenure and promotions and training administration.
All departments have now been offered formal training in the use of HRMS. It is understood that there will continue to be questions as people use the system; anyone with questions about the new system can call Duane Timmerman (766-9601) or Chad Marley (766-4874).
PeopleSoft Financials
The PIStOL upgrade continues to move forward. During extensive testing by functional users, several key issues were identified. Those issues were forwarded to PeopleSoft, who responded by informing UW IT that an additional upgrade to both our toolset and the application would be required. Due to the complexity of the software and our position in the middle of an upgrade, it was necessary to engage PeopleSoft to determine exactly what steps we needed to take to ensure that our work to date was not lost. PeopleSoft has provided experienced consultants at no charge to help guide us through these critical steps in our upgrade.
It was recently determined that we needed to upgrade our application (i.e., perform a double upgrade) to Financials 8.4, Service Pack 1, Fix Pack 2. With the hard work of UW employees and the assistance of the PeopleSoft consultant, this has been completed in a test mode and is currently being tested by functional users. As this testing appears to be successful, the decision has been made to proceed with a Test Move to Production (TMTP) in which we convert data from the older version of the software to the newer version. The TMTP will confirm that our data conversion is successful despite having to do an additional upgrade. Once the TMTP is completed and the data is reviewed, additional TMTPs will be completed to help us minimize the amount of system down-time required during the go-live time period.
No timeline for the completion of the project has been defined at this point. The project team agrees that we will have a much more accurate idea of the remaining work after the completion of the next TMTP.
The "PeopleSoft at UW" Web site (www.uwyo.edu/peoplesoft) has
information on both projects and is updated frequently. If you
require additional information, please contact Chad Marley, IT
project manager, at 766-4874 or cmarley@uwyo.edu.
Campus Wireless Access –
Authentication Now Required
Over Winter Break, Information Technology installed wireless gateways and Virtual Private Network (VPN) services on the UW wireless network (also known as "WiFi," or "802.11"). These additions will help to make the system more accessible and easier to use, as well as provide an increased level of security.
The wireless gateways authenticate users by prompting them for their UW username and password. The VPN services allow users to create VPN connections that will allow them to sign on to the network and encrypt their data, keeping it secure from others (for a description of VPN see www.uwyo.edu/Infotech/aboutIT/news/newsletter/2002/02fall.asp and www.uwyo.edu/infotech/services/network/vpn/).
For Cisco wireless card users, the Lightweight Extensible Authentication Protocol (EAP/LEAP) will continue to function as usual. Users have three different methods to authenticate with the UW wireless network:
- EAP/LEAP – encrypted (only for Cisco wireless card users.)
- VPN – encrypted (see www.uwyo.edu/infotech/services/network/vpn/)
- Wireless Gateway – non-encrypted (Web page authentication.)
EAP/LEAP and VPN are the recommended methods, since these also encrypt data. Users who don’t use EAP/LEAP or VPN can be authenticated for wireless access by opening a Web browser and entering their UWYO or UWSTUDENT username and password. (When you attempt to access a Web page, if you haven’t already authenticated using EAP/LEAP or VPN the wireless gateway will present you with a specific Web page where you can enter your Windows domain username and password.) MAC addresses will no longer be used for authentication.
Guest user accounts are available for visiting faculty and staff, and for conference and event attendees. Call the IT Help Desk, 766-4357, option 1, to obtain the password for the guest account. Guest users are able to connect to off-campus Internet sites, but for security reasons UW network access capability is restricted.
The Central Student Fee Committee (CSFC) made a large contribution to help bring this central solution to university students, faculty, and staff. Recently CSFC placed wireless logos in campus locations where the CSFC provided the funding for wireless access. CSFC-funded wireless access points are located primarily in student study areas and other student open areas.
New wireless access points funded by the CSFC include the Geology
Library and atrium, the Fine Arts open-study areas and lobby, the
student congregation (vending) areas in Engineering on all four
floors, the Animal Science lobby and study area, the first-floor
study room in Business, and the student lab and library in Hoyt
Hall. For up-to-date information on the UW wireless service,
including instructions, maps, security, plans, locations and more,
please visit www.uwyo.edu/infotech/services/network/wireless/.
Dell Program for UW Faculty, Staff & Students
The University of Wyoming is now a participating member of Dell’s Education Personal Purchase Program. UW faculty, staff, and students are eligible to receive special discounts and offers that are not available to the general public.
Some of the benefits of this program include
- A 5 to 8 percent discount from Dell Home Sales list pricing on Dimension desktops and Inspiron notebooks;
- Additional discounts on OptiPlex desktops and Latitude notebooks;
- Academic pricing on peripherals;
- Access to additional holiday promotions;
- Discounted ground shipping; and
- 24 hour Dell hardware telephone technical support.
To take advantage of the program, contact the electronics department of the University Bookstore at 766-3264, email ebryant@uwyo.edu or go to www.uwyobookstore.com and use the links at left under the Dell logo.
It is important to note that the telephone technical support is
provided by Dell’s "relationship" organization, rather than the
typical home sales support organization. This means that the
"escalation path" for problem resolution is similar to the
university’s technical staff support channels. Additionally, users
enter the Dell support phone queue through a different path. The
path gives users access to a higher level of Dell’s technical
support and customer service.
UW Network Access May Be Restricted
for Infected and Un-Patched
Computers
Many university computers remain vulnerable to hackers and viruses. Security patches are not always being installed in a timely manner (or at all). This creates serious problems and substantial risks for UW:
- Data on vulnerable computers could be destroyed or stolen
- Viruses on infected computers can severely impact network performance and reliability
As noted in previous emails and newsletter articles¹, to protect the university’s network, Information Technology may restrict network access for computers that become infected with a virus. Network access may also be restricted for vulnerable computers that are not "patched" in a reasonable amount of time.
In order to keep your computer updated with security software patches, IT recommends that Windows users either:
- use IT’s automatic Software Update Services (SUS) when it becomes available (see Automatic Central Security Patch Management)
- set your Windows Update feature to run automatically (see "How to Install and Run Windows Automatic Updates," www.uwyo.edu/AskIT/default.asp?parentid=1#book10)
- frequently visit the Windows Update website, http://windowsupdate.microsoft.com. Scan your computer and install all "critical" updates.
Users can refer to www.uwyo.edu/Infotech/services/security/ for a current list of vulnerabilities deemed critical by IT, including deadlines after which Internet access may be restricted for unpatched computers.
Additional Information
Many users have been successfully using Microsoft’s Automatic Update feature. The importance of installing critical system patches cannot be overstated. Unpatched computers are vulnerable to exploitation (i.e., the computer may be controlled remotely and/or infected with viruses). In several recent cases computers have been infected without the computer owner even opening an infected email or clicking on a Web page designed to exploit the computer. Unpatched, vulnerable computers may be taken over by hackers simply because the computer is attached to a network. Depending on the vulnerability, hackers might gain administrative access to the computer to copy or delete any data stored on the computer and possibly other networked computers and disks.
Viruses have caused massive amounts of data to flood the local data network and negatively affect other users (denial-of-service attacks). In extreme cases, the entire campus data network has become unusable until the infected computers could be identified and disconnected.
IT will continue to scan the network to identify computers with "critical vulnerabilities" and will begin to patch vulnerable computers automatically (see Automatic Central Security Patch Management). Any computers that remain unpatched are subject to disconnection from the network. Normally a one month grace period will be in effect but the time period will vary with circumstances and associated risks.
IT is working on a solution that will notify the user or administrator that their computer is vulnerable and will be disconnected from the network. In the meantime, network restrictions may be placed on infected and vulnerable computers without user notification. Users should contact the IT Help Desk at 766-4357 (6-HELP), option 1, if they have questions, experience any outages or have problems accessing the network. Please leave a message if you are transferred to a hold queue due to high call volume. Alternatively, email userhelp@uwyo.edu and a Help Desk representative will respond to your inquiry. IT will post a notice to uw-partners@uwyo.edu (the Partners mailing list) whenever the Security Web page is updated, at www.uwyo.edu/InfoTech/services/security/.
¹ For more information please see
www.uwyo.edu/InfoTech/aboutit/news/newsletter/03Fall.asp#security and
www.uwyo.edu/InfoTech/aboutit/news/newsletter/02fall.asp.
SIS Replacement Project Update
Early in 2003 UW started the search for a replacement to our aging Student Information System (SIS). Three vendors (PeopleSoft, SCT, and Oracle) were selected to receive the university’s Request for Proposal, with PeopleSoft and SCT responding. After a thorough analysis of the products and conversations with other higher education institutions, it was determined that the SCT Banner and SCT Luminus products were the best fit for UW. The SCT Banner product includes functions for admissions, registration, financial aid, accounts receivable, institutional reporting, and many other areas. The SCT Luminus portal could provide enhanced student email and calendaring as well as a central location for students to get the information they require.
A recommendation was forwarded to President Dubois that UW proceed with a "fit-gap analysis" on the SCT Banner product as well as the SCT Luminus portal product, and that recommendation was approved. A fit-gap analysis reviews the business processes of UW and fits them to the functions provided by the software. Any gaps identified are rectified by either modifying the software or modifying the associated business processes.
In December of 2003, the fit-gap analysis was successfully completed. SCT provided UW with a detailed estimate of the cost of the software and the cost of the necessary consulting services to aid in completing the project. SCT also provided a timeline in which implementation tasks would be completed. UW staff worked to complete a 6.5 year total cost estimate for the project which included hardware, software, consulting and training components. Utilizing these documents, UW is currently negotiating with SCT. While no timeline for the completion of these negotiations has yet been set, it is hoped that the project will begin early in 2004.
More information on the SIS Replacement Project is available at
www.uwyo.edu/newSIS or
from Jim Berrigan, project manager, at 766-2636.
IT Computer Support – What’s Available
Information Technology’s user consultants offer full support of standard hardware and software on university owned standard desktop computers. Standard desktop computers are business class systems that UW campus Partners Program subcommittee determined to be acceptable for use in the normal office and student computing lab environment.*
There are many different models of laptops in use at the university, and the user consultants offer a best-efforts support approach for common laptops and peripheral equipment. The consultants are able to install common software and set up network connectivity for most brands without any problem. Consultants will work with various vendors to provide solutions to common computing problems, should they arise. On the rare occasion when normal troubleshooting techniques have been exhausted and a consultant cannot resolve the problem, the laptop owner has responsibility for pursuing a resolution with the vendor.
Recent additions to the computer market are the Tablet PC and the Media Center PC. Information Technology is testing and evaluating the Tablet PC. Software compatibility will be tested and the decision on future support will be made after sufficient testing with UW related applications has been completed. No support or testing will be provided for the Media PC. The Media PC is primarily intended for the home entertainment consumer market.
The user consultants will continue to focus efforts on supported operating systems – Windows 2000 and Windows XP Professional – and expanding support, where necessary, for academic and administrative computing.
* The UW Partners Program is an assembly of UW campus technology
professionals and other interested individuals, working to improve
the use of computer technologies and the services and products of
the Division of Information Technology by promoting and
encouraging open communication and information exchange between
all areas of the University of Wyoming campus. The Partners
Program hardware recommendation is located at
http://www.uwyo.edu/partners/HardwareRec/reasons.htm. The standard
hardware and software list may be viewed at
http://www.uwyo.edu/InfoTech/services/Support/standards/.
Firewall Update
Information Technology has long had a router firewall between the campus network and the Internet. Several months ago a Cisco PIX "hardened" firewall was installed on the campus network. Segments of the UW network are gradually being moved behind the hardened firewall. The Residence Halls were one of the first to be moved behind the new firewall. Several departments were moved behind the firewall when they moved to other buildings. The Ivinson building and UW’s computing center were moved behind the firewall over Winter Break.
All the computing systems in the Ivinson Building computing center except for publicly accessible servers were moved to the 10.x.x.x subnet. The next phase is to continue to move sections of the campus network behind the new firewall.
The process of moving departments will take place in two steps. In the first step all workstations and servers, with the exception of publicly accessible servers, will be moved behind the firewall. In the second step all publicly accessible servers will be moved behind the firewall.
The first step will be very simple for most users. Information Technology will issue a notice when parts of the network will be moved. Users with dynamically assigned IP addresses (most users) will simply reboot their system the morning after their building is moved behind the firewall. Users who require a static IP address (discouraged except for servers and specific situations) will need to manually change the IP address currently assigned to their system to a new IP address assigned by IT and then reboot their system.
Technical Information for Server Administrators
The second step is expected to take place over a single night this coming summer. In short, all publicly accessible servers will be moved at once behind the firewall. (Publicly accessible servers are servers that need to be accessed by the general public without use of a VPN session.) These systems will have two addresses: an outside address, which the outside world will see, and an inside address for campus users. The domain name servers (DNS) will be separated into an inside DNS and an outside DNS at this point. The outside DNS server will contain the 129.72.x.x addresses, and in most cases this will be the previous address of the server. The inside DNS server will contain the inside addresses of all publicly accessible servers and will not contain any 129.72.x.x addresses. Once the DNS servers are separated, the outside DNS will be updated to reflect the outside addresses of the servers, and the inside DNS will be updated with the inside addresses. Static entries will be placed in the firewall to translate the outside addresses to inside addresses. The network segment on which the publicly accessible servers are connected will be moved to a VLAN inside the firewall. The owner of the server will then change the IP address to the inside address.
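One way a server administrator could check a split-DNS and static-translation plan like the one described above before the cutover, as an added example that is not UW's tooling. The host names, addresses and the 10.0.0.0/8 and 129.72.0.0/16 ranges used as "inside" and "outside" are constructed sample data based on the address patterns the article mentions.

```python
"""Pre-cutover consistency check for a split-DNS + static-translation plan."""
import ipaddress

# Assumed ranges for this example, taken from the address patterns in the article.
OUTSIDE_NET = ipaddress.ip_network("129.72.0.0/16")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")


def audit_plan(outside_dns, inside_dns, static_nat):
    """Return sorted (problem, subject) findings; an empty list means consistent.

    outside_dns, inside_dns: {hostname: address}
    static_nat: {outside address: inside address} as configured on the firewall
    """
    findings = []
    nat = {ipaddress.ip_address(o): ipaddress.ip_address(i)
           for o, i in static_nat.items()}
    inside = {h: ipaddress.ip_address(a) for h, a in inside_dns.items()}
    outside = {h: ipaddress.ip_address(a) for h, a in outside_dns.items()}

    # The inside view must never hand out an outside address.
    for host, ip in inside.items():
        if ip in OUTSIDE_NET:
            findings.append(("inside-dns-has-outside-address", host))
        elif ip not in INSIDE_NET:
            findings.append(("inside-dns-address-out-of-range", host))

    # Every published name needs a translation that lands on the address
    # campus users are given for the same host.
    for host, ip in outside.items():
        if ip not in OUTSIDE_NET:
            findings.append(("outside-dns-address-out-of-range", host))
        elif ip not in nat:
            findings.append(("no-static-translation", host))
        elif host not in inside:
            findings.append(("missing-from-inside-dns", host))
        elif nat[ip] != inside[host]:
            findings.append(("translation-disagrees-with-inside-dns", host))

    # A translation nobody publishes still exposes the inside host, and two
    # translations to one inside address usually mean a copy/paste error.
    published = set(outside.values())
    targets = set()
    for out_ip, in_ip in nat.items():
        if out_ip not in published:
            findings.append(("translation-without-outside-record", str(out_ip)))
        if in_ip in targets:
            findings.append(("inside-address-translated-twice", str(in_ip)))
        targets.add(in_ip)
    return sorted(findings)


# Constructed sample plans (not real UW hosts or addresses).
GOOD_OUTSIDE = {"www": "129.72.0.10", "mail": "129.72.0.25"}
GOOD_INSIDE = {"www": "10.1.0.10", "mail": "10.1.0.25", "fileserver": "10.2.0.5"}
GOOD_NAT = {"129.72.0.10": "10.1.0.10", "129.72.0.25": "10.1.0.25"}

BAD_OUTSIDE = {"www": "129.72.0.10", "mail": "129.72.0.25", "ftp": "129.72.0.21"}
BAD_INSIDE = {"www": "129.72.0.10", "mail": "10.1.0.26", "ftp": "10.1.0.21"}
BAD_NAT = {"129.72.0.10": "10.1.0.10", "129.72.0.25": "10.1.0.25",
           "129.72.0.99": "10.1.0.99"}

if __name__ == "__main__":
    for name, plan in (("good", (GOOD_OUTSIDE, GOOD_INSIDE, GOOD_NAT)),
                       ("bad", (BAD_OUTSIDE, BAD_INSIDE, BAD_NAT))):
        print(name, audit_plan(*plan))
```

The "translation-without-outside-record" finding is the one to watch after a move: a leftover static entry keeps a server reachable from outside even though no outside DNS name points at it.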
The firewall Web pages at
www.uwyo.edu/infotech/services/security/firewall/ contain
(1) information about the procedures to be followed in moving
behind the firewall, (2) a form for requesting addresses for
publicly accessible servers and static IP addresses, and (3) the
dates when the moves are to be completed. Due to the high cost of
maintaining static IP addresses, they will be issued only to systems
that need them. Users will be asked to justify the need for a
static IP address before one will be issued.
eNews Extra:
New "Ask IT" User Self-Help Web Site Available
A new Information Technology help Web site is now available for
University of Wyoming (UW) computer users. The site is called
AskIT and is located at
www.uwyo.edu/AskIT. AskIT is a new centralized portal for
self-help resources and utilities, including how-to documentation,
frequently asked questions (FAQs), Web site requests, hardware
work order requests, computer training opportunities and UW
software licensing. Future additions to the site will be
troubleshooting tips, Web-based software installation points, the
ability to submit a problem or issue to IT via the Web and
numerous other utilities as they become available. The
documentation provided on AskIT is fully searchable and
categorized in a manner that will make finding the information you
need as easy as possible. So, please take a look at the site, and
come back often to see what new online utilities or information
are available to you. Feel free to e-mail us with any comments you
may have at AskIT@uwyo.edu.

