Minutes - February 11, 2005
1:30 - 3:00 pm - I. G. Greer Hall - Room 224
Persons Present:
Ex Officio members: Doug May (Acad. Computing Serv.), Jeff Williams (Chair, Info. Tech. Serv.)
Voting Members: Kevin Howell (Coll. of Fine & Applied Arts), Greg Lovins (Business Affairs), Tom Bennett (proxy for Lynne Lysiak, Belk Library), Emory Maiden (Coll. of Arts & Sciences), Tom McDonald (Hayes School of Music), Ed Pekarek (Coll. of Arts & Sciences), Dick Riedl (Reich Coll. of Education), Bill Ward (Academic Affairs)
Visitors: Steve Breiner (Instructional Comp. Serv., ITAC Recorder), Tony Grant (Dept. of Tech.), Michael Bennett (RCOE), Bryan Johnson (RCOE), David Earp (ACS), Oscar Knight (ITS Security Manager), Tom Van Gilder (Arts & Sciences), John Spagnolo (RCOE)
Preliminaries
Jeff Williams opened the meeting at 1:40 PM and greeted the attendees. He noted ITAC had acquired a number of new representatives and introduced them.
1) IT Security - audit follow-up, workstation management, operational procedures
Williams noted that, given the increased emphasis on security requirements by State Auditors and the dictates of normal prudence, ITS would be implementing a number of projects to secure and protect our computer environment. He introduced Oscar Knight and David Earp to update ITAC on some upcoming projects.
Knight informed the group that recent requirements from the State Information Resources Auditors will require more intrusive scanning of all network-connected computers for such issues as “weak” passwords and null sessions (see http://www.lokbox.net/help/html/Security/NullSession.htm). Further, he anticipated needing to perform those scans at least twice per year. Williams noted that these scans will not shut down or reboot the machines being scanned, and asked whether there were other concerns ITS would need to address before beginning the scanning. Tom Van Gilder asked what was the definition of “weak,” referring to passwords. Knight responded that passwords with dictionary words, user information, and without digits and case changes were characteristic. Steve Breiner (ITS) asked whether regular users had been notified of the specific requirements for strong passwords. Doug May (ITS) responded that users had not yet been, but would be notified by e-mail. Ed Pekarek (Comp. Sci.) asked whether there was a link on the Appalachian Password Set page to inform users about various password-related issues. Williams stated that he would check with the Webmaster’s office to find an answer.
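The following is an added illustration, not part of the minutes or of any ITS tool, of how the “weak” criteria Knight described (dictionary words, user information, no digits, no change of case) can be checked before a password is accepted. The word list is a constructed stand-in for a real dictionary file, the user-information tuple and sample passwords are made up, and the table of look-alike substitutions (0 for o, @ for a, and so on) is an assumption added here so that a dictionary word dressed up with such substitutions is still caught.

```python
# Constructed word list standing in for a real dictionary (assumption: in
# practice load a full list such as /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "mountain", "summer", "winter",
              "boone", "appalachian"}

# Assumed table of common look-alike substitutions that do not make a
# dictionary word any harder to guess.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case and undo look-alike substitutions for matching."""
    return text.lower().translate(LEET)


def weak_password_reasons(password, user_info=()):
    """Return the reasons a password is weak under the four criteria from
    the minutes; an empty list means it passes. user_info holds strings
    such as the account name or real name that must not appear."""
    reasons = []
    norm = normalize(password)

    # 1. Dictionary words (four letters or longer) anywhere in the password.
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in norm:
            reasons.append("contains dictionary word '%s'" % word)
            break

    # 2. User information (three characters or longer) anywhere in the password.
    for item in user_info:
        token = normalize(item)
        if len(token) >= 3 and token in norm:
            reasons.append("contains user information '%s'" % item)
            break

    # 3. Digits are checked on the raw password, not the normalized form.
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")

    # 4. A change of case requires at least one lower and one upper letter.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        reasons.append("no change of case")

    return reasons


def is_weak(password, user_info=()):
    return bool(weak_password_reasons(password, user_info))


if __name__ == "__main__":
    user = ("jdoe", "Jane", "Doe")  # constructed sample account details
    for candidate in ("appalachian", "P@ssw0rd", "Jane2005!", "gW7#qz!Lm3"):
        print(candidate, "->", weak_password_reasons(candidate, user) or "ok")
```

The substitution table is the part worth tuning: without it “P@ssw0rd” passes every surface check yet is in every cracking wordlist, which is exactly the kind of password an auditor's scan is designed to find.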
Knight suggested that the next time Appalachian undergoes an IT audit, we should expect much deeper scanning for vulnerabilities than has previously been the case. He mentioned that he expected the auditors to focus on previously unscrutinized issues like firewalls, identification devices, currency of virus scanners and definitions, and others. Auditors’ concerns are increasingly adding issues related to vulnerabilities of internal origin (server to server, internal workstation to outside world) to the traditional focus on attacks originating from external sources.
Williams asked Earp to comment on application issues. Earp noted that the ultimate goal of the efforts being implemented was to prevent Knight (and auditors) from being able to find any vulnerabilities. Earp noted that addressing many concerns involved pushing automatic updates for operating systems (OS), virus scanning (VS) software, desktop productivity applications, and other software used on connected machines. He mentioned the recent implementation of ePolicy Orchestrator, which can detect and identify machines with out-of-date VS software or definitions and can establish baseline configurations and proactively identify problematic machines to prevent potential problems. He stated that the ultimate goal was to automate procedures to provide security, thereby freeing users from the necessity to do so and allowing them to focus on their jobs or studies. He mentioned that the ePolicy agent will help keep machines’ OS, VS, and applications updated and can enforce certain desired security settings and that Zenworks (a Novell workstation management tool) can provide software delivery services and updates, prompting the proposed recipient to accept the updates at their convenience (until completed). Earp noted that ITAC needs to provide some guidance as to how deeply (for everyone? students? peripheral organizations? connected home machines?) such a policy needs to be applied.
Pekarek asked whether the new scanning policies would require all users to move to Windows. Earp replied in the negative; PCs running Windows would be the earliest targets for the new policies, but Macintoshes would follow, with Linux PCs possibly targeted somewhat later. Pekarek then proposed that negotiations occur before starting pushed updates or software to determine acceptable times of day for such operations to occur. Earp replied that the ePolicy agent allows the user to temporarily defer proposed updates if timing is an issue for specific updates, but that later, the “push” request would automatically reset to the original schedule.
Pekarek then asked whether there would be a university-wide movement away from FTP (file transfer protocol) toward secure FTP (SFTP). Knight replied that he would support that becoming an institutional standard as soon as possible.
Williams then suggested that as important IT initiatives begin to take shape, there needs to be an open, 2-way communication channel between ITS and the user community (as represented by ITAC).
Pekarek then noted, referring again to the idea of “pushed” updates, that Appalachian needs to better provide helpdesk support to address issues immediately when and if “pushes” somehow degrade access to services necessary for classroom or other time-sensitive applications.
Knight then reported that this very morning, an infected machine was brought onto campus and connected to the network, thereby bypassing our border protections. An intrusion prevention device (IPD) detected the problem reasonably quickly, but the occurrence points out the need to be more vigilant as threats become more pervasive. Breiner asked whether it might be possible to require a pre-connection scan of all machines on a first (after some reasonable interval) connection to the net, to check for current AV and OS updates, with an automatic refusal to issue an IP address if a scan shows problems or if the user refuses to allow a scan. He also noted that most users are unaware that the university will provide them with AV software for both their office and home machines - he suggested overcoming our historic lack of communication with users would help with some of the issues we face. Bennett asked whether there was general access to the software, to which Earp replied that only IPs on Appalachian’s subnets should have access.
2) ASU Communications Plan - including recent roll out of Email Distribution Management List
Williams noted the deployment of Appalachian’s new Email Distribution Management (EDM) system to help users manage the email they receive from university-related sources. He mentioned that all users have been auto-subscribed to all lists under the EDM umbrella, but that they received an e-mail explaining how to unsubscribe from the optional lists. He mentioned that ITS is currently examining the feasibility of attaching a one-click unsubscribe link to each message sent out by the optional lists.
3) Planning for student lab / public workstation refresh (assuming new E&T is approved)
Doug May reported that ACS is encouraged by the possibility of formally establishing a refresh cycle for student laboratory and classroom computers. He noted that a mechanism for central purchasing would be a necessity for managing such a program on a regularized schedule. Williams noted that the UNC Board of Governors had rejected Appalachian’s tuition increase request and that approval of the E&T fee increase was not certain at this point. Presuming a stable funding mechanism can be established, Williams asked for suggestions and discussion on how to establish a fair distribution mechanism for refreshes. May stated that a “standard machine” would be the ideal, with mechanisms in place to allow for special requirements. Some questions with which May and ITS need assistance include: What should we do with existing machines which are outcycled? How can we handle requests for new labs? What is the appropriate refresh interval (noting in an aside that a 4 year cycle seems to be reasonable at this point)? How should the cycle vary for “special needs” situations? Faculty desk machines will require a separate discussion and a funding source other than E&T… how might that be handled?
Williams reported that, in conversations related to a formal lab computer refresh cycle, the provost had asked how many machines would be required. That issue is one on which an ongoing conversation needs to happen, with input from this group. Williams noted that after the March 13 Board of Governors meeting, where the E&T request will be decided, ITAC would need to discuss the implications of that decision.
A brief discussion of the advantages of machine standardization occurred, during which Van Gilder mentioned that the College of Arts and Sciences had found that their efforts to standardize seemed to be working very well.
4) Other business
Pekarek asked that digital projectors also be considered in the refresh cycle and raised the issue of who should be responsible for routine maintenance, consumables, and damage. He noted that traditionally, departments had borne the costs of original purchase, bulb replacement, and replacement of units stolen or damaged by nondepartmental users (such as Conferences and Institutes or Camp Programs); he suggested that a more equitable mechanism for covering such costs be established. Bill Ward (Academic Affairs) stated that he was reasonably sure that when damage was demonstrably caused by nondepartmental groups who were given access to rooms by nondepartmental officials, the sponsoring agency would cover the costs of damages caused during their stewardship of a venue. Pekarek proposed that outfitting and maintenance of technology-enabled classrooms should be a centrally funded, facility management responsibility.
John Spagnolo (RCOE) noted that his college had experimented with the use of mobile computer carts, outfitted with laptops, for enabling some classrooms with technology. Michael Bennett (RCOE) asked (referring to the earlier discussion) whether computers in labs at Distance Education sites had been included in the refresh cycle discussions. May replied that Appalachian had provided those machines in the past but that they were seriously aging and should be part of the discussion.
Williams announced that construction had begun at the Caldwell Community College “Alliance” site and Bennett noted that the site would be used mostly by RCOE.
Van Gilder asked whether wireless network access in academic areas can be funded by E&T monies. Williams mentioned that the original request for $2M in E&T increases had included $300K for wireless enhancements, but that only $1.2M had ended up in the final requested increase. He suggested that wireless access would need to be considered in a process which balanced that need with all of the other needs resting on those funds.
5) Adjournment
Williams bid the group to enjoy the falling snow and adjourned the meeting at 2:49 PM.
