We are migrating desktop computers to UF Active Directory to provide several additional features, improved security, and more affordable licensing.
Active Directory allows many security-aware programs to use your login authentication to provide "single sign-on" (SSO), which means you don't need to (re)enter your username and password(s) in each application to access those resources. Combined with tools such as Office 2007, Exchange 2007, and SharePoint, this allows you to collaborate with colleagues across the hall, across campus, and even across the globe.
However, according to UF Network and Host Security standards, all units must be able to restrict access to UF resources via authorized methods. Unfortunately, due to decisions made over a decade ago, our old Novell Netware computer network is unable to enforce these requirements. To secure the systems, we have to effectively start over, reinstalling the operating systems from scratch on all college servers and desktop computers. But since we are no longer participating in the campus Novell Netware license, we cannot deploy any new Netware services. Thus, we are implementing the new security model using Windows Server and UF Active Directory.
Before Reinstalling
Before reinstalling the operating system on a computer, the primary user must identify and back up any local data. Any licensed software must be identified, and the license and media must be available to CLASnet techs so they can reinstall the software afterwards. This includes drivers and software for any local peripherals such as printers, scanners, video cameras, etc.
Units with their own IT staff may choose to audit their existing computers rather than reinstall. Such an audit may require several hours per system: ensuring the proper software packages are installed, removing any unknown applications, examining the systems for trojans, backdoors, extra administrative accounts, etc. Be aware that some Windows builds lacked the Active Directory client code; in those cases the IT staff will still need to reinstall the operating system.
Standard Software
All computers on Active Directory will have a number of standard site-licensed or freeware office-productivity programs available. Please contact us if you have additional discipline-specific software that is required on multiple computers. Assuming licensing allows, we will work with you to make the software automatically available accordingly. While not an exhaustive list, we will provide:
- Microsoft Office 2007 Suite (Word, Excel, PowerPoint)
- Microsoft Outlook 2007
- Microsoft Internet Explorer and Windows Media Player
- Mozilla Firefox and Thunderbird
- Kompozer HTML Editor (updated Mozilla/SeaMonkey editor)
- Adobe Reader, Flash, Apple Quicktime, and Real Player
- Java
- X-Win32 or HostExplorer
- CoreFTP
- TN3270 (NERDC mainframe access)
- SSH
- Time & Chaos
Additional Software
Users with licensed software required for the job may contact CLASnet. Assuming the software is compatible with UFAD, we will install the software. The user will be required to provide both proof of license and the installation media.
As part of the new security model, no trojans, backdoors, keyloggers, or other malware should be installed on the computers. The most common ways such malware appears are users browsing infected websites or clicking on links embedded in "phishing" email messages. To prevent such malware from being installed, normal user accounts do not have rights to modify the systems.
We will need to meet with any staff or faculty hired to maintain departmental computing systems. We will delegate required administrative rights to these IT workers, assuming they agree to all applicable UF IT standards and practices. This includes personal liability requirements as per federal laws.
Laptop Computers
Laptops can either be on Active Directory or "self-maintained." AD-connected laptops will be automatically authenticated to campus network resources when the user logs into the laptop. Such laptops will be maintained by CLASnet, like desktop computers, and will receive patches and updates when the systems are connected to the campus network. In contrast, self-maintained systems must be patched by the individual user, with applications installed locally, and in effect the user is responsible for all network interactions and interference that may originate from the laptop. The user will need to authenticate to each and every network service when it is used. Networked files may be accessed via FTP, and printers may be manually mapped via server shares.
Macintosh Computers
While Macintosh computers can be configured to authenticate individual users via Active Directory, they cannot automatically enforce the security requirements, nor can application patches and OS updates be automatically installed. Certain third-party server software packages (such as Apple's OpenDirectory) can be used to this end, but we cannot afford the licenses at this time.
Units with a substantial investment in Macintosh systems may choose to hire IT support staff to handle the security and administrative duties that Active Directory would normally provide. Should such IT staff be unavailable, these Macintosh systems can be run as "self-maintained" systems until CLAS can afford OpenDirectory or a similar managed solution.
Unix/Linux Computers
Due to their complexity and embedded services, Unix and Unix-like operating systems are treated as servers. Thus, we expect units to assign IT staff to handle operating system patches, security updates, and to enforce the UF authentication, authorization, and accounting requirements.
Self-Maintained Computers
Where available, self-maintained systems will be connected to the campus walkup network rather than to the building internal networks. The walkup network will require the individual using the computer to authenticate via a web browser before they can access the campus network. After such authentication, a user may authenticate against individual services, such as FTP and printer shares, assuming they are authorized to access those resources. The individual is still responsible for securing their computer, installing all applicable security patches, keeping their anti-virus software up to date, etc.
Under certain circumstances, an individual may be allowed to connect a self-maintained system directly to the campus network. Such access must be agreed to by the department chair, any unit IT staff, and the CLAS ISM. The individual must sign any/all relevant agreements codifying any potential liability, and must ensure all security, authentication, authorization, and accounting requirements are met.
