2015 January

January 16, 2015

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.


==== New Capabilities and Improvements ====


* Unix, Linux, and Mac Integration with UWWI Active Directory. Many customers already join their Macs, and some join their Unix computers to the NETID domain. We removed obstacles to using PowerBroker Enterprise or Open in the NETID domain, and put documentation together to help guide customers who would like these benefits but don’t know how. See https://wiki.cac.washington.edu/x/nCwJB for more. Customers with tips are encouraged to share them via the community suggestion wiki page: https://wiki.cac.washington.edu/x/-jAJB.


* Domain based DFS capability is now available. This provides redundant distributed file redirection services, allowing you to easily add and remove file servers without impacting your customers. Several customers are already leveraging this capability. See https://wiki.cac.washington.edu/x/obv5Aw for more info. Note: we recently partnered with a customer to get DFS-R working. Our documentation will be updated to reflect this new possibility in the coming months.


* Reduced latency for Entra ID directory synchronization from 3 hours to 1 hour. This primarily benefits customers of the MSCA service, but it also benefits those integrating applications with AAD, and it should provide other benefits with the future release of Windows 10.


* Self-service SPNs for application UW NetIDs. This permits owners of an application UW NetID to register service principal name values on their own without assistance from the UWWI service. See https://wiki.cac.washington.edu/x/5CwJB for details. This new capability means that customers can manage SPNs on:

– Computers in their delegated OU

– Group Managed Service Accounts (gMSAs) in their delegated OU

– Application UW NetIDs they own


* Major upgrades and refactors:

– Geographic redundancy achieved for all business critical systems in the UWWI service.

– UWWI Group Sync Agent redundancy. We deployed a 2nd passive server with the UWWI Group Sync agent on an Azure VM via the UW-IT Standard Managed Server service. If you’d like to hear more about our experience with Azure VMs, let us know.

– All NETID DCs upgraded to Windows Server 2012 R2. Forest and Domain functional level moved to Windows Server 2012 R2.

– UWWI Kiwi Agent version release pending. Admin and Application UW NetID behavior changes.

– WINS server replaced




* UWWI service staff had a significantly higher operational load over the past 6 months—historically, about double our usual number of requests in the same period of time.


* The ‘Bring Your Own Zone for DDNS’ work was cancelled, due to lack of customer interest given the constraints we inherit from the UW network design. Customers are highly encouraged to talk to the campus DNS service for needs they have which aren’t currently being met.


* Over the last several months we evaluated two new security capabilities Microsoft provided with Windows Server 2012 R2, Protected Users and Authentication Policies, for use at UW. Our evaluation showed they aren’t effective for the most common scenarios, especially for the most pressing need: protection against the Pass-the-Hash style attacks behind most of the credit card breach news stories over the past year. For our analysis, see https://wiki.cac.washington.edu/x/8zAJB. Instead, we plan to make the following security investments:

– For privileged user accounts, experiment within UW-IT with some alternate protections and, if these are effective, share them more broadly with some kind of self-service opt-in mechanism,

– Reduce use of NTLMv2,

– Continue active work on reducing and mitigating existing LDAP simple bind logons (passwords sent in clear over the wire),

– We also believe Microsoft will bring some more significant protection capabilities in 2015, so we will watch developments closely.


* NTLMv1. Brian Arkills has presented on our experience to other universities on a couple of occasions. The latest presentation, given via a webcast that Internet2/InCommon provides, was recorded and can be viewed at: http://internet2.adobeconnect.com/p9kl8urgl67/. This requires installation of the Adobe Connect add-in.


* James Morris is an invaluable part of the UWWI service team. While the UWWI service only has a very small fraction of his time, we put that time to high use by leveraging his excellent design skills in the early parts of our planning and relying on him to provide backup coverage when one or more of the service team are out. James often foresees problems in design and architecture before anyone else, which enables us to improve the design before you see it. We appreciate his contribution and the deep engineering background he brings to our service team.


==== Trends ====


* Since January, UWWI has: +3 delegated OUs (94 total), -1 trusts (56 total), +~1000 computers (9694 total), +~16k users (704k total), -8k groups (89k total).

* UWWI support requests have grown by 85%!!! 347 UWWI support records resolved since July (vs. 188 in prior period).


You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.


==== What’s Next ====


Our objectives for the 6 months ahead include:

* Continue exploration of deploying an AD-integrated Certificate Authority to enable a variety of multi-factor scenarios and easy internal website certificate renewal.

* Simple Bind Reporting/Notification to improve the security of UW NetIDs.

* Internal documentation refactor to improve our operational effectiveness.

* Minor Group Sync code fixes/improvements

* ADMT 3.2 upgrade

* AD snapshots to improve our ability to recover from unexpected AD incidents including possible AD corruption

* Internal HyperV upgrade with several VM migrations to reduce our operational costs

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* UWWI security improvements, NTLMv2 explorations and privileged user risk mitigation

* Preferred Name (assuming this work moves forward as part of the HR/P project)

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support Authentication service in exploring Multi-factor Authentication solutions for Windows

* Support emerging Enterprise Monitoring Service by sharing Windows expertise

* Support the future Microsoft Campus Agreement goals by contributing to a 3-5 year Microsoft technology roadmap


Of the 8 forecasted objectives we listed in the last UWWI News, here’s a review of how they turned out:

  • 7 were successfully completed
  • 1 was started and continues: AD-integrated CA explorations


Note: Of the top 7 incomplete items from last summer’s UWWI customer survey, http://ontheroa.uservoice.com/forums/258239-uwwi, 6 are represented above (4 of the survey items have been marked complete and are no longer visible at the URL). Many of these require other services to prioritize work, and given their competing priorities, some of this work may not be able to move forward. For these initiatives that depend on others, our investment will reflect the priorities you’ve indicated to the extent we aren’t blocked. Should a dependency blockage extend too far or we don’t have confidence that there will be timely progress, we will consider the possibility of moving away from a dependency on a strategically positioned service to a tactical solution we deploy to meet your needs, but that’s an option we don’t yet need to exercise.


==== Your Feedback ====


Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.


The UWWI service has a backlog or roadmap visible to customers at https://wiki.cac.washington.edu/display/UWWI/UWWI+Roadmap where you can see more details about current and some future work items.


You can voice your support for future objectives to help us rank priorities by voting in the survey, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.


Brian Arkills

UW-IT, UWWI Service Manager