Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.
==== New Capabilities and Improvements ====
* Self-service certificates for Delegated OUs. An AD-integrated certificate authority (AD Certificate Services) has been deployed. This allows Windows domain joined computers to automatically get a certificate which is automatically renewed. See https://wiki.cac.washington.edu/x/_69NB for more details.
* Azure Active Directory (AD) External User Invitations. Invitations to users outside the UW can be initiated by anyone with a UW NetID. This allows sharing of data, applications, and services where the method of authentication is Azure AD based. The most commonly used resource leveraging Azure AD that you might want to invite external users to share is likely Sharepoint Online, which supports this for sites but not yet for OneDrive for Business. However, external users are useful beyond just Sharepoint Online—think of them as federated users on steroids—where not only do you have to provide a user account, but you have a meaningful way to control their access to your resources which works just the same way as it does for a UW user. We have more orientation material on this capability planned.
* Azure AD device registration. There are many different ways to get a device registered with Azure AD, across varying operating system platforms. For example, there are three ways to get a Windows 10 device Azure AD registered. Registering your device with Azure AD enables certain data protection and security capabilities. If you take it one step further and join your device to Azure AD (only possible with Windows 10), you get interactive logon using your Azure AD user account. Many of the various ways to do this are not enabled today, but a few are. We have more orientation material on this capability planned, to help everyone wade through all the details.
* Microsoft Advanced Threat Analytics. This product provides machine learning capabilities to evaluate activity on domain controllers to identify anomalous events. This tool is capable of identifying attacks and persistent “hidden” compromises of highly privileged accounts.
* UWWI service staffing availability has been down over the past 12 months—this is because other UW-IT services have had higher priority work and staffing shortages. You may notice a smaller amount of new capabilities again in this 6 month period, which is attributable to this smaller investment. We’re waiting for a new employee to start who will help backfill this staffing gap.
* An Azure AD governance team spent an intensive amount of time this summer working through the many emerging capabilities Microsoft is providing that are tied to this technology, including identity, access management, device management, and application support. We should have an Azure AD Application Request process soon, thanks to efforts here. And again, we have more orientation material planned. J
* The Enterprise Architecture program has encouraged the use of capability maps to facilitate communication about what’s provided and what’s needed. UWWI has created two capability maps, one for the overall service and one for Azure AD. You can view them at:
UWWI Capability Map: https://wiki.cac.washington.edu/x/sx5JB
Azure AD Capability Map: https://wiki.cac.washington.edu/x/sh1JB
Other services are developing capability maps, and over time you will likely be able to see connections. For example, you may also be interested in the Managed Desktop Capability Map: https://wiki.cac.washington.edu/x/LCBJB.
A brief description of the format used may help orient you. The use of color highlights specific capabilities and future planned initiatives in a broad capability area. The left side denotes some desired customer needs and outcomes. What’s within the rectangle with rounded corners is what is provided, although in some cases we haven’t yet provided an item or are planning to retire or divest (see the key to find those cases). The right side is a high level “roadmap” of imagined investment in initiatives. Between the key and rectangle with rounded corners is a laundry list of possible capabilities that we can imagine. Unfortunately, space constrains our imagination, so there are definitely things we’ve imagined but don’t list—we had to make a judgment call.
And that’s a really good note to end the description on—within a single page, it is hard to represent something like this, but the goal is not to create a perfect representation, but to encourage good conversations. Please do ask questions about this, either via the uwwi-discuss mailing list or firstname.lastname@example.org.
* UWWI plans to implement a design to address inactive user accounts. Of the ~770K NETID user accounts, only ~110K have been logged into over the last two year period. Reducing the risk and costs associated with the large set of unused user accounts is the primary goal of this design change. We are still refining the design after gathering some initial feedback within UW-IT, and when we have something we’re happy with, we’ll share it more broadly.
* We know that our customer documentation is currently split between two locations and this is not a good situation. We are exploring some options which should greatly improve this, which hopefully will come just in time for all the orientation material mentioned above. J
==== Trends ====
* Since July, UWWI has sustained growth: +9 delegated OUs (112 total), +2 trusts (55 total), +~1750 computers (12389 total), +18k users (772k total), -12k groups (96k total).
* UWWI support requests are steady. 224 UWWI support records resolved since the last newsletter (vs. 241 in prior period).
You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.
==== What’s Next ====
Our objectives for the 6 months ahead include:
* Explore possible expanded uses of AD-integrated Certificate Authority, as identified by customer business needs
* Explore LAPS-E, a local administrator password management solution. See current discussion on uwwi-discuss about possibilities here.
* Explore Azure MFA and Microsoft Passport as possible Microsoft MFA solutions for the UW, so we are ready for a broader discussion about MFA at the UW later in the year.
* Enable Azure AD Applications, via releasing a request and approval process, working with Microsoft to extend its user consent framework, and providing integration guidance for developers
* Azure AD Application Proxy deployment. This enables on-premises applications to use Azure AD based authentication without making any changes to their existing Windows Integrated configuration. They gain a hardened, cloud-based endpoint, the possibility of leveraging conditional access capabilities such as Azure MFA, and can leverage the logging and security anomaly analysis investments Microsoft is building.
* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data
* Partner with Nebula to build a high security Windows file service offering in connection with a high security managed desktop offering
* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID
* Support growing Nebula migration efforts into the NETID domain
* Explore possibility of offering basic managed desktop offering for a nominal cost (or possibly no cost), re-using the infrastructure Nebula brings to the NETID domain.
* Implement ‘inactive user design’
* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall
* Deploy Microsoft Identity Manager’s Privileged Account Management capability to provide ‘just in time’ domain admin privileges instead of ‘always on’. This will reduce enterprise risk.
* Preferred Name (assuming this work has investment from the Directory Services service)
* Support emerging Monitoring Service by sharing Windows expertise
Of the 14 forecasted objectives we listed in the last UWWI News, here’s a review on how they turned out:
- 3 were successfully completed: AD-CS, ATA, AAD gov
- 4 were started and continue: RMS, Software Deployment (SCCM), Nebula Migration, AuthN restrictions
- 3 were started by dependent service, but hasn’t yet reached the point where we can start: Preferred Name, MFA project, Monitoring service
- 4 were not started: ADMT, Firewall GPO, PAM, LDAP signing
==== Your Feedback ====
Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.
The UWWI service has a capability map publicly visible at https://wiki.cac.washington.edu/x/sx5JB. This capability map includes a high-level summary of our roadmap. We can also provide more detailed information about our backlog if you have questions.
You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via email@example.com.
UW-IT, UWWI Service Manager