Notes from the Collaborative IT Discussion on Wednesday, June 11th.  Thanks
to everyone who attended and joined in the discussion, and especially to Wes
Wright and Hope Greenberg for the demonstration of Big Blue Button.


Project Updates


Not much in the way of news. Email and calendar project is progressing,
still on track for a product selection by end of June (hopefully).
University Policy prohibits substantive discussion of the merits of proposed
solutions outside of the RFP committee.


Big Blue Button


Wes Wright gave a demonstration of Big Blue Button,
which is an amalgam of open source
technologies that provide online meetings with shared whiteboard, session
recordings, and Blackboard integration. UVM employees may create their own
meetings at and explore the capabilities
of the system.


Hope has offered to provide a "Blackboard for IT Support Staff" session at
an upcoming Collab. IT Discussion. Stay tuned.


Pass-the-Hash exploits and mitigations


I gave a digested version of a really good session from Microsoft TechEd
2014, Pass-the-Hash: How Attackers Spread and How to Stop Them. One
issue is that an attacker can essentially collect the credentials of any
user that has logged into a workstation. If those credentials have access to
other workstations, then the attacker can connect to each workstation in
turn and harvest a growing set of credentials. Eventually, the attacker
hopes to find a credential that has admin rights to a server, and can move
closer to compromising the entire organization.


One small change that we have made is to prevent the *-tech accounts, which
have local admin rights to all workstations, from being used to access
workstations across the network. This doesn't prevent using them to log into
a workstation. Similarly, we prevent local workstation accounts from being
able to access other computers. This prevents the problem presented by
workstations that all have a common password on the local administrator


This change makes it harder for an attacker to move laterally through an
organization, harvesting credentials and hunting for privileged accounts.


Two additional points:

1. If you are running as a non-administrative user for your work, it's
much harder for an attacker to harvest any credentials at all. It's a really
good practice; if you aren't doing it yet, please give it a try.

2. If you have a netid.adm account, treat that as a high-value target.
Don't use it to manage user workstations; only use it on systems that you


If you have a chance, check out the full TechEd session video; it's
both amusing and terrifying.


UVM Login Two-Factor Authentication


Mike Austin gave a preview of coming capabilities of the UVM Web Single
Sign-on solution. The support for two-factor authentication, using a variety
of mechanisms including SmartPhone App, hardware token, SMS/Text code, and
more, will be required eventually for users with certain roles in


Don't panic. There will be lots of communications around any new requirement,
including documentation and information for IT support staff.


More meetings


We're looking at scheduling a Group Policy workshop in mid-July, and the
next Collaborative IT Discussion in early-ish August. We'll likely be in the
process of deploying a new email and calendar solution, so I imagine there
will be plenty to discuss.


Thanks, and as always, please let us (or IT-Discuss) know what you're
thinking about these discussions.




Geoffrey Duke
802.656.1172 | Sr System Administrator |
Enterprise Technology Services |
University of Vermont
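
Added example, not part of the original notes and not UVM's configuration: one way to audit the network-logon restriction described under "Pass-the-Hash exploits and mitigations", assuming it is implemented with the "Deny access to this computer from the network" user right (SeDenyNetworkLogonRight) and checked against the text of a `secedit /export` policy dump. The group SID and the sample export are constructed placeholders; the check also confirms that console logon is still allowed, as the notes say it should be.

```python
# Assumption: the restriction is set through the SeDenyNetworkLogonRight user right.
LOCAL_ACCOUNT_SID = "S-1-5-113"  # well-known SID: NT AUTHORITY\Local account
# Hypothetical SID of a group holding the *-tech accounts (constructed placeholder).
TECH_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"

# Constructed sample of a `secedit /export` file (not a real export).
SAMPLE_GOOD = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *{LOCAL_ACCOUNT_SID},*{TECH_GROUP_SID},Guest
SeDenyInteractiveLogonRight = Guest
"""

def parse_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; compare case-insensitively.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(inf_text, required=(LOCAL_ACCOUNT_SID, TECH_GROUP_SID)):
    """Return a list of findings; an empty list means the policy matches."""
    rights = parse_rights(inf_text)
    deny_network = rights.get("SeDenyNetworkLogonRight", set())
    deny_console = rights.get("SeDenyInteractiveLogonRight", set())
    findings = []
    for principal in required:
        key = principal.lower()
        if key not in deny_network:
            findings.append(f"{principal}: network logon is not denied")
        if key in deny_console:
            # The notes state that logging in at the workstation must still work.
            findings.append(f"{principal}: console logon is denied too")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GOOD) or ["policy matches"]:
        print(finding)
```

A real export is normally UTF-16 encoded, so decode the file before passing its text to `audit`.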