Notes from the Collaborative IT Discussion on Wednesday, June 11th.  Thanks to everyone who attended and joined in the discussion, and especially to Wes Wright and Hope Greenberg for the demonstration of Big Blue Button.


Project Updates


Not much in the way of news. Email and calendar project is progressing, still on track for a product selection by end of June (hopefully). University Policy prohibits substantive discussion of the merits of proposed solutions outside of the RFP committee.


Big Blue Button


Wes Wright gave a demonstration of Big Blue Button, which is an amalgam of open source technologies that provide online meetings with shared whiteboard, session recordings, and Blackboard integration. UVM employees may create their own meetings at and explore the capabilities of the system.


Hope has offered to provide a “Blackboard for IT Support Staff” session at an upcoming Collab. IT Discussion. Stay tuned.


Pass-the-Hash exploits and mitigations


I gave a digested version of a really good session from Microsoft TechEd 2014, Pass-the-Hash: How Attackers Spread and How to Stop Them. One issue is that an attacker can essentially collect the credentials of any user that has logged into a workstation. If those credentials have access to other workstations, then the attacker can connect to each workstation in turn and harvest a growing set of credentials. Eventually, the attacker hopes to find a credential that has admin rights to a server, and can move closer to compromising the entire organization.


One small change that we have made is to prevent the *-tech accounts, which have local admin rights to all workstations, from being used to access workstations across the network. This doesn’t prevent using them to log into a workstation. Similarly, we prevent local workstation accounts from being able to access other computers. This prevents the problem presented by workstations that all have a common password on the local administrator account.


This change makes it harder for an attacker to move laterally through an organization, harvesting credentials and hunting for privileged accounts.
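
One way to check that a workstation actually carries this restriction, added here as an example and not taken from our deployment: the script below parses the text of a `secedit /export` policy file and reports whether local accounts and the tech accounts are denied network logon. It assumes the restriction is applied through the "Deny access to this computer from the network" user right (`SeDenyNetworkLogonRight`); the tech group SID and both sample files are constructed placeholders.

```python
import configparser

# Well-known SIDs: "Local account" and "Local account and member of Administrators group".
LOCAL_ACCOUNT_SIDS = {"S-1-5-113", "S-1-5-114"}
# Constructed placeholder SID standing in for a group holding the *-tech accounts.
TECH_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-4444"

# Constructed samples in the format written by `secedit /export /cfg policy.inf`.
# (Real exports are UTF-16; decode the file before passing its text in.)
WEAK_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""
HARDENED_INF = WEAK_INF.replace(
    "SeDenyNetworkLogonRight = *S-1-5-32-546",
    "SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113,*" + TECH_GROUP_SID,
)


def deny_network_logon_entries(inf_text):
    """Return the principals listed under 'Deny access to this computer from the network'."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep the case of the privilege names
    parser.read_string(inf_text)
    raw = parser.get("Privilege Rights", "SeDenyNetworkLogonRight", fallback="")
    return {e.strip().lstrip("*").upper() for e in raw.split(",") if e.strip()}


def audit(inf_text, required_sids=(TECH_GROUP_SID,)):
    """List the gaps that would still allow network logon with these accounts."""
    denied = deny_network_logon_entries(inf_text)
    findings = []
    if not denied & LOCAL_ACCOUNT_SIDS:
        findings.append("local accounts are not denied network logon")
    findings += [f"{sid} is not denied network logon"
                 for sid in required_sids if sid.upper() not in denied]
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(name, audit(text) or "OK")
```
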


Two additional points:

1. If you are running as a non-administrative user for your work, it’s much harder for an attacker to harvest any credentials at all. It’s a really good practice; if you aren’t doing it yet, please give it a try.

2. If you have a netid.adm account, treat that as a high-value target. Don’t use it to manage user workstations; only use it on systems that you trust.


If you have a chance, check out the full TechEd session video; it’s both amusing and terrifying.


UVM Login Two-Factor Authentication


Mike Austin gave a preview of coming capabilities of the UVM Web Single Sign-on solution. The support for two-factor authentication, using a variety of mechanisms including SmartPhone App, hardware token, SMS/Text code, and more, will be required eventually for users with certain roles in PeopleSoft.


Don’t panic. There will be lots of communications around any new requirement, including documentation and information for IT support staff.


More meetings


We’re looking at scheduling a Group Policy workshop in mid-July, and the next Collaborative IT Discussion in early-ish August. We’ll likely be in the process of deploying a new email and calendar solution, so I imagine there will be plenty to discuss.


Thanks, and as always, please let us (or IT-Discuss) know what you’re thinking about these discussions.




Geoffrey Duke
802.656.1172 |
Sr System Administrator | Enterprise Technology Services | University of Vermont