Date | Host | Agenda | Notes, decisions and action items |
---|---|---|---|
| John Echeveste (Unlicensed) | Dell not shipping machines with Windows 10 starting June; Using Identity API for NetID name mapping script; Windows Server 2012/2012 R2 EoL - Sam
| |
| Andrew Espinoza | Remote Workstation Solutions: Update on Kerberos and Netlogon roadmap and implementation; Using Identity API for NetID name mapping script
| Alex Mook described ARIT's current remote workstation solution, which uses a mixture of Citrix, VPN, etc. Mehrshad Moghimi provided a doc about AWS WorkSpaces (AWS_Workspaces - Google Docs) and gave a setup demo. Using retail pricing for an estimate is advised, as it gives you the higher threshold of cost, but there is a discount for campus cloud.
While not a remote workstation solution, the Library uses Azure Lab Services for remote classroom labs; ask Andrew Espinoza if interested. SOC has Guacamole as an RD gateway solution, offered as a best-effort service. AppStream is also an option if a full desktop environment is not needed. ITS offers ScreenConnect as a service. Usage increased during the pandemic. On-prem Windows Remote Desktop Services is possible, but not compatible with campus AD.
|
| John Echeveste (Unlicensed) | Endpoint Topics: Tenable/Nessus client deployment for all endpoints; FireEye Agent client deployments for all endpoints; Bitlocker; LAPS and local account password management; Kerberos hardening patches / roadmap
| Roger Padilla: Kerberos and Netlogon updates and roadmap
- Blog post for Kerberos and Netlogon
- Currently in phase 1 of deployment
- Patch Tuesday updates did include an issue
- Some current clients (e.g., Linux) will be affected
- Some legacy Windows operating systems will also be affected
- Alex Mook will check with Mike Franklin about rules to put in place for Splunk to assist with auditing
John Echeveste (Unlicensed): Nessus endpoint deployments. Who has started deploying?
- Ken (ARIT?) has deployed to over 1000 endpoints
- Alex Mook and his team have been dealing with the reports. It’s a bit overwhelming
- Don Kileen is happy to report back to SOC for better reporting
- Deploying for endpoints is trickier due to the installer wanting to use network security contact (at home host, or on wireless)
FireEye agent deployment
Bitlocker - built-in full disk encryption; typically required for mobile devices with sensitive information
- John Echeveste (Unlicensed): ITS/ETS starting to roll out for all endpoints
- GPO requirement to have recovery key escrowed to AD
- Only on endpoints with TPM
- So far, no performance issues for endpoints
- Also putting the recovery key with Datto RMM
- Only a solution for domain-joined computers
- Andrew Espinoza and Dan O'Brien also deploying at the library
- Jim Woods: Is there an existing recovery document/KB that we could reference or point to?
LAPS - Local Admin Password Solution
- Use case is for student techs accessing endpoints, and being able to restrict access and rotate quickly
- Randomize and escrow (and encrypt) your local admin passwords in your Active Directory
- https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
- Built in to Windows 11
- Will be built in to AD and Windows Server (current or coming?)
- Will need to extend your AD schema
- Will need to add a client to your computers (endpoints? servers?)
- Be careful about permissions
- There is also macOS LAPS
|
| Jim Woods | Windows Authentication and AD horror show stories | Campus outage issues
- Andrew Espinoza: Library EZ-Proxy depends on Campus LDAP
- Sam Hunter: Campus AD was down. Secondary location for Pub Safety will be used for additional resiliency
- DR sites in the cloud
- Alex Mook: Backup systems like Cohesity and Rubrik can restore to the cloud. Need the rest of the infrastructure to use that as a proper DR site.
- Andrew Espinoza: Domain endpoints (client) - dependencies on on-premise DCs
- Hank Rayner: Storage replication between local sites
- Is there an RCA yet for the outage? Coming soon
- Glen Nason (Unlicensed): Recovery of systems and the order, based on dependencies to sequence the recovery
SHI check-in and gripes
|
| Alex Mook | | - Jim Woods will host the next meeting
- Most groups using SCCM for imaging, Datto or other tools for config
- ARIT and ETS have recurring issues with SCCM, “it’s a beast”
- Library, ARIT and ETS all looking to migrate or upgrade in the near future
- ARIT, ETS, and SA all using SCCM for multiple domains
- Get SCCM admins access to shared resource page
- HelpDesk Endpoint Topics for next meeting, pressing needs and tools/tricks
- Future topics:
  - Workspaces
  - Bitlocker
  - LAPS and local account password management
  - Windows 11 and infrastructure support for it
  - Tenable/Nessus
  - User onboarding/offboarding, lifecycle management
|
| John Echeveste (Unlicensed) | | |
| John Echeveste (Unlicensed) | PSA for EOL and EOS of Windows Server 2012 and 2012 R2; PSA - EOL for SQL Server 2012; SHI issues; Remote Management, Patching and Software Deployment; Moving local user IDs to NetID
| - Action Item: Migrating local user IDs to campus NetIDs
|
| Sam Hunter | | - Action Item: Add custom Splunk AD dashboards to GitHub repo
- Action Item: Could we create a shared AD Dashboard?
|
| John Echeveste (Unlicensed) | IE 11 EOL FireEye rollout Monitoring Survey Patching
| |
| Andrew Espinoza | Microsoft Licensing (MCCA); Information sharing; Encryption, Certificates, and PKI infrastructure; Available Lightning Talks
| |
| Andrew Espinoza | | |
| Jim Woods | Initial kickoff; Introductions
| |