Monthly Meeting Agenda and Notes 2/22-2/23

Meeting overview

Monthly meeting for the Microsoft Admins User Group. The purpose of this user group is knowledge sharing between various IT experts around campus. The group is open to all campus IT staff who have an interest in talking and learning about administration of the Microsoft Ecosystem.

Some sample topics to get the conversations started:

Active Directory & Identity Integration
How-to: Creating a Campus Active Directory Trust
Splunk Logs for Active Directory
Firewalls with Group Policy
Account Creation Workflows
Server Core
Introduction to security technical implementation guide (STIG). Based on Department of Defense (DoD) policy and security controls.

The sessions will be an open format, so feel free to stop in just to listen or stick around with questions and conversation about the various topics.

✅Open action items

Running List of tasks or open action item discussed over the previous meetings.

John Echeveste (Unlicensed) publish the STIG GPOs that the campus AD team came up with
Action Item: add custom Splunk AD dashboards to Github Repo
Action Item: Could we create a shared AD Dashboard?

📝Meeting minutes

Date	Host	Agenda	Notes, decisions and action items
17 Feb 2023	John Echeveste (Unlicensed)	Dell not shipping machines with Windows 10 starting June. Pushing Windows 11 with Datto. Using Identity API for NetID name mapping script Can then be used to “sync” user status with identity, account lifecycle stuff. Reminder about Powershell and MAUG github repos Windows Server 2012/2012 R2 EoL - Sam What issues are people facing?	Windows 11 Should still be able to get current machines being sold for another year to support Win10. ITS will start deploying Win11 in June when machines with Win11 start shipping. How to get ready for Windows 11 Skilling snack: Windows end-user readiness - Microsoft Community Hub David Lynch looking into using MECM for Windows 11 in place upgrades ITS and Library planning to use Datto Identity API for NetID name mapping script This is a script from John Echeveste (Unlicensed) to help map local AD users to netID. It is not authoritative, but can get you most of the way. Make sure the check. https://github.com/ucsb/msadmins/tree/main/IdentityTools
20 Jan 2023	Andrew Espinoza	Remote Workstation Solutions: RD Gateway or Terminal Server Guacamole Cloud-based Workstations AWS Workspaces Azure Labs and Windows 365 ScreenConnect other solutions from MAUG members Update on Kerberos and netlogin roadmap and implementation KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 https://dirteam.com/sander/2022/11/08/spend-some-time-on-properly-configuring-and-monitoring-your-domain-controllers-this-patch-tuesday/ using Identity API for NetID name mapping script	Alex Mook described ARIT' current remote workstation solution. Uses mixture of Citrix, VPN, etc. Wants one solution. Looking at netscaler (citrix), splashtop (datto), RDP proxy Mehrshad Moghimi provided this doc about AWS workspaces and gave a setup demo AWS_Workspaces - Google Docs Using retail pricing for an estimate is advised as it gives you the higher threshold of cost, but there is a discount for campus cloud While not remote workstation, Library uses Azure Lab Services for remote classroom labs. Ask Andrew Espinoza if interested. SOC has Guacamole as an RD gateway solution, best-effort service. Appstream is also an option if a full desktop environment is not needed. ITS offers screenconnect as a service. Usage increased during the pandemic. Site license. Tom Howard in ITS is the person to contact. On-prem Windows Remote Desktop Service is possible, but not compatible with campus AD. NPS in a one-way trust would need to setup and managed in the netid.ucsb.edu domain.
18 Nov 2022	John Echeveste (Unlicensed)	Endpoint Topics: Tenable/Nessus client deployment for all endpoints. FireEye Agent client deployments for all endpoints Bitlocker LAPS and local account password management Kerberos hardening patches / roadmap	Roger Padilla Kerberos and netlogin updates and roadmap Blog post for Kerberos and Netlogon currently in phase 1 of deployment patch tuesday updates did include an issue some current clients (ex, linux) will be affected also some legacy Windows Operating Systems will be affected Alex Mook will check with Mike Franklin about rules to put in place for Splunk to assist with Auditing John Echeveste (Unlicensed) Nessus endpoint deployments. Who has started deploying? Ken (ARIT?) has deployed to over 1000 endpoints Alex Mook and his team have been dealing with the reports. It’s a bit overwhelming Don Kileen is happy to report back to SOC for better reporting are rreports coming daily or monthly is it possible to get access to tenable dashboard/interface? deploying for endpoints is trickier due to the installer wanting to use network security contact (at home host, or on wireless) John Echeveste (Unlicensed) solution using OU? willing to share scripts FireEye agent deployment Time to start deploying No plans to renew the Sophos licenses at this time Bitlocker - built in full disk encryption. is typically required for mobile devices with sensitive information John Echeveste (Unlicensed) ITS/ETS starting to roll out for all endpoints GPO requirement to have recovery key escrowed to AD only on endpoints with TPM so far, not performance issues for endpoints also putting the recovery key with Datto RMM only a solution for domain-joined computers Andrew Espinoza and Dan O'Brien also deploying at the library Jim Woods is there an existing recovery document/KB that we could reference or point to? LAPS - Local Admin Password Solution Use case is for student techs accessing endpoints, and being able to restrict access and rotate quickly randomize and escrow (and encrypt) your local admin passwords in your Active Directory https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview built-in to Windows 11 Will be built-in to AD and Windows Server (current or coming?) Will need to extend your AD schema Will need to add a client to your computers (endpoints? servers?) Be careful about permissions There is also MacOS LAPS escrow keys to an MDM provider (Jamf)
19 Oct 2022	Jim Woods	Windows Authentication and AD horror show stories	Campus outage issues Andrew Espinoza Library EZ-Proxy depends on Campus LDAP Sam Hunter Campus AD was down. Secondary location for Pub Safety will be used for additional resiliency DR sites in the Cloud Alex Mook Backup systems like Cohesity and Rubrik can restore to the cloud. Need the rest of the infrastructure to use that as a proper DR site. Andrew Espinoza Domain Endpoints (Client)- dependencies on on-premise DCs Hank Rayner - Storage replication between local sites Is there an RCA yet for the outage? Coming soon Glen Nason (Unlicensed) - recovery of systems and the order, based on dependancies to sequence the recovery SHI check-in and gripes
16 Sep 2022	Alex Mook	Infrastructure as Code Configuration Management Resource Deployment SCCM What do you use SCCM for? What are your sticking/pain points? Who’s doing what? SCCM Best Practices and Shared Resources Page Andrew Espinoza Terraform Demo Endpoint and Helpdesk topics What’s a pressing need? Any tools or tricks to share?	Jim Woods will host the next meeting Most groups using SCCM for imaging, Datto or other tools for config ARIT and ETS have recurring issues with SCCM, “it’s a beast” Library, ARIT and ETS all looking to migrate or upgrade in the near future ARIT, ETS, and SA all using SCCM for multiple domains Get SCCM admins access to shared resource page HelpDesk Endpoint Topics for next meeting, pressing needs and tools/tricks Future topics: Workspaces Bitlocker LAPS and local account password management Windows 11 and infrastructure support for it Tenable/Nessus User onboarding/offboarding, lifecycle management
19 Aug 2022	John Echeveste (Unlicensed)	New Dell standards in Gateway, new Dell rep AD Audit, complete? Reminder about AD and Endpoint audits DOD STIG overview from Keith Jakobs (Deactivated) Rundeck Demo from Mark Norstedt	Windows 11 - Is anyone working on this yet? John Echeveste (Unlicensed) will send info about Dell updates to CSF Keith Jakobs (Deactivated) and John Echeveste (Unlicensed) publish the STIG GPOs that the campus AD team came up with
15 Jul 2022	John Echeveste (Unlicensed)	PSA for EOL and EOS of Windows Server 2012 and 2012R2 PSA - EOL for SQL Server 2012 SHI issues Remote Management, Patching and Software Deployment Survey of what people are using now DATTO Demo Moving local User Ids to netid Why? How? What are the drawbacks?	Action Item: Migrating Local users IDs to Campus NetIDs
17 Jun 2022	Sam Hunter	PSA for EOL and EOS of Windows Server 2012 and 2012R2 Splunk for Windows M365/AzureAD App Demo Splunk “Apps” to look at M354, InfoSec, Observability Mike Franklin has a custom Dashboard for On-premise Active Directory Audit Rules shared best practices request	Contact Info: Mike Akita, Splunk Sr Sales Engr. makita@splunk.com Action Item: add custom Splunk AD dashboards to Github Repo Action Item: Could we create a shared AD Dashboard?
20 May 2022	John Echeveste (Unlicensed)	IE 11 EOL Fireeye rollout Monitoring Survey SCOM (Systems Center Operations Manager) (no current users) LogicMonitor - a few users Naggios - a few users Zabbix - a few users Patching Roger Padilla to talk about Windows patch rollouts in ETS ARIT is using Datto
15 Apr 2022	Andrew Espinoza	Microsoft Licensing (MCCA) Information sharing MCCA 2018 Presentation link Encryption, Certificates, and PKI infrastructure Available Lightning Talks Interfacing between Campus Identity API and your local Active Directory using Powershell
18 Mar 2022	Andrew Espinoza	About Campus AD How to set up a One-way Trust with Selective Authentication
18 Feb 2022	Jim Woods	Initial kickoff Introductions