Nebula Bronze Services
This is a description of the Nebula Bronze service, and the responsibilities of both the Nebula support team and the department requesting Bronze services. As described on the Nebula home page under What is Nebula?, Nebula is a system of networked personal computers, centrally managed and supported by UW Information Technology. Nebula PCs are networked to a Windows domain, which provides the following services:
- Network file services, including both shared and private directory space
- Domain accounts and security groups, which protect access to shared files, applications and other domain resources
- Backup and emergency file restore services
- Network printer and fax services
- Automated operating system updates including hot fixes and security patches
- Regular scans of local workstations to identify problems with operating systems, virus updates, automatic update services, and other security related areas.
Nebula Gold is a full-service, managed desktop option that provides complete software update management and a wide array of technical support and consultation services.
Nebula Bronze is a managed desktop option designed for departments that have onsite technical support staff who can provide local desktop and application support, but want access to a professionally managed domain with secure file and print services. All software is provided and installed by the support staff; Nebula then regularly updates the operating system and virus software.
Nebula Bronze computers:
- Use a Nebula-supported operating system (Windows XP Professional, Microsoft Vista Ultimate, Microsoft Vista Enterprise).
- Use a supported anti-virus tool (currently McAfee VirusScan 8).
- Receive operating system patches, service packs and virus updates via network distribution.
- Gain access to Nebula domain resources, including secure file services and network print services.
- Are managed by local technical staff. This includes hardware and software application support, maintenance, licensing, and any problems indicated by the regular Nebula scanning reports.
- Support responsibilities
Local support staff will support and troubleshoot the Windows operating system, all desktop applications, and any problems indicated by the Nebula scan reports. No software or hardware support is offered by Nebula for Bronze systems, other than that described above. Bronze client departments will identify primary and secondary local support people, who are given additional rights to perform the required functions. Nebula staff will consult with the local support staff on the process of adding a Bronze system to the Nebula domain. Local support staff perform all Nebula conversions themselves (more information is given in the Implementation section below).
Local support staff are responsible for reporting security incidents to Nebula Support, to minimize the possibility of contagion.
- Domain accounts
Nebula domain accounts will be created for all client staff who require them, based on a valid UW NetID.
- Local accounts
Nebula uses group policy to rename the default 'Administrator' account. No change is made to the password. The local 'Guest' account is also renamed, and a secure password is assigned. Local support staff manage credentials for all local accounts, including the renamed 'Administrator' account.
- Remote management
Nebula domain administrators must be able to remotely manage Nebula Bronze workstations. Workstations are monitored for operating system version and service pack level, and antivirus DAT file revision level. Local support contacts will be notified about any problems, and are responsible for fixing them. If a system remains in conflict with domain policy for a period of time, it will be dropped from the domain. Local support staff will then work with Nebula support staff to ensure a system is in compliance before it is rejoined to the domain.
- Server services
Nebula Bronze workstations may run services that listen on the network, and are remotely accessible, so long as the appropriate security measures are in place (see Firewalls, below).
A firewall or similar network access control system is required for UW owned/operated machines, as outlined on the Minimum Computer Security Standards page. Nebula uses group policy to configure the built-in Windows Firewall so that remote management is possible. Local administrators may add additional firewall rules to the Windows Firewall, or disable the Windows Firewall completely, and use a different network access control method. Where local administrators choose to use the Windows firewall, they typically may not configure the ports controlled by the default domain policy. Where local administrators require additional exclusions for the Windows firewall, such as for RDP and SMB, they should contact Nebula Support.
If a client wishes to use IPSec filters or the UW Information Technology Logical Firewall to perform a similar function, Nebula will provide guidelines for doing so. Any other firewall is unsupported. If remote management functions are disabled by such software, local support staff will be given notice to comply with domain policy requirements. If they do not comply, the problematic computer will be removed from the domain until the problem is solved. Specific information on the firewall policy is in the Firewalls on Nebula Bronze Workstation and Local Servers section below.
- Remote Control software
Only the built-in Remote Desktop and Remote Assistance services are permitted for remote control of a Nebula system. Software which is not permitted includes, but is not limited to, PCAnyWhere, ControlIT, GotoMyPC, etc. Remote control software installed on a Nebula system to connect to a system elsewhere is generally prohibited as well.
- Network drives
Network access is granted via the I:\groups (shared) and H:\ (private) drives, and these drive letters need to be available for this purpose. Nebula will assist the department in moving files from any local servers to Nebula servers. Files stored on the networked drives are routinely backed up. The last several daily backups are available for user retrieval from I:\snapshots.
- Software updates
The required settings for Bronze workstations are to turn on both Windows updates and virus updates. Bronze workstations are sent specified software updates daily (operating system patches, service packs, hot fixes, and virus updates). Nebula will check to ensure that Bronze workstations have a current operating system, a current antivirus DAT file, and functional automatic updating of the operating system. Nebula will notify local support staff if these items are found to be out of compliance. These must be fixed by the local support staff, or Nebula will remove the vulnerable system from the domain. Use of the supported anti-virus client is required on Bronze workstations. The client can download the Sophos Anti-virus software from the UWare site.
Additional software available
- Microsoft Exchange
The client can request user accounts on the UW Information Technology Microsoft Exchange server and pay for ongoing maintenance costs on these accounts via UW budget. The client is responsible for installing, configuring and updating the client software on each Bronze workstation as well as troubleshooting any issues.
- Virtual Private Network connectivity (VPN)
The Nebula Virtual Private Network is a service provided to help clients using a Nebula computer while connected to the Internet but not on the UW campus network. The VPN ensures a secure, encrypted connection into the domain, and provides access to Nebula resources. You will find instructions and a setup program on the Connecting When Out of the Office page.
As stated above, all software and hardware support for Bronze systems is provided by the client’s local technical support staff, although Nebula Support will assist in troubleshooting specific network connectivity and VPN problems.
Implementing Nebula Bronze Services
Nebula Support staff are available for consultation on the initial Bronze conversions within a department. Subsequent conversions, and all support, will be handled by the client’s local support staff, who are responsible for performing the following activities.
- Adding a new system to the Nebula domain:
- Ensure that the system is running a fully patched Windows XP Professional or Vista operating system, and the current anti-virus software.
- Log into the local administrative account using the local administrative password.
- Add the correct WINS settings to any active network connection.
- Using your Nebula credentials, join the system to the Nebula2 domain. Do not reboot. After the reboot and the application of the Nebula policies, the built-in administrator account will be renamed and the password will be changed, so this account will become unavailable for your use. The built-in guest account will be changed in the same way. Thus, you should add any Nebula2 groups or accounts to the local admin group prior to rebooting the system and finishing the domain join. You will use these Nebula2 accounts in the future to perform functions requiring administrative privileges. Nebula will remove any non-Nebula2 accounts in the
- You may create other, administrator-level local accounts. Information on migrating profiles is found at Microsoft's Step by Step Guide to Migrating Files and Settings.
- Email the names of the new Bronze systems to nebula @ u.washington.edu, so they can be claimed into the correct domain organizational unit as Bronze devices, and added to the appropriate department for billing purposes.
- Once you receive confirmation of step #5, reboot and log into the Nebula2 domain with an authorized Nebula account, to apply domain group policy and see the H: and I: drives.
- Install the current anti-virus software, Sophos, from the Control Panel - Run Advertised Programs (RAP). Note: It may take up to 20 minutes for the RAP list to populate; it may be blank initially.
- Removing and re-adding a system:
You may need to remove and re-add a system to a domain, for renaming or troubleshooting purposes. Prior to removing the system, you must create a local account and add it to the local admin group. You will use this account once the system has been rebooted to log in, and then re-add it to the domain with your Nebula credentials. We suggest you delete this local account afterward to remove the possibility that it could be compromised. Nebula currently does no password strength checking on local accounts.
On-going Technical Support
Local support staff are responsible for managing and maintaining all aspects of the Nebula Bronze computer. For each Bronze computer, a single email address will be identified by the local support staff as the "managed by" contact for that computer. Regular scans are done of all Nebula computers to identify security vulnerabilities. For Bronze computers, these reports will be emailed to the "managed by" contact for the computer. Local support staff are responsible for fixing any problem indicated by the scans, within a reasonable timeframe.
Clients using Nebula Bronze Services
This section is for clients who are using the Nebula Bronze service on their desktops. For a description of the Nebula Bronze service, and the responsibilities of both the Nebula support team and the department requesting Bronze services, please see the Nebula Bronze Services section above.
As described in that section, Nebula Bronze desktops must be using an approved operating system (currently Windows XP Professional), and antivirus program (McAfee VirusScan v8). Nebula provides software updates to the operating system and virus program, and network services for printing and faxes. When using your Nebula Bronze service, keep the following in mind:
- You have been given file space on secure servers. You'll find this at H:\ and I:\groups. The H: drive is private, only your login will have access. The I:\groups drive is a shared drive for your department's use. Inappropriate uses of the Nebula file space are outlined on the Nebula File Storage Policy section of the Nebula Policies page.
- You can restore lost or damaged files yourself, from the I:\snapshots directory. See the Nebula File Restores page for more details.
- You'll need to log into your Nebula account regularly, because unused Nebula accounts are disabled.
- If you choose to manually update your Windows system, be sure to comply with any requested reboots.
You are welcome to browse the main Nebula web site; many pages have useful information.
Please remember that all support is provided by your local support team, so contact them with any questions. They may request that you follow basic problem reporting procedures. When necessary, they will contact the Nebula support team for additional assistance.
Firewalls on Bronze systems
Nebula policy permits firewalls on bronze workstations and local servers provided they meet the criteria documented here. The intent of these criteria is to provide access for remote manageability by Nebula support staff, as well as compliance with the UW minimum data security standards. The "no firewall" policy remains in effect for kiosks, gold workstations and managed servers. These systems are protected by other means.
We strongly encourage clients to use the Windows firewall if they feel they need a firewall, but they can choose any firewall product they like. Nebula (or one of our UW Information Technology partners) will provide limited support if they choose any of the following:
- the Windows firewall
- IPSec filtering
- the UW Information Technology managed firewall
Other products are unsupported.
- Using Windows Firewall
Because we are administratively configuring the settings of the Windows firewall for specific ports to provide access for Nebula support staff, the client will be unable to configure the ports documented in the criteria here. For instance, this means that the client won't be able to add their home computer to the scope of the RDP port, tcp 3389. They'll receive an error message similar to: "Windows Firewall cannot add the port 'TCP 3389 (rdp)' to the list of exceptions, possibly because the port you are trying to add is already included in a service, such as File and Printer Sharing." We have included the network segment where the Nebula VPN servers live, so any computer using the Nebula VPN has access to the ports automatically configured. This is a failing in the design of the Windows Firewall product which will hopefully be addressed in future versions. In the meantime, the VPN is a good workaround that should meet all client needs for access to those ports.
- Using IPSec Filtering
IPSec filtering is permitted if the configurations meet the criteria listed below.
- Using the UW-IT Managed Firewall
From networks with IP addresses assigned of the form:
Some firewall products do not understand the 'slash' notation, so it may be necessary to also provide the corresponding subnet masks:
- for /24 use 255.255.255.0
- for /27 use 255.255.255.224
These ports should be open:
- tcp: 135, 139, 445, 3389
- udp: 137, 138
- icmp: all
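The criteria above (the required tcp/udp/icmp exceptions, scoped to the Nebula management networks, and the /24 and /27 masks for products without slash notation) can be checked against a host's rule set before Nebula's own compliance scan does it for you. The following is an added example written for this page, not Nebula's scanner or any UW tool. The page does not list the actual Nebula management networks, so the two networks below are constructed placeholders from the RFC 5737 documentation ranges; the port list and prefix lengths are the ones given in the policy. It also covers the Windows Firewall case described earlier, where a local rule scoped only to a campus subnet would leave the management network without access.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Exceptions the policy requires, keyed by protocol. "icmp: all" has no
# port concept, so it is represented by a single None entry.
REQUIRED_PORTS = {
    "tcp": [135, 139, 445, 3389],
    "udp": [137, 138],
    "icmp": [None],
}

# Constructed placeholders (RFC 5737 documentation ranges): the policy page
# omits the real Nebula management networks, so substitute the real ones here.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/27"),
]


def cidr_to_netmask(prefix_len: int) -> str:
    """Expand /N notation to a dotted netmask for products that lack slash notation."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


@dataclass(frozen=True)
class AllowRule:
    """One inbound allow rule as a host firewall would express it."""
    proto: str                        # "tcp", "udp" or "icmp"
    port: Optional[int]               # None means any port (or icmp)
    source: ipaddress.IPv4Network     # scope: who may reach this port


def rule_covers(rule: AllowRule, proto: str, port: Optional[int],
                net: ipaddress.IPv4Network) -> bool:
    """True if `rule` admits proto/port from every address in `net`.

    A rule scoped to a supernet (e.g. 0.0.0.0/0) covers the management
    network; a rule scoped to a sibling subnet does not.
    """
    if rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return net.subnet_of(rule.source)


def missing_exceptions(rules, mgmt_nets=MANAGEMENT_NETWORKS):
    """Return (proto, port, network) triples that `rules` fails to allow."""
    gaps = []
    for proto, ports in REQUIRED_PORTS.items():
        for port in ports:
            for net in mgmt_nets:
                if not any(rule_covers(r, proto, port, net) for r in rules):
                    gaps.append((proto, port, str(net)))
    return gaps


def _rules_for(nets, proto_ports):
    """Build one explicit allow rule per required port per management network."""
    return [AllowRule(proto, port, net)
            for proto, ports in proto_ports.items()
            for port in ports
            for net in nets]


# Constructed sample: a host configured exactly as the policy asks.
COMPLIANT_HOST = _rules_for(MANAGEMENT_NETWORKS, REQUIRED_PORTS)

# Constructed sample: a local admin scoped RDP and SMB to the first network
# only, allowed UDP from anywhere, and forgot ICMP altogether.
PARTIAL_HOST = [
    AllowRule("tcp", 135, MANAGEMENT_NETWORKS[0]),
    AllowRule("tcp", 139, MANAGEMENT_NETWORKS[0]),
    AllowRule("tcp", 445, MANAGEMENT_NETWORKS[0]),
    AllowRule("tcp", 3389, MANAGEMENT_NETWORKS[0]),
    AllowRule("udp", None, ipaddress.ip_network("0.0.0.0/0")),
]

if __name__ == "__main__":
    for prefix in (24, 27):
        print(f"/{prefix} -> {cidr_to_netmask(prefix)}")
    for name, host in (("compliant", COMPLIANT_HOST), ("partial", PARTIAL_HOST)):
        gaps = missing_exceptions(host)
        print(f"{name}: {'OK' if not gaps else f'{len(gaps)} missing exceptions'}")
        for proto, port, net in gaps:
            print(f"  {proto} {port if port is not None else 'all'} from {net}")
```

The check is deliberately per management network rather than per rule, which is what matters operationally: a rule that allows RDP from one /24 still leaves the /27 unable to reach the workstation, and that is the condition that would get the machine dropped from the domain after the two-week notice period.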
Scanning for Compliance
Nebula will scan to see if bronze/local servers meet the firewall criteria. When a computer is found to not meet the criteria, the owner will be notified of the need to come into compliance with the criteria documented within this policy. The owner will have a period of 2 weeks to come into compliance. If the computer isn't in compliance by the end of that period, it will be removed from the domain. The computer can return to Nebula when it's brought into compliance.
If you have questions or suggestions, please forward them to nebula at u.washington.edu.