March 2005 Update

In This Update

• BizTech 2005: March 17
• Technology Advisory Committees Updates
• • U-TAC: Minimum Computing Security Standards
  • I-TAC: Final Recommendations on UW Administrative Systems Projects
• ASTRA: Easier, More Secure Access to UW Administrative Systems
• UW Founding Member of Calendar Consortium; Hosts Meeting
• UW Email Issues
• • .Zip Email Attachments to Be Allowed
  • Some Outbound Spam Email Is Now Discarded
  • Email Reliability: Focus of New Project

BizTech 2005: March 17

The second annual technology fair for UW faculty and staff is set for Thursday, March 17. BizTech 2005 will showcase the latest business technologies in use at the UW, with exhibits and presentations from 9 a.m. to 3 p.m. in the HUB ballroom. No need to register this year. Learn how new and existing technologies at the UW can provide improved access to information and enhance and support effectiveness on the job.

For more information about BizTech 2005, see http://www.washington.edu/admin/biztech/ or contact Clarice Hall, Event Coordinator, ckhall@u.washington.edu, 206-616-1328.

Technology Advisory Committees Updates

U-TAC: Minimum Computing Security Standards

A set of minimum computer security standards for the UW, approved by the University Technology Advisory Committee (U-TAC) and reviewed by the Board of Deans, will now be sent to the President for final endorsement.

The standards cover all computing devices connected to the UW network, including desktops, laptops, servers, PDAs, office machines, and other devices. They call for basic security measures that will help protect UW computing devices from viruses, worms, and other security hazards. The standards can be viewed at: http://www.washington.edu/computing/security/pass/MinCompSec.html

The standards follow from the existing UW "Information Systems Security Policy" and are part of a larger effort to prevent misuse of computer-based information and systems at UW. In directing this effort, U-TAC concluded that many of the nearly 80,000 devices on the UW network are currently under-managed (i.e., not getting regular operating system updates, anti- virus updates, etc.) Any single machine that is vulnerable to attack represents a significant risk to the entire institution; hence the importance of ensuring that every computer on the UW network is properly configured and updated, creating a more secure network for all.

A U-TAC subcommittee consisting of the Privacy Assurance and System Security (PASS) Council plus representatives from the Faculty Senate, the Office of Research, and the Academic Technology Advisory Committee (A-TAC) developed the standards. The process included broad review by UW computing directors and system administrators. The result balances the strategic objectives of U-TAC with the needs and concerns of the UW community. As a next step, the PASS Council will begin work on a companion standard for protecting the information stored on UW computers, as well as defining best practices to complement the minimum standards.

For more information contact Terry Gray, Associate Vice President, IT Infrastructure, gray@cac.washington.edu, 685-4729.

For more information on the Technology Advisory Committees, including agendas and meeting materials, see the Technology Advisory Committee Web Site at: http://www.washington.edu/president/tacs/

I-TAC: Final Recommendations on UW Administrative Systems Projects

The Information Technology Advisory Committee (I-TAC) has made its final recommendations on which projects should move forward of the 23 submitted for consideration under a new approval system for UW administrative system projects. The committee has proposed that six already funded projects move forward, and nine others be considered for funding. For a list of recommended projects see http://www.washington.edu/president/tacs/itac/meetings/2005/materials/proj.group.pdf (The committee recommended that Group A move forward and that Groups B, C, and D be considered for funding.)

The committee's recommendations are advisory. They have been endorsed by U-TAC and will now go to the Provost to inform the University's budget process. The new approval process, adopted by I-TAC in May 2004, requires all major UW administrative projects to be reviewed and prioritized by the committee.

For more information, contact Sara Gomez, Director, Administrative Information Services, sarag@cac.washington.edu, 543-1135.

For more information on the Technology Advisory Committees, including agendas and meeting materials, see the Technology Advisory Committee Web Site at: http://www.washington.edu/president/tacs/

ASTRA: Easier, More Secure Access to UW Administrative Systems

University-wide adoption of ASTRA advanced significantly during January and February, providing faster, easier, more secure authorization to UW administrative systems. ASTRA allows managers to quickly and easily authorize access to administrative systems over the Web, and also controls access to those systems. ASTRA provides full visibility of who can access what, and complete audit trails of all authority decisions.

Administrative units across the UW have now identified senior administrators who will serve as authorizing agents responsible for delegating authority to manage access to UW administrative systems through ASTRA. After undergoing training, they will be able to successfully delegate authority to other managers within each unit, who will in turn manage staff access to administrative systems.

The number of systems using ASTRA (which stands for Access to Systems, Tools, Resources and Applications) has steadily increased over the past year, and will soon include the following:

• Financial Desktop
• SIMS (Space Inventory Management System)
• Time Reporting
• OARS (Online Accident Reporting System)
• MyGradProgram
• Affirmative Action
• OPUS (Online Payroll Update System)

ASTRA replaces the multiple authorization procedures currently in use, which make authorization a cumbersome and time-consuming process that is difficult to manage and track.

For more information, contact Ian Taylor, Manager, Security Middleware Unit, iant@cac.washington.edu, 543-3565.

UW Founding Member of Calendaring Consortium; Hosts Meeting

The UW is one of five university founding members of a new consortium that is focusing on ways to get different calendaring and scheduling products to interoperate. The consortium, CalConnect, also includes vendors and open source foundations.

The goal is to enable cross-organizational calendaring and scheduling in environments such as the UW that use different calendaring products. The consortium, formed in December 2004, is making much more progress on calendaring interoperability than previously seen in this area. In mid-January, the UW hosted CalConnect for a roundtable where UW Calendar open source staff participated in interoperability testing of several products.

The other founding members are Duke University, EVDB, Isamet, Jet Propulsion Laboratory, Meeting Maker, M.I.T., The Mozilla Foundation, Novell, Open Source Application Foundation, Oracle Corporation, Stanford University, Symbian, UC Berkeley, University of Wisconsin Madison, and Yahoo! Inc.

For more information, contact Oren Sreebny, Director, Client Services & Learning Technologies, oren@cac.washington.edu, 543-5415.

UW Email Issues

.Zip Email Attachments to Be Allowed

Later this month, .zip, .exe, and .rar email attachments will once again be delivered to UW Email inboxes. These file extensions have been blocked because they are likely to spread viruses. But C&C is deploying a new approach that will allow these files to be delivered. The approach involves renaming the files and will require some extra steps to open them. Hopefully this approach will prevent people from inadvertently opening a virus-laden file while allowing needed files to go through.

For more information, see http://www.washington.edu/computing/email/manage/blocking.html which will have the latest details as they become available.

Some Outbound Spam Email Is Now Discarded

Some outbound spam from UW email accounts is now being discarded to reduce the risk that Internet Service Provides (ISPs) will block legitimate UW email. ISPs have been blocking email from sources that produce large amounts of spam. To reduce the amount of spam that is passed out from the UW, outbound messages with a spam score of 99 or 100 percent began being discarded effective March 8. This same policy is in effect for inbound messages.

For more information, see http://www.washington.edu/computing/email/spam.html

Email Reliability: Focus of New Project

A number of Internet phenomena including spam, viruses, phishing, and even legitimate bulk email can disrupt normal email flow on and off campus. In our continuing efforts to deal with these problems, C&C is launching a new project focused on email reliability. Major goals include:

• Keeping the UW off spam blacklists, which can prevent UW email from reaching its destination
• Protecting the UW infrastructure from load spikes due to email volume, which cause delays in message delivery and could shut down UW Email services

Blacklisting: Many organizations (including the UW) and email service providers such as AOL and MSN block incoming spam and virus-laden messages. They may use blacklistsInternet addresses or names believed to be associated with spammers. Blacklists are often created and maintained by third-parties, in order to help organizations make decisions about which incoming email to block.

Because of the size of the UW community and the relative openness of our email services, a large number of sources within the UW have sent spam and virus-laden email, which already has resulted in UW email being blocked (blacklisted) by AOL and other ISPs for a period of time. These sources within the UW include:

• Desktop computers infected with viruses or spambots designed to send spam
• Servers open to relay messages sent by spammers
• Spam passed along via UW account forwarding
• Messages from poorly managed distribution lists
• UW bulk messages that the recipient classifies as spam

Steps must be taken to prevent the UW from getting on blacklists, otherwise legitimate email from the UW will not get delivered reliably.

Load Spikes: Use of email at the UW continues to increase. With increased volumes have come greater magnitudes of load spikes, which sometimes outstrip the system capacity.

Overall email volume increased 54 percent in 2004 over 2003. About half of that rise was due to spam and virus traffic. In addition, UW departments increasingly use bulk email for marketing and communications, sometimes mailing to thousands of recipients. In combination, these factors result in the heavy load on the UW's email message handling infrastructure that can sometimes result in widespread delays and potential loss of messages.

Your Input Sought: This project will investigate technical and training/awareness options available to keep UW email systems off blacklists and to manage email traffic to ensure reliability. A large challenge is the rapidly changing email environment, with spammers using new techniques, new forms of viruses being developed, ISP's implementing new defenses, and more and more departments starting to do business via bulk email.

As plans develop, we will seek input from computing directors, departments, and units, and share them in these Updates. Feel free to contact us with your comments and suggestions.

For more information, contact Dave Wall, Email Reliability Project Manager, davidw@cac.washington.edu, 543-8491.