Blog Posts



During the 2019 Wall-to-Wall inventory campaign, a collaborative pilot program between IT and Berkeley Lab Property Management used BigFix to certify the existence of DOE-tagged assets. Any DOE-barcoded system running BigFix on LBL's network was automatically verified for inventory purposes, without the barcode being scanned. This saved property reps and staff the tremendous amount of time normally spent digging through closets and desk drawers for missing laptops. Over 3500 DOE assets were accounted for in BigFix.


Since 2019, BigFix has scanned over 5000 DOE assets. Given the current COVID-19 pandemic and the Shelter-In-Place (SIP), BigFix has become more crucial than ever for inventory tracking. The lab has implemented safety rules to minimize exposure to COVID-19, and many lab employees are working remotely, which makes tracking and scanning inventory more difficult.


The use of BigFix during the 2019 Wall-to-Wall inventory was a success; let's make the 2021 Asset Inventory campaign even better.

Feel free to reach out to IT if you have any questions. You can contact our IT support staff by:

Your upgrade to macOS Big Sur has been blocked for now.

Apple has recently released their newest operating system, Big Sur. We would like to caution our users to be careful before installing this upgrade; see "MacOS Big Sur compatibility: Find out if your device will work with the new OS" and "macOS 11.0 Big Sur: The Ars Technica review".

IT recommends NOT upgrading at this time. Currently there are Berkeley Lab enterprise applications that may not work, such as Sophos, VPN, and Zoom. There are some known issues with some Adobe products. Note that all 32-bit applications are incompatible with Big Sur.

If you have BigFix installed, Berkeley Lab IT will be blocking the upgrade at this time until compatibility issues are addressed. If you attempt to install Big Sur, a pop-up browser window will open to this article.

If you choose to upgrade, please address the following:

  • Is your computer compatible?

  • Are all your peripheral devices compatible?

  • Is all your installed software compatible?

  • Do you have the installers for that software, if you need to reinstall?

  • If you do upgrade, do you have a full backup of your computer?

Feel free to reach out to IT if you have any questions. You can contact our support staff by:

The Druva inSync service will be changing effective January 1, 2021. To maintain the current service model and pricing of $57 annually, the data volume allowed to be backed up will be limited to a total of 1TB per user. For users who exceed 1TB of backed-up data, the annual cost will increase to $642. You will still be able to back up as many as 10 devices.

To avoid this increase in cost, we recommend you move your data to the enterprise storage solution, Google Drive, using either Google Drive File Stream or Google Backup and Sync. If you use either option, you must uncheck the local file folder Google Drive in your Druva inSync backup account to avoid backing up this data to Druva. This will prevent you from going over the 1TB limit.

Once your data has been moved, notify our Druva inSync Team so we can remove your old snapshots to reduce your backup size below 1TB. 

If you would prefer assistance moving your data or setting up either Google solution, you can simply reply to this email and a help ticket will be generated. You can also contact the Help Desk by chat at go.lbl.gov/itchat.

Apple has recently released their newest operating system, Big Sur. We would like to caution our users to be careful before installing this upgrade; see "MacOS Big Sur compatibility: Find out if your device will work with the new OS". These are the questions you need to ask yourself before leaping:

  • Is your computer compatible?

  • Are all your peripheral devices compatible?

  • Is all your installed software compatible?

  • Do you have the installers for that software, if you need to reinstall?

IT recommends not upgrading at this time. Note that all 32-bit applications are incompatible with Big Sur. Additionally, Sophos version 9.9.7 and Spirion are both not compatible at this time. There are also some known issues with some Adobe products.

If you do upgrade, make sure to back up your computer before installing.

Feel free to reach out to IT if you have any questions. You can contact our support staff by:

Update Chrome Now


In October, Google confirmed a serious Chrome security issue. This security vulnerability is a memory management error that can enable the execution of malicious code on a user’s computer; see "Google reveals Chrome zero-day active attacks".

IT recommends that users immediately update Chrome by restarting it. Users should verify they are running at least version 86.0.4240.111. The current version is 86.0.4240.111. For your reference, Google provides Chrome update instructions here.

Thanks to BigFix, the IT Workstation Support Group will be distributing a communication to users who still have the vulnerability. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.

Berkeley Lab IT has released Microsoft’s latest updates for Windows 10, which contain patches for critical security vulnerabilities. One of these, CVE-2020-16898, has been identified by the Cyber Security group as a mandatory update. As such, all Windows 10 systems at the Lab MUST be updated and may be blocked from the network if they are out of compliance.

  • If you get a Reboot Reminder from BigFix, it means that Windows is attempting to install updates, and needs to be restarted to complete the process. Your system will remain vulnerable until the reboot is completed.

  • For systems that are not getting automatically updated, BigFix will prompt you to install the updates directly from our BigFix server. If you get a BigFix patch notification, you will need to take recommended actions in order to protect your system. BigFix will reboot your system upon completion.

Please note that systems that are enrolled in BigFix Passive Management Mode will not be patched or rebooted by BigFix, and users are responsible for installing required updates by running Windows Update.  For information regarding Windows Update, see Microsoft’s site, Update Windows 10.

Thanks to Windows Server Update Service (WSUS), Windows Reboot Reminders, and BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.

Reminder: always keep your operating system up to date, your applications patched, and your system rebooted at least once a week! Follow IT Best Practices to ensure computer health.

All LBNL users should now be able to see the new Chat features in Gmail by refreshing Gmail on their Web browsers and updating their mobile applications. Remember that chat notifications on your mobile device are disabled until you install and authorize the new Google Chat app on your device.

For more information on using Google Chat, as well as other collaboration tools to keep your remote and hybrid teams in sync, visit IT’s new team collaboration site at https://worktogether.lbl.gov/.


We’re excited to share that we’ll be transitioning everyone at the Lab to Google’s next-generation collaboration product, Google Chat. Chat has a modern UI, team rooms that support better team collaboration, and bots to help you be more productive, and it integrates with Gmail so that your chats can be accessed directly from Gmail.

Beginning on September 30th, 2020, all users will be using Chat for 1:1 direct messages (DMs), group messages, and team discussions. Classic Hangouts apps will be turned off. Your view of chat in apps, in your browser, and in Gmail will all change as part of this upgrade.

How do I get Google Chat? It's important to do the following before September 30th as classic Hangout apps will stop working:

  • Explore the new Web experience at chat.google.com
  • Download the new mobile app for Android or iOS
  • Download the new standalone desktop app if you've been using the classic Hangouts Chrome extension or app. You'll be able to access the desktop app from a prompt that will appear inside chat.google.com
  • Sometime on or after September 30th, you will be able to refresh your Gmail to get the new Chat in Gmail experience.

Again, please make sure you install the Chat mobile app (Android or iOS) before September 30th to minimize chances of missed messages.

Where do I find my old chats?

  • You will be able to continue recent 1:1 direct messages from classic Hangouts in Google Chat, but group messages from classic Hangouts (including their history) will not be migrated to Google Chat.
  • All previous chat history from classic Hangouts will be accessible in Gmail.
  • The classic Hangouts web interface for chat, hangouts.google.com will remain available during this transition in case you need more time to access and move certain group conversations. Users cannot chat in classic Hangouts by visiting hangouts.google.com in a mobile browser.
  • The classic Hangouts bot in Chat will also notify you of missed group messages from classic Hangouts.

What are the limitations of Chat?

  • Group messages from classic Hangouts (including their history) will not be migrated to Chat. Users can still access these group messages in hangouts.google.com.
  • If you have important groups in classic Hangouts, you will need to recreate them as Rooms in the new Chat.
  • Direct messages to groups and rooms that are started in the new Chat will not appear to users outside LBL who are still using the classic Hangouts apps. 
  • Direct messages to groups and rooms that are started in the new Chat will not appear to users who are still using the classic Hangouts apps.  Ask those users to switch over to the new Chat.
  • Rooms are available to people outside LBL, but you must specify the Room as "External" when you create it. Personal Google Accounts can access Rooms through the web interface, but will not see their room-based messages integrated into chat within their Gmail client. Note that UCB is already on this version of chat, so your colleagues on campus will see the same experience as you do.

Where do I go for help?

  • G Suite Learning Center for more information about the new Chat
  • Our Help Desk is ready to answer your questions; send us an email at help@lbl.gov.
  • We’ve also created a Chat room to help with Q&A

IT Division - Collaboration Services Team

IT Support Services, in collaboration with Cyber Security, has published new guidelines on Active Directory (AD) user accounts and password policies; see Active Directory Account Policy. All AD user accounts will require a password change every 365 days.

Beginning November 1, 2020, all AD account passwords that are set to “Never Expire”, including those of service accounts, will be set to expire and will require user intervention to reset the password. Users can refer to the AD Password Change FAQ page for support.

For more information on AD policies and procedures, see our Active Directory FAQ.

On Saturday, September 12, 2020, between 10 PM and 12 AM Sunday, IT will be performing an upgrade of the servers that handle Multi-Factor Authentication (MFA) for the Lab.

While we expect limited to no interruption to the MFA service during this period, there is a potential for outages lasting as long as 30 minutes. If such an outage occurs, it may impact logging into services that require MFA, including the Lab's Web single sign-on service at login.lbl.gov, FMS, and IT's HPC clusters.

During the upgrade period, users will not be able to create or modify existing tokens. Should you use a Yubikey during this period to log in and later experience problems, we recommend that you log in to the MFA Management application at https://identity.lbl.gov/mfa and resync the affected token.

If you experience any other issues with your MFA tokens or Yubikey, please contact the IT Help Desk at help@lbl.gov.

As of January 14, 2020, Microsoft stopped support of Windows Server 2008 and 2008 R2. Computers running Windows Server 2008 and 2008 R2 will no longer receive security patches. It is highly advised that all systems running Windows Server 2008 be upgraded immediately.

As of September 15, 2020, all Windows 2008 servers will be blocked unless registered for an exception. For further information, see Windows 7 and Server 2008 Disallowed. To avoid cyber blocking, request an exception here.

For help procuring Windows Server 2019 licenses, contact licenses@lbl.gov.

Additionally, if you are using older hardware and need to retire it, you may want to consider migrating the system to IT’s Science Virtual Machine (SVM) hosting service. 

If you need help upgrading your server OS, or are interested in SVM, REQUEST HELP. 


The read-only issues with the Lab's Bitbucket repositories have been resolved as of 5:35PM, so repositories are writeable again.

The issues were first reported at 3:40PM (Pacific).

On Thursday, August 6 at 6PM, commons.lbl.gov, the Lab's Confluence server, was offline for about 3.5 hours during a maintenance window.

DHS has issued Emergency Directive 20-03 on this vulnerability, which can be viewed here: https://cyber.dhs.gov/ed/20-03/. (Article quoted below for posterity)

Here is a description of the vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 (Article quoted below for posterity)

Please note that while the vulnerability only affects servers with DNS services, Cyber is required to report on the patch status today (July 20, 2020) and Thursday (July 23, 2020).

Please patch servers immediately by installing Windows Updates.



If you are not able to patch for some reason, e.g. Windows Server 2012 without ESU, then you can apply the workaround described here. 


https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability


Article Quotes for Posterity

DHS Emergency Directive 20-03


July 16, 2020


Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday


This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-03, “Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday”. Additionally, see CISA’s blog post.


Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)


Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).


Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)


These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background


On July 14, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems CVE-2020-1350. A remote code execution vulnerability exists in how Windows Server is configured to run the Domain Name System (DNS) Server role. If exploited, the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an unauthenticated attacker sends malicious requests to a Windows DNS server.


The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch. Aside from removing affected endpoints from the network, there are two known technical mitigations to this vulnerability:


    1. a software update, and
    2. a registry modification.


CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.


CISA requires that agencies apply the security update to all endpoints running Windows Server operating system as soon as possible. A registry modification workaround can help protect an affected Windows DNS server temporarily (until an update can be applied), and it can be implemented without requiring a restart of the server. The registry modification workaround will cause DNS servers to drop response packets that exceed the recommended value without error, and it is possible that some queries may not be answered. The registry modification workaround is compatible with the security update but should be removed once the update is applied to prevent potential future impact that could result from running a nonstandard configuration.


Required Actions


This emergency directive requires the following actions:


    1. Update all endpoints running Windows Server operating systems.

      a. By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.

      b. By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.

      c. By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.


CISA recommends agencies focus on updating Windows Servers running the DNS role first.


These requirements apply to Windows Servers in any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.


In instances where servers cannot be updated within 7 business days, CISA advises agencies to consider removing them from their networks.


    2. Report information to CISA

      a. By 2:00 pm EST, Monday, July 20, 2020, submit an initial status report using the provided template. This report will include estimated status information related to the agency’s current status and will identify constraints, support needs, and observed challenges.

      b. By 2:00 pm EST, Friday, July 24, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).


CISA Actions


    • CISA will continue to monitor and work with our partners to identify whether this vulnerability is actively being exploited.
    • CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).
    • Beginning August 13, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate and based on a risk-based approach.
    • By September 3, 2020, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.


Duration


This emergency directive remains in effect until all agencies have applied the July 2020 Security Update or the directive is terminated through other appropriate action.


Microsoft CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability

Security Vulnerability

Published: 07/14/2020 | Last Updated : 07/15/2020
MITRE CVE-2020-1350

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.



As of January 14, 2020, Microsoft stopped support of Windows 7. Computers running Windows 7 will no longer receive security patches. Most machines are able to upgrade to Windows 10; see Windows 7 End of Life and Upgrade to Windows 10. If you are running legacy software or have computers attached to scientific equipment that only work with Windows 7, you must register them with IT or risk being blocked from the network. Windows 7 computers which have not been registered on the Windows 7 Exception Request Form will be blocked after June 30, 2020.

