Berkeley Lab IT has released Microsoft’s latest updates for Windows 10, which contain patches for multiple critical security vulnerabilities. One of these, CVE-2020-0601, has been identified by the Cyber Security group as a mandatory update. As such, all Windows 10 systems at the Lab MUST be updated, and may be blocked from the network if they are out of compliance.
Most systems have already been updated using the recommended Windows Update settings, but there are still many systems which remain vulnerable. To address these remaining vulnerable systems, Berkeley Lab IT is using BigFix to ensure patches are updated:
If you get a Reboot Reminder from BigFix, it means that Windows is attempting to install updates, and needs to be restarted to complete the process. Your system will remain vulnerable until the reboot is completed.
For systems that are not getting automatically updated, BigFix will prompt you to install the updates directly from our BigFix server. If you get a BigFix patch notification, you will need to take recommended actions in order to protect your system. BigFix will reboot your system upon completion.
Please note that systems which are enrolled in BigFix Passive Management Mode will not be patched or rebooted by BigFix, and users are responsible for installing required updates by running Windows Update. For information regarding Windows Update, see Microsoft’s site, Update Windows 10.
Thanks to Windows Server Update Service (WSUS), Windows Reboot Reminders, and BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.
Reminder: always keep your operating system up to date, your applications patched, and your system rebooted at least once a week! Follow IT Best Practices to ensure computer health.
Just as your operating systems need to be patched, so do your browsers. Mozilla recently disclosed a critical vulnerability in Firefox, and advises all users to patch it immediately:
If Firefox is configured to update automatically, patching is as simple as restarting your browser. Users should verify they are running at least version 72.0.1. For your reference, Mozilla provides instructions for updating and verification here.
Thanks to BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.
Lastly, users should follow IT Best Practices to ensure computer health.
IT Workstation Support has catalogued the recent issues users have encountered when upgrading their system to the latest macOS Catalina. They are:
32-bit applications will not run on Catalina, see table below
Top 10 32-bit Applications in-use
Microsoft Word, what version?
Microsoft Excel, what version?
Microsoft PowerPoint, what version?
mdworker32 (Office365 process)
Adobe Acrobat XI Pro (This software is out of compliance and must be upgraded to the subscription version, see Adobe Acrobat Pro DC)
Carbonite (This software is no longer the Lab’s enterprise backup software, see Druva inSync)
Adobe Application Manager
Applications will request proper permissions to run
Chrome Remote Desktop
Download and install latest driver (beta release), https://www.displaylink.com/downloads/macos
Toshiba copiers fail to print with a “filter failed” error message
On Mac OS 10.15 Catalina, you need to allow Zoom access to Screen Recording to share your screen.
As with any major operating system upgrade, users should always do the following:
Perform a hardware assessment and check for compatibility
Mac compatibility list - see https://support.apple.com/en-us/HT210222
User must check with the hardware vendor for any external equipment
Perform a software assessment and check for compatibility - users can check https://roaringapps.com/ for software compatibility
Ensure you have all software licensing information if you need to reinstall software
Perform a data assessment and backup all data
Perform upgrade in place or from scratch
If you upgrade to macOS Catalina and something stops working, contact IT User Support at x4357 or email help@lbl.gov and we will be glad to help.
As of Oct 17, 2019 Workstation Support is under guidance from LBL cybersecurity to remove CCleaner from all Lab systems.
On computers that have BigFix (Active Mode) installed, a pop-up will appear informing the user of the action and providing a button to click for easy uninstallation.
We are looking at other options to handle the functions that CCleaner provides, but in the short term, we need to remove it from all Lab systems. Workstation Support will be removing CCleaner beginning Friday, Nov 1, 2019.
Additionally, the free version of CCleaner cannot legally be installed on Laboratory computers.
CCleaner can be removed either via BigFix or via the Windows standard "Add and Remove" programs menu.
If you don't have BigFix installed on your system, please see our IT Software Download Page at https://software.lbl.gov/.
If you need help removing CCleaner, please contact the Help Desk at xHELP (x4357).
Just a reminder that on June 1, 2019, Malwarebytes was no longer being offered by Berkeley Lab IT. Existing clients will continue to function, but will not receive updates. IT recommends that users uninstall Malwarebytes. This can be done manually, or users can wait until they see a BigFix Offer from IT, which will remove the application automatically. For further information, refer to our Malwarebytes FAQ site.
Berkeley Lab computers are constantly under attack, but what should we, as users, do to protect ourselves and our systems? According to research conducted by Google, users and security experts often have different ideas about which steps are best to take.
To make it easier, Berkeley Lab IT has developed a series of IT Best Practices that all staff should follow when using Lab computers. These best practices address the most important security recommendations, data protection, and performance optimization.
IT Best Practices include:
Install BigFix on ALL computers. BigFix is used to help keep your operating system and common applications up to date. There is even a Passive mode that you can use if you don’t want any updates done automatically.
To make sure that updates are installed, it is also essential that you REBOOT your computer regularly! BigFix will also tell you when your system needs a reboot.
Use LastPass, a password manager which IT provides for free. LastPass makes it easy to make sure you always use strong, unique passwords.
Enroll in the Lab’s Multi Factor Authentication (MFA) system. With MFA enabled, an attacker who knows your Lab password still won’t be able to log in.
Install Sophos on all workstations. Sophos is provided for free by Berkeley Lab IT.
Use Druva inSync to back up your workstation data ($51/yr for up to 10 computers).
Use VPN when on public networks (including LBL’s Visitor Wireless) or on travel. It is a good idea to use VPN whenever possible while offsite.
As most people know, keeping your software updated is the number one thing you can do for cyber security. What is less well known is how important this is on mobile devices, such as iPhones and Android devices. A recent set of vulnerabilities announced in iPhone devices both makes it a priority to update now and serves as a reminder of the importance of updating regularly.
You can read more about the newly announced vulnerabilities at https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
There is good news: update and reboot your iOS devices now to ensure they are secure.
On August 13, 2019 Microsoft released a warning to update and reboot your system due to new Microsoft Remote Desktop Services vulnerabilities:
This affects the following operating systems:
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012
Microsoft Windows Server 2008
Microsoft Windows 10
Microsoft Windows 8
Microsoft Windows 7
Berkeley Lab IT suggests all Windows users patch and reboot all systems immediately. Updates will also be released using BigFix for systems that were not patched through normal operations.
Advice: Always keep your system and all software up to date and REBOOT at least once a month.
On January 14, 2020, Microsoft will stop releasing updates and critical security patches for Windows 7, leaving Windows 7 systems unable to be secured and putting your personal data and the Lab at risk. Due to this, Windows 7 computers must be updated to Windows 10.
What should I do?
In most cases, upgrading your system to Windows 10 is straightforward, and may not even require you to buy a new Windows license. Options and instructions for upgrading your system are available at Windows 7 End of Life.
Can IT help me with my upgrade?
Yes, IT can upgrade your system for you. The cost to perform a Windows 10 upgrade is $250 (additional license costs may apply). To get started, email firstname.lastname@example.org.
What if my system is too old to run Windows 10?
IT can help you get a new or used computer. Visit go.lbl.gov/get-a-computer to browse our standard models, and to submit an order. The cost to deploy a workstation is $250.
What if I need my system to keep running Windows 7?
Many computers run equipment or software that is not compatible with Windows 10, and which cannot be replaced or upgraded. Please report such systems to IT by submitting a Windows 7 Exception Request.
What will happen if I don’t upgrade my system?
If and when a critical vulnerability is exposed in Windows 7, LBL IT will block all Windows 7 systems from the network. The most recent vulnerability of this type was discovered in May 2019; fortunately Microsoft had not yet ended support for Windows 7.
We’ve all heard the stories about major data breaches at some of the largest online businesses. 3 billion Yahoo customers had their usernames and passwords compromised, leaving those users vulnerable to hackers. Target was breached in 2013, exposing the information of 41 million customers.
A strong password is no longer enough to protect you and your data. Multi Factor Authentication (MFA) provides a second layer of security beyond your username and password. Think of it this way: your username and password are “something you know.” MFA requires both “something you know” and “something you have.” At Berkeley Lab, the “something you have” is a physical token that will generate a unique one-time password (OTP). Under MFA, a hacker who has your credentials still can’t access your account, because they lack the “something you have.”
Berkeley Lab has implemented MFA protection for your Berkeley Lab Identity. As a computing best practice and to help protect you against credential theft, you can choose to add MFA protection for your Single-Sign-On (SSO) logins, such as Gmail, Google Calendar, Google Team Drive, LETS, HRIS, etc.
To set up MFA, simply go here.
Detailed instructions are available in the Multi Factor Authentication Instructions page.
For additional help, create a ticket by emailing email@example.com.
If you need to contribute to the IT FAQs and find you do not have permission, contact the Help Desk and ask to be added to the Commons faq editors group.