Skip to main content
Sign In |
  Help (new window)

Information Tech Blog

Go Search
FUSD
Fresno.K12
Board of Education
Community
Departments
Families
Schools
Students
  

Categories
Category 1
Category 2
Category 3
Other Blogs
There are no items in this list.
Links
Photos
Archive
Archive (Calendar)
FUSD > Departments > Information Technology > Information Tech Blog

1/19/2010

Windows 7 Security

Windows Security in the era of Windows 7 ®
An FUSD Perspective    

 

A Brief History of Windows Security

Revised Local Administrator model for FUSD

Delegation in Systems Center Configuration Manager (SCCM)

Summary

 

A Brief History of Windows Security

Windows 7 has finally eliminated a long standing security vulnerability within Windows XP and NT that has existed for "centuries" in web-time (about 10 years.) This improvement should result in significant productivity improvements for Enterprise IT staff everywhere. Although most people never followed the 'best practice' account setup recommendations from Microsoft for Windows XP--even those who knew better--everyone really should have. If everyone had done so, the result would have been a world with dramatically less malware sloshing through both users' computers and the Internet. Antivirus companies wouldn't have a billion dollar market niche, you wouldn't see those "speed up your PC now!" commercials on late night TV, Apple would have to come up with new material for their commercials, and global IT-based productivity would have been a lot higher over the last decade.

What was this best practice? It had to do with a very simple issue: how you login to your computer for day-to-day work. The most secure way to use Windows XP was to have, at a minimum, two accounts: one, the "Administrator" account, that had full privilege to the machine to allow software to be installed and system changes to be made, and the second, a "user" account, with "standard" privileges, with which one did day-to-day work. The "Administrator" account was only to be used at those infrequent times when one was installing a new device or a new software package.

For system administrators, the rationale behind enforcing this practice was that you didn't want your users to do all of their daily work using an "Administrator" level privileged account. That is, if you, the user, always did your "work" as a normally-privileged user, malware would have less of a means to gain a foothold and take control of your computer (and spread across the network to other computers, a Rolaids® swigging moment for your network administrators.)

Of course, doing things this way was a major inconvenience: people didn't want to have to log off, log on as an Administrator, do some software or peripheral installation task, log off again, and then log back in as a standard user. Especially when it took 20-30 seconds for each logoff/logon. So naturally, people decided to just assign their day-to-day user account full Administrator privileges, so as not to be bothered with all of the account switching back-and-forth, and go on their merry way. Of course, Microsoft didn't make it easy, at least until recent years, to quickly switch to "Administrator" context from a standard user account, so most people took the path of least resistance. And malware, of course, went on its merry way, infecting millions of computers as a result.

In a large enterprise IT environments, out of a desire to contain the malware side effects of this practice, it became common practice to "lock down" managed Windows XP computers, and deny ordinary users the ability to login as an Administrator-level user. This made life for the system administrators much easier -- fewer "virus spill in aisle 9, bring your mop" calls to deal with. But it also made life more difficult for the user population, who now could not install software or add peripherals without an IT staff member assisting. This model of "Administrator user lock down" does not scale at all well for large enterprises, because it places a heavy burden on IT support, particularly in an environment that lacks remote assistance technology. At FUSD, with computer to technician ratios exceeding 1000:1, it creates massive service bottlenecks, with or without remote assistance tools.

With Vista and Windows 7, the execution model is different than it is in Windows XP from a security standpoint. In Windows XP, if your user account was configured an "Administrator", then you ran all of your programs, all day long, as a highly-privileged user (including when you clicked those email links that make your IT staff cringe.) That presented lots of opportunities for malware to "leak" into your computer undetected.

In Windows 7, by contrast, even if your user account has been granted elevated "Administrator" privileges, you still run day-to-day programs as a standard user, only switching to "Administrator" on demand, e.g. to install software or make some significant system change. When you run something that requires elevated rights, a window pops up on your screen, and you can only click "OK, proceed" from the local keyboard (In Windows 7, "OK" can't be clicked by remote control, which helps to prevent malware attacking your computer across the network from elevating its own privileges without your knowledge.)

This is the reason for those "security popups" that Apple's marketing campaign took amusing aim at in its negative TV commercials against windows Vista. It is a great idea, in concept: alert the user anytime a "significant" change is being made to the computer, so that the user is aware of the change and has the ability to reject unexpected changes made maliciously.

With Windows Vista, however, the default settings were too "sensitive", with the result that security popups were appearing much too frequently for comfort. What should have been a welcome security improvement became viewed as a major annoyance and distraction (and great fodder for Apple.) In later revisions of Vista, and in Windows 7, the "noisiness" was dialed down to a more acceptable level, and there are now far fewer such security prompts.

With Windows 7, one can therefore "unlock" the desktop in an Enterprise environment, relax the draconian policies, and allow the user to have "Administrator" rights to his or her own PC, without running at an unreasonably elevated risk level. It is still true that users may make changes to their computers that IT Staff would rather they did not, and they can still ignore the security popup after clicking on a suspicious link in their email, but at least a reasonable balance can be struck between providing a more friendly "unfettered" user experience and implementing a stringent lock down policy that causes productivity to fall and support costs to skyrocket. Although there are still vulnerabilities, the balance results in significant reductions in time lost to battling virus outbreaks, but the remaining malware cleanup work must be weighed against higher user productivity that results from users having more control over their own workstations.

Revised Local Administrator model for FUSD

The new Local Administrator model for FUSD, which is made possible with Windows 7, is summarized as follows:

  • All computers belonging to the District must be domain joined. This is the cornerstone to central management.
  • All local user accounts with Administrative privileges (and arguably, ALL local user accounts) should be deleted on domain joined PCs*, and only Domain credentials should be used (certain Servers may be exempted.)

    This practice:

  1. Eliminates "anonymity" and makes it possible to audit who actually did what as a privileged user. If the log files only say "User Administrator performed the following action at <timestamp>" its impossible to know who was logged on as the Administrator and who actually did the deed.
  2. Allows a password complexity/expiration policy to be enforced.
  3. Removes a vector for malware to spread easily between machines that have the same username\password combinations for local user accounts.
  4. Allows Enterprise-wide revocation of access when an employee leaves, and his or her account is disabled in Active Directory.
  5. Can be implemented easily through Active Directory Group Policy using Restricted Groups.
  6. Allows Credential cache expiry to be controlled through GP, which can remove easy access to disabled or unauthorized users after a certain period of time has elapsed without the computer "checking in" with Active Directory (the current setting is 30 days.)

* Caveat: in our current environment, some users login to their PCs every day with the username "Adminstrator", "Teacher", "Student", or some other local account name instead of using Domain Credentials. The desktop profiles for these users need to be migrated to their domain user profiles before the local account is deleted, so that their personal files are not lost.

  • The Builtin\Administrators group on domain-joined PCs should contain an AD Security Group whose members are to be assigned Local Administrator rights to the PCs in specific Organizational Units (OUs). (These groups have already been built.)

    For instance, suppose that there are both Staff and Student computers at Addams Elementary. Then the AD Group "Addams Local Administrators" is included by Group Policy in Builtin\Administrators group for all machines at Addams Elementary in either the STAFF or STUDENTS domain, so that a member of this AD group has administrative rights to all of these PCs.

  • The domain login for the user who "owns" the PC should be added to the Builtin\Administrators group.

This allows the user to install software and peripherals as desired on his or her computer, which improves user experiences and reduces unnecessary support calls. This privilege could, of course, be remotely "revoked" for non-compliant users who deliberately and repeatedly ignore anti-malware recommendations (clicking willy-nilly on links in suspicious emails, visiting tainted web sites, etc.)

Delegation in Systems Center Configuration Manager (SCCM)

The system of AD Groups that have been created to support this new Local Admin model (example: "Addams Local Admins") can also be used to assign IT staff delegated rights to groups of computers in SCCM (whether the computers are grouped by OU, or by some other grouping method.)

As mentioned earlier, placing IT staff in these AD Groups makes it very easy to revoke privileges from users who should no longer have the ability to administer FUSD computers, and it allows rights to be "managed" so that service personnel only have unrestricted access to computers at certain sites, instead of providing them with difficult-to-revoke access to all computers everywhere, as is the current practice in that it relies on the use of a "standard" Administrator account that all support staff (and most tech savvy students) know.

The existence of this "micros" account is also exploited by malware to rapidly spread between sites, because it too has a time-invariant password that does not meet complexity requirements and confers Administrative rights to the account.

Summary

Microsoft made a wise decision to study the habits of its users, the vulnerabilities of its OS products, and the techniques used by malware writers, and to then modify the ways in which it handles privilege escalation in Windows 7 based upon the lessons it found. Looking back a decade from now, we may be able to say "Windows 7: that was the decision that changed everything for us, and made the Internet safer to use and our IT infrastructure easier to support."

Posted at 4:51 PM by Eric Tilton | Permalink | Email this Post | Comments (1)

12/16/2009

Content Filtering Brouhaha

Wednesday's TAC meeting left us with a painful dent in our credibility in the area of content filtering. While Kurt was expecting that we were not allowing Google, Yahoo, or Bing image searches to return results in other than safe search mode (or in the case of Google lately, not at all) it turns out, according to several teachers, that we were actually allowing "Moderate" safe search through on Bing. "Moderate", it turns out, is embarrassingly poor at stopping offensive imagery, as Kurt tried and discovered while hoping to prove the teachers wrong.

At first glance, it looks like we messed up pretty seriously on this one; one teacher at the TAC meeting said "why are YOU GUYS setting the search mode to Moderate instead of Safe"? Well, the truth is, "we" don't set search to Moderate at all; it turns out this is the default for Google and Bing. However, we should have been aware of that fact, and been more aggressive in our filtering (e.g. stopping both safe search off, and moderate search on.) Once I dug a little deeper, the following facts surfaced:

  1. Bing, which emerged in the spring of 2009, initially had NO means to filter adult material, by any of the 'traditional' methods: cookies, URL parameters, or domains. This was really bad, and it initially sent corporations and filter appliance makers scrambling for solutions to block adult material through Bing. It wasn't until mid-June that Microsoft offered two solutions to this problem: (1) they added a URL parameter (&adlt=strict) to allow URL rewrites to force safe search on with Bing; and (2) they moved all of the cached images and videos stored by Bing to a separate domain explicit.bing.com, which could be blocked with a simple URL match. This was an interesting and ingenious twist that leapfrogged Bing ahead of its competitors, who had not yet thought of solving the problem that way.
  2. Google, meanwhile, made a subtle change in its search filtering, although I don't know exactly when: whereas the Fortinet IDS (Intrusion Detection System) pattern we have been using for some time was looking for safesearch=off in the HTTP get stream, Google is now using URL parameters &safe=active or &safe=off (not clear yet if the cookie variable still uses safesearch=off, but the URL parameter is different.) Question: shouldn't Fortinet be updating these IDS patterns under subscription? If not, why not?

When you think about it in depth, the problem we have with Fortinet1 comes down to this: because of its design, it is really good at SUBTRACTING things at wirespeed, which is arguably its competitive advantage. That is, if it sees a pattern in the URL stream that is undesirable, it can (in a sense) SUBTRACT the HTTP response, and therefore terminate the connection to block offensive material. So we could, for example, detect either search engine settings for BOTH safe search off, and moderate search on, and inform the user through an replacement error page (while SUBTRACTING the search engine result page) that they need to first set safe search = strict in the preferences for various search engines in order to use them. But this is an annoyance that will trigger a blizzard of help desk calls until people understand it.

What we really need, in the case of the search engine URLs, is ADDITIVE behavior: for instance, we want the appliance to be able to APPEND the URL parameter &safe=active to the end of a Google query URL, or &adlt=strict in the case of a Bing query URL. Doing so would force safe search results to be returned, no matter what the user was trying to do. This is evidently what the 8e6 web filtering appliance used to do, but it could not handle anything close to the 300 Mbits/sec that we see with Fortinet (ours topped out at less than 40 Mbits/sec.) The "ADDITIVE" behavior described here is typically something you expect web proxy servers to do: because they sit "between" the client and the web server, they can rewrite the URL to append these parameters.

So the problem we need to solve is this: How can we perform URL rewrites for Bing, Google, Yahoo, and other search engines?

  1. Can the Fortigate appliance can do URL rewrites and append the &safe=active etc.? If it can, why have we been using the less effective "detect and block" IDS patterns instead? If it can't, how can Fortinet claim to have a solution for content filtering in the K12 space, where parameter forcing for safe search is pretty much demanded?
  2. If Fortigate cannot rewrite the URL, can the Cisco Firewall handle it, since it is doing deep packet inspection?
  3. Is there possibly any way to handle URL rewrites in Internet Explorer, with Group Policy?
  4. The ACE module in the data center 6509s can do URL rewrites when it acts as a load balancer; but is there any capability in the metro switch for URL rewrites? (I would suspect not, but I don't know for sure.)
  5. If none of the above work, there's always Microsoft's ISA server: it probably can do URL rewrites, since it basically is a proxy server. We already know we want to implement ISA as part of the ATLAS project; we may therefore have a need to accelerate its deployment to address this filtering problem if none o the other solutions pan out. But can ISA handle the throughput we need? I assume that there's some "load balanced" configuration for scaling ISA to higher bandwidths, but I'm not certain.

     

 

 

  1. at least, given what I know right now; calling Patrick McHale may clear this up
Posted at 10:21 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

10/27/2009

Enabling OCS and UM using the STS tool

 

Provisioning OCS access with STS (Hey, it's acronym soup!)

You can now enable or disable Office Communicator R2 access, and Exchange Unified Messaging Access, from within STS, beginning with STS version 1.380 and higher.

Office Communicator allows the user to:

  • Chat with other FUSD staff members via Instant Messaging
    (coming soon: you'll be able to chat with anyone having a Windows Live! account)
  • Place and receive phone calls using your PC's audio, to both internal and external phone numbers
  • Place and receive video conference calls to small groups of people (1-3)
  • Conduct Live meetings (voice/video/desktop sharing with up to 30 people)
  • Arrange voice conference bridges through Outlook (a toolbar plugin required)

External callers can dial 457-6180 and speak the name of the OCS user they want to reach.

Unified Messaging (UM), works together with, but does not require OCS. It allows the user to:

  • set up a traditional voicemail box, using Exchange as the back end
  • Use the same 5-digit extension as OCS
  • Receive voice mail messages in Outlook

Users aren't required to use Outlook to access voicemail; it can be set up to work the "familiar" way through a phone only.

You can provision users for OCS, but not for UM, or vice versa. They are independent features.

To use these STS functions, just use the following STS commands:

  • enable ocs for "John Smith"
  • enable voicemail for "John Smith"
  • disable ocs for "John Smith"
  • disable voicemail for "John Smith"

OCS Use Cases

The scenarios we envision for people to use OCS at Fresno Unified are the following:

  • Use OCS only for Instant Messaging chats
  • Use OCS for PC-to-PC voice and video calls, but not for "traditional" phone calls
  • Us OCS as a secondary internal phone extension (with forwarding to cell phones or other numbers)
  • Use OCS as their primary phone extension, by forwarding a 'desk phone' directly to the OCS extension
  • Use OCS as the primary phone extension, with a USB-connected handset attached to their PC

About OCS extensions

We have set up a pool of 5-digit internal phone extensions in the range 50000 - 59999 for use with OCS. Certain blocks of this 10,000 number range are reserved for us to implement special calling features (50000-50010 and 59500-59999). When you enable OCS for a given user, the STS command does a table lookup against a SQL database to find the next available unused OCS extension. It uses a "gap filling" algorithm, so it will find any unassigned extensions that exist within the already assigned number range first, and thereafter start sequentially assigning extensions from the "top of the list". When you disable a user for OCS, the extension they were using will be "returned to the pool", with the result that the next person to be enabled for OCS will get that same extension. The philosophy for OCS extensions is that you would be assigned one when you start working for the district, and that you would keep that same extension throughout your career, even if you move between sites. Therefore, we don't anticipate a huge amount of "churn" where new people will get extensions that used to belong to someone else. Even so, the notion of a "phone number" is an anachronism that is slowly going away. If you use OCS to call someone internally, you find them by typing their name in a search box, or by speaking their name to an automated attendant. The importance of a "phone number" is therefore reduced; what is more important is the existence of a SIP address (it looks just like an email address, e.g. SIP:first.last@fresnounified.org . By making the SIP address the same as the email address, I can "call" someone just by knowing their email address, which I can deduce if I know just their first and last names.

Posted at 1:43 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

10/5/2009

Managed vs. Unmanaged Computers in the Classroom

There have been reports from certain schools that domain-joined student laptops experience long delays--six to 10 minutes or more--on startup. This article explains what is behind these delays, and what can be done to remedy the problem.

The principal difference between "domain joined" and "non-domain joined" computers is that the former are managed computers, whereas the latter are unmanaged. It is the fact that the affected student computers are managed -- not that they are domain joined -- that is the cause of the startup delays. The reason is that a managed computer in our environment is configured to do at least two things that an unmanaged computer is not: (1) download antivirus ("malware") updates, and perform malware scans; and (2) download Windows updates, and apply them. Both of these operations are extremely important in a large enterprise network such as FUSD's. Without performing the necessary updates and scans, computers will become riddled with malware which can degrade network performance across entire campuses, or even the District as a whole.

Before the era of mini-notes, desktop computers could be left on at night, set to enter "sleep mode" at night, or could be "awakened" over the network using a Wake-On-LAN signal sent from a server. In each case, the computers would be able to download updates and apply them, or perform antivirus scans, during off-peak hours. As a result, when students wanted to use these computers, they were already "primed" and ready to go.

With the mini-notes, there are two problems:

(1) The usage pattern in the classroom is completely different than it was with traditional PCs. In a computer lab environment, computers would typically be left on, and students would go to the lab to use computers that were already running. In today's mini-note computers-in-the-classroom environment, teachers tend to keep the laptops locked up in computer carts or cabinets until just before the students want to use them; and they are either configured to "power off" when the laptop lid is down, or else the teacher manually powers the laptops off before stowing them overnight.

(2) Mini notes lack "Wake-On-LAN" technology that could be used to wake them up at night for updates and antivirus scans, and they are also mostly wireless networked, which compounds the problem further--because wireless wake-on-LAN is still very rare.

The result of these two problems is that when a teacher takes the mini-notes out of storage and hands them to the students, with the expectation that students can just "turn them on and go", the computers are just beginning their update and scan sequences, and are sluggish to start up because CPU loads are high. This is to be expected, because managed computers need to perform updates and antivirus scans. Because the computers are shut down and stowed at the end of class, there is never a long-enough window of time during which the computers are both "awake" and "idle" for them to perform the necessary updates. Even if the Windows configuration is set to delay updates and scans so that they don't happen immediately on power up, there will still be a problem: if the machines are shut down before updates can be applied later on, Windows will eventually still schedule scans and updates for the next power up cycle, regardless of whether there should be a startup delay or not.

There are at least two solutions to this problem. First, teachers can be advised to either turn the computers fully on an hour before students arrive, or leave them on overnight or over the weekend. This can be done right now, and doing so would eliminate the startup problems. However, this solution consumes power unnecessarily.

Alternatively, I.T. can configure mini-notes NOT to power off when the lids are closed, but instead to go into "sleep" mode. As long as the mini-notes are being charged overnight, this poses no real problem, because they will charge fully whether they are in sleep mode or fully powered off. However, because there is no wake-on-LAN feature on either the HP 2133 or the ASUS Eeepc mini notes, they also will need to have "scheduled tasks" defined that will wake up the machines during off peak hours so that they can run updates and scans and then "go back to sleep". Some desktop PC's have "timers" in the BIOS that allow wakeups to occur at scheduled times, but alas, the mini-notes lack this feature as well. However, we have tested "wake the computer from sleep to perform this task" settings in Windows Scheduled Tasks, and fortunately, this does enable a mini-note to wake up from sleep mode.

Why didn't we do this initially? Well, setting power features was not possible through Active Directory Group Policy ("G.P."), until very recently. The reason is that it is considered a Windows "Preference", which was not formerly addressable through G.P. As a consequence, these settings would have had to be configured by hand. However, with Windows XP Service Pack 3, there is a now a tool called 'Group Policy Extensions' that allows the setting of "preferences" which were previously unreachable through group policy--including the behavior of the power buttons and lid settings. We have quietly been "pushing" this Group Policy Extensions update out via Windows Updates for several months, so the vast majority of mini-notes should be able to be controlled by it. It also required Server 2008 Active Directory services, which we deployed a few months ago.

The plan, therefore is as follows:

1.) Using Group Policy Extensions, force the mini-notes to enter sleep mode on lid closures or power button pushes (but "push and hold" will still force the power completely off.)

2.) Using standard Group Policy, push out a scheduled task that causes mini-notes to "wake up" randomly during a window of time each night.

3.) Once awakened, force the computer to perform windows updates, malware updates, and malware scans.

4.) When complete, send the computers "back to sleep."

With this change, the problem of computers being "unresponsive" right when students want to open them up and start using them will be a thing of the past. Furthermore, having the computers resume from "sleep" instead of booting into Windows from a cold start will dramatically speed up the start time. Both of these fixes will contribute to a much more positive classroom experience for both teachers and students.

Posted at 7:23 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

9/22/2009

What’s The Scoop with You-Tube?

Having problems reaching You-Tube from District computers? Here's a recent email that exchange that sheds light on the problem, including alternatives you can consider.

 

Patrick,

I apologize for the frustration you experienced.  The problem, however, is a bit complex.  Because FUSD receives almost 90% of the costs of providing Internet and communications services through the Federal E-rate program, we are required under Federal Law to have a content-filtering appliance in operation.   If we are found not to meet the stipulated filtering requirements, we risk losing the Federal funding, which amounts to several million dollars per year. 

Because of this requirement, we use an appliance called "Fortinet", which is a special device that performs Internet content filtering at the very high data rates used by the District (we have a one Gigabit/second connection to the Internet.)  Recently, there were changes made by Youtube itself to the way it secures its content for adult material.  We have been in contact with Fortinet working on a way to resolve the particular issue you are experiencing with YouTube.

Again, I apologize for the frustration, however we do offer other "pre-screened" streaming video sources with thousands of videos containing educational content (e.g. http://unitedstreaming.com, now owned by Discovery. ) If you would like more information on what else is available, please contact Patti Patrick in the Instructional Technology and Innovation group. 

 Eric Tilton, Manager, Networks and Engineering
 Information Technology Department, x50013
 Fresno Unified School District

------     

From: Patrick Casey
Sent: Tuesday, September 15, 2009 2:11 PM
To: contentfilter
Subject: Teacher us of youtube

To whom it may concern,

Can you please tell me why I have access to youtube, yet none of the videos can be accessed one on the site?  Youtube is a valuable teaching resource—with movie clips from Shakespeare productions, other literary works, poetry recitals, songs with thematic connections to literature.  It is ridiculous that these valuable resources, these enhancements to the curriculum and to achievement cannot be utilized by conscientious teachers.

I've written previously, and received no reply.  Please do not dumb down the smart classroom. 

Thank you for your time and consideration. 

Sincerely,

Patrick M. Casey
Hoover High
Language Arts Department

 

Posted at 4:14 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

9/13/2009

Password controls in AD
If you didn't cheat, you should have found this reference:
 
 
Which you can test, using Quest Active Directory Powershell commands, like this:
 
$mysettings = ( get-QADObject "eric tilton" -IncludedProperties UserAccountControl | %{$_.UserAccountControl} )
 
$mysettings = <make some change>
 
set-QADObject "eric tilton" -ObjectAttributes @{UserAccountControl = $mysettings }
Posted at 2:18 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

9/1/2009

Windows 7 Upgrade directions
To upgrade to Windows 7, follow these steps:
  1. Download the Windows 7 ISO file.
  2. Install the VirtualClone Drive utility. This will let you "mount" the Windows 7 ISO file as a virtual DVD drive.
  3. Right click on the ISO file and choose "Mount using VirtualClone Drive"
  4. Run the Windows 7 upgrade by clicking 'setup' on the virtual DVD drive (if it doesn't autostart.)
  5. after Windows 7 is installed, run the following two commands in a command prompt window using right-click 'Run As Administrator' to register your Windows 7 license and activate:

slmgr -skms termserv8.staff.fusd.local
slmgr -ato

Posted at 10:24 AM by Eric Tilton | Permalink | Email this Post | Comments (10)

6/22/2009

DHCP database corruption

The majority of the new DHCP scopes for wireless are flagged with errors. Expanding several of them one at a time reveals that the address pool attribute is blank (it should contain the range of addresses for the scope) and the default gateway Scope Option is missing.

Posted at 2:53 PM by Eric Tilton | Permalink | Email this Post | Comments (0)

6/12/2009

OCS R2 basics

Instructions for using the new Office Communicator R2 version

Download the new Office Communicator R2 from the IT page (there's a link at the bottom of the download area)

After Installing…

Change your sign-in address to first.last@fresnounified.org
Your username/password will still be STAFF\shortname, etc.
if you see any login prompts.

Change the Connection Options to use Automatic Configuration.
To get there, click the down arrow, and Tools-Options

Then click 'Advanced…' next to the sign-in address field (which should be first.last@fresnounified.org)
Select 'Automatic configuration' here.

To see what your 5-digit internal extension is, check your
Call forwarding settings—you'll see your number here.

Posted at 1:01 PM by Eric Tilton | Permalink | Email this Post | Comments (1)

4/21/2009

Posted at 7:47 PM by John G. Quinto | Permalink | Email this Post | Comments (0)
1 - 10 Next

 ‭(Hidden)‬ Admin Links