Archive for the ‘Windows’ Category

Access to Windows Remote Desktop blocked from outside ETH

Tuesday, January 3rd, 2017

In the last few weeks we discovered some attempted attacks on the Windows Remote Desktop feature from sources outside of ETH.

In order to protect both your machines and our network, we decided to block RDP access from ETH-external networks. If you still need access from outside the ETH network (e.g. from home) you have to first open a VPN connection to ETH and then start the Remote Desktop client.

More information about installing the VPN client is available here.

Windows Server 2003 reaches its End-of-Life on July 2015

Thursday, June 25th, 2015

Microsoft will provide a final bunch of patches for Windows Server 2003 on July 14th. 2015. After then, no more security and stability fixes are going to be released. This means that still running Windows Server 2003 machines conflict with the ETH Bot (Acceptable Use Policy for Telematics) which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETHZ continuously inspects the network streams for signatures of XP and Windows Server 2003 computers. If you have a running Windows Server 2003 machine connected to the public network, please migrate the operating system to a newer version i.e Windows Server 2012.

If you have any questions or need help please do not hesitate to contact the ISG D-PHYS Helpdesk

Maintenance downtime for group share and home directory fileservers

Friday, December 19th, 2014

UPDATE 13:30 – Groupdata is back online
UPDATE 02:25 – Astrogate and Windata are back online, except groupdata
UPDATE 22:20 – Home server is back online and email working again

In order to upgrade the operating system on serveral servers, we schedule a maintenance downtime on

Sunday, 4th January 2015, starting at 22:00.

Schedule:

  • 22:15 start working on the home server (mail services disabled, incoming mail will be queued)
  • 22:20 start working on the group share servers (windata & astrogate)
  • ~ 22:45 home directories and mail services should work again
  • ~ 00:00 group shares will incrementally come back during the night
  • During the downtime you can access readonly backups of your data of the night before, take a look at our readme.

    We apologize in advance for any inconvenience this service interruption might cause.

    Computer support during christmas holidays

    Friday, December 19th, 2014

    The ETH Zurich will be officially closed between Wednesday, 24th of December 2014 and Sunday, 4th of January 2015. During this time, we can only provide limited support. Please follow these rules to save us from superfluous work:

    • Switch off printers
    • Switch off your personal workstation and notebook except for the following:
    • Do not switch off our managed Linux workstations.

    We will try to follow our e-mail, but you may also have luck and meet some of us in our IRC channel.

    How to keep your Windows XP Installations living on after End-of-Life

    Friday, February 7th, 2014

    As announced in an earlier post last year, Microsoft is going to end the support for Windows XP in April 2014.logo

    After this date the central network security group of the ETH will frequently scan our public networks to identify any existing Windows XP machines. Every Windows XP detected by such a scan will be disabled on the network level since it is strictly prohibited to keep this operating system up and running on the public network of ETH.

    Since we are aware that there may be Windows XP machines living on after the end-of-life date, we worked out a solution to support these situations and to help you not to get in conflict with the network usage regulations.

    We founded a project called eXile which provides very locked down network environments that are monitored by advanced security techniques and provide excessive firewall setups. Furthermore eXile provides easy interfaces for you to manage your computers and overview the security state and network access to your machines in eXile.

    You can send your machines to the eXile when they match one of the following scenarios:

    • Lab computers (controlling, collecting measure data, or monitoring other systems)
    • Industrial computers
    • Embedded systems

    The following applications are not suitable for eXile and need to be migrated to a supported operating system:

    • Office Computers
    • Computers on which internet access needs to be available
    • Computers on which emails are received and sent
    • Computers that provide any services to public computers in the internet

    Please note that eXile should not be seen as an excuse not to migrate your Windows XP to a supported operating system as soon as possible. The purpose of eXile is really only to address those few machines that are somehow locked to their operating system.

    Nevertheless we invented eXile to address the Windows XP end-of-live problem, it is capable to take up any other computer for which you want to have an extra level of security or on which you run any other outdated or insecure operating system.

    If you think your remaining Windows XP computers are candidates to send to eXile, we would be happy if you could send a message to isg@phys.ethz.ch  and inform us about the number of computers and what application you are using these computers for. Later this month a web interface will be made available on https://exile.phys.ethz.ch/ where you can directly register every machine you want to send to eXile.

    After eXile is fully online, another post will be submitted here.

    Computer support during christmas holidays

    Monday, December 23rd, 2013

    The ETH Zurich will be officially closed between Tuesday, 24th of December 2013 and Friday, 3rd of January 2014. During this time, we can only provide limited support. Please follow these rules to save us from superfluous work:

    • Switch off printers
    • Switch off your personal workstation and notebook except for the following:
    • Do not switch off our managed Linux workstations.

    We will try to follow our e-mail, but you may also have luck and meet some of us in our IRC channel.

    End of Life: Windows XP

    Tuesday, July 16th, 2013

    Microsoft will end the extended support cycle for Windows XP on April 8, 2014. This means that after this date no more security patches or maintenance updates will be released by Microsoft. For all practical purposes, Windows XP will be dead after this date.

    We at the Physics Department are going to face some problems when XP reaches its end of life:

    • Our client computer network is directly exposed to the Internet, thus we depend on a continuous availability of operating system patches. Furthermore we are bound to ETH’s Acceptable Use Policy for Telematics Resources (BOT), which orders every system owner to install OS upgrades to avoid security issues. Since for Windows XP no more security patches will be available after April 9, 2014, from then on it is not possible to fulfill the BOT requirements and to ensure overall system security. Running Windows XP connected to the ETH network will become a security issue after the April 8, 2014 and will not be tolerated by ETH’s network security.
    • A network scan unveiled several dozen Windows XP machines still connected to our client computer network. One reason may be that measurement instrument controller software still depends on that version of Windows. Also old hardware might be in use which does not run well with a newer operating system.

    Regarding these facts, we would like to ask you to start analyzing your Windows XP machines and the dependencies and reasons of the existence of this operating system. The following points provide some steps and hints about the process to eliminate or upgrade current Windows XP machines.

    • Check whether there are Windows XP machines still in use in your computer ecosystem and analyze whether a software or hardware component really depends on this version of Windows.
    • In case your Windows XP installation is needed to control specific lab equipment and you are locked to this OS version, please check with the manufacturer of the equipment whether new software or drivers are available or a hardware upgrade allows to migrate this Windows XP computer to a newer version of Windows.
    • If an upgrade to a newer Windows release generates extra cost, now would be a good time to spend this money to keep your systems and equipment up to date and to have a stable environment without running into IT security concerns in the near future.
    • Please draw up any possible cost to the 2014 budget so new hardware/software can be ordered prior to the end of life date of Windows XP and the system can be upgraded in advance.
    • If you face a situation in which it is not possible to upgrade to a higher version of Windows for technical or financial reasons, please contact us. We can help you analyze your specific situation and can try to find particular solutions to isolate your Windows XP installation from the network or maybe find a way to upgrade to a higher OS release.

    You are welcome to contact us in any case of questions or concerns relating the Windows XP end of life topic. We can provide help to migrate away from Windows XP as swift as possible so you can keep your systems secure and stable.

    Please note that after April 8, 2014, Windows XP will not be tolerated on the ETH network and we will be required to enforce this rule.

    Computer support during christmas holidays

    Thursday, December 20th, 2012

    The ETH Zurich will be officially closed between Monday, 24th of December 2012 and Monday, 2nd of January 2013. During this time, we can only provide limited support. Please follow these rules to save us from superfluous work:

    • Switch off printers
    • Switch off your personal workstation and notebook except for the following:
    • Do not switch off our managed Linux workstations.

    We will try to follow our e-mail, but you may also have luck and meet some of us in our IRC channel.

    Sophos Antivirus False Positives ‘Shh/Updater-B’

    Wednesday, September 19th, 2012

    Sophos Anti-Virus may tell you that a virus named ‘Shh/Updater-B’ has been detected on your Windows computer. Please ignore this alert messages! Sophos accidentially sent out a bad virus defintion database last night which causes the virus scanner to detect the above mentioned virus in several legitimate programs on your system. We take action to update Sophos with a fresh and functional database. Thanks for your patience.

    Update 10:20 21-09.2012: Sophos aknowledged the problem and issued new definition update to solve the false postive detection problem. ISG D-PHYS managed Windows machines are no more affected by this iusse. If you still encounter problems on your self-managed Windows machines running Sophos refer to the following knowledge base article which may be a good entry point to find help:

    http://www.sophos.com/en-us/support/knowledgebase/118311.aspx

    Migration of Home Directories

    Thursday, December 22nd, 2011

    In order to gain more flexibility and performance, the home directories will move to our new SAN setup.

    This will be done on Thursday, 5. January 2012, between 18:00 and 22:00.

    During this time the home directories (winhome, machome, unixhome), the mail services and some websites will not be available.

    To protect you from losing or corrupting any of your files, we strongly recommend you close all open files on the home directories before the migration.

    Since we have switched to generic names for our services, the home directories will still be accessible the same way as before after the migration is over, so you don’t have to change anything.

    Update, Jan 10: We experience some unexpected and dubious problems with 32bit binaries (and therefore, 32bit machines). The symptoms range from not being able to log in (GNOME and KDE) to acroread and mathematica not starting. Workarounds while we’re working on a solution: for failing logins, please call us. For acroread, use evince instead. For mathematica, log in to a 64bit machine, eg. login.phys, and start it remotely.

    Update, 21:25: The migration is finished and everything should work again! In case of problems please contact the ISG Helpdesk (3 26 68)