May 9, 2013
Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems. UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy). UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.
Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.
The information in this guidance statement applies to all constituents internal to UAB.
We recommend that systems running legacy, unsupported operating systems should not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.
Unsupported legacy operating systems:
- Windows XP after April 8, 2014
- Mac OS X Family
  - Mac OS 9.x
  - OS X 10.5 (Leopard)
  - OS X 10.4 (Tiger)
  - OS X 10.3 (Panther)
  - OS X 10.2 (Jaguar)
- Ubuntu 11.10 after May 9, 2013
- Ubuntu 11.04 and prior
- Ubuntu 10.04.4 LTS
- Debian 5.0 (lenny)
- Debian 4.0 (etch)
- Debian 3.1 (sarge)
- Debian 3.0 (woody)
- Other Unix OS
  - AIX prior to 6.1
  - Solaris prior to 9 (SunOS 5.9)
Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.
UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.
BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the meantime, BitLocker should be installed using the non-enterprise setup method below.
Non-Enterprise BitLocker Setup
Recommendations for using BitLocker
- Set a password on the system BIOS
- TPM chip in the device
- You must take ownership of the TPM chip
- Before updating the BIOS, BitLocker must be suspended
- Escrow the key in some manner
- Professional/enterprise version of Windows
- Use a TPM + PIN authentication method
- System must be formatted NTFS with two volumes
Escrowing the key
With Windows 8, you may escrow the key in one of the following ways:
- Save the recovery key to a USB flash drive: This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
- Save the recovery key to a file: This method saves the recovery key to a network drive or other location.
- Print the recovery key: This method prints the recovery key, but it is not recommended.
It will be up to the department to maintain the escrow recovery keys.
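A read-only check of a Windows 8 device against the BitLocker recommendations above, as an added example that is not UAB IT's own tooling. It assumes an elevated PowerShell session with the built-in TrustedPlatformModule, Storage and BitLocker modules of Windows 8, and that the operating system volume is the one named in `$env:SystemDrive`.

```powershell
# Added example: audits the local machine against the BitLocker recommendations
# listed above. Read-only; run from an elevated PowerShell prompt.
# It cannot verify the BIOS password, the two-volume layout, or where the
# recovery key was escrowed; those still need a manual check.

$drive  = $env:SystemDrive            # assumption: OS volume, e.g. "C:"
$checks = [ordered]@{}

# BitLocker requires a Professional/Enterprise edition of Windows.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['Professional/Enterprise edition'] = $os.Caption -match 'Pro|Enterprise'

# A TPM chip must be present and ownership must have been taken.
$tpm = Get-Tpm
$checks['TPM present'] = $tpm.TpmPresent
$checks['TPM owned']   = $tpm.TpmOwned

# The system volume must be formatted NTFS.
$vol = Get-Volume -DriveLetter $drive.TrimEnd(':')
$checks['System volume is NTFS'] = $vol.FileSystem -eq 'NTFS'

# BitLocker state and key protectors on the OS volume.
$blv   = Get-BitLockerVolume -MountPoint $drive
$types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$checks['Volume fully encrypted']              = $blv.VolumeStatus -eq 'FullyEncrypted'
$checks['Protection on (not left suspended)']  = $blv.ProtectionStatus -eq 'On'
$checks['TPM + PIN protector configured']      = $types -contains 'TpmPin'
$checks['Recovery password exists to escrow']  = $types -contains 'RecoveryPassword'

# Report each item; REVIEW means the recommendation is not met or not verifiable.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'REVIEW' })
}
```

The script never reads or prints the recovery password itself, so its output can be attached to a ticket. A "Protection on" result of REVIEW after a BIOS update usually means BitLocker was suspended for the update and not resumed.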
• OSX 10.8 and Java 1.7.0_13
UAB IT’s minimum recommendations for versions of Mac browsers and Java have changed as UAB systems have improved functionality that is compatible with the current version of Java. UAB IT recommends installation of Mac OSX 10.8 and Java 1.7.0_13. Apple operating systems will not run any version lower than Java 1.7.0_13.
UAB IT is also recommending using two different browsers — one for surfing the Web and one just for accessing UAB systems. For Internet Web browsing, use one of the following: Firefox with Java disabled, Safari, or Chrome. For working with just UAB systems, choose a different browser and enable Java to work in it. If you run into compatibility issues with the local browser and UAB IT systems, use the IT terminal servers to access UAB resources via RDP client. For more information, contact AskIT.
• Upgrade to Windows 7
A large-scale project is underway to upgrade all university-owned computers on the UAB campus to Windows 7 by April 8, 2014. At that time, Microsoft will cease its support for Windows XP, which has been the operating system primarily used by UAB computers in recent years. As a result of Microsoft no longer supporting this operating system, XP computers will no longer receive security updates. This creates a greater chance of XP computers being infected by viruses or compromised by malware.
This leaves one budget cycle to accomplish funding of this project. Upgrading to Windows 7 for any system needing network connectivity should be completed by April 2014.
• Install IE 9 and the most recently released version of JAVA
We are updating our minimum recommendations for versions of Internet Explorer and Java as UAB systems have improved functionality to support newer browsers and the currently secure version of Java. Internet Explorer 9 and Java (latest release) are recommended for installation on Windows 7 systems.
• Windows 8 not currently recommended for use
As XP fades away, Microsoft has rolled out its newest operating system, Windows 8. The transition from XP has prompted some users to ask why IT doesn’t upgrade to Windows 8 instead of Windows 7. The answer is that Windows 8 is currently not recommended for widespread use in the UAB environment due to the following reasons:
- Currently, not all of UAB’s business systems support Internet Explorer 10, the minimum version of IE used by Windows 8.
- Windows 8 introduces management changes that IT is not yet ready to address.
- Windows 8 is best used on hardware that is specifically made for Windows 8, such as touchscreen displays or touchpads. Other than the touchscreen/touchpad functionality, Windows 8 possesses similar functionality to Windows 7 from an end user’s point of view.
- PGP (UAB’s approved laptop encryption tool) is not supported on Windows 8 laptops. A recommended alternative is Microsoft’s BitLocker product. (See BitLocker with Windows 8 for more information.)
Based on the availability of new operating system versions and browser versions, UAB IT has updated its recommendations for both Windows and Mac versions/systems. In addition, with the release of Windows 8, PGP (UAB’s encryption tool for portable/laptop devices) is not currently supported. UAB IT is recommending Microsoft’s BitLocker product for encrypting Windows 8 devices.
To find your MAC address in Windows, do the following:
- Click on Start > Run
- Type "cmd" in the Run box and hit OK.
- At the command prompt type "ipconfig /all"
- You should see a screen similar to the one below
The first highlighted Physical Address shows your Ethernet MAC address. The second shows your Wireless MAC address.
To locate your Ethernet and Wireless MAC addresses on Mac OS X, do the following:
- Click Apple > System Preferences > Network
- With the AirPort device selected, click the Advanced button in the bottom right of the Network box.
- Your Wireless MAC address is under the AirPort tab as AirPort ID. It should be a mix of letters, numbers, and colons, something like the following: AirPort ID: 00:1d:4f:1b:5c:fa
- Your Ethernet MAC address is located under the Ethernet Device Advanced section. Cancel out of the Advanced section of your AirPort device, and select the Ethernet device along the left-hand side of the Network box. Click the Advanced button in the bottom right. In the Advanced section, click on the Ethernet tab at the top. Your Ethernet ID (e.g., 00:13:6b:a8:a2:d5) will be listed there.
PGP Whole Disk Encryption software (or FileVault for Macs) is designed to provide an additional layer of security for your data. Encryption is required for laptops used for UAB Business, and it is highly recommended for desktops in theft-prone areas. PGP software essentially "locks down" your hard drive, making the data accessible only to you and those you authorize. The disk encryption, in conjunction with logon and screensaver passwords, protects UAB data if the computer is lost or stolen.
- Encrypting with Mac OS X FileVault 10.7 (Lion)
- Encrypting with Mac OS X FileVault 10.6 or Below
- PGP Whole Disk Encryption: Windows Installation Instructions
- PGP Whole Disk Encryption: Mac OS Installation Instructions
- Linux Encrypted File System: Fedora
- Linux Encrypted File System: Ubuntu
- Linux Encrypted File System: Ubuntu (advanced configuration)
- Microsoft BitLocker on Windows 8
Additional PGP Documentation:
- PGP Client License Troubleshooting
- Adding and Removing Users in PGP Desktop
- Portable Drives
- Virtual Disks
- Zip Encrypted Archives
- Reporting Issues
- Drive Recovery
- PGP Guide for Campus Administrators
- Windows XP Preinstallation Environment (PE) for PGP Whole Disk Encryption
- Devices Incompatible with PGP