CELS Systems Newsletter – Q1 2024
Hi, everyone! It’s been too long since I sent one of these out, and there’s a lot to cover here, so I’m going to try to make it easy for everyone to get the info they need and find the parts they’re most interested in. I mean, it’s all very important and you should read every word and reflect on it next time you meditate, but let’s be real. This newsletter is almost entirely focused on recent and upcoming changes in various lab policies.
Topics covered in this newsletter:
- Argonne VPN changes (if you never use the VPN, feel free to skip this.)
- Proofpoint and email addresses (this is definitely worth a read)
- Upcoming changes to how you can access Office 365 and Outlook (if you read your Argonne mail from your phone, this is important)
- Protecting Controlled Unclassified Information (a good refresher)
- Laptop security, travel approval, and you (do you take an Argonne computer offsite? Read on.)
VPN Changes
In last November’s Town Hall, I mentioned some upcoming changes regarding the VPN, and I want to do a bit more of a deep dive on it here. The most important takeaway is that effective April 1, 2024, only Argonne-owned and managed computers will be able to connect to the VPN. DOE has required Argonne to limit which devices are able to access internal networks, and when you connect to the VPN, that puts the device you’re using smack-dab onto a trusted internal network. If you’re a VPN user, you already know that the software you can use to connect has been limited to the Cisco Secure Client (with the necessary add-ons); that requirement became effective in December.
Anyone connecting with the new client will notice a security posture check as part of connecting. Right now that check is in report-only mode: it records non-compliance but does not deny connections. Whenever you connect to the VPN from a computer that does not pass the requirements check, it gets noted, and I get a weekly tally of who is connecting from a non-compliant computer. When you show up on my report, I let you know what needs to happen for the computer to be compliant.
One requirement for compliance is having CrowdStrike installed and running on your machine. Argonne’s licensing does not cover installing CrowdStrike on equipment that Argonne does not own. So, as you’ve probably surmised by now, equipment not owned by Argonne will not pass the requirements check. Come April 1, anything that does not pass the check will be denied a connection, which means only Argonne-owned equipment with CrowdStrike installed will be able to connect.
If your work requires you to be able to use the VPN from a non-compliant computer, please reach out to us at [email protected] and we’ll work with you to find a solution. We’ve got a handy guide here that gives a number of options that allow you to get what you need done without using a VPN at all. I’ve helped a few people with this, and it’s surprising the things people think they need a VPN for that they don’t. Things like My Argonne, Dayforce, Workday, Concur, and Outlook Web Mail do not require a VPN, nor does Dash.
Proofpoint and email addresses
As previously announced, Argonne has started using Proofpoint to identify mail coming into Argonne from outside the organization. It does a fabulous job of making you aware the mail is from an outsider. The other IT admins and I have had this on our mailboxes for some time now, and it has generally been problem free. It also rewrites URLs in the email so that inadvertent clicks get an extra layer of validation. I’ll still encourage you not to rely on that entirely; use your head (you work at Argonne, you’re smart, use it to your advantage!).
We’re working with BIS to see how we can stop it from rewriting links in mailing list messages; that is a work in progress. But whatever fix we come up with for that will not prevent this from happening if you’re not using an @anl.gov address.
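If you want to see where a rewritten link actually points before you click it (or when a mailing-list link arrives mangled), the rewriting is reversible. The following is an added example, not part of this newsletter and not Proofpoint’s code: a small Python decoder for URL Defense v2 links, whose `u` parameter carries the original URL percent-encoded with `%` written as `-` and `/` written as `_`. The sample message and its tracking parameter values are constructed for illustration; v1 and v3 links use different encodings and are rejected rather than guessed at.

```python
"""Decode Proofpoint URL Defense v2 links back to their original URLs.

Added example; not Proofpoint's code.  A v2 link has the form

    https://urldefense.proofpoint.com/v2/url?u=<encoded>&d=...&c=...&r=...&m=...&s=...&e=

where <encoded> is the original URL, percent-encoded, with '%' written as '-'
and '/' written as '_'.  The tracking parameters (d, c, r, m, s, e) are not
needed to recover the URL.  v1 and v3 links use different encodings and are
rejected here with ValueError.
"""
import re
from urllib.parse import unquote, urlsplit

URLDEFENSE_HOST = "urldefense.proofpoint.com"

# Matches a v2 link embedded in free text; stops at whitespace or common
# delimiters that mail clients wrap links in.
_V2_LINK_RE = re.compile(r"https://urldefense\.proofpoint\.com/v2/url\?[^\s<>\"')\]]+")


def decode_urldefense_v2(rewritten: str) -> str:
    """Return the original URL from a v2 link; raise ValueError for anything else."""
    parts = urlsplit(rewritten)
    if parts.netloc.lower() != URLDEFENSE_HOST or parts.path != "/v2/url":
        raise ValueError(f"not a URL Defense v2 link: {rewritten}")

    # Split the query by hand so the 'u' value is not percent-decoded or
    # '+'-translated by parse_qs before we undo the v2 substitutions.
    encoded = None
    for field in parts.query.split("&"):
        if field.startswith("u="):
            encoded = field[2:]
            break
    if not encoded:
        raise ValueError(f"v2 link has no 'u' parameter: {rewritten}")

    # Undo the substitutions, then percent-decode.  The two replacements are
    # independent ('-' never appears in the output of the '_' replacement and
    # vice versa), so their order does not matter.
    return unquote(encoded.replace("_", "/").replace("-", "%"))


def decode_links_in_text(text: str) -> list[tuple[str, str]]:
    """Find every v2 link in a message body and pair it with its decoded URL."""
    return [(m, decode_urldefense_v2(m)) for m in _V2_LINK_RE.findall(text)]


# Constructed sample: a mailing-list footer as it might look after rewriting.
# The tracking parameter values (d, c, r, m, s) are placeholders, not real data.
SAMPLE_MESSAGE = """\
To unsubscribe visit
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.example.org_mailman_listinfo_cels-2Dusers&d=DwMFaQ&c=c0&r=r0&m=m0&s=s0&e=
or see the archive at
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.example.org_archive-3Fyear-3D2024-26q-3Dvpn&d=DwMFaQ&c=c0&r=r0&m=m0&s=s0&e=
"""

if __name__ == "__main__":
    for rewritten, original in decode_links_in_text(SAMPLE_MESSAGE):
        print(f"{original}\n  <- {rewritten[:60]}...")
```

Running the file prints the real destination of each link in the sample footer. Note that the tracking parameters carry no part of the destination, so a link can be decoded offline without visiting Proofpoint; that is also the point of the `u`-only parsing, which avoids having the query parser mangle the encoded value.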
We have a lot of legacy email addresses that are still actively being used. When I say legacy, I mean the old [email protected] or [email protected] addresses we used to use when we ran our own mail servers. We haven’t given out those addresses for users in many years, as the official policy on email addresses is to use the @anl.gov address.
If you have one of the old legacy addresses as your active official address I’m going to be reaching out to you about making that right. Your legacy address (if you have one) will always work for receiving mail, but with the regulations coming down on secure email signing, things get messy when these addresses are tied to your official identity and are being used for outbound mail. We’ll have individual discussions about it, but I wanted to plant the seed that if you haven’t already started using your anl.gov address as your official address, you need to start thinking about it.
Mail and Office 365 from personal devices
We’ve become aware of a directive from DOE that requires tighter controls on Argonne-owned data. There is a concern that business sensitive data (CUI is the term du jour) is being improperly handled by being stored on things other than Government Furnished Equipment (GFE). Your Argonne laptop is GFE. Your personal computer or mobile phone is not. Argonne has been tasked with implementing a strategy that prevents this.
The final implementation of how to do that is still in flight. As we know more, I will pass on the relevant information to you, but at the very least I expect that before the summer, the list of email clients allowed to access Argonne’s Office 365 will be limited to specific programs that are able to enforce the necessary controls. At the moment, I expect that Outlook Web will continue to be an option, and the official Microsoft Outlook client will continue to be supported for Android and iOS. There may be more: BIS is investigating the apps currently authorized to access Outlook, and those that can implement the necessary controls should be allowed.
This is very much a work in progress, but I wanted to give a heads up, as I’m sure rumors are floating around. If you want to ask me “will <your favorite program> be authorized?” my answer right now is I don’t know. I suspect there will be more options on the Android side of things than iOS, but that’s just my hunch as a nerd about these sorts of things.
Speaking of CUI
It’s always useful to remind everyone that protecting Controlled Unclassified Information (CUI) is one of your basic job functions as a smart Argonne employee! There’s annual training about this, and you can take a refresher whenever you want, but I want to highlight specific applications and services we use in CELS where sensitive data is not allowed. Our ability to use Slack, Overleaf, and other cloud services is predicated on our not using them for CUI: all the conversations, data, and other documents in them must stay strictly in the FISMA Low category.
If you’ve got doubts about where to classify something, you can reach out to us at [email protected], Argonne Cyber at [email protected], or ask your supervisor.
Laptop Security, including travel and telecommuting
The rules around mobile devices (specifically laptops) regarding how they need to be configured, what you can use them for, and where you can use them have all been undergoing some updating over the past year. I want to take a minute to highlight some specific changes you may have noticed or will soon run into.
Every laptop is required to be running the minimum security software suite and configuration laid out here. Every time an ANL-4 (property pass) is generated, it goes through me for approval, and part of that approval is ensuring it meets those requirements. If it doesn’t have the right configuration, the ANL-4 may not get approved. For the real policy wonks, here is a link to LMS-PROC-244 (pdf). Cyber has denied telecommuting requests when the laptop in question is not up to par, and we have no ability to override that. All work for Argonne while on international travel must be done on Argonne-owned equipment; you cannot use your personal or university-owned computer.
If you have a laptop fully managed by either CELS Systems or BIS, your machine is up to speed. If it’s not (and the vast majority of researcher laptops are not), I’m asking you to take a moment and go over those requirements to ensure you’re up to spec. I really don’t want anyone blindsided by these requirements before some last-minute travel, or unable to secure a loaner laptop in time.
So far, in CELS alone, these endpoint protection tools have allowed us to lock down and erase a stolen laptop, quickly identify three incidents of compromised computers, find one compromised user account, and discover a misconfigured user-installed web application that was mistakenly exposed to the internet and allowed any username/password combination to log in and use it. These tools are working, and in fact outperforming the old McAfee endpoint protection we had been using. And to be clear, none of these tools give any of us any insight into your computer beyond very basic info. If anyone has concerns about what sort of insights this gives us, reach out to me. I’ll set up a Teams or Slack call and show you exactly what we can see. I’m all about transparency, and I’d never advocate for anything I wasn’t running on my own equipment.
In closing
That’s all we’ll cover for this one. As noted above, I (or someone on the team) will be reaching out to you if there’s a specific issue that needs addressing. As I noted in the November IT town hall, the theme of this year is security, and we’re making some great progress in that area. Thanks for helping that happen!
Have yourself a dandy rest of this weirdly warm February, and here’s to a lovely spring!