Interestingly enough, especially after my recent rant about the timing of SP2 for Windows XP and my long-time rants about simple services Microsoft could provide to help out universities, it looks like Microsoft has finally listened. I heard through the grapevine that Microsoft is going to help Stanford out in the coming weeks as we prepare for fall student arrival by pressing SP2 CDs for us to distribute to RCCs and other technical support staff. (There’s even talk that they’ll make these CDs available for free to plain ol’ folk at brick and mortar locations.) We also have access to a CD image (that I’m downloading right now) if we want to burn our own CDs as well. The way in which SP2 is distributed over CD is tightly controlled – as is usually the case with anything from MegaCorp – and it unfortunately reduces our ability to also distribute a little configuration tool (< 500 KB) that will open up certain ports and change IE settings, addressing the inevitable issues that will come up specifically for Stanford users. Hopefully, we'll be able to distribute this little tool on our Essential Stanford Software CD that goes out to new students (if the CD hasn't already gone to press yet), but here's the amusing user support scenario that we came up with:
An incoming junior gets a new computer right around the end of August. Because most computer vendors aren’t installing SP2 yet on their drive images, his computer doesn’t have SP2 installed. But the student comes back to school and moves onto campus around September 26th and hooks his computer up to the network. Among other reasons, because he’s living off of the “free” electricity and high speed network available to him for only $10 per month, he leaves his computer on and connected to the network all the time. Now, hopefully, he’ll have automatic updates turned on or he’ll have listened to his RCC’s recommendations to install the latest OS patches or he’ll have installed Stanford’s new BigFix client to help with keeping his computer up-to-date. So, his computer gets SP2 pretty soon after he gets onto campus and he gets to, theoretically, take advantage of all the new security features that SP2 provides.
However, once SP2 is installed and the firewall is turned on, there are certain things that don’t work. Specifically, certain ports are blocked, so now he can’t log on using PC-Leland, Stanford’s desktop application that allows Kerberos single sign-on. Well, this is kind of annoying because most likely, he’s already configured his email client to use PC-Leland for accessing his Stanford email account, so his email probably doesn’t work now. Also, every time he tries to access anything on the Web behind Stanford WebAuth, including signing up for classes, accessing Coursework (Stanford’s course management system), etc., he has to login via the authentication page on the Web. But the problem is that there’s a known caching problem with the WebAuth page and if his browser’s not checking for new content every time he visits a page, he’ll go into an endless loop after authenticating and never be able to actually get to the page he was trying to access.
But no worries. He walks down the hallway and tells his RCC about his problem. The RCC is a little overwhelmed with beginning of the year computer problems or doesn’t want to confuse his not necessarily tech-savvy resident with complicated directions on how to open up ports, so he tells him to run the little SP2 configuration tool that has been put out by Stanford. Well, he’s not a new student, so he didn’t get a copy of this year’s CD, so he’ll have to go download the tool off of the Web site. Oh, but wait, that Web site is behind WebAuth, so he’ll run into the same caching problem. Okay, well, then the RCC will take some time out to help him fix that and then finally he’ll be able to get the configuration tool, get the right ports open, and get going.
A possible addendum to this scenario: if this student had installed the BigFix client when he got onto campus, at the recommendation of ITSS, he might have gotten SP2 pushed out to him through this system rather than Automatic Update (since it’s not clear how quickly someone would get SP2 pushed out to them over AU even with constant high speed network connectivity). But the second SP2 is successfully installed, BigFix would not work thereafter since the port it uses to push out patches is now blocked with the firewall. So, BigFix was able to push out SP2, but if there are new vulnerabilities and additional critical updates (which there most certainly will be), BigFix will not be able to push those out. We’ll have to hope that the student will be able to open up the correct ports soon or have Automatic Update running so that he can get his computer patched. Ironically, BigFix could end up shooting itself in the foot – an issue outside of the major concerns we had about this new system.
Of course, many of the user support issues here are not all the fault of Microsoft or even Stanford and in the end, a large OS upgrade like this will cause user support issues no matter what (although let’s not even get into the weird conflicts SP2 causes with popular antivirus software). And in the end, I give credit to Microsoft for actually listening to the one suggestion we gave them last year after RPC Hell – to give us resources to easily put critical patches and updates onto a CD and get users patched without having to put them on the network. I have to say, after over a year of constant struggles with security, privacy, and copyright, this little victory is both surprising and welcome.