Windows Enterprise Domain
Desktop User Support


Logging into a Windows Enterprise System

Many Windows public labs and departmental staff systems are currently members of the Iowa State University "Windows Enterprise Domain". On these systems you must supply your ISU "NetID" and password to login to the Windows desktop. If you have an option as to which domain you login to, select the "iastate" domain (the only one your ISU NetID is valid in).

Your particular NetID will work PROVIDED you have changed your ISU NetID password since April 20, 2000. The act of changing your password propagates your NetID into the Windows account database. From that point on your NetID and password will be valid to login to a Windows Enterprise system. If you have not changed your password recently, use the Acropolis Secure Web to do so (login, select the "Manage User " option and then the "Change your Password" function). If you have never gotten an ISU NetID, you can go to Acropolis Secure Web and click the "Register" button. If you have forgotten your ISU NetID username and/or password you can get help at the AIT "Solutions Center" (195 Durham).

Windows Desktop System Domain Membership

The Windows Enterprise structure has been in production since April 2000. Many departments have converted their old Windows NT 4 domains into "Organizational Units" within the "iastate.edu" Windows Enterprise Domain. Once the conversion is done, an ISU NetID can be used to login to any Windows desktop that is a member of the Windows Enterprise Domain. A list of departments currently using this technique is available in the Current Departmental Organizational Units document.

You cannot place a Windows desktop system into the "iastate.edu" Windows Enterprise Domain yourself. Administrative action is required. In general this is being done by departmental IT Windows managers who have worked with AIT to create an "Organizational Unit" ("OU") and chosen to move their systems to Windows Enterprise Domain structure.

Is Your System A Member?

You can tell if your Windows desktop system is a member of the "iastate.edu" enterprise domain by right-clicking the "My Computer" icon on your desktop and selecting "Properties". Click the "Network Identification" tab on the "System Properties" window. If the "Domain" is "iastate.edu" your system is a member of the Windows Enterprise structure. Talk to your departmental Windows admin for more information on how your system is managed within your department.

If you can see benefits to becoming a member of the Windows Enterprise Domain structure, talk to your departmental Windows administrator. Windows Enterprise Domain membership is available to any ISU college, department or operating unit. If your departmental IT admin is unaware of the Windows Enterprise Domain you might want to point them to the Windows Enterprise IT Administrator Support page for more information. Regular meetings for departmental Windows administrators are being held where they can get more information.

Active Directory User Attributes

Several pieces of information associated with your username in Windows Active Directory are "mastered" from official university sources. To change this information (your proper name, your department, etc.) you must change the mastering source. For ISU NetIDs this may be the Registrar's Office, Human Resources, or Payroll (depending on whether you are a student or a staff member). Some usernames are departmental "exception accounts" and are mastered differently. For more information, refer to the Master Directory Sources document.

Windows Security

It is critical that any Windows system be updated with the latest service packs and patches and also be running anti-virus software that is updated with virus definitions DAILY. There are several proactive measures implemented at the enterprise level (such as mail virus scanning for mail passing through enterprise mail servers and certain ports being blocked at the campus borders). However, by the nature of our open environment and wide variety of systems that connect via insecure means to off-campus systems (or on-campus people with dubious spare-time activities) you must assume every system is vulnerable to attack from within or without our campus borders. There are several things you should be aware of and are encouraged to do.

  • To reduce off-campus Windows account hacking, selected Windows authentication and remote procedure call (RPC) ports are blocked at the campus borders. These blocks became effective November 18, 2003. A "Virtual Private Network" (VPN) connection will be necessary to use off-campus Windows authentication for file and print sharing after this date. See Port Blocking at the Campus Border for more information.

  • Anti-virus software for clients and servers is available under a campus-wide site-license for university-owned systems (Microsoft Forefront Endpoint Protection). Non-university-owned systems can select from a number of freeware and commercial anti-virus packages. Microsoft's Security Essentials is one recommendation.

  • It is recommended that any Windows system be at the current Service Pack.

  • Use the "Windows Update" feature (on the "Start" menu) to make sure you have all "Critical" updates installed on your system.

  • It is important to apply any security hotfixes in addition to the current Service Pack. Use the following site provided by Microsoft to see what is needed for each product you are running:

    Microsoft Security Hotfix List

    Example: Supply "Windows 8 for x64-based Systems" for the "Product:" field. You will see all security hotfixes which should be applied. Be sure to get the hotfix list for each Microsoft product from the list that you are running on your system.

    REVIEW the description of each hotfix before you apply it. Some hotfixes have been superseded by others in the list. Always apply hotfixes so they can be backed off as necessary should they create a problem with your server.

    Another good tool to use is the Microsoft Baseline Security Analyzer. This product provides a scan of your system (or a remote system that you have administrative rights on) for many security issues, including missing security hotfixes, poor passwords, open file shares, etc. Make sure you run this tool with "administrative" rights on the system being scanned!

If you do not follow recommended security guidelines, your system will eventually become infected. When this happens, the network traffic from the infection will soon be detected and traced back to your system. Internet access for your system will then be blocked at the campus border. When this happens you will see the "Red Screen of Internet Death" until you disinfect your system and request it to be un-blocked.
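The checks recommended in this section and under "Is Your System A Member?" can also be run from a PowerShell prompt. The script below is an added example, not part of the original ITS page; it assumes Windows PowerShell 3.0 or later, uses Get-MpComputerStatus only where the Windows Defender module is present, and the 35-day patch threshold is an assumed value, not an ITS policy.

```powershell
# Added example: local audit of the checks this page recommends.
$ExpectedDomain   = 'iastate.edu'  # domain name given on this page
$MaxSignatureDays = 1              # page: virus definitions updated DAILY
$MaxPatchDays     = 35             # assumption: roughly one monthly patch cycle

function Test-DomainMembership {
    # Same information as the "Network Identification" tab.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check  = 'Domain membership'
        Value  = $cs.Domain
        Passed = ($cs.PartOfDomain -and $cs.Domain -ieq $ExpectedDomain)
    }
}

function Test-PatchRecency {
    # InstalledOn can be empty for some updates; skip those entries.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        Check  = 'Most recent hotfix'
        Value  = if ($latest) { "$($latest.HotFixID), $age days ago" } else { 'none found' }
        Passed = ($null -ne $age -and $age -le $MaxPatchDays)
    }
}

function Test-AntivirusSignatures {
    # Other anti-virus products must be checked in their own console.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Check = 'AV signatures'; Value = 'Defender module not present'; Passed = $false
        }
    }
    $mp  = Get-MpComputerStatus
    $age = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days  # whole days
    [pscustomobject]@{
        Check  = 'AV signatures'
        Value  = "enabled=$($mp.AntivirusEnabled), updated $age days ago"
        Passed = ($mp.AntivirusEnabled -and $age -le $MaxSignatureDays)
    }
}

@(Test-DomainMembership; Test-PatchRecency; Test-AntivirusSignatures) |
    Format-Table -AutoSize
```

A row with Passed = False points to the item to follow up on; a recent hotfix date does not prove that every required hotfix is installed, so the Microsoft hotfix list and Baseline Security Analyzer checks above still apply.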

Windows Vista Activation (KMS and MAK Keys)

Windows Vista requires software activation to continue to function. Information on Windows Vista software activation can be found on the ITS web page Microsoft Vista at Iowa State University. In general, systems that are not permanently "on campus" (or cannot connect regularly and reliably via VPN) should never use the KMS key-activation method. You should always get a permanent "MAK" key for these systems. Laptops are always "prime candidates" for "MAK" keys. Another case is "isolated labs" or instrumentation systems that have no network connections.

Windows Software

A variety of software products are recommended and supported by ITS. Several software products are site-licensed and are provided at no cost for users with valid ISU NetIDs. Most site-licensed software is now being distributed from an SMB-compliant file server. To locate and install the available software, navigate to the following location from an Active Directory-joined computer:

\\software.iastate.edu\software

Refer to the IT Handbook for complete details on the campus repository.

Last updated August 27, 2015