Tech Forum

(I apologize in advance if these questions are answered somewhere else- I'm still familiarizing myself with these forum, and haven't searched them all yet).

After meeting with our Stake Clerk and 2nd Counselor in the Stake Presidency to discuss meetinghouse internet access (hence the post here ), some questions arose that I present here.

1) How often is the OS on ward computers patched for security? I'm guessing it's not very often, probably on the order of when new updates to the Desktop are made. It seems to me there are lots of hooks and mods made to the OS in order for MLS to run- I realized this when I tried to create additional OS administrator accounts last fall. Do these modifications impact regular Windows security updates, or in other words, once our clerks aren't limited to dialup, I'm nervous about these machines having I.P. addresses w/o OS patches, and I'm equally nervous about applying patches if they're going to mess up the OS (how's that for a run-on sentance?).

2) As we move into the I.P. realm, what are the considerations/recommendations for spyware and anti-virus usage? Will this be incorporated into Desktop, or will that be up to the STS? If the STS doesn't do this, and an infection takes place, how much trouble will the STS be in? Even if the STS does this, and an infection takes place, how much trouble will the STS be in? With both the local unit and the Church?

3) Let's say, for the sake of argument, that the information being sent between the clerk's workstation and the router is eavesdropped on (image a creative group of youth with an affinity for technology). The workstation isn't compromised, just the connection between the workstation and the router (harder with a wired setup, but possible). If this eavesdropping is detected, what procedures does one follow? Does each member have to be sent a 'Check your credit history' letter because their information may have been compromised?

I'm comparing my STS experience with my occupational concerns (systems analyst at a public university), which has inspired these questions. If they are non-issues, let me know. If not, where can I find the answers? Help me Obi-Wan (read: fellow forum readers), you're not my only hope, but you are my most convienient option.

Yours in I.P.

The Church's Clerk and Technology Support page will have most of these "official" answers.

The Church's security suite software (at the MLS software download site) will solve your virus/malware needs.

The unanswered questions are best left for Church Headquarters (CHQ).

dtaylor26 wrote:1) How often is the OS on ward computers patched for security? I'm guessing it's not very often, probably on the order of when new updates to the Desktop are made. It seems to me there are lots of hooks and mods made to the OS in order for MLS to run- I realized this when I tried to create additional OS administrator accounts last fall. Do these modifications impact regular Windows security updates, or in other words, once our clerks aren't limited to dialup, I'm nervous about these machines having I.P. addresses w/o OS patches, and I'm equally nervous about applying patches if they're going to mess up the OS (how's that for a run-on sentance?).

All Church computers connected to the Internet are required to have Desktop 5.5 installed. Desktop 5.5 controls OS updates, so you shouldn't have to worry about this. From the Desktop 5.5 instructions:

Now that Local Unit Computer Desktop Version 5.5 is installed, Windows security patches, new virus definitions, and other updates can be received from the administration office through the data transmission process in MLS. Updates will be made available as needed, but it is important to use the Send/Receive Changes feature weekly and apply all updates promptly to make sure the computer is always protected as fully as possible. (Updates may increase transmission times.)

Also, the Church-supplied firewall will hide actual machine IP addresses from the Internet, so your risks of a wide variety of attacks will be tremendously reduced.

As for your issues with creating additional OS administrator accounts: It is true that Desktop 5.5 sets many aspects of the computer's security policy. But you should be able (and are required by policy) to create at least one additional Windows administrator account on each computer. If you are having problems with that, post your questions on this forum and we'll try to help, or call Clerk Support.

dtaylor26 wrote:2) As we move into the I.P. realm, what are the considerations/recommendations for spyware and anti-virus usage? Will this be incorporated into Desktop, or will that be up to the STS? If the STS doesn't do this, and an infection takes place, how much trouble will the STS be in? Even if the STS does this, and an infection takes place, how much trouble will the STS be in? With both the local unit and the Church?

The Desktop 5.5 includes Symantec anti-virus software. It's more than a recommendation -- it's required by policy. The Desktop 5.5 instructions give what I consider to be conflicting instructions regarding virus definition updates:

• Settings for computer security, antivirus software, and so on, are managed from the administration office during MLS transmissions. For this reason, no changes should ever be made to the Symantec products installed on the computer except for updating the virus definitions as they are received from the administration office.
• Because virus definitions can become outdated despite the best of efforts, the Member Services Support Group asks that you update the Symantec AntiVirus software manually once a quarter to ensure effective virus protection.

I have not noticed any updated anti-virus definitions being downloaded through Desktop 5.5, even though the above instructions say they will be. And if updates were being downloaded regularly, why would we have to update them manually? In any case, the only updates that happen (for machines in my stake) are when I do the manual updates. So I do those at least once a quarter, and sometimes more often.

We're typically not in the business of talking about "how much trouble" someone will be in for certain actions (or inactions). But it is certainly advisable (by that gentle word I mean "required") to follow the official instructions I posted above. If you do that, I think you can be confident that you have done your part, and if some virus slips through Symantec, the solution mandated by the Church, I don't see why you should be blamed.

dtaylor26 wrote:3) Let's say, for the sake of argument, that the information being sent between the clerk's workstation and the router is eavesdropped on (imagine a creative group of youth with an affinity for technology). The workstation isn't compromised, just the connection between the workstation and the router (harder with a wired setup, but possible). If this eavesdropping is detected, what procedures does one follow? Does each member have to be sent a 'Check your credit history' letter because their information may have been compromised?

I don't know of any policy on this. It's a serious question, and a good one, but I would seek guidance from Clerk Support if that were to happen. In the meantime, our best course of action is to use our very best efforts to keep the risk of eavesdropping as low as possible by following security practices that are in accordance with industry standards and Church policy.

dtaylor26 wrote:3) Let's say, for the sake of argument, that the information being sent between the clerk's workstation and the router is eavesdropped on (image a creative group of youth with an affinity for technology). The workstation isn't compromised, just the connection between the workstation and the router (harder with a wired setup, but possible). If this eavesdropping is detected, what procedures does one follow? Does each member have to be sent a 'Check your credit history' letter because their information may have been compromised?

It would seem to me, if the traffic were encrypted from workstation to destination, much of the eavesdropping, wireless or hardwired, issue goes away. In other words, any traffic carrying confidential information such as MLS. Worrying about any other allowed traffic seems moot, comparitively speaking.

Being new to the STS position but with several years of tech experience, I am still working at getting my geek hat to fit properly and spin the propeller in the proper direction for this calling. So, the quesiton is, would SSL be a practical consideration under the current methods in this example?