Phase 1: Remote Desktop and File-Sharing Applications
Security enhancements to the UW Network
The University is making important security enhancements to protect the UW network against an increasing number of malicious attacks that put personal and University data, devices and systems at risk. The following information was shared with the University of Washington and UW Medicine community about changes will affect people and groups that connect to UW resources from off-campus using a remote desktop or file-sharing application.
Changes to the UW network, beginning April 24, 2018
Starting on April 24, 2018, if you access UW resources from off-campus through a remote desktop or network file-sharing application, you will be required to first use the Husky OnNet VPN, a department/unit VPN, or UW Medicine secure virtual private network (VPN) service. A VPN is an application on your computer that establishes a secure connection to a network.
How to prepare for changes
If you are not currently using Husky OnNet, a department/unit VPN, or UW Medicine VPN, please see below for options.
Available VPN secure services include:
Current students, faculty, including emeriti, and staff can use Husky OnNet, a free service. Please review the information on this web page, and get the software.
Alumni and retirees can contact their unit or department's IT group to see if an UW department/unit VPN is available.
Departmental VPN: Contact your unit or department's IT group to see if they provide an UW department/unit VPN for your use.
College/Division/Department/Units: If you do not have a department VPN, a new for-fee Husky OnNet-Department service can provide secure access for retirees, alumni and other groups.
If you are connecting from on-campus (the Seattle campus and related facilities, UW Bothell, UW Tacoma and at UW Medicine facilities), you should not be impacted by this change.
Video about UW VPNs and how to use one:
Learn what a VPN is, your options, and how to use a VPN in this brief video. Visit UW-IT's YouTube channel for the audio described version of the video.
Not sure if you are connected to a UW network?
Use the Networks Portal tool from any computer you use to connect to UW resources to see if you are on a UW network, or see the Frequently Asked Questions section below for more information.
Examples of applications that require a VPN to connect include:
Remote desktop (but not the use of a Remote Desktop Gateway; see the Frequently Asked Questions section for more information)
Network file-sharing applications, such as those that allow you to transfer files to and from a UW-network-connected file server
Connections to devices on the UW Wi-Fi network, which includes any type of a wireless-connected device, such as printers, a remote camera, or a wireless-connected laptop
What's not changing?
These changes will not affect web-based UW resources and services, such as uw.edu web pages, Canvas, Google Drive or Office 365. It will also not affect access to Dropbox, peer-to-peer (P2P) or secure file transfer (FTP) programs. Access to UW Medicine resources via Citrix also will not be affected.
Why are these changes necessary?
In recent years, the number of malicious attacks on the UW network have increased substantially, presenting a serious security risk to the University. A large volume of this hostile traffic comes through specific network "channels" or "ports."
The most frequently attacked network ports are those related to file-sharing and remote desktop applications, and therefore, those will be blocked first. Other ports may be blocked in the future; you will be notified before any additional ports are blocked.
Blocking ports will reduce the security risks associated with the growing number of network-based vulnerabilities and the increased sophistication of network-based attacks against on-campus computers. Additionally, this action aligns UW with network security guidance and best practices and encourages everyone who uses the UW network to follow best practices for network and computer security.
These security enhancements are a common practice used by many large organizations, including numerous higher education institutions. They will apply to the entire UW network, including in Seattle and at UW Tacoma, UW Bothell and UW Medicine facilities.
See a list of network ports to be blocked on April 24, 2018.
UW college/division/department/unit
In advance of April 24, 2018, please take the following steps:
Assess the services and applications on the UW network that you make available to users.
Assess how authorized users currently access these services and applications to identify whether or not there will be an impact from these network changes.
If the use of a campus VPN is not feasible for your users, design and implement an alternative secure approach for systems and processes that currently use network ports that will be blocked. Options include:
Department/unit-managed VPN service: Some departments may choose to implement their own VPN service.
Husky OnNet - Department (HON-D) service: HON-D allows departments to establish their own authorized list of valid UW NetIDs using a departmentally managed UW Group. The department's service will have a unique set of IP addresses associated with it so that these addresses may be allowed, as required, through a department firewall.
Alternative port: Design and implement an alternative secure approach for systems and processes that currently use network ports that will be blocked. The affected unit will need to communicate to users about the alternative port.
UW-IT consultation: UW-IT's Port Blocking group members will work with UW groups to help advise on recommended solutions to systems/services affected by the blocked ports.
Exemptions Listing: Those who need more time to develop a solution can request a temporary exemption. This allows the group to keep their systems/services operational while alternative configurations/constructs can be designed and implemented to work around the blocked ports. See Exemptions below.
UW Medicine and clinical departments
Pulse Secure: Most users with AMC accounts will continue to be required to use Pulse Secure, the UW Medicine Remote Access SSL VPN service, to access UW Medicine network resources.
Critical services: UW Medicine IT Services is working with their IT staff to identify any critical patient services that rely on the affected ports.
UW Medicine IT Services consultation: UW Medicine IT Services will work with groups to help advise on recommended solutions to systems/services affected by the blocked ports. Please contact UW Medicine IT Services.
Alternative port: Design and implement an alternative secure approach for systems and processes that currently use network ports that will blocked. The impacted unit will need to communicate to users about the alternative port.
Exemptions Listing: Those who need more time to develop a solution can request a temporary exemption. This allows the group to keep their systems/services operational while alternative configurations/constructs can be designed and implemented to work around the blocked ports. UW Medicine will establish an approvals process for exemptions. See Exemptions below.
Exemptions
If alternative solutions are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT's Service Center at help@uw.edu with the subject line: "Network Port Blocking."
UW unit exemptions will require the approval of your unit's dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.
Frequently Asked Questions
What is a virtual private network (VPN)?
A VPN is an application on your computer that establishes a secure connection to a network. You must first connect to a UW department/unit VPN before accessing UW resources from off-campus with a remote desktop or file-sharing application. The UW offers a free VPN service for all current students, faculty and staff, called Husky OnNet. UW Medicine employees with AMC credentials should use the UW Medicine SSL VPN called Pulse Secure. Individual UW departments may offer additional VPN services.
What is a network file-sharing application?
A network file-sharing application allows you to access and transfer files to and from a remote location, such as files on a departmental or unit server. For example, you may be accessing an I: or H: drive where your department stores shared files. The drive letter may change, depending on configuration. Accessing that shared drive from an off-campus location will require the use of a UW VPN.
What is a remote desktop application?
A remote desktop application on your computer allows you to connect from one computer to another. For example, you may use a remote desktop application to connect from your laptop at home to your workstation on the UW network, and it will appear as if you are logged directly into your UW workstation. Windows computers call this a Remote Desktop Connection and Apple calls this Apple Remote Desktop or Virtual Network Computing (VNC).
How do I know if I'm using a Remote Desktop Connection vs a Remote Desktop Gateway?
Some UW departments offer a Remote Desktop Gateway. Users connect to it the same way they would via standard Remote Desktop Connection but there is an additional setting in the application that is configured to specify the Gateway server. If a Remote Desktop Gateway server is used, the use of a VPN may not be required. Check with your department to see if they offer a Remote Desktop Gateway and how to configure your computer for its use.
My college/division/department/unit operates a Microsoft RDP (MSRDP) Gateway server. If I connect via this gateway will I need an exemption?
No. Those connecting via a standard MSRDP Gateway server will not be affected and no exemption will be required.
My college/division/department/unit operates a Microsoft RDP (MSRDP) gateway server. Will this require an exemption?
Unlikely: In the standard installation and configuration, the MSRDP Gateway servers will not be impacted by the blocking of port 3389/tcp (native RDP) as it uses ports 443/tcp and 3391/udp.
Standard MSRDP Gateway server installation:
User on internet -> port 443/tcp -> MSRDP Gateway -> 3389/tcp -> user desktop on campus
The RDP port block will be implemented at the point where the MSRDP Gateway traffic is 443/tcp. Once the session has reached the gateway server and been converted to 3389/tcp, it's already past the block. The gateway effectively tunnels the traffic through the block. If you operate an MSRDP Gateway server, confirm that you're using the default ports for your installation, and if so, you will not need an exemption.
How do I know if I connect to the UW network from on-campus or off-campus?
Use the Network Portal tool
The Network Portal (networks.uw.edu) tool will report if you are connected to a UW-managed network on-campus or not.
To find out if you are on the UW network, follow these instructions:
If you are on-campus, then you will see "Your subnet is [ip subnet] on the uw network" displayed.
If you are off-campus, you will see "You do not appear to be connected to a network managed by the University of Washington" displayed.
Indicators you are off-campus
You are using a third party Internet Service Provider (e.g., Comcast, Centurylink, Wave, Verizon, etc.) to connect to the internet
Your network connection is via a third-party wireless service (e.g., at an airport, cafe, cell service provider, or other retail location)
Indicators you are on-campus
You are physically using a computer at one of these locations:
UW Seattle campus, including Health Sciences
UW Bothell campus
UW Tacoma campus
Various UW research facilities, offices, research stations and laboratories throughout the region
UW Medical Center (UWMC), including UW Medicine Neighborhood Clinics (UWMNC)
UW Medicine support facilities, for example the Consolidated Laundry, Northgate Call Center, and the IBM building
Harborview Medical Center (HMC), including the Ninth and Jefferson Building (NJB)
Northwest Hospital (NWH), including NWH clinics
Airlift NW
Will these changes affect how I access my UW email?
No. Whatever method you currently use to access your UW email should continue to work.
Will these changes affect my ability to access UW Library resources?
No. Whatever method you currently use to access UW Library resources (including restricted access resources for those who are eligible) should continue to work. For more information see UW Libraries Off-Campus Access information.
Will these changes affect my ability to access UW Medicine resources via Citrix?
No. Your access to UW Medicine resources via Citrix should not be affected.
How do I know if I should use the SSL VPN Pulse Secure?
Only people in UW Medicine with AMC credentials can use the SSL VPN Pulse Secure. Everyone else, including members of School of Medicine, should use Husky OnNet or a UW departmental VPN.
List of blocked ports
As of April 24, 2018, the following inbound ports are being blocked:
Port
Protocol
Reason for Block
135
137
138
139
445
NetBIOS
RPCMS-DS SMB
Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) services provide file sharing and related services over the network. These services are constantly under attack from off-campus, are frequently vulnerable to attacks, exploits and malware, and can expose confidential or restricted data when improperly configured.
3389
RDP
This is used for remote desktop connections to Windows computers. It is one of the most common ports used for "brute-force" or "dictionary" attacks (password guessing).
5900
VNC
This is used by the Virtual Network Computing (VNC) protocol, which is used for remote desktop connections to computers running a VNC client.
Get Help/Questions
If you need help or have any questions or concerns, please contact help@uw.edu with the subject line: "Network port blocking."