To verify the domain, you will require the following:
A copy of the SSL verification script.
The verification code for the domain (contact Mark Whitman to obtain this).
Login to the RDS as a domain administrator.
On the RDS, download the SSL verification script to C:\SSL Certificates and run it as administrator.
Press any key to continue > paste the verification code into the command prompt window.
Once the script has closed, please send the following:
To: mark.whitman@intermit.co.uk
Subject: SSL Verification Code
Hi Mark,
The SSL verification code has been put in place at the following school.
School Name:
Thank you!
A recovery email should be set for your intermit@ account. Complete the following to set this up:
1. Open https://mysignins.microsoft.com/security-info and login as intermit@.
2. If there is already an Email method using recovery@intermit.co.uk, please stop here.
3. Select Add method > select Email from the dropdown > Add > enter recovery@intermit.co.uk > Next.
4. Message either Justin or Mark Whitman via Hangouts to receive the code > enter the code > Next.
Important: Users such as admin@ or head@ may have this role. Please confirm with the school if they wish to continue to share these rights. If they do, MFA must be set up for these accounts.
You can check which users have this role by completing the following:
1. Open the Office 365 Active Users page (https://admin.microsoft.com/Adminportal/Home#/users) and login as intermit@.
2. Select Filter > Global Admins > tick a user that needs to have the role removed > Manage Roles > select User (no admin center access) > Save changes > repeat this step for each user that needs to be removed.
3. Still in the Active Users list > tick any unused global admin accounts (e.g. mailadmin@, mailadmin2@, hfladmin@) > Edit sign-in status > tick Block users from signing in > Save changes.
4. Select Filter > User Admins > tick a user that needs to have the role removed > Manage Roles > select User (no admin center access) > Save changes > repeat this step for each user that needs to be removed.
Please change the password of your intermit@ Office 365 account to the SystemAdmin password above by navigating to https://account.activedirectory.windowsazure.com/ChangePassword.aspx
Important: You must ensure that recovery@intermit.co.uk has been added as a recovery email address prior to enabling MFA, otherwise you may become locked out of the domain! Check your recovery email here.
If you have MFA already configured, you will need to remove both the phone number and authenticator until you get the More information required screen.
1. Open https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx and login as intermit@.
2. Select the Service Settings tab > under Verification Options ensure that at least Verification code from mobile app or hardware token is ticked.
3. Select the Users tab > select the search icon and search for intermit > tick the user > select Enable > Enable multi-factor authentication.
4. Open https://admin.microsoft.com and login as intermit@.
5. Select Next to add more information > select I want to use a different authenticator app > Next > select Can't scan image? > scan the QR code into your authenticator app.
6. Send the Secret Key to Justin or Mark on Google Chat including:
School Name:
Secret Key:
Email account (if it's not intermit@):
7. Next > enter the code > Next > enter the App Password as IntermAuth > Finish.
Call 0800 032 6417 > select option 2 > select option 5.
RM Broadband (Essex)
217.181.20.0/20
RM Broadband (Hertfordshire)
217.180.32.0/22
217.181.36.0/22
185.192.228.0/22
62.171.224.0/22
A recovery email should be set for your intermit@ account. Complete the following to set this up:
1. Open https://myaccount.google.com/security and login as intermit@.
2. Under Recovery email, if recovery@intermit.co.uk already exists, please stop here.
3. Select Add an email address > enter recovery@intermit.co.uk > Next.
4. Message either Justin or Mark Whitman via Google Chat to receive the code > enter the code > Verify.
Important: You must ensure that recovery@intermit.co.uk has been added as a recovery email address prior to enabling MFA, otherwise you may become locked out of the domain!
1. Open https://myaccount.google.com/security and login as intermit@.
2. Check the Recovery phone number is set to a number that you recognise.
3. Select Recovery phone > Add recovery phone > enter your mobile number > Next > Get code > enter code > Verify.
4. Select 2-Step Verification > Get started > Next > enter your SMS verification code > Next > Turn on.
5. Select Authenticator app > Set up authenticator > scan the QR code into your authenticator app > Can't scan it.
6. Send the code to Justin or Mark on Google Chat including:
School Name:
Secret Key:
Email account (if it's not intermit@):
7. Next > Next > enter the code > Verify.
Please complete the following process to enable geo-blocking for a school's RDS. These instructions are applicable to RM direct and HfL Broadband schools, as they utilise the FortiGate firewall required for this change.
Send the following to the Head Teacher / SBM to request authorisation:
Following on from recent DfE emails regarding educational establishments being targeted for ransomware attacks, we would like to put a block in place to prevent access to your remote access server from anywhere outside of the UK.
Almost all attacks on remote desktop servers originate from countries outside of the UK, so putting this block in place will greatly aid in minimising the risk of your data being compromised via this method.
A downside to consider would be that any legitimate attempts to access the remote desktop server from abroad would no longer work. For example, a teacher on holiday in France would not be able to log on to the server. However, countries can be whitelisted if notice is given in advance.
Please let me know if you are happy to proceed with this change and we will implement the change.
Navigate to RM Support Issue Diagnostics
Select Internet Services Change Request > Non Standard Changes > Non Standard Changes
Select Any other Non-Standard Change > Next
Select your school from the list (if it is not present, leave Interm IT (UK) selected).
Copy the following into the change requirement box:
Issue Summary: Geo-blocking for RDS
Issue Description:
Please can you apply geoblocking within the FortiGate firewall for access to this IP address for all countries apart from the UK. This is for <SchoolName>, <Postcode>, <RM ID>. Thank you!
Source IP Address: UK IPs only
Destination IP address: <Internal RDS IP Address>
Ports: TCP/443 (HTTPS)
Select Submit.
Applying geoblocking to schools with HfL Broadband
Please send the following email to Mark Whitman:
To: mark.whitman@intermit.co.uk
Subject: Firewall Request for <School Name> <3-digit school number>
Dear HfL,
Please can you apply geoblocking within the FortiGate firewall for access to this IP address for all countries apart from the UK.
Source IP Address: UK IPs only
Destination IP address: <Internal RDS IP Address>
Ports: TCP/443 (HTTPS)
Thank you!
The following change prevents any user in the Administrators group from logging into VMs using Remote Desktop, with the exception of the Domain Administrator. This helps protect against external brute-force attacks on administrator accounts, which are not subject to the standard password lockout policy and may have shorter (weaker) passwords.
Log on to each server as Domain Administrator, open Local Group Policy (gpedit.msc) and navigate to the following:
Local Computer Policy > Computer Config > Windows Settings > Security Settings > Local Policy > User Rights Assignment > Allow log on through Remote Desktop Services
Remove all entries and add:
For K9 Schools
<Domain>\Administrator
<Domain>\HfLAdmin (for Admin servers)
<Domain>\K9 RDS (only include this on K9Server-RDS)
For CC4 Schools
<Domain>\Administrator
<Domain>\XXX CC4 Access (only include this on the CC4 Access server - XXX is your 3 letter site code)
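To confirm the user right was set correctly on every server, the effective policy can be exported with secedit /export /cfg <file> and compared with the list above. The Python script below is an added example (not part of this runbook) that parses the [Privilege Rights] section of such an export and reports principals that should not hold Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight) as well as expected ones that are missing. The sample export text is constructed, SCHOOL stands in for the school's domain, and the expected list is the K9 RDS server entry from above.

```python
# Constructed sample in the layout of a `secedit /export` file (not from a real server).
# secedit writes SIDs with a leading '*'; built-in groups appear as well-known SIDs.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,SCHOOL\\Administrator
SeDenyNetworkLogonRight = *S-1-5-7
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs that commonly appear in this right and should be removed per the runbook.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# Expected entries for a K9 RDS server, with SCHOOL as the placeholder domain.
EXPECTED_K9_RDS = ["SCHOOL\\Administrator", "SCHOOL\\K9 RDS"]


def parse_privilege_rights(text):
    """Return {privilege_name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, value = line.split("=", 1)
        principals = []
        for item in value.split(","):
            item = item.strip().lstrip("*")  # drop secedit's SID marker
            if item:
                principals.append(WELL_KNOWN.get(item, item))
        rights[name.strip()] = principals
    return rights


def audit_rds_logon_right(text, expected):
    """Compare SeRemoteInteractiveLogonRight against `expected`.

    Returns (unexpected, missing): principals present that should not be, and
    expected principals that are absent. Both empty means the server matches.
    """
    actual = set(parse_privilege_rights(text).get("SeRemoteInteractiveLogonRight", []))
    wanted = set(expected)
    return sorted(actual - wanted), sorted(wanted - actual)


if __name__ == "__main__":
    unexpected, missing = audit_rds_logon_right(SAMPLE_EXPORT, EXPECTED_K9_RDS)
    print("should be removed:", unexpected)
    print("still to add:", missing)
```

On the constructed export the audit reports BUILTIN\Administrators and BUILTIN\Remote Desktop Users as entries to remove and SCHOOL\K9 RDS as still to be added, which is exactly the gap the gpedit.msc steps above close.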
Block RDS IP from logging onto Synology.
Create iSCSI targets with CHAP authentication.
Login to the Synology > iSCSI Manager > Targets > select each target > Action > Edit > Enable CHAP
Name: IntermAdmin
Password: 1n...!!
K9Server > iSCSI Initiator > select target > Disconnect > remove all connections to the Synology > Connect > Advanced > tick Enable CHAP log on > Name: IntermAdmin > Target secret: 1n...!! > OK
Note: If you cannot disconnect the iSCSI drive due to "The session cannot be logged out since a device on that session is currently being used", login to the Synology > iSCSI Manager > Target > select the affected target > Action > Disable > Yes > Action > Enable
Create new admin account on Synology - IntermAdmin / 1n...! and disable default Admin account.
If the school uses Arbor, please follow the instructions below to prevent emails going to junk after turning on DMARC.
To: dmarc.request@arbor-education.com
Subject: DMARC Request
Dear Arbor,
Please can I request confirmation of whether the school's DNS entries for DMARC have already been verified. If not, please could you provide the required DNS entries for the following school.
Your Name: Your Name
Your Email: @intermit.co.uk
IT Manager / Support Name: Your Name
IT Manager / Support Email: @intermit.co.uk
Your Domain(s): school.sch.uk
Once you receive an email from Arbor with the required DNS records, send an email using the template below to the DNS provider:
HfL Broadband: ifladmin@rm.com
Schools Broadband: ifladmin@rm.com
RM Broadband: ifladmin@rm.com
Interm IT: mark.whitman@intermit.co.uk
To: <Select an email address from above>
Subject: DNS Change Request
Dear <DNS provider>,
Please would you be able to process the following DNS records as per the table below for:
<School Name> <RM Customer No. OR Postcode>
Thank you!
Type   Host                           Value
CNAME  XXXXXX.school.sch.uk           uXXXXXX.wlXXX.sendgrid.net
CNAME  s1._domainkey.school.sch.uk    sX.domainkey.uXXXXXX.wlXXX.sendgrid.net
CNAME  s2._domainkey.school.sch.uk    sX.domainkey.uXXXXXX.wlXXX.sendgrid.net
TXT    _dmarc.school.sch.uk           v=DMARC1; p=none;
Please note: Some DNS providers automatically append your domain name onto the end of the CNAME record. Please be aware of this and note that the HOST records above are the full location of where we would expect to find the CNAME record.
There is also a TXT record provided above for a DMARC entry. If you do not currently have one, please do add this on to your DNS zone as some email providers will require this beginning in February 2024. If you do already have a DMARC entry, you do not need to change it for the suggested entry above.
Once you receive confirmation from the DNS registrar that the DNS records have been configured, reply to the email sent by Arbor in step 2.
Subject: DMARC Request
Dear Arbor,
I've received confirmation from the DNS registrar that the DNS records are now in place for you to verify.
Thank you!
Below are instructions on how to test SPF, DKIM and DMARC. The screenshots below show confirmation that action is required.
Navigate to https://mxtoolbox.com/SuperTool.aspx?action=spf:
Enter the school’s domain, e.g. school.sch.uk
The box that appears should be green and show the following:
v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:223.165.113.0/24 ip4:223.165.115.0/24 ip4:223.165.118.0/23 ip4:223.165.120.0/23 ip4:159.183.204.6/32 ip4:50.31.43.182/32 include:outlook.com ~all
Note: For schools using Google Workspace for email, the end of the entry should instead read include:_spf.google.com ~all
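The SPF check above and the DMARC TXT record in the DNS change template can both be sanity-checked without a lookup tool once the record text is in hand. The Python script below is an added example, not part of this runbook or of MXToolbox: it parses an SPF record into its mechanisms, tests whether a sending address is covered by one of the record's own ip4 ranges, checks that the include expected for the school's mail platform (outlook.com or _spf.google.com) is present, and parses a DMARC record for its version and policy. The SPF text is the record quoted above, the DMARC text is the template entry, and the test addresses are constructed.

```python
import ipaddress

# The SPF record the runbook says MXToolbox should show for a Microsoft 365 school,
# and the DMARC TXT value from the DNS change template above.
SPF_RECORD = (
    "v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 "
    "ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 "
    "ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:223.165.113.0/24 "
    "ip4:223.165.115.0/24 ip4:223.165.118.0/23 ip4:223.165.120.0/23 "
    "ip4:159.183.204.6/32 ip4:50.31.43.182/32 include:outlook.com ~all"
)
DMARC_RECORD = "v=DMARC1; p=none;"

# Include expected at the end of the record for each platform named in the runbook.
PLATFORM_INCLUDE = {"microsoft": "outlook.com", "google": "_spf.google.com"}

# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split an SPF TXT value into ip4 networks, includes, the 'all' qualifier and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = {"ip4": [], "include": [], "all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        value = term[len(name) + 1:]  # text after ':' or '=' (empty for bare terms)
        if name in LOOKUP_TERMS:
            parsed["lookups"] += 1
        if name == "ip4":
            parsed["ip4"].append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            parsed["include"].append(value)
        elif name == "all":
            parsed["all"] = qualifier
    return parsed


def spf_ip_allowed(record, ip):
    """True if ip matches one of the record's own ip4 mechanisms (includes are not expanded)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_spf(record)["ip4"])


def check_spf(record, platform):
    """Findings for the record against the runbook's expectation for the given platform."""
    try:
        spf = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    expected = PLATFORM_INCLUDE[platform]
    if expected not in spf["include"]:
        findings.append(f"missing include:{expected} for {platform}")
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    elif spf["all"] == "+":
        findings.append("'+all' allows any host to send as this domain")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Findings for a DMARC TXT value: version, policy presence, and monitoring-only policy."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v= tag (must be DMARC1)")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    print("SPF (Microsoft 365):", check_spf(SPF_RECORD, "microsoft") or "ok")
    print("SPF (Google Workspace):", check_spf(SPF_RECORD, "google") or "ok")
    print("DMARC:", check_dmarc(DMARC_RECORD) or "ok")
```

The template's v=DMARC1; p=none; entry is the minimal monitoring policy, so check_dmarc reports it as monitoring-only and without an rua address; that is expected when a school is just getting a DMARC record in place, and the findings indicate what to tighten later.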
Navigate to https://mxtoolbox.com/SuperTool.aspx?action=dkim:
Enter in the format <schooldomain>:selector1, e.g. school.sch.uk:selector1
If the DKIM record is not found, obtain the required details by:
Navigating to https://security.microsoft.com/authentication?viewid=DKIM
Login with the school’s intermit@ email.
Select the school's email domain from the list. For example - school.sch.uk
Copy and keep this information for later.