US Air Force to Migrate 776,000 Users to Microsoft Office 365

I may be naive here, but how are they going to install 776,000 copies onto their computers at once? Or do they have to do this one system at a time (still doable, but that could take years)?

Build a package in SCCM and hit go.
 
I may be naive here, but how are they going to install 776,000 copies onto their computers at once? Or do they have to do this one system at a time (still doable, but that could take years)?

Are you not familiar with what Microsoft 365 is? It is an online cloud service, they would just need a web browser. Also the DoD regularly mass pushes updates, programs, etc onto systems and it is far larger than 776,000.
 
News Flash, their email is already going through the internet... So cloud or no cloud, you have the same data going over the internet anyway.



Second News Flash, most of the people in charge of securing that e-mail, network traffic, and internet access points are contractors.



Third News Flash, communications are already dependent on contractors.

And just on another note, so far all the cloud services that have been used with the DoD have had a number of restrictions and obligations agreed upon by the company providing the services. DoD has already been using AWS for a while, they also have contracts with Google Cloud and have been in business with Microsoft for a long time. All of them have to comply with most of the same STIGs, RMF, and other IA compliance issues that other programs deal with. If they do not, they are not allowed on the network.

NIPR is encrypted from base to base, and the boundaries to the internet are heavily guarded. Yes, we use commercial circuits for transport, but that’s why everything is bulk encrypted on the transport side. NIPR traffic and emails aren’t passing through in the clear on the internet at large. Your comment is just so far off.

The difference now is that all the exchange accounts and data will be passed to Microsoft servers/infrastructure. Sure, it’ll be encrypted, but it’s being passed to a domain the DOD doesn’t control.

And no, most of the people doing secure aren’t contractors.
 
NIPR is encrypted from base to base, and the boundary to the internet is heavily guarded.

Actually not exactly. And just because something is encrypted, doesn't mean it is not vulnerable. Also with 365, you will still have the same encryption being used. So I fail to see the difference there.

The difference now is that all the exchange accounts and data will be passed to Microsoft servers/infrastructure. Sure, it’ll be encrypted, but it’s being passed to a domain the DOD doesn’t control.

How do you know the DoD does not control that domain? Have you seen where the servers are located? The DoD controls most of their AWS assets.

And no, most of the people doing secure aren’t contractors.

Lol okay. Who do you think provides the encryption and communication channels technology? Who controls the comm lines? Who engineers the solutions? Who writes all the processes being used? And who is in the watch room? Because I can tell you, that is all contractors.
 
Actually not exactly. And just because something is encrypted, doesn't mean it is not vulnerable. Also with 365, you will still have the same encryption being used. So I fail to see the difference there.



How do you know the DoD does not control that domain? Have you seen where the servers are located? The DoD controls most of their AWS assets.



Lol okay. Who do you think provides the encryption and communication channels technology? Who controls the comm lines? Who engineers the solutions? Who writes all the processes being used? And who is in the watch room? Because I can tell you, that is all contractors.

You’re so far off that I won’t bother.
 
Is it just me or does it concern anyone else here that no one seems to realize that Office 365 is also installed locally on the computer? You know, Office 2016 or whatever version is out at that point.

I've had a great experience with O365 here. It is installed locally. We've had a few activation issues (install is 'deactivated' for certain reasons, goes into reduced functionality mode), but nothing else. It's fast, it's stable, it works great.

For secure or absolutely mission critical stuff, I'm sure they'll have a different option. For day to day stuff, which most of it isn't top secret or things that are absolutely critical to the safety of our country, it's a good idea. It works great. Less admin overhead.
 
NIPR is encrypted from base to base, and the boundaries to the internet are heavily guarded.

The difference now is that all the exchange accounts and data will be passed to Microsoft servers/infrastructure. Sure, it’ll be encrypted, but it’s being passed to a domain the DOD doesn’t control.

And no, most of the people doing secure aren’t contractors.
You’re so far off that I won’t bother.
I was going to reply to his post but when he said most of the people doing security aren't contractors I tuned out. Not worth bothering.
 
I was going to reply to his post but when he said most of the people doing security aren't contractors I tuned out. Not worth bothering.

I think you mean to say, that I said most of the people securing the connections are contractors. Or are you suggesting that only military personnel engineer the solutions. Only military personnel develop the tactics to install the solutions. Only military personnel are the ones that install the solutions. Only military personnel are the ones that support the solutions. Only military personnel are the ones that monitor the comm lines. Only military personnel are the ones that monitor the traffic. Only military personnel are the ones that write the search algorithms to alert on. Only military personnel are the ones that configure the firewalls, routers, and rules to secure the network. Is that what you are suggesting?
 
I think you mean to say, that I said most of the people securing the connections are contractors. Or are you suggesting that only military personnel engineer the solutions. Only military personnel develop the tactics to install the solutions. Only military personnel are the ones that install the solutions. Only military personnel are the ones that support the solutions. Only military personnel are the ones that monitor the comm lines. Only military personnel are the ones that monitor the traffic. Only military personnel are the ones that write the search algorithms to alert on. Only military personnel are the ones that configure the firewalls, routers, and rules to secure the network. Is that what you are suggesting?
I'm saying the opposite, there are more contractors than military personnel, I used to be one, I know.
 
I think you mean to say, that I said most of the people securing the connections are contractors. Or are you suggesting that only military personnel engineer the solutions. Only military personnel develop the tactics to install the solutions. Only military personnel are the ones that install the solutions. Only military personnel are the ones that support the solutions. Only military personnel are the ones that monitor the comm lines. Only military personnel are the ones that monitor the traffic. Only military personnel are the ones that write the search algorithms to alert on. Only military personnel are the ones that configure the firewalls, routers, and rules to secure the network. Is that what you are suggesting?

There are a fuck ton of contractors, but that’s not what I’m talking about.
 
It's actually a lot more than just that. It means you have less servers to run things like Exchange, Lync, Federated Services, etc and less admins needed to manage it. Aside from just servers, your security compliance requirements drop off, as you have less services. You'll easily have 1000+ GPO security settings that need to be implemented to meet STIG (Security Technical Implementation Guide) requirements.

We build ours out into multiple GPOs for computer and users settings for each requirement. Office STIGs, Lync STIGs, Exchange STIGs, workstation OS STIGs, server OS STIGs, etc. Then you have exemption GPO settings, as usually the STIG will break something. So you need to reverse the setting and then stuck with paperwork to say why you have that setting different from the STIG setting.

STIGs also release like every few months. You're looking at a week of work for each GPO (making, testing, implementing). If you no longer have Lync or Exchange servers, that's at least 2 GPOs gone. If Office is no longer deployed out, that's some STIGs gone there. You'll also have to SCAP scan each server and fix any vulnerabilities that aren't fixed from the GPOs or patches.

I just don't know if the Pros will outweigh the Cons.




USAF was on a big push to just get rid of personnel in general. They're finally realizing the massive mistake they made, but they made cuts so deep that they lost all their knowledge. Can't do OJT, when those teaching don't know either. Those that did, got cut years ago and never had the chance to pass along the knowledge.

I don't think them choosing to go contractors is so much a choice they want to do, but they have to do. They need to regain some of that knowledge from somewhere and anyone who's gone through an IT tech school in the USAF knows it doesn't teach you much.


Not completely, military email accounts are not [email protected], they are all @mail.mil meaning a single unified exchange domain for the entire DoD, a change to Office 365 won't affect that and many other services at all because those services are not local to the branch but span the DoD as a whole.

And again I will reiterate, 10 of the DoD network footprint is unclassified work, the other 90% is classified on networks that are not connected to the internet so you can't off-load these services to commercial vendors and commercial services. At best you can replicate them in house on each of these many classified networks which really can cut back on the savings and benefits. I work on four different networks, off loading users on one of them to Office365 just means I have one less but I still have to do everything on the others, I'm still being paid and we're still buying licenses and servers.
 
The entire reason the USAF and DOD at large is doing this is because there has been a major push on getting rid of the communications enlisted/officers and contracting everything out. The less infrastructure/in house stuff the DoD needs to maintain they think is better due to the cost savings.

What these idiots haven't really totally thought through is what happens if there is ever actually a war and now all your communications are completely dependent on contractors coming into work. You also have to hope that Microsoft (Or wherever the cloud is) will adequately protect their services.

Their plan will save money, but is it really worth the operational risk?

And yes, the DoD has SIPRNET/JWICS/Etc for the real mission, but anyone who's been in knows how dependent we've become on NIPR for anything personnel/logistics related. Never mind the fact that big data analytics on all those unclass emails is a major OPSEC threat.

I think you have some things backwards.
The same thing happened for the Army and it was because of a war that it happened. A contractor is much cheaper to use than a soldier or airman. The Soldier has to do weapons training, medical requirements short term and long term are steeper, you can add another contractor easily compared to training another military member because the contractor comes already skilled and doesn't need all the additional military skills. It frees trained military members to go do what they do and when your war slows down or ends, you just drop the contract and send the contractors home, the military guys have to be transitioned out, get their counseling, and the VA, and will likely draw benefits even if they don't stay in. Something else, I never served in a war zone while on active duty, my retirement pay is small and if I ever start drawing VA medical payments, they come out of my retirement pay unless they exceed it, then I get the greater of the two. But a combat vet who retires receives both, separately. That comes to some money man.

So after 10 years of war it's hard to say that they are idiots and don't know what would happen if there is a war, there has been a war. What they are doing is in reaction to what they did already, "because we were in a war". Contractors coming to work wasn't an iffy thing during this last war. I always thought it amusing that I never saw a war zone until after I retired and became a contractor.

I agree with you about the threat when it comes to OPSEC and Open Source Intelligence. Yes, there is a lot of business that goes on on NIPRNET and is unclassified. I disagree that moving to Office365 is going to be a major cost saving and logistical boon if you consider the IP landscape as a whole. If you only look at NIPRNET, sure it might save some money, but the reality is less significant from what I see.
 
Office will still be installed on your local machine, what it does is allow the AF to shut down 1000s of servers for network file shares, sharepoint, email and migrate those users to O365. If the AF was run well at all (and it isn't) it would result in significant reduction in staff to support all those systems.

No it doesn't. The Air Force doesn't run their own exchange, hasn't for years. It's managed by the DoD which is why everyone's email account is now @mail.mil
(I have to correct this, apparently the Air Force has not yet transitioned to the DoD exchange service and do still run their own exchange, but this is going to happen and they will not be going to Office365 for their email.)

Office will not be on the local machines, that is what Office365 is, a cloud based Office app. And transitioning to Office365 doesn't mean the Air Force has decided to move their data repositories and sharepoint farms to a cloud service and relinquish direct control of their file servers. Did you see that stated in the article because I did not, and it would not be a requirement in order to adopt Office 365.
 
No it doesn't. The Air Force doesn't run their own exchange, hasn't for years. It's managed by the DoD which is why everyone's email account is now @mail.mil
(I have to correct this, apparently the Air Force has not yet transitioned to the DoD exchange service and do still run their own exchange, but this is going to happen and they will not be going to Office365 for their email.)

Office will not be on the local machines, that is what Office365 is, a cloud based Office app. And transitioning to Office365 doesn't mean the Air Force has decided to move their data repositories and sharepoint farms to a cloud service and relinquish direct control of their file servers. Did you see that stated in the article because I did not, and it would not be a requirement in order to adopt Office 365.

You're actually wrong on that. AFIN and 99%+ of USAF users are still on an AF managed exchange.

I won't comment much more on what the AF plans on doing, but needless to say the data is going to be stored on the cloud - And it's not a DoD owned cloud. That's why I'm largely concerned with the move. Sure, it'll be logically sectioned off terrain on Microsoft's servers - But I still don't like it.
 
Point taken, but I was trying to point out that the Classified Networks are in no way threatened by this move.

How do they properly deal with CMI's on Microsoft owned terrain? We're also making the assumption Microsoft isn't compromised in some way.

No, classified networks aren't threatened. If you've got free wheeling access to every NIPR email/exchange account out there though that gives a good window into revealing Ops as it is. Never mind all the other avenues it opens to fucking with logistics, security/PII management, and people's pay.
 
I may be naive here, but how are they going to install 776,000 copies onto their computers at once? Or do they have to do this one system at a time (still doable, but that could take years)?

If the Air Force does it like the Army, they have their own custom build for Windows, we just switched to Win10. The way they install things is by creating a master image and booting the machine to a networked install image, easy, I can do dozens of computers at a time and never need a CD or even a license key, my CAC Smart Card is good enough. If I want a new app on everything, I change the master image or I can push the deployment with SCCM and basically trigger a remote installation of the app across the network, no user need be involved and I don't have to go to all the machines. These are things that happen on Enterprise Networks. I don't actually do these things myself, others do, I manage servers doing virtualization and SAN / NAS storage systems.
 
Not completely, military email accounts are not [email protected], they are all @mail.mil meaning a single unified exchange domain for the entire DoD, a change to Office 365 won't affect that and many other services at all because those services are not local to the branch but span the DoD as a whole.

And again I will reiterate, 10 of the DoD network footprint is unclassified work, the other 90% is classified on networks that are not connected to the internet so you can't off-load these services to commercial vendors and commercial services. At best you can replicate them in house on each of these many classified networks which really can cut back on the savings and benefits. I work on four different networks, off loading users on one of them to Office365 just means I have one less but I still have to do everything on the others, I'm still being paid and we're still buying licenses and servers.
Just a correction, there is a link between every classified network and the internet. Its just not l
How do they properly deal with CMI's on Microsoft owned terrain? We're also making the assumption Microsoft isn't compromised in some way.

No, classified networks aren't threatened. If you've got free wheeling access to every NIPR email/exchange account out there though that gives a good window into revealing Ops as it is. Never mind all the other avenues it opens to fucking with logistics, security/PII management, and people's pay.
It's not real cloud, it's basically remote hosted managed services with dedicated machines and equipment
 
It's not real cloud, it's basically remote hosted managed services with dedicated machines and equipment

If it's just going to be an internal to AFIN contracted out solution then I don't have a problem with it. Of course, then I have to ask why the fuck the USAF is wasting more money on their own solution and not conforming to DISA/JIE by going with mail.mil. Because while this will be cheaper than locally managed exchange servers at every base it's still not moving to @mail.mil which means we're just wasting more money on another interim step.
 
How do they properly deal with CMI's on Microsoft owned terrain? We're also making the assumption Microsoft isn't compromised in some way.

No, classified networks aren't threatened. If you've got free wheeling access to every NIPR email/exchange account out there though that gives a good window into revealing Ops as it is. Never mind all the other avenues it opens to fucking with logistics, security/PII management, and people's pay.

Slow down some, two separate issues, I'm not sure what you're asking in the first sentence, I'm not familiar with what you mean by a CMI.

I'm not saying that an enemy couldn't cause havoc although I understand how someone would have taken my statement as such. There are just a great number of people who think all the military's sensitive stuff is sitting on Army.com and USAirforce.com and don't understand that those are only public facing portals for recruiting and shit. Further they think that if the Army's facebook page was hacked that there might have been a risk to Army classified information. These kinds of things, they think the military only runs their own single big network for all their business and do not know that the classified ones aren't connected to the unclass. They don't get that you can't even ping a classified military computer much less hack one from their basement. Not physically possible.

This was the point of my comment.
 
Just a correction, there is a link between every classified network and the internet. Its just not l

It's not real cloud, it's basically remote hosted managed services with dedicated machines and equipment

They don't even share the same physical communications equipment, not even a common satellite.
 
They don't even share the same physical communications equipment, not even a common satellite.

You aren't correct, and I won't say much more - But needless to say almost everything rides over the same commercial backbones leased by DISA at some point. There can be exceptions, but that's not the norm.
 
If it's just going to be an internal to AFIN contracted out solution then I don't have a problem with it. Of course, then I have to ask why the fuck the USAF is wasting more money on their own solution and not conforming to DISA/JIE by going with mail.mil. Because while this will be cheaper than locally managed exchange servers at every base it's still not moving to @mail.mil which means we're just wasting more money on another interim step.

Air Force is going to move to mail.mil, they just haven't done it yet. The Army completed that move a few years ago, I don't know where the other services are in the process.
 
You aren't correct, and I won't say much more - But needless to say almost everything rides over the same commercial backbones leased by DISA at some point. There can be exceptions, but that's not the norm.

I suppose it's not the place to argue it.
 
There are a fuck ton of contractors, but that’s not what I’m talking about.

So please explain what you are talking about because...

You aren't correct, and I won't say much more - But needless to say almost everything rides over the same commercial backbones leased by DISA at some point. There can be exceptions, but that's not the norm.

Which is managed and secured by who again? That's right, contractors, which brings us back to my point in the first place. Also there are quite a few exceptions to what rides over those comm lines. But those leased lines are managed, monitored and maintained by contractors.
 
So please explain what you are talking about because...



Which is managed and secured by who again? That's right, contractors, which brings us back to my point in the first place. Also there are quite a few exceptions to what rides over those comm lines. But those leased lines are managed, monitored and maintained by contractors.

Contractors do some of it - Yes. At the end of the day there are a number of critical functions that contractors simply aren't doing because they aren't allowed to do it.
 
Contractors do some of it - Yes. At the end of the day there are a number of critical functions that contractors simply aren't doing because they aren't allowed to do it.

I will just continue to let you live in that fantasy then. I am just sitting here thinking about who the WOs are, right, contractors. And then who do they go to when there is an issue, oh right, contractors. Who advises and helps write the filter rules, oh right, contractors. I could go on and on. I am not sure what critical functions you think are being "controlled" without any inclusion of contractors.
 
I will just continue to let you live in that fantasy then. I am just sitting here thinking about who the WOs are, right, contractors. And then who do they go to when there is an issue, oh right, contractors. Who advises and helps write the filter rules, oh right, contractors. I could go on and on. I am not sure what critical functions you think are being "controlled" without any inclusion of contractors.


So I work in this software development activity and the entire IT team is contractors, but we do have a DA civilian who is in charge of the server room. He makes all the decisions regarding our work. But he comes to us on everything, asks us about everything, it's our recommendations he relies on for his decisions. Now that doesn't mean he does what we tell him to do, because sometimes he has to make choices based on directives we might not even be told about. But he certainly listens to us and values our input and he comes to us when he wants to learn how things work. That's because he isn't a data center guy, he was a developer who became a GS and now he's in charge of a data center but has no data center experience. But he listens and for that we are thankful.

As for guys in uniform, I'm sure there is a Colonel or two up there somewhere, but we never see or hear from them, not that anyone on our team cares about. We do the work, we configure and maintain and do it according to security standards and guidance and the govy makes all the decisions and we keep ourselves straight by remembering that it's his (the govy's) server room and it's his equipment, and we just have the privilege to work on it, and to work with someone who values our work and diligence.

As messed up as some things can seem, there are worse ways to make a buck.
 
So I work in this software development activity and the entire IT team is contractors, but we do have a DA civilian who is in charge of the server room. He makes all the decisions regarding our work. But he comes to us on everything, asks us about everything, it's our recommendations he relies on for his decisions. Now that doesn't mean he does what we tell him to do, because sometimes he has to make choices based on directives we might not even be told about. But he certainly listens to us and values our input and he comes to us when he wants to learn how things work. That's because he isn't a data center guy, he was a developer who became a GS and now he's in charge of a data center but has no data center experience. But he listens and for that we are thankful.

As for guys in uniform, I'm sure there is a Colonel or two up there somewhere, but we never see or hear from them, not that anyone on our team cares about. We do the work, we configure and maintain and do it according to security standards and guidance and the govy makes all the decisions and we keep ourselves straight by remembering that it's his (the govy's) server room and it's his equipment, and we just have the privilege to work on it, and to work with someone who values our work and diligence.

As messed up as some things can seem, there are worse ways to make a buck.

You guys realize that all the comms down at the tactical level are largely maintained by soldiers/sailors/airmen, correct? Yes - Contractors largely are doing day to day for the big enterprise mothership, but once the enterprise delivers to a base boundary / tactical level it's all done largely by blue suits. On top of that, contractors aren't even allowed to do crypto that all the transport leases rely on, and they aren't doing much on the Cyber ops side either besides development - But they aren't executing.

We appreciate your hard work but your perspective is limited to what you know..
 
You guys realize that all the comms down at the tactical level are largely maintained by soldiers/sailors/airmen, correct? Yes - Contractors largely are doing day to day for the big enterprise mothership, but once the enterprise delivers to a base boundary / tactical level it's all done largely by blue suits. On top of that, contractors aren't even allowed to do crypto that all the transport leases rely on, and they aren't doing much on the Cyber ops side either besides development - But they aren't executing.

We appreciate your hard work but your perspective is limited to what you know..

Speaking for the Navy (and somewhat the AF), we've got contractors all over the place. When you deploy, it's all sailors, but as soon as you hit port with broken gear, contractors show up to fix it. When your shit breaks underway, the guy on the other end of the help desk call is a contractor or GS 90% of the time. Contractors are all over the place in cyber ops as well. The only reason they don't get attached to the more mobile cyber teams is because it's cheaper to send active duty guys.
 
Our company went to O365 and EVERYONE (who has a clue) hates it. It is SO SLOW compared to regular Outlook. But the exec's think they saved a few bucks so they're happy. Most of them are using Macbooks anyway, so what do they know.

Most execs are short-sighted, and the lower annual cost of subscription schemes may seem attractive, until the true horror of the thing may finally dawn on them: its pay-forever. F that sideways.

And the dirty little secret is that Microsoft has actually been losing revenue with the migration from fixed, ELA based Office to O365. Of course they're hoping to make it up in the long run, but with the boneheaded moves MS has been making the past few years in just about every division except Azure, I don't know that they've got a "long run" left in them.
 
You guys realize that all the comms down at the tactical level are largely maintained by soldiers/sailors/airmen, correct? Yes - Contractors largely are doing day to day for the big enterprise mothership, but once the enterprise delivers to a base boundary / tactical level it's all done largely by blue suits. On top of that, contractors aren't even allowed to do crypto that all the transport leases rely on, and they aren't doing much on the Cyber ops side either besides development - But they aren't executing.

We appreciate your hard work but your perspective is limited to what you know..

Yup, I worked on FOB Falcon in Iraq for a year supporting BAT and Hide biometric system while 4/1 and later 1/4 ran the show. I worked in my own little room with my server running 24/7 and no one around to call boss. I answered to no one except my company at FOB Slayer who manned the "BAT Cave" which was all contractors except one Colonel who we called the Boss except she wasn't really the boss whether she thought so or not. And my room mate was a contractor who worked the FOB DOIM(?), and he did 12 hour shift work and I know there were probably soldiers with him and over him, but it didn't affect me. And when they came around telling me I had to put my server on the Domain I just pulled out my letter signed by a General that said "No, the BAT servers will not go on the domain". And when 1/4 ripped in and took over for 4/1 and spent a few weeks completely fucking up the networks I was there for that as well and yes I know they were soldiers and I also know how much they don't know about how shit actually works cause they are always running around fucking shit up that we have to fix.

See, you have this nice neat hierarchy of soldiers who all play at being real IT people, but when you go to Ft. Huachuca to NETCOM and see who really runs NIPRNET, they are not in uniforms and the doers are contractors and the ones who sit in chairs and make decisions either used to be contractors or just came from somewhere else and have contractors keeping them straight, or not.

And contractors do maintain crypto cause I know contractors that maintain crypto on Ft. Huachuca so if you've worked somewhere where some leader decided contractors can't be trusted with crypto then that was a local decision by a local command cause there sure as fuck is no DoD or DISA or NSA policy that mandates this. It's just some bullshit decision a local commander decided was prudent, (which is within a commander's authority so).

I got 16 years in Army, most of it in SIGINT. I have another 19 years now as a DoD cleared contractor doing IT support mostly for MI tactical systems. You certainly must be experienced as well, but my experience tells me that yours has been different than mine. Maybe what you have seen isn't the same as what is common across the board.
 
They don't even share the same physical communications equipment, not even a common satellite.
That is true in a general sense, but there are links. There literally isn't a 100% segregated network (this really pisses me off).
 
You guys realize that all the comms down at the tactical level are largely maintained by soldiers/sailors/airmen, correct? Yes - Contractors largely are doing day to day for the big enterprise mothership, but once the enterprise delivers to a base boundary / tactical level it's all done largely by blue suits. On top of that, contractors aren't even allowed to do crypto that all the transport leases rely on, and they aren't doing much on the Cyber ops side either besides development - But they aren't executing.

We appreciate your hard work but your perspective is limited to what you know..

Limited to what I know... So when you deploy, who controls the comms and maintains the equipment at the main AO HQ? Those are contractors. They work with the soldiers, but all the engineering, most of the maintenance, and almost all the original TTPs are written by the contractors. As far as the cryptos, that is not correct either. Contractors apply for and receive leases for many crypto devices. They also set up most of the main VPN, TLS, MPLSs that are used. Yes at forward deployed bases where you don't usually have any contractors, soldiers maintain that equipment, but also note they have far more outages there.

But what do I know...
 
Not completely, military email accounts are not [email protected], they are all @mail.mil meaning a single unified exchange domain for the entire DoD, a change to Office 365 won't affect that and many other services at all because those services are not local to the branch but span the DoD as a whole.

No, no they aren't. The entire DoD does not use @mail.mil, cause they don't want to be under DISA control, nor pay for those services. So....

USAF = @us.af.mil
USN = @navy.mil
USMC = @usmc.mil
USA = @mail.mil

And again I will reiterate, 10% of the DoD network footprint is unclassified work, the other 90% is classified on networks that are not connected to the internet so you can't off-load these services to commercial vendors and commercial services. At best you can replicate them in house on each of these many classified networks which really can cut back on the savings and benefits. I work on four different networks, off-loading users on one of them to Office365 just means I have one less but I still have to do everything on the others, I'm still being paid and we're still buying licenses and servers.

It's only a matter of time until they can offload classified workloads to commercial vendors. There's a reason they have already made the different impact level classifications. Once a company is approved for Impact Level 6, they can start taking over classified services up to Secret. As of right now, there isn't any, but I know Amazon is gearing up for it.

Another thing to look at is workload, not what the network is actually being used for, but what work the admin has to do to maintain it and keep it within security compliance. Since it touches the outside world, there's a lot more work to do on it to keep those unauthorized out. The less services, the less you need to have to STIG.
 
You guys realize that all the comms down at the tactical level are largely maintained by soldiers/sailors/airmen, correct? Yes - Contractors largely are doing day to day for the big enterprise mothership, but once the enterprise delivers to a base boundary / tactical level it's all done largely by blue suits. On top of that, contractors aren't even allowed to do crypto that all the transport leases rely on, and they aren't doing much on the Cyber ops side either besides development - But they aren't executing.

We appreciate your hard work but your perspective is limited to what you know..

Depends on branch and how they decided to set it up. Army at the smaller level, no one there is taking care of it. As in an OP, COP, and sometimes FOB. They simply have a satellite to connect them to the services and those satellites will be taken care of by blue suits. The enterprise services are taken care of elsewhere, where it could be blue suits doing it or contractors. When I was deployed, our COP connected to FOB Shank, where the enterprise services lived. That was all blue suits, could have easily been contractors, but my guess is they wouldn't be able to get enough contractors to work there. FOB Shank used to get mortared like a couple times a month.

Crypto also isn't limited to blue suits only. That's more just a local policy probably. We do crypto at Patch Barracks. Now it's blue suits that are the overall Comsec custodians. I don't think they'll contract that out, but I don't know. Maybe there's bases that do. We just take care of the comsec for our own taclanes and such.

Speaking for the Navy (and somewhat the AF), we've got contractors all over the place. When you deploy, it's all sailors, but as soon as you hit port with broken gear, contractors show up to fix it. When your shit breaks underway, the guy on the other end of the help desk call is a contractor or GS 90% of the time. Contractors are all over the place in cyber ops as well. The only reason they don't get attached to the more mobile cyber teams is because it's cheaper to send active duty guys.

When I was in the AF, we didn't have any contractors except for TBMCS and the *nix based system for classified systems. I know the Navy is heavy on contractors, same with the Army. I've never worked with the Marines, but I'm not even certain if they even have military IT folks. I figured they ride off the Navy, but not a clue there.

Limited to what I know... So when you deploy, who controls the comms and maintains the equipment at the main AO HQ? Those are contractors. They work with the soldiers, but all the engineering, most of the maintenance, and almost all the original TTPs are written by the contractors. As far as the cryptos, that is not correct either. Contractors apply for and receive leases for many crypto devices. They also set up most of the main VPN, TLS, MPLSs that are used. Yes at forward deployed bases where you don't usually have any contractors, soldiers maintain that equipment, but also note they have far more outages there.

But what do I know...

Very branch specific on the layout. As I mentioned, I was in the AF, so all that you mentioned, was blue suits. I was part of the TDC (Theatre Deployable Comm) shop, so we did all the engineering, maintenance, wrote all the TTPs, trained additional manning who'd deploy with us, etc. We had all the servers and maintained all the services. AD, Exchange, Lync, SCCM, VTC, etc.

My first deployment, we didn't have a single contractor on base. The only contractors we had to deal with were DISA ones who just gave us a connection to the outside world. Not sure why, they could have easily got contractors there. It was in Pakistan for 6 months. Never got attacked. Didn't carry a weapon, wasn't wearing any body armor. It was very peaceful, just shitty living conditions.
 
No, no they aren't. The entire DoD does not use @mail.mil, cause they don't want to be under DISA control, nor pay for those services. So....

USAF = @us.af.mil
USN = @navy.mil
USMC = @usmc.mil
USA = @mail.mil



It's only a matter of time until they can offload classified workloads to commercial vendors. There's a reason they have already made the different impact level classifications. Once a company is approved for Impact Level 6, they can start taking over classified services up to Secret. As of right now, there isn't any, but I know Amazon is gearing up for it.

Another thing to look at is workload, not what the network is actually being used for, but what work the admin has to do to maintain it and keep it within security compliance. Since it touches the outside world, there's a lot more work to do on it to keep those unauthorized out. The less services, the less you need to have to STIG.

You say the Air Force isn't transitioning to DEE (DoD Enterprise Exchange) under the JIE, but that isn't nearly as true as you claim.

Starting in 2015;
The Air Force moved its Washington, D.C., headquarters to the DEE system, but that amounts to fewer than 10,000 email users – about 2 percent of Air Force email users, said David Brown, deputy chief of the Air Force’s Information Environment Mission Area.

The Air Force has also moved 150,000 classified email accounts to the DEE system, and it is in the process of transferring the Air National Guard to the enterprise system, Brown said. That’s substantial: More than 105,000 airmen are in the Guard, plus civilians. Beyond that, the service is considering other options, including commercial email systems, he said.
https://www.govtechworks.com/why-most-of-dod-still-wont-buy-defense-enterprise-email/

And now in 2017;
The Joint Information Enterprise (JIE) has launched in Europe and in the Pacific, and most Air Force components have migrated to defense enterprise e-mail (DEE).
http://www.153aw.ang.af.mil/News/Ar.../869676/153rd-airlift-wing-migrates-to-afnet/

http://www.peterson.af.mil/News/Display/Article/734030/siprnet-email-to-migrate/
PETERSON AIR FORCE BASE, Colo. -- Starting Oct 15th, Peterson Air Force Base will migrate the Air Force-owned SIPRNet email services to a cloud-like DoD Enterprise Email (DEE) - SIPRNet provided by DISA.

But it does look like my information is dated and/or just incorrect. It looks like much of CONUS based Air Force will not go to DEE because they just awarded a large contract for cloud services to a contractor team, sole sourced.

In fact, I suppose it's even possible that after the Navy takes everything that's not already on DEE and gets its cloud up and running, they could even migrate their DEE accounts underneath their new cloud service as well.

And it still looks like the Navy/Marines are wanting to stay with what they have.

Crow tastes so yummy on an early Monday morning.
 
You say the Air Force isn't transitioning to DEE (DoD Enterprise Exchange) under the JIE, but that isn't nearly as true as you claim.

Starting in 2015;

https://www.govtechworks.com/why-most-of-dod-still-wont-buy-defense-enterprise-email/

And now in 2017;

http://www.153aw.ang.af.mil/News/Ar.../869676/153rd-airlift-wing-migrates-to-afnet/

http://www.peterson.af.mil/News/Display/Article/734030/siprnet-email-to-migrate/


But it does look like my information is dated and/or just incorrect. It looks like much of CONUS based Air Force will not go to DEE because they just awarded a large contract for cloud services to a contractor team, sole sourced.

In fact, I suppose it's even possible that after the Navy takes everything that's not already on DEE and gets its cloud up and running, they could even migrate their DEE accounts underneath their new cloud service as well.

And it still looks like the Navy/Marines are wanting to stay with what they have.

Crow tastes so yummy on an early Monday morning.


I didn't think the AF took to DEE, as I'm still stuck having to deprovision their SIPR DEE and NIPR DEE accounts, when they leave this command. The problem with having a DEE account, then going to a place that doesn't have it, is that the email on your CAC/Alt token gets set as an alias on the DEE account. So anyone on DEE sending you an email to that non-DEE email, it'll go to the DEE account, not the non-DEE email account. So they have to get deprovisioned.

Guess I was wrong on them not moving to it. Looks like quite a few have, based off the GAL.
 
I didn't think the AF took to DEE, as I'm still stuck having to deprovision their SIPR DEE and NIPR DEE accounts, when they leave this command. The problem with having a DEE account, then going to a place that doesn't have it, is that the email on your CAC/Alt token gets set as an alias on the DEE account. So anyone on DEE sending you an email to that non-DEE email, it'll go to the DEE account, not the non-DEE email account. So they have to get deprovisioned.

Guess I was wrong on them not moving to it. Looks like quite a few have, based off the GAL.

Ahh it's just what the military does, change their minds and change them back. Build a bridge move a bridge replace a bridge with a new bridge while leaving the old bridge up and then deciding the new bridge is going to cost too much and stopping work before it's finished, and then tearing down the old bridge anyway.
 