Skip navigation

When it comes to the education industry, IT support is a vital function to enable the business. A university or a school campus/district is a big distributed network with end-users (students & faculty) and IT equipment distributed over different sites and locations. The reality for education industry in most cases is that IT departments are not well endowed with budget and human resources to tackle this unique support challenge. So, it comes down to doing the best IT can with what they have and how efficiently they manage and deliver customer service.


HDI, an association for technical service and support professionals and organizations, published a research brief about customer service in the higher education industry. Here are some interesting findings.


The staffing ratios in higher education tell us about how many end-users are being supported for every IT support staff.

Size of the Organization

Staff to End-User Ratio

Small (< 2,000 end-users)


Medium (2,000-10,000) end-users


Large (> 10,000 end-users)



With increasing ticket volumes attributed to new applications and systems, new equipment and devices, and the number of customers supported, it is a definite challenge for higher education support centers to ensure they implement the right tools and techniques to help them improve time and efficacy of support delivery.



It’s a very interesting to find that there is still a lot of walk-up, phone and email channels use for logging service requests. Even though it may simpler for the end-users to do so, these channels do not make the process simpler and consistent to capture trouble tickets. IT pros will more often than not follow up to get additional information, spend time converting these into actual help desk tickets, etc. This is an extremely time-consuming job for the support staff. They should be spending more time towards resolving tickets than managing them.

Support Channel Used

Percentage of Organizations Using the Channel









Social Media



With an effective ticketing management system with centralized service request Web portals for end-users, all the time and management hassles in each of the channels above can be greatly reduced.



As reported by the support centers in higher education, incident management (#1), knowledge management (#2), and remote control (#3) are essential to providing successful end-user support. Most organizations are understanding need for the right technology, the affordable technology to ensure their support centers get the automation support as needed. This will certainly help boost the efficiency of support delivery.

  • 87% of higher education support centers are using incident management systems
  • 90% of support centers are using remote control technology
  • 65% are already using knowledge management systems, and 18% are planning to add them

Other popular IT service management systems used by higher education support centers are: IT asset management (53.4%), customer sat surveying (72%), and self-service (62%).



What support centers need, to manage a growing network of end-users and rising support tickets, is a cost-effective investment in an all-round tool for IT service management such as a help desk software that provides a wide array of support for incident management, problem management, IT asset management, change management, knowledge management and more. Instead of shifting gears each time and managing multiple systems, a single, central help desk solution will help

  • Automate support tasks
  • Eliminate the need to manually perform repetitive tasks
  • Unify and streamline ticket submission and service request creation
  • Increase time-to-resolution
  • And, above all, improve the efficiency of customer service


Read the full HDI research brief: Improving Efficiency & Customer Service in Higher Education »

According to current reports, over 1,000 US companies have been hit with the Backoff POS (point of sale) virus so far. Infections date back as far as October 2013, and the customers who have been hit include Dairy Queen, UPS, Supervalu, and Neiman Marcus. The impact is now in the millions—millions of customers who have had their credit card information stolen; millions of dollars it is costing the infected companies.


Many articles (including one posted by CourtesyIT on Aug 21: Backoff POS Alert ) encourage companies to follow industry-standard best practices to protect themselves, and give a high-level listing of those practices (“use firewalls to restrict access to remote desktop”).


At SolarWinds®, we realize that “industry standard best practices” are frequently NON-standard and UN-practiced. We also realize that not everyone has the expertise to implement ACL's and lock down ports on machines, or perform regular checksum comparisons on filesystems—all of which need to happen on production networks and sales systems without impacting actual business operations.


But you probably realize that you also can't afford to do nothing.


WE realized that we would couldn't sit by and do nothing either. While combating viruses may not exactly be in the SolarWinds mission statement, our decades of experience in systems monitoring, management, and automation makes us uniquely suited to help. So we are.


While we intend (over the course of the next few days) to provide concrete solutions to specific aspects of this threat, for the moment we're opening the floor up to discussion.


For a more specific list of things you can do now, jump to “Actions you Can Take Right Now”, below.


Detailed Background

The US Computer Emergency Readiness Team (US-CERT) has assembled comprehensive information about the virus. A detailed explanation of how the virus works on systems can be found here


The following link provides an overview of the virus elements (files, functions, etc.) as well as industry-standard best practices you can follow to detect whether you are infected and to block further damage:


For the rest of this post we're going to break down the CERT notice into logical groups and offer general information on high-level actions you can start taking.


While the exact attack or infection vector is still not known (see here for more:, the indicators that a system has been compromised are extremely easy to spot (in some cases, a simple “dir /s” would do the trick). These indicators include files created/written, registry keys created/written, URIs accessed, and POST requests.


As stated earlier, it's not known exactly how the infection occurs. At this time, the mechanism of compromise seems to target remote authentication mechanisms like RDP, LogMeIn, and others.


Actions You Can Take Right Now


First, let's just run through a few items that you should be able to easily lock down:


  • Remote Desktop
    Limit the use of remote desktop on your point of sale systems. Disable it if you can or limit access to specific users or computers (using GPO or routing rules) if you must permit it.

    If nothing else, you should block RDP traffic going to/from any external source.

    Along with that, you should be monitoring the network devices that control ingress/egress to the POS network for changes. You will want an alert if the firewall rules or ACLs are updated without an approved change.

  • Admin privileges
    Limit users with admin privileges to the POS systems. This can be done in a variety of ways from having your POS systems in a separate domain and thus having a separate domain admin group to simply having a separate “POS domain Admins” group and assigning that group to the POS systems instead of the regular one.

    You'll also want to monitor the systems themselves for admin logins.

  • Users and passwords
    Most of the preventative options are common sense—require complex passwords that change regularly. Limit usage/access of admin accounts. Disable/delete unused accounts, etc.



Assuming you've battened down the hatches, here are high-level descriptions of some actions you can take right now to determine if you have been affected.

  • Authentication data
    Similar to the prevention tip for locking down RDP, monitoring for RDP authentication attempts (any to start, and then filter out permitted computers/users as you get a sense of what normal usage is) will help identify unauthorized access.

    Separately, monitor for usage of service/admin accounts to watch for unexpected activity.

  • Changes on the targeted system
    It's clear from this and other viruses that you need to be much more sensitive to changes (e.g. new files or registry entries) on your POS systems than other devices. Whether you use a scan-and-checksum technique or a full inventory option, being alerted to new (and unexpected) files on your POS devices is a must.

  • Command and control access
    The whole point of this virus is that it connects to an external system and uploads keystrokes, user details, etc. Watching for those connections will give you a heads up that something is amiss. Ways you can do that include:
    • Use a proxy server to filter out record access to the unknown URI's.
    • Check firewall logs for connections to external systems (and attempts to bypass the proxy).
    • Monitor for connections to anything OTHER than the things they SHOULD be accessing. These systems shouldn’t be accessing a whole lot of network sources—especially on the Internet. So if you see activity on them that’s out of the norm, that's a big red flag.


If you find you need more, just sit tight. As mentioned earlier, we'll be posting detailed information, files you can import into your existing environment to get a leg up, and more over the next few



Please contribute your observations, opinions, or questions either in the comments below or by direct-messaging me on

Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.