Microsoft Enterprise Agreement Policy Changes

As an existing Microsoft Enterprise Agreement customer you should have already been made aware of the policy changes coming to this type of agreement by Microsoft.
 
If you haven’t, here’s the public blog post where they made it known worldwide:

Another step in licensing transformation: new policy and guidance for Enterprise Agreement customers

It’s a good read to get started and gives you some talking points to discuss with your reseller & Microsoft account manager.

One key point to note is that this means that on July 1, 2016 

… the minimum Enterprise Agreement (EA) commitment for commercial customers signing new Enterprise Enrollments or Enterprise Subscription Enrollments will increase from 250 users or devices to 500. Along with this change, we are guiding new commercial customers within the 250 to 499 user or device range to our modern volume licensing solutions: the Microsoft Product and Services Agreement (MPSA) and the Cloud Solutions Provider (CSP).

For those who need some more time to adapt to the new situation and whose needs aren’t served well by the Microsoft Products and Services Agreement (MPSA) and the Cloud Solution Provider (CSP) offerings, there is an option to extend the existing EA for another 3 years. That might well be worth doing.

Heading To TechEd North America 2014

Good times ahead as today I’m making my way over to the USA (Houston, Texas) for TechEd 2014 North America. I’m in the good company of a few of my colleagues, and a great number of my buddies & industry relations are inbound as well.

Time for some serious education, networking & passionate discussions on the state of the industry with people from all over the globe. I’ll also make good use of my time over there to meet up with the people in my network who are US based.

I’ll be spending time in the cloud/hybrid/virtualization tracks and focus on networking and identity. That starts off very well with a pre-conference track on hybrid identity on Sunday by John Craddock, a true scholar!

Network!

No need to bring SFP+ or RJ45, don’t worry. Next to sessions & labs, don’t forget to connect with others. The ability to network with peers and industry experts is a great benefit of this conference, so make the best of it. There are few events with this concentration of expertise & talent; tap into that resource.

To help all you shy people out there, Aidan Finn has launched the TechEd North America 2014 Hyper-V Amigo Selfie Game. You can read all about it over here and if you play, best of luck!

En Route

But first we need to get there. As I learned during a visit to the Boeing factory in Seattle: “If it’s not Boeing, I’m not going” ;-). No worries, it appears they’re using a 777.

So I’m getting out of the village, into the world so tunnel visions and blinders can be avoided. See you all there.

SSL Certs And Achieving “A” Level Security With Older Windows Versions

So a mate of mine pings me. Says they have a problem with their web mail SSL security (Exchange 2010) running virtualized on Hyper-V. The security guy states they need to move to a more secure platform that supports “modern SSL standards” and proposes to migrate from Exchange 2010 to Exchange 2013 in an emergency upgrade. Preferably to VMware, as “MickeySoft” is insecure. Oh boy! Another prophet of disaster who says the ship is lost unless …

You immediately know that the “security guy” is an incompetent fraud who only reads the IT press tabloids, runs some freely available vulnerability toys (some are quite good) to determine what to check off on his list and shouts out some “the sky is falling” rubbish to justify his daily rate and guarantee his paycheck. I’ve said it before: your mother told you not to trust strangers just like that, so why do so many companies do this with “consultants”? Choose your advisers wisely and remember Machiavelli’s notes on the use of mercenaries ;-)!

  • VMware is not more secure than Hyper-V. That’s so wrong and so loaded with prejudice it immediately invalidates the person’s credibility & reputation. If you need proof, do your research, but as a recent example the “HeartBleed” issue left VMware scrambling, not Hyper-V. And for what it’s worth, IT security is like crime: statistically we’ll all be victims a couple of times in our lifetime.
  • Exchange 2010 running on Windows 2008 R2 fully patched is just fine. So what was all the drama about? The issue was that the Qualys SSL Labs tool gave their Outlook Web Access an F grade. Why? Well, they still allowed SSL 2.0, they didn’t run TLS 1.2 and they didn’t have Forward Secrecy support.

My advice to my buddy? First, he needs to get better security advice. Secondly, to get an “A” for secure SSL configuration all you need to do is some easy tweaking. You don’t want to support any clients that can’t handle the better SSL configurations anyway; no one should be allowed to use those. But what do I use? SSL 3.0? TLS 1.0/1.1/1.2? What to use & do? Here’s some documentation on how to enable/disable protocols: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll. That tells you how to do it, but which SSL versions can you dump today without suffering too many support calls? Server side, drop SSL 2.0 & SSL 3.0 and keep TLS 1.0/1.1/1.2. On the client side you’ll need to do the same. That will keep most things working. Not ideal, but the trick is to allow/enable the better protocols server side so all clients that can use them do, while you block the really bad ones that just don’t have any use any more. We’ll play a bit with this.

Test 1: Disable SSL 2.0 and Enable SSL 3.0

As you can see this gave them a B grade. We need to enforce the current best TLS 1.2 protocol to improve on that, and we might want to get rid of SSL 3.0 as XP & IE 6.0 have had their time and that’s over.

Test 2: Enable TLS 1.2

There you go. I hope this helps you out if you need to make sure your environment supports only more modern, stronger protocols.

There it is: A- :-) Compliance achieved! Now it would be best to disable SSL 2.0/3.0 and TLS 1.0/1.1 on the server and forget about any browsers, operating systems and software that can’t handle it. But that’s not that easily done: you’ll need Outlook 2013 for RPC over HTTP if you want to enforce TLS 1.2. But as far as the auditors go they are all so happy now, and effectively you’re now supporting the more modern clients. Now my buddy can get to an A or A+ rating when they make sure to get Forward Secrecy support in the future. I really advise the latter, as HeartBleed made it obvious that wide use of this is long overdue.
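As an added example (not from the original post), here is a PowerShell script that applies the server-side Schannel settings recommended above: SSL 2.0 and SSL 3.0 off, TLS 1.0/1.1/1.2 on (TLS 1.1 and 1.2 are off by default on Windows Server 2008 R2, which is what Test 2 turns on). It uses the registry layout from the Schannel.dll KB article and reads the keys back so you can verify; the function names are my own.

```powershell
# Added example, not from the original post. Registry layout per the Schannel.dll KB article:
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\Server
#   Enabled (DWORD): 0 = protocol off, 1 = on
#   DisabledByDefault (DWORD): 1 = not offered unless an application asks for it explicitly
# Run elevated. Schannel reads these keys at boot, so reboot afterwards and re-run SSL Labs.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Server-side policy from the post: drop SSL 2.0/3.0, keep TLS 1.0/1.1/1.2 so that
# Outlook 2010 RPC over HTTPS and other TLS 1.0-only clients keep working for now.
$policy = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $true
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # -Force creates parents
    $enabled = 0; $byDefault = 1
    if ($Enable) { $enabled = 1; $byDefault = 0 }
    New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $byDefault -PropertyType DWord -Force | Out-Null
}

function Get-SchannelServerProtocol {
    param([string]$Protocol)
    $key = Join-Path $base "$Protocol\Server"
    # No key at all means the OS default applies (TLS 1.1/1.2 off on a 2008 R2 server)
    if (-not (Test-Path $key)) { return "$Protocol : OS default (no override)" }
    $v = Get-ItemProperty -Path $key
    "$Protocol : Enabled=$($v.Enabled) DisabledByDefault=$($v.DisabledByDefault)"
}

# Show the current state, apply the policy, then show the result
Write-Host 'Before:'; $policy.Keys | Sort-Object | ForEach-Object { Get-SchannelServerProtocol $_ }
foreach ($p in $policy.Keys) { Set-SchannelServerProtocol -Protocol $p -Enable $policy[$p] }
Write-Host 'After:';  $policy.Keys | Sort-Object | ForEach-Object { Get-SchannelServerProtocol $_ }
Write-Host 'Reboot for Schannel to pick up the change, then re-test with SSL Labs.'
```

Apply the same policy under the `Client` subkey on your workstations if you also want to stop them negotiating SSL 2.0/3.0 outbound; test Outlook and OneDrive first, as the post notes.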

Some Testing Fun

Grab a laptop, Wireshark and a number of Twitter clients and cloud storage products and take a peek at what version of SSL/TLS those apps use. Some tests you can do:

MetroTwit uses SSLv3, OneDrive uses TLSv1, Yammer seems to be at TLSv1 as well. Try disabling TLS 1.0 on a client and see how it breaks Outlook 2010 RPC over HTTPS and even OneDrive, by the way.

What you can get away with depends on the roles of the servers and the level of security the clients for that role can handle.

Won’t this break functionality?

As you’ve seen above it can, but for what matters on the e-mail server, probably not. If it does, you’re in need of some major work on your client infrastructure. But in most cases you’ll be fine, especially with web browsers. “But I have an underpaid employee who needs food stamp support so she cannot afford to upgrade her PC from Windows XP!” Dude, pay a decent living wage, please. That aside, yes, you can turn on better protocol support and block the oldest, most insecure ones on your servers. You call the shots on the use of your business’s infrastructure and you are under no obligation to allow your employees to access your services with obsolete clients. You want to be in the green zone, in the right column with TLS 1.2 if possible, but that’s going to be a challenge for a lot of services.

Do as I say, don’t do as I do

The funny thing is that I ran the same test against the web (mainly e-mail) servers of 4 government levels that are enforcing/promoting the (mandatory) use of security officers in an attempt to get to a more secure web for the benefit of all mankind. Not only does this fail because of such fine examples of security officers, but 2/3 don’t seem to take their own medicine. The intentions are good, I’m sure, but the road to hell is paved with those, and while compliance is not the same as being secure, even this is hard to get to it seems.

Federal Government Department

Undisclosed State Government

Undisclosed Local Government

Medium Sized City (they did well compared to the above branches with more resources)

Don’t panic

That’s what it says on the cover of “The Official Hitchhiker’s Guide to the Galaxy Companion”. Get some good advice, and if you want to read more about how the rating is done (as of 2014) then please read SSL Labs: Stricter Security Requirements for 2014, which also provides a link to their SSL Server Rating Guide.

Speaking At The ITPROceed Event–June 12th 2014, ALM Antwerp

The Belgian IT Pro community is organizing the ITPROceed event, a “technology geek fest” as they call it on their web site.

It’s a joint venture between the IT pro community and Microsoft Belgium to help you all proceed in designing, deploying and operating Microsoft technologies.

The sessions will not only help you proceed but succeed as well. The speakers are Microsoft MVPs, MEET members & passionate community experts. They’ll share expertise & information gathered by using these technologies in real life deployments.

A rich mix of the technologies you have available and need today will be discussed, like the Cloud OS, System Center, SQL, Office 365, Windows 8, Unified Communications, Lync, Azure and SharePoint.

I’m speaking

I’ll be speaking about the features in Windows Server 2012 R2 that make it “The Scalable & Capable Cloud OS”.

Come see how you can leverage the capabilities of Windows Server 2012 R2, a true cloud OS, to achieve powerful and scalable solutions. We’ll demonstrate how to use technologies such as SMB Direct, DVMQ/vRSS, ODX, UNMAP, VHDX and Storage QoS. This will help you get the most out of commodity infrastructure and your investment in Windows today. We’ll share our experiences with you based on real life deployments to help you proceed and succeed.

Join us!

Really, make time in your schedule and attend this event by registering here.

Attend the sessions, talk shop with your peers and discuss your questions with the experts. I’ll see you there.