Infrastructure + Security: Noteworthy News (December, 2017-Part 1)

Hello there! Stanislav Belov here to bring you the next issue of the Infrastructure + Security: Noteworthy News series!  

As a reminder, the Noteworthy News series covers various areas, including interesting news, announcements, links, tips and tricks from the Windows, Azure, and Security worlds on a monthly basis. Enjoy!

Microsoft Azure
Transforming your VMware environment with Microsoft Azure

Microsoft on November 21, 2017, announced new services to facilitate your VMware migration to Azure.

  • On November 27, 2017, Azure Migrate, a free service, will be broadly available to all Azure customers. Azure Migrate can discover your on-premises VMware-based applications without requiring any changes to your VMware environment.
  • Integrate VMware workloads with Azure services.
  • Host VMware infrastructure with VMware virtualization on Azure.

Free e-book download: Enterprise Cloud Strategy
In the second edition of the Enterprise Cloud Strategy e-book, we’ve taken the essential information for how to establish a strategy and execute your enterprise cloud migration and put it all in one place. This valuable resource for IT and business leaders provides a comprehensive look at moving to the cloud, as well as specific guidance on topics like prioritizing app migration, working with stakeholders, and cloud architectural blueprints. Download now.
Azure Hybrid Benefit for Windows Server
For customers with Software Assurance, Azure Hybrid Benefit for Windows Server allows you to use your on-premises Windows Server licenses and run Windows virtual machines on Azure at a reduced cost. You can use Azure Hybrid Benefit for Windows Server to deploy new virtual machines from any Azure-supported platform Windows Server image or Windows custom images, as long as the image doesn’t come with additional software such as SQL Server or third-party marketplace images.
Azure Reserved VM Instances (RIs) are generally available for customers worldwide

Effective November 16th, Azure RIs enable you to reserve Virtual Machines on a one- or three-year term and provide up to 72% cost savings versus pay-as-you-go prices.

Azure RIs give you price predictability and help improve your budgeting and forecasting. Azure RIs also provide unprecedented flexibility should your business needs change. We’ve made it easy to exchange your RIs and make changes such as region or VM family, and unlike other cloud providers, you can cancel Azure RIs at any time and get a refund.

Azure Interactives

Stay current with a constantly growing scope of Azure services and features. Learn how to manage and protect your Azure resources efficiently and how to solve common design challenges.

Azure AD Pass-through Authentication

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience – one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.

Windows Server
Why use Storage Replica?
Storage Replica offers new disaster recovery and preparedness capabilities in Windows Server 2016 Datacenter Edition. For the first time, Windows Server offers the peace of mind of zero data loss, with the ability to synchronously protect data on different racks, floors, buildings, campuses, counties, and cities. After a disaster strikes, all data will exist elsewhere without any possibility of loss. The same applies before a disaster strikes; Storage Replica offers you the ability to switch workloads to safe locations prior to catastrophes when granted a few moments' warning – again, with no data loss.

Storage Replica may allow you to decommission existing file replication systems such as DFS Replication that were pressed into duty as low-end disaster recovery solutions. While DFS Replication works well over extremely low bandwidth networks, its latency is very high – often measured in hours or days. This is caused by its requirement for files to close and its artificial throttles meant to prevent network congestion. With those design characteristics, the newest and hottest files in a DFS Replication replica are the least likely to replicate. Storage Replica operates below the file level and has none of these restrictions.

Windows Client
Announcing Windows 10 Insider Preview Build 17035 for PC

Microsoft on November 8, 2017, released Windows 10 Insider Preview Build 17035 for PC to Windows Insiders in the Fast ring and for those who opted in to Skip Ahead. The new build features an ability to mute a tab that is playing media in Microsoft Edge, an ability to wirelessly share files and URLs to nearby PCs using the Near Share feature, improvements to Windows Update, and more.

Move away from passwords, deploy Windows Hello. Today!

Since Windows 10 originally released, we have continued to make significant investments in Windows Hello for Business, making it easier to deploy and easier to use, and we are seeing strong momentum with adoption and usage of Windows Hello. As we shared at the Ignite 2017 conference, Windows Hello is being used by over 37 million users, and more than 200 commercial customers have started deployments of Windows Hello for Business. As many would expect, Microsoft currently runs the world’s largest production, with over 100,000 users; however, we are just one of many running at scale, the second largest having just reached 25,000 users.

Security
Stopping ransomware where it counts: Protecting your data with Controlled folder access

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files.

Defending against ransomware using system design

Many of the risks associated with ransomware and worm malware can be alleviated through systems design. Referring to our now codified list of vulnerabilities, we know that our solution must:

  • Limit the number (and value) of potential targets that an infected machine can contact.
  • Limit exposure of reusable credentials that grant administrative authorization to potential victim machines.
  • Prevent infected identities from damaging or destroying data.
  • Limit unnecessary risk exposure to servers housing data.

Cybersecurity Reference Architecture & Strategies: How to Plan for and Implement a Cybersecurity Strategy

Planning and implementing a security strategy to protect a hybrid of on-premises and cloud assets against advanced cybersecurity threats is one of the greatest challenges facing information security organizations today.

Join Lex Thomas as he welcomes back Mark Simos to the show as they discuss how Microsoft has built a robust set of strategies and integrated capabilities to help you solve these challenges so that you can build a better understanding of how to build an identity security perimeter around your assets.

Securing Domain Controllers Against Attack
Domain controllers provide the physical storage for the AD DS database, in addition to providing the services and data that allow enterprises to effectively manage their servers, workstations, users, and applications. If privileged access to a domain controller is obtained by a malicious user, that user can modify, corrupt, or destroy the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory. Because domain controllers can read from and write to anything in the AD DS database, compromise of a domain controller means that your Active Directory forest can never be considered trustworthy again unless you are able to recover using a known good backup and to close the gaps that allowed the compromise in the process.
Cybersecurity Reference Strategies (Video)
Explore recommended strategies from Microsoft, built based on lessons learned from protecting our customers, our hyper-scale cloud services, and our own IT environment. Get the details on important trends, critical success criteria, best approaches, and technical capabilities to make these strategies real. Discover key learnings and guidance on strategies that cover visibility and control of cloud and mobile assets, moving to an identity security perimeter, balancing preventive measures and detection/response capabilities, focusing on the “cost of attack,” protecting information, and applying military lessons learned.
How Microsoft protects against identity compromise (Video)
Identity sits at the very center of the enterprise threat detection ecosystem. Proper identity and access management is critical to protecting an organization, especially in the midst of a digital transformation. This is part three of the six-part Securing our Enterprise series, where Chief Information Security Officer Bret Arsenault shares how he and his team are managing identity compromise.
Vulnerabilities and Updates
#AVGater vulnerability does not affect Windows Defender Antivirus

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file. Windows Defender Antivirus is not affected by this vulnerability.

Update 1711 for Configuration Manager Technical Preview Branch—Available Now!

Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

  • Improvements to the Run Task Sequence step
  • The option for user interaction when installing applications as system

SharePoint security fixes released with November 2017 PU and offered through Microsoft Update

The article identifies the KB articles of the security fixes released on November 14, 2017, for SharePoint 2010 Suite, SharePoint 2013 Suite, and SharePoint 2016 Suite.

November 2017 security update release

Microsoft on November 14, 2017, released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, Microsoft recommends that they turn on automatic updates as a best practice. More information about this month’s security updates can be found in the Security Update Guide.

Support Lifecycle
The Azure AD admin experience in the classic Azure portal will retire on November 30, 2017. All admin capabilities are available in the new Azure portal. The Azure Information Protection (or AIP, formerly Rights Management Service) admin experiences will also be retired in the Azure classic portal on November 30, but can be found in the new Azure portal.
As Windows Azure Active Directory Sync (DirSync) and Azure AD Sync have reached their end of support on April 13, 2017, it is time for customers to upgrade to Azure AD Connect, as DirSync will be deprecated at the end of December 2017. Azure AD Connect is the single solution replacing DirSync and Azure AD Sync and offers new functionality, feature enhancements, and support for new scenarios. Customers must upgrade to Azure AD Connect before January in order to continue to synchronize their on-premises identity data to Azure AD and Office 365. Beginning the 31st of December, Azure AD will no longer accept communications from Windows Azure Active Directory Sync (“DirSync”) and Microsoft Azure Active Directory Sync (“Azure AD Sync”).
Microsoft Premier Support News
Application whitelisting is a powerful defense against malware, including ransomware, and has been widely advocated by security experts. Users are often tricked into running malicious content, which allows adversaries to infiltrate their network. Application whitelisting defines what is trusted by the IT organization and only allows those trusted applications to run. The Onboarding Accelerator – Implementation of Application Whitelisting consists of 3 structured phases that will help customers identify locations which are susceptible to malware and implement AppLocker whitelisting policies customized to their environment, increasing their protection against such attacks.
A new SQL Server – Migration from Oracle Assessment is available to help customers assess what they need to migrate an Oracle database to SQL Server. Also new is WorkshopPLUS – SQL Server: AlwaysOn Availability Groups and Failover Cluster Instances – Setup and Configuration, which covers in-depth technical and architecture details of implementing the SQL Server AlwaysOn Availability Group (AG) feature in Azure and on-premises.