IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Hi there! Stanislav Belov here, and you are reading the next issue of the Infrastructure + Security: Noteworthy News series!
As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.
|Azure Cost Management now generally available
As enterprises accelerate cloud adoption, it is becoming increasingly important to manage cloud costs across the organization. Last September, we announced the public preview of a comprehensive native cost management solution for enterprise customers. We are now excited to announce the general availability (GA) of Azure Cost Management experience that helps organizations visualize, manage, and optimize costs across Azure.
|Welcome to the new DevOps blog!
The new DevOps blog is live! The blog has a new and improved look and functionality – easily share posts, follow authors and a fresh new look! Check it out and let us know what you think!
|What’s new in Windows Server 2019
Windows Server 2019 is built on the strong foundation of Windows Server 2016 and brings numerous innovations on four key themes: Hybrid Cloud, Security, Application Platform, and Hyper-Converged Infrastructure (HCI).
|Windows 10 19H1: 7 new changes and features coming in Microsoft’s next big update
Microsoft’s next big Windows 10 feature update is currently in development, and we have a pretty good idea as to what new features and changes we can expect to see when it starts shipping in the spring. Codenamed 19H1, this next Windows 10 feature update improves upon already existing features, and adds a couple of new features and options for power users.
|RSAT on Windows 10 1809 in Disconnected Environments
Starting with Windows 10 v1809 the Remote Server Administration Tools (RSAT) is now a Feature on Demand (FoD). Features can be installed at any time and the requested packages are obtained through Windows Update.
|Top scoring in industry tests
Windows Defender Advanced Threat Protection (Windows Defender ATP) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores.
|Step 5. Set up mobile device management: top 10 actions to secure your environment
The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 5. Set up mobile device management,” you’ll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.
|Step 4. Set conditional access policies: top 10 actions to secure your environment
The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 4. Set conditional access policies,” you’ll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.
|The evolution of Microsoft Threat Protection, February update
This month, we share enhancements to identity protection, the launch of the Microsoft 365 security center, and another example of Microsoft Threat Protection mitigating a real-world attack.
|Solving the TLS 1.0 problem
We have been recommending the use of TLS 1.2 and above for some time. To help provide guidance, we are pleased to announce the release of the Solving the TLS 1.0 Problem, 2nd Edition white paper. The goal of this document is to provide the latest recommendations that can help remove technical blockers to disabling TLS 1.0 while at the same time increasing visibility into the impact of this change to your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0.
|Data Loss Prevention – Human error, insider threats and the in-between
Companies dedicate large amounts of resources and money towards establishing an air tight DLP policy to detect and protect company data and prevent it from getting into the wrong hands, whether deliberately or by mistake. But no matter how good the technology, or how vigilant the security team, there is always a wildcard – end users.
|Microsoft Intune introduces MDM Security Baselines to secure the modern workplace
Today, enterprise IT pros and policy makers must frequently update Windows security settings to help mitigate evolving cyber-security threats. The one-size-fits-all security approach often does not work anymore because what is most concerning to one organization may be completely different from the threats faced by another organization. Administrators are faced with deploying the right security configuration from hundreds of available granular device management controls, without impacting operations or productivity. Microsoft Intune helps administrators navigate and select the right Windows 10 security features for their business by offering security baselines within the service.
|Microsoft’s Cyber Defense Operations Center shares best practices
Today, a single breach, physical or virtual, can cause millions of dollars of damage to an organization and potentially billions in financial losses to the global economy. Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. As we look at the current state of cybersecurity challenges today, we see the same types of attacks, but the sophistication and scope of each attack continues to grow and evolve. Add to these the threats of nation-state actors seeking to disrupt operations, conduct intelligence gathering, or generally undermine trust. You can download the Cyber Defense Operations Center strategy brief to gain more insight into how we work to protect, detect, and respond to cybersecurity threats.
|Securing Applications with Least Privileged Service Accounts
When security is paramount (which is always) and we are deploying enterprise applications to Windows systems, we must ensure that the level of access provided to any given application is just what it requires to function. For example, if installing an application like SQL, you may hear that the service account “requires” local or even domain administrator rights to operate. While this is the EASY way and will ensure functionality, it is NOT true and can be done in a much more secure manner with a little effort… and maybe a little magic!
|Announcing the new Security Engineering website
We are sharing the results of our experiences through our new Security Engineering website, which includes updated Microsoft Security Development Lifecycle (SDL) practices that focus on development teams and what we believe to be the basic minimum steps for addressing security concerns when using open source. Additionally, we’ve included more specific Operational Security Assurance (OSA) practices, aligned with the operational lifecycle of cloud services, and we touch on how these can be brought together to deliver Secure DevOps.
|Vulnerabilities and Updates|
|ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
|Hotfix Available – Microsoft Intune connector certificate does not renew in Configuration Manager
After you update to Microsoft System Center Configuration Manager current branch, version 1806 or 1810, the Microsoft Intune connector certificate renewal process fails. This problem affects customers who have a hybrid mobile device management environment through Microsoft Intune. The problem occurs when the Service Connection Point is installed on a computer that is running Windows Server 2012 or Windows Server 2012 R2.
|Windows 10, version 1607 end of servicing on April 9, 2019
Windows 10, version 1607 for Education, Enterprise, and IoT Enterprise will reach the end of servicing on April 9, 2019. This means that version 1607, for these editions, will no longer receive security updates. Customers who contact Microsoft Support after the March update will be directed to the latest version of Windows 10 to remain supported.
|Windows 7 support will end on January 14, 2020
Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and automatic updates that help protect your PC will no longer be made available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available.
|Extended Security Updates for SQL Server and Windows Server 2008/2008 R2: Frequently Asked Questions (PDF)
On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don’t let your infrastructure and applications go unprotected. We’re here to help you migrate to current versions for greater security, performance and innovation.
|Products reaching End of Support for 2019|
|Microsoft Premier Support News|
|The Activate Azure Stack with IaaS offering introduces you to the basics of common Microsoft Azure Stack workloads, provides guidance, and education for your IT engineers and support during initial workload deployment. This 3-day engagement begins with an education session to enhance your team’s technical and operational skills while driving operational readiness. The offering also includes an on-boarding session developed with a Microsoft engineer who works with you to create a working Proof of Concept (PoC) in your environment.|
|Release Announcement: On-boarding Accelerator – Always On VPN for Windows 10. With the On-boarding Accelerator (OA) for Always On VPN, you can plan and deploy Microsoft’s Always On VPN solution to provide mobile workers with secure access to your corporate network from domain-joined, nondomain-joined, or personally owned devices, based on robust authentication and strong encryption mechanisms. The on-boarding accelerator consists of a modular delivery structure that will speed up the deployment process and remove roadblocks.|
|Check out Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.|