Exchange | Aidan Finn, IT Pro

Microsoft News – 24 February 2015

Here is the latest news in the world of Microsoft infrastructure:

Hyper-V

Hyper-V receives Red Hat certification: Add RHEL 7.0 to the list on WS2012 R2 Generation 1 and Generation 2 VMs, along with WS2012 and W2008 R2 SP1.

Windows Server

Storage Spaces Performance Tuning: A post I wrote on Petri.com

System Center

Windows Azure Pack vNext: A post by Azure MVP Marc van Eijk.
Support for SQL Server 2014 with System Center 2012 R2 Update Rollup 5: Here is the current and planned state of SQL 2014 support in System Center, assuming the latest UR is installed

Azure

Azure Site Recovery Now Supports SAN-to-SAN Replication: A post I wrote for Petri.com
Microsoft Azure Site Recovery Hyper-V Requirements: A post I wrote for Petri.com

Office 365

Microsoft Changing Its Retention Policy for Deleted Office 365 E-Mails: Deleted e-mails always will be recoverable.
Automated Hybrid Troubleshooting Experience: A new automated troubleshooting experience for hybrid Office 365 deployments.
Extended email retention for deleted items in Office 365: With this update, the length of time items remain in the Deleted Items folder is extended to indefinitely or according to the duration set by your administrator < Certain headlines don’t mention that bit!

Miscellaneous

Tales from Tech Support: A competition by Microsoft to find the funniest/worst in IT.

Technorati Tags: Microsoft,Hyper-V,Windows Server 2012 R2,Virtualisation,Windows Server 2012,Windows Server 2008 R2,Linux,Storage,System Center,WAP,SQL,Azure,Cloud,Hybrid Cloud,Cloud Computing,DR,Office 365,Exchange

Microsoft News – 5 December 2014

It’s December, and not much happens then in the world of Microsoft. However, we do have GA of Azure RemoteApp (RDS in the cloud) on the 11th!

Windows Server

Sizing Volumes for Data Deduplication in Windows Server: One of the most common questions the Data Deduplication team gets seems deceptively simple: "How big can I make my deduplicated volumes?"

Windows Client

Microsoft Details Schedule for Windows 10: News from Paul Thurrott.

Azure

RemoteApp GA coming soon & pricing is revealed: GA is on December 11th. Preview instances will automatically transition to a 30-day free trial. The limit of two app collections and 10 users per instance will continue to be enforced during the free trial period. You can exit the trial to paid service to exceed limitations. Pricing is a little complicated.
Anti-Malware Solutions for Microsoft Azure Virtual Machines: An article I wrote for Petri.com
RD Gateway High Availability with Azure Multi-Factor Authentication: Kristin L. Griffin has published a guide how to configure multiple Remote Desktop Gateway (RDG) and Azure Multi-Factor Authentication servers.

Intune

Conditional Access for On-Premises Exchange using Microsoft Intune: Admins now have the ability to set up conditional access for on-premises Microsoft Exchange Server.
Microsoft Intune Policies For Samsung Knox Enabled Devices: Manage security on Samsung mobile devices.

Technorati Tags: Microsoft,WIndows Server 2012 R2,WIndows Server 2015,Windows 10,Azure,RDS,Security,Intune,Exchange,Hardware

Microsoft News – 17 November 2014

I’ve had a crazy few weeks with TechEd Europe 2014, followed by the MVP Summit, followed by a week of events and catchup at work. Today, I’ve finally gotten to go through my news feeds. There is a LOT of Azure stuff from TEE14.

Hyper-V

What’s New in Windows Server vNext Hyper-V: A post by me on Petri.com
Cluster Shared Volume Failure Handling: How CSV handles storage failures and how it hides failures from applications.
Updating Integration Components over Windows Update: Microsoft announced that they would be releasing updated integration components over Windows Update from now on.
Windows 10 Technical Preview: Hot Add / Remove of Network Adapter: You can now add and remove network adapters from running Generation 2 virtual machines.

Windows Server

vNext Failover Clustering in Windows Server Technical Preview: A video with clustering master, Elden Christensen.
Storage Quality of Service Guide Released for Windows Server Technical Preview: A step-by-step guide.
RemoteFX vGPU Updates in Windows Server Next: Capabilities that improve the experience for end users in a Windows VDI environment for ‘Engineering/Designer’ application workloads that require OpenGL API support and all graphics applications (DX and OpenGL) that require higher video memory.

System Center

Update Rollup 4 for System Center 2012 R2: Wait 1 month. Trust me.
Update Rollup 8 for System Center 2012 Service Pack 1: See previous. Trust me.

Windows Client

Windows 10 – Making Deployment Easier: Using an in-place upgrade instead of the traditional wipe-and-load approach that organizations have historically used to deploy new Windows versions. This upgrade process is designed to preserve the apps, data, and configuration from the existing Windows installation, taking care to put things back the way they need to be after Windows 10 has been installed on the system. And support for traditional deployment tools.
Windows 10 – Manageability Choices: Ensuring that Windows works better when using Active Directory and Azure Active Directory together. When connecting the two, users can automatically be signed-in to cloud-based services like Office 365, Microsoft Intune, and the Windows Store, even when logging in to their machine using Active Directory accounts. For users, this will mean no longer needing to remember additional user IDs or passwords.

Azure

New Marketplace, Network Improvements, New Batch Service, Automation Service, more: TechEd announcement by Scott Guthrie
SAN Replication based Enterprise Grade Disaster Recovery with ASR and System Center: Enterprises that seek to leverage the snapshot and replication capabilities of their Storage Area Network (SAN) Arrays to enable high performance synchronous and asynchronous replication between their on-premises private clouds can now orchestrate end-to-end storage array-based replication and disaster recovery with ASR and System Center Virtual Machine Manager (SCVMM).

ASR SAN replication topology

Announcing the Azure Marketplace: Offers Microsoft Azure Certified and open-source community virtual machine images including SAP, Cloudera, DataStax, CommVault, Veeam, Trend Micro, and Core OS as well as virtual machine extensions including McAfee and Octopus Deploy.
Migrate your Websites to Azure in just a Few Clicks: A new tool from MSFT. See this Getting Started Guide & this video.
Windows Docker Client Demo Highlights Linux Containers on Azure: Docker, CoreOS, and Linux Documentation on Azure.
New Networking features and partnerships for Enterprise scenarios: A whole bunch of announcements: ExpressRoute enhancements include new strategic partnerships, a Meet-Me location in Australia, multi-site ExpressRoute for better disaster recovery, multiple subscriptions sharing the same ExpressRoute circuit, and support for 4,000 routes. We are improving overall security with Network Security Groups for easier subnet isolation in multi-tier topologies, Site to Site Forced Tunneling which sends network traffic back to on-premises for policy validation to meet compliance requirements, and VPN support for Perfect Forward Secrecy (PFS). A new high-performance gateway, multiple virtual NICs in a VM, access to VPN operations logs, nested Traffic Manager policies and Azure load balancer source IP affinity demonstrate our commitment to continually enhance Azure networking capabilities.
New – Azure Traffic Manager Nested Profiles: his feature enables you to create more flexible and powerful load-balancing and failover schemes to support the needs of larger, more complex deployments. Note you can also do hybrid site balancing now.
Azure Load Balancer new distribution mode: Adding a new distribution mode called Source IP Affinity (also known as session affinity or client IP affinity).
Azure Site Recovery – Announcing Windows Azure Pack integration and PowerShell Support: As part of update roll up of Windows Azure Pack UR 4.0, now cloud service providers will be able to offer Windows Azure Pack Plan or ADDONS with ASR capabilities. You now have the ASR PowerShell cmdlets for recovery solution between two on-premise hyper-V datacenters available as part of Azure PowerShell 0.8.10 release.
Using VNET integration and Hybrid connections with Azure Websites: This will outline the example of getting WordPress running on Azure Websites with a remote MySQL database and will be covered in two parts.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines: Real time protection from the latest threats, on-demand scheduled scanning, and collection of antimalware events to your storage account via Azure Diagnostics at no additional charge.
Introducing PowerShell support for Azure Site Recovery: PowerShell support for recovery between two Hyper-V sites managed by Azure Site Recovery.
Red Teaming – Using Cutting-Edge Threat Simulation to Harden the Microsoft Enterprise Cloud: How Microsoft performs penetration tests on Azure and Office 365.
Deploying Your Own Private Docker Registry on Azure: In order to ship your containerized applications to the cloud, you use Docker tools to construct a Docker container image. Although the Docker Hub is a paid service for storing private images, Docker respects developers’ needs and provides the open source “Docker Registry” software used to build the Docker Hub. It is designed to store and provide container images, but the best part about it is that you can host your own private registry with it.
Offering Managed DR for IaaS Workloads with ASR and Azure Pack: Service Providers can now offer Managed DR as a premium service to their customers on top of IaaS workloads.
Deploy to Azure Button for Azure Websites: Deploying to Azure Websites from a Git repository just got a little easier with the Deploy to Azure Button.
Azure Websites Authentication / Authorization: Azure Websites Authentication / Authorization allows you to quickly and easily restrict access to your websites running on Azure Websites by leveraging Azure Active Directory.
Encrypting Azure Virtual Machines with CloudLink SecureVM: CloudLink SecureVM Agent which enables for disk encryption for your Azure Virtual Machines.
AzCopy – Announcing General Availability of AzCopy 3.0 plus preview release of AzCopy 4.0 with Table and File support
Create a VM with multiple NICs in Azure: Done using updated version of Azure PowerShell.
Monitoring Azure Site Recovery: The monitoring capabilities of Azure Site Recovery.
Microsoft announces Exchange Support for Azure VM as a Witness Server: As of January 1, 2015, Microsoft will support using an Azure laaS file server VM as a witness server for an on-premises DAG .

Office 365

Enterprise Mobility TechEd Announcements: Lots of stuff.
Configuring AD FS Servers in an Internal Load-Balanced Set in Azure for Office365 Single Sign-On: Third post in a series on how to enable hybrid single using-in solution using a hybrid Azure deployment.
Office 365 Business Users Getting New ‘Clutter’ E-Mail Feature: Don’t know if I’d trust this.
Microsoft To Rename Lync as ‘Skype for Business’ Next Year:

Intune

New Microsoft Intune capabilities coming this week: The Intune team will be rolling out a service update between November 17, 2014 and November 19, 2014 that introduces new capabilities to Intune standalone (cloud only).

Operational Insights

Microsoft Releases Azure Operational Insights Preview: Starting with a limited free option. The preview is available in the Azure U.S. East region.

Licensing

Microsoft to make per-user Windows licensing available to enterprise customers: A popular move.

Technorati Tags: Microsoft,Hyper-V,Virtualisation,Windows 10,Windows Server 2012 R2,WIndows Server 2015,Failover Clustering,Storage,RDS,System Center,Azure,Hybrid Cloud,Cloud,Cloud Computing,Networking,DR,PowerShell,Scripting,Linux,Security,Exchange,Office 365,Intune,Licensing

Microsoft News Summary – 15 August 2014

Here’s the latest from the last 24 hours:

New – Configurable Idle Timeout for Azure Load Balancer: Microsoft announced that the Azure Load Balancer now supports configurable TCP Idle timeout for your Cloud Services and Virtual Machines. This feature can be configured using the Service Management API, PowerShell or the service model.
Integrate System Center Advisor into Operations Manager Dashboards: Drive System Center Advisor search using Operations Manager dashboards.
Introduction to Azure Backup: What we expect to be the hottest selling Azure feature for SMEs.
Old IPv4 Router Settings May Be Causing Internet Slowdowns This Week: The number of routes across the Internet is beginning to exceed the number that IPv4 routers were set to handle.
Understanding the files collected by the Test-StorageHealth.ps1 PowerShell script: Understand the results of health and capacity tests done to a Storage Cluster based on Windows Server 2012 R2 Scale-Out File Servers.
Bare Metal Post-Deployment – Running the Post-Deployment Automation and Bonus – Part 5: Final part in this VMM series.
Businesses Using Windows Server 2003 Could Face VISA & MASTERCARD Backlash: End of support in July 2015 = 2015 no more security patches = security vulnerabilities = no PCI compliance = bankruptcy.
Edge Show115 – Azure AD Connect Preview (configuring hybrid identity with Azure AD): This video takes an exclusive look at Azure AD Connect to implement hybrid identity. Jen Field (Senior Program Manager Azure AD Fabric) takes us through using the new deployment tool to deploy Active Directory Federation Services (AD FS), Directory Sync (DirSync / AAD Sync), Azure AD and the accompanying SSL certificates. These are components that you’ll commonly deploy for Office 365, Windows Intune and more.
Replacing TMG with IIS ARR for an Exchange Hybrid: Lots of people looking to replace the now-dead Microsoft Forefront Threat Management Gateway.

Technorati Tags: Azure,Cloud,Cloud Computing,Networking,System Center,Operations Manager,Backup,Hybrid Cloud,Storage,Storage Spaces,Windows Server 2012 R2,Deployment,VMM,Windows Server 2003,Active Directory,Security,Exchange,IIS

Some Windows Server 2012 R2 & Exchange 2013 Reading For You

Some of my friends have been very busy lately.

Mastering Microsoft Exchange Server 2013 was recently released. My photography buddy, former MVP, and Microsoft UK Exchange TSP, Nathan Winters had a hand in this book.

Available on:

If you want to learn about Windows Server 2012 R2 then Mastering Windows Server 2012 R2 is available on pre-order (print for now, Kindle will follow when it’s released). I have a number of friends involved in this one: headliner Mark Minasi, Irish MVP Kevin Greene, and ex-MVP and Microsoft Ireland PFE John McCabe.

Available on:

And before you ask, I will not be writing a WS2012 R2 Hyper-V book. It’s too much work and not enough reward for 9 month’s effort. I think you’ll find lots of regular authors are dropping out of traditional tech print. The WS2012 Hyper-V book covers most of what you need.

Technorati Tags: Books,Exchange,Windows Server 2012 R2

Server Posterpedia –Windows Server Poster App

A new app that features the feature poster apps for a number of server products, not just Hyper-V, has been released. You can download this app from the Microsoft Store for Windows 8.

Click on a poster, and it’s displayed for you:

You can zoom and scroll through the poster. Cleverly, the actions that you can run from the app will link you to additional information on TechNet. And there is even a link to download the original poster. What a handy way to start learning the features of server products. This is worth installing Windows 8 for!

Ben Armstrong posted about the app overnight, including a video of the app in action.

Technorati Tags: Windows Server 2012,Hyper-V,Virtualisation,Remote Desktop Services,VDI,Exchange,Active Directory,SharePoint,Azure

Early Impressions Of Office 2013 Beta

I installed Office 2013 on my Windows 8 Build slate PC on Monday night. Here are some early impressions:

It’s very different looking. The layout has been optimized to make it touch friendly, but still appears to be mouse friendly.
The new control that everyone is talking about reminds me of something in the Star Trek’s of the last 20 years.
I really like where Word has gone. Becoming a consumer of information is a great idea. It is now also a reader, can scale the doc to your tastes, and can remember where you left off. That makes it very Kindle-like. It can also open and edit PDF. Bye-bye Adobe Reader; you and your constant patching requirements (that are usually not done) won’t be missed.
As a person who writes the occasional white paper, I like how Word now allows flexible placement of images. Note that we never embed images when writing books; the editors do that in the later PDF stages.
I love the new presenter view in PowerPoint. I’ve been dreaming of presenting from my slate PC in the past. I hate being tied to behind a podium when presenting and I don’t like looking back to the screen to remind me of what I’m talking about on this slide. Plus being able to use “ink” to highlight things will be useful.
I haven’t looked into Lync or Outlook too much yet. I have them working with Office365 with no extra work other than signing in (as usual).

Don’t ask me about Lync, SharePoint, and Exchange servers. I haven’t a clue what’s new yet. To be honest, they are usually outside of my scope of work. There is a boat load of new documentation on download.microsoft.com for the “wave 15” betas of Office.

Technorati Tags: Office,Exchange,Lync,SharePoint

Exchange 2010 SP1 Virtualisation and Live Migration

A few weeks ago social media lit up with news of support for running Exchange 2010 DAG members on virtualised clusters, e.g. a vSphere farm or a Hyper-V failover cluster. That much is true. Some of the chatter implied that Live Migration was supported.

I’ve downloaded and started reading a Microsoft whitepaper called Best Practices for Virtualizing Exchange Server 2010 with Windows Server 2008 R2 Hyper V.

On page 15, under the heading of Live Migration you can see:

Exchange server virtual machines, including Exchange Mailbox virtual machines that are part of a Database Availability Group (DAG), can be combined with host-based failover clustering and migration technology as long as the virtual machines are configured such that they will not save and restore state on disk when moved or taken offline.

OK. That says to me that Live Migration = good and Quick Migration = bad. That’s fine with me.

Now move on to page 28 to the heading of Hyper-V Failover Clustering.

“All failover activity must result in a cold start when the virtual machine is activated on the target node. All planned migration must either result in shut down and a cold start or an online migration that utilizes a technology such as Hyper-V live migration”.

That confirms it. Quick Migration was a process where a VM’s state was written to disk, the VM resource was moved to a target node, and the state was read from disk to start the VM. The Exchange product group do not like that. One might be forgiven for thinking that Quick Migration was a thing of the past but there are scenarios where one can build a Hyper-V failover cluster using software based replication solutions over sub 1 Gbps WAN connections. They still use Quick Migration.

If you are in that scenario then you need to be aware that a DAG member will be evicted if it is offline for 5 seconds. See page 29 for some instructions and PowerShell cmdlets for that situation.

On the other hand, the above text confirms that Live Migration is fine for DAG members running Exchange 2010 SP1 (the text that follows in the document specifies that version). Interestingly, the Exchange and Hyper-V groups found that CSV was much better than passthrough disks (page 29) in a Hyper-V failover cluster. Page 29 gives a bunch of guidance on things like bandwidth, jump frames, and receive side buffer.

Technorati Tags: Exchange,Hyper-V,Virtualisation,Failover Clustering

How HM Treasury Was Allegedly Attacked & How to Defend Against It

I was listening to The Guardian’s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD/GCHQ is doing. In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:

Drive-by browsing: this is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user’s computer.
Malware attachments: Some piece of dodgy software is sent as a normal looking attachment in an email. This file has some sort of built in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).

I am not a security expert. In fact, most of the self-proclaimed security experts that you meet are not security experts. I have met real security experts. They speak a whole other language that we IT Pros don’t understand. I’ve also met “security experts” with their recently downloaded checklists who do more damage than good. The good news is that there is lots that you can do to protect yourself from attacks such as the above. The bad news is that there is no 100% perfect defence. For example, antivirus scanners detect already known threats. Someone has to get hit somewhere before a threat becomes known. Let’s stay positive and see what could be done to protect against the above two attacks.

Defending Against Drive-By Browsing

Drive-by browsing has been around for some time. I’ve attended presentations by Microsoft’s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster. They sold advertising space on their website. Other than the space, they had no control over content. That was done by the online advertiser. And they probably did more outsourcing or bidding. Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts. You’d just browse the site and *BANG* your PC downloaded a trojan downloader. In other words, it was 0wned.

The most basic defence against drive-by attacks is to keep your browser up to date with security fixes. Don’t be a fanboy sheep: all browsers are vulnerable. I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome/IE lasted a bit longer but eventually gave in at some hack-athon. Google and Microsoft are constantly releasing updates. Google do it via new versions of Chrome. Microsoft do it through security hotfixes.

If you run anything but the smallest business then you need to manage these updates. This is one of IE’s strengths because it can be updated immediately (or after internal testing) via Windows Updates, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010). There really is no excuse for a business not to be doing this, monitoring patch update levels, and remediating any deployment issues.

This adverts are effectively downloading a trojan installer. A proxy malware scanner can help defend against this. Forefront Threat Management Gateway (TMG) includes a Malware Inspection Filter, as do many other firewall and proxy products. I’ve always like the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.

Malware Attachment

The problem with email is that is pretty open, and trusting. If I know the name or IP address of your SMTP gateway then there’s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).

Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let’s get real – people have jobs to do and they cannot spend 3/4 of the day calling people to see if so’n’so really sent an email. Why would we have email at all in that case?

Sure we can do a bit of user education. I don’t need to open an attachment with a .EXE file extension. I don’t need to read an email from the wife of some deposed king. And I really don’t need pills for you-know-what Smile Common sense education helps. But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard. If we cannot fix that. then maybe we need to wrap our email system in defences to counter those weaknesses.

Lets start with the mail server. Stick some malware scanning on there, like Forefront for Exchange (or another solution). That will protect the server against external threats. I know you’ll interject here with another suggestion (and I’ll get there). Think about how IT is changing. Consumerisation of IT has caused users to bring all sorts of devices onto our networks. Lord knows what they connect to when they are not on our network. And those same devices will be used to connect to the company’s mail services. You need to protect the company’s email (and reputation) against those internal threats.

Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others. The company’s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company’s SMTP gateway. You’re in complete control – you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console (it also can manage Forefront for SharePoint). Now you can filter out the incoming rubbish before it gets to the company’s expensive Internet connection, and you have a layered defence.

Third Party Update Catalog

We aren’t finished yet. Antivirus scanners are not perfect, especially when it comes to custom written or brand new threats. The more serious attacks out there are not done by script kiddies in a basement; they’re done by organised crime, your competitors, and state agencies. They have the time and money to create new programs to leverage discovered vulnerabilities. For example, it’s one thing to scan for Conficker, it’s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.

So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows. Great! The attachment that was used in the allegedly attack on HM Treasury was allegedly based on an Adobe product. How often do you see Adobe products looking to update themselves to fix some security issue? It feels to me like it happens a few times a week. I bet most of you, and your users, disable these annoying updates – and that’s what the attacker is betting on! They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it’ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.

*PANIC* This is where you uninstall Adobe Reader, Flash, etc, and use third party alternatives – not so fast, my friend! (Why do I keep quoting Lee Corso?). Adobe products, like every other, has vulnerabilities. If you think those other readers don’t then you’re fooling yourself. If you’re a big enough target, then an attacker will figure out what third party reader you use via social engineering, and craft an attack for that. With Adobe, you at least have a way to force updates for your users.

No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves. Adobe has created software update catalogues that we can use in System Center Configuration Manager (MSFT’s main way to adopt/control consumerisation of IT) and System Center Essentials. This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated, and scheduled manner, with deployment deadlines. Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.

Summary

With all this you get layered defences. Is it 100% secure? No. Like I said, I’m honest enough to say that I’m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning). Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you’ll have a nice fortress. You can’t rely on people to protect the castle, and that’s why you need an automated portcullis approach like this. The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.

Note: I don’t know why some people always assume that virtual machines (on any hypervisor) assume that security should be any different for them. The virtualised workloads still need the same levels of protection that they physical alternative would.

Technorati Tags: Security,Forefront,Exchange,SharePoint,System Center,System Center Essentials,ConfigMgr

Microsoft Exchange Online Services Unbundled

This post is as much for me as anyone else – the array of products from Microsoft is mind boggling.

Once upon a time, Microsoft launched Exchange Hosted Services. Based on the name alone, it sounded like Microsoft were now hosting Exchange mailboxes, like some of their hosting customers had already been doing. But no, it was in fact a service that provided:

Online filtering of spam and malware
Archiving
Limited mailbox DR
Web portal
Mail encryption

Then along came BPOS (the product naming team strikes again) and that included mailbox hosting. At least that’s been renamed to Office 365 –> but I’m encountering a lot of people who thing that’s just an alternative to the Office you install on your PC!

You can subscribe to a bunch of online services for Exchange

Forefront Online Protection for Exchange: This is the online anti-malware (8 engines) and anti spam solution, clearing up the crud before it gets to your Internet link to reach your mail servers.
Exchange Online Archiving: what is says on the tin.
Exchange Hosted Encryption: automatically encrypting emails for you based on policies that you configure.

Exchange Hosted Services is still sold as a bundle including those 3 products.

Technorati Tags: Exchange,Cloud,Security