Tag Archives: Business Practices

What’s Your Password?

Earlier this month, we posted a couple of articles on the state of cyber security. Of course, one of the biggest problems with cyber security is that too many people don’t take it seriously enough. Don’t believe me? Take a look at this:

In the words of cartoonist Walt Kelly (on Earth Day in 1971): “We have met the enemy and he is us.”

Licensing Office in a Remote Desktop Environment – Updated

Update – January 19, 2015
After posting the last update a week ago, I spent more time rooting around the Microsoft Web site, and ended up in a relatively painful 45-minute chat session with a Microsoft “Licensing Specialist.” A large portion of that time was spent just trying to get said Licensing Specialist to understand the question I was asking. Ultimately, I had to give up on my attempt to get an answer as to why Microsoft still had a live link to a Volume License Brief that appeared to be out of date and that apparently contained information that was no longer valid…because the Licensing Specialist couldn’t get to the document in question. According to her, when she clicked on the link below, she received an error message stating that the document had been removed from the Microsoft Web site. As I write this update, the link to the 2009 Volume License Brief is still live, and I just verified that the document is still there. I will leave it to you to figure out why I can still get to it but she couldn’t. She offered to have a Microsoft manager call me the next day. It’s been a week now, and I have yet to receive that call. (It’s possible that the manager attempted to call me, but, if so, did not leave a voice mail message.)

In the absence of any other information at this point, my best advice is to assume that this Volume License Brief supersedes the information in the earlier one (even though the earlier one is still available on Microsoft’s Web site), and that, to be on the safe side, you should insure that, if you are accessing Office applications via RDS, the edition and version on your RDS server(s) match the licenses you have for your client devices.
…end January 19 update…

Update – January 12, 2015
A few days ago, Markus challenged my statement (see comment below) that it was permissible to access Office Standard via Remote Desktop Services if your client was licensed for Office Pro Plus, and that it was also permissible to access an older version (e.g., Office 2010 Pro Plus) via Remote Desktop Services if your client was licensed for a newer version (e.g., Office 2013 Pro Plus). I can state definitively that this was the case, as recently as November, 2009. This Microsoft Volume License Brief, originally published in 2007, and updated in November of 2009, contained the following graphic (click to enlarge):

OfficeAccessMatrix
This graphic clearly shows that it was permissible to access Office Standard from a client device licensed with Office Pro Plus, and that it was permissible to access an older version of Office from a client device licensed with a newer version. However, a later Volume License Brief suggests that this may have changed. I am attempting to get clarification from Microsoft, and will update this post again as I get more information.
…end Jan. 12 update…

Judging from the questions we continue to be asked, lots of people are confused about how to license the Microsoft Office Suite if you are accessing it via Microsoft’s Remote Desktop Services (a.k.a. Terminal Services) and/or Citrix XenApp. Hopefully, this will help clear up the confusion. We’ve also updated this post to include information about how to license the applications in a Cloud hosting environment.

First of all, it is important to keep in mind that desktop applications such as the Office Suite are licensed per device, not per user. According to the latest Microsoft “Product Use Rights” document dated April, 2014, a “Licensed Device” is “the single physical hardware system to which a license is assigned.”

That begs the question of what “assigned” means, and the answer – particularly for devices like thin clients, where you couldn’t install the application locally if you wanted to – is that you are on the honor system. You decide, in the privacy of your own conscience, which licenses you are assigning to which devices – with the caveat that, if you’re ever audited, you’d better be able to produce a license for every device people are using to run Office apps. You can reassign a license from one device to another, but not more often than every 90 days, unless it’s due to permanent hardware failure.

Once you’ve assigned each license you acquire to a device, you have the following rights (again quoting from the Product Use Rights document, with my commentary in italics):

  • You may install the software on the Licensed Device and a network Server.
  • Unless you license the software as an Enterprise Product or on a company-wide basis, you may also install the software on a single portable device. That would cover a user who, for example, had both a desktop PC and a notebook PC.
  • Each license permits only one user to access and use the software at a time. So, technically, it would be a license violation for someone else to run Office on your desktop PC while you’re in a hotel somewhere running it on your “portable device.”
  • Local use of the software running on the Licensed Device is permitted for any user. So it’s OK to let someone else use your desktop PC to run Office, as long as you’re not simultaneously running it on your “portable device.”
  • Local use of the software running on a portable device is permitted for the primary user of the Licensed Device. So, technically, it would be a license violation for you to let someone else run Office on your “portable device” under any circumstances.
  • Remote use of the software running on the Licensed Device is permitted for the primary user of that device from any device or for any other user from another Licensed Device. So if your Licensed Device is your desktop PC, it’s OK for you to use GoToMyPC or some similar remote access method to access and run that copy of Office, using whatever kind of client device you want – including, say, an iPad. However, any other user could not remotely access your desktop PC to run that copy of Office unless they were doing so from another Licensed Device.
  • And now the most important point relative to the subject at hand… Remote use of the software running on a network Server is permitted for any user from a Licensed Device. A Remote Desktop Server falls under the definition of a “network Server.” So any user who is accessing Office via Remote Desktop Services must be doing so from a Licensed Device.

In other words, if you can walk up to a device and use it to access a Remote Desktop Server and run Office, you must have an Office license for that device. It doesn’t matter whether that device is a PC or laptop that has the Office bits installed on its local hard drive, or whether it is a thin client device that only knows how to connect to a XenApp server, you need to have “assigned” a license to that device.

It’s also important to note that all of the above came from the Product Use Rights document for Microsoft Volume Licenses. You do not, never have had, and probably never will have the right to access Office on an RDS or XenApp server from a device that has an OEM Office license installed on it. If your PC or laptop came from the manufacturer with Office pre-installed on it, then you have an OEM license, and you do not have “network storage and use” rights. There is an excellent blog post over on the Microsoft SMB Community Blog that explains this in detail. Yes, it’s an old post (from July, 2005). No, the policy hasn’t changed.

Things get a bit more complicated when you move to the Cloud. For example, if you are a VQOffice® customer, and you want to run Office apps on our cloud servers, we can, of course, bundle the Office licenses into your monthly fee under our Microsoft SPLA (“Service Provider License Agreement”). But what if you already own volume licenses for Office? According to the Product Use Rights document, we can use your licenses “provided all such Servers and other devices are and remain fully dedicated to your use.” Given the highly virtualized environments of nearly all Cloud hosting providers (including us), that’s going to drive the cost of the solution up significantly unless you have enough users to justify dedicating hardware in our data center just for your use. For most small businesses, it will be less expensive to pay us for the use of our SPLA licenses than to pay us for dedicated hardware so you can use your own licenses.

What about Office 365? Office 365 is governed by a completely different use rights document – the Online Services Use Rights document. If you read through that document, you will find that, under the E3 plan for example, each user has the rights to activate the Office software on up to five devices, which is a pretty good deal. You will also find the following statement: “Each user may also use one of the five activations on a network server with the Remote Desktop Services (RDS) role enabled…” At first blush, you might think that means you could use your Office 365 E3 licenses to cover running Office apps in our Cloud hosting environment – and you would be right, provided that you’re running on dedicated hardware. So, basically, the same rules apply to Office 365 licenses as apply to volume licenses. We’d be delighted if the rest of the world added their voices to ours to try to get that policy changed.

Disclaimer: I do not work for Microsoft, nor do I define their license terms, which are subject to change, particularly when new product versions are released. I have, however, worked with them for a very long time, and had lots of discussions about what is, or is not, legal under the terms of various license models. The foregoing is my own interpretation of information that is publicly available on the Microsoft Web site – and I have helpfully provided you with links to that information. I highly recommend that, if you have any questions, you download the relevant Product Use Rights document and read it for yourself.

The State of Cyber Security

As we move into 2015, it’s appropriate to look back and think about what we’ve learned about the threat landscape. To that end, CheckPoint’s 2014 Security Report makes for some pretty interesting reading.

According to their research, in a typical large enterprise:

  • Every 1 minute a host accesses a malicious Web site
  • Every 3 minutes a bot is communicating with its command and control center
  • Every 9 minutes a high risk application is being used
  • Every 10 minutes a known malware is being downloaded
  • Every 27 minutes an unknown malware is being downloaded
  • Every 49 minutes sensitive data is sent outside the organization
  • Every 24 hours a host is infected with a bot.

If you’re an SMB rather than a large enterprise, it doesn’t mean you’re off the hook, it just means that you may have a bit more time before the law of averages catches up with you.

Why does this happen? It’s not because your users are stupid, and (in most cases) it isn’t because they’re malicious. It’s because they’re not IT security professionals, and they’re busy trying to do whatever it is that you hired them to do. When a windows pops up with an “OK” button in it, many of them will reflexively click “OK” without realizing exactly what they just agreed to. (And it may have been permission to install malware on their system.) Busy people also often think nothing of opening a file attachment that arrives by email, not realizing that more than two-thirds of malware-infected files are either PDFs, archive files (e.g., ZIP, tar, RAR, CAB, etc.), or MS Office files (typically Word and Excel, sometimes PowerPoint as well). People who are enticed to visit a compromised Web site, and who are then prompted to install an updated video driver in order to view the Web site content, will often approve it without thinking that what they’re installing might not be a video driver at all.

It also happens because, in the continuing arms race between malware writers and security software vendors, the malware writers are getting better at evolving their malware to avoid detection by existing products – typically giving them a 2 to 3 day window of opportunity to exploit systems before the malware is detected, security definitions are updated, and security software is able to detect and block it. And with today’s do-it-yourself malware toolkits, you don’t have to be a sophisticated code jockey to generate a new malware variant. Modern security software typically includes algorithms that look for suspicious behavior in order to try to block unknown malware, but according to CheckPoint, less than 10% of antivirus engines were capable of detecting new malware variants when they were first caught in the wild.

So, in the words of the 1965 “Total” cereal commercial, “What’s a mother to do?”

First of all, you should have a written security policy, and make sure that all of your employees have a copy of it, and sign off on a statement that they have read it and understand it. That way you know that (at least once) they’ve had to give some thought to security and what they are expected to do (and not do). Also, if you ever have to take disciplinary action against an employee, you’ve protected yourself against the “Wait, I didn’t know I wasn’t supposed to…” argument. If you need assistance in crafting a security policy, contact us. It isn’t that difficult, and there are readily-available templates that can be easily modified to adapt to most organizations’ needs.

Second, use a defense-in-depth strategy. A small or mid-sized organization may not be able to afford the sophisticated network intrusion detection/prevention systems that large enterprises deploy, but a good firewall appliance (like the latest WatchGuard models) can provide a layer of virus filtering, outbound URL filtering, and intrusion prevention right at the network boundary. A third-party email filtering service such as the Mimecast service that we offer with all of our hosted Exchange plans can provide yet another layer of malware filtering using multiple anti-virus engines, as well as outbound content filtering to help prevent “data leakage” from your organization. And, of course, it is still important to have anti-virus software on your servers and workstations.

Third, insure that you have a vulnerability management and patching process in place for applications (e.g., Office apps, Java, Adobe Flash, Acrobat, etc.) as well as server and workstation Operating Systems. If your business is very small, and you can’t afford to hire someone like us to manage this for you, make sure that systems and applications are set to update automatically. Yes, occasionally Microsoft has released a patch that has broken something. But your chances of getting bitten by something like that are smaller than your chances of falling victim to an exploit if your systems are several months out of date because you didn’t have time to test and apply all the patches as they were released.

Fourth, consider blocking high-risk applications. For example, WatchGuard’s Application Control functionality can give you granular control over social media applications, instant messaging applications, and file sharing applications (e.g., DropBox, P2P apps like BitTorrent, etc.). You can selectively allow, block, or restrict access based on a user’s department, job function, and time of day – and generate usage reports so you know what applications are being run on your network, and by whom.

Fifth, ask yourself whether your users really need local admin rights to their workstations. Remember that if users have the rights to install software on their own PCs, and they inadvertently approve the installation of something that turns out to be malware, the malware is going to be installed. There are some utilities out there that can help, like CryptoPrevent from the folks at Foolish IT, which, among other things, can prevent disguised executables (e.g., mymalware.pdf.exe) from running, and prevent executables from running if they’re in folders that you wouldn’t normally expect executables to be in, but once you’ve given users local admin rights, it’s no longer possible to guarantee that they won’t shoot themselves in the foot.

Finally, talk to your employees regularly about security, so they understand the risks posed by certain applications – and understand why certain things are blocked or prohibited. Remind them about the things to look for that might tip them off that an email message may not be legitimate. Remind them not to open file attachments that they were not expecting to receive. A lot of security breaches are caused by simple human error – and people need to be reminded more than once, simply because they get busy and forget.

Here’s to a safe and prosperous 2015!

eDiscovery Part 4 – the eDiscovery Process

This is the fourth and final installment in our series of blog posts on eDiscovery, containing video excerpts from the presentation we made on September 26 at the O365 Nation Fall Conference in Redmond. This installment is a bit longer (14 minutes), but it deals with the question of how you search for and retrieve the content we’ve discussed in previous posts. To review:

  • Part 1 discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.
  • Part 2 discussed PST files – why you may not want people using them, how to prevent their use, and why the archiving function that is built into Exchange 2010 and 2013 is a better option.
  • Part 3 discussed discovery hold – the different kinds of discovery hold available in Exchange 2013, how they work, and how they differ from what was available in Exchange 2010.

In this installment, we address the discovery process itself, and specifically how to configure and use the eDiscovery Center that’s available in SharePoint 2013:



Finally, as you moved through the video series, you saw a number of URLs in the PowerPoint presentation that led to various Web resources that would provide more information on the topics discussed, and you may have wished that you could see them more clearly so you could write them down. Not to worry – here they are for your convenience:

Where Did My Document Go?

It is axiomatic that many of us (perhaps most of us) don’t worry about backing up our PCs until we have a hard drive crash and lose valuable information. This is typically more of a problem with personal PCs than it is with business systems, because businesses usually go to great lengths to make sure that critical data is being backed up. (You are doing that, right? RIGHT? Of course you are. And, of course, you also have a plan for getting a copy of your most critical business data out of your office to a secure off-site location for disaster recovery purposes. Enough said about that.)

So, with business systems, the biggest challenge is making sure that users are saving files to the right place, so the backup routines can back up the file. If users are saving things to their “My Documents” folder, and you’re not redirecting “My Documents” to a network folder on a server, you’ve got a big potential problem brewing. Ditto if people are saving things to their Windows Desktop, which is possibly the worst place to save things that you care about keeping.

But there’s an even more fundamental thing to remember, and to communicate to our users: The best, most comprehensive backup strategy in the world won’t save you if you forget to save your work in the first place! Even in our Hosted Private Cloud environment, where we go to great lengths to back up your data and replicate it between geo-redundant data centers, there’s not much we can do if you don’t save it.

Just as many of us have learned a painful lesson about backing up our data by having lost it, many of us have also had that sinking feeling of accidentally closing a document without saving it, or having the PC shut down due to a power interruption, and realizing that we just lost hours of work.

Microsoft has built an Autorecovery option into the Office apps in an attempt to save us from ourselves. Within, say, Word, go to “File / Options / Save,” and you should see this:

Word Autorecover Settings

That’s where you set how often your working document will be automatically saved, as well as the location. But be aware that Autorecovery works really well…until it doesn’t. A Google search on the string “Word autorecovery didn’t save” returned roughly 21,000 results. That doesn’t mean you shouldn’t leverage Autorecovery – you certainly should. But take a look at the Word “Help” entry on Autorecovery:

Word Autorecover Help

Notice the text that I’ve circled in red? It says “IMPORTANT The Save button is still your best friend. To be sure you don’t lose your latest work, click Save (or press Ctrl+S) often.” Bottom line: Autorecovery may save your backside at some point…or it may not. And corporate backup routines certainly won’t rescue you if you don’t save your work. So save early and often.

And if you’re a mobile user who frequently works while disconnected from the corporate network, it’s a good idea to save your files in multiple locations. Both Microsoft (OneDrive) and Google (Google Drive) will give you 15 Gb of free on-line storage. And if it’s too much trouble to remember to manually save (or copy) your files to more than one location, there are a variety of ways – including VirtualQube’s “follow-me data” service – to set up a folder on your PC or laptop that automatically synchronizes with a folder in the cloud whenever you’re connected to the Internet. You just have to remember to save things to that folder.

You just have to remember to save things, period. Did we mention saving your work early and often? Yeah. Save early and often. It’s the best habit you can develop to protect yourself against data loss.