Tag Archives: Microsoft

eDiscovery Part 2 - PST Files vs. Exchange Archiving

This is the second in a series of blog posts on eDiscovery, which will include video excerpts from the presentation we made at the O365 Nation Fall Conference held in Redmond last month. In Part 1 of this series, we discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.

In this segment, we discuss PST files: why you may not want people using them, how to prevent their use, and the archiving functionality built into Exchange 2010 and 2013, and why it is the better option.

eDiscovery Part 1 - Lifecycle of an Email Message

Last Friday, September 26, VirtualQube was invited to present at the O365 Nation fall conference in Redmond on the subject of eDiscovery and Organizational Search in Microsoft Office. O365 Nation is a new organization created by our long-time friend Harry Brelsford, the founder of SMB Nation, and, as you might expect, most of the content at the conference was related to Office 365. However, since the eDiscovery and Search tools in question are built into Exchange, SharePoint, and Lync, the subject matter of our presentation is equally applicable to on-premises deployments of these products.

This is the first of a series of blog posts on this topic, which will include video excerpts from the presentation.

It is important to note that the Microsoft tools discussed here only cover a portion of the Electronically Stored Information (“ESI”) that an organization may be required to produce as part of a discovery action. ESI can include Web content, social media content, videos, voice mails, etc., in addition to the information contained in email and Lync messages and SharePoint content. The primary purpose of these tools is to enable you to preserve email, Lync, and SharePoint content in its original form, perform integrated searches across all three platforms (plus file shares that are being indexed by SharePoint), and export the results in an industry-standard format that can be ingested into third-party eDiscovery tools for further processing.

Since, by sheer volume, email is likely to be the largest component an organization will have to deal with, this series will begin with a discussion of the lifecycle of an email message in Microsoft Exchange: specifically, what happens to an email message when the user’s “Deleted Items” folder is emptied, and how we can ensure that if a user attempts to modify an existing message, a copy of that message in its original form is preserved.

Countdown to July 14, 2015

In case you haven’t heard, Microsoft will end support for Windows Server 2003 on July 14, 2015. A quick glance at the calendar will confirm that this is now less than a year away. So this is your friendly reminder that if you are still running 2003 servers in production, and you haven’t yet begun planning how you’re going to replace them, you darn well better start soon. Here are a few questions to get you started:

  • Are those 2003 servers already virtualized, or do you still have physical servers that will need to be retired/replaced?
  • If you have physical 2003 servers, do you have a virtualized infrastructure that you can use for their replacements? (If not, this is a great opportunity to virtualize. If so, do you have enough available capacity on your virtualization hosts? How about storage capacity on your SAN?)
  • Can the application workloads on those 2003 servers be moved to 2008 or 2012 servers? If not, what are your options for upgrading those applications to something that will run on a later server version?
  • What impact will all this have on your 2015 budget? Have you already budgeted for this? If not, do you still have time to get this into your next budget?
  • Would it make more sense from a budget perspective to move those application workloads to the cloud instead of purchasing server upgrades? (Maybe a monthly operating expense will be easier to deal with than the capital expenditure of purchasing the upgrades.)

According to Microsoft, there are more than 9 million 2003 servers still in production worldwide…and the clock is ticking. How many of the 9 million are yours?

The Elusive Windows “Companion Subscription License” - a Solution In Search of a Problem

In our post entitled “What Licenses Do I Need,” we discussed the licensing required, from both Citrix and Microsoft, for a XenApp or XenDesktop deployment. But there was still an unknown factor: When that post was published, Microsoft had recently announced something that, at the time, was being referred to as a “Companion Device License” – but no information was available yet on what it would cost or how it would be licensed.

The fog has finally cleared, and, unfortunately, it’s not particularly good news if you are a Small or Medium Enterprise.

The question at hand is what Microsoft licenses are required to legally operate a Virtual Desktop Infrastructure that serves up virtual instances of Windows 7 or Windows 8.x to your users. And the answer is that it depends on what the client device is that will be used to access the virtual desktop. If the client device is a Windows PC covered by Software Assurance, no problem – the right to access a virtual desktop instance is one of the benefits of Software Assurance. But if the client device is a Windows PC that is not covered by Software Assurance, or if it is not a Windows PC at all (e.g., Mac, Linux, thin client, etc.) then you must purchase a Virtual Desktop Access (“VDA”) license for that client device. That VDA license is available through Open Value Subscription licensing for roughly $100/year each.

So far, so good. But things start to get more complicated if you want to access that virtual desktop from a personally-owned client device.

According to the Microsoft Product Use Rights document (on pages 74 & 75 of the April, 2014, edition, in case you want to read along), the primary user of a Windows PC covered by Software Assurance, or of another client device to which a VDA license has been assigned, has “roaming use rights” that allow a virtual desktop to be accessed from a “Qualifying Third Party Device” such as a personal PC, MacBook, iPad, etc., “from anywhere off your or your affiliates’ premises.” And therein lies the problem: The user is not entitled to bring a personal device into the office and use it there to access a virtual desktop.

So, if your objective is to enable BYOD and let your people bring in whatever kind of device they want to use, and then use that device to access your virtual desktop infrastructure, what do you have to do? This question is what Microsoft attempted to address with what is now called a “Windows Companion Subscription License.” But it doesn’t address it very well. First of all, the Companion SL must be associated with another client device that is…yep, either a Windows PC with Software Assurance or some other client device that you’ve assigned a VDA license to. For every one of those you have, you can purchase a Companion SL, which will entitle the primary user of that device to access a virtual desktop from up to four Companion Devices in any given 90 day period. Therefore, the Companion SL doesn’t truly enable BYOD in the sense of eliminating the need to purchase company-owned client devices that are covered by either Software Assurance or a VDA license – because you have to have one of those before you can even purchase a Companion SL.

To make matters worse, unless your organization is large enough to have a Microsoft Enterprise, Select, or Select Plus agreement, you’re out of luck, because the Companion SL is not available through any Open License program. So, if you’re an SMB, your only option for legally licensing employee-owned devices for use on your premises to access your virtual desktop infrastructure is to purchase VDA licenses for those employee-owned devices.

If you do have an Enterprise or Select agreement, you can expect to pay an estimated $48 - $84 per year for a Companion SL, depending on your agreement, the size of your organization, and the concessions you’ve been able to wrangle out of your Microsoft account rep. So that may offer some cost savings for large enterprises that want to institute a BYOD policy – although it’s not clear to me how great the savings would be considering that you have to have a client device with either Software Assurance or a VDA license before you can even purchase the Companion SL.

For most organizations, in our opinion, the Companion SL is a solution in search of a problem.

A Brief Respite from CryptoLocker

A couple of days ago (June 2), the UK’s National Crime Agency announced that law enforcement agencies have effectively disabled key nodes of the GOZeuS network, which provided a key delivery mechanism for CryptoLocker’s ransom malware. They’ve also identified a person believed to be the leader of the criminal enterprise behind GOZeuS, and international officials say that other arrests are “in progress.”

While this is good news, it’s unlikely to be a permanent solution to the ransomware problem, given the distributed nature of Internet-based malware. It does, however, give us some breathing room – perhaps as much as a couple of weeks - to think about how to protect against it.

In case you’re not familiar with what CryptoLocker is, it is a particularly nasty form of malware that first appeared in the fall of 2013, and is typically spread by tricking a user into clicking on a disguised executable. Disguised executables are, in part, enabled by the unfortunate design choice Microsoft made in Windows XP that continued through Windows 7, which was to “Hide extensions for known file types” by default. (Personally, this always annoyed me, and one of the first things I always did when setting up a new PC was to deselect that option. It does appear that it is no longer selected by default in Windows 8 and 8.1.)

This meant that, for example, a Word document that was called “My Important Customer Proposal.docx” would display in Windows Explorer (and elsewhere within the OS) as, simply, “My Important Customer Proposal.” That also meant that if someone sent you an email with a file attachment called MalwareDesignedToStealYourMoney.pdf.exe, it would display in Windows as, simply, MalwareDesignedToStealYourMoney.pdf. An unsophisticated or careless user – or someone who perhaps was just exhausted from a long day and not thinking clearly – might look at the file name and think it was an ordinary Adobe PDF file, and double-click on it to open it up…not realizing that the “.exe” that was hidden from them meant that it was really an executable that was designed to install malware on their system.

“But why,” you might ask, “wouldn’t my anti-virus software protect me against this?” The answer is that some anti-virus products might, depending on how their options are set. Unless your AV product is set to scan files whenever they are accessed (on-access or “real-time” scanning, which is often left disabled even on products that support it because it can slow the system down), you won’t know that you’re running something bad until it’s too late. And many, if not most, users have local administrator rights to their PCs. (Yes, arguably they shouldn’t, but every IT admin that’s ever tried to take those rights away has had to deal with the howls of protest when users – often top executives – suddenly can’t install iTunes or some other equally essential utility on their PCs.) Local administrators, by definition, have the authority to install software: you launched the installation program, you’re a local administrator, so it gets installed. Keep in mind, though, that removing admin rights is not a complete defense on its own. CryptoLocker’s dropper copies itself into the user’s own profile (the %AppData% folder, for instance) and then encrypts whatever files that user account can write to, and none of that requires administrative privileges. That is why the folder-based execution rules discussed in the prevention list below matter even for standard users.


Once installed, CryptoLocker checks in with a server on the Internet, which generates a public/private key pair for that PC and sends back only the public key. CryptoLocker then happily goes to work encrypting all the documents, spreadsheets, pictures, etc., on your system so that only the matching private key can recover them; because that private key never leaves the criminals’ server, there is nothing on the PC itself that can undo the encryption. The latest variants will even encrypt files on network drives if they’re mapped using a drive letter. (So far, it doesn’t appear that CryptoLocker knows how to navigate across UNC paths.) There is even some evidence that the latest variants may wait up to two weeks before locking you out of your files, in the hope that you will move through a full cycle of backups during that time, so that all your backups will also contain the encrypted files and therefore be useless to you. Once it’s done its dirty work, you will suddenly be unable to access any of your files, and will be presented with a screen that tells you that you have, typically, 72 hours to submit payment – typically via untraceable money cards or Bitcoin – in order to obtain the private key that will decrypt your files. Otherwise, the private key will be destroyed, and your files will be forever out of your reach.

If the thought of having to cough up the equivalent of $300 US or lose all your data leaves you with cold chills (as it does me), what can/should you do?

  • First and foremost, educate your users. One of the most basic rules of computer safety is that you simply don’t open email attachments from people you don’t know – and, for that matter, don’t open them from people you do know unless you were expecting them and know what they are. Remember that it’s not that tough to impersonate someone’s email address. At the moment, most CryptoLocker payloads are disguised as invoices from financial institutions, messages from shipping companies, notices from law enforcement agencies, etc., often with scary messages about account closures, final notices, and amounts due. Also beware of zip file attachments. Make sure your users are aware of these common tricks, so they don’t reflexively click to see what a file attachment is.
  • If you’re still running Windows 7 or earlier, deselect the “Hide extensions for known file types” option. This will at least make it slightly more likely that someone will notice that there’s something not quite right about the file they’re about to click on.
  • Keep your anti-virus products up to date.
  • Restrict permissions on shared folders. CryptoLocker runs with the rights of the infected user, so it can only encrypt files that user can write to: grant write access only where it is actually needed, and remember that a drive letter mapped to a share the user can write to is a drive letter CryptoLocker can encrypt.
  • Consider removing local admin rights from users.
  • Consider using a prevention tool like “CryptoPrevent” from the folks at Foolish IT, LLC. This is a tool that is free for both private and commercial use – although there is a paid version that will automatically update itself and offers additional features like email alerts when applications are blocked. When installed, it will, silently and automatically, lock down a Windows system by, among other things, preventing executables with double extensions (like “something.pdf.exe”) from running, and preventing executables from running if they’re located in folders where you wouldn’t expect legitimate programs to be located. It implements over 200 rules that will help protect you from other forms of malware as well as CryptoLocker.

    It should be noted that, if you’re running a Professional version of Windows that is joined to a Windows domain, all of these rules can be set via Group Policy (as Software Restriction Policy path rules), and there are even pre-packaged prevention kits, such as CryptolockerPreventionKit.zip, available at www.thirdtier.net/downloads, that will make it easier to set those group policies. But if you’re not comfortable with the whole concept of group policies, or you’re not in a Windows domain, or you’re running a home version of Windows, CryptoPrevent is a fast and easy way to deal with the issue.
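As an added example (it is not code from the original post, nor from CryptoPrevent or the Third Tier kit), the following PowerShell script audits a workstation for the conditions described above: the HideFileExt setting behind the “.pdf.exe” trick, executables with a decoy inner extension or sitting in user-writable data folders such as %AppData% and %Temp%, and the mapped drive letters that current variants will encrypt. It assumes PowerShell 3.0 or later, run as the logged-on user; the -FixHideExt and -ScanRoots parameters and the folder list are this example’s own choices, while the registry value and WMI class are the standard Windows ones. It changes nothing unless -FixHideExt is given.

```powershell
# Added example, not code from the original post: audit a Windows workstation for the
# conditions the post describes. Read-only unless -FixHideExt is given.
# Assumes PowerShell 3.0+ on Windows 7 or later, run as the logged-on user.
param(
    [switch]$FixHideExt,
    # Illustrative data folders where a downloaded or emailed payload usually lands.
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA)
)

# Extensions Windows will run on double-click. The list is an assumption for this
# example; extend it to match your environment.
$execExt = @('.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.cpl')

# 1. "Hide extensions for known file types" is the HideFileExt value in HKCU (1 = hidden).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    Write-Warning "HideFileExt=1: a file named 'invoice.pdf.exe' is displayed as 'invoice.pdf'."
    if ($FixHideExt) {
        Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
        Write-Output "HideFileExt set to 0; Explorer shows extensions after the next logon or Explorer restart."
    }
} else {
    Write-Output "HideFileExt is off for this user; extensions are visible."
}

# 2. Flag executables in the data folders, and call out the double-extension decoys.
$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $execExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # BaseName drops only the last extension, so "invoice.pdf.exe" -> "invoice.pdf";
            # a second extension left inside the base name is exactly what the user sees
            # when HideFileExt=1.
            $inner = [System.IO.Path]::GetExtension($_.BaseName)
            if ($inner) { $reason = "double extension, shown as '$($_.BaseName)'" }
            else        { $reason = 'executable in a data folder' }
            [pscustomobject]@{
                Path     = $_.FullName
                Reason   = $reason
                Modified = $_.LastWriteTime
            }
        }
}
$findings | Format-Table -AutoSize

# 3. Every mapped drive letter is a share that an infection on this PC can reach and encrypt.
Get-WmiObject -Class Win32_MappedLogicalDisk | Select-Object DeviceID, ProviderName
```

Run it as-is to get a report; run it with -FixHideExt to also clear the hide-extensions setting for the current user. The scan is a detection aid, not a substitute for the Software Restriction Policy rules the post recommends: it tells you what is already sitting in the folders those rules would block, and which shares a compromise of this PC would put at risk.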

Please do not assume that the latest law enforcement announcements mean that we don’t have to worry about CryptoLocker anymore. It’s estimated that CryptoLocker raked in as much as $30 million just in the first 100 days after it appeared in the wild. With that much money in play, it – or something else like it – will inevitably reappear sooner or later.