IT-monitoring

IT monitoring is the process of collecting indicators from the hardware and software in an IT environment. Its purpose is to ensure that the equipment works correctly and at the level of performance required for normal business operation.

The basic monitoring solution often consists of sending a “ping” to the device and waiting for a response. If a response is received, the server or router is turned on, has not been disconnected, and has not failed. This feature allows a system administrator to stay abreast of the state of the IT systems just by browsing the IT resources.

Basic monitoring is performed by checking the operation of the device, while more advanced monitoring gives detailed representations of operating conditions, including average response time, the number of errors and requests, CPU usage, application availability, and others.

So, how does it work?

Monitoring consists of three layers: foundation, software, interpretation.

  • Basic level or fundamental. Infrastructure is the lowest level of the software stack and includes tracking physical or virtual devices called “hosts”, such as a Windows server, Linux server, Cisco router, VMware virtual machine, etc.
  • This is also called the monitoring level. It analyzes what is running on the devices at a fundamental level, including processor usage, load, memory, and the number of virtual machines that are running.
  • Collected indicators are presented in the form of graphs or data charts, often on a dashboard with a graphical interface.

Sometimes a monitoring system uses agent software. Agents are independent programs that are installed on the monitored device to collect data on the equipment’s performance and transfer it to the management server. Agentless monitoring uses existing protocols to emulate an agent with the same features.

To monitor server usage, an admin should install the agent on the server. The management server receives this data from the agent and displays it to the user through the interface of the IT monitoring software, often in the form of a graph of performance over time.

If the server stops working properly, the tool will warn the administrator who can restore, update or replace the item until it meets the standard for work.
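The ping check, the response-time and error indicators, and the warning described above can be sketched in PowerShell. This is an added example, not code from the article; the function name, thresholds and sample target are assumptions.

```powershell
# Added example (not from the article): ping-based availability check with
# response-time statistics. Names, thresholds and the sample target are assumptions.
function Test-HostAvailability {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Count = 4,             # probes per host
        [int] $TimeoutMs = 1000,      # per-probe timeout
        [int] $WarnLatencyMs = 200,   # average response time above this => Degraded
        [int] $MaxLossPercent = 50    # failed probes at or above this share => Down
    )

    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        foreach ($target in $ComputerName) {
            $times  = @()
            $failed = 0
            for ($i = 0; $i -lt $Count; $i++) {
                try {
                    $reply = $ping.Send($target, $TimeoutMs)
                    if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
                        $times += $reply.RoundtripTime
                    } else {
                        $failed++      # timed out, unreachable, TTL expired, ...
                    }
                } catch {
                    $failed++          # name did not resolve or the probe could not be sent
                }
            }

            $loss = [math]::Round(100 * $failed / $Count)
            $avg = $null
            if ($times.Count -gt 0) {
                $avg = [math]::Round(($times | Measure-Object -Average).Average, 1)
            }

            # A single lost probe degrades the host; losing most probes marks it down.
            if ($loss -ge $MaxLossPercent) {
                $state = 'Down'
            } elseif ($failed -gt 0 -or $avg -gt $WarnLatencyMs) {
                $state = 'Degraded'
            } else {
                $state = 'Up'
            }

            [pscustomobject]@{
                Host          = $target
                Sent          = $Count
                Failed        = $failed
                LossPercent   = $loss
                AvgResponseMs = $avg
                State         = $state
            }
        }
    } finally {
        $ping.Dispose()
    }
}

# Constructed sample run: the loopback address answers without any network access.
$results = Test-HostAvailability -ComputerName '127.0.0.1'
$results | Format-Table -AutoSize

# The "warn the administrator" step: surface every host that is not fully up.
$results | Where-Object { $_.State -ne 'Up' } | ForEach-Object {
    Write-Warning "$($_.Host) is $($_.State): $($_.LossPercent)% loss, avg $($_.AvgResponseMs) ms"
}
```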

Although the task of monitoring may seem relatively simple, its potential consequences can be huge for an organization that depends on IT systems. Monitoring is therefore the work of identifying problems in time, analyzing their consequences and eliminating them promptly.

Microsoft stops supporting Windows 7

During the life cycle of an operating system, the company provides free update support, and that cycle eventually has to end. That is what is happening to Windows 7. Microsoft’s strategy is to drop support for Windows 7 in order to promote and popularize Windows 10. They say that Windows 10 has more modern security features and is more stable.

The end of support for Windows 7 means that the computer will no longer receive updates, security patches or new features. This will reduce the security of the PC because the system will not receive patches that eliminate potential threats from malicious software. For three years, security updates will be available only with a paid subscription.

The release of security updates will cease on January 14, 2020; in addition, Internet Explorer support on Windows 7 will also end.

Of course, the end of Windows 7 support doesn’t mean that everything will stop working at once. Users can continue to use the operating system, but the computer will become more vulnerable to security risks, with a large number of possible negative consequences for the PC.

Microsoft Corporation offers two solutions:

— to start using Windows 10;

— to buy a new PC with preinstalled Windows 7.

If the user purchases a licensed copy of Windows 10, they can reinstall the operating system on their computer. Download the Media Creation Tool from the official Microsoft website; with its help you can download and save the Windows 10 image to a USB flash drive or DVD, or update the system from within the application. Microsoft has provided a loophole for a free upgrade to Windows 10, which works for licensed versions of Windows 7. You must download and run the «Upgrade to Windows 10 Assistant.»

Before upgrading, it is advisable to check the computer’s hardware specifications. Windows 10 has higher system requirements than Windows 7, so there is no sense in installing the «ten» on a weak computer. Working on such a computer will become uncomfortable, as the operating system and applications will run slowly. This applies especially to laptops released many years ago.

Between Windows 7 and Windows 10 there was another operating system, Windows 8. It is an alternative for those who are ready to leave Windows 7 but don’t want to use Windows 10. Windows 8 will be supported with updates until January 10, 2023; after that, you will still face the same problem and have to change to Windows 10.

Windows 7 is Microsoft’s most popular operating system, and it seems that it will remain the leading computer OS in the world for some time even after 14 January, despite reduced support.
Users who decide to remain faithful to it after January 14, 2020 can use third-party protection tools that will remain compatible with this OS for a long time.

Windows 10 update

The point of an update policy is to make the update process predictable, with procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime. The policy needs to address several distinct types of updates.

The most familiar are the monthly cumulative security and reliability updates that are delivered on the second Tuesday of each month (aka Patch Tuesday). The Patch Tuesday release typically also includes the Windows Malicious Software Removal Tool and may include any of the following additional types of updates:

  • Security updates for .NET Framework
  • Security updates for Adobe Flash Player
  • Servicing stack updates (which must be installed before other updates)

The update policy should include the following elements for each managed PC:

  • When to install monthly updates: Using the default Windows settings, monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday.
  • When to install semi-annual feature updates: Using the default Windows settings, feature updates are downloaded and installed when Microsoft says they’re ready.
  • When to allow PCs to restart to complete installation of updates: Most updates require a restart to complete installation.
  • How to notify PC users of pending updates and restarts: To avoid unpleasant surprises, Windows 10 notifies users when updates are pending.
  • How to handle out-of-band updates: Occasionally, Microsoft releases critical security updates outside of its normal Patch Tuesday schedule. Typically, these are intended to address security vulnerabilities that are being exploited «in the wild.»

Managing updates manually

To configure Windows Update manually you need to start at Settings > Update & Security > Windows Update. There, you can adjust two groups of settings.

First, click Change Active Hours and adjust the settings to reflect your actual work habits.

Next, click Advanced Options and adjust the settings under the Choose When Updates Are Installed heading to reflect your policy.

  • Choose how many days to delay installation of feature updates. The maximum value is 365 days.
  • Choose how many days to delay installation of quality updates, including the cumulative security updates released on Patch Tuesday. The maximum value is 30 days.

Other settings on this page control the display of restart notifications (on by default) and whether to allow updates to download on metered connections (off by default).

Managing updates using Group Policy

A significant number of policies are exclusively for Windows 10. The most important are those associated with the Windows Update for Business feature, which are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.

  • Select when Preview Builds and Feature Updates are received: Choose a servicing channel and set delays for feature updates.
  • Select when Quality Updates are received: Set delays for monthly cumulative updates and other security-related updates.
  • Manage preview builds: Specify whether users can join a machine to the Windows Insider Program and, if enabled, specify the Insider ring.

An additional group of policies are in Computer Configuration > Administrative Templates > Windows Components > Windows Update.

  • Remove access to «Pause updates» feature: Prevent users from interfering with installation of updates by removing the option to pause updates for up to 35 days.
  • Remove access to all Windows Update features: Prevent users from changing any Windows Update settings.
  • Allow updates to be downloaded automatically over metered connections: Allow updates to be installed on devices using a metered connection such as an LTE connection.
  • Do not include drivers with Windows Updates: Prevent Windows Update from installing device drivers.

The following settings, all specific to Windows 10, apply to restarts and notifications:

  • Turn off auto-restart for updates during active hours: Ensure that devices don’t restart to install updates during normal working hours.
  • Specify active hours range for auto-restarts: Change the default active hours settings.
  • Specify deadline before auto-restart for update installation: Choose a deadline (between 2 and 14 days) after which a restart to apply updates will be automatic.
  • Configure auto-restart reminder notifications for updates: Increase the time prior to a scheduled restart when the user is notified. Acceptable values are 15 minutes (default) to 240 minutes.
  • Turn off auto-restart notifications for update installations: Completely disable restart notifications.
  • Configure auto-restart required notification for updates: Prevent notifications from disappearing after 25 seconds and instead require the user to dismiss.
  • Do not allow update deferral policies to cause scans against Windows Update: Use this policy to prevent PCs from checking Windows Update when a deferral is assigned.
  • Specify Engaged restart transition and notification schedule for updates: Use this policy to allow users to schedule restarts and «snooze» restart reminders.
  • Configure auto-restart warning notifications schedule for updates: Configure reminders of automatic restarts (from 4 to 24 hours) and warnings of imminent restarts (from 15 to 60 minutes).
  • Update power policy for Cart Restarts: This policy is for educational systems that remain on carts overnight and allows updates to be installed even on battery power.
  • Display options for update notifications: Use these settings to completely disable update notifications with the option to include or exclude restart warnings.

The following policies apply to Windows 10 as well as some older Windows versions:

  • Configure Automatic Updates: This powerful group of settings allows you to specify a consistent weekly, bi-weekly, or monthly update schedule, with the option to specify the day and time during which all available updates are automatically downloaded and installed.
  • Specify intranet Microsoft update service location: Use this policy to configure a Windows Server Update Services (WSUS) server on a Windows domain network. (See the following section for more on this option.)
  • Enable client-side targeting: This setting allows administrators to use Active Directory security groups to define deployment rings when using WSUS.
  • Do not connect to any Windows Update Internet locations: On PCs that are connected to a local update server, prevent any connections to outside update servers, including Microsoft Update and the Microsoft Store.
  • Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Enables the system to wake up a machine and install updates; the system will wake up only if updates are available.
  • Always automatically restart at the scheduled time: Use this setting to configure a timer (15 minutes to 180 minutes) and automatically restart after installing updates, rather than notifying users.
  • No auto-restart with logged on users for scheduled automatic updates installations: This policy overrides the previous policy and prevents restarts when users are signed in.
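Group Policy writes the settings listed above to the registry, so a PC can be audited against the update policy by reading them back. The following PowerShell is an added example, not code from the article; the function names, severity labels and sample values are assumptions, and the value names are the registry values behind the corresponding policies.

```powershell
# Added example (not from the article). Severity labels and sample data are assumptions.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsUpdatePolicyValues {
    # Collect the policy values from the local registry into one hashtable.
    $values = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function New-Finding {
    param([string] $Severity, [string] $Message)
    [pscustomobject]@{ Severity = $Severity; Finding = $Message }
}

function Test-WindowsUpdatePolicy {
    param([Parameter(Mandatory)] [hashtable] $Values)

    # Deferral periods: the article gives 365 days (feature) and 30 days (quality) as maximums.
    $limits = @{ DeferFeatureUpdatesPeriodInDays = 365; DeferQualityUpdatesPeriodInDays = 30 }
    foreach ($name in $limits.Keys) {
        if (-not $Values.ContainsKey($name)) { continue }
        $days = [int]$Values[$name]
        $flag = $name -replace 'PeriodInDays$', ''   # e.g. DeferQualityUpdates
        if ($days -lt 0 -or $days -gt $limits[$name]) {
            New-Finding 'High' "$name = $days is outside 0..$($limits[$name])"
        } elseif ($days -gt 0 -and $Values[$flag] -ne 1) {
            New-Finding 'Low' "$name = $days is set but $flag is not enabled"
        } elseif ($days -gt 0) {
            New-Finding 'Info' "$name delays installation by $days day(s)"
        }
    }

    if ($Values['NoAutoUpdate'] -eq 1) {
        New-Finding 'High' 'Automatic Updates are disabled (NoAutoUpdate = 1)'
    }

    # WSUS: a configured intranet update server should have a URL, preferably HTTPS.
    if ($Values['UseWUServer'] -eq 1) {
        $server = [string]$Values['WUServer']
        if (-not $server) {
            New-Finding 'High' 'UseWUServer = 1 but no WUServer URL is configured'
        } elseif ($server -notmatch '^https://') {
            New-Finding 'Medium' "WSUS URL '$server' does not use HTTPS"
        }
        if ($Values['DoNotConnectToWindowsUpdateInternetLocations'] -ne 1) {
            New-Finding 'Info' 'Connections to Windows Update Internet locations are still allowed'
        }
    }

    if ($Values['SetDisablePauseUXAccess'] -ne 1) {
        New-Finding 'Info' 'Users can still use the "Pause updates" feature'
    }

    # The article notes that the "no auto-restart with logged on users" policy overrides
    # "always automatically restart at the scheduled time".
    if ($Values['AlwaysAutoRebootAtScheduledTime'] -eq 1 -and
        $Values['NoAutoRebootWithLoggedOnUsers'] -eq 1) {
        New-Finding 'Low' 'Scheduled auto-restart is overridden while users are signed in'
    }
}

# Constructed sample values for an offline run; on a managed PC pass
# (Get-WindowsUpdatePolicyValues) instead.
$sample = @{
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 45
    DeferFeatureUpdatesPeriodInDays = 180
    UseWUServer                     = 1
    WUServer                        = 'http://wsus.example.internal:8530'
    AlwaysAutoRebootAtScheduledTime = 1
    NoAutoRebootWithLoggedOnUsers   = 1
}
Test-WindowsUpdatePolicy -Values $sample | Format-Table -AutoSize -Wrap
```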

Enterprise management tools

There are two popular options for bypassing Microsoft’s update servers and deploying updates from a locally managed server.

Windows Server Update Services (WSUS) is the simpler of the two options. It runs as a Windows Server role and provides a central store for Windows updates within an organization. Using Group Policy, a network administrator points Windows 10 PCs to the WSUS server, which serves as the single source of downloads for the entire organization.

The second option, System Center Configuration Manager (SCCM), uses the powerful Configuration Manager for Windows, in combination with WSUS, to deploy quality and feature updates. A Windows 10 servicing dashboard lets network administrators monitor Windows 10 usage across the network and create group-based servicing plans that include information about PCs as they near their end of support life.

How to extend Security Updates of Windows 7

As we all know, every operating system needs support. But what will you do when that support ends? I recommend looking at extended Windows 7 support, because the current support is going to end in January 2020.

If you keep running Windows 7 after January 2020 without it being patched every month, you risk becoming a victim of external threats. For such situations, Microsoft is providing three options that range from “free” to explicitly paying for updates.

There are three ways to maintain a Windows 7 install:

— Using Microsoft’s new Windows Virtual Desktop service. This option is to move your install to the newly announced Windows Virtual Desktop platform; Microsoft will supply three years of extended security updates for customers choosing a Windows 7 Enterprise VM.

— Be a Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security customer. Microsoft will provide a free year of Windows 7 support to customers who already pay for Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security. Customers who pay for Extended Security Updates (ESU) under this program will also receive discounts in years two ($50 per device, instead of $100) and three ($100 per device, instead of $200).

— Pay for additional updates. This option assumes that you haven’t paid for anything before, but you can pay a fee for Windows 7 support after January 2020 at the following prices per device:

  • Year 1 (January 2020 through January 2021): Windows 7 Pro is $50 per device, Windows Enterprise (add-on) is $25 per device.
  • Year 2 (January 2021 through January 2022): Windows 7 Pro is $100 per device, Windows Enterprise (add-on) is $50 per device.
  • Year 3 (January 2022 through January 2023): Windows 7 Pro is $200 per device, Windows Enterprise (add-on) is $100 per device.

If you need additional support for your Windows 7 devices after January 2020, you can choose between these options. You can also try to combine several of the three to lower the burden of running Windows 7, but eventually you will need to migrate to Windows 10 anyway.

How to protect your business with Windows 10 security

It would be great if the process of securing a Windows 10 device could be reduced to a simple checklist, but it is much more complicated than that. The initial setup simply establishes a security baseline. When this configuration is complete, security needs continued vigilance and ongoing effort. A big part of the security work for a Windows 10 device happens away from the device itself.

The best security plan pays attention to network traffic, email accounts, authentication mechanisms, management servers, and other external connections. IT specialists should be able to cover these points. For a small business without IT staff, outsourcing could be the best way.

Installing updates regularly is one of the most important settings for Windows 10 devices. Quality updates are delivered monthly through Windows Update. They address security and reliability issues and do not include new features. All quality updates are cumulative, so you no longer have to download dozens of updates after performing a clean install of Windows 10. You need to install only the latest update and you will be completely up to date. Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup.

When updates become available on Microsoft’s update servers, Windows 10 devices download and install them at once.

In large companies, administrators can apply Windows Update for Business settings using Group Policy or mobile device management (MDM) software. You can also administer updates centrally by using a management tool such as System Center Configuration Manager or Windows Server Update Services.

User account management

Devices running a Windows 10 edition such as Pro, Enterprise, or Education can be joined to a Windows domain. This gives domain administrators access to the Active Directory features, so they can authorize users, groups, and computers to access local and network resources. If you’re a domain administrator, you can manage Windows 10 PCs using the full set of server-based Active Directory tools.

Smaller businesses have Windows 10 PCs that are not joined to a domain, and they can choose from a few account types. A local account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration. Microsoft and Azure Active Directory (Azure AD) accounts should be set up as Standard users to prevent untrained users from inadvertently damaging the system or installing unwanted software. The Windows Hello feature can be used to increase the security of the sign-in process on your device. It requires a two-step verification process to enroll the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports FIDO version 2.0.

Then the user can sign in using a PIN or biometric authentication, for example a fingerprint or facial recognition. The biometric data is stored on the device only, which prevents a variety of common password-stealing attacks. On devices connected to business accounts, administrators can use Windows Hello for Business to specify PIN complexity requirements.

It is necessary to set up multi-factor authentication (MFA) to protect Microsoft or Azure AD accounts on business PCs from external attacks. On Microsoft accounts, the Two-step Verification setting is available at link. For Office 365 Business and Enterprise accounts, an administrator must first enable the feature from the Office portal, after which users can manage MFA settings by going to link.

Data protection

No one can foresee a laptop being stolen or left behind somewhere, but such situations can lead to a significant risk of data loss. It is even worse in regulated industries or where data breach laws require public disclosure. But there is an encryption tool available in business editions of Windows, called BitLocker. With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. Using Group Policy settings or device management tools, you can increase the encryption strength from its default 128-bit setting to 256-bit. For full management capabilities, you’ll also need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. In either configuration, the recovery key is saved in a location that is available to the domain or AAD administrator.

On an unmanaged device running a business edition of Windows 10, you can use a local account, but you’ll need to use the BitLocker Management tools to enable encryption on available drives. You should also encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive’s contents.
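Whether a drive actually meets these settings (fully encrypted, 256-bit XTS-AES, a recovery key that can be escrowed) can be checked from the output of `Get-BitLockerVolume`. The PowerShell below is an added example, not code from the article; the function name, the required method and the sample objects are assumptions.

```powershell
# Added example (not from the article). Property names follow Get-BitLockerVolume
# output; the function name, default policy and sample objects are assumptions.
function Test-BitLockerCompliance {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Volume,
        [string] $RequiredMethod = 'XtsAes256'   # the 256-bit setting mentioned above
    )
    process {
        $issues = @()
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "volume status is $($Volume.VolumeStatus)"
        }
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off or suspended'
        }
        if ("$($Volume.EncryptionMethod)" -ne $RequiredMethod) {
            $issues += "method is $($Volume.EncryptionMethod), expected $RequiredMethod"
        }
        # Without a recovery password protector there is no recovery key for the
        # domain or Azure AD administrator to hold.
        $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($protectors -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = ($protectors -join ', ')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output, for an offline run.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        EncryptionMethod = 'XtsAes128'   # the default strength
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        EncryptionMethod = 'XtsAes256'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        EncryptionMethod = 'None'        # an unencrypted USB drive
        KeyProtector = @()
    }
)
$sample | Test-BitLockerCompliance | Format-Table -AutoSize -Wrap

# On a real PC, from an elevated prompt:
#   Get-BitLockerVolume | Test-BitLockerCompliance
```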

Blocking malicious code

Nowadays, antivirus software is just another layer of system protection, although some time ago it was the main tool for blocking the installation of malicious code.

Every installation of Windows 10 includes Windows Defender, a built-in antimalware program. It updates itself when new updates are available on Windows Update. If you decide to install another security package, Windows Defender allows that software to function. Large companies that use Windows Enterprise edition can deploy Windows Defender Advanced Threat Protection, a security platform that monitors endpoints such as Windows 10 PCs using behavioral sensors. Using cloud-based analytics, Windows Defender ATP can identify suspicious behavior and alert administrators to potential threats. For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft’s SmartScreen technology is another built-in feature that scans downloads and blocks execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.

Another important step in protecting your PC is to be attentive to your mail, because infecting PCs via email attachments and links to malicious websites is common. Although email client software can offer some protection, blocking these threats at the server level is the most effective way to prevent attacks. An effective approach for preventing users from running unwanted programs (including malicious code) is to configure a Windows 10 PC so that it cannot run any apps except those you specifically authorize. To adjust these settings on a single PC, go to Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. This setting allows previously installed apps to run, but prevents installation of any downloaded programs from outside the Microsoft Store.

Administrators can configure this setting over a network using Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App install Control.

Networking

The Windows 10 firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of initial setup.

If you need to configure basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. «Advanced Settings» leads to an expert-only set of configuration tools in the Advanced Security console. These settings can be controlled through a combination of Group Policy and server-side settings.

The most complex problems with Windows 10 PC security appear when you connect to wireless networks. To increase the level of security, large organizations should add support for the 802.1x standard. It uses access controls instead of a shared password, and when there is an attempt to connect to this type of network, Windows 10 will reject unauthorized connections. On Windows domain-based networks, you can use the native DirectAccess feature to allow secure remote access.

Sometimes it is necessary to connect to an untrusted wireless network. The best way out is to configure a virtual private network (VPN). To set up this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.

 

June 2019 Quarterly Exchange Updates

General changes:

  • Decreasing Exchange Rights in the Active Directory – a Deny ACE was placed on the DNS Admins group and the ability for Exchange to assign Service Principal Names (SPNs) was removed, because these are not required by Exchange. The directory updates released today are fully compatible with all versions of Exchange Server regardless of the cumulative update or update rollup version deployed, so these changes can be applied to any existing Exchange deployment by following the steps above
  • Support for .NET Framework 4.8 – support for .NET Framework 4.8 added. The minimum .NET requirement remains 4.7.2 on Exchange Servers. .NET 4.8 will be required with all updates released in December 2019 and later
  • Authentication Policies Update – enhanced the feature to provide the ability to specify it as default authentication policy at Organization level
  • Future support of Modern Authentication in on-premises Exchange – this capability in on-premises Exchange server will no longer be pursued; Modern Authentication will be restricted to customers with hybrid deployments
  • Controlled Connections to Public Folders in Outlook – added support to Exchange Online to help admins have control over which users would see public folders in their Outlook clients

How to maintain Exchange to comply with GDPR

There is a ton of information about the paperwork that needs to be done to comply with GDPR. Here we answer the question: «What technically should be done on your mail server to meet the requirements?»

First of all, let’s define what ‘personal data’ is according to the GDPR:

 

Article 4
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

A mail server naturally keeps a lot of ‘personal data’, and it is not just about the content of mailboxes. Every time an employee connects to corporate mail using a personal device, the server saves information about the device and the IP address, which can be linked to geolocation.

Even more, if you have CVs in your mailbox (most probably you do), then your mail server contains specific personal data:

 

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

 

As a result, even if you are not collecting personal data on purpose, just by operating in the B2B segment you accumulate ‘personal data’ and need to follow GDPR.

So, what technical actions need to be taken to meet the GDPR? The law gives very general requirements:

 

Article 32 Safety of processing
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

We recommend the following:

 

  1. Encryption whenever it is possible as GDPR requires organizations that keep or process personally identifiable information to protect data by design
    • Encryption for Exchange drives using BitLocker Drive Encryption
    • Hardware encryption on storages where Exchange drives are placed, if Exchange is virtualized. Most of the vendors have this feature supported.
    • Use Host Guardian Service (HGS) to protect access to the Exchange virtual machines. It prevents unauthorized access to a shielded Exchange VM and protects against copying of the VHD.
  2. You must have backups and a disaster recovery plan(s). Periodically test consistency and recoverability of backup.
  3. For secure email transport, STARTTLS must be configured on your server(s) as a minimum, and it is strongly recommended to configure DNS-based Authentication of Named Entities (DANE) based on DNSSEC technology
  4. Critical updates must be tested and installed in time to prevent potential security breaches
  5. Implement deleted item retention policy
  6. Configure Data Loss Prevention (DLP) rules to scan and report email containing personal information that could fall under GDPR rules.
  7. Prepare a custom script for your Exchange version to manage shared mailbox and individual public folder items to delete user-defined data.
  8. Consider migration to the cloud. On-premises solutions are more flexible, but they are also more complicated; without an outsourcing partner it may be difficult to comply with GDPR rules.
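Item 3 can be verified from any workstation: connect to your own mail server, confirm that it advertises STARTTLS in its EHLO reply, and complete the TLS handshake so that the certificate is validated. The PowerShell below is an added example, not code from the article; the function names, the EHLO name and the sample reply are assumptions, and the server name in the usage comment is a placeholder.

```powershell
# Added example (not from the article). Function names, the EHLO name and the sample
# reply are assumptions; 'mail.example.org' is a placeholder for your own server.
function Get-SmtpCapabilities {
    # Extract the extension keywords from a multi-line EHLO reply.
    param([Parameter(Mandatory)] [string[]] $EhloReply)
    $first = $true
    foreach ($line in $EhloReply) {
        if ($line -match '^250[ -](\S+)') {
            if ($first) { $first = $false; continue }   # first line is the server greeting
            $Matches[1].ToUpperInvariant()
        }
    }
}

function Read-SmtpReply {
    # Read one reply; continuation lines look like "250-...", the last like "250 ...".
    param([System.IO.StreamReader] $Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return ,$lines
}

function Test-SmtpStartTls {
    param([Parameter(Mandatory)] [string] $Server, [int] $Port = 25)

    $result = [pscustomobject]@{
        Server = $Server; StartTlsAdvertised = $false; TlsProtocol = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $null = Read-SmtpReply $reader                     # 220 banner
        $writer.WriteLine('EHLO starttls-check.example.invalid')
        $caps = @(Get-SmtpCapabilities -EhloReply (Read-SmtpReply $reader))
        $result.StartTlsAdvertised = $caps -contains 'STARTTLS'

        if ($result.StartTlsAdvertised) {
            $writer.WriteLine('STARTTLS')
            $null = Read-SmtpReply $reader                 # 220 ready to start TLS
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            # Throws if the certificate is untrusted, expired or issued for another name.
            $ssl.AuthenticateAsClient($Server)
            $result.TlsProtocol = "$($ssl.SslProtocol)"
            $ssl.Dispose()
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result
}

# Constructed sample EHLO reply, parsed offline.
$sampleReply = @(
    '250-mail.example.org Hello [192.0.2.10]',
    '250-SIZE 37748736',
    '250-PIPELINING',
    '250-STARTTLS',
    '250 8BITMIME'
)
$caps = @(Get-SmtpCapabilities -EhloReply $sampleReply)
"Advertised: $($caps -join ', ')"
"STARTTLS offered: $($caps -contains 'STARTTLS')"

# Live check against your own server:
#   Test-SmtpStartTls -Server 'mail.example.org'
```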