Thursday, March 30, 2017

Reasons for choosing Microsoft messaging and collaboration solutions instead of IBM/Lotus Notes/Verse

Challenges for IBM/Lotus Notes Users

In the mid-1990s, Lotus software was the broadest suite of collaborative software. As a result, many enterprises with high demands on collaboration adopted Lotus Notes, especially in highly developed industrial countries. But since then, many requirements have changed and the market has shifted away from IBM.

Collaboration has been opened up from internal collaboration to external collaboration (especially B2B) and to home and tele workers that bring their own devices (BYOD). Now is the era of convergence of communication and collaboration, which means that former collaborative platforms are being enhanced by real time communication such as audio, video and web conferencing. Hardware based telephony systems are being replaced by software solutions with voice over IP (VoIP), so that corporate telephony also becomes part of a collaboration platform choice.

In addition, the inclusion of external members in an organization’s collaboration capabilities has shifted the focus from fat client applications like the Lotus Notes client to web-based frontends and apps for mobile devices.

Microsoft Office integration and ubiquitous, but secure document sharing has become a major productivity requirement, including governance and compliance capabilities as in enterprise content management systems. And last but not least, enterprise search capabilities need to make the different information stores discoverable.

Microsoft has built the leading productivity platform and surpassed IBM and other vendors, because it is better integrated and harmonized. Integration starts with authentication natively in Active Directory and a common base infrastructure for the server operating system, database and systems management, and it continues with functional ease and usability. Many 3rd party applications integrate into the Microsoft platform by default, whereas integration for IBM/Notes does not exist or is delayed. For those customers that do not want to run their own data center, Microsoft provides the same solutions as cloud services within the Office 365 offering. Therefore, Microsoft is seen by Gartner as the most comprehensive productivity cloud provider.[1]

In the last 10 years, many corporations have migrated from Lotus Notes/Domino onto the Microsoft platform. A good overview of the mail platforms of the top 175 enterprises by revenue can be found at: http://dominoorexchange.pbworks.com/w/page/18061910/FrontPage .

Nowadays, Microsoft is leading the corporate messaging and collaboration market. In the messaging area, Microsoft has a market share of more than 85%, according to Gartner. Lotus Notes has dropped below 15%, because millions of users have been migrated to Outlook/Exchange.

Gartner also recognizes that IBM has lost ground as a Unified Communications (UC) vendor and does not have an offering in the corporate telephony market, whereas Microsoft is seen as a leader both in UC as well as corporate telephony.

[Figure: Market share of e-mail users in organizations with 500 employees or more, worldwide]

In 2011, Gartner had already downgraded its rating for IBM in the “MarketScope for Email Systems” from “Strong Positive” to “Positive” and stated that “We [Gartner] continue to see widespread interest in the Domino base in migrating to alternative platforms.”

The market share drop to less than 15% results in lower support for Notes users when integrating with 3rd party solutions like CRM, ERP, telephony systems and devices. Most 3rd parties deliver Outlook/Exchange integration “out-of-the-box”, whereas support for Lotus Notes does not come at the same time or even needs to be developed by the customers themselves.[1]

IBM also dropped a number of Lotus related products due to shrinking demand and cost pressures:

2005: Lotus Discovery Server (Knowledge Management System)

2005: Lotus Learning Space (E-Learning System)

2007: IBM/Lotus Workplace (Websphere version of Groupware products)

2012: Lotus Symphony (alternative Office suite)

2012: IBM Alloy (Lotus Notes to SAP integration) [2]

2013: Quickr (web-based team application)

2015: Several IBM Sametime server components for web conferencing and telephony. IBM said that customers will rely on Polycom for these components in the future.

2015: IBM’s support for Solaris as operating system for Domino Server

2016: IBM announced that IBM Verse, the new web mail solution, will only be available on very few, very common server operating platforms in on-premises installations; currently it is not available as an on-premises product at all.

In 2012, Ginni Rometty, CEO of IBM, announced a shift from core Lotus products to “higher margin products” for the future, underlining that IBM is no longer trying to turn around the market trend. She said that competing for “legacy” solutions like messaging is not profitable for IBM. In 2015, IBM introduced IBM Verse with a marketing slogan claiming to have re-invented what messaging means. But in fact, Verse is just an updated mail interface to the same Domino backend infrastructure. It has some new features for IBM customers that Microsoft already has in place, most of them for many years, like “Mute Thread”, which was mentioned as the highlight by most beta trial customers that took part in IBM’s ConnectEd Conference 2015.[1] But IBM Verse is a browser-based interface only; there will be no rich client interface. In addition, IBM provides some newly designed mobile mail apps for iOS and Android which are called “Verse” and which replace the branding of what was available before as the IBM Traveler mail applications. As a newly released product, IBM Verse lacks features that former Notes users will miss, like agents that help automate e-mails and full support for all the mobile and offline scenarios.[2]

There is also no API and no programmable URLs for 3rd party solution providers to integrate with Verse. So customers are missing integration with call center and telephony solutions, CRM systems, ERP solutions, fax, room booking systems and so on. IBM said that they will provide programmable URLs for Verse in March 2016, but it will take time until 3rd parties provide their solutions integrated with Verse, especially while the market share remains low in a saturated messaging market.

The following points are limitations and difficulties in Verse (fixes on the roadmap to be delivered in March 2016):

  • No Offline mode – you have to work online and in IBM’s cloud
  • Meeting invitations are difficult
  • The calendar does not look consistent
  • No support for nested folders when attaching a link to an item in Connections Files
  • The default email font can’t be changed
  • The screen space is not efficiently used, e.g. the bar on top with photos of contacts can’t be removed

The following points are ongoing limitations that will not be fixed quickly, at least not in Q1/2016. So please ask your IBM representative when they will be fixed.

  • Even if mails can be read offline, it remains unclear what actions can be taken on mails in offline mode. IBM has not yet communicated details about the offline mode, apart from the fact that it will be a huge HTML file.
  • Attachments can’t be managed in offline mode
  • You can’t put multiple people in the “people bubble” in the “important to me” bar
  • No seamless contact information with IBM Connections Cloud
  • There is no view/filter for unread messages only. You always have to work yourself through all messages.
  • The user settings for the interface can’t be retained
  • No calendar alarms/alerts
  • The messaging pane can’t be resized
  • There is no messaging list density control
  • Presence/awareness and chat features are very limited
  • No administrative assistant access to calendar
  • The inbox is not very actionable
  • Concerning mobile apps, Verse will only be available for iOS and Android, not for BlackBerry and not for Windows Phone. So customers have less choice than they used to have in the past.
  • Verse is currently not available for installation in your own data center (on-premises). IBM has delayed an on-premises version to at least the end of 2016. Even worse, IBM has not even announced which server platforms Verse will run on. They did announce that it will only be on very few server operating systems, probably just one or two. So IBM is limiting the choice for customers, even though it long claimed broad support for multiple operating systems as a competitive advantage. On top of that, customers will have to install additional components besides the Domino server to enable the analytics features. You will probably have to install at least DB2 besides Domino, but that is also left completely unanswered by IBM as of today.

So despite the marketing hype that IBM tries to generate around Verse, there are currently still almost no customers using it; please ask IBM to talk to a reference customer before you sign up for Verse. Even IBM itself has only just started the internal rollout, to not more than 25% of its employees yet, as they said in February 2016 at IBM Connect 2016, almost one year after Verse became generally available. So even at IBM internally, 75% of the employees do not use Verse because of the limitations mentioned above. Instead, they keep using the old Notes client.

Due to the limitations that Verse has, the beta trial customers on stage at the IBM ConnectEd Conference 2015, such as Mitch Cohen from Colgate, clearly stated that “Verse is not for every user in the organization”. So the question for customers to ask themselves is: are we going to roll out Verse to just some users and use another messaging system for the rest? And what does that mean for the total cost of ownership of maintaining and supporting multiple messaging systems?

But the challenges for IBM and its user base go beyond messaging. Nowadays, customers are looking for a productivity platform that also includes

  • Real time communications / unified communications up to voice/telephony
  • Document sharing
  • Enterprise content management
  • Search
  • Social software capabilities

But in most of these areas, IBM has lost ground to other competitors, especially to Microsoft, which is reflected by analysts (more details in the Gartner Magic Quadrant sections at the end of this document).

And all of these capabilities are increasingly consumed as cloud services in order to increase agility and innovation and reduce costs. Whereas Microsoft is seen as one of the hyper-scale productivity cloud vendors with its Office 365 offering, IBM SmartCloud for Social Business (multitenant) is based on a small-scale pod architecture derived from the SoftLayer acquisition. That is why Gartner’s Matt Cain states that “IBM is a distant third” compared to Microsoft and Google and that IBM’s offering “feels like an SMB [Small and Medium Business] offering”. He also states that the sales and support structures are not on the same level as Microsoft’s in the cloud.[1] IBM has very few and only very small reference customers for its multitenant productivity cloud. In fact, the bigger references that IBM has claimed in the past have never deployed IBM’s productivity cloud; the biggest failure in delivery was Panasonic.[2]

Benefits of Moving from IBM to Microsoft

The growing market share for Microsoft results in several advantages versus IBM:

  • No risk due to broad market and vendor support, whereas IBM’s partner landscape is shrinking
  • Broader choice of 3rd party components (e.g. security plug-ins, mobile device support)
  • High interoperability with partners in B2B scenarios, for example free/busy lookup and awareness across organizations or B2B encryption within Exchange
  • Availability of service providers for hosting[1], development and support
  • Availability of Microsoft experts
  • Fidelity of documentation of the products, adoption of new standards, provisioning of technical events

For business units, there are also advantages such as:

  • Attracting and retaining talent as an employer with a modern workplace environment
  • Better usability, for example due to
      • Transparent mobile “anywhere access”
      • Single Sign-On
      • Autodiscovery feature
      • Performant clients
  • Fewer glitches and bugs in the software products
  • Less training needed in the long run, also in merger & acquisition scenarios (Home Use Program and online training included in the license contract)
  • Consistent user interface and seamless integration of Office products (fewer overlaps and media breaks)
  • Higher degree of self-service without IT involvement
  • Easier integration with externals (B2B collaboration)
      • Calendar and presence federation
      • Conferencing internally and externally on the same platform (Lync)
      • Administrative B2B encryption between two different Exchange organizations without the need for the user to encrypt mails
  • Performant full-text search on the client as well as across systems (SharePoint)
  • Integrated compliance and reporting solutions
  • Better protection of intellectual property with rights management

In addition, there are economic benefits that customers reported when migrating from IBM to the Microsoft platform, such as:

  • Focus on Microsoft and SAP as strategic vendors saves costs. Festo, Heraeus, TÜV Rheinland, Bayer and others reported fewer dependencies and less test effort at upgrades and client patches
  • Infrastructure: reduction of complexity
  • Avoiding extensions of the infrastructure to J2EE, WebSphere, Connections, FileNet, Content Analytics etc.
  • Dropping maintenance of the Notes client and the Domino directory
  • Fewer 3rd party add-ons (e.g. mobile sync software, security plug-ins)
  • Less need for VPN (RPC access over HTTPS, DirectAccess). Accenture drove a “self financing migration” with 80% fewer VPN-related helpdesk calls than before.
  • Automation of administrative processes via PowerShell scripts with efficiency gains of up to 30%.
  • Possibility to run Exchange without classic backups, using only Exchange’s built-in mechanisms. This saves costs and allows faster restores with fewer faults
  • Consolidation of Notes applications
  • Server and data center consolidation. Bayer consolidated from 50 Domino data center locations, 1200 Domino servers and 8 Sametime data center locations to a Microsoft infrastructure with 3 data center locations for SharePoint and Lync and 2 Exchange locations
  • Lower performance requirements (IOPS) reduce storage costs. Deutsche Bank and Allianz both switched from SAN (Storage Area Networks) to DAS (Direct Attached Storage) with the messaging migration and saved 18,000 €/TB per year; a sum of 2 Million € per year.
  • Thin client strategy at reduced costs: lower RAM consumption by Outlook results in 30% lower performance requirements for the terminal server farm compared to running Domino.
  • By replacing telephony solutions and external conferencing services with Lync, customers can reduce housing costs, carrier costs, PBX maintenance and electricity costs in addition to spending less on telephony devices. For example, when replacing 489 PBXs, Sprint reports total yearly savings of 13 Million €[2], of which housing costs were reduced by 2.4 M€ (150,000 m² x 16 €), local carrier costs by 5.1 M€, maintenance by 1.9 M€, audio conferencing costs by 3.1 M€, and electricity by 0.5 M€. In addition, they also calculated massive cost savings due to the broader choice of devices (70% of the costs of a classical hardware-based PBX are devices).
  • Attractive license bundles by Microsoft (Core CAL, Enterprise CAL suite, cloud suites)

The cost benefits of up to 35% after a migration from IBM/Notes to the Microsoft platform have also been reviewed by analysts, such as IDC. [3]

The following shows a typical business case for an IBM/Notes customer that compared 2 scenarios, either to stay on IBM/Notes with additional products or to move to the Microsoft platform. Both scenarios were on-premises and the customer was in negotiations with the same provider, because that provider had a long-running outsourcing contract.

In the Microsoft scenario, the customer wanted to move off of Notes/Domino completely, including all their applications, within 18 months. The brown bars in year 1 and year 2 in the Microsoft scenario display the fixed price cost associated with this full application migration approach.


The cost comparison shows 40% savings in the long run (1.2M€ in the Microsoft scenario versus 2M€ in the IBM scenario from year 3 on) and 19% internal rate of return (IRR). And the case did not even include all potential savings such as moving from SAN to direct attached storage (DAS).

Recently, Forrester has conducted a study about the benefits of moving to Microsoft Office 365. In this study, they also interviewed several customers that had come from other collaboration platforms such as IBM’s, but the focus of the study was the savings due to the move to the Microsoft cloud.[1]

For a composite 6000 user corporation, the highlighted results of the Forrester study are:

  • Server infrastructure costs replaced (benefits of $2.42M)
      • Hardware, software, housing
      • Implementation and maintenance, esp. upgrades, are included
      • Storage included
          • Users delighted by large mailboxes (50 GB), without the need to constantly clean up the mailbox in order to stay below the current quota
          • Unlimited mail archives
          • Unlimited personal shares for documents that can also easily be shared with externals
      • Network
          • Use of the Microsoft network with local break-in/out points worldwide → low latency
      • New scenarios enabled, e.g. corporate video channel
      • In the future: telephony provided
  • “Mobility” (benefits of $2.81M)
      • Bring your own device (BYOD) enabled
      • Remote/home client installation and work from anywhere
      • Office space reduced
      • User-based licensing
  • Control and Compliance ($90k)
      • Less time for eDiscovery searches (-10.7%)
      • Fewer data breaches (-73%)
  • Enterprise Social Solution with Yammer ($247k)
      • More engaged workforce

Due to these cost savings and functional enhancements, many organizations directly move from IBM/Notes to Microsoft Office 365:

 

Customer | Industry               | Number of Users
.        | Chemistry              | 112000
.        | Public Welfare         | 48000
.        | Consumer Goods         | 45000
.        | Manufacturing (trains) | 27000
.        | Retail                 | 7500
.        | Retail                 | 6000
.        | Medical Goods          | 6000
.        | Media                  | 2000
.        | Electronics            | 130000
.        | Chemistry (tires)      | 112000
.        | Telecommunication      | 130000
.        | Manufacturing (lifts)  | 50000
.        | Chocolate              | 15000
.        | Manufacturing          | 140000
.        | Logistics              | 40000

 

The following chapters describe several areas in productivity suites in more detail, supported by the latest Gartner Magic Quadrants.

 

Unified Communications

Whereas Microsoft Lync continues to make significant gains in the market and is attractive to a broad range of enterprises, IBM's UC deployments, especially those involving telephony, remain limited[1] [2]. If IBM customers have Sametime deployed for internal presence and IM/chat, they usually have additional solutions for external conferences such as Cisco WebEx or Adobe Connect. This creates additional hurdles for users, because they can’t easily switch from one solution to another when an external member needs to be added to a conference. It also results in additional IT costs for maintaining dual solutions.

There are also differences between Sametime and Lync in slide sharing fidelity such as pixel resolution and performance.


Corporate Telephony

The biggest difference between Sametime and Lync is that Lync can be used as a stand-alone telephony system, whereas Sametime can only integrate with some telephony systems but not replace them. As a consequence, the current Gartner Magic Quadrant for Corporate Telephony 2015 does not even mention IBM as a vendor, but places Microsoft with its Skype for Business solution in the Challengers quadrant, on the line to the Leaders quadrant.[1]

In the 2014 report, Gartner stated that “Microsoft is the seventh-largest corporate telephony vendor with 5.1% of the global market in 2013 with significant annual growth of 106% in 2013. Microsoft continues its strong growth in 2014 and is being chosen by more enterprises as their strategic corporate telephony platform.” One year later, in the 2015 report, Microsoft already appears as the fifth-largest corporate telephony vendor.
Microsoft has even bigger references in terms of users than Cisco, as Gartner recognizes in the 2014 report. “The architecture for Lync is highly scalable, with references of 200,000 users. Microsoft has a strategy of delivering software-only solutions and creating an ecosystem of partners to provide solutions such as desktop phones, media gateways, session border controllers (SBCs) and paging systems. The all-software strategy enables Microsoft to deliver a market-leading UC platform with strong messaging, conferencing, presence, telephony and mobile functionality.”

According to Gartner, one key differentiator is also the support for different mobile devices, including non-Microsoft platforms: “The Lync 2013 mobile client works on Microsoft, Apple and Android operating systems and is a strong solution for those enterprises seeking a UC and telephony client for their mobile devices.”

Social Software in the Workplace

In the past, SharePoint was positioned as the core social product from Microsoft. Since 2013, Microsoft has announced that it will rather focus on providing integrated user experiences across different products such as Dynamics CRM, Lync/Skype and on-premises SharePoint Server, based on Yammer and Office 365, especially the Office Graph. Microsoft also introduced a first application on top of Office Graph, called Delve.

Gartner recognized this strategy and positioned Microsoft as the top company in the Gartner Magic Quadrant for Social Software in the Workplace[1].

[1] See Gartner Magic Quadrant for Social Software in the Workplace, by Nikos Drakos, Jeffrey Mann, Mike Gotta, September 3, 2014 at: http://www.gartner.com/technology/reprints.do?id=1-20TBOV4&ct=140903 and Gartner Magic Quadrant for Social Software in the Workplace, 2015, http://microsoft-news.com/microsoft-recognized-as-a-leader-in-the-2015-magic-quadrant-for-social-software-in-the-workplace/

[1] See Gartner Magic Quadrant for Corporate Telephony, 2015, at http://www.gartner.com/document/3145119 (Gartner login required) and Gartner Magic Quadrant for Corporate Telephony, by Sorell Slaymaker and Steve Blood, October 21, 2014 at: http://www.gartner.com/technology/reprints.do?id=1-23HXCI1&ct=141022&st=sb

[1] See Gartner Magic Quadrant for Unified Communications, by Bern Elliot, Steve Blood, August 4, 2014 at: http://www.gartner.com/technology/reprints.do?id=1-1YWQWK0&ct=140806&st=sb

[2] See Forrester Wave: On-Premises Unified Communications And Collaboration, Q2 ’14, at: http://www.forrester.com/pimages/rws/reprints/document/85963/oid/1-RJLYLF

[1] See: Forrester, “The Total Economic Impact of Office 365”, October 2014. The study is available through Microsoft. It shows an average ROI of 7 months by moving to Office 365 and a net present value of 5.6M$ over 3 years for a composite company with 6000 users.

[1] There are also a number of productivity cloud providers that offer similar options to Microsoft’s Office 365 out of their data centers, for example T-Systems, Atos, CSC and HP.

[2] See: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000011522

[3] See: IDC, “Strategic Elements of a Migration to the Microsoft Communications & Collaboration Platform”, February 2010. http://www.techfiles.de/presse/pressemappen/Compete/IDC_MS_WP_Collab_Platform.pdf

[1] All of these statements were made in a session by Matt Cain at Gartner’s CIO symposium in Barcelona, November 2014.

[2] Here is the press statement that IBM released on Panasonic: http://www-03.ibm.com/press/us/en/pressrelease/29189.wss. And here is an article that was published at Heise: http://www.heise.de/ix/meldung/IBM-gewinnt-Panasonic-als-Kunden-fuer-die-LotusLive-Cloud-Services-904536.html . None of the 380,000 Panasonic employees is using IBM’s multitenant cloud mail service today, even though it was IBM’s biggest customer announcement ever.

[1] Such features are: “Mute Thread” and “actionable e-mails”, which have been available in Exchange for more than 6 years. In addition, Verse includes machine learning technologies in order to filter what is important to a user so that information is prioritized. Within the Microsoft platform, this was also already available with Office Graph, Delve and Clutter, all of which are tightly integrated in Microsoft Outlook and Exchange.

[2] Currently, IBM Verse does not support apps for Windows Phone and BlackBerry, for example.

[1] A remarkable example of that is native support for Apple’s iPhone, which only came to market for Notes with iPhone 3 in January 2010, whereas it was available for Exchange from day 1. See: http://www-03.ibm.com/press/us/en/pressrelease/27493.wss

Other examples are Salesforce.com integration with Outlook in the CRM space, see

[2] See www.Duet.com for the SAP + Microsoft partnership. In comparison, the discontinued IBM product “Alloy”: http://www-01.ibm.com/software/lotus/products/alloy/

[1] See Gartner “Cloud Suites for Collaboration: Assessing Microsoft Office 365, Google Apps and IBM SmartCloud for Social Business”, 2013

Monday, March 27, 2017

Enable GUI in Windows Server 2012 Core

In Windows Server 2012 Core you can add (or remove) the GUI interface on the fly.

You can actually switch between Server Core and Full (GUI) Install whenever you want, making it easier to manage your servers.

There are a couple of steps to install the GUI:

1. Create a folder to mount the Windows Imaging File (WIM) in, with the command

    mkdir c:\mountdir

2. Determine the index number for a Server with a GUI image (for example, SERVERDATACENTER, not SERVERDATACENTERCORE) using this command at an elevated command prompt:

    Dism /get-wiminfo /wimfile:<drive>:\sources\install.wim

 

3. Mount the WIM file using this command at an elevated command prompt:

    Dism /mount-wim /WimFile:<drive>:\sources\install.wim /Index:<#_from_step_2> /MountDir:c:\mountdir /readonly

 

4. Start Windows PowerShell and run this cmdlet:

    Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source c:\mountdir\windows\winsxs

Alternatively, if you want to use Windows Update as the source instead of a WIM file, use this Windows PowerShell cmdlet:

    Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

After the above procedure, the full GUI will be available.

 

5. Finally, unmount the WIM file using the command:

    dism /unmount-Wim /MountDir:c:\mountdir /discard

    and also remove the directory c:\mountdir with the command

    rmdir C:\mountdir
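The five steps above as one script, added here as an example that is not part of the original post. It uses the Dism and ServerManager PowerShell modules that ship with Windows Server 2012 and assumes the install media is at D:, the target edition is SERVERDATACENTER and the session is elevated; unlike step 4 it installs without -Restart so the WIM is unmounted before the reboot, and it unmounts even when the install fails.

```powershell
# Added example (not from the original post): automates steps 1-5 above.
# Assumptions: install media at $Drive, full (non-Core) Datacenter image,
# elevated session. Adjust the parameters for other media or editions.
param(
    [string]$Drive     = "D:",
    [string]$MountDir  = "C:\mountdir",
    [string]$ImageName = "SERVERDATACENTER"   # not SERVERDATACENTERCORE
)

$ErrorActionPreference = "Stop"

# Mounting images and installing features both require elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

$wim = Join-Path $Drive "sources\install.wim"
if (-not (Test-Path $wim)) { throw "install.wim not found at $wim" }

# Step 1: mount directory.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Step 2: look up the index of the GUI image instead of reading it off the
# 'Dism /get-wiminfo' output by hand. Server Core images end in 'CORE'.
$image = Get-WindowsImage -ImagePath $wim |
    Where-Object { $_.ImageName -like "*$ImageName" -and $_.ImageName -notlike "*CORE" } |
    Select-Object -First 1
if (-not $image) { throw "No image matching '$ImageName' in $wim" }
Write-Host ("Using index {0}: {1}" -f $image.ImageIndex, $image.ImageName)

$mounted = $false
try {
    # Step 3: mount read-only; the image's side-by-side store is the feature source.
    Mount-WindowsImage -ImagePath $wim -Index $image.ImageIndex -Path $MountDir -ReadOnly | Out-Null
    $mounted = $true

    # Step 4: install the GUI features from the mounted image. -Restart is
    # deliberately omitted so the image can be unmounted before rebooting.
    $result = Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
        -Source (Join-Path $MountDir "windows\winsxs")
    if (-not $result.Success) { throw "Install-WindowsFeature failed with exit code $($result.ExitCode)" }
}
finally {
    # Step 5: always unmount, even after a failure, so no stale mount is left
    # behind (a stale mount blocks later Dism operations on the same directory).
    if ($mounted) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    Remove-Item -Path $MountDir -Recurse -Force -ErrorAction SilentlyContinue
}

# Reboot only now, with the WIM already unmounted and the directory removed.
if ($result.RestartNeeded -eq "Yes") { Restart-Computer -Force }
```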

Wednesday, March 22, 2017

Ransomware General Guidelines by Microsoft

The goal of this document is to share general actions to put in place against ransomware from a reactive and preventive perspective. While those actions can prevent certain infections, this document is not a full guarantee against all types of ransomware infection. If one of your machines is infected even after applying these recommendations, Microsoft cannot be held responsible for it. In addition, this document contains references to third party blogs and tools. It is therefore your responsibility whether to use them or not, and Microsoft cannot be held responsible if any third party tool breaks anything on your machine or does not work as expected.

What to do in case of attack? The first actions:

1. Supply a sample of the ransomware

If the ransomware managed to get past the anti-malware installed on your machine(s), there is a high likelihood that it is not able to detect it. To solve this problem, it is important to supply a sample of the malware to the anti-malware vendor so they can check whether it is detected. If it is not, a definition update will be requested as quickly as possible. For SCEP/Windows Defender, a ticket should be opened with Microsoft Support, or the sample can be submitted directly through the public portal:

https://www.microsoft.com/security/portal/submission/submit.aspx

Don’t submit samples anonymously; please log in with your Microsoft account, otherwise the request won’t be prioritized in the queue. This TechNet article explains how to submit a sample:

https://technet.microsoft.com/en-us/library/dn762129(v=exchg.150).aspx.

The file which initiated the ransomware infection should be collected and sent by e-mail to your support contact in a password protected compressed archive using the password "infected" (without quotes and in lowercase). If you have the original e-mail containing the ransomware, please include it in the compressed archive. This allows Microsoft Support to check whether the ransomware is detected. If it is not, a sample will be supplied to the laboratory (MMPC) in order to update the definitions and enable detection of the ransomware.

There is a double benefit in doing this: first, once the definitions are updated, the anti-malware will be able to delete the ransomware from your organization. Second, the new definition will be shared with all users of the anti-malware and will prevent others from being infected. It can also prevent other organizations you own from being infected if they are not located at the same place.

The easiest way to collect a sample is generally to check in the Startup folder (C:\users\XXXX\appdata\roaming\microsoft\windows\start menu\programs\startup) whether a file named XXX.tmp or XXX.exe that you don’t recognize has been created. The ransomware wants to stay active and will generally put itself in the Startup folder so that it starts when the machine starts. Other common locations:

 C:\users\XXXX\appdata\
 C:\users\XXXX\appdata\Local
 C:\users\XXXX\appdata\Local\Temp
 C:\users\XXXX\appdata\Roaming
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
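A triage script for the sample collection described above, added as an example that is not part of Microsoft's document. It walks the Startup folder, the AppData locations and the Run keys listed above for every profile and lists recently created executables with their SHA256 hash and signature status, so the right file can be archived and submitted; the 7-day window and the extension list are assumptions chosen for this example, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from Microsoft's document): enumerate the persistence
# locations listed above and report recently created executables with hash
# and signature status. Assumptions: elevated session on the suspect machine,
# PowerShell 4.0+, $MaxAgeDays and $extensions chosen here, not prescribed.
param([int]$MaxAgeDays = 7)

$cutoff     = (Get-Date).AddDays(-$MaxAgeDays)
$extensions = ".exe", ".tmp", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat", ".cmd"

# Relative paths under each user profile, mirroring the list in the document.
$profileSubPaths = @(
    "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "AppData",
    "AppData\Local",
    "AppData\Local\Temp",
    "AppData\Roaming"
)

$findings = foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Directory) {
    foreach ($sub in $profileSubPaths) {
        $dir = Join-Path $profile.FullName $sub
        if (-not (Test-Path $dir)) { continue }
        # Only the directory itself is listed (no recursion): the document
        # describes samples being dropped directly in these folders.
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLower() -and $_.CreationTime -gt $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Profile   = $profile.Name
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeBytes = $_.Length
                    Signature = $sig.Status   # 'NotSigned' on a fresh file is a strong triage signal
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Run keys. HKLM applies to every account; HKCU covers only the account
# running this script, so repeat it in the affected user's session if needed.
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }   # skip PowerShell's own provider metadata
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

"Recently created executables in persistence locations:"
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
"Run key entries:"
$runEntries | Format-Table -AutoSize

# Keep a copy for the support ticket; hashes identify the sample unambiguously.
if ($findings) {
    $findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP "ransomware-triage.csv")
}
```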

Another method, using Process Explorer and its VirusTotal integration, can be used; however, the infected machine has to be connected to the Internet: http://www.sevenforums.com/tutorials/345808-process-explorer-virustotal-check-all-processes-50-avs.html

If you can’t identify the infected machine, see item 5 in this section. In addition, if you can’t identify the malware, Microsoft Support can send you a tool (WOLF) to collect data on your machine, which will help to identify the ransomware.

2. Enable the SCEP behavior monitoring and MAPS

Ransomware continuously changes its shape to avoid being detected by anti-malware, and this can happen several times in the same day. Its goal is to encrypt as much data as possible, on shares and locally. The private key needed to decrypt is sent to the attacker, and a ransom is demanded in exchange for it. The use of public/private key cryptography makes it infeasible to discover or calculate the decryption key. Behavior monitoring reduces the impact of ransomware, even without signatures, by blocking suspect behavior such as programs performing mass encryption.

You’ll find more information on the real-time protection (with the behavior monitoring) by consulting the following links:

- Understanding real-time protection options : https://technet.microsoft.com/en-us/library/ff823769.aspx
- Using System Center Endpoint Protection : https://technet.microsoft.com/en-us/security/jj900682.aspx
- Enhancements to Behavior Monitoring and Network Inspection System in the Microsoft anti-malware platform : http://blogs.technet.com/b/configmgrteam/archive/2013/06/24/enhancements-to-behavior-monitoring-and-network-inspection-system-in-the-microsoft-anti-malware-platform.aspx

Don’t forget to monitor SCCM or the Event Viewer for events related to malware detection, such as event 1116: https://technet.microsoft.com/en-us/library/hh144988.aspx

MAPS, for its part, strengthens protection by providing real-time blocking responses through a cloud service fed by customer feedback.

3. Set the shared folders to Read-Only during the security crisis

This limits the propagation of the ransomware and prevents additional data from being encrypted. The ShareEnum tool from Sysinternals can help identify active shares and their security configuration: https://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

Alternatively, you can use the following PowerShell script: https://gallery.technet.microsoft.com/scriptcenter/a231026a-3fdb-4190-9915-38d8cd827348
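A way to script the read-only step on a file server, as an added example that is not the script linked above nor the article’s own code: it saves the current share permissions to a JSON file (so they can be restored after the crisis) and then downgrades every Change/Full entry to Read. It assumes Windows Server 2012 or later (SmbShare module) and local administrator rights; the backup path is a constructed example.

```powershell
# Added example, not from the original article. Share-level permissions only:
# they combine with NTFS permissions (the most restrictive wins), so Read at the
# share level is enough to stop writes over SMB without touching NTFS ACLs.
$backup = "C:\Temp\ShareAccess-$(Get-Date -Format yyyyMMdd-HHmmss).json"   # constructed path

# Skip special/administrative shares (C$, ADMIN$, IPC$, ...) and other hidden ones.
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -notlike '*$' }

# Snapshot of the current share ACLs, to re-apply once the crisis is over.
$shares | ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Select-Object Name, AccountName, AccessControlType, AccessRight |
    ConvertTo-Json | Set-Content -Path $backup
Write-Host "Share permissions saved to $backup"

foreach ($share in $shares) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Only 'Allow' entries that grant write capability need to change.
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -in 'Change', 'Full') {
            Revoke-SmbShareAccess -Name $share.Name -AccountName $ace.AccountName -Force | Out-Null
            Grant-SmbShareAccess  -Name $share.Name -AccountName $ace.AccountName -AccessRight Read -Force | Out-Null
            Write-Host ("{0}: {1} {2} -> Read" -f $share.Name, $ace.AccountName, $ace.AccessRight)
        }
    }
}

# Verification: no share should still carry a Change or Full 'Allow' entry.
$shares | ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
    Format-Table Name, AccountName, AccessRight -AutoSize
```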

4. Enable the Security Auditing

Enabling Security Auditing (Success and Failure) on the impacted server(s) lets you monitor activity and identify the intrusion vector. For more information on the subject, consult the following articles:

- What's New in Windows Security Auditing: https://technet.microsoft.com/en-us/library/dd560628(v=ws.10).aspx
- Security Audit Policy Reference: https://technet.microsoft.com/en-us/library/dd772623(v=ws.10)

5. Identify the machine(s) where the infection started and remove it from the network

If you discover a share with several encrypted files and you don’t know the source of the infection, you can try to identify the machine or the user with the following steps:

- Check the owner of several encrypted files and, if possible, of the explanation file generally created during the encryption (example names: Howtodecrypt.TXT/.HTML or READ IF YOU WANT YOUR FILES BACK.HTML/.TXT). To do so:
         o Right click on the file and select "Properties"
         o Select the "Security" tab
         o In the "Security" tab, click on "Advanced"
         o At the top of the window you should see the owner

From our experience, when a ransomware encrypts a file hosted on Windows, the file owner is changed to the identity that executed the ransomware and performed the encryption.

If it’s not possible to match the user to a specific machine, go to the server hosting the share and compare the encryption time with the user’s logon entries in the Security event log (they should be logon type 3, Network Logon). You should be able to correlate the user’s logon, the encryption time and thus the machine name.

If you don’t have access to this kind of data (for example in a NAS scenario), you can analyse the logon audit on a Domain Controller and perform the same comparison.

It’s also possible to set up port mirroring if the share’s server is connected to a switch, and/or to collect a network trace to identify the source IP of the encryption. The following blog article explains how to filter the network trace to identify it: http://blogs.technet.com/b/kfalde/archive/2009/07/23/dealing-with-malware-that-creates-exe-s-on-file-shares.aspx

Once you’ve configured a filter rule, for example ((smb.file contains "frtrss") and (smb.create.action == 2)), do a quick test to confirm it works as expected: create a file on the share with the extension used by the encryption (from a CMD prompt, for the frtrss extension: echo test.frtrss >\\server\share\test.frtrss). If you’re using Wireshark, the result should look like this:


The article also describes other methods, using Procmon for example.
If the encryption is still in progress, you can also open MMC.exe, load the "Shared Folders" snap-in and identify the users and machines with an open connection to your share(s):
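The owner/logon correlation described in this step, scripted as an added example (not part of the original article): it collects the owner and write time of every encrypted file under a share, then matches the owners against type 3 logons (event 4624) in the file server’s Security log to list the workstations and source IPs that authenticated as those users. It runs on the file server with logon auditing enabled; the share path, the extension and the 30-minute window are constructed assumptions.

```powershell
# Added example, not from the original article. Run on the file server.
param(
    [string]$SharePath = 'D:\Shares\Finance',   # constructed example
    [string]$EncryptedExtension = '.frtrss',    # extension observed on the share
    [int]$WindowMinutes = 30                    # look this far back before the first encrypted write
)

# 1. Encrypted files with their owner (changed to the encrypting identity) and write time.
$files = @(Get-ChildItem -Path $SharePath -Recurse -File -Filter "*$EncryptedExtension" |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Owner     = (Get-Acl -Path $_.FullName).Owner
            WriteTime = $_.LastWriteTime
        }
    } | Sort-Object WriteTime)
if (-not $files) { Write-Warning "No *$EncryptedExtension files under $SharePath"; return }

$owners = $files | Group-Object Owner | Sort-Object Count -Descending
$owners | Select-Object Count, Name | Format-Table -AutoSize

# 2. Network logons (type 3) between (first write - window) and the last write.
$start  = $files[0].WriteTime.AddMinutes(-$WindowMinutes)
$end    = $files[-1].WriteTime
$logons = Get-WinEvent -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end } |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = [int]$data.LogonType
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    } | Where-Object { $_.LogonType -eq 3 }

# 3. For each owner of encrypted files, the machines that authenticated as that user.
foreach ($o in $owners) {
    $sources = $logons | Where-Object { $_.User -eq $o.Name } |
        Group-Object Workstation, SourceIp |
        ForEach-Object { '{0} ({1} logons)' -f $_.Name, $_.Count }
    '{0}: {1} encrypted files; type-3 logons from: {2}' -f $o.Name, $o.Count, ($sources -join '; ')
}
```

On a Domain Controller the same correlation works against its own 4624 events (and 4768/4769 Kerberos tickets) when the file server’s log is not available, as in the NAS case above.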

To go further: Reduce the impact of an attack and prevent the next ones:

1. Educate users: http://www.microsoft.com/security/online-privacy/phishing-scams.aspx
Users are the primary infection vector in a company. It’s therefore essential to ensure users have the right level of knowledge to NEVER click on an e-mail attachment or a suspicious link, even if it comes from a known source (colleague, family, friend…), because some ransomware versions propagate themselves by e-mail, using the infected machine as a relay and the infected user as sender. Furthermore, a familiar icon (Office document, PDF, folder…) isn’t a guarantee of safety, as some ransomware uses those icons to lull the user’s vigilance.
In addition, if an e-mail attachment asks for an application to be executed, users should NEVER accept. If a user has any doubt, he should get into the habit of contacting the responsible IT team. This lets you check the validity of the attachment in a sandboxed environment or check the link’s reputation: http://www.barracudacentral.org/lookups/lookup-reputation

2. Scan with Microsoft Security Essentials
If Microsoft’s anti-virus detects the ransomware, you can install the "Microsoft Security Essentials" tool on every client machine to run a full scan and detect/remove the ransomware. For more information, consult the following link: http://windows.microsoft.com/en-GB/windows/security-essentials-download
To check the latest available signatures, visit: http://www.microsoft.com/security/portal/Definitions/ADL.aspx

3. Check backup availability
As the decryption key can’t be recovered, the best way to get your files back is to restore them from a backup system such as Volume Shadow Copy or System Restore if they’re enabled, by using Previous Versions of files, or by restoring files or folders with File History (Windows 8.1). The best approach is to put in place an offline backup system, disconnected from the network, so that the backup can’t be reached by the ransomware. This article describes the principles very well: http://www.backupassist.com/blog/support/cryptolocker-and-the-backup-impact/

4. Update machines and software
It’s extremely important to keep your OS up to date with the latest security updates and to check that all your machines have been updated, to avoid an attack using a known and fixed security issue. Microsoft (Office, …) and non-Microsoft (Java, Adobe, …) software has to be updated too. Actually, Java and Adobe represent 90% of the intrusion vectors.
Check the SIR (Security Intelligence Report) for more information about intrusion vectors:
http://www.microsoft.com/security/sir/default.aspx

5. Avoid giving users local administrative rights
It’s highly recommended not to leave users as local administrators of their machines. This limits what an intrusion can do, because some specific actions won’t be allowed. Otherwise, any intrusion into their session takes control of the machine and could compromise the integrity of the Active Directory.

6. Avoid the use of accounts with domain administration rights
The use of accounts able to administer the domain should be reduced to the minimum as long as you’re not sure the system is no longer compromised. If a domain admin account is compromised, the consequences are easy to imagine. Draw up a list of the accounts with domain administration rights and change all their passwords once the attack is over.

7. Pay attention to propagation
Shares, e-mail… a ransomware can use various channels to propagate itself. Limiting the use of shares with write permissions and enforcing security on e-mail attachments are very good practices to limit the possibilities of infection.

8. Manage macros in Office
Many infections come from Office documents received by e-mail that contain malicious macros. Managing macros is a good way to prevent users from executing them without thinking twice. First of all, you need to disable the automatic execution of macros:
https://support.office.com/en-ZA/Article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12#bm2

This is a first step to avoid being automatically infected as soon as an Office document containing a malicious macro is opened. However, it doesn’t prevent the user from clicking "Enable" to execute the macro once the document is open. Thus, you should put in place a Trusted Location for macros: a user will be able to execute macros only from this configured path:
https://support.office.com/en-us/article/Add-remove-or-change-a-trusted-location-7ee1cdc2-483e-4cbb-bcb3-4e7c67147fb4?CorrelationId=cd218d92-02cf-427b-806c-59f6a7c22809&ui=en-US&rs=en-US&ad=US

It may seem useless, but a user is generally tempted to click through every warning until the macro runs. This prevents the user from executing the macro without first moving the file to a specific location, which should mean the user knows he wants to execute a macro and knows why he needs to move the file to a Trusted Location. It reinforces user education, so a user may think twice before executing a macro in an untrusted Office document.

In addition, Office 2016 offers better protection against malicious macros, configurable through GPO: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
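The three settings of this step (macros disabled without notification, the Office 2016 block for files from the Internet, and a single Trusted Location) written to the Word 2016 policy keys for the current user, as an added example that is not part of the original article. In production the same values are deployed with a GPO; the trusted folder path and the Location0 slot are constructed assumptions, and the same keys exist under Excel and PowerPoint.

```powershell
# Added example, not from the original article. Policy keys for Word 2016 (16.0).
$app = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$trustedFolder = 'C:\Macros\Approved'   # assumption: the only place macros may run from
New-Item -Path $app -Force | Out-Null

# Step 1: no automatic macro execution. VBAWarnings 4 = "Disable all without
# notification", so the user never sees an "Enable Content" button to click on.
Set-ItemProperty -Path $app -Name VBAWarnings -Value 4 -Type DWord

# Office 2016 only: block macros in files carrying the Mark-of-the-Web
# (downloaded or received by e-mail), the GPO feature linked above.
Set-ItemProperty -Path $app -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

# Step 2: one Trusted Location; a document must be moved there before its macros run.
New-Item -Path $trustedFolder -ItemType Directory -Force | Out-Null
$loc = Join-Path $app 'Trusted Locations\Location0'
New-Item -Path $loc -Force | Out-Null
Set-ItemProperty -Path $loc -Name Path -Value "$trustedFolder\" -Type String
Set-ItemProperty -Path $loc -Name AllowSubfolders -Value 0 -Type DWord
Set-ItemProperty -Path $loc -Name Description -Value 'Approved macro documents only' -Type String

# Check: read back the effective values.
Get-ItemProperty -Path $app | Select-Object VBAWarnings, blockcontentexecutionfrominternet
Get-ItemProperty -Path $loc | Select-Object Path, AllowSubfolders, Description
```

Restrict NTFS write access to the trusted folder as well; otherwise a Trusted Location only documents the user’s intent and does not limit who can drop files there.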

9. Enable "File Screening Management" if you use a File Server

"File Screening Management" protects your files and shared folders by preventing, according to rules you define, the creation of files with the listed extensions, and it can raise an alert when someone tries to create a file with a disallowed extension. For example, you can block the creation of files with the extension *.encrypted or any other extension used to encrypt your data. You could also block the creation of anything except the extensions on your whitelist. The following links should help you configure this feature:

- File Screening Management: https://technet.microsoft.com/en-us/library/cc732074.aspx
- The basics of Windows Server 2008 FSRM (File Server Resource Manager): http://blogs.technet.com/b/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-server-resource-manager.aspx
- CryptoLocker – File Screens: http://www.catalyticit.com.au/cryptolocker-file-screens/
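A file screen of the kind described above, built with the FSRM PowerShell module as an added example (not part of the original article or the linked posts): a file group of ransomware name patterns, an active screen on the shared folder that refuses matching files, and an event-log notification naming the account that tried. It assumes Windows Server 2012 or later with the FSRM role installed; the share path and the patterns are constructed examples.

```powershell
# Added example, not from the original article.
# Requires the FSRM role: Install-WindowsFeature FS-Resource-Manager
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares'   # constructed example
$patterns  = @('*.encrypted', '*.locked', '*.frtrss',
               'Howtodecrypt.*', 'READ IF YOU WANT YOUR FILES BACK.*')   # ransom-note names too

# File group = the list of name patterns the screen matches.
if (Get-FsrmFileGroup -Name 'Ransomware indicators' -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null
} else {
    New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null
}

# Notification: a warning in the Application log (source SRMSVC). The bracketed
# tokens are FSRM's own placeholders, filled in with the offending user and path.
$notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked [Source Io Owner] creating [Source File Path] on [File Screen Path]: possible ransomware'

# Active screen: the write is refused (a passive screen would only log it).
New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Ransomware indicators' -Notification $notify -Active

# Check the screen exists and is active.
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, Active, IncludeGroup
```

Verification is the same quick test the article suggests for the Wireshark filter: from a client, echo test > \\server\share\test.encrypted must now fail with "access denied" and produce the warning event on the server.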

10. Enable AppLocker (or SRP, Software Restriction Policy, on XP)

It’s one of the most effective protections against ransomware, together with URL filtering and the filtering of compressed files containing executables at proxy and messaging level. This tool allows you to block or explicitly authorize the execution of particular programs according to various criteria (collections, i.e. sets of extensions; file versions; signatures; paths…), and this for specific users/groups. These two articles should help you configure it (don’t forget to tick the Configured check box: https://technet.microsoft.com/en-us/library/ee791885(v=ws.10).aspx):

- Free, almost perfect, malware protection with GPO App Locker: http://community.spiceworks.com/how_to/59664-free-almost-perfect-malware-protection-with-gpo-app-locker
- Stopping CryptoLocker and other ransomware: https://4sysops.com/archives/stopping-cryptolocker-and-other-ransomware/

In addition, here are the paths/extensions most used by CryptoLocker and some other malware:
- %OSDRIVE%\Users\*\AppData\Local\Temp\*.tmp
- %OSDRIVE%\Users\*\AppData\*\*.tmp
- %temp%\*.tmp
- %OSDRIVE%\Users\*\AppData\Local\Temp\*.exe
- %OSDRIVE%\Users\*\AppData\*\*.exe
- %temp%\*.exe

The biggest disadvantage of this tool is that it can block legitimate applications from running. However, it’s possible to configure exception rules to avoid compatibility issues: https://technet.microsoft.com/en-us/library/dd759051.aspx
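An AppLocker EXE policy built from the paths listed above, as an added example that is not part of the original article or the linked posts: Deny rules for Everyone on the AppData drop locations, the two default Allow rules (Program Files and Windows), applied locally in audit mode so legitimate applications that would be blocked show up in the AppLocker event log before enforcement is switched on. It assumes an AppLocker-capable edition (Windows 7 / Server 2008 R2 Enterprise or later) with the Application Identity service running; the rule GUIDs are generated on the fly.

```powershell
# Added example, not from the original article. AppLocker path rules use the
# %OSDRIVE% / %WINDIR% / %PROGRAMFILES% variables; the %temp% entries from the
# list are covered by the first two rules when %temp% has its default location.
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*.exe',
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*.tmp',
    '%OSDRIVE%\Users\*\AppData\*\*.exe',
    '%OSDRIVE%\Users\*\AppData\*\*.tmp'
)
$allowPaths = @('%PROGRAMFILES%\*', '%WINDIR%\*')   # default rules; without them every other EXE is blocked

function New-PathRuleXml([string]$Path, [string]$Action) {
    # S-1-1-0 = Everyone. Deny rules always win over Allow rules in AppLocker.
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Action $Path" Description="Added ransomware example" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @($denyPaths  | ForEach-Object { New-PathRuleXml $_ 'Deny'  }) +
         @($allowPaths | ForEach-Object { New-PathRuleXml $_ 'Allow' })

# AuditOnly: events 8003 (would have been blocked) are logged but nothing is stopped.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-ransomware.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Apply to the local machine, merging with any existing rules.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Check: list the rules now in the local policy.
(Get-AppLockerPolicy -Local).RuleCollections | ForEach-Object { $_ } |
    Select-Object Action, Name | Format-Table -AutoSize
```

Review the "Microsoft-Windows-AppLocker/EXE and DLL" event log for a few days, add exception rules for anything legitimate that appears there, then change EnforcementMode to "Enabled".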

11. Implement strong filtering in Office 365

Lots of malware uses automatic execution to install and propagate itself. It’s therefore recommended to configure an Exchange Transport Rule to block or flag e-mails containing executable content. The engine relies on an extension list and on content scanning to determine whether a file is an executable. The following link details the procedure and gives additional information: http://blogs.msdn.com/b/tzink/archive/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection.aspx

This is based on EOP (Exchange Online Protection). The following articles give more details on EOP:

- Exchange Online Protection overview: https://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx
- Best Practices for configuring EOP: https://technet.microsoft.com/en-us/library/jj723164(v=exchg.150).aspx
- Configure content filter policies: https://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx
- Using transport rules to inspect message attachments: http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx (generic explanations available here: https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx)
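The two kinds of rule this step describes (block and flag), created from an Exchange Online remote PowerShell session as an added example that is not part of the original article: one rule rejects anything EOP’s content inspection classifies as executable, the other raises the SCL and tags the subject of messages carrying macro-enabled Office or script extensions, which the executable-content check does not cover. Rule names, the extension list and the notice text are constructed assumptions.

```powershell
# Added example, not from the original article. Run after connecting to Exchange Online.

# Rule 1: hard reject of executable content (decided by file-type inspection,
# not only by the extension), with an NDR the sender can understand.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted. Contact IT if this was expected.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce -Priority 0

# Rule 2: macro-enabled Office formats and scripts are not "executable content";
# raise their SCL so the content filter policy's high-confidence action applies,
# and tag the subject so user and helpdesk notice.
New-TransportRule -Name 'Flag risky attachment extensions' `
    -AttachmentExtensionMatchesWords 'docm', 'xlsm', 'pptm', 'js', 'vbs', 'wsf', 'hta' `
    -SetSCL 9 -PrependSubject '[SUSPICIOUS ATTACHMENT] ' `
    -Mode Enforce -Priority 1

# Check: both rules enabled and in Enforce mode.
Get-TransportRule | Where-Object { $_.Name -like '*attachment*' } |
    Select-Object Priority, Name, State, Mode
```

Start with -Mode Audit for the second rule to see how many legitimate macro documents your users exchange before enforcing it.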

12. Exchange Online Advanced Threat Protection

This Exchange Online Protection feature executes attachments with unknown signatures in a sandboxed environment to determine whether they are safe:
https://products.office.com/en-us/exchange/online-email-threat-protection

13. Put in place filtering rules at the messaging transport server level

This action is similar to step 11, but for your internal servers. It allows you to filter e-mail attachments such as zip files containing executables.

14. Put in place URL filtering

You can also put in place URL filtering on your proxy servers (for example on TMG: https://technet.microsoft.com/en-us/magazine/ff472472.aspx). This action is your first line of defence.

15. Enable PUA (Potentially Unwanted Application) protection in SCEP

PUAs are a type of application that can increase the risk of malware infection. This article gives all the needed information on this feature:
https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
An important note: enabling this option only catches incoming PUAs, not those already installed.


As a complement, here are some useful links with additional advice:
On ransomware:
- Help prevent malware infection on your PC: http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx
- Ransomware: http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
- The dangers of opening suspicious emails: Crowti ransomware: http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
- Ransomware: Ways to Protect Yourself & Your Business: http://blogs.microsoft.com/cybertrust/2013/11/19/ransomware-ways-to-protect-yourself-your-business/
- How can I prevent encryption viruses such as 'Cryptolocker' and 'Cryptowall'?: https://www2.owens.edu/faq/entry/598/

On TMG:

- URL Filtering: https://technet.microsoft.com/en-us/library/dd897016.aspx
- Content Filtering: https://technet.microsoft.com/en-us/library/dd441062.aspx
- Capacity Planning: http://www.microsoft.com/en-us/download/details.aspx?id=15196

Useful tools to know:

- FireEye and Fox-IT tool that can help recover Crilock-encrypted files (uses known keys collected during the police takedown of a Zeus/Gameover CnC server to try to decrypt your data)
- https://noransom.kaspersky.com/ (uses known keys to try to decrypt your data)
- http://blogs.cisco.com/security/talos/teslacrypt (tool that can decrypt data encrypted by a variant of CryptoLocker named TeslaCrypt)
- ShadowExplorer (browse Shadow Copies)
- Recuva (recovery tool for deleted data)
- Kaspersky RakhniDecryptor, to decrypt the helpme@freespeechmail.org ransomware: http://www.bleepingcomputer.com/news/security/new-helpme-freespeechmail-org-ransomware-can-be-decrypted-for-free/
- TeslaDecoder: http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/

Source: Microsoft

Tuesday, March 21, 2017

Security in the Cloud. Are we ready to move?


During recent years, we have witnessed the explosion of the Cloud Computing era, in which many companies are moving their data to datacenters around the world. The main reason is that organizations benefit from economies of scale, no capital expenditure, the quick availability of computing resources and massive access to storage that fits their requirements perfectly. Moreover, the flexibility of computing resources has enabled them to tune their requirements as and when they need.

However, we must be very careful and think well before moving data to datacenters, as this new model means that we no longer have direct control over our data. It also means that we cannot tell where data is actually being held and processed, since this happens dynamically on different systems that could be at any location in the world. Nevertheless, we must ensure that the confidentiality, integrity and availability of our data are still preserved. A cyber-attack in a cloud environment offers cyber-criminals access to vast amounts of information, such as personal customer information, financial data, intellectual property, business strategy and credit card details, that can be used for criminal purposes.

Traditional on-premise infrastructure enabled us to have our own defence-in-depth mechanisms such as firewalls, Intrusion Prevention Systems, Intrusion Detection Systems, Data Loss Prevention systems, DMZs etc., whereby we had full control over data at rest and in motion. Now, with the relocation of our data to the Cloud, there are several important privacy, security and compliance questions that need to be answered prior to the move.