My Office 365 Deployment Experience (Part 1)

This morning when I opened my office email, I received an email from Office 365 saying that I could already use my Office 365 Beta account. When I clicked the link, this was displayed in my web browser.

When checking the country selection, the Philippines was not yet available on the list, so it could not be selected. I selected Singapore for testing purposes. The “.onmicrosoft.com” suffix shows that Office 365 Beta gives you a subdomain to be used online.

Once the fields are completed, the system registers the new account.

While it was setting up the account, I remembered that it has Exchange, Lync, Office and SharePoint, and I wondered how I would configure these. After the account setup, this was displayed in my browser.

Whoa! It sets itself up! No hassles with server management, and none with configuration either. System administrators can sit back and relax while the system does the setup; how swell is that 😉

After it finishes the setup of the three servers, it’s time to prepare the admin and the client PC for Office 365.

Click the “Set up now” link before installing, because it prepares the PC for the Office 365 experience.

Once the installation is finished, it’s time to install Microsoft Lync 2010 and configure your Microsoft Office to work with Office 365.

The Microsoft Lync 2010 installer is available for both 32-bit and 64-bit platforms, and no configuration is necessary. After installing Microsoft Lync 2010, click the “Set up” button located at the bottom of the web page. It prepares your Microsoft Office installation for Office 365. Only Office 2007 and higher can be updated for Office 365 access.

After all of the applications and configuration have finished, you will be directed to the HOME screen, where you can access your OWA (Outlook Web Access), Office Web Apps, and your SharePoint Team Site and Web Site.

Trying the parts of the home page and using the Office Web Apps, I found that the documents created in the Web Apps are stored on the SharePoint Team Site, where you can share them with other team members or use it as your personal file storage.

In order for others to use the cool features of Office 365, we will now add users and see how they access it.

This is the admin screen, where we can add/remove users, reset passwords, configure Microsoft Lync and Outlook, and manage SharePoint Team Sites and Web Sites.

To add users, click the “add new users” link and you will see this screen.

After completing the form, click “Next” to continue.

Assigning permissions lets you set whether the current user has administrative rights, and the location setting checks for any licensing restrictions on using the system.

This allows you to manage which applications the user may access. After clicking the “Next” button, it will assign the proper licenses to the user.

After it assigns the licenses, it will send the login information to the user at the email address you indicate.

Click the “Create” button to start the process.

There you have it; this is how to add a user to Office 365. It is just like creating an email user, while getting much more than email.

The SharePoint part of Office 365 shows the typical screen, the same as SharePoint deployed on local servers. It is also viewable online.

That’s all for now.

What do TMG Firewall and MSE have in common?

Network security engineers used to say that the only secure network is one that is not connected to the Ethernet network at all. This belief no longer holds; wireless networking is rampant these days. It makes compromising one machine from another very easy, but compromising a machine was never limited to the network. There are also removable media (USB, CD, DVD, floppies, etc.), which are very prevalent in our offices nowadays.

Regardless of the medium over which an attack takes place, it is important that we have protection against it. In the earlier networking days it was mostly DoS (Denial of Service) attacks that gave network administrators headaches in managing their company networks. Now, the Internet is the most targeted when it comes to attacks.

Their exploits have become a revenue-earning activity; attackers are paid to do their criminal work on different company sites. Some of them do it not only for fame but also to show their disgust with companies and countries.

One good example of this is the hacking/defacing of some of our government websites. This has happened not only here in our country but in other countries as well. Without going into too much detail, this alone shows that we really need to protect our companies from such attacks.

Network Traffic Inspection

There are two ways to defend your network; one is putting technology on both sides of the network so it can inspect the traffic on your network. Putting a firewall on the network helps you monitor and defend it. Forefront Threat Management Gateway (TMG) is one of the technologies available on the market that can help administrators defend their network.

Most network-based protections cause a bottleneck on the network because of their tight security implementation. For example, putting your TMG Firewall behind a hardware firewall lets the hardware firewall protect you against old-style network attacks instead of the TMG, which does more sophisticated firewall tasks than the hardware firewall.

We all know that what I am talking about here is an expensive Microsoft product, and we cannot put it on every part of the network, but we also need protection on our host operating systems. That gives you protection against both network and Internet attacks.

Network Inspection System – Application layer

This is where NIS, the Network Inspection System, comes in. NIS is Microsoft’s response to those prevalent network attacks. NIS was introduced in the Forefront TMG Firewall to provide sophisticated network IDS/IPS at the edge of the corporate network. Previously Microsoft offered this feature only in TMG’s NIS, but now it also exists in Microsoft Security Essentials version 2.0.

Because of the increasing number of application-layer attacks, Microsoft Research designed GAPA, the Generic Application Layer Protocol Analyzer. It includes a protocol specification language and an inspection engine that operates on network traffic. Because of GAPA, it is easier to develop the protocol parsers that NIS uses extensively.

Vulnerability research and signature development are done by the Microsoft Malware Protection Center (MMPC). For security bulletins that fix publicly unknown vulnerabilities, NIS helps provide immediate protection shortly after the details of the vulnerability become publicly known. The MMPC also responds rapidly to zero-day incidents by releasing NIS signatures for them as soon as they are known. At this time, NIS signatures help detect exploits of vulnerabilities in Microsoft products only. While this might be seen as a limitation when implemented with the TMG Firewall (since the TMG Firewall is intended to protect the entire network), it isn’t a problem at all when NIS is included with Microsoft Security Essentials, since MSE can only be installed on Windows computers.

NIS Signatures

NIS uses three types of signatures when performing its IDS/IPS function.

1. Vulnerability based

2. Exploit based

3. Policy based

At the moment, we don’t know which of the three is used by Microsoft Security Essentials (MSE). The TMG Firewall uses all three signature types.
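To make the difference between the three signature types concrete, here is an added example (not Microsoft’s NIS or GAPA code, and not from this blog): a toy inspection engine in the spirit described above. A small HTTP request parser plays the role GAPA’s generated parsers play for NIS, and three checks play the roles of a vulnerability-based, an exploit-based and a policy-based signature. The header-length limit, the payload marker string, the forbidden methods and all the traffic samples are constructed for the illustration and do not refer to any real flaw.

```python
"""Toy application-layer inspection engine (added illustration, not NIS code).

The parser stands in for a GAPA-generated protocol parser; the three checks
stand in for the three NIS signature types. Every threshold and sample here
is constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed limits and markers for the illustration.
MAX_HEADER_VALUE_LEN = 256                    # hypothetical overlong-header limit
KNOWN_PAYLOAD_MARKER = "EXAMPLE-EXPLOIT-MARKER"  # stands in for one known payload
FORBIDDEN_METHODS = {"TRACE", "CONNECT"}      # methods the administrator disallows


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str]


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers; raise ValueError on malformed input.

    This is the protocol-parser step: signatures run on parsed fields, not on
    raw bytes, so they are not fooled by trivial re-encodings of the request.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, path, version = lines[0].split(" ", 2)
    except ValueError as exc:
        raise ValueError("malformed request line") from exc
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


def vuln_overlong_header(req: HttpRequest) -> bool:
    """Vulnerability-based: matches the *condition* that would trigger a
    hypothetical overlong-header flaw, whatever bytes were used to pad it."""
    return any(len(v) > MAX_HEADER_VALUE_LEN for v in req.headers.values())


def exploit_known_payload(req: HttpRequest) -> bool:
    """Exploit-based: matches one specific, already-seen payload string."""
    return KNOWN_PAYLOAD_MARKER in req.path


def policy_forbidden_method(req: HttpRequest) -> bool:
    """Policy-based: flags protocol usage the administrator has forbidden."""
    return req.method in FORBIDDEN_METHODS


SIGNATURES: List[Tuple[str, Callable[[HttpRequest], bool]]] = [
    ("vuln-overlong-header", vuln_overlong_header),
    ("exploit-known-payload", exploit_known_payload),
    ("policy-forbidden-method", policy_forbidden_method),
]


def inspect(raw: bytes) -> List[str]:
    """Return the names of all signatures that fire on one request.

    A request the parser cannot handle is reported as its own finding rather
    than silently passed, so malformed traffic is never waved through.
    """
    try:
        req = parse_http_request(raw)
    except ValueError:
        return ["parse-error"]
    return [name for name, check in SIGNATURES if check(req)]


# Constructed traffic samples: a benign request, the known payload, two
# different paddings of the same overlong-header condition, a forbidden
# method, and an unparseable request.
SAMPLES: Dict[str, bytes] = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "known-payload": b"GET /?q=" + KNOWN_PAYLOAD_MARKER.encode() + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "overlong-A": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"A" * 300 + b"\r\n\r\n",
    "overlong-B": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"B" * 300 + b"\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "garbage": b"garbage\r\n\r\n",
}


def run_samples() -> Dict[str, List[str]]:
    """Inspect every constructed sample and return the findings per sample."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:14s} -> {findings or 'clean'}")
```

The two overlong samples show why the page distinguishes the first two types: an exploit-based signature only knows the payload it was written for, while a vulnerability-based one fires on any variant that reaches the vulnerable condition.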

 

Application Layer Protocols Supported by NIS

  • HTTP
  • DNS
  • SMB
  • SMB2
  • NetBIOS
  • MSRPC
  • SMTP
  • POP3
  • IMAP
  • MIME

 

This list contains the most abused protocols on the network.

The TMG Firewall gives you control as a network administrator, while MSE is designed for use by consumers and small businesses.

Future of Business Productivity – Office 365

Happy new year everyone!!! A new year, a new technology to discuss. The future of productivity, formerly known as BPOS or Business Productivity Office Suite, has been renamed Office 365. As a follow-up to the cloud computing I blogged about before, Office 365 is an office productivity suite in the cloud.

In this discussion, we will be talking about Microsoft Exchange Online, SharePoint Online, Lync Online, and Office Web Apps services. We will also discuss how they differ from locally installed software. From what I see, it’s like having your own office workspace in the cloud.

Office 365 vs BPOS

The initial idea behind BPOS was to make Microsoft Exchange, SharePoint, Office Communication Center and Office Live Meeting available without spending too much on software and in-house servers. By combining collaboration tools and messaging in this product, Microsoft could already answer a company’s needs for email, messaging, calendaring, document sharing, presence, and audio and video conferencing for as low as Php 400.00 per user/month.

So what can Office 365 deliver? It is an integration of both BPOS and Office Web Apps. The Enterprise version even includes a licensed Office Professional Plus working hand in hand with Office Web Apps to promote document sharing and collaboration. This means that if there are updates to the software available in Office 365, it updates automatically and you automatically get the new functions and services of that software without the hassle of installing and administering it. An educational version of this product for schools and other educational institutions is also planned.

IT Productivity

IT productivity moves to the cloud; that is what happens if you choose the service-based Office 365. With this service you get Microsoft Exchange Online, SharePoint Online, and Lync, which is also known as Office Communications Online. All of the software available with Office 365 is the latest version of the product, and whenever there is a new update to those products, it will be updated automatically.

Software updates are not the only advantage of having this service; there are other takeaways you benefit from by using it. The following are only some of the benefits you may have while using this product.

  • Data backup: you don’t have to worry about your Exchange Server, because it is backed up automatically across different locations, but if you want another backup server within your own offices, you may pay a little extra for that.
  • You need not worry about antivirus and anti-spam, because they are already managed by Microsoft.
  • You will still get the same Outlook experience, so no training is necessary for email users.
  • Just like your local Exchange Server, you may still use it on other platforms like Windows Mobile, iPhone, Mac, PCs, Android, BlackBerry, etc. It also works on different browsers.
  • It supports up to 25GB of email storage. (Just like with Hotmail 😉 )
  • You may use Office 365 with your own domain email.

SharePoint, on the other hand, can be used for document collaboration within the office. It may also be used as a document library for document safekeeping, and for updating calendars to keep your team up to date all the time.

Lync can be used for office messaging and audio/video conferencing. You may also integrate your Exchange server online with it by means of voicemail and presence. Lync servers could also be integrated with your PBX system in the future.

The most important benefit we get from using this service is having big data centers located around the world. Imagine the geo-redundancy we get just by using this service.

Office 365 Flavors

Office 365 will be available for Small Businesses, Enterprise, Kiosk and Education.

  • Office 365 for Small Business
    o Replaces Office Live Small Business.
    o Only available for organizations with up to 50 users.
    o Doesn’t have most of the features of the Enterprise edition.
    o No BlackBerry synchronization, Active Directory Federation or email archiving.
  • Office 365 for Enterprise
    o You may select which Office features to use and not to use.
    o Has single sign-on, voicemail and Unified Communications.
    o Office 2010 Pro Plus is also an option with this edition.
  • Office 365 for Kiosk
    o This is a pay-per-use offering of Office 365.
  • Office 365 for Education
    o This is targeted at rebranding the Live@Edu offering.

Microsoft promises that Office 365 will be 99.9% operational, so it is expected to be always online 365 days a year (maybe that is why it is called Office 365 🙂 )

Windows Azure: A Consumer Security Point of View

One of the newest buzzwords today, Cloud Computing, is starting to spread through enterprise companies, making them start to learn how having Software as a Service (SaaS) can be beneficial for them. Organizations can create, deploy, manage and distribute their web-based applications on their local network or on the Internet. But the question is, how secure is this technology? Here we will discuss the so-called “hot spots” of how Microsoft answers the security issues of Windows Azure.

Cloud Computing has a lot of irresistible features. From its savings on physical hardware to its scalability and ease of management, Cloud Computing is really a key player at this level. Even though it has many remarkable features, companies still question how it is secured. This makes companies hesitate at the turning point of adopting this technology.

How does Azure work?

The Azure platform is divided into three parts:

1. Windows Azure (Operating System as a Service)

2. SQL Azure (cloud-based data storage)

3. .NET Services

The platform can be used as Software as a Service (SaaS) or locally (Software plus Services). Microsoft has invested a lot in hardware for Windows Azure to work and be accessed over the Internet. Software developers can build applications that run on Azure. The data can be stored in SQL Azure, a cloud database based on SQL Server.

Each instance runs on a separate machine using Windows Server 2008 and is managed by a hypervisor designed for the cloud computing environment. In this way, Azure takes advantage of virtualization technology. Software can be developed as a Web Role instance or a Worker Role instance. Worker Role instances do not have IIS installed on their VMs and accept no incoming network connections, but they can send information out. A Web Role, on the other hand, can accept incoming and send outgoing HTTP and HTTPS requests.

Azure on Security

Microsoft developed Azure with security in mind; one of the important aspects of security they worked on is verifying the identities of those who request access to it. Microsoft has a .NET Access Control Service which works with web services and web applications to integrate common identities.

They identify users by means of a Security Assertion Markup Language (SAML) token created by a Security Token Service (STS). The STS provides digital information about the user and works like a certificate that lets the user access the cloud. The STS validates the signature on the SAML token sent by the client application, such as a web browser, and creates a new token for the application to present to the cloud application.
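The exchange described above, as an added example that is not Microsoft’s Access Control Service code and not from this blog: an identity provider asserts who the user is, the STS validates that signature and issues a fresh token scoped to one cloud application, and the application accepts only tokens the STS signed for it. To keep the example self-contained, tokens are JSON signed with HMAC-SHA256 rather than SAML assertions with XML signatures, the two keys are constructed for the illustration, and the clock is passed in explicitly so the expiry check is deterministic.

```python
"""Token exchange through a Security Token Service (added illustration).

Simplification: JSON + HMAC-SHA256 stands in for SAML + XML-DSig; a real STS
verifies an X.509 signature on a SAML assertion. Keys are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

IDP_KEY = b"constructed-identity-provider-key"  # signs the token the client brings
STS_KEY = b"constructed-sts-signing-key"        # signs the token the STS issues
TOKEN_LIFETIME = 300                             # seconds, constructed for the example


def _sign(claims: dict, key: bytes) -> str:
    """Encode the claims and append an HMAC over the encoded body."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, key: bytes, audience: str, now: int) -> Optional[dict]:
    """Return the claims only if signature, audience and expiry all check out.

    The signature is checked before the body is parsed, with a constant-time
    comparison, and a token meant for a different audience is rejected even
    when its signature is valid.
    """
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def identity_provider_issue(user: str, now: int) -> str:
    """Step 1: the user's identity provider asserts the identity, for the STS."""
    return _sign({"sub": user, "aud": "sts", "exp": now + TOKEN_LIFETIME}, IDP_KEY)


def sts_exchange(incoming: str, app: str, now: int) -> Optional[str]:
    """Step 2: the STS validates the incoming signature and, only then, issues
    a new token scoped to the requested cloud application."""
    claims = verify(incoming, IDP_KEY, "sts", now)
    if claims is None:
        return None
    return _sign({"sub": claims["sub"], "aud": app, "exp": now + TOKEN_LIFETIME}, STS_KEY)


def cloud_app_accept(token: str, app: str, now: int) -> Optional[str]:
    """Step 3: the cloud application trusts only STS-signed tokens issued for
    itself; it never accepts the identity provider's token directly."""
    claims = verify(token, STS_KEY, app, now)
    return claims["sub"] if claims else None


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed clock value
    idp_token = identity_provider_issue("alice", t0)
    app_token = sts_exchange(idp_token, "payroll-app", t0)
    print("accepted user:", cloud_app_accept(app_token, "payroll-app", t0))
    print("IdP token presented directly:", cloud_app_accept(idp_token, "payroll-app", t0))
    print("after expiry:", cloud_app_accept(app_token, "payroll-app", t0 + 2 * TOKEN_LIFETIME))
```

The audience field is what stops the token the STS issued for one application from being replayed against another, and the separate keys are what stop a client from skipping the STS and presenting its identity-provider token straight to the application.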

Microsoft Windows Azure Security Layer

Sensitive assets are protected by more sophisticated means such as multi-factor authentication (smart cards, biometrics, and hardware tokens). The principle of giving the least level of access at the user level is also implemented and followed.

The SDL or Secure Development Lifecycle principle (secure by design, secure by default, and security in deployment and communications) was applied by Microsoft to the cloud to ensure the security of the online services.

Windows Azure is deployed in Global Foundation Services data centers, so it enjoys the security provided by GFS. GFS also helps developers ensure that their applications’ data is secured at the application layer, but it does not restrict developers in deciding which data to encrypt.

SQL Azure, on the other hand, is like managing SQL Server locally, but this time the server is deployed in the cloud and is capable of spanning the database across more than one physical system.

Security Policies in a Consumerized IT Environment

There are a lot of technologies available nowadays to consumers, IT and non-IT alike. Technologies like the iPhone, iTouch, iPad, BlackBerry, laptops and netbooks are easy to acquire and use. Even “Lola Techie” could attest that these technologies are easily adopted by people who want to understand them.

The good thing about this is that it makes our online lives easier. It even boosts our job performance, which gives us promotions and higher pay. So what we do is buy more of these technologies to further boost our competencies at work.

But the more these technologies are introduced into our working environment, the more IT insecurity they create. For example, a netbook that was used in a coffee shop and got infected with malware and viruses could infect the network environment at the office, and other consumer IT equipment as well.

Because of this scenario, it becomes a problem for most IT administrators to maintain the security of the network environment. How can we maximize security without making the technology hard to use?

Security Concerns

IT concerns in a consumerized environment can be categorized into two parts:

  • Threats induced by consumer applications
    o Email
    o Social networking sites
    o Web access
  • Threats induced by consumer hardware
    o Laptops
    o Mobile phones
    o Mobile tablet PCs

Looking at these categories, it seems hard to impose a security policy on these devices, because they mostly act as tools that make us more productive for our companies, not to mention the millions of mobile workers in the field and in their homes. But there is a way to do it.

IT administrators solve this by putting a web proxy on their network, disallowing employees from accessing unpermitted sites, and making that an office IT policy; and by disallowing personally owned consumer hardware on company premises so it cannot infect your internal network, keeping your IT environment malware/virus free.

Threats and Risk Assessment

The proper way to make a guideline for securing your IT network is to define the threats and assess the risks the network will encounter while this consumer equipment is on the network.

These are some of the issues IT administrators deal with when consumer technologies affect the network.

  • Worms and viruses from different websites, such as social networking sites and online games, that may steal confidential company information or destroy company-owned IT equipment, which could result in service downtime and data theft.
  • Leakage of competitive data when mobile computers and mobile phones are stolen, lost, or accidentally accessed by family members at home.
  • Uncontrolled sharing of company secrets outside and within company networks.

Defining Policy Guidelines

Because of the threats defined above, we must develop company policy guidelines to be enforced for the mobile, consumerized IT environment. This includes:

  • Security of company data on every PC and mobile computer.
  • Security of communications, especially employee-to-employee communications (i.e. VPN or DirectAccess).
  • At least the capability for the company to wipe stolen/lost company mobile computers remotely.
  • The company network should be capable of checking the health of every mobile PC while it is connected to the network, to prevent the spread of viruses and malware on the company network.
  • Enforce content filtering to control which files are synced between company computers and employees’ mobile devices.
  • Generate a policy on which software applications company employees may use on corporate computers.
  • Capability for agent/agentless configuration to enforce security remotely through the company network.
  • Develop a policy for employees who use social networking within the company network.
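One way to turn the guideline points above into something the network can actually check when a device connects, as an added example that is not from this blog or from any product: a small health-check evaluator that scores a device against the points the list names (data encryption, remote wipe, up-to-date antivirus and patches, a VPN profile, an application allowlist, and the company-owned-hardware rule) and reports every reason a device fails, so the user and the administrator know what to fix. The thresholds, attribute names, allowlist and sample devices are all constructed for the illustration; a real deployment would read the attributes from the endpoint agent the page mentions.

```python
"""Device health evaluation against a consumerization policy (added illustration).

Everything numeric and every name here is constructed for the example; the
attributes would normally come from an endpoint agent or directory query.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy parameters.
ALLOWED_APPS = {"outlook", "lync", "word", "excel"}  # application allowlist
MAX_AV_SIGNATURE_AGE_DAYS = 3                        # antivirus signatures must be this fresh
MAX_PATCH_AGE_DAYS = 30                              # security patches must be this recent


@dataclass
class Device:
    name: str
    company_owned: bool
    disk_encrypted: bool
    remote_wipe_enrolled: bool
    av_signature_age_days: int
    patch_age_days: int
    vpn_configured: bool
    installed_apps: List[str] = field(default_factory=list)


def evaluate(device: Device) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every policy point is checked, not just the
    first failing one, so the report lists everything that needs fixing."""
    reasons: List[str] = []
    if not device.company_owned:
        reasons.append("personally owned hardware is not permitted on the internal network")
    if not device.disk_encrypted:
        reasons.append("company data on the device is not encrypted")
    if not device.remote_wipe_enrolled:
        reasons.append("device cannot be wiped remotely if lost or stolen")
    if device.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append(f"antivirus signatures are {device.av_signature_age_days} days old")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"security patches are {device.patch_age_days} days behind")
    if not device.vpn_configured:
        reasons.append("no VPN/DirectAccess profile for employee-to-employee traffic")
    unapproved = sorted(set(a.lower() for a in device.installed_apps) - ALLOWED_APPS)
    if unapproved:
        reasons.append("unapproved applications installed: " + ", ".join(unapproved))
    return (not reasons, reasons)


def triage(devices: List[Device]) -> Dict[str, bool]:
    """Map each device name to its admission decision."""
    return {d.name: evaluate(d)[0] for d in devices}


# Constructed inventory: a compliant laptop, a tablet with stale antivirus
# signatures, and a personal netbook that fails on every point.
SAMPLE_DEVICES = [
    Device("corp-laptop-01", True, True, True, 1, 10, True, ["Outlook", "Lync"]),
    Device("corp-tablet-02", True, True, True, 5, 3, True, ["Word"]),
    Device("personal-netbook", False, False, False, 14, 90, False, ["Outlook", "TorrentClient"]),
]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        allowed, reasons = evaluate(dev)
        print(f"{dev.name}: {'ALLOW' if allowed else 'DENY'}")
        for r in reasons:
            print(f"  - {r}")
```

Keeping the decision as a list of reasons rather than a bare yes/no matters in practice: a device that is denied for stale antivirus signatures can be sent to a remediation network to update and retry, while one denied for being personally owned is a policy conversation, not a technical fix.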

Synopsis

On a consumerized IT network, we must remember that we should choose which technologies we allow to access our networks. We should also categorize the applications to be used while in the office. Lastly, we should create a policy that governs how users use their consumer IT equipment in and out of our company premises. Consumer technology will be around for a very long time, and we should be prepared to deal with the non-stop change of technology.