Infrastructure + Security: Noteworthy News (October, 2019)
Published Oct 17 2019 05:41 AM 3,364 Views

Hi there! You are reading the next issue of the Infrastructure + Security: Noteworthy News series!

As a reminder, the Noteworthy News series covers various areas, to include interesting news, announcements, links, tips and tricks from Windows, Azure, and Security worlds on a monthly basis.


Microsoft Azure

16 new built-in roles - including Global reader - now available in preview

We are excited to announce that 16 new built-in roles for Azure AD – including the highly requested Global reader – are now in public preview. We heard from you that daily admin tasks shouldn’t require you to be a Global administrator. And we couldn’t agree more! These new roles allow you to delegate administration tasks and reduce the number of Global administrators in your directory. These roles are available globally for all subscriptions. Other newly built-in roles include the Authentication administrator and Privileged authentication administrator roles for granting granular permissions for credential management, as well as a set of roles for managing Azure AD B2C.

Azure DNS private zones is now generally available

Azure DNS private zones provide reliable, secure DNS service to host, resolve and manage domain names from a virtual network without the need to add a custom DNS solution.  Azure DNS private zones enables you to effortlessly tailor your DNS namespace design to best suit your organization's needs without having to worry about scalability, security and performance issues that arise from operating a custom DNS solution. Unlike public DNS zone, private DNS zones are not accessible over internet. DNS queries made against a private DNS zones can be resolved only from the virtual networks linked to the zone.

Announcing Azure Private Link

Azure Private Link is a secure and scalable way for Azure customers to consume Azure Services like Azure Storage or SQL, Microsoft Partner Services or their own services privately from their Azure Virtual Network (VNet). The technology is based on a provider and consumer model where the provider and the consumer are both hosted in Azure. A connection is established using a consent-based call flow and once established, all data that flows between the service provider and service consumer is isolated from the internet and stays on the Microsoft network. There is no need for gateways, network address translation (NAT) devices, or public IP addresses to communicate with the service.

Azure AD + F5—helping you secure all your applications

We often hear from our customers about the complexities around providing seamless and secure user access to their applications—from cloud SaaS applications to legacy on-premises applications. Based on your feedback, we’ve worked to securely connect any app, on any cloud or server—through a variety of methods. And today, I’m thrilled to announce our deep integration with F5 Networks that simplifies secure access to your legacy applications that use protocols like header-based and Kerberos authentication. By centralizing access to all your applications, you can leverage all the benefits that Azure AD offers. Through the F5 and Azure AD integration, you can now protect your legacy-auth based applications by applying Azure AD Conditional Access policies to leverage our Identity Protection engine to detect user risk and sign-in risk, as well as manage and monitor access through our identity governance capabilities. Your users can also gain single sign-on (SSO) and use passwordless authentication to these legacy-auth based applications.

Windows Server

Windows Admin Center unleashes Server Core adoption

Since the general availability of Windows Server 2019, we have seen the fastest adoption rate of Windows Server Core in history. If you haven’t heard of Windows Server Core, then you’re really missing out! Windows Server Core is the lightest deployment option of Windows Server Standard or Windows Server Datacenter editions. Why are customers choosing to deploy Windows Server Core now? It’s Windows Admin Center. This new server management tool delivers many of the benefits of the Desktop Experience and is a free download that comes with your Windows Server license. Admins love the intuitive, graphical user interface and the ability to manage your virtual machines from any Windows 10 device. It can be used to log in and manage Windows Server running anywhere. This is a great management option for Windows Server Core because the graphical interface runs locally on your client device and not on your servers. This reduces the size of the operating system that you deploy to support your server workloads.

Windows Client

Windows Virtual Desktop is now generally available worldwide

We’re excited to announce that Windows Virtual Desktop is now generally available worldwide. Windows Virtual Desktop is the only service that delivers simplified management, a multi-session Windows 10 experience, optimizations for Office 365 ProPlus, and support for Windows Server Remote Desktop Services (RDS) desktops and apps. With Windows Virtual Desktop, you can deploy and scale your Windows desktops and apps on Azure in minutes. Since we announced Windows Virtual Desktop last September, and through the public preview announced in March, thousands of customers have piloted the service and taken advantage of the Windows 10 multi-session capability—validating the importance of this feature as a core part of the service. Customers also represented, all major industries and geographies, helping us get feedback from different customer types and locations. As a result, as of today the service is now available in all geographies. In addition, the Windows Virtual Desktop client is available across Windows, Android, Mac, iOS, and HTML 5.


In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks

In recent months, we introduced two machine learning protection features within the behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection. In keeping with the defense in depth strategy, coupled with the “assume breach” mindset, these new protection engines specialize in detecting threats by analyzing behavior, and adding new layers of protection after an attack has successfully started running on a machine.

Your password doesn’t matter — but MFA does!

Your pa$$word doesn’t matter — Multi-Factor Authentication (MFA) is the best step you can take to protect your accounts. Using anything beyond passwords significantly increases the costs for attackers, which is why the rate of compromise of accounts using any MFA is less than 0.1 percent of the general population.

All your creds are belong to us!

Compared to password attacks, attacks which target non-password authenticators are extremely rare. When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on premises and third party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve. But MFA attacks do exist, and in this blog we’ll confront them.

Enhanced visibility into web threats with Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) has rapidly evolved with new protection, detection, and investigation capabilities. But customers continue to ask about web protection with questions like “How can we manage web threats?” and “How can Microsoft Defender ATP help us protect web browsing activities?” In response to these inquiries, we are today giving customers more visibility into web threats affecting their network through the new web protection report which complements existing alerts for web threats, machine timeline events, and detailed domain/URL profiles. Existing Microsoft Defender ATP customers with preview features turned on are now able to experience this enhanced visibility in Microsoft Defender Security Center.

How to Build a Custom AIP Tracking Portal

As adoption of Azure Information Protection continues to accelerate, the need for visibility into who has accessed your protected documents remains consistent. Although we provided a tracking portal that required the classic AIP client, the response showed that it rarely met your needs. Much of the feedback focused on the lack of control over the data displayed to users and administrators. Some of you expressed concern about the oversharing of data with end users (i.e. the location of the person who opened or tried to open the document), while others requested the ability to filter labeling activity by region. Another limitation of the tracking portal was that it required users to manually register each document they wished to track. Given the effort involved to track a file, the feature was seldom used which lead us to remove it from the Unified Labeling (UL) client. But not to worry. Beyond the solution outlined in this blog, there are plenty of other reasons why you should migrate to the UL client today.

CISO series: Lessons learned from the Microsoft SOC—Part 3a: Choosing SOC tools

The Lessons learned from the Microsoft SOC blog series is designed to share our approach and experience with security operations center (SOC) operations. Our learnings in the series come primarily from Microsoft’s corporate IT security operation team, one of several specialized teams in the Microsoft Cyber Defense Operations Center (CDOC). As part of Cybersecurity Awareness month, this installment focuses on the technology that enables our people to accomplish their mission by sharing our current approach to technology, how our tooling evolved over time, and what we learned along the way. We hope you can use what we learned to improve your own security operations.

Top 5 use cases to help you make the most of your Cloud Access Security Broker

Microsoft Cloud App Security is a CASB that allows you to protect all apps in your organization, including third-party apps across cloud, on-premises, and custom applications. Powered by native integrations with Microsoft’s broader product ecosystem, Cloud App Security delivers state-of-the-art security for multi-cloud environments. Today, we explore five of the top 20 use cases for CASBs we identified as giving you an immediate return on your investment with very little deployment effort needed before moving on to more advanced scenarios.

Microsoft Defender ATP EDR support for Windows Server 2008 R2 now generally available

To help customers stay secure while modernizing their infrastructure we’ve extended Microsoft Defender ATP’s EDR capabilities to also support Windows Server 2008 R2. This enhancement delivers a simple to deploy, and frictionless solution that equips security teams with robust behavioral-based threat detection, investigation, and response capabilities. Providing deep visibility on activities happening on server endpoints, Microsoft Defender ATP for Windows Server 2008 R2 gives security teams rich, correlated insights into activities and threats including details on suspicious processes, files, network registry, and memory activities.

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

Machine learning enhanced with artificial intelligence (AI) holds great promise in addressing many of the global cyber challenges we see today. They give our cyber defenders the ability to identify, detect, and block malware, almost instantaneously. And together they give security admins the ability to deconflict tasks, separating the signal from the noise, allowing them to prioritize the most critical tasks. It is why today, I’m pleased to announce that Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available.

CIS Azure Security Foundations Benchmark open for comment

One of the best ways to speed up securing your cloud deployments is to focus on the most impactful security best practices. Best practices for securing any service begins with a fundamental understanding of cybersecurity risk and how to manage it. As an Azure customer, you can leverage this understanding by using security recommendations from Microsoft to help guide your risk-based decisions as they’re applied to specific security configuration settings in your environment. We partnered with the Center for Internet Security (CIS) to create the CIS Microsoft Azure Foundations Benchmark v1.  Since that submission, we’ve received good feedback and wanted to share it with the community for comment in a document we call the Azure Security Foundations Benchmark. This benchmark contains recommendations that help improve the security of your applications and data on Azure. The recommendations in this document will go into updating the CIS Microsoft Azure Foundations Benchmark v1, and are anchored on the security best practices defined by the CIS Controls, Version 7.

Why banks are adopting a modern approach to cybersecurity—the Zero Trust model

Many banks today still rely on a “castle-and-moat” approach—also known as “perimeter security”—to protect data from malicious attacks. Like medieval castles protected by stone walls, moats, and gates, banks that use perimeter security invest heavily in fortifying their network perimeters with firewalls, proxy servers, honeypots, and other intrusion prevention tools. Perimeter security guards the entry and exit points to the network by verifying the data packets and identity of users that enter and leave the organization’s network, and then assumes that activity inside the hardened perimeter is relatively safe. Savvy financial institutions are now moving beyond this paradigm and employing a modern approach to cybersecurity—the Zero Trust model. The central tenet of a Zero Trust model is to trust no one—internal or external—by default and require strict verification of every person or device before granting access.

Support Lifecycle

Extended Security Updates and Configuration Manager

Support for Windows 7 comes to an end on January 14, 2020, and to remain current and supported, customers need to make the shift to Windows 10. For help planning and deploying Windows 10, Microsoft offers guidance and other resources to accelerate the migration. As a last resort option for volume licensing customers running Windows 7 (Professional or Enterprise) and Windows Server 2008 after the end of support date, Microsoft recently announced the Extended Security Updates (ESU) program. Security updates released under the ESU program will be published to Windows Server Update Services (WSUS). This article describes software update management and OS deployment using Configuration Manager for clients covered under the ESU program. In general, products that are beyond their support lifecycle are not supported for use with any version of Configuration Manager as clients or in server roles. As such, following the end of support date for Windows 7 and Windows Server 2008/R2, these operating systems will no longer be tested nor supported with Configuration Manager.

End of service reminders for Windows 10, versions 1703 and 1803

Microsoft strongly recommends that you update your devices to the latest version of Windows 10 to have access to future critical security fixes.

  • Windows 10, version 1703 – Devices running the Enterprise and Education editions of Windows 10, version 1703 received their final quality update on October 8, 2019.
  • Windows 10, version 1803 – Devices running the Home and Pro editions of Windows 10, version 1803 will receive their final quality update on November 12, 2019.

Microsoft Extending End of Support for Exchange Server 2010 to October 13th, 2020

After investigating and analyzing the deployment state of an extensive number of Exchange customers we have decided to move the end of Extended Support for Exchange Server 2010 from January 14th 2020 to October 13th 2020. Our commitment to meeting the evolving needs of our customers is as strong as ever, and we recognize discontinuing support for a product that has been as popular and reliable as Exchange Server 2010 can be an adjustment. We also know that some of you are in the midst of upgrades to a newer version of Exchange Server on-premises, or more transformative migrations to the cloud with Office 365 and Exchange Online. With this in mind, we are extending end of support to October 13th 2020 to give Exchange Server 2010 customers more time to complete their migrations. This extension also aligns with the end of support for Office 2010 and SharePoint Server 2010.

Windows 7 support will end on January 14, 2020

Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and automatic updates that help protect your PC will no longer be made available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available.

Extended Security Updates for SQL Server and Windows Server 2008/2008 R2: Frequently Asked Questions (PDF)

On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don't let your infrastructure and applications go unprotected. We're here to help you migrate to current versions for greater security, performance and innovation.

Products reaching End of Support for 2019

Products reaching End of Support for 2020

Microsoft Premier Support News

Check out Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.

Version history
Last update:
‎Jul 21 2021 12:59 PM
Updated by: