The vultures come home to roost

Well, it’s a very exciting day in IT. Or terrifying, depending on your perspective.

Just last week I hosted an educational event that posed the idea you could be fired for not accelerating your migration to Windows 10. That’s just not for no reason – you can’t survive in the new world of patch compliance if you aren’t using the current branch of everything (Windows, tools, applications).

For a little background, today we witnessed a large-scale global ransomware attack, known as Wcry (or WannaCry), targeting an (*ahem*) allegedly nation-state sourced exploit known as Eternalblue. Here are the broad strokes:

  • It is a self-propagating ransomware payload based on the Eternalblue exploit
  • The vulnerability is mitigated by MS17-010 released in March 2017
  • All supported (mainstream or extended) versions of Windows and Windows Server are affected

How this is going to get sysadmins fired is CIO’s finding out the vulnerability was patched in March. You know, like 2 months ago.

What did your April patch compliance report show for MS17-010?

Right now there are only two types of people in this world, let’s see what you should expect based on which one you are.

I’ve been infected. What can I do?

Near-term action:

  • Forget change control exists, and deploy MS17-010 immediately. Everywhere. To everything running Windows. Even remote computers. Even the CEO’s computer.
  • Disable SMBv1 at endpoints
  • Force update of endpoint protection definitions / engine everywhere
  • Take appropriate steps at your network perimeter
  • Restore or re-provision infected endpoints
  • Throw your Windows XP computers into the Sun, or a nearby gorge
  • Double-check your compliance reports and prepare for Monday’s super awesome status meeting

Long-term strategy:

  • Modernize your systems management toolsets
  • Migrate to Windows 10
  • Eat, sleep and implement Critical Security Controls
  • Shorten your patch compliance window to less than 30 days
  • Implement complementary vulnerability management solutions to verify your patch solution’s reported compliance

I don’t know I’ve been infected.

Near-term action:

  • Yes you have. Avoid the CSO, see advice above.

PS – There’s likely nobody that’s not going to be infected. In only a few hours, nearly 100 countries have been affected.

PSS – If you have 100% patch compliance and you can prove it I will buy you a Coke Pepsi.

2FA for Apple ID is available, do it now! (or don’t, see within)

On March 21st, Apple made two-factor authentication available for certain devices running iOS 9.3 or MacOS X El Capitan.

Now, let me save you some time.

If you are following the instructions, but not seeing 2FA available in your iCloud security settings, you probably have two-step verification already enabled.

In order to configure 2FA, you will have to disable two-step verification from one of your devices. This will require you to provide some inane ‘security question’ answers, but don’t worry – you won’t use them a single time.

One other note – if you’re signing into a MacOS X device with your iCloud credential, that goes away as well. You will be required to set a new local password that will be used to gain access if you cannot access your 2FA device(s). This may be a challenge for centrally managed environments, and could violate one of more of your internal policies. So please ask your IT department before doing this on a company-owned or managed device.

Once you’ve disabled two-step verification, you can follow the instructions linked above to configure 2FA. It’s pretty slick!

Here’s the notification I received on my Mac when changing a setting on my iPhone that required iCloud authentication:Screen Shot 2016-05-02 at 6.40.20 PM

You don’t know it all (and neither do I)!

As I approach the big four-oh and nearly twenty years in IT, I’m starting to get a taste of what wisdom brings to your perspective and hot damn, it is awesome.

In my business (see: IT consulting) you are forever proving yourself to your clients. You are sometimes seen as some know-it-all faux engineer strolling in to turn over rocks and look for jobs to eliminate. And sometimes, you turn over a rock and bam – there is someone underneath that rock looking to poke you in your dollar sign eyes with a stick.

Why? Because they hate you.

Not really, but in any form of advisory you are going to deal with that difficult person in that organization. In fact, it’s very likely they will have proximity to the thing you have been hired to build, fix or evaluate.

But this isn’t about the hardships of your IT consultant (oh, boo-hoo!)… this is about guarding technology culture and organizations against an infection that will limit the potential of what is typically a large group of very, very smart people.

A healthy host can innovate, a sick one is too busy fighting the infection.

So what do you look for?

knowitalls

> look for a perpetually grumpy ‘network administrator’ of 15+ years

> listen for someone using snark as standard verbal currency

> wait for them to tell everyone they are the smartest person in the room / team / company (they will)

Why they are really important!

Like it or not, they probably hold sway in that IT organization, possibly up to and including your CIO or other key leaders (but sometimes it’s Stockholm syndrome all over the datacenter… hardly anybody in a suit understands the witchcraft going on in there).

If you think you are that person in your organization…

You know that ‘slap a coworker day’ meme that says if you don’t know who that person is, stay home? Did you have to think really hard about who that person was and came up empty? There you go… you’re the troll.

Fear not though, friends. There is still time to pivot.

The best way forward is radical candor, backed up with collaboration and a principle that is probably new to you:

You don’t have to share all your rules

What’s the point?

I think it’s really hard for smart people to let go of the guiding principles and frameworks that make them good at what they do. But ultimately, you either figure out how to plan for the group win or you go away.

IT used to be a loose-knitted cabal of highly skilled individual contributors. That worked when you had a thing that you controlled. But you don’t control anything in today’s world of I-want-it-now-and-I-want-it-my-way end users.

The only way IT survives in the business is by forming a special operators group that integrates disciplines, links silos and focuses very limited (and increasingly so!) resources on a specific set of problems that matter to the business.

So, what does the status quo look like?

If you are following my blog, you know I focus on systems management. If you’re new to my world, check this out for a primer.

Goggie

When it comes to managing infrastructure, deploying content and enabling productivity – there is a right way, and then there’s everyone else. I’m not making the argument that this is a simple binary equation (e.g. either you are optimized or you are not). What I’m going to lay out in this piece are the signatures of an incomplete or immature strategy. It’s not meant to insult anyone, rather I have found in my hundreds of exposures to enterprise IT organizations that there are some key indicators upon which we can rely. Maybe as starting points, or in some cases, switches we can ‘flip’ to radically increase productivity.

Let’s take a look:

Indicator #1: Upgrade Hamster Wheel

So, something doesn’t work and the team thinks we need to upgrade to get it? Or maybe the vendor said “that feature is in our next release.” None of this is new to IT, but what you might be missing is how your internal maturity can affect this decision tree. That is, if you have a decision tree (zing!). 

More often than not, you are upgrading because you think you need a new feature or capability. Let’s back up the software truck a minute though, and consider how we got here.

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Well, if I drop everything I can have an image ready by next month. But…”

IT Director says “Great! I’ll go tell him now (so I can look like I get things done)!”

IT Admin /logs off mentally

How many times have you seen this interaction in your IT organization? How many times has it happened to you?

There are sooooooooo many shiny things out there. Even this guy (points thumbs backwards) is known as Shadow IT ™ around the ITS offices. What can YOU do differently?

It’s pretty simple, but it’s not something the IT Admin or IT Pro can do (without some risk to themselves). Better decision making, and higher maturity, begins with the CIO. And that CIO should be embedding a process-driven decision tree framework in their directors and managers. I’m not going to give away all the secrets here, but let’s look at how that conversation goes in a higher-maturity shop:

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Excellent, I’m also excited about Windows 10 and what it can do for our business. I have been thinking a lot about how we can streamline our patch compliance ops with Windows Updates for Business and that will be a key part of our Windows deployment strategy. Who can we leverage internally to build the business case? I’m happy to lead this effort and why don’t we aim for a presentation to the CIO in 30 days?”

IT Director says “Uh, yeah. That sounds good. I’ll set up the meeting (so I look competent at least) for you to present your findings.”

IT Admin /sips coffee, enjoys living in a world where decisions are not made outside of business processes and feels internal joy

You’re right though – it’s not that simple.

However, I will argue there are a few things that must be in place to ensure a better outcome. You may not think these are relevant to systems management, but they are.

Behold, thy truths:

  1. There are defined release and support cycles for operating systems
  2. There is a rapid-response protocol for new device form factors and use cases
  3. There is a cross-functional IT architecture team that drives all decision making for new releases
  4. Your business unit has an approved financial model in which you can evaluate the business benefits of any change or new release

Indicator #2: You always need consulting

I have been a consultant, and now I help manage an IT consultancy. Might seem crazy that I suggest this is a problem… let me explain why!

My view has always been that you shouldn’t bring a consultant in because you don’t know how to do something. You bring in outside expertise to get the benefits of their field experience and help accelerate your project. It’s about wisdom, not skill. We are all smart people… and frankly why would you pay someone else to push the Next button?

Anyways, where we see this problem become business-impacting is when your operations or project offices default to consulting for any change or incident. This is a leading indicator that your team is either under-staffed (meaning they don’t have time, and need outside augmentation) or unsure of how to proceed (there is a process problem).

The real point here is you should have a set process that includes a step to consider outside consulting. The process should not start with nor rely upon outside resources.

Indicator #3: FTE’s go up, but productivity does not

If you are an IT manager or director, you probably have a handful of key people that get things done for you. When a new solution is brought in, or IT expands operations, it is natural to take on additional staff to manage the new workloads.

There are a couple different ways to measure your productivity here: inside the IT team, and within the end user community. Let’s dive in:

IT Pros

Teams should have a defined set of responsibilities, and those should be matched against the available time and broken down by service or product owners. You cannot improve what you don’t measure, and if you’re not measuring you are stuck.

End Users

The ultimate metric for most systems management teams is the relative happiness of their end users. These are the folks that need apps & data to be productive. If you’re not giving them what they want, they way they expect and without compromises – you are probably losing traction with the community that can provide the most leverage for budget allocation – or worst case, your right to exist in the larger organization.

Give people what they want, or they will find someone else who will.

Indicator #4: Process questions are answered with vendor terminology

Finally, this one is a red light and air raid siren for most CIO’s. If you ask your team how something will get done, and the answer is specific to one vendor or product – you’re starting from the wrong place.

Systems and processes need to be born from hard wrenching the chanlleges to your business, not the tools or suppliers that help you deliver the necessary outcomes.

When you break it down to the most basic level, you need to define your why, which will lead you to developing the how. This all needs to happen before you start talking to vendors about how their offerings can help you deliver that.

An introduction to conditional access in ConfigMgr (current branch)

Do you want to keep non-compliant devices from accessing critical company data and prevent otherwise authenticated end users from opening their Exchange store from a non-compliant device, whether it is hosted or on-premise?

Oh snap, y’all.

Something relatively (but not, really) new in ConfigMgr is conditional access for managed devices. Now, this is not your father’s NAC solution, but rather a way for Microsoft to leverage the integration among its services to give you some push-button protection. I’ll do my best to explain how it all works, but you can read this TechNet article for a primer.

First component to this magic is Office 365. You may already be leveraging the mobile device management features that are built in. They look like this:

office protection center

While that is some really nice functionality, if you have ConfigMgr deployed and are feeling froggy – you can go waaaaaaaaaaaay beyond MDM.

Here’s where the conditional access chickens come home to roost, and your investment in Office 365 gets weaponized.

You see, when your Exchange and Sharepoint services are already in the cloud (remember, the magic IT thing?) and you have a management conduit to those services (a la ConfigMgr service connection points) that enables you to do unicorn-level rocket ship engineering with just a few clicks.

Hint: If you need some background on integrations available with ConfigMgr read this article on TechNet.

Let’s dig a little deeper and see how this works. The following diagram is taken from this TechNet article covering ConfigMgr 2012 R2 and shows the basic workflow for conditional access:

The first thing you’ll notice is that two things are checked before conditional access policy is evaluated:

  1. Am I targeted by a policy?
  2. Am I exempted from the targeted policy?

If you are not targeted or are exempted from that policy, then the device is permitted to connect to the service.

If the device is non-compliant in any way, whether that policy comes from Intune or ConfigMgr, or the device is not joined to an authorized domain it will be denied access to the protected service.

Why is this important?

It’s pretty simple – by combining ConfigMgr with Intune (and EMS!) and leveraging the conditional access feature set you are able to limit or deny access to services and data that properly authenticated end users would otherwise be able to obtain and potentially exfiltrate – with no additional systems or software.

Of course, there are some limitations and gotchas here – depending on the device operating system, whether the device is managed by standalone ConfigMgr or a hybrid implementation with Intune… and the specifics of your Office 365 subscription.

Interested? Make sure you check here ‘before you start’ start any implementation design.

Want updates? Better deploy Windows 10 now

A reasonable IT Pro may cast suspicion here…

However, in a post on the Windows Experience Blog, EVP Terry Myers states the following:

…Today we are clarifying our Windows support policy:

Windows 7 will continue to be supported for security, reliability, and compatibility through January 14, 2020 on previous generation silicon. Windows 8.1 will receive the same support through January 10, 2023. This includes most of the devices available for purchase today by consumers or enterprises.

Going forward, as new silicon generations are introduced, they will require the latest Windows platform at that time for support. This enables us to focus on deep integration between Windows and the silicon, while maintaining maximum reliability and compatibility with previous generations of platform and silicon. For example, Windows 10 will be the only supported Windows platform on Intel’s upcoming “Kaby Lake” silicon, Qualcomm’s upcoming “8996” silicon, and AMD’s upcoming “Bristol Ridge” silicon.

Through July 17, 2017, Skylake devices on the supported list will also be supported with Windows 7 and 8.1. During the 18-month support period, these systems should be upgraded to Windows 10 to continue receiving support after the period ends. After July 2017, the most critical Windows 7 and Windows 8.1 security updates will be addressed for these configurations, and will be released if the update does not risk the reliability or compatibility of the Windows 7/8.1 platform on other devices.

The bottom line is that Intel and Microsoft have made a deal, and that deal involves you not getting updates for the magical combination of new hardware and old operating systems.

What should you do here?

In my opinion, there’s not much reason to hold off on Windows 10 at this point anyways. The stability is there, and the experience is compelling. When you look at the capabilities of your systems management tool for Windows 10, combined with the Enterprise Mobility Suite, you really can manage any device, anywhere.

If your organization has a refresh cycle for end user computing, and I hope that’s the case, make sure you understand these key dates:

  • Windows 7 will receive updates through 1/14/2020 on previous generation chipsets
  • Windows 8.1 will receive updates through 1/10/2023 on previous generation chipsets
  • Windows 10 will be required for any new chipsets going forward from now
  • All in, you should be executing on a migration to Windows 10 with a completion date before 7/17/2017

Finally, there has been an update to the original blog post that clarifies which Skylake devices (broken out by manufacturer) will support Windows 7 and 8.1 until 7/17/2017.

Update (3/18/2016): Yet another modification to this policy, with an extension to 7/18/2018. Details at this TechNet article.

The status quo isn’t working

Warning: Bold claims within!

OK, let me give you some background first.

If you read my post about what you don’t know about systems management might kill you, you know I’ve been very focused on systems management for quite some time. Having seen several generations of tools and processes, I wanted to share some best practices.

Whether you are evaluating, deploying, optimizing or scanning your logs in a desperate attempt at remediation you are probably seeing at least one of these conditions:

Architecture health is < 100%

If the platform is not healthy, your site infrastructure won’t be either. If your sites are not healthy, you can’t manage end points. If you can’t manage end points, you can’t do anything.

You have more > 1 deployment process

When I see more than a single hardware-independent deployment or provisioning process, I think of the good ol’ XP and Vista days. When I think about Windows Vista, I get angry. You don’t want to make me angry – and you don’t want to update more than one disk image or task sequence.

Are you leveraging offline servicing to keep your disk images up-to-date?

Patch compliance is < 98%

You simply cannot afford anything less. Sure, the number is arbitrary. But the process know-how to get to a high performance metric and back it up with analytics will help drive your protection and threat mitigation strategy to a high maturity. That’s what you want, by the way 🙂

It takes more than 5 minutes to produce actionable asset intelligence

Do you get drop-by’s from Really Important People who want to know “how many copies of Adobe Acrobat Pro are installed, which version and are they being used?” Do you panic at the invisible complexity no one else sees and doesn’t think about. If you can’t produce results on demand, there’s something out of best practice.

If you’d like more information about how we approach systems management at ITS, you can grab a copy of our newest insights whitepaper at the company website. If you’d like to learn more about the new ConfigMgr-as-a-Service offering from my team please let us know here.