Thursday, 7 November 2013

Microsoft Lync Zero Day Attack




On 5th November a zero-day vulnerability in Microsoft software was reported by McAfee Labs senior security researcher Haifei Li. The bug affects a range of products, including Lync clients. Microsoft have been informed of ongoing targeted attacks, mostly in the Middle East and South Asia, that have exploited this flaw.
The vulnerability is due to a bug in the handling of TIFF files and results in memory corruption, which can be exploited to gain elevated access to the targeted system.

Lync products affected include:

Lync 2010 x86, x64
Lync 2010 Attendee
Lync 2013 x86, x64
Lync Basic 2013 x86, x64
Office 365 is not affected by the exploit.

Microsoft have released a temporary patch that blocks rendering of the TIFF format by way of the registry modification below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1
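For admins who want to verify the workaround is actually in place across a fleet, here is an added PowerShell audit script (not from the original post or from Microsoft's Fix it). It assumes only the key and value quoted above; the check of the WOW64-redirected view for 32-bit clients on 64-bit Windows is this script's own addition.

```powershell
# Added example, not from the original post or from Microsoft's own Fix it: audits the
# DisableTIFFCodec workaround quoted above and applies it only when -Apply is passed.
# Only the key and value named in the post are assumed (REG_DWORD DisableTIFFCodec = 1
# under HKLM\SOFTWARE\Microsoft\Gdiplus). Writing under HKLM needs an elevated session.
param([switch]$Apply)

$ValueName = 'DisableTIFFCodec'
$KeyPaths  = @('HKLM:\SOFTWARE\Microsoft\Gdiplus')
# 32-bit Lync clients on 64-bit Windows read HKLM\SOFTWARE through the WOW64-redirected
# view, so that view is audited too; checking it is this script's addition, not the post's.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KeyPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus'
}

function Get-TiffCodecState {
    param([string]$KeyPath, [string]$Name)
    $present = $false
    $value   = $null
    if (Test-Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $present = $true
            $value   = $item.$Name
        }
    }
    # Only a REG_DWORD of exactly 1 disables the codec; a REG_SZ "1" or a DWORD 0 does not.
    $compliant = $present -and ($value -is [int]) -and ($value -eq 1)
    New-Object PSObject -Property @{ Key = $KeyPath; Present = $present; Value = $value; Compliant = $compliant }
}

function Set-TiffCodecDisabled {
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force replaces a value of the wrong type (e.g. REG_SZ) with the required REG_DWORD.
    New-ItemProperty -Path $KeyPath -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

$allCompliant = $true
foreach ($path in $KeyPaths) {
    $state = Get-TiffCodecState -KeyPath $path -Name $ValueName
    if ($Apply -and -not $state.Compliant) {
        Set-TiffCodecDisabled -KeyPath $path -Name $ValueName
        # Re-read rather than trust the write, so the report reflects the registry as it is.
        $state = Get-TiffCodecState -KeyPath $path -Name $ValueName
    }
    if (-not $state.Compliant) { $allCompliant = $false }
    $state | Select-Object Key, Present, Value, Compliant
}

# A non-zero exit code lets an SCCM compliance item or a GPO startup script flag the machine.
if ($allCompliant) { exit 0 } else { exit 1 }
```

Once the permanent security update is installed, remove the value again (Remove-ItemProperty) so TIFF rendering is restored; the workaround is an interim measure, not a replacement for patching.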

Microsoft advise installing EMET (the Enhanced Mitigation Experience Toolkit), which is able to mitigate this exploit in advance when any of the following mitigations are enabled for Office binaries:
Multiple ROP mitigations (StackPointer, Caller, SimExec, MemProt), available in EMET 4.0
Other mitigations (MandatoryASLR, EAF, HeapSpray), included in EMET 3.0 and 4.0

EMET can be deployed via group policy or SCCM for blanket coverage of all vulnerable clients.

Friday, 30 August 2013

Lync is Microsoft's Fastest Growing Business – ComputerWorld got it Wrong

ComputerWorld published an article earlier this month entitled “Microsoft pushes into crowded Unified Communications market”. The article provides a reasonably balanced view of the current state; however, I have a few caveats. In one section it states:

“In the crowded UC market, it (Lync) competes against offerings from vendors including Cisco, IBM, Avaya, Siemens, Alcatel-Lucent, Mitel and ShoreTel.

However, Lync isn't being hailed as a product that stands out from the rest in any significant way nor that is blazing trails of innovation in this UC market.”

I disagree: Lync does stand out from the rest in one very important, deal-making way. Lync is fully integrated with the more traditional Microsoft products; it embeds itself into Office, SharePoint and Exchange, making Lync an extension of the existing business worker stack. It was designed from the outset to operate in this way. Microsoft intended the deep integration that Lync provides into existing workflows, and indeed only they can achieve this, as they produce all of the other software as well.
The competition developed its products to be competitors for traditional telephony, a separate, isolated system, only producing the illusion of integration using applications such as CUCILync.

Lync is now Microsoft’s fastest growing business, with 30% growth this year taking it past the billion dollar revenue mark.
There are also a billion registered users of Microsoft Office out there, and Exchange is an immensely popular corporate e-mail platform; a large percentage of this user base will migrate from either old PBX systems or other VoIP systems onto Lync, as the benefits of that coupling are great and the enterprise licensing cost outlay is minimal. In addition, if they are already using Office and Exchange then they are a Microsoft shop and likely to be in a position to adopt the technology faster and with better in-house support. Lync has a lot of growing to do and a lot of market cap to take.

Voice engineers I talk to accept that the products they work with are separate systems and are quite happy to keep developing these for their clients. They just don’t get that voice has no future as a stand-alone product with its own dedicated infrastructure. Voice is already part of unified communications stacks, and for a system to have a future it must provide all of the core communication modalities equally well, with transitions between IM, e-mail, voice, video and application / desktop sharing being as seamless as possible. Only Lync currently comes anywhere close to offering this.

Cisco rely on their rock-solid reputation as justification to buy into their systems: telephony is mission critical, so you must have the most reliable platform with its own dedicated everything.
But Lync is the only system thus far to pass the Miercom SIP torture test for reliability.

Zeus Kerravala, founder and principal analyst with ZK Research, was quoted in the article referring to Lync, stating "It's a good, competitive, traditional UC tool." The most important thing is that Lync isn’t traditional, it’s ground-breaking.

The significance of the Lync – Skype integration was skimmed over in the article. They mention that it will allow support teams to move into an era of customer partnership models, but Skype is also a ready-made global VoIP network, and it’s free. Almost all of us have devices that can run Skype; its user base is already huge, giving Microsoft a distinct advantage in the UC market place, and decisions as to which UC platform to migrate to will in part depend on the answer to the question “is it compatible with our Skype customers?” Cisco recognise this as a serious threat, hence the pending legal case between them.

See http://www.reuters.com/article/2013/05/28/cisco-microsoft-court-idUSL5N0E933220130528

It’s clear in this new UC landscape those clutching at the past and pushing products that see voice as a separate entity to be placed on the desk alongside the ubiquitous in-trays of the world will be relegated to history. Some very big players in the market today that initially claimed Lync as a non-threat will be pushed out of that market by the very same product.

The UC space may be crowded with products, but saturation is still only at 51% globally, and 90% of the Fortune 100 already have a Lync investment that is surely only going to grow as they retire more traditional systems, many of which are listed among the competition. The big blow here for them will be the loss of those very lucrative support and maintenance contracts.

Microsoft have done a rare thing: produced a world-beating product in a space where they have very little experience, and in a comparatively short period of time.


Lync is going to be very big. Don’t believe me? Then check back here in two years and leave your comments then.

Thursday, 4 July 2013

Lync Server 2013 CU2 Paired Pool Update

On Monday 1st July 2013 Microsoft released their second cumulative update for Lync Server 2013. Unlike the first, which involved breaking SQL mirrors for Enterprise Edition, it seems Microsoft have listened and improved the Lync upgrade process: SQL mirrors are now fully supported and there is no need to rebuild your HA arrangements afterward.
However, all is not as simple as it may seem.

TechNet guidelines on deploying the Lync CUs are causing confusion; the following is an extract from the site:

Lync Server 2013 Update Installer
"The front end servers in an Enterprise Edition pool are organized into upgrade domains. These upgrade domains are subsets of front end servers in the pool. Upgrade domains are created automatically by Topology Builder.
You must upgrade one upgrade domain at a time, and you must upgrade each front-end server in each upgrade domain. To do this, take one server in an upgrade domain offline, upgrade the server, and then restart it. Then, repeat this process for each server in the upgrade domain. Make sure that you record which upgrade domain and servers that you have upgraded".
Fairly straightforward so far. Unlike Lync 2010, Lync 2013 uses Windows Fabric, organises its users into groups and its FE servers into upgrade domains: logical constructs which contain one or more FE servers. Use the following command to see which FE servers have been assigned to which upgrade domains (numbered 1, 2, 3 etc.):
Get-CsPoolUpgradeReadinessState
If the command returns a status of True against each upgrade domain, the pool is ready for upgrade. Proceed to upgrade each server listed in turn, first draining the server with:
Stop-CsWindowsService –Graceful
Then, once active sessions on that server have ceased, launch the upgrade package, LyncServerUpdateInstaller.exe.
Once the upgrade on the first server is complete, restart all Lync services and verify their status prior to proceeding to the next server.
Once all servers within the first upgrade domain have been upgraded, proceed to the next upgrade domain and repeat the above process.
However, TechNet goes on to state the following if the status returned by the upgrade readiness check is not True:

"If the State value of the pool is Busy, wait for 10 minutes, and then try to run the Get-CsPoolUpgradeReadinessState cmdlet again. If you see Busy for at least three consecutive times after you wait 10 minutes in between each attempt, or if you see any result of InsufficientActiveFrontEnds for the State value of the pool, there is an issue with the pool. If you cannot resolve this issue, you may have to contact Microsoft Support. If this pool is paired with another front end pool in a disaster recovery topology, you must fail the pool over to the backup pool, and then update these servers in this pool".


It seems that this is being interpreted in one of two ways:
Firstly, if upgrade readiness returns "Busy" (or anything other than "True") and this persists, then you must contact Microsoft for assistance, unless you are running paired pools, in which case you can invoke failover and then commence the upgrade.
Secondly, regardless of Busy or True states for upgrade readiness, if you are running a paired pool topology then you must invoke a pool failover to be able to upgrade, prior to failing the pool back to upgrade the second pool of the pair.
The first interpretation is correct, and there's a supporting flowchart on TechNet to confirm it.
If the upgrade readiness command returns True then, regardless of anything else, your environment can be updated. However, replies from Microsoft support for clarification have suggested that "you must fail over the FE pool to its DR pair to perform the upgrade, then fail back and upgrade the DR pool". This is not correct and is in conflict with the procedure on TechNet. Come on Microsoft, if your own people aren't on the same page here then how are we expected to manage?
Regarding the rest of the CU2 update, once all FE servers are upgraded you still have the remaining Lync infrastructure to tackle, including the back end.
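To take the interpretation question out of the operator's hands, here is an added PowerShell gate (not part of the post or of Microsoft's TechNet guidance) that encodes the TechNet rule quoted above: Busy means wait 10 minutes and retry, three consecutive Busy results or InsufficientActiveFrontEnds means stop and escalate, and anything else proceeds only if every upgrade domain reports ready. The -PoolFqdn parameter and the State, UpgradeDomains, Name, Servers and IsReadyForUpgrade property names are assumptions about the cmdlet's output, not confirmed by the post.

```powershell
# Added example, not part of the post or of Microsoft's TechNet guidance: gates a CU2
# upgrade on the readiness check described above. Assumptions (not confirmed by the post):
# Get-CsPoolUpgradeReadinessState accepts -PoolFqdn, and its output exposes State plus an
# UpgradeDomains collection whose members carry Name, Servers and IsReadyForUpgrade.
# Run in the Lync Server Management Shell; this script installs nothing itself.
param(
    [Parameter(Mandatory = $true)][string]$PoolFqdn,
    [int]$WaitMinutes = 10,
    [int]$MaxConsecutiveBusy = 3
)

function Wait-PoolUpgradeReady {
    param([string]$Fqdn, [int]$WaitMinutes, [int]$MaxBusy)
    $busy = 0
    while ($true) {
        $readiness = Get-CsPoolUpgradeReadinessState -PoolFqdn $Fqdn
        switch ([string]$readiness.State) {
            'Busy' {
                $busy++
                if ($busy -ge $MaxBusy) {
                    # TechNet: three consecutive Busy results means there is an issue with the pool.
                    Write-Warning "Pool $Fqdn reported Busy $busy times in a row; do not upgrade, escalate."
                    return $null
                }
                Write-Host "Pool $Fqdn is Busy; waiting $WaitMinutes minutes (attempt $busy of $MaxBusy)"
                Start-Sleep -Seconds ($WaitMinutes * 60)
            }
            'InsufficientActiveFrontEnds' {
                Write-Warning "Pool $Fqdn has insufficient active Front Ends; do not upgrade, escalate."
                return $null
            }
            default { return $readiness }   # any other state: let the per-domain check decide
        }
    }
}

function Get-UpgradeOrder {
    param($Readiness)
    # Every upgrade domain must report ready. Servers are returned grouped per domain so
    # that one domain is finished before the next is started, as the guidance requires.
    $notReady = @($Readiness.UpgradeDomains | Where-Object { -not $_.IsReadyForUpgrade })
    if ($notReady.Count -gt 0) {
        Write-Warning ("Upgrade domains not ready: " + (($notReady | ForEach-Object { $_.Name }) -join ', '))
        return $null
    }
    $Readiness.UpgradeDomains | ForEach-Object {
        New-Object PSObject -Property @{ UpgradeDomain = $_.Name; Servers = @($_.Servers) }
    }
}

$readiness = Wait-PoolUpgradeReady -Fqdn $PoolFqdn -WaitMinutes $WaitMinutes -MaxBusy $MaxConsecutiveBusy
if ($null -eq $readiness) { exit 1 }
$order = Get-UpgradeOrder -Readiness $readiness
if ($null -eq $order) { exit 1 }

# Print the plan before touching anything; TechNet asks you to record which upgrade domain
# and servers you have completed. Each server is then handled in turn, on that server:
#   Stop-CsWindowsService -Graceful                 (drain; wait for sessions to end)
#   LyncServerUpdateInstaller.exe                   (the CU2 package)
#   Start-CsWindowsService; Get-CsWindowsService    (restart and verify before the next server)
$order | ForEach-Object { "{0}: {1}" -f $_.UpgradeDomain, ($_.Servers -join ', ') }
exit 0
```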

Microsoft have also posted a warning that if you install the CU2 update and then roll back to CU1 your Lync databases will revert to the RTM version, please see the link below for further details:

http://support.microsoft.com/kb/2819565

Tuesday, 4 June 2013

Outlook.com Claim your address now


Microsoft have released Outlook.com as a true cloud replacement for the Live.com and Hotmail.com systems we have used for years, converging on the now-familiar interface of Windows Server 2012, Windows 8 and Windows Phone. While having a Hotmail.com address on your resume was slightly embarrassing, an Outlook.com address is a lot more credible.

You could rename your existing Live / Hotmail account to a new Outlook.com account, or simply start again with a new Outlook.com address, but there is another way: continue using your existing Hotmail account, but with the Outlook.com interface, and create a new alias on the Outlook.com domain.


An alias works just like a real email address, but it’s not a separate account. If you have Xbox Live achievements, Zune purchases or a Windows Live ID, or you have a Windows Phone and don’t want to hard-reset it, then they will all still work, because you retain the Live / Hotmail account but also have a new Outlook address which you can use for your email.

There are, however, a few things to consider: you can only create up to five aliases each year. You won’t be able to use an alias on Windows Phone or any other mobile client or email application; it will only work from the Outlook.com web interface, and you can’t sign in to Outlook.com with an alias, you must continue using the original Hotmail account.

To set up an Outlook.com alias:

Log into Outlook.com with your Hotmail credentials. This will enable the Outlook.com user experience on your Hotmail account, and going forward it won't matter whether you sign in at hotmail, live or outlook, you'll get the new look.
  1. Once in, click the cog wheel located at the top right of the page.
  2. In this menu, select "More mail settings".
  3. Now look for the option "Create an Outlook alias" under the "Managing your account" title.
  4. Enter your chosen alias and click Create.
  5. You have the option of receiving mail in a separate folder or in your Hotmail inbox; personal choice here.
My advice is get in quick before your chosen address is taken by others. Microsoft are working towards decommissioning Hotmail / Live accounts and Live Messenger ceases to exist this coming March. Outlook.com and Skype are the next generation communication tools and non corporate versions of Exchange and Lync.
With Outlook.com, you get the new Metro-style interface and the brawn of what is one of the most powerful email services around.

Friday, 17 May 2013

Microsoft Kill Conferencing


Conferencing is dead. But that doesn't mean web, audio and video conferencing are things of the past. They are merging into integrated components of a larger collaboration platform that includes conferencing tools as well as chat, shared whiteboards, etc. Conferencing implies a single-purpose tool that is used independently and procured separately; a conferencing “system”.

This type of environment, a unification of many communication modalities, provides Visual Conversations (see zkresearch.com) a natural mode of communication more aligned to “real” meetings of old.

It is Microsoft that is farthest along this road to true communication unification. At their Lync Conference 2013 a work / life balance was a central theme of the keynote, with phrases like "re-humanization of communication," "bring the living room to the boardroom," and "you're not just a worker" used often. This consumer-driven theme felt very Skype oriented, but is new to the Lync discussion. Reference points for the future of Microsoft's Lync and Skype evolution all related to a focus on users, minimizing barriers, multiple platforms, and support for mission critical operations. Innovations like WebRTC are clearly key to full unification; currently Lync Web App lets any user join a meeting from a PC or Mac browser, but requires a browser plugin. Once this standard is ratified (and Microsoft is going against the grain with this one) any user on any browser can enjoy the benefits of full Lync / Skype communication modalities with no barriers.

The Lync – Skype integration is central to Microsoft’s UC plans. Skype brings to the Lync ecosystem over 300 million users, targeting a scale of billions of users and transactions. When compared to the number of Lync Enterprise Voice users, 5 million, these numbers are indeed staggering. In addition, the importance of the Microsoft Office installed user base isn’t lost on Microsoft: with nearly 1 billion Office users out there, the scope to grow an installed user base for UC modalities is vast.

Microsoft's core value proposition to the Enterprise is not a sea of Skype users; it’s an end-to-end communications ecosystem that includes an identity engine and central directory (AD), email (Exchange), content creation (Office), content management (SharePoint), and real-time communications including presence, IM, audio, video, data sharing and conferencing (Lync), all tightly integrated and available across the user's preferred devices. Making it easier and more intuitive to interact across these broad layers of the communications ecosystem is the name of the game. Replicating a familiar experience between Office applications, with which a billion users are familiar, in the Lync environment is a very logical place for Microsoft to focus.

Missing from this picture are the social networking aspects of B2C or B2X communications, a corporate Facebook for collaboration. This is in Microsoft’s plans and comes in the shape of Yammer, a fully established enterprise social network. Expect integration to come with the next major release of Lync – 2014.

Additionally there is the advent of the Lync Room System (LRS), and the tight integration it offers between Microsoft Outlook, OneNote and Lync. The Lync Room System has the potential to eliminate the historic barriers that have limited group video as a method of communication, making it easier to schedule, join and moderate, and making content sharing a more natural part of room-based collaboration. The Office and OneNote integration, on the other hand, can make group collaboration more effective, making it easier to include traditional best practices such as meeting agendas, notes and action items.

In summary, Microsoft has a set of technologies and products becoming ever more tightly integrated forming a single identifiable ecosystem, harnessing an existing user base and a new global network with familiar, intuitive, ever pervasive interfaces. How will the balance of power shift in unified communications with over a billion users relying on Lync/Skype for telephony, messaging, conferencing, presence and feeds?

Tuesday, 14 May 2013

Supporting Microsoft Lync Architecture

With huge financial savings to be made by fully exploiting the Microsoft enterprise license agreement, organizations needing to make efficiency savings are looking to Lync. Here in the UK, and rather surprisingly, this is most prevalent within the public sector. Year-on-year cuts across the whole sector have forced a thorough re-evaluation of all assets. IT services is an easy target; equipment, licenses, support etc. all add up to a significant investment of Cap-ex and ongoing Op-ex. Move from VMware to Hyper-V, Oracle to SQL and the PBX to Lync, and you have saved a fortune on licenses, ongoing maintenance contracts and the specialists within your teams needed to support the tech.


No one is implying that Microsoft products are better in some way than the omnipresent industry mainstays, rather the opposite, but they are cheaper, and the senior management thinking is “migrate all of our services to Microsoft systems and our IT teams can consolidate down to just a few Microsoft guys”, implying that Microsoft SharePoint and System Center occupy the same skill set.

Whichever way you look at it, Lync is replacing analogue phone systems and VoIP telephony alike, and bringing with it the deep office application integration that no one else offers, not to mention mobility.
As an organization looking to leverage the benefits of Lync for increased business efficiency and cost savings, it’s easy to get it all wrong and difficult to get it right; here are a few pointers:
Understand the components. Lync is not only gateways, phones, 3rd party applications, load balancers and the front end / back end roles, but also the IP network, DNS, firewalls, reverse proxies and Active Directory.
Develop and share your UC strategic plan. If your Cisco experts think CUCM is the future, and Microsoft experts think Lync is the future then without buying into some common management direction, the end solution may be watered down, less efficient and provide less up-time.

Decide whether you intend to support in-house or outsource as a managed service. Outsource if you’re moving fast and lack the required skills. If self-supporting, read on.

Align your teams. Retain experts in each key technology and bring them together to provide a shared service for the end users. Realign your teams, or at the least, break down the silos amongst Subject Matter Experts. They should commit to providing 99.999% service.

Choose systems integration partners carefully. Picking an SI with a broad portfolio and deep experience ensures your next decisions and investments will be future-proofed. Using a general Systems Integrator who handles Windows, VMware and Exchange may be a mistake. Lync is a complex product; you need specialists.

Select components wisely. No less than five gateway manufacturers have at one point entered the market. Three remain. Even prior to Nortel being acquired by Avaya, the LG-Nortel IP phones were being discontinued. Ensure the SI partner offers a broad range of hardware and advice on who is exiting the market and who is investing.

Develop custom SOPs. The first-tier help desk should not always call the Lync expert if there’s an issue impacting Lync, because the issue may well be the Hypervisor, the LAN, or the trunk. Offer training enabling them to qualify issues and triage them to the correct tier-2 expert.

Get comprehensive, custom training. Effective Lync training for systems administrators is hard to come by. You can find installation/administration training on the market, but it’s aimed at certification, so once the system is installed half of the training is redundant. Consider using an expert to help your team understand how to diagnose and resolve issues relevant to your system, not an exam scenario.
Retain an SME. Ensure you hold the contact details for a Lync subject matter expert, possibly the one that designed the solution. Bring them in at consultancy rates when you hit a problem that can’t be resolved in-house.

It’s easy to sell UC solutions to end users, specifically Lync UC. Unlike much of the IT technology we invest in within business (routers, firewalls, SANs etc.) it’s high impact; the users get to see it and interact with it, it’s a shiny new toy. But it’s providing a critical service, and moreover it’s replacing a device which we have come to rely on for even the most trivial operations: the PBX, the telephone. When it works it’s a look into the future of business; when it fails it will be your worst nightmare.


Current Top 7 Operating Systems by Internet usage.

Based on current trends we will see the standings shown below from June 2013.
Windows 8 has leapfrogged Windows Vista and Apple's OS X to sit behind Windows XP.

As XP now enjoys only extended support and each new computer system ships with Windows 8, we can expect XP to drop to the number 3 spot in the future.
 
The debate as to whether Windows 8 will ever see widespread use within industry will continue until it does and inevitably eventually occupies the number one spot ahead of Windows 7.

1. Windows 7
2. Windows XP
3. Windows 8
4. Mac OSX
5. Windows Vista
6. iOS
7. Linux