Windows 10 Licensing: Virtualization Rights (in CSP)

Starting in September 2017, Windows 10 Enterprise subscriptions purchased through the Cloud Solution Provider (CSP) program will include virtualization rights.

The CSP program is intended for Microsoft service partners, giving them greater flexibility in building cloud services into their own solutions.

Companies licensed with Windows 10 Enterprise E3/E5 or VDA E3/E5 subscriptions (per-user licensing) will be able to install Windows 10 Enterprise in a virtual machine running on Microsoft Azure or on a shared server at a Microsoft hosting partner certified as a "Qualified Multi Tenant Hosting Partner".

Important to know:

- Companies already licensed with E3 or E5 will benefit from the new virtualization rights at no additional cost.

- Subscriptions purchased through the CSP program do not provide on-premises virtualization rights, only rights in the cloud.

For local (on-premises) virtualization rights, licenses must be purchased through the Volume Licensing programs: Open, EA, MPSA.



Author: Catalin Iancu

Exchange Server Licensing - June 2017 update

The "Advanced Mobile Policies" functionality no longer requires Enterprise CAL licensing.

Excerpt from the Microsoft Product Terms:

Author: Catalin Iancu

Microsoft SPLA Licensing: Licensing Models and Reporting

What are the main Microsoft SPLA licensing models?

1. SAL - Subscriber Access License
2. Proc - Per Processor
3. Core - Per Core (Physical or Virtual Core)

How are Microsoft SPLA products activated?

Microsoft SPLA products can be installed using the online media kits available in the Microsoft portal, VLSC (Volume Licensing Service Center), or the media can be ordered for a fee (on physical media) from any CSR/SPLA Reseller.

After installation, they can be activated online using the keys available in the Volume Licensing Service Center portal, or by phone by contacting the Microsoft activation center (https://www.microsoft.com/en-us/Licensing/existing-customer/activation-centers.aspx).

How can we identify the use rights for Microsoft SPLA products?

The rights granted for each Microsoft product, depending on edition, version and licensing model, are found in the Services Provider Use Rights (SPUR) document, which contains all the terms and conditions of use.


Can Microsoft SPLA products be used for evaluation and testing?

Yes, the Microsoft SPLA program allows service providers to use the products for:

- Internal use
- Demos for customers
- Trial/evaluation for customers
- Internal evaluation and testing


What is the sales channel for Microsoft SPLA licenses?

What is a service provider?

According to the Microsoft SPLA licensing program and the conditions set out in the Microsoft Services Provider License Agreement: “Service Provider” - means an entity that provides software as a service through the internet, a telephone or private network using software either (a) licensed from Microsoft through SPLA or a third party entity; or (b) software developed by the entity itself…


How does the service provider report Microsoft SPLA licenses?

Service providers must send the SPLA Reseller or CSR, monthly, a report containing the number of licenses used, or a zero-usage report.

Monthly reporting

This is a report containing the number of Microsoft licenses used by the Service Provider to deliver services to its customers.

This report must contain:

- usage of Microsoft applications for the previous month
- end-customer details, if there are customers receiving services that include Microsoft licenses worth more than 1,000 dollars.
- the country where the licenses are used (country of usage)

The report is sent to the SPLA Reseller within a maximum of 10 days from the last day of each calendar month.


Zero-usage report (Zero usage)

If no Microsoft licenses were used in the previous month, a monthly report (with zero usage) must still be provided to the SPLA Reseller.

Zero-usage reporting is only possible during the first 6 months of the contract (SPLA Agreement). After this period expires, the service provider must report usage of at least 100 dollars to keep its Microsoft SPLA contract active.

Licenses used for internal use, demos for customers, trial/evaluation for customers, or internal evaluation and testing are not reported.

Author: Catalin Iancu

SAM in the Cloud: Why is it important to monitor cloud consumption?


Cloud application and service providers frequently claim that using the cloud is a “setting and forgetting” concept, and that the main benefit for organizations is cost reduction (software licensing, equipment maintenance, administration, etc.).

The challenge, and the point that is generally overlooked, is that this model is consumption-based, and without “supervising” the amount of cloud used, spending could be much higher than for on-premises solutions.

According to last year's Gartner report, the cloud market is growing, and the trend is for organizations to replace the traditional licensing model with one based on subscriptions and consumption.

For the migration of applications to the cloud to be an investment rather than a cost, organizations need permanent visibility into consumption, by correctly interpreting the new licensing metrics: “per user”, “per CPU hour”, etc.
As with on-premises infrastructure, a Software Asset Management program helps build a complete picture of how software applications are used in the cloud.


Such a solution can answer, in real time, the essential questions that arise when discussing IT purchases, budget planning and/or reducing software consumption costs:

How many cloud applications is our organization using right now?

What is the utilization rate of the current subscriptions?

Which subscriptions have gone unused in the last 6 months?

How many new subscriptions were purchased this year compared with the previous year?

How many subscriptions grant the right to use the application both in the cloud and in the desktop version?

What are the current costs of the applications used in the cloud versus the costs previously associated with using them on premises?

Knowing the answers to the questions above, the organization will be able to analyze whether it is using the most suitable cloud service plans, and to verify that the number of subscriptions matches its needs.

The main advantages of a SAM program for the cloud are:

Visibility into consumption – Monitoring with a technical solution that collects data by connecting directly to Software as a Service (SaaS) environments: Microsoft Office 365, WebEx, Salesforce, and to Amazon CloudWatch, Google Stackdriver, Microsoft Azure.

Control of virtual resources - Cloud service providers let customers create virtual machines very easily, in a small number of clicks. These machines are often oversized and/or never decommissioned, which has a major financial impact on the organization.

Choosing the right payment plan, under the right form of contract

By implementing the policies defined in such a program, automatic consumption limits can be set, the risk of oversizing the required resources is eliminated, and realistic cost forecasts can be made for different periods: per month or per year.

Author: Catalin Iancu

Windows Server 2016 Licensing: Licensing in Virtual Environments


   1. Editions and Features
   2. Licensing model
   3. Licensing in physical environments
   4. Licensing in virtual environments
   5. Upgrading, Downgrading, Volume activation, Azure Hybrid & External Users


How is Windows Server Datacenter licensed for virtual environments?

When a physical server is licensed with the Datacenter edition, an unlimited number of virtual machines can run on the server.

The essential condition is that all active cores on the physical server are licensed, subject to the following rules:

- for each physical processor in the server, a minimum of 8 cores must be licensed, even if fewer are available
- for each physical server, a minimum of 2 processors and a total minimum of 16 cores must be licensed, even if fewer are available.

How is Windows Server Standard licensed for virtual environments?

Licensing a physical server with the Standard edition grants the right to run a maximum of 2 virtual machines on the server.

All active cores on the physical server must be licensed, subject to the following rules:

- for each physical processor in the server, a minimum of 8 cores must be licensed, even if fewer are available
- for each physical server, a minimum of 2 processors and a total minimum of 16 cores must be licensed, even if fewer are available.

For every two additional virtual machines, all the cores available on the physical server must be licensed again.

Example:

The minimum number of licenses required for each server is determined by the total number of cores available:

If 2 additional virtual machines are to be used, an additional 16 Windows Server Standard licenses must be purchased/assigned.

Tips & Tricks:

1. If some of the physical cores available on the physical server are disabled and not used by Windows Server 2016, do they still need to be licensed?

No. For example, for a physical server with 64 cores available, if 16 of them are disabled, only 48 will require licensing.

Note: This exception does not reduce the minimum number of processors and cores that must be licensed:
- for each physical processor in the server, a minimum of 8 cores must be licensed, even if fewer are available
- for each physical server, a minimum of 2 processors and a total minimum of 16 cores must be licensed, even if fewer are available.

2. Does enabling hyper-threading (for physical processors) affect Windows Server 2016 licensing?

No. Windows Server 2016 is licensed based on the number of physical cores, not virtual ones.

3. Starting with Windows Server 2016, support was introduced for "nested virtualization" - a virtual machine can run inside another virtual machine.
What impact does this have on Windows Server licensing in virtual environments?

A virtual machine running inside another virtual machine is a scenario that requires licensing 2 virtual machines.

4. How is Nano Server licensed?

Nano Server is a deployment option for Windows Server 2016 Standard and Datacenter.

It is licensed according to the Windows Server edition it is derived from.



Author: Catalin Iancu


Windows Server 2016 versus Previous versions - Feature Comparison: Security



This article compares selected security features of Microsoft Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.


Windows Server 2016 delivers layers of protection that help address emerging threats and meet your compliance needs, making Windows Server 2016 an active participant in your security defenses. These include the new Shielded Virtual Machine feature that protects VMs from attacks and compromised administrators in the underlying fabric, extensive threat resistance components built into the Windows Server 2016 operating system and enhanced auditing events that will help security systems detect malicious activity.


- Shielded Virtual Machines and Guarded Fabric help provide hosting service providers and private cloud operators the ability to offer their tenants a hosted environment where protection of tenant virtual machine data is strengthened against threats from compromised storage, network and host administrators, and malware.

- Credential Guard helps prevent pass-the-hash attacks by utilizing virtualization-based security to isolate credential artifacts from administrators. Credential Guard offers better protection against advanced persistent threats by protecting credentials on the system from being stolen by a compromised administrator or malware.
Credential Guard can also be enabled on Remote Desktop Services servers and Virtual Desktop Infrastructure so that the credentials for users connecting to their sessions are protected.

- Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.

- Device Guard uses Virtualization Based Security to ensure that only allowed binaries can be run on the system. If the app or driver isn’t trusted, it can’t run.
Device Guard can also help protect Remote Desktop Services to lock down what applications can run within the user sessions.

- AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker and Device Guard can be used in tandem to provide a wide set of software restriction policies that meet your operational needs.

- Control Flow Guard (CFG) protects against an attacker corrupting the control flow of a process by changing the addresses of indirect calls. Windows user mode components are created with Control Flow Guard built-in and vendors can also include Control Flow Guard in their binaries using Visual Studio 2015.

- Windows Defender is malware protection that actively protects Windows Server 2016 against known malware and can regularly update antimalware definitions through Windows Update. Windows Defender is optimized to run on Windows Server supporting the various server roles and is integrated with PowerShell for malware scanning.

- Distributed firewall and microsegmentation - The distributed firewall is a network layer, 5-tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multi-tenant firewall. When deployed and offered as a service by the service provider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from Internet and intranet networks—this process is known as microsegmentation.

- Host Guardian Service is a new role in Windows Server 2016 that enables Shielded Virtual Machines and Guarded Fabric.
Guarded Fabric: Shielded VMs can only run on Guarded hosts. These hosts need to pass an attestation check to make sure they are locked down and comply with the policy that enables Shielded VMs to run on them. This functionality is implemented through a Host Guardian Service deployed in the environment which will store the keys required for approved Hyper-V hosts that can prove their health to run Shielded VMs.

- Device Health Attestation Service - For Windows 10-based devices, Microsoft introduces a new public API that will allow Mobile Device Management (MDM) software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition to other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.

- Privileged Access: Just Enough Administration - Administrators should only be able to perform their role and nothing more. For example: A file server administrator can restart services, but should not be able to browse the data on the server.
Just Enough Administration (JEA) provides a role-based access platform through PowerShell. It allows specific users to perform specific administrative tasks on servers without giving them administrator rights.
JEA is built into Windows Server 2016 and you can also use WMF 5.0 to take advantage of JEA on Windows Server 2008 R2 and higher.

- Privileged Access: Just-in-Time Administration - The concept of Just-in-Time Administration helps transform administration privileges from perpetual administration to time-based administration. When a user needs to be an administrator, they go through a workflow that is fully audited and provides them with administration privilege for a limited time by adding them to a time-based security group and automatically removing them after that period of time has passed.
The deployment of Just-in-Time Administration includes creating an isolated administration forest, where the controlled administrator accounts will be managed.

- Virtualization Based Security (VBS) is a new protected environment that provides isolation from the running operating system so that secrets and control can be protected from compromised administrators or malware. VBS is used by Device Guard to protect kernel code, Credential Guard for credential isolation and Shielded VMs for the virtual TPM implementation.

- Virtual TPM: Trusted Platform Module - Implemented in Windows Server 2016 Hyper-V, a Generation 2 virtual machine (Windows Server 2012 and later) can now have its own Virtual TPM so that it can use it as a secure crypto-processor chip. The virtual TPM is a new synthetic device that provides TPM 2.0 functionality.
Virtual TPM does not require a physical TPM to be available on the Hyper-V host, and its state is tied to the VM itself rather than the physical host it was first created on so that it can move with the VM. VMs with a virtual TPM can run on a guarded fabric.
The Shielded VM functionality uses the Virtual TPM for BitLocker encryption.
Client machines running on Virtual Desktop Infrastructure can now use a vTPM as well.

- Windows BitLocker drive encryption provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume and/or data drives.

- Security improvements to SMB 3.1.1 include pre-authentication integrity and SMB encryption improvements.
Pre-authentication integrity provides improved protection from a man-in-the-middle attacker tampering with SMB’s connection establishment and authentication messages. Pre-Auth integrity verifies all the “negotiate” and “session setup” exchanges used by SMB with a strong cryptographic hash (SHA-512). If your client and your server establish an SMB 3.1.1 session, you can be sure that no one has tampered with the connection and session properties.
SMB 3.1.1 offers a mechanism to negotiate the crypto algorithm per connection, with options for AES-128-CCM and AES-128-GCM.


- Dynamic Access Control - Apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:
• Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.
• Control access to files by applying safety net policies that use central access policies. For example, you could define who can access health information within the organization.
• Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
• Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

- AD Rights Management Services - provides information protection for your sensitive information. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.


- Azure Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS).

- Enhanced auditing for threat detection - Based on the Microsoft internal security operation center, Windows Server 2016 includes targeted auditing to better detect malicious behavior. These include auditing access to kernel and sensitive processes as well as new data in the logon events. These events can then be streamed to threat detection systems such as the Microsoft Operations Management Suite to alert on malicious behavior.

- PowerShell 5.1 security features - There are several new security features included in PowerShell 5.1. These include: Script block logging, Antimalware Integration, Constrained PowerShell and transcript logging.
PowerShell 5.1 is also available for install on previous operating systems starting from Windows Server 2008 R2 and on.
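
The SMB 3.1.1 pre-authentication integrity check described in the list above can be reproduced in a few lines; this is an added example, not Microsoft's code and not part of the original article. The message strings, the session key and the function names are constructed for illustration; the zero starting value, the SHA-512 chaining and the "SMBSigningKey" KDF label follow the published MS-SMB2 specification rather than this page.

```python
import hashlib
import hmac
import struct


def preauth_hash(messages):
    """SHA-512 chain over the handshake: H = SHA512(H_prev || message)."""
    value = bytes(64)  # the chain starts from 64 zero bytes
    for msg in messages:
        value = hashlib.sha512(value + msg).digest()
    return value


def derive_key(session_key, label, context, bits=128):
    """SP 800-108 counter-mode KDF with HMAC-SHA256 (one block covers 128 bits)."""
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", bits)
    return hmac.new(session_key, data, hashlib.sha256).digest()[: bits // 8]


def signing_key(session_key, transcript):
    """The transcript hash is the KDF context, so the key depends on every message."""
    return derive_key(session_key, b"SMBSigningKey\x00", preauth_hash(transcript))


# Constructed stand-ins for the wire messages (not real SMB2 packets).
HANDSHAKE = [
    ("c2s", b"NEGOTIATE dialect=3.1.1 ciphers=AES-128-GCM,AES-128-CCM"),
    ("s2c", b"NEGOTIATE-RESPONSE dialect=3.1.1 cipher=AES-128-CCM"),
    ("c2s", b"SESSION_SETUP token=constructed-auth-blob"),
]
SESSION_KEY = bytes(range(16))  # constructed; really produced by authentication


def run_handshake(in_transit=lambda direction, msg: msg):
    """Return (client_key, server_key); in_transit models the network path."""
    client_view, server_view = [], []
    for direction, msg in HANDSHAKE:
        delivered = in_transit(direction, msg)
        if direction == "c2s":
            client_view.append(msg)        # what the client sent
            server_view.append(delivered)  # what the server received
        else:
            server_view.append(msg)
            client_view.append(delivered)
    return (signing_key(SESSION_KEY, client_view),
            signing_key(SESSION_KEY, server_view))


def strip_gcm(direction, msg):
    """Constructed tampering: rewrite the client's cipher offer in transit."""
    if direction == "c2s" and msg.startswith(b"NEGOTIATE"):
        return msg.replace(b"AES-128-GCM,", b"")
    return msg


if __name__ == "__main__":
    ck, sk = run_handshake()
    print("untampered: keys match =", hmac.compare_digest(ck, sk))
    ck, sk = run_handshake(strip_gcm)
    print("tampered:   keys match =", hmac.compare_digest(ck, sk))
```

In the real protocol the final session setup response is signed with this key, so a client whose transcript differs from the server's fails signature verification and drops the connection.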


Windows Server 2016 Licensing: Licensing in Physical Environments


   1. Editions and Features
   2. Licensing model
   3. Licensing in physical environments
   4. Licensing in virtual environments
   5. Upgrading, Downgrading, Volume activation, Azure Hybrid & External Users


How is a server with a single processor licensed?

The licensing conditions that apply to Windows Server 2016 (Standard and Datacenter) are as follows:

- for each physical server, all available cores must be licensed;
- for each physical processor available in the server, a minimum of 8 cores must be licensed (minimum 8 cores/processor);
- for each physical server, a minimum of 2 processors and a total minimum of 16 cores must be licensed (minimum 16 cores/server);

Note: one Windows Server 2016 license contains a pack of 2 cores (two-core pack license)

For a server with a single processor (4 cores), given the conditions above, 8 Windows Server 2016 licenses (two-core packs) are required (Standard or Datacenter).


How is a server with two processors licensed?
Under the conditions above, for a server with two processors and a total of 8 cores, 8 Windows Server 2016 licenses (two-core packs) are required (Standard or Datacenter).

Example:
The minimum number of licenses required for each server is determined by the total number of cores available.

For a server with 4 processors and a total of 24 cores, the following are required: 12 licenses (two-core packs):

Author: Catalin Iancu