Microsoft audit defence gotchas check list
2 likes871 views
This document provides advice on common Microsoft licensing "gotchas" and risks organizations may face. It discusses issues such as packaging the wrong version of software, not having the correct licenses when using high availability features in virtual environments, and not obtaining the proper licenses when applications are accessed through terminal services. The document recommends engaging software asset managers early in projects to identify licensing risks and ensure compliance. It also suggests negotiating with Microsoft and exploring options like deploying Office 365 when licensing issues are discovered.
Microsoft audit defence gotchas check list
- 1. Disclaimer: this document is intended to provide advice and information only and the accuracy of any statements are not guaranteed. Any actions taken on the basis of this document are carried out at the organisation’s own risk The ITAM Review UK Annual Conference 2016 Page 1 of 4 Discovery of the Microsoft applications installed on your estate is actually relatively easy. The challenging part is understanding HOW they are used in order to determine what licenses are required to support them. The majority of Microsoft Licensing ‘gotchas’ originate at the IT solutions design stage. It is vital that Software Asset Managers are engaged at Programme / Project initiation to identify potential licensing risks, as well as at the solutions design stage to ensure IT solutions are designed to be licensing efficient and that licensing costs are fully understood BEFORE the solution is deployed – we call this ‘ITAM by Design’. Below is a list of classic Microsoft Licensing ‘gotchas’. Use this list to carry out a baseline SAM risk assessment before your next audit to minimize nasty surprises. Packaging Errors What is it? A packaging error is simply where the wrong version of an application is packaged. The organization procures sufficient licenses to cover what they think is deployed, but unfortunately packages and deploys a different version which is unlicensed and therefore non-compliant. A classic case would be where Microsoft Office Standard has been purchased but Microsoft Office Pro was the application actually packaged. What is the risk? It depends on the size of the organization and the product deployed. In the example above, Microsoft will not allow you to offset the cost of the MS Office Standard licenses against the cost of the MS Office Pro licenses, and will require you to repurchase MS Office Pro licenses… it adds up very quickly. What can we do about it? Try and negotiate the option to uninstall the wrong application and reinstall the correct one. Note that Microsoft is likely to want you to commit to achieving this within a period of time, at the end of which they may want to audit your compliance. If you intend to migrate to O365 in the near future, this may be something to throw into the discussions to increase your leverage. Software Assurance in DataCentres or Cloud What is it? Applications such as SQL, Exchange, SharePoint etc do not require Software Assurance when deployed in static environments. However, if they are migrated to a Data Centre which utilizes High Availability (HA) and Distributed Resource Scheduler (DRS) (aka Load Balancing), Microsoft requires that licenses are covered by Software Assurance. This is also the case when VMs are migrated to public cloud. This is an issue because the applications are mobile – they can automatically move from physical host to physical host in contravention of the 90-day transfer rule that applies to applications that are not covered by software assurance. What is the risk? Microsoft does not allow software assurance to be attached to licenses more than 90 days after the license is purchased, so you will be required to repurchase the license plus SA – expensive if you have a large SQL estate. Microsoft Audit Defence Microsoft Licensing ‘Gotchas’ Checklist
- 2. Disclaimer: this document is intended to provide advice and information only and the accuracy of any statements are not guaranteed. Any actions taken on the basis of this document are carried out at the organisation’s own risk The ITAM Review UK Annual Conference 2016 Page 2 of 4 What can we do about it? Once the issue has been identified in an audit, there is not much you can do about it – very few organisations would be willing to take the risk of turning of HA and DRS functionality as this could cause significant business disruption if a physical host failed. It is likely you will need to procure the appropriate licenses, BUT if you have future plans to migrate to cloud ensure you take this into account when deciding how to remediate the non-compliance – what is cost effective in a Data Centre may not be cost effective in the cloud and vice versa. If the risk is identified before an audit, organisations may take the opportunity to redesign their resilience arrangements and switch off HA and load balancing. They may also take the opportunity to rationalize their application estate, possibly introducing a SQL cluster (licensed through SQL Enterprise with SA – still expensive, but probably cheaper than re-purchasing lots of SQL Standard with SA) and test & dev clusters which are licensed through MSDN. Again, before deciding how best to remedy this issue, ensure you take into account your future cloud plans and build a thorough business case before making any decisions. Citrix / Terminal Services What is it? This is a particularly nasty risk because it is so unexpected. Citrix and Terminal Services are examples of multiplexing, and Microsoft’s rules are that where a license is consumed indirectly, it is still expected to be licensed as if it was actually deployed. The problem arises because Citrix and Terminal Services are designed to optimize user experience, and so ‘out of the box’ access controls are user based. However, Microsoft perpetual licenses such as Microsoft Office, Project and Visio are device based licenses. The result is that if a desktop application is published via Terminal Services ALL the devices that could possibly access the device must be licensed for the product – in other words every single device that can access the Citrix or Terminal Server, regardless of whether the user who is using the device has access or not. In addition, all users who have access to Terminal Services must have an RDS CAL, which a lot of organisations aren’t aware of. What is the risk? The risk can be enormous – potentially millions of pounds if Microsoft Office Pro (instead of Standard), Project Pro and Visio Pro have all been published via Terminal Services and every machine is able to access these products. What can we do about it? If this issue is identified during an audit, you should definitely try and negotiate an option to remedy this issue by implementing device-based access controls. This usually requires the deployment of an additional management tool onto the TS or Citrix servers, the identification of which machines are used by individuals who genuinely require access, and then creating a white-list of machines that are able to access the Terminal Server. It’s not an easy process and will require a project to implement, so make sure you give yourself plenty of time to actually achieve the end result. As with the Packaging Error, Microsoft is likely to require a commitment to remedy the situation within a particular timeframe. O365 Downgrade Rights What is it? Microsoft O365 Pro Plus does NOT allow downgrade rights, so a purchase of O365 cannot be used to remediate non-compliance of older perpetual licenses. An additional gotcha is that
- 3. Disclaimer: this document is intended to provide advice and information only and the accuracy of any statements are not guaranteed. Any actions taken on the basis of this document are carried out at the organisation’s own risk The ITAM Review UK Annual Conference 2016 Page 3 of 4 organisations must be careful not to deploy Office 2016 thinking it is the same product as O365 Pro Plus – it isn’t. As an aside, Microsoft have a rule that subscription licenses cannot be purchased to remediate perpetual license non-compliance – but as with many things in Microsoft world, you can negotiate on this point and sometimes even get a favourable result! What is the risk? If O365 Pro Plus has been purchased to remediate non-compliance of older perpetual licenses, Microsoft is within its rights to ask you to purchase an appropriate number of perpetual licenses. What can we do about it? Microsoft is VERY keen to see O365 deployed, so you should definitely try and negotiate on this point. As always, Microsoft is likely to want a time commitment for you to remediate the issue, which in this case means deploying O365. Incorrect OEM Operating Systems What is it? Microsoft Windows Operating Systems (OS) can only be distributed by Original Equipment Manufacturers (OEMs). Each desktop that is produced for use with a Microsoft Windows Operating System has a unique serial number and the OEM must send records of the serial number and the Microsoft OS supplied to Microsoft as part of the conditions of purchase. The issue arises because Microsoft’s licensing rules state that if you rebuild a machine with a Microsoft Windows Operating System, then it must be reinstalled with the unique OEM version and serial number unless it is Microsoft Windows Professional, which can be installed from an image. During an audit, Microsoft will run a report showing which machine was sold with which type of OEM so that they can confirm that the correct version of Windows is installed on each machine. Companies get into trouble for two reasons: a) they have a standard Windows Professional Image which is deployed on non-Windows Professional machines; and b) they reimage machines that do not have an MS OEM operating system at all, possibly because they were intended to be deployed with a Linux operating system. What is the risk? The risks are generally fairly low. However some OEMs don’t have systems in place to prevent Home and Small Business Machines being sold to corporates who are likely to use imaging technology during deployment so this gotcha can be a bit of a shock. What can we do about it? You will be expected to procure ‘Microsoft Windows Get Genuine Licenses’ to replace the incorrect OEM license. The price varies depending on the quantity of licenses purchased, and you should be able to negotiate economies of scale with Microsoft if there are a large number of machines with the incorrect OEM. If you feel the OEM has mis-sold the incorrect OEM (ie you are an enterprise customer) then you may also be able to pursue the OEM for compensation. Enterprise Client Access License (CAL) Requirements What is it? Microsoft Applications such as Exchange, SharePoint, Skype for Business etc require CALs for each end user or end point that accesses the applications services. Many companies start off
- 4. Disclaimer: this document is intended to provide advice and information only and the accuracy of any statements are not guaranteed. Any actions taken on the basis of this document are carried out at the organisation’s own risk The ITAM Review UK Annual Conference 2016 Page 4 of 4 utilising features which require standard CALs, and license on that basis, either on a point product basis or through the purchase of the Core CAL suite. However as time goes on and the organisations requirements become more sophisticated, parts of the organisation may start using Enterprise CAL functionality, not realising that they need to purchase the additional CALs. What is the risk? The risk depends on the number of individuals or end points using the additional functionality, and how access to this functionality is controlled. What can we do about it? It can be very difficult to pin-point exactly which functionality requires an Enterprise CAL and who is using it. You will need to speak to a licensing expert to understand exactly what the requirements are and then work with the appropriate Applications Support teams to understand how usage is tracked within the applications themselves. External Connectors What is it? External Connectors are a type of CAL that is used when the number of end points or users accessing an external facing server is either un-countable or is such a large number that it is more economical to license with an External Connector than a CAL. The typical scenario is an internet server. The catch is that where you have a server in the background, such as a SQL server, providing data to the web server (an example of multiplexing) the SQL server also needs an External Connector. What is the risk? For most organisations, the risk in this scenario is relatively low compared to some of the others discussed. This is because most organisations have a limited number of servers publishing content to the web server – but of course this does depend on each organisation and how their solutions have been designed. What can we do about it? This is an example where license efficient IT solutions design can make a big difference, but if the issue is discovered after the fact the only solution is to purchase the required licenses. To ensure IT Solutions Architects implement ‘ITAM by Design’, make sure that software asset managers are engaged at programme and project initiation to ensure potential SAM risks are identified, and that they work with IT solutions architects to ensure that solutions are risk assessed BEFORE they are deployed, rather than afterwards. If you have any questions about the contents of this document or would like to discuss any of the issues raised in more detail, please contact ITAM Intelligence: Kylie Fowler Principal Consultant 07946 244 107 kylie.fowler@itamintelligence.com www.itamintelligence.com