This article is a preview of the keynote I'll be presenting at the Now Micro Winter Product Update event sponsored by Dell, HP, and Lenovo on Feb 18th.
We know the pace of change is accelerating, and looking ahead at 2015 there is no reason to expect that to stop. As we start a new year we get an excellent opportunity to leave behind the business practices that have not served us well. It is time to seriously work to cut the boat anchors slowing us down and try to build a fast and capable ship that our customers are proud to be associated with. Sooner or later, the organizations whose IT shops look like junkers from last century will decide to bypass them entirely if they can't provide useful services or respond to their changing business needs. IT will no longer be able to get away with being a boat anchor on the business.
One of the key differentiators between highly valuable IT organizations and impending shipwrecks is their ability to proactively tackle major changes. 2015 is full of big challenges that, if approached now, can be handled successfully and relatively easily. Choosing not to handle these proactively means putting your business at significant operational, security, and financial risk. Even if that’s been the modus operandi of your group before, let's try to do it better with a couple of these big challenges. Your effort (or lack thereof, if you so choose) will be noticed by the organization you serve.
The three biggest challenges for 2015 are all things you can start on today, so there is no excuse when you get asked about them a year from now:
Windows Server 2003 End of Support
Microsoft has been very clear for several years that Windows Server 2003 reaches end-of-life on July 14, 2015. If that's a surprise to you right now, you should take a good hard look at how you are getting information for making strategic decisions. With end of support, known security vulnerabilities in the operating system will no longer receive publicly available fixes - there will be no way to secure them against threats from even an unsophisticated attacker. If you do discover something that isn't working right on those servers, you won't be able to go through the normal support channels at Microsoft to get help fixing it. And Windows Server 2003 won't be something that Microsoft tests changes in other products like Active Directory against. If something stops working with Server 2003, it won't be something Microsoft will be likely to fix or help you with through Microsoft Support.
IT Organizations should start paying attention today to the exact number of Windows Server 2003 boxes. If your servers are all members of an Active Directory Domain, consider creating a weekly report that lists the total number of Windows Server 2003 computer objects that still exist. This number is the type of thing that should be actively monitored by the CIO of the organization - don't let it surprise him/her down the road, as knowing the scope of the problem today is the only way to get enough resources to solve the problem.
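The weekly tally described above, as an added example that is not part of the original article: it counts the Windows Server 2003 computer objects in the domain, separates the ones that have not logged on recently from the live ones, and writes a CSV that a project manager can put names against. It assumes the ActiveDirectory RSAT module is installed and the output path is a placeholder.

```powershell
# Added example (not from the original article): weekly tally of Windows Server 2003
# computer objects in Active Directory. Assumes the ActiveDirectory RSAT module is
# installed and the account running this can read computer objects.
Import-Module ActiveDirectory

# The OperatingSystem attribute is free text written by the client, and every 2003
# edition (Standard, Enterprise, R2, x64 ...) starts the same way, so use a wildcard.
$filter  = 'OperatingSystem -like "Windows Server 2003*"'
$servers = @(Get-ADComputer -Filter $filter `
                -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Description |
             Select-Object Name, OperatingSystem, OperatingSystemServicePack,
                           LastLogonDate, Description, DistinguishedName)

# Objects with no logon in 90 days are probably already dead. Report them separately
# so the number of servers that are actually running stays honest.
$cutoff = (Get-Date).AddDays(-90)
$live   = @($servers | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -ge $cutoff })
$stale  = @($servers | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

# One CSV per week; the "Owner" column is left blank on purpose so that an empty cell
# is visibly "nobody is working on this server".
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$report = "$env:TEMP\Server2003-Tally-$stamp.csv"   # hypothetical output path
$servers |
    Select-Object *, @{ Name = 'Owner'; Expression = { '' } } |
    Export-Csv -Path $report -NoTypeInformation

"Windows Server 2003 objects remaining as of ${stamp}: $($servers.Count) " +
"(active in last 90 days: $($live.Count), stale: $($stale.Count)) -> $report"
```

Run it from a scheduled task once a week and send the one-line summary to whoever owns the number; the CSV is the working list for the project manager.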
Once you have a list, you need a plan. A project manager needs to be responsible for whittling the list down overall, and they need to be able to find people to be responsible for each entry on the list. If there isn't a name next to each server identifying who is responsible for making it go away, you can safely assume that nobody is working on it. If money and resources are needed to deal with one of the items, the project manager needs to advocate for that to IT leadership - and since it is going to take time to get those resources, you sure as heck better start now.
For the exceptions that you just absolutely cannot make disappear by July 14th, you have two options which are defensible business decisions that can buy you time while you finish killing them off - and you need them in place before the deadline. You can 1) purchase a custom support agreement from Microsoft, or 2) isolate these machines like they have Ebola. For the second option, that means blocking all internet access (or all except specific sites that absolutely must be accessed), restricting inbound and outbound LAN traffic to only the specific hosts that have an express business need to talk to them, and ensuring every other mitigating security tool is in place (all released updates installed, functioning and supported anti-virus, even the Enhanced Mitigation Experience Toolkit).
It will be a lot of work to keep these things alive, and it will usually be a much better business decision to invest that time/energy into getting rid of them today instead of struggling to keep them on life support in the future. Regardless, you'll be happy you started working on this aggressively now instead of in a panic after July 14th.
On July 15th, pat yourself on the back for all the hard work, but take the opportunity to realize that this doesn't have to be a monolithic task ever again. By changing to a proactive model of infrastructure maintenance, these big reactive projects become smaller, fewer, and easier. And, you get more time for the fun stuff that actually makes our users feel like they got something out of us.
Java 1.7 End of Life
If you have Java installed anywhere in your enterprise, you must keep it up to date. After April of 2015, there will be no such thing as an up-to-date version of Java 1.7 unless you are buying an expensive support contract from Oracle. If you have Java and are connected to the internet, then the update to Java 1.8 needs to be installed by the time Java 1.7 is retired.
This is the time to get out of the version trap! Oracle has committed to a clear release schedule for some time now - there will be an update to Java every 3 months. Organizations must be able to test and deploy those updates as part of their regular business operations, not as major projects. When the vendor says in big red letters that you need to get upgraded, there is just no way to explain to a Board of Directors, Senate Subcommittee, or Press Conference why you didn't do it.
If any of your internal developers or external software vendors ever try to give you something that is locked to a specific update of Java, you must not accept it! Oracle (and Sun before them) has been unequivocally clear that you should always be able to run the current update as it is backwards compatible. The discussion must be changed from "Java's update broke my app, so put this horridly insecure version back on there," to "Your app is broken, now fix it." If you do have to downgrade, be damn sure it is done with a clear end date of when they are going to fix it, and with fully informed sign-off of the organization's Chief Executive as the amount of risk being taken on is not something IT can do on its own. (Don't believe me? Ask the vendor, Homeland Security, or SANS.)
But, here's the deal… Most of the time when I encounter a Java boat anchor (even recently with an ancient Java 1.6 behemoth), the common challenge is with the new security model. If you implement the white-listing features for these old apps, you can quite often get them to keep on working just fine without a ton of pain. See Ryan Ephgrave's article here for instructions:
In the very, very small subset of scenarios where you can't make the app go away, get upgraded, or work with a white list, then consider using remote presentation software like Microsoft RemoteApp or Citrix XenApp to allow users to access the app via a locked-down server which only has access to the ancient Java app. But, even after you've mitigated the risk, continue to have the hard conversation with the business about "If we have it, we need to maintain it. If we can't afford to maintain it, we can't afford to have it."
If there's significant push back from a business area, then the organization should be given a choice of appropriate business decisions: "Either you can have your impossible-to-secure Java version on your computer, or you can have access to the internet from the devices. Whichever you choose is fine with me."
ProTip: Follow the advice from the US-CERT and elsewhere; uninstall Java from any system that does not have an express business need to have it. Oracle is still years away from being able to fix the Java security mess, so zero-day vulnerabilities are going to continue being a problem. You don't have to patch Java if isn't installed!
Windows 10 and Internet Explorer 11
Windows 10 is coming in the late summer of 2015. It's coming about 3 years after Windows 8.1, which came about 3 years after Windows 7, which came about 3 years after Vista. But, this is the last time when we get 3 years between releases. Microsoft will be moving to a faster incremental release model much more akin to what we see in the mobile operating system world so they can compete with new features.
If you didn't start your Windows 7 deployment in earnest until the Windows XP End of Support date was creeping up on you (and Windows 8.1 was already released [and, yes, your end users noticed]), this is definitely the time to change your business processes. Waiting until the end of life of an operating system or "skipping" an upgrade does not actually save you any effort. The actions required to get from Windows 7 to Windows 8.1 are pretty much all still going to be required when you go to Windows 10. The only difference is that you could have invested in those incremental updates several years ago and gotten more time value out of them.
Don't wait for incremental changes to pile up and become monolithic ones. Getting started with Windows 10 today is easy with the Windows Technical Preview. If you've already automated Operating System Deployment, you can of course re-use all that investment and you're ready to go forward. The in-place upgrade from Windows 8.1 to Windows 10 is looking remarkably solid even in an enterprise environment. Today is the day to get some virtual machines going on the Technical Preview and figure out what work your organization still has to do. You'll have to do this work anyway, but by starting now you'll be ready to roll out new devices built for Windows 10 without downgrading (yes, again, your end users notice that) to a legacy operating system. While the Technical Preview isn't something for your production systems today, doing limited pilot testing now is worth your time.
And, it's looking like the hardest part of Windows 10 upgrades for enterprises is something you can start with today on Windows 7 by getting ready for Internet Explorer 11. While Windows 10 will come with IE11 by default, you will have to upgrade all of your Windows 7 and later systems to IE11 before January 12, 2016. While Microsoft is obviously not letting people's ancient boat anchor web apps hold things up for everyone else, they are providing an easy way for enterprises to make the transition: Enterprise Mode. Most legacy web apps render just fine in IE11 as long as they are run in the legacy Enterprise Mode, and you can easily pre-emptively tell browsers about these sites using group policy. Steve Jesok has a great write-up here about collecting info about when individual users hit the Enterprise Mode button to make a website work so you can add it to your group policy list for all users:
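The Enterprise Mode site list and the policy settings that point IE11 at it, as an added example that is not part of the original article or of Steve Jesok's write-up. It writes the same registry values the group policy setting "Use the Enterprise Mode IE website list" sets, so in production you would deliver them through the GPO rather than this script; the UNC path, host names and logging endpoint are hypothetical placeholders.

```powershell
# Added example (not from the original article): build an IE11 Enterprise Mode site
# list and configure clients to use it. Paths and host names are hypothetical.
$siteListPath = '\\fileserver\IEPolicy\EnterpriseModeSiteList.xml'   # hypothetical UNC path
$reportingUrl = 'http://emie-logger.corp.example/log.aspx'             # hypothetical endpoint

# Legacy web apps found from the user-click log go in here. exclude="false" means
# "render this in Enterprise Mode"; a path can override its domain, so one old
# timesheet app can get Enterprise Mode while the rest of the intranet stays modern.
# The version attribute has to go up every time the file changes, or clients keep
# using the copy they already cached.
$siteList = @"
<rules version="2">
  <emie>
    <domain exclude="false">legacy-erp.corp.example</domain>
    <domain exclude="true">intranet.corp.example
      <path exclude="false">/oldtimesheet</path>
    </domain>
  </emie>
</rules>
"@
Set-Content -Path $siteListPath -Value $siteList -Encoding UTF8

# Machine-wide policy key (the HKCU twin applies per user). "Enable" holds the URL
# that IE posts to whenever a user turns Enterprise Mode on or off for a site, which
# is the data source for deciding what to add to the list; "SiteList" is where the
# XML above lives (a UNC path, local path or URL all work).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'Enable'   -Value $reportingUrl
Set-ItemProperty -Path $policyKey -Name 'SiteList' -Value $siteListPath
```

The "Enable" value is also what lets users see the Enterprise Mode entry in the Tools menu, so leaving it set keeps the click reports flowing while you build out the list.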
Quick bullet points of what you can be doing today:
Windows Server 2003 End of Life July 14, 2015
- Get a weekly tally going of Windows Server 2003 computer objects still in Active Directory.
- Ensure someone owns each and every one of them and is actively working on migrating/decommissioning.
- If you're going to have stragglers, be ready to lock them away in jail until they can be executed.
Java 1.7 End of Life April of 2015
- Get ready to deploy Java 1.8 with a whitelist using Ryan Ephgrave's article.
- Shove any really bad Java straggler apps into the datacenter and access only through remote presentation.
- Remove anything other than the current version of Java 1.8 from all devices (or remove their internet access).
- Remove Java from all devices that do not have a significant and compelling business need for it to be there.
Windows 10 comes late Summer of 2015 - Internet Explorer 11 required by January 2016
- Start testing early - waiting will only save up the work for later. You're likely to find most things work just fine even this early in the development process.
- Internet Explorer 11 Enterprise Mode can make most legacy webapps keep working.
- In-place upgrades from Windows 7 and 8.1 to Windows 10 can be a viable solution.
- Windows 10 upgrades from Windows 7 and 8/8.1 for consumer or small businesses will be free of charge if upgraded within the first year of Windows 10’s availability. Watch for more info on enterprise options.
And for fun, consider creating a "Wall of Shame" for tracking any Windows Server 2003 boxes, insecure Java apps requiring old versions or whitelist entries, or legacy webapps that need Enterprise Mode. Let the boat anchors be known!
I wish you the best of luck as you help move your organization forward in 2015!
I hope that helps,
Nash Pherson @KidMystic
FYI – If you are interested, I’m doing a Webinar on Feb 12th about bridging the gaps and making the ConfigMgr Console the #1 tool for providing support to your users by leveraging the Now Micro Right Click Tools. We’ll also show some of the tools that make it easier to manage ConfigMgr itself.