CYBERSECURITY PADAWAN

Designing a functional asset management architecture can be a daunting endeavor if one takes into account all the tasks, sub-tasks, and micro-tasks an IT engineer must perform to set up this intricate contraption. Some time ago, I did a write-up on the prerequisites of ASM deployment. To say that the topic is extensive would be a major understatement. Licensing alone can make you question your own sanity, not to mention the fact that the documentation resembles a small novel. So, to address all the (unanswered) concerns about the asset management system, I’ve created this ‘meager’ FAQ guide for ASM. Enjoy!

The Microsoft Licensing Conundrum

While researching this topic, I came across the same question more than a dozen times: “Why is Microsoft Licensing so complicated?” And because every journey starts with that first, timid step, let’s take it from there. Microsoft has three types of licensing tiers: FPP, OEM, and Volume.

FPP, which is short for Full Packaged Product, is the ‘boxed’ version of the (licensed) software. Remember the last time you went shopping for computer parts and found yourself in front of this big shelf stacked with Win10 or MS Office boxes? That’s FPP licensing. Usually, these packages contain a single license, some type of media, and, of course, the documentation. A great choice for a small, home office or for personal use, but not the right choice if the volume’s what you’re after. I’ll get to that in a second.

OEM or Original Equipment Manufacturer is the second Microsoft licensing option and a cost-effective one at that because it bundles software and hardware – some vendors sell PCs or servers with preinstalled software (e.g., operating systems, MS Office, etc.). It’s an attractive option for small businesses since you don’t have to purchase the two separately. Still, OEM doesn’t solve the volume issue any more than FPP does.

That’s where Volume Licensing comes into play – Microsoft’s VL plan is designed to accommodate the businesses that need multiple licenses, but not multiple copies. The major advantage of Volume Licensing is the speed of deployment – the software’s most likely distributed via the cloud. In addition, this licensing tier comes with other benefits such as customization, easier management, direct contact (i.e., one-on-one with a dedicated AM that will walk you through the entire licensing process), and more.

Now that you’ve got some idea about what you’re up against in terms of software licensing, let’s tackle the specifics. We’ll begin with OEM.

OEM Licensing – Phases and PKCs

We’ve already established that OEM licensing is, by far, the most cost-effective option for a small business or even an SMB. OEM licensing has two phases: system builder agreement and the end-user licensing terms.

The SBA (also called the system builder license) is an agreement between the system builder (i.e., the hardware vendor) and Microsoft. The first phase of OEM is concluded once the hardware vendor agrees to the terms and conditions associated with the primary OEM licensing phase (i.e., end-user support, certificate of authenticity, software distribution agreement, and pre-installation support when using the OEM Pre-Installation Master Kit).

Once the agreement is in place, the hardware vendor can ‘ship’ the endpoints with the pre-installed Microsoft software to the end-user. Not so fast; there’s still the end-user software licensing phase. In simple terms, the ‘transaction’ can only be closed when the end-user (i.e., buyer) agrees to the terms and conditions superimposed by the OEM License. As Avenet explains in its Microsoft Licensing visual guide, the hardware supplied to the end-user contains an inactive version of one or more pre-installed software.

The activation process takes place when the user agrees to the software licensing terms. This ‘document’ must contain the following information: non-exclusivity clause (i.e., the software can be licensed to other parties), the non-transferability clause (i.e., you’re not allowed to transfer the license to another entity), rights, breach of contract, device usage, limitation of liability (i.e., you’re to accept the software as it is and not sue the software’s creator for damage sustained during misuse), terms of termination, and governing law. Yes, I know that no one takes the time to read the software license agreement, but you should. Your AMS infrastructure depends on you ‘digesting’ all the aspects related to the software you’re about to deploy.

That’s OEM basic licensing in a nutshell. But what about server licensing? Similar to ‘basic’ licensing, Microsoft’s OEM Server licensing is a two-sided process: system builder and reseller. The system builder bit allows the customer (i.e., you) to purchase server-type software along with the hardware support. First in line is the OEM System Builder License; it either comes as a part of the OEM system builder’s pack or with the OPK (i.e., OEM Pre-Installation Master Kit).

Once the agreement between the system builder and Microsoft has been confirmed, the server software along with the hardware support can be shipped to the end-user who will need to activate it on the very first run. Up next is the OEM Licensing for resellers, a phase that focuses on solution customization and activation. ROKs or Reseller Option Kits are the best solution if your company is searching for a more ‘tailored’ approach.

This phase ends when the end-user agrees to the terms and conditions as laid down in the Software Licensing Terms. Some benefits associated with ROKs: ease of deployment, pre-customized and BIOS-locked media, and the ability to fine-tune them on the go.

A few words on PKCs – Product Key Cards are a form of FPP. They consist of a 25-character code that can be utilized either to activate Windows-family products or to determine if a certain product has been activated on more than one endpoint. As you might imagine, PKCs are great for a smaller operation, but expensive and hard to manage in a corporate setting.

Volume Licensing

The core definition of volume licensing is finding the balance between software cost and the number of endpoints available in your company. According to Microsoft:

By acquiring software licenses through Microsoft Volume Licensing programs, you only pay for the software license. On the other hand, boxed software (FPP) may include additional components such as media (CDs/DVDs), a user’s guide, and other packaging items. Eliminating these physical costs and purchasing in volume often reduces cost and provides more customized purchasing options and improved software management.

Source

Another essential aspect of MS’ Volume Licensing is the so-called Software Assurance program, an ‘offering’ that allows the customer to get the most out of their software investment. Basically, it’s a tech support feature that combines IT tools, specialized training sessions held by MS representatives, phone support, and auxiliary services. Design-wise, volume licensing takes into account the size and type of the licensee, the family of products the customer wants to license, and the manner in which the soon-to-be licensed products will be utilized. As a result, the Volume Licensing tree will have the following constitution:

SMB (Small Businesses) – Available license types: OV (Open Value) [maximize investment and standardize IT], OVS (Open Value Subscriptions) [lower up-front costs, decrease\increase no. of licenses on the go], and OL (Open License) [pay as you go]

Midsize and Large Businesses: OV, OVS, Select Plus [pay-as-you-go, agreement never expires, mixed software environment], Select [pay-as-you-go, acquire the latest MS tech, optional software assurance], Enterprise Agreement [standardize IT, additional software assurance benefits], and Enterprise Subscription Agreement [same benefits as EA, but lower up-front costs and the possibility of reducing or increasing the license count].

ESA (i.e., Enterprise Subscription Agreement) has two kinds of enrollments – EAP (Enrollment for Application Platform) and ECI (Enrollment for Core Infrastructure Licensing), the latter being the best way to construct a cost-efficient and protected IT infrastructure.

Small Government Organization: OL for Government, OV for Government, OVS for Government.

Midsize to Large Government Organization: Enterprise Agreement for Government, Enterprise Subscription Agreement for Government, Select Plus for Government, and Select License for Government. The brochure for small, midsize, and large government organization licensing options can be viewed here.

Educational Institutions: EES (Enrollment for Education Solutions), School Enrollment, and Campus. The brochure can be viewed here.

Perpetual Licensing Programs: OL for Academic, Select License for Academic, and Select Plus for Academic.

Charitable Institutions: Open License for Charities.

Small Government Healthcare Organization: OL, OV, and Open Value Subscriptions.

Midsize to Large Government Health Organizations: Enterprise Agreement, Enterprise Subscription Agreement, Select Plus, and Select License. The offer can be viewed here.

Service Providers, Hosters, Application-as-a-Service providers, and ISVs (Independent Software Vendors): SPLA Essentials (the Service Provider License Agreement Essentials offers basic rights for hosting businesses, sign-up experiences, and more), SPLA (the Service Provider License Agreement premium tier offers additional services such as data center services outsourcing, client-side customization, and more).

Additional MS licensing FAQs

  • What are Windows Server Standard Additional Licenses “APOS”?

After Point of Sale (APOS) licenses are Windows Server licenses that come with additional licensing rights.

  • Do all MS licenses come with a COA?

Not all Microsoft products have a certificate of authenticity (COA). Only FPPs and OEMs have these certificates. For additional information, refer to Microsoft’s guide about checking FPPs for COA holograms.

  • Can I transfer an OEM license to another server?

Yes, you can, but only if you acquired the right to do so. Microsoft’s Software Assurance contains the provisions regarding the transfer of an OEM license to a server other than the one you purchased the license for in the first place.

  • What do I do if the MPKI (manual product key injection) process does not activate Windows?

Follow these instructions. Please note that the below procedure requires internet access.

  1. Run CMD with admin rights.
  2. Paste the following line: slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (replace the X sequence with the product key found on your certificate of authenticity label). Hit Enter.
  3. Paste the following line: slmgr.vbs /ato. Hit Enter to confirm.
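
The same three steps as a script, added here as an example (not from the original post): it rejects a mistyped key before touching the licensing service and then confirms activation from the SoftwareLicensingProduct WMI class rather than trusting the dialog box. It assumes an elevated PowerShell session with internet access.

```powershell
# Added example (not from the original post): wraps the slmgr.vbs /ipk and /ato steps
# above, checks the key format first, and confirms the outcome from the licensing
# service instead of trusting the pop-up. Run from an elevated PowerShell session
# with internet access.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProductKey   # 25-character key from the COA label (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# Five groups of five alphanumerics; catches a mistyped key before it reaches slmgr.
if ($ProductKey -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
    throw 'Product key must look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
}

function Get-WindowsLicenseState {
    # Installed licenses carry a partial product key; LicenseStatus 1 means activated.
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object Name, PartialProductKey, LicenseStatus
}

# Step 2: install the key (cscript keeps slmgr's messages on the console, not in a dialog box).
& cscript.exe //nologo $slmgr /ipk $ProductKey

# Step 3: activate online.
& cscript.exe //nologo $slmgr /ato

# Verify the result; on failure, print the detailed licensing status for troubleshooting.
$state = Get-WindowsLicenseState
$state | Format-Table -AutoSize
if (-not ($state | Where-Object { $_.LicenseStatus -eq 1 })) {
    Write-Warning 'Windows is still not activated; detailed licensing status follows.'
    & cscript.exe //nologo $slmgr /dlv
}
```
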

  • What is AVMA?

Microsoft’s Automatic Virtual Machine Activation is a licensing failsafe whose role is to ensure that the purchased products are activated and used as stipulated in the Software License Terms and the Product Use Rights documents.

  • Can I downgrade Windows Server Foundation or Windows Server Essentials?

Both can be downgraded as per the Software License Terms. However, you will not be able to downgrade them with the OEM Downgrade, since Microsoft hasn’t supplied downgrade keys.

  • Can you virtualize a SQL Server?

Please refer to the Licensing Microsoft server products for use in virtual environments documentation.


What are the Cybersecurity challenges for Shadow IT?

I hope that the subsection dedicated to licensing managed to answer some of the questions you had on the process. Moving on, let us now address the issue of Shadow IT. According to Gartner’s glossary, the term “Shadow IT” refers to any device, software, or service that operates outside the ownership and/or control of the company’s IT department. More than that:

Shadow IT is being qualified as IT systems/solutions/services adopted by certain business units within an organization without explicit IT department endorsement/approval. Such challenges include: the IT systems/solutions/services might not follow/comply to enterprise-wide IT security, governance, audit, or even regulatory requirements e.g., some companies do not allow IT systems to “Call Home” to the Shadow IT service provider for proactive support/analytics, etc.

Source

So, based on the above statement, Shadow IT can include any type of operation or service that takes place without the written consent of the IT department. Another Shadow IT example would be conducting business using a personal email address or using unsanctioned/unmonitored software to present sensitive information (i.e., utilizing FaceTime instead of Microsoft Teams or Zoom to present quarterly revenue results).

Microsoft has thoroughly documented this phenomenon and urges business owners as well as IT heads to take corrective action, as:

There is a risk that Shadow IT not including security measures as part of their initial solution design or implementations e.g. pilot study, production deployment, etc. rendering the solution being vulnerable for cyber-attack, ransomware attack, etc.

Source

and

There is a risk that Shadow IT including “backdoor” into their solutions knowing the end users/business users are not IT savvy.

Source

Additional Shadow IT FAQs

  • How to detect Shadow IT?

The most common way to detect Shadow IT is to examine DLP logs, web proxy logs, and firewall logs, and to use network-aware monitoring solutions. Microsoft’s Shadow IT Cloud Discovery is also a solution worth investigating.

  • How do I evaluate discovered Shadow IT apps and services compliance level?

After detection, check to see if the discovered applications and services are in compliance with your company’s standards. Microsoft tools such as Cloud App Security can help you figure out the overall compliance score and identify nonconformities.
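
A first pass at both FAQs above (examine the proxy logs, then evaluate what turns up), added here as an example and not part of the original post or any Microsoft tool. The log lines are constructed, and the sanctioned list and the risk catalogue are hypothetical stand-ins for your own app catalogue or for what Cloud App Security would report.

```powershell
# Added example (not from the original post): finds destinations in web proxy logs that are
# not on the sanctioned list, then triages them against a small catalogue. The log lines are
# constructed; the sanctioned list and catalogue are hypothetical.
$proxyLog = @'
2024-03-04T09:12:01Z user=alice dst=teams.microsoft.com bytes_out=18233
2024-03-04T09:13:44Z user=bob dst=drive.google.com bytes_out=904112
2024-03-04T09:15:02Z user=alice dst=wetransfer.com bytes_out=5120233
2024-03-04T09:16:30Z user=carol dst=outlook.office365.com bytes_out=2213
2024-03-04T09:18:05Z user=bob dst=drive.google.com bytes_out=1224000
'@

# Services the IT department has approved (hypothetical).
$sanctioned = @('teams.microsoft.com', 'outlook.office365.com', 'zoom.us')

# Hypothetical catalogue used to rank findings; real attributes come from your risk assessment.
$catalogue = @{
    'drive.google.com' = @{ Category = 'Cloud storage'; Risk = 'Medium' }
    'wetransfer.com'   = @{ Category = 'File sharing';  Risk = 'High' }
}

function Find-ShadowIT {
    param([string]$LogText, [string[]]$Sanctioned)
    $events = foreach ($line in $LogText -split "`n") {
        if ($line -match 'user=(\S+)\s+dst=(\S+)\s+bytes_out=(\d+)') {
            [pscustomobject]@{ User = $Matches[1]; Destination = $Matches[2]; BytesOut = [long]$Matches[3] }
        }
    }
    # Anything not on the sanctioned list is a Shadow IT candidate; summarise per destination.
    $events | Where-Object { $_.Destination -notin $Sanctioned } | Group-Object Destination | ForEach-Object {
        [pscustomobject]@{
            Destination = $_.Name
            Users       = ($_.Group.User | Sort-Object -Unique) -join ', '
            MBOut       = [math]::Round(($_.Group | Measure-Object BytesOut -Sum).Sum / 1MB, 2)
        }
    }
}

function Get-ComplianceTriage {
    param($Findings, [hashtable]$Catalogue)
    foreach ($f in $Findings) {
        $entry = $Catalogue[$f.Destination]
        [pscustomobject]@{
            Destination = $f.Destination
            Users       = $f.Users
            MBOut       = $f.MBOut
            Category    = $(if ($entry) { $entry.Category } else { 'Unclassified' })
            Risk        = $(if ($entry) { $entry.Risk } else { 'Review' })
            Action      = $(if ($entry -and $entry.Risk -eq 'High') { 'Block and contact users' } else { 'Assess for sanctioning' })
        }
    }
}
$findings = Find-ShadowIT -LogText $proxyLog -Sanctioned $sanctioned
Get-ComplianceTriage -Findings $findings -Catalogue $catalogue | Sort-Object MBOut -Descending | Format-Table -AutoSize
```

Unclassified destinations are the ones to feed back into the catalogue (or into a tool such as Cloud App Security) before deciding whether to sanction or block them.
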


What Is the Difference Between EAM Software and a CMMS?

One of the most curious questions that pop up during a discussion about any asset management system is “how can one tell the difference between an EAM and a CMMS?” For those of you unfamiliar with the topic, an EAM, which is short for Enterprise Asset Management, is a blend of services, systems, and software that are utilized to maintain equipment (hardware) and operating assets.

EAM is the ‘technical’ extension of Enterprise Asset Management, a management sub-field that focuses on supply chain management, EHS initiatives, work management, planning, scheduling, and asset management. Now for the CMMS – short for Computerized Maintenance Management System, a CMMS is a type of software that helps you improve maintenance, reduce cost, increase asset reliability, and standardize operations. The reason why most people confuse EAM with CMMS or the other way around is that many EAM solutions have CMMS-type capabilities and vice-versa.

EAM vs CMMS usually boils down to a chicken-or-the-egg dilemma – which came first? Historically speaking, CMMS has been around since the late ‘60s, when punch cards were introduced as an alternative to pen-and-paper asset management.

The modern computerized CMMS version would be the logical link in the asset management evolutionary chain. Without delving too deep inside the technical aspects, the most important difference between EAM and CMMS is that the latter focuses solely on maintenance while the former has numerous other ramifications. Tracy S. Smith’s CMMS vs EAM article on Reliability Web captures the most important differences between the two asset management systems. What’s the most important takeaway here? EAM is the master key, while CMMS unlocks only one door.

A few (more) words about digital asset management (DAM) – as an emergent asset management methodology, DAM is a solution to organize, maintain, store, retrieve, and find all the digital assets owned by a company. In other words, as opposed to CMMS and EAM, which converge on physical assets and TCOs, DAM curates media files (e.g., photos, videos, audio files, presentations, and documents).

Additional CMMS & EAM FAQs

  • What are the main features of EAM?

Here’s what to look for in an EAM solution: auto data backup, maintenance overview, work orders overview, cost analysis, and automatic property mapping.

  • How do you define the installation parameters?

Please follow these steps:

  1. Go to Administration. Click on Security and then on Install Parameters.
  2. Click on the New Record button.
  3. Type in the installation parameter’s unique code and a brief description. Type in a value for the parameters.
  4. Click on the Save Record button.

  • How do you create regional codes?

Please follow these instructions:

  1. Click on Administration.
  2. Highlight Setup and click on Regions.
  3. Click on the New Record button.
  4. Input the following info: region description, postal code, region, organization, class, out of service, degree day reference point, actual temperature sources, Fahrenheit or Celsius.
  5. Click on the Save Record button to finish the process.

Parting thoughts

Designing a functional asset management system is no small feat. As you can clearly see, you have a lot of ground to cover in the areas of licensing, Shadow IT, EAM, CMMS, and DAM. For all your asset management needs, Heimdal™ Security has your back – our Patch & Asset Management solution comes with all the bells and whistles an IT manager needs in order to set up an efficient and secure AMS environment. As always, your questions are more than welcome, so don’t forget to subscribe to our newsletter and flood that comments section with everything that pops into your head. Stay safe!
