This Week in IT, there’s a critical Alert for MS 365 Admins: Your Emails Might Be at Risk with Google’s New Anti-Spam Rules – Discover Vital Steps to Ensure Seamless Communication Now! Plus, what you can do to protect your Windows Server 2012/R2 workloads as it reaches end of support, Active Directory is getting some new features for the first time in 7 years, and Windows 11 is getting an update to Kerberos authentication.
Links and resources
This Week in IT, there’s a critical alert for Microsoft 365 admins. Your emails might be at risk with Google’s new anti-spam rules. Discover vital steps to ensure seamless communication now. Plus, what you can do to protect your Windows Server 2012 workloads as it reaches end of support. An active directory is getting new security features for the first time in seven years, and Windows 11 is getting updates to the Kerberos authentication protocol.
Welcome to This Week in IT, the show where I cover all the latest news on Microsoft 365, Windows and Azure. Before I get started, I’ve got a quick favor to ask. 80% of the people who watched last week’s video weren’t subscribed to the channel. As we’re going live with this video today, we’re at about 960 subscribers, and I’d really love it if we could push that over the 1000 mark this week. So I’d really appreciate your help if you could subscribe to the channel and hit the bell notification to make sure you don’t miss out on the latest uploads. So Google have announced some changes to Gmail in that they’re tightening up their anti-spam rules and the changes are due to come into effect by February next year. So there’s a set of guidelines that they’ve released in order to make sure that you can ensure seamless communication with any emails that you might send to Gmail. Now they say clear guidelines, I’d say that they’re probably not that clear actually.
Now one thing that I should say straight away if you’re a Microsoft 365 admin is that Microsoft does not recommend that you use its service to send bulk emails. The main reason for that is that Exchange Online Protection is designed to block bulk email sends by default. So Microsoft says if that’s what you want to do or of course need to do, then you should be using on-premises Exchange Server or a third-party bulk email sender that is designed to do that kind of thing. Having said all of that, the things that Google have laid out in the last week to protect users against bulk email and spam are just best practices that you should be following anyway. So this doesn’t only apply to people sending bulk email. So what are the things that you need to do? Well there are three main technical requirements that should be in place or at least according to Google.(…) So the first is that you should have a SPF record defined for your domain. Now SPF, so that’s sender policy framework, these are just text records in DNS.
They’ve been around for donkey’s years and I’d be very surprised if your email domain doesn’t have one set up at this point. Now there are various tools on the internet that you can use to check whether your domain has an SPF record and if it does, what it’s set to exactly. And Microsoft has some guidelines which we’re leaving the show notes about how to achieve all of these technical requirements that Google are laying out in Exchange Online. Now the second requirement that Google is setting out is domain keys identified mail or DKIM for short if you like. So SPF and DKIM, they’re two kind of foundational security aspects of email that you should probably have in place if you don’t already. So what is the difference between an SPF record and DKIM? So the main function of an SPF record is the only servers authorized to send email from your domain can send email from your domain.
Whereas DKIM is really intended to make sure that when the message is sent that it’s not changed in transit maliciously somehow so they have two different functions. Now there’s a third recommendation that Google is mentioning and that’s a DMARC. Now the point of DMARC is to really tell a domain that receives an email from you what to do with that email if it doesn’t pass SPF or the DKIM requirements. What are you going to do with it? DMARC also provides for reporting so that you can have a look to see who might be trying to impersonate you and send email from your domain. So that’s another really important feature that you should be keeping an eye on from time to time to make sure that your email domain isn’t being abused. So Google says that it identifies bulk email sends as any domain sending more than 5,000 emails a day. You’ve got those free technical requirements that have been laid out and there are a few other things that Google is saying so you have to have a clear unsubscribe policy and of course Google has to be able to identify that in the email as well. It was Patch Tuesday of course this week, nothing very exciting there to report really. I think a lot of people expected that the Windows 11 Moment 4 features might come as part of Patch Tuesday. They didn’t, clearly they’re not ready although you can still get them as an optional update if you want to check them out in advance.
The biggest thing that’s really happened as part of this Patch Tuesday is that Microsoft has ended support for Windows Server 2012 and 2012 R2. So what does this mean if you have workloads running on those server versions? So the first thing is of course that you will no longer get security updates unless you want to pay for extended security updates. Now Microsoft recommends that you try to move those server workloads into Azure. Whether you’re going to lift those workloads and put them on a modern version of Windows Server running in a virtual machine or whether you move those workloads to Azure’s platform as a service offerings like Manage Instance or SQL Server or the application service that you have in Azure. So they’re the preferred options for Microsoft of course because they get a regular fee from you to pay for those subscription services.
There’s also a free tool called the Azure Migration Tool and this will allow you to migrate those legacy workloads and move them into Azure and to move those applications into Azure. So that’s a free tool that you can go and check out and if you opt to pay for a virtual machine running Windows Server 2012 in Azure you can get free extended security updates for up to three years. Of course the other option is to upgrade your on-premises server to a supported version of Windows Server. Now it’s a little bit late to be doing all of this right now of course you should have been planning for this and I hope this is something that you already have in motion or of preferably already completed by this stage. Now this came as a little bit of a surprise this week. Microsoft announced that an insider build of Windows Server vNEXT this is expected to drop in 2025 I believe is getting a whole load of new features for the on-premises Active Directory. Now this is big news because we haven’t really seen any significant changes to Active Directory since Windows Server 2016.(…) Of course Active Directory is a mature product and while there’s a whole load of new things coming to Active Directory there are no significant new features they’re just kind of evolutionary things coming to bits and pieces in Active Directory that already exist of course. This is a mature product massive changes are not going to happen.
Nevertheless these updates are pretty significant many of them are connected to security of course to boost the security of all of those Active Directory installations around the world which is still very much relied upon to run many businesses. So let’s just go through a few of the important things that are coming in a future version of Windows Server. So something that I know has been requested for a long time is that the database the Active Directory database is getting support for a 32k page size. Now this is going to be an optional thing it will be enabled by default on new installs of Active Directory.(…) You would have to increase the domain or forest functional level if you wanted to get it from an upgraded version of Active Directory as you move to this new version of Windows Server but the idea of it is to allow a bigger object size essentially within Active Directory itself. Active Directory is getting numerous supports so what does this mean? It means that AD will be able to use all of the CPU cores in a processor group and it will be able to use even more than 64 cores.
So this is really about performance efficiency. WinZ is being disabled yet that thing still exists very outdated protocol of course now but devices will still be able to discover each other using net bios names but not based on that outdated protocol so that’s got to be good news. As I hinted at earlier some of these new features are going to require you to move up to what is going to be now the first new domain forest functional level change since Windows Server 2016.(…) So we’ve had like Windows Server 2019 2022 but Microsoft has never introduced new functional levels because there was no need to there were new new functions but now we get in some new functions and features so there’s going to be a new functional level for domains and forests with Windows Server 2025.(…) Let me know in the comments below if you’re managing a Windows Server Active Directory on premises do these changes that Microsoft is planning to introduce in the next version of Windows Server go some way to solve the daily security or management issues that you might have with Active Directory or is this not enough is Microsoft not focusing on the right things. I’d like to know what your daily challenges with on-premises Active Directory are.
Microsoft Blue Hat is starting I believe today and as part of that David Weston announced yesterday that there are going to be some changes to Windows 11 authentication they’re upgrading Kerberos support to do some of the things that we currently rely on NTLM for which is obviously a legacy protocol. So why do we still rely on NTLM in Windows to this day? So there are three main features that we still need NTLM for. So NTLM it doesn’t require connection to a domain controller so that’s the first thing whereas Kerberos does. NTLM is the only protocol at the moment that supports local accounts.(…) Yep so Kerberos can’t work with a local account it’s only for domain accounts and NTLM only works if you know what the target server is or who the target server is. So Microsoft is adding two new features to Kerberos to try and work around some of those issues.(…) So the first is IACURB and this is going to allow clients to authenticate using Kerberos in a wider variety of network topologies and the second is that Kerberos is going to get a local key distribution center which means it will be able to support authentication with local accounts. So along with all of these changes and Microsoft is hoping to move people of course away from NTLM as much as possible they’re adding more information to the event logs that will help you to identify exactly which applications in your environment are using this outdated protocol.
There are also going to be new policies added to Windows 11 to allow you to block specific applications and services from using NTLM or if you want to create a global block for NTLM in your environment you’ll be able to set exceptions to allow specific applications to use it regardless. If you’re interested in finding out more about this Microsoft is hosting a webinar called the evolution of Windows authentication on October 24th at 8 a.m pacific time so I’m going to leave a link in the show notes to that and it’s going to be like a live Q&A as far as it understands you’ll actually be able to ask Windows engineers everything you wanted to know about these Kerberos changes. Teams we couldn’t go past a whole week without talking about teams I guess of course and again another confusing name change teams live events are being replaced with a new feature called Town Hall.(…)
Not quite sure why the name change exactly but essentially this is happening because live events are based on stream classic technology which is being phased out in I think January next year it’s no longer going to exist so whatever technology Microsoft has replaced it with what stream is now based on this is all being phased out for live events and just being replaced with Town Hall using this new streaming technology and it’s available now but it’s not fully featured so Microsoft is hoping to have all of this fully featured so that you reach feature parity with what you have today in live events by September 2024.(…) So if you can move across to Town Hall then you should probably do that as soon as you can and if not obviously you’re going to have to stay on live events for the time being but hopefully you’ll be able to move across sooner rather than later. So I mentioned there September 2024 and that’s because Microsoft is planning to nevertheless support live events for the next 12 months so you don’t need to panic right yet. So Arc enabled virtual machines in system center virtual machine manager are getting support for Azure management services.
So Arc is Microsoft’s Azure cloud-based server management solution if you’d like so it’s designed to support servers running across a multi-cloud environment and on-premises as well and a lot of these features are now being extended to VMs in a virtual environment. So what does this mean Azure management services exactly? So it’s things like Microsoft Defender for cloud so you can secure your virtual machines,(…) VM insights so that you can monitor them through Azure monitor and Azure update manager so that you can patch those virtual machines. So Microsoft is saying that with this release all Azure management services that are supported in general for Arc enabled servers are also now supported in virtual machines running in system center virtual machine manager and you can install the Azure Arc agent directly from Azure across servers regardless if it’s a virtual machine managed by SCVMM. If you found this video useful I’d really appreciate it if you gave it a like because that really helps to push the video out to more people on YouTube and to build the channel and I’m going to leave you with another video on the screen now that you might also find interesting but that’s it from me for this week and I’ll see you next time.