Microsoft Cloud Solutions Provider

Microsoft Cloud Solutions Provider


The 1-Tier partner is approved by Microsoft and orders seats on behalf of customers directly from Microsoft, rather than through another partner type. To get that relationship, a partner must have a series of capabilities. To qualify for 1-Tier, a partner must be able to bill, provide 24×7 support, do technical integration and handle customer lifecycle management. Microsoft is also looking for partners with a business model around managed services IP and with broad market reach.

There’s also what Microsoft calls a 2-Tier model. In that one, the distributor or companies that were formerly part of the Microsoft Syndication Partner program handle the capabilities with Microsoft. Those partners are called 2-Tier distributors or cloud distributors. They in turn work with the bulk of Microsoft partners, who are the 2-Tier resellers. Depending on a given cloud distributor’s offering, those resellers may still have control over customer billing and may also be able to outsource white-labeled support services to the distributor. For much more detail on the emerging 2-Tier ecosystem, see the related feature in this section.

New investments will vary based on your current practice. Areas to consider:

  • Local tax implications of selling a subscription product versus a service
  • Adjustments to your sales incentive programs to reflect monthly revenue recognition
  • Management of credit risk and collections
  • Ability to transact billing on a monthly and/or annual basis
  • 24/7 end Customer Billing and Technical Support in local language
  • Pass through Microsoft service credits to customer service.  Approved service credits are provided to Partners, and it’s the Partners’ responsibility to pass through these service credits to their affected Customers since they own the Customer billing relationship.

A critical component of the CSP program is that the partner is the first point of contact for a customer support incident. Some types of support that partners are responsible for providing include:

  • Frontline billing and subscription
  • Provisioning
  • Answers to questions
  • Service and software updates
  • Software configuration
  • Performance issues within a partner’s span of control
  • Client connectivity and client desktop
  • Service availability issues within a partner’s span of control

Some types of incidents can be escalated to Microsoft, such as:

  • Supported tasks that are outside the functionality provided with available tools
  • Break/fix — undocumented problems with the service
  • Availability — service not accessible
  • Not operating according to service descriptions
  • Bugs and other irregularities that affect service appearance or operation
  • Large-scale network disruptions
  • Regional, multi-tenant impact




SPLA for On-Premises Servers – Microsoft’s best kept secret?

SPLA for On-Premises Servers – Microsoft’s best kept secret?

There is much talk about moving your IT into the cloud so you can enjoy the benefits of OPEX.  But what if keeping your servers on-premises still makes sense.  For example:

  • The server has not yet been financially written off
  • The server is still in great shape, but you need updated software
  • Your network bandwidth is not enough for the services you require access to
  • You have contractual or legislative agreements that dictate deployment options
  • You need for quick physical access to the server
  • Etc etc

In these circumstances the most likely response from a software distributor/reseller will be that you need to purchase software through a traditional volume license agreement.  This may be the right answer, however it does lock you into an upfront software purchase cycle.

But what happens if you need the flexibility to adapt to changing circumstances and enjoy a monthly subscription model that allows you to pay-as-you-go and pay-as-you-grow?

Cloud service providers have, for many years, been able to deliver this within their cloud infrastructure, using the Service Provider License Agreement (SPLA). However it was not possible with customer owned hardware deployed in customer premises.

HOWEVER in October 2013 this changed when Microsoft updated the terms of the SPLA.  This now allows your service provider (System integrator, reseller, managed service partner etc) to offer you a Cloud-like consumption model on your existing hardware, deployed in your premises.  This allows you to maximize existing hardware and network investments, within an OPEX model and provides flexibility to adapt to your changing IT needs.  Also by not having to buy licenses upfront you can repurpose you budget into other high value business areas.

What benefits are there with Microsoft SPLA vs Microsoft Open/Select Licensing?

  • Access all the most recent versions of Microsoft software for a standard monthly price. All are available to download, so there is no need to wait to receive physical copies.
  • Pay at the end of the month only for what you have consumed. This allows for minimal startup costs and better cash-flow management.
  • Licensing kept simple: No need for Server and CAL licensing calculation.
    • The per processor and per core model provides an unlimited number of users, access to the server software.  No separate SAL is required.
    • The Subscriber Access License (SAL) model, allocates a license for each unique user or device that is authorised to access the software.  No separate server license is required

So the next time you want to buy any Microsoft license, ask about SPLA and how you can enjoy the benefits of the OPEX way of subscribing and deploying these licenses on your own hardware on your premises

System Center Config Manager 2012 R2 – Windows 2012 R2 OSD Task Sequence

System Center Config Manager 2012 R2 – Windows 2012 R2 OSD Task Sequence



Desktop Support Escalation Tests

Desktop Support Escalation Tests

Level 1 HelpDesk

  • Document the exact error message and process to replicate the issues with the end user or process

Level 2 Desktop Support

  • Can you replicate the problem
  • Can you replicate the problem with another User Account
  • Can you replicate the problem with another Computer
  • Can you replicate the problem with Elevated privileges
  • Can you reset the Profile
  • Is the problem affecting single user or multiply user

Level 3 Server Support

  • Check all existing Settings
  • Check Eventlogs
  • Google the User error message
  • What has changed


Exploiting Unicode Character RTL ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)

Exploiting Unicode Character ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)


This is one of the easiest exploits to implement in a Microsoft Windows systems. Yet, its impossible to meditate against. This exploit can be used for domain names as well. :-



Obfuscating Executables



  • CORP_INVOICE_08.14.2011_Pr.phyldoc.exe, was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the unicode command for right to left override just before the “d” in “doc”.
  • SexyAlexe.ppt – > SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\u202Etpp.exe
  • \xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe
  • \u202Ecod.yrammus_evituc\u202D2011.exe
  • \xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr
  • \u202Etpp.stohsnee\u202Dfunny.scr

Microsoft Partner Information

Microsoft Partner Information

OSD – Injecting the Windows 7 Kernel Mode Driver Framework (KMDF)

OSD – Injecting the Windows 7 Kernel Mode Driver Framework (KMDF)

  1. Download the Kernel-Mode Driver from
  2. Open the MSU file with 7Zip software kmdf-1.11-Win-6.1-x64.msu and extract to a foldercalled Windows 7 KMDF 1.11
  3. Copy the contents to the OSD Folder location
  4. Identify location of the OSD WIM file
    1. Open ConfigMgr \ Software Library \ Operating Systems \ Operating System Images \ Select the Imaged and Open Properties \ Select Data Source and take note of image path
    2. \OSD\Operating System\Windows 7 Enterprise with Sp1 x64 – WIM only\install.wim
  5. Run Deployment and Imaging Tools Environment with Elevated Administrator Privileges – C:\Windows\system32\cmd.exe /k “C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\DandISetEnv.bat “
  6. DISM.exe /Get-WimInfo /WimFile:C:\test\images\myimage.wim /Index:1
  7. MD E:\Scratch Folder
  8. DISM.exe /Mount-Wim /WimFile:C:\test\images\myimage.wim /index:1
  9. DISM.exe /Image:C:\test\offline /Get-Packages
  10. Dism /image:C:\test\offline /Add-Package /PackagePath:C:\packages\
  11. dism /get-packages /image e:\scratch
  12. dism /unmount-Image /mountdir E:\Scratch /commit
  13. dism /unmount-wim /mountdir E:\Scratch \wimMount /discard
DISM.exe /Mount-Wim /WimFile:"E:\OSD\Operating System\Windows 7 Enterprise with Sp1 x64 - WIM only\install.wim" /index:1 /MountDir:E:\Scratch
DISM.exe /Image:E:\Scratch /Get-Packages
Dism /Image:E:\Scratch /Add-Package /PackagePath:"E:\OSD\Operating System\Windows 7 KMDF 1.11\"
DISM.exe /Image:E:\Scratch /Get-Packages

Package Identity : Package_for_KB2685811~31bf3856ad364e35~amd64~~
State : Install Pending
Release Type : Update
Install Time : 28-Nov-2014 5:10

dism /unmount-Image /mountdir:E:\Scratch /commit


Defending against CryptoLocker with Group Policy Software Restriction

Defending against CryptoLocker with CryptoLocker Group Policy Software Restriction

Latest variants of CrytoLocker can bypass Microsoft Endpoint Protection and latest Definitions.. :-

Please use the following Group Policy to stop its ability to execute from %AppData%:-

Computer Configuration\Policies\Windows Settings\Security Settings\Software Restrictions Policies\Additional Rules

*.SCR *.TMP are known virus extensions

  • %AppData%\*.exe Disallowed
  • %AppData%\*\*.exe Disallowed
  • %TEMP%\*.exe Disallowed
  • %TEMP%\*.\*.exe Disallowed
  • %TMP%\*.exe Disallowed
  • %TMP%\*.\*.exe Disallowed

2014-11-27 16_23_29-Group Policy Management Editor


** I would suggest block all files *.* or just selected executable file extensions:-

.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh,.htm

2014-12-19 16_53_21-Group Policy Management

More Locations to protect:

  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\7z*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\*.zip\*.exe

Registry lock down

I would suggest restricting these keys for users, but more testing is required

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Command to check: accesschk -w -s -q -u Interactive “C:\Windows”

2014-11-27 16_34_01-Command Prompt


If you do get hit:

  1. Shutdown the the affected workstation ASAP.
  2. Stop all File Shares
  3. Recover from the last known good backup. (We had VSS and NetApp) So only lost 4 hours of work
  4. Check Personal Storage Software like Dropbox, which got hit as well
  5. Upload the Virus File to or (This way virus engines will create a definition and help others not to get infected)

Deep Investigation

I looked a bit closer how these virus actually get executed:

  1. First method is to update the ICON file which is a executable *.exe to a of a PDF icon. Users normaly can’t see file extensions and will double click it thinking its a PDF File
  2. “Unitrix” exploit by Avast Unicode character is U+202E: Right-to-Left Override

 Other protection

  1. Edcuate Users
  2. Turn on Data Execution Prevention – System Properties / Advanced / Performance Options / Data Execution Prevention / Turn on DEP for essential Windows programs and services only
  3. User Access Control Settings – Always notify
  4. Internet Options / Security Settings – Local Intranet Zone
  5. Application Whitelisting

Educate Users

This kind of malware authors are releasing updates very quickly and changing significant characteristics of the malware families involved, evading anti-malware signatures. We see on a daily basis a lot of ransomware around 50 new sub-variants per day. The people who write this malware constantly make changes to the malware and test it against a large group of AV engines with the latest definitions to make sure it is not detected. Compare this with a website like only they have their own private environment. So it just like a race between the malware author with the AV software.

The use of public/private key cryptography makes it infeasible to discover/calculate the decryption key.
The malware encrypts files locally and on any mapped network drives expands the potential for damage.

Encrypted files are registered here : -HKEY_CURRENT_USER\Software\CryptoLocker\Files

Here is a latest blog from Microsoft Malware Protection Center for this kind of ransom. You can get some information about the common infection vectors.

Some others blogs;

  • Word OneNote Blog -
  • BGP Blog -
  • Excel Blog -

Emphasis the importance about educating the users, the attacker always try to infected the users by spam email and malicious website.

  1. On most of the infecting vectors, the attacker relies on social engineering to get you to run the program much the same way a con man gets your bank account details. Therefore the VERY FIRST line of defense to prevent this virus is DO NOT RUN ATTACHMENTS UNLESS YOU KNOW THEY ARE SAFE. You may also need to educate the users about the common attacking method the attacker use.
  2. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    Please also evaluate the write permission the share folder. Remove the unnecessary write permission.
  3. Always keep your patch levels up-to-date. Especially the Java, Adobe and IE. This may help to get rid of the attacker to use known vulnerabilities to infected the users. Simply visiting a compromised Web site can cause infection if certain vulnerabilities of the browser or the add-in are not patched.
  4. Filter the spam email on the email server. you can use some anti-spam software. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  5. We also need to back up our important documents regularly.

Offical Symantec MSS Alert


Symantec MSS Threat Landscape Update – Cryptowall 2.0


On October 15th, 2014, researchers from the Bleeping Computer forum released a blog article about a new variant of Cryptowall, a.k.a Cryptodefense. This malware is your traditional “ransomware” with some added features.


This new variant provides a unique bitcoin payment address to every infected user. Previously, all infected users paid into the same payment address, which meant that one infected user could redirect funds paid by another infected user.

Another new feature is the ability to securely delete the original files after they are encrypted. In the previous version, deleted files could be recovered using file recovery tools. Cryptowall 2.0 wipes the original files, making recovery impossible unless you pay the ransom or restore from backup.

All of Cryptowall’s ransom servers are located on the anonymous TOR network. Before, users had to install TOR on their systems in order to pay the ransom. This was a confusing process for the user, so the attackers moved to a web-to-TOR gateway which allows users to access TOR servers without having to install software. The old version of Cryptowall used a third party provider for this service, but once this was discovered it was blacklisted. The new version of TOR now uses its own web-to-TOR gateways, avoiding any blacklisting.

Cryptowall currently uses four web-to-TOR gateways as outlined by Bleeping Computer. They are the following:

  • Tor4pay[.]com
  • Pay2tor[.]com
  • Tor2pay[.]com
  • Pay4tor[.]com

This new variant is being distributed through phishing emails using the RIG Exploit kit.


For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

MSS SOC Analytics Detection

  • URL Analytics (WSM Signatures)

[MSS URL Detection] Possible Trojan.Cryptodefense(Cryptowall) C&C Traffic

Vendor Detection

  • Symantec AV




  • Symantec IPS

System Infected: Trojan.Cryptodefense Activity

Web Attack: Exploit Toolkit website 47

Web Attack: Malicious Executable Download 2

Web Attack: MSIE CVE-2013-2551 3

Web Attack: Rig Exploit Kit Website 5

Web Attack: Rig Exploit Kit Website 9

Web Attack: Rig Exploit Kit Website 4

Web Attack: Rig Exploit Kit Website 21

  • Snort/Emerging Threats (ET)

SID – 2809047 – ETPRO TROJAN Possible Cryptowall Infection in Windows Roaming Profile (DECRYPT_INSTRUCTION.URL ascii)

SID – 2018452 – ET TROJAN CryptoWall Check-in

SID – 2016809 – ET TROJAN Likely CryptoWall .onion Proxy DNS Lookup

SID – 2018610 – ET TROJAN Likely CryptoWall .onion Proxy Domain in SNI

SID – 2018397 – ET TROJAN Cryptodefense DNS Domain Lookup

  • Snort/Sourcefire

SID – 31450 – MALWARE-CNC Win.Trojan.CryptoWall Outbound Connection Attempt

SID – 31449 – MALWARE-CNC Win.Trojan.CryptoWall Downloader Attempt

SID – 32225 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31223 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31447 – BLACKLIST DNS Request for Known Malware Domain mediaocean[.]home[.]pl – Win.Trojan.CryptoWall

SID – 31448 – BLACKLIST DNS Request for Known Malware Domain nofbiatdominicana[.]com – Win.Trojan.CryptoWall

SID – 31369 – EXPLOIT-KIT Rig Exploit Kit Outbound Microsoft Silverlight Request

SID – 31455 – EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request

  • TippingPoint

HTTP: CryptoWall Communication Attempt

  • FireEye


This list represents a snapshot of current detection. As threats evolve, detection for those threats can and will evolve as well.


  • Rig Exploit Kit Used in Recent Website Compromise

  • Updated CryptoWall 2.0 ransomware released that makes it harder to recover files

  • Recovering Ransomlocked Files Using Built-In Windows Tools

  • CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at

Global Client Services Team

Symantec Managed Security Services

MSS Portal:

MSS Blog: