
Configuration Changes Pose Licensing Risks

Posted: November 3, 2014

Seemingly inconsequential configuration changes and other actions taken by IT administrators can potentially result in considerable unbudgeted costs for an organization in the event of a software license compliance check. In particular, enablement of high-end product capabilities, use of virtualization, server-based desktops, mixing multiple workload types, deployment of new software versions, and incorrect PC software installations can have unpredictable financial impact. Proper procedures including change control, proactive self-audits, and personnel training can help avoid or mitigate many of the most common sources of problems.

This report outlines some, but not all, of the many software configuration actions that can violate current licensing rules, or create the appearance of a violation, with costly consequences in a software license compliance check or audit. (See the sidebar "Software License Compliance Checks and Audits".)

Enabling Premium Client Features on a Server

When an organization enables some premium features of a Microsoft server application, the very act of turning the features on can obligate an organization to purchase expensive client-side licenses for every employee who accesses the server. For example, enabling Enterprise-level features in a SharePoint Server installation could require purchase of a SharePoint Enterprise Client Access License (CAL) for every employee or employee device, at a current cost of US$83 per device or US$95 per user. (All prices quoted in this report are U.S. Open No Level, which represents the highest price a U.S. customer would pay through Microsoft volume licensing programs.)

This problem occurs with some Microsoft server software licensed under the Server + CAL model. With these products, employees or their devices require a base CAL (usually called the Standard CAL) for the most commonly used features and an add-on CAL (usually called the Enterprise CAL) for access to advanced capabilities. SharePoint, for example, requires an Enterprise CAL to access some business intelligence, compliance, search, and application development features.

In the course of a license compliance check, server-application configuration will be checked to see if advanced features are enabled. In many cases, it will be assumed that all users have access to these features, unless the organization can show controls or produce monitoring data to prove that only employees or employee devices with Enterprise CALs have access to advanced features. For some products and features, this will be difficult to prove. With SharePoint, for example, IT administrators can enable features requiring Enterprise CALs for an entire installation (called a farm) with a single option during server software installation, and many of the features for compliance and search indexing apply globally to the entire installation. It is generally not possible to restrict such features to specific clients. Consequently, if Enterprise CAL-level features are enabled for a farm, even if they are not visible to most employees, an organization is still likely obligated to own Enterprise CALs organization-wide.

SharePoint may be an extreme case because features requiring Enterprise CALs can be enabled by a single configuration option at installation. However, similar problems arise with some other products, including the following:

Exchange Server. Compliance features such as data loss prevention (which detects messages containing sensitive data such as payment card numbers) can apply to all traffic passing through an organization. There is no way to systematically show that only a subset of the users benefits from these global features, so enabling them could obligate the organization for Exchange Enterprise CALs for all employees, at a cost of US$42 per device or US$48 per user.

Office Web Apps server software. The Office Web Apps server software enables users to view and (optionally) edit Excel, OneNote, PowerPoint, and Word documents in a browser. It is used by SharePoint Server (or SharePoint Foundation), Exchange Server, and Lync Server. By default, the software only enables viewing, which does not have specific client-side licensing requirements. However, if an IT administrator enabled editing, all users would have access to this capability. Since it would be hard to show that only a specific subset of users benefited, each client that had the ability to access the (Office Web Apps) server software would require a license for an edition of Office (generally Office Standard 2013, Office Professional Plus 2013, or Office 365 ProPlus).

Using Virtualization and Mobility

A set of licenses used to cover workloads running on dedicated physical servers can at times be insufficient to cover the same workloads when moved to virtualized server configurations, especially if the organization enables virtual machine (VM) mobility (such as VMware vMotion or Microsoft Hyper-V Live Migration) for high availability and disaster recovery. Thus, an IT administrator tasked with virtualizing existing workloads could inadvertently create software license compliance problems.

Virtualizing workloads can increase licensing expenses because many Microsoft server-side licenses cover only a specific number of VMs on the licensed device. Furthermore, while most server application licenses can be reassigned freely between computers if the licenses are covered by Software Assurance (SA), recent versions of server application licenses on their own (without SA) cannot be reassigned more frequently than once every 90 days, and server-side licenses for Windows Server are subject to this restriction regardless of SA status.

In general, a software license compliance check confirms that every physical server is licensed for the maximum number of VMs that the physical server might execute concurrently. This can be especially challenging if VM mobility features have been enabled. With VM mobility enabled, each physical server needs to be licensed for the complete set of VMs that it could ever run, compelling an organization to purchase additional licenses or to purchase SA for licenses so they can be moved with VMs.

Purchase additional licenses. For example, an organization might have 20 Windows Server workloads that are each running on its own dedicated server and licensed with a Windows Server 2012 Standard edition license. If these workloads are virtualized and consolidated onto four dual processor virtualization hosts with VM mobility enabled, then theoretically, each of the four hosts could at some point run all 20 VMs simultaneously (during maintenance or a system failure, for example). As a result, each host would require 10 Windows Server Standard licenses (each Standard edition license covers two VMs) or one Windows Server Datacenter license, which covers an unlimited number of Windows Server-based VMs on the licensed server. At a minimum, this virtualization scenario would require purchasing 20 additional Standard edition licenses or two Datacenter edition licenses.

Purchase SA for licenses. For example, an organization might have eight dedicated Exchange servers each licensed with an Exchange Server 2013 license. If these workloads are virtualized onto the same four server virtualization hosts as above with VM mobility enabled, the licensing would have to accommodate the possibility that any one of the four hosts could at some point be tasked with running all eight Exchange VMs. This can be accomplished with eight Exchange Server 2013 licenses covered with SA (with the SA providing unfettered reassignment) or the much more costly option of 32 Exchange Server licenses (eight for each of the four hosts). Note that SA can be purchased with a new license only; if a license is purchased on its own, without SA, SA cannot be added later without repurchasing the original license.

Deploying Applications Using Server-Based Desktops

Organizations often deploy centrally managed server-based desktops using Microsoft's Windows Server Remote Desktop Services role or Citrix's XenApp and XenDesktop products using either a session-based (commonly known as Terminal Services) or VM-based (called virtual desktop infrastructure, VDI) architecture. If an IT administrator makes Office, Project, or Visio available on server-based desktops without carefully restricting access, it can trigger considerable licensing liabilities.

Under traditional (i.e., not Office 365) Office, Project, and Visio licensing rules, each device used to access the client application user interface generally requires its own per-device license, regardless of whether or not Office is actually installed on the end-user device. In a license compliance check, it is likely to be assumed that all client devices in the organization have access to the applications running on these server-based desktops, unless an organization can show controls or produce monitoring data to show otherwise. For example, if an IT administrator installs Visio on a Terminal Server to satisfy the needs of a small group of users, failure to configure adequate restrictions could obligate the organization to purchase Visio licenses organization-wide, or be used as a lever to compel the customer to license Visio under Office 365's user-based licensing model.

Furthermore, even if traditional device-based application licenses have been purchased organization-wide, how an IT administrator configures access to server-based desktops can be a licensing issue. Specifically, unless the Office, Project, and Visio licenses are covered by SA, complying with licensing rules requires the IT administrator to configure the server-based desktop infrastructure to allow connections originating from an approved list of licensed devices only. However, SA-covered licenses generally make this unnecessary, since SA provides Roaming Use Rights, which allow the primary user of a licensed device to access the application inside the server-based desktop from certain non-licensed end-user devices such as a hotel kiosk.

Mixing Different Classes of Workloads on the Same Server

As a general rule, how Microsoft software is licensed depends on the context in which it is used. In particular, workloads used for development and test, production, and commercial hosting are typically licensed very differently. By inadvertently mixing different classes of workloads on the same server, an IT administrator can trigger additional licensing requirements and fees.

Mixing development/test and production workloads. For many organizations, the most practical way to license Microsoft software—including development tools, OSs, and server applications—used in the course of developing and testing systems is by purchasing Microsoft Developer Network (MSDN) subscriptions for all developers, testers, and administrators of the system. However, these MSDN subscriptions do not license software used outside of a development and test context. In fact, under MSDN licensing rules, if a physical server normally used for development and test runs even one production workload, all workloads on the server require production licenses. This can be a particular problem in virtualized data centers, where servers can run a mix of workloads that changes frequently, unless IT administrators are careful to keep production and development/test workloads segregated on separate server hosts. It can also be an issue when an application moves from the development to production phase. For example, if an application's database needs are provided by SQL Server running in a VM, and that VM is left in place on the same "development" server when the application goes into production, an auditor following a strict interpretation of the rules would conclude that none of the workloads running on that server are covered under MSDN and all would have to be licensed for production.

Mixing commercial hosting and production workloads. Similar problems can arise when a server assigned on-premises licenses (purchased under volume licensing programs) runs a workload that Microsoft deems as commercial hosting. While in some limited scenarios Microsoft allows licenses with active SA to be used to cover commercial hosting, in other cases an organization will require a Service Provider License Agreement (SPLA) and pay additional license fees (often in the form of per-user subscription fees). For example, a company that runs a third-party project management application internally might also offer it for a subscription fee for selected customers. If the customer instance of the application is on the same physical servers as the internal instances, those servers likely need to be licensed for commercial hosting. Depending on the details of the application and who owns it, the organization might have to pay ongoing subscription fees for all users of the servers.

Adding a New Version to a Production Network

Deploying a new version of a product licensed using the Server + CAL model on a server can trigger requirements for new CALs for all employees or employee devices. For example, if an IT administrator adds a server with the latest version of Windows Server (for example, to evaluate the new version, to begin migration to the new version, or as the underlying OS for a new version of a Windows Server-based application), the organization might have to purchase new Windows Server CALs for all employees at a cost of US$30 per device or US$34 per user.

The Server + CAL license model requires that the CAL version match or exceed the version of the server software installed. For example, access to Windows Server 2012 requires Windows Server 2012 CALs. (The one exception to the rule is Windows Server "R2" releases, which do not have their own CALs; access to Windows Server 2012 R2 is licensed using Windows Server 2012 CALs, for example.) Furthermore, in general, any employee or employee device that accesses a server indirectly, such as through an intermediate system, still requires a CAL of the appropriate version. For example, if a Windows Server 2012 domain controller replicates with other domain controllers running Windows Server 2008, employees authenticated by any of the domain controllers require Windows Server 2012 CALs. (Microsoft licensing rules sometimes refer to such indirect access as "multiplexing.") Indirect access can make it very difficult for an organization to show that only a specific set of employees had access to a new software version, and thus in a software license compliance check it would likely be assumed that all employee clients need the newer CALs.

Similar considerations apply to other Microsoft products licensed under the Server + CAL model, as well as SQL Server, which offers Server + CAL as one of its two supported licensing model options (the other being per-core). A particular risk is SQL Server database software, because SQL Server databases are frequently accessed by large numbers of employees indirectly through applications, reporting systems, data warehouses, or devices such as time recorders. Multiplexing problems can arise even when not upgrading versions. For example, automated replication between an internal SQL Server database and a database used by a public Web site could obligate an organization to license every client of the Web site for access to the internal SQL Server. Because buying CALs for each end user of the Web site is likely impractical, the organization might have to switch the licensing for the internal SQL server to per-core at considerable cost.

Installing the Wrong Product Edition

Installing a software edition different than the one licensed can generate additional licensing and operations costs. One surprising and common risk is installing the Office Standard suite in an organization that has licensed Office Professional Plus. Office Standard delivers a subset of Office Professional Plus features (it lacks the Access application, for example), but organizations are prohibited by the licensing rules from installing or using Standard in place of Professional Plus. At minimum, this error could require redeploying the edition licensed to all clients and incurring a significant operations cost.

Administrators generally realize that installing a more capable edition of a product than the one licensed is not permitted. However, with some products, it might not be clear which edition is being installed. For example, some Visio 2010 packages can install either the Professional edition or the more capable Premium edition, and Premium is the default. If uncovered during a software license compliance check, customers might have to purchase rights to Premium (either by buying new licenses outright or, if the existing lower-level edition licenses are covered under SA, by acquiring Step-Up Licenses) or, if a special exception were made, redeploy the product using the edition originally purchased.

Recommendations

Organizations can proactively reduce the risks described above with the following actions:

Change control. An organization's IT change control and project review processes should incorporate specific checks for the most common licensing problems, along with software licensing and purchasing personnel reviews.

Proactive licensing compliance checks. Organizations can perform regular license compliance checks themselves, possibly with the help of a third party. This can catch problems while they can still be remedied inexpensively.

Training. Organizations can train IT administrators on the basic elements of licensing, focusing on preventing violations like those explained above that can have large impacts on an organization's costs.

Resources

Exchange licensing is discussed in more detail in "Exchange 2013 Packaging, Pricing, and Licensing" on page 20 of the Mar. 2013 Update.

SharePoint licensing is outlined in the Sept. 2010 Licensing Guide, "Licensing SharePoint Server 2010" and "Server-Side Licensing Changes for SharePoint 2013" on page 18 of the July 2013 Update.

Windows Server 2012 R2 pricing and licensing is covered in "Windows Server 2012 R2 Pricing and Licensing" on page 16 of the Oct. 2013 Update.

SQL Server Enterprise licensing and virtualization is discussed in "Licensing Rules May Favor SQL Server Enterprise" on page 21 of the Feb. 2014 Update.

MSDN rules are explained in more detail in "Licensing MSDN Subscriptions for Application Development" on page 16 of the Sept. 2014 Update.

Software Asset Management license compliance checking and other services are summarized in "Software Asset Management Services Overview" on page 24 of the July 2013 Update.

Office licensing is summarized in "Office 2013 Perpetual Licensing Largely Unchanged" on page 15 of the Jan. 2013 Update.

Office Web Apps licensing is covered in "Licensing Office Web Apps" on page 13 of the Aug. 2013 Update.

Licensing Office in Terminal Services and VDI scenarios is covered in "Licensing Office for Server-Based Desktops" on page 20 of the Oct. 2014 Update.