Keep Control
Early in my career, working on a help desk, I learned that when a computer fault is logged, one of the first questions to ask is, “What changed?” My boss would always point out that computers don’t stop working without a reason, and he was right. Intentional or not, modifications to system configuration can create unexpected results.
In the case of desktops, functionality and performance problems frequently result from user actions, often indirect, that may have accumulated over a period of time. Users often hold system privileges beyond what they require for their daily tasks and rarely appreciate why a relatively simple change, such as installing a new program or device, might stop a computer from operating as expected. Faulty hardware components can also produce strange side effects. Even administrators, who understand the risks, sometimes implement untested changes to expedite tasks.
Change and Configuration Management
Along with security best practices, change and configuration management procedures can be used to prevent undesirable changes, reduce the risks involved in modifying critical systems and lower desktop support costs.
Standardizing your environment as much as possible (per the Federal Desktop Core Configuration) and creating tested and documented baseline images for your servers and desktops are the first, and most daunting, tasks. But then, when unexpected problems occur, you can compare the current state of a system against your baselines to determine exactly what has changed and, in extreme cases, roll your systems back to an earlier configuration.
It’s essential that changes made to critical systems are tested, approved and documented. If procedures are too time-consuming or complex, users will find ways to circumvent them. Basic change management procedures should be simple to introduce.
Security plays an important role in change and configuration management. Access to privileged accounts should be tightly controlled, and least-privilege security should be the rule to prevent unwanted change. A well-understood best practice, a least-privilege security policy gives users only the rights they need to be productive. This can be difficult to implement on the desktop; before Microsoft Windows Vista, Windows did not lend itself to working with nonadministrator accounts. But the right experience and knowledge can overcome the technical challenges.
Microsoft Operations Framework
Based on the IT Infrastructure Library, the Microsoft Operations Framework Version 4.0 is a practical guide for deploying and maintaining IT infrastructures. It is divided into four phases — Plan, Deliver, Operate and Manage — and offers a good foundation for managing the IT infrastructure.
Change and configuration management is included as part of MOF in the Manage layer as a Service Management Function (SMF). The basic principles outlined in MOF can be applied to an organization of any size.
MOF details the processes for seeing a change through to completion, which I’ll group together as follows:

| Step | Description |
| --- | --- |
| Establish a baseline configuration for your environment. | Ideally, a snapshot of your environment’s configuration should be made before and after every change. |
| Initiate, classify and approve. | Define the details of the change and why it’s required, then seek approval from the Change Advisory Board (CAB). |
| Develop, test and review for release readiness. | Write a plan for the technical deployment of the change, including how to perform a rollback should it prove to be ineffective. Include details of how you will validate whether the change has been successful. Have the plan reviewed by the CAB. |
| Release and validate. | Implement the change and validate whether it has been successful. |
Change management at the simplest level should include, for each critical system in your organization, a change log that outlines who changed what, when and for what reason. A more comprehensive change management procedure should require a roll-back plan in case things go wrong, details of the potential risks, sign-off from system stakeholders and information about any post-implementation problems. The stakeholders and change management team should analyze each request for change (RFC) carefully before granting approval.
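The baseline comparison described earlier and the change log described above can be combined: diff a system's current state against its baseline, then reconcile each difference with the log. The sketch below is an added example, not code from MOF or any Microsoft tool; the snapshot keys, log fields, RFC identifiers and values are all constructed for illustration.

```python
# Constructed snapshots: configuration item -> value (names are hypothetical).
BASELINE = {
    "software/ExampleApp": "1.4",
    "service/Windows Firewall": "running",
    "group/Administrators": "CORP\\Domain Admins",
    "driver/display": "8.1.0",
}
CURRENT = {
    "software/ExampleApp": "1.4",
    "service/Windows Firewall": "stopped",
    "group/Administrators": "CORP\\Domain Admins;CORP\\jsmith",
    "driver/display": "8.2.1",
    "software/ToolbarX": "1.0",
}
# Constructed change log: who changed what, when and for what reason.
CHANGE_LOG = [
    {"rfc": "RFC-EXAMPLE-1", "item": "driver/display", "new_value": "8.2.1",
     "who": "admin1", "when": "2009-03-02", "why": "fix display fault",
     "approved": True},
    {"rfc": "RFC-EXAMPLE-2", "item": "service/Windows Firewall",
     "new_value": "stopped", "who": "admin2", "when": "2009-03-05",
     "why": "troubleshooting", "approved": False},
]

def diff_snapshots(baseline, current):
    """Return {item: (old, new)} for every added, removed or modified item."""
    drift = {}
    for item in sorted(set(baseline) | set(current)):
        old, new = baseline.get(item), current.get(item)
        if old != new:  # None on one side means the item was added or removed
            drift[item] = (old, new)
    return drift

def reconcile(drift, change_log):
    """Sort drifted items into approved, unapproved (logged, not signed off) or unlogged."""
    approved = {(e["item"], e["new_value"]) for e in change_log if e["approved"]}
    logged = {e["item"] for e in change_log}
    report = {"approved": [], "unapproved": [], "unlogged": []}
    for item, (_old, new) in drift.items():
        if (item, new) in approved:
            report["approved"].append(item)
        elif item in logged:
            report["unapproved"].append(item)
        else:
            report["unlogged"].append(item)
    return report

if __name__ == "__main__":
    for status, items in reconcile(diff_snapshots(BASELINE, CURRENT), CHANGE_LOG).items():
        print(status, items)
```

Items that land in the unlogged list, here a new local administrator and an unexpected software install, are the ones that answer “What changed?” when no request for change explains them.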
Change and Configuration Management for Desktops
A strict change management procedure for desktops might seem excessive, but restricting the changes users can make, when combined with a balanced security policy, will lower support costs by helping the IT shop maintain a standard configuration across the enterprise.
Security technologies such as personal firewalls and User Account Control (UAC), which implements least privilege in Vista, can all help prevent unwanted changes. Windows XP post-Service Pack 2 comes with an enhanced (and switched on by default) firewall. Ensuring that personal firewalls are turned on, antivirus is kept up to date, patches are deployed and other defense-in-depth security technologies are enabled is crucial.
Change and Configuration Management Technologies
Although Windows doesn’t have any enterprise-class change management technologies out of the box, there are some tools that can help control and identify system changes. Vista and Windows Server 2008 include the Reliability Monitor, which tracks changes over time, such as software installs and driver updates. Management technologies such as disk imaging, Active Directory Group Policy, Access Control Lists and UAC can be used to implement and enforce configuration.
Microsoft’s Desktop Optimization Pack for Software Assurance customers includes the Advanced Group Policy Management tool, which lets administrators control who can edit Active Directory Group Policy Objects, with check-in/check-out functionality and offline editing. It also includes an approval system so that changes can’t be rolled forward into the production environment without consent.
Microsoft’s System Center Configuration Manager features the Desired Configuration Manager tool for enforcing policies and baseline configurations. ChangeAuditor from Quest Software offers comprehensive auditing for Active Directory, which is especially useful when there are many administrators with privileged access.