Tidy Up
Dynamic or fully automated systems that are strategic assets to an organization might seem like a far-off dream, but infrastructure optimization models and products can help get you a step closer to making IT a valuable asset.
Microsoft Infrastructure Optimization (IO), based on Gartner’s Infrastructure Maturity Model, provides a simple structure for evaluating the efficiency of core IT services, productivity and application platforms.
Though the ultimate goal is to make IT a process enabler across all three areas, you'll need to concentrate first on standardizing core services: moving your agency from the basic level of the model (in which most IT tasks are carried out manually and knowledge lives in people's heads) to the standardized level, where configurations are consistent, some tasks are automated and procedures are written down.
An IDC study of 141 enterprises with 1,000 to 20,000 users found that PC standardization and security management could save up to $430 per user annually; standardizing systems management servers could save another $46 per user.
The Basics
Anyone who's ever had to set up and maintain shared resources without a server to provide basic infrastructure services such as Domain Name System (DNS) and directory services will know how problematic that task can be. Windows Server in its various editions (Foundation, Small Business and Standard) can authenticate users and computers, and control access to systems and applications using Active Directory (AD). Other networking infrastructure services such as Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS; only needed where legacy NetBIOS-dependent applications remain) and DNS can be hosted on the same server.
Non-Windows devices can also authenticate against AD, typically over LDAP or through RADIUS (Windows Server's Network Policy Server acts as a RADIUS server in front of AD). For instance, why maintain a separate list of user names and passwords on a virtual private network device if it can use AD? Users would need to remember only one set of credentials for accessing network resources, an account disabled in AD is disabled everywhere at once, and support costs fall accordingly.
Though there are no technical requirements for configuration management in the standardized level of Microsoft IO, configuration and change management processes must be defined. It’s worth noting that you can centrally manage and enforce configuration settings for Windows clients and servers via AD Group Policy.
Many sysadmins were put off by Group Policy’s complexity when it was introduced with Windows 2000. Management tools have since matured, and the Group Policy Management Console — which can be downloaded from Microsoft and is included with Windows Server 2008 — provides a modeling tool for evaluating the results of a particular set of applied policy objects. Virtualization products such as Hyper-V and VMware Workstation also make it easy to test Group Policy in a lab. Central management can save up to $190 per PC per year.
Patching and Endpoint Security
Windows Server Update Services, a free component of Windows Server, can be used to patch Windows and other Microsoft products, and its reach can be extended to third-party applications with System Center Configuration Manager (SCCM) or System Center Essentials (SCE). Microsoft's latest Security Intelligence Report shows that 86 percent of reported vulnerabilities affected third-party applications or other non-Microsoft software, so patching the operating system alone leaves most of the exposure in place. At a push, Group Policy software installation can distribute application patches packaged as MSI or MSP files, but it offers no scheduling, reporting or bandwidth control and is far less flexible than SCCM.
Enterprise-class antivirus programs, such as those offered by Symantec or McAfee, should be used to protect clients, servers and special applications such as Exchange and SharePoint. Starting with XP, all Windows clients and servers include a firewall, which should be turned on and managed centrally using Group Policy. Some security suites also include endpoint firewalls with advanced functionality. Comprehensive endpoint security can save $130 per PC per year.
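Group Policy only helps if the settings actually reach the endpoints. The following script, an example added here rather than code from the original article, reads the policy registry hive on each computer in a list and reports whether the WSUS client settings and the domain-profile firewall setting discussed above have been applied. The WSUS URL, the computer list file and the registry paths are the standard Group Policy locations, but the server name and file name are assumptions; run it from an administrative workstation with remote registry access to the targets.

```powershell
# Added example (not from the original article): verify that WSUS and Windows
# Firewall Group Policy settings have actually applied on a set of endpoints.
# Assumptions (hypothetical): WSUS at http://wsus.example.gov:8530, computer
# names one per line in .\computers.txt, caller has remote registry rights.
param(
    [string]$ExpectedWsus = 'http://wsus.example.gov:8530',
    [string]$ComputerList = '.\computers.txt'
)

$hklm = [Microsoft.Win32.RegistryHive]::LocalMachine

function Get-PolicyValue {
    param([string]$Computer, [string]$Key, [string]$Name)
    # Group Policy writes client-side settings under HKLM\SOFTWARE\Policies.
    # Reading them remotely shows what actually applied, not what the GPO says.
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hklm, $Computer)
        $sub  = $base.OpenSubKey($Key)
        if ($sub -eq $null) { return $null }   # key absent: setting not policy-managed
        return $sub.GetValue($Name)
    } catch {
        return $null                            # host unreachable or access denied
    }
}

function Test-EndpointCompliance {
    param([string]$Computer)

    $wuKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $fwKey = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

    $wuServer  = Get-PolicyValue $Computer $wuKey 'WUServer'
    $useWu     = Get-PolicyValue $Computer "$wuKey\AU" 'UseWUServer'
    $noAuto    = Get-PolicyValue $Computer "$wuKey\AU" 'NoAutoUpdate'
    $fwEnabled = Get-PolicyValue $Computer $fwKey 'EnableFirewall'

    New-Object PSObject -Property @{
        Computer         = $Computer
        WsusServer       = $wuServer
        # Enforced only if the client is told to use our WSUS and auto-update is not disabled
        WsusEnforced     = ($useWu -eq 1 -and $wuServer -eq $ExpectedWsus -and $noAuto -ne 1)
        # $null here means the firewall state is left to the local host, i.e. not central
        FirewallByPolicy = ($fwEnabled -eq 1)
    }
}

$results = Get-Content $ComputerList | ForEach-Object { Test-EndpointCompliance $_ }
$results | Format-Table Computer, WsusEnforced, FirewallByPolicy, WsusServer -AutoSize

# Hosts that fail either check are candidates for a "gpresult /h" report on the host itself.
$results | Where-Object { -not $_.WsusEnforced -or -not $_.FirewallByPolicy } |
    ForEach-Object { Write-Warning "$($_.Computer): policy not applied" }
```

A host that reports FirewallByPolicy as false may still have its firewall switched on locally; the point of the check is that a locally configured setting can be switched off by any local administrator, whereas a policy-managed one is reapplied at every refresh.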
Any organization connected to the Internet over a shared connection is likely to have a firewall or network address translation device in place, providing some degree of protection for intranet clients (a NAT device drops unsolicited inbound connections, but it inspects nothing and is not a substitute for a firewall). Ideally, a good hardware firewall or server-based firewall (such as Microsoft ISA Server) with stateful inspection and application-layer filtering should be deployed at the network edge.
Disaster Recovery and Image Deployment
Although Windows provides simple backup and restore functionality, it’s likely that all but the most basic setups will require a specialized product (for example, Backup Exec) or a dedicated server (such as Microsoft’s Data Protection Manager), which can consolidate data and provide centralized backup from multiple sources.
Limiting the number of OSes that you support to a maximum of two and creating a set of standard images for deploying them can save up to $110 per PC per year. Windows Server includes Windows Deployment Services, while SCCM provides more advanced OS deployment features. Symantec’s Ghost Solution Suite 2.5 is also capable of deploying images to multiple machines. Norton Ghost 14.0 is a good imaging solution for small organizations.
Mobile Devices
Managing mobile devices to ensure they remain secure and updated is probably one of IT's biggest challenges. Exchange Server 2007 contains a set of ActiveSync mailbox policies for controlling Windows Mobile-based devices (device PIN requirements, inactivity lock, wipe after repeated failed PINs, and whether devices that cannot enforce policy are allowed to sync at all), and SCCM provides more advanced functionality, such as the ability to distribute software. Should a device be stolen, Exchange ActiveSync remote wipe can erase confidential data; note that the wipe is queued on the server and executes only when the device next synchronizes, so a device whose SIM has been removed may never receive it. BlackBerry devices can be managed by server software from Research In Motion.
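The policy and wipe steps described above, as an added example written for this page rather than taken from the original article, using the Exchange Server 2007 Management Shell. The policy name, OU, mailbox and e-mail address are hypothetical.

```powershell
# Added example (not from the original article): enforce an ActiveSync mailbox
# policy and remotely wipe a stolen device from the Exchange 2007 Management Shell.
# Hypothetical names: policy "Agency-Handhelds", OU "OU=Field,DC=agency,DC=example",
# mailbox "jdoe".

# 1. A policy that requires an alphanumeric PIN, locks after 15 minutes idle,
#    wipes after 8 failed PINs, and refuses clients that cannot enforce policy.
New-ActiveSyncMailboxPolicy -Name 'Agency-Handhelds' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false `
    -DeviceEncryptionEnabled $true

# 2. Assign it to every mailbox in the field OU; other mailboxes keep the default policy.
Get-Mailbox -OrganizationalUnit 'OU=Field,DC=agency,DC=example' -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy 'Agency-Handhelds'

# 3. Confirm the device acknowledged the policy (DevicePolicyApplicationStatus)
#    before trusting that the PIN and wipe settings are in force on it.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Format-List DeviceID, DeviceType, LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Wipe a stolen device. Assumes one Windows Mobile partnership on the mailbox.
$device = Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Where-Object { $_.DeviceType -eq 'PocketPC' } | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses 'jdoe@agency.example' -Confirm:$false

# The wipe only runs when the device next syncs: DeviceWipeSentTime is set now,
# DeviceWipeAckTime stays empty until the device reports the wipe complete.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Format-List DeviceID, DeviceWipeSentTime, DeviceWipeAckTime
```

Keep checking DeviceWipeAckTime until it is populated; until then the data on the device is intact and the incident should be treated as an open data exposure. Disabling the user's AD account in parallel stops the device from syncing new mail but does not cancel the queued wipe.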
Server Monitoring
Monitoring servers and other important infrastructure devices is essential for anticipating potential problems and maintaining a good level of service. System Center Operations Manager or Essentials can be used to monitor Windows servers and other devices.
Nontechnical Competencies
Technical incidents are often caused by a lack of change-control procedures. Microsoft IO standardization requires change and configuration management processes to be defined. Even a simple spreadsheet to record changes, along with limiting access to administrative privileges on servers, can provide a more stable environment. Processes must also be defined for problem, incident and service management — and be consistently applied.
It may not seem to fit with core IT services, but all software should be evaluated and tested. This is a best practice when working with standard images and security controls on desktop computers. Software shouldn’t be installed unless it is part of your agency’s approved software portfolio.