the complete systems management book

Upload: leo-adams

Post on 05-Apr-2018


  • 7/31/2019 The Complete Systems Management Book


    The Complete Systems Management eBook

    2010 KACE Networks. All rights reserved.

    The Complete Systems Management Book

    An introduction to integrated and automated IT system management.

    [Cover figure: KACE K2000 Deployment Appliances and KACE K1000 Management Appliances, with the labels Power Management, Configuration Management, OS Imaging, Network OS Install, Centralized Deployment Library, User State Migration, Recovery, Security & Patching, Discovery & Inventory, Asset Management, Software Distribution, Remote Control, Service Desk.]


    Table of Contents

    - Introduction to IT Systems Management
    - Device Discovery and Computer Inventory
    - Asset Management and Software Compliance
    - System Deployment and Operating System Imaging
    - Software Distribution and Management
    - Patch Management
    - Configuration Management and Scripting
    - Security Audit and Enforcement
    - Administration
    - Service Desk
    - Recovery and Repair
    - Evaluation Criteria


    Introduction to IT Systems Management

    IT systems management includes the personnel, processes, and software tools utilized to deploy, track, update, and secure hardware and software resources across an organization. Building an efficient management system requires unifying all of these IT resources to coordinate IT efforts, streamline tasks into cohesive workflows, and automate administration services.

    A good systems management strategy optimizes IT team efficiency and effectiveness by (1) identifying the basic user services to be provided by the IT team, (2) defining processes to provide these services, and (3) employing management tools with policies to streamline and automate the defined processes.

    IT management tools are employed by the IT team to coordinate management tasks such as inventory collection and reporting, software delivery, patch updates, and disk imaging, plus security enforcement and other administrative tasks. Handling these routine, repetitive management tasks using coordinated policies and tools supported by a consolidated management system allows the IT team to focus on more pressing and strategic issues.


    Challenges Confronting IT Teams

    Pressures to "do more with less" are universal for IT departments, with expectations from management to continue current support standards. At the same time, new responsibilities emerge for the IT engineer:

    - Support for a higher ratio of at-home and remote employees and contractors,
    - Adapting to operating systems and devices for business users,
    - Leveraging server and client virtualization technologies.

    As the IT professional, you need to juggle current challenges while keeping abreast of future possibilities.

    Ongoing Administration Tasks

    Regardless of size, mission, or market, each organization's IT team hears the same daily problems like a rising chorus of discontent: Salesmen accuse the IT engineer of slowing down innovation and revenue opportunities to meet obscure corporate security regulations. Development engineers claim to need special access to the Internet cloud but will not budge in supporting a VM or rogue network policy. Finally, as always, users just want what they want when they want it. The cacophony of voices and demands directed at the IT team is relentless and at times blurs into background chatter.

    But there is hope in meeting all IT challenges by implementing a centralized, collaborative IT management system. A centralized management system optimizes IT resources and establishes repeatable processes to reduce IT costs, meet ongoing daily challenges, and serve as a foundation for implementing new practices and tools for the future.


    Identifying Basic Management Practices

    Systems management strategies differ based on varying vertical markets and business opportunities, but in general the following basic practices are required to implement a baseline IT management system:

    - Device discovery and computer inventory. Discover and identify computer resources and configuration.
    - Asset management and software compliance. Track hardware and software usage.
    - System deployment and operating system imaging. Deploy computers using disk imaging or scripted installs.
    - Software distribution and management. Make software available to the right personnel.
    - Patch management. Distribute OS and application updates.
    - Configuration management and scripting. Update network and system setting policies.
    - Security audit and enforcement. Verify appropriate security is enforced in an environment.
    - Administration. View alerts and generate in-depth reports.
    - Service desk. Manage tickets and establish workflows.
    - Recovery and repair. Access and repair computer devices remotely.
    - Evaluation criteria. Purchasing the right system.

    Each organization needs to evaluate its specific needs in providing and implementing core IT management services. Whatever the size, challenges and opportunities of a company or organization, there are always risks involved when updating a system and forecasting a return on investment. In general, the IT team needs to define the level of services in supporting an organization and design a management system that employs tools that conform to its specific needs.


    Finding the Right IT Management System

    Basic IT management systems need to conform to an organization's current support practices while allowing for growth. Matching management practices for an organization with the right management tools can be perplexing without a few guidelines.

    Incomplete Point Solutions

    Whether you are a director of IT supporting 10,000 nodes for a bio-agricultural conglomerate or the lead IT engineer managing a distributed law group, you most likely struggle to unify your IT strategy and consolidate all of the disparate management tools. Many organizations rely on single-task point solutions designed for a specific job, such as separate software management, asset tracking, or disk imaging products. These disparate tools and isolated processes ultimately lead to increased costs and wasted resources. Mixing multiple management tools leads to overlapping processes, remote data stores, and the need for additional personnel to train and use all of these dissimilar tools.

    Gathering inventory and asset information without associating data and then using it to implement software delivery tasks, imaging jobs, or help desk assistance, or using it to perform security audit checks precludes any type of automation or interaction of services. Furthermore, without a first step toward consolidated systems management, there will not be a second step toward event-driven remediation, reactive configuration, or cost-reducing virtual software deployments.

    System Overkill

    While too little attention to building a comprehensive management system eventually inhibits productivity and affects bottom-line profits, so can immersing too deeply in an IT management system that is too complex and costly for your needs.

    Many IT management systems try to bridge the gap between large enterprise customizations and small-medium business needs. But straddling both markets is difficult, and it also leads to inordinate customization requirements and large implementation bills to set up, train, and maintain each phase of a contract. In many cases, the initial purchase price of setting up an enterprise-level management system is the least expensive part. Ongoing and aftermarket costs may be prohibitive given the business requirements.

    Between too little investment and too much investment in IT system management, there is middle ground. The answer is a simple, efficient, integrated system that takes care of the basics, requires little time to get up and running, and is simple to use, train, and implement.


    Choosing a Simple and Unified IT Management System

    A collaborative IT management system that is easy to implement and employ is the foundation of any IT strategy. Unlike point solutions, a unified system associates data from a common database and allows tools to interact as sequenced workflows. Unlike complex enterprise systems requiring excessive setup and configuration costs, a collaborative and straightforward IT management system furnishes the IT team with easy installation, an easy-to-navigate console, and easily accessible features.

    Good IT systems management combines and balances IT personnel, processes, and tools for each environment. Balancing these three ingredients requires an evaluation of the goals established for the IT team and the practices required to meet your unique challenges.

    IT Services

    IT services discussed in detail in these chapters include:

    - Device Discovery and Computer Inventory
    - Asset Management and Software Compliance
    - System Deployment and Operating System Imaging
    - Software Distribution and Management
    - Patch Management
    - Configuration Management and Scripting
    - Security Audit and Enforcement
    - Administration
    - Service Desk
    - Recovery and Repair
    - Evaluation Criteria


    Device Discovery and Computer Inventory

    Discovery of hardware devices across the organization and taking an inventory of the hardware properties and installed software is a critical job for any IT engineer. Determining what computer resources exist on the network, how the devices are configured, and how to effectively use this information is a fundamental requirement in generating corporate audit reports and the day-to-day monitoring of resources. Accessible and associated device data gathered and organized as baseline information is also a necessity before venturing into any level of automated IT management services.

    Running a periodic, in-depth inventory of devices provides updated information that should be stored in the database, allowing for the easy generation of custom audit reports and real-time dashboard views to monitor device status. But beyond basic reporting features, collecting and associating device inventory data also allows for standard configuration sets with common characteristics. Establishing standard groups with common characteristics and support needs reduces reactive, one-off support tasks from the service desk, and provides for effective grouping when designing automated system management policies.


    Challenges of Device Discovery and Inventory Management

    What computer devices am I supporting? What state are they in? How do I best collect, organize, and use this inventory information? These are but a few of the most pressing questions for the IT manager.

    Identifying hardware and software resources across the organization. Basic discovery of devices and periodic inventory scans provide a clear view of the digital assets and their characteristics for the IT engineer. A complete inventory is needed to understand what is required in order to proactively plan and implement a supportable inventory management process.

    Managing groups of devices based on characteristics, configuration, and other common properties. Instead of piecemeal administration of devices, the IT engineer needs to design policies and run tasks for groups of computers with the same configuration. Identifying and grouping device types based on criteria such as manufacturer, operating systems, installed software, device location, department and configuration settings allows the IT team to build policies and support one-to-many administration tactics.

    Gathering inventory data from remote sites and users. The current workforce for many organizations is geographically distributed and reliant on contractors or at-home workers, as well as support for satellite offices or travelling users. Today's IT engineer must be able to gather inventory for all devices and installed software regardless of location or travel schedule.

    Generating reports. The IT manager also answers to his or her executive, and like all managers needs to account for resource expenditures while optimizing resources. This requires pre-configured or custom reporting features to meet standard and ad hoc reporting needs across the organization.

    To meet these IT challenges to discover and inventory computer devices, the IT team designs processes and practices to implement basic inventory services.


    Best Practices for Inventory Management

    Inventory management requires discovering devices, running an inventory to gather and store device data, and associating data to standardize configuration sets and rationalize content. Best practices include both agentless discovery features and agent-based communication between the client device and managing server. Additional best practices define regular, frequent polling periods to update inventory data and set up queries to generate required reports and displays.

    A complete inventory management system includes several basic practices, as follows.

    Device discovery and agentless inventory

    Discovery of computer devices on the network using basic SNMP calls or ICMP pings without an agent installed allows the IT engineer to identify computer devices on the network to (1) install an agent for full management support, or (2) to use agentless protocols to track computer devices, printers, routers and firewalls where installing agents is not practical or possible. Agentless scans across the network identify and catalog all connected network devices using SNMP or IP address scans and open port data on the network for each device. Discovering devices on the network requires the ability to access and synchronize device and user data from the network directory (AD or LDAP), or to scan across the network with agentless searches using pings or SNMP and other standard open protocols.

    - Network directory integration. Real-time integration with directory services such as LDAP and Active Directory (AD) allows organizations to access data dynamically through their directory services for the creation and management of device and user groups, as well as set up user authentication. Updating device data from the directory services allows organizations to quickly set up management groups and define users. As directories change, groups will dynamically update and automatically respond to any new credentials for user authentication when changes are made in LDAP or AD.
    - ICMP pings. Internet Control Message Protocol (ICMP) is a core protocol in the Internet Protocol Suite. It is primarily employed by operating systems to send error messages indicating that a requested service is not available or that a computer device cannot be found. Basic ICMP discovery across defined IP address ranges allows the management system to receive ICMP echo response replies to discover individual devices without an installed agent.
    - SNMP. Simple Network Management Protocol, or SNMP, is a component of the Internet Protocol Suite (commonly known as TCP/IP) and includes standards for network management tools to describe and report a system configuration. SNMP exposes management data on the managed systems and describes the system configuration.

    For organizations that can utilize the rich content and management tactics inherent in agent-based inventory features, discovery of devices also allows the IT engineer to efficiently deploy the management agent.

    Agent-based inventory for hardware and software

    Managed computer devices with an installed agent communicate at scheduled intervals with a management server that saves device information to a database, capturing a rich and current data set for each device. This allows for reliable reporting and filtering to generate dynamic collections of devices. Server-to-agent communication allows for updates of configuration settings, an up-to-date list of installed software applications, and the ability to capture significant device attributes as defined by the IT team.

    Once the agent is installed, the IT management system can run a more detailed hardware and software inventory to access and view information for each device. Data can be associated with other services to sync with asset information in associating discovered devices with their warranty information, and to generate an email when that warranty expires.

    | Gathered data from agent | Description |
    | --- | --- |
    | Configuration settings | Capture network, device, BIOS settings. |
    | Operating system status | Identify installed patches, memory usage, personal settings. |
    | Hardware models and attachments | Report vendor, model numbers, RAM, components. |
    | Network configuration | View and modify IP address, LANs, VLANs, routers. |
    | Installed software applications | List installed software applications and settings. |

    An agent-based inventory allows you to capture all information required for reports and integrated workflows with other management components.


    Automated Policies

    Gathering inventory data is only the first step in setting up a comprehensive agent-based inventory system. With rich inventory data collected and stored in a common IT management database, the management system can then use the device data for ongoing IT tasks.

    For example, when deploying a laptop for the first time, vendor serial numbers or service tags can be entered in the system. When the device logs into the network, the device is recognized and inventory data captured and compared to ensure system requirements are met for delivery of authorized software or to synchronize licenses. Listing and comparing device inventory data with asset information lets the IT team sync up the device with hardware warranty information for asset tracking.

    Based on configuration sets defined by device characteristics, IT engineers can design automated policies to deploy software based on a specific model or application to a certain business unit. Dynamic groups can be filtered to patch an operating system based on service pack, or assess security software and settings. Based on established policies, the hardware and software inventory data can be updated each time the agent connects to proactively remediate any flagged issues based on configuration settings and other selected characteristics.

    Dynamic Groups

    After capturing an inventory of hardware configuration values, the next step is typically to set up filters that create collections or groups of devices based on hardware types, installed software, or organizational unit for reporting and advancing management operations. This allows the IT team to quickly identify the hardware and software status and schedule jobs such as software delivery and patch updates. Filtering out properties based on operating systems, physical location, or even available disk space allows you to set policies directed specifically at the correct devices.


    Groups can be created using a filter based on criteria of any identified computer properties, including:

    - organizational unit set in the directory
    - location of the device
    - type of operating system
    - hardware specs and add-ons
    - software installed
    - custom fields to allow flexible grouping

    By using established groups such as operating system type, device type, or organizational units, IT teams can quickly push out patches or distribute required software to the right departments. To create unique groups, a filtering system is required to associate devices based on data sets in the database. On-the-fly groups may be based on disk space unused values, OS type, vendor, or warranty information.

    Reporting

    Inventory information gathered from each computer device on the network provides the baseline data used to populate the IT system management database. From this database, any type of inventory, audit (such as Sarbanes-Oxley), or custom report can be generated. The IT management tool should offer commonly used pre-configured reports and an easy-to-use interface for creating custom reports from any tables in the database.

    With a common database populated with up-to-date device and configuration data, inventory management tools can generate reports through a web page or highlight an event that displays as an alert on a real-time dashboard view. Complete reporting of historical information, details such as registry entries, files, service pack status, or any other data captured can be displayed also. Software reporting examples include operating system status, installed applications, registry entries, and patch status.

    Captured inventory data must be placed into meaningful reports. The ability to quickly generate information for management based on various criteria is a necessary feature of any good management system. The custom reporting features required allow IT teams to calculate and display data as needed. The reporting tools must be easily customizable with wizards, and provide the option for native standard SQL searches to ensure full access to the reporting data for power users and 3rd party SQL reporting tools. Finally, reporting features in the IT management system typically provide web interfaces to view the inventory information and results of wizard-based reports.


    Asset Management and Software Compliance

    Tracking all hardware and software assets across an organization is best accomplished using the collaborative data capabilities of a relational database and an integrated asset management system. Collaborative asset management includes tracking each product's associated software licenses, warranties, audit trails, configurations, contracts, assignments and service history. Successful asset management automates the repetitive accounting duties of asset tracking and furnishes the IT team with administration workflows that give actionable information for ongoing deployment, configuration and purchasing decisions.

    Capturing asset data provides baseline information about every resource in the environment and allows IT managers to save costs and streamline resources using consolidated and centralized asset management practices. A collaborative IT management system handles ongoing reporting and configuration management services, but also populates the database for use with other services. In addition to basic product tracking and audit reporting, asset management tools capture and associate data to generate targeted reports and employ integrated workflows by working with inventory, software distribution, help desk and other system management services.


    Challenges of Asset Management

    IT teams track and report all computer assets as well as non-computer products for the organization. The team ensures license compliance, tracks service and user history of each asset, and associates asset data with other systems and management solutions, as well as some other basic tasks, covered here.

    Track computer and non-computer assets. Throughout the lifecycle of an asset, the IT engineer needs processes and tools to formally track products and generate reports for audit and management needs.

    Verify software compliance. Software is an asset that requires tracking and the ability to install on various computers for different needs, including increasingly popular virtual applications, while ensuring licenses meet actual installations.

    Reconcile assets. IT teams need to reconcile what is on the balance sheet with what is actually in physical inventory. This requires features to document license compliance and gain insight into asset disposition and ownership.

    Notify when a warranty will soon elapse. Link warranty information with an email policy that will send an alert about computer status and options to upgrade policies or products.

    Track software usage. How often software is used and when it is used can lead to better purchasing contracts at minimum, or be used to reconcile licenses for deploying virtual installations for specific projects.

    View asset history. Actions and modifications to an asset as well as attachments and installed software can be saved to a common database for custom audit reports, troubleshooting assistance, or for viewing warranty or service information.

    Import data from other systems. IT teams very often need to import data from other databases, spreadsheets or legacy point solutions. Thereafter, systems for purchasing, shipping and receiving and human resource interaction can be established.

    To meet these IT challenges to discover and inventory computer devices, the IT team designs processes and practices to implement basic asset management services.


    Asset Management Best Practices

    Successful asset management and software compliance includes the following best practices.

    Creating new asset records and assigning to users

    Creating asset records in an IT management system falls under two main categories: (1) Establishing an ongoing asset tracking workflow for adding new assets using automated device discovery, barcode scanning, vendor data or simple input; and (2) migrating asset data from legacy applications, independent databases or simple Excel spreadsheets to the new Configuration Management Database (CMDB). Assigning assets to the respective personnel numbers and integrating with HR records or downloading asset warranty information from the vendor is also handled.

    Incorporating asset management practices requires a system that is flexible enough to create or modify asset templates and to support additional field types that associate the asset with its attachments, installed software applications, and create other meaningful associations.

    Assigning users to the asset upon receiving the asset operation allows the IT team to identify the resource and create a record to associate with ongoing inventory and software delivery workflows.

    Creating new asset types

    Successful asset management strategies require flexible creation of new asset types to meet each organization's unique inventory of assets. The IT management system should provide pre-configured asset templates for standard hardware and software resources, licenses and organizational elements, as well as features to easily create new asset types or modify existing asset templates. New or modified asset types can be linked to any other asset type and support a comprehensive list of field types to define attachments, installed software and other asset properties. Above all, adding and modifying asset types should be easy to use and customizable to meet each organization's unique asset management and compliance needs.

    Asset tracking and history

    Basic asset management should include a full audit trail of all asset changes, including software upgrades and hardware attachment, and driver and configuration changes throughout the product's lifecycle. This allows for better asset management control and accountability.


    Viewing the asset history allows the help desk to troubleshoot problems and make decisions to repair or replace the asset. Department managers can evaluate the life of the warranty and prioritize purchases based on value of the asset and status, and balance budget and productivity requirements.

    Verifying software compliance

    Ensuring that installed software applications comply with the IT team's reckoning of the number of purchased licenses requires an interaction between inventory management tasks (and its resulting data saved to the database) and asset management tasks. By comparing recent inventory data with asset data that references licensing, warranty and specification information, IT managers can sign off on compliance reports, harvest licenses, reduce volume licenses and discover unapproved software installations.

    Tracking software compliance must be automated and invisible. Behind the scenes, asset management can define groups based on an installed application version and monitor the number of licenses installed, even as new versions become available. Automated asset management and reporting features allow for comprehensive management of software license agreements for upgrades. This information can be valuable when negotiating ongoing volume software purchases.

    Metering software usage

    Metering software usage allows IT teams to identify what software is used across the organization compared to what is actually installed. Reporting on genuine usage allows for licenses to be reassigned, harvested for future users, or retired completely. This practice can significantly reduce software-licensing costs.

    Metering software usage data can include a count of application launches, total minutes used or when the application was last used. Automated software alerts and email can be set and synched to a contract expiration and subsequent renewal if warranted.
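An added example (not from the ebook or any KACE product) of the comparison described under "Verifying software compliance" and "Metering software usage": agent inventory records are reconciled against purchased license counts, unlicensed titles are flagged, and metering data marks installs that can be harvested. The titles, device names, dates, the 90-day idle threshold and the `reconcile` function are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Install:
    """One row of agent inventory: a title found on a device, plus metering data."""
    device: str
    title: str
    last_used: Optional[date]  # None means the application was never launched


# Constructed sample data: seats purchased per title, as an asset database would hold it.
LICENSES = {"OfficeSuite": 3, "CADTool": 2, "PDFEditor": 2}

# Constructed sample data: what the agents reported, including one duplicate report.
INVENTORY = [
    Install("LT-001", "OfficeSuite", date(2018, 3, 30)),
    Install("LT-001", "OfficeSuite", date(2018, 2, 1)),   # older duplicate report
    Install("LT-002", "OfficeSuite", date(2018, 4, 2)),
    Install("LT-003", "OfficeSuite", date(2017, 11, 12)),
    Install("LT-004", "OfficeSuite", None),
    Install("WS-010", "CADTool", date(2018, 4, 1)),
    Install("LT-003", "PDFEditor", date(2018, 3, 1)),
    Install("LT-002", "FileShareClient", date(2018, 4, 3)),  # no license record
]


def reconcile(licenses, inventory, today, idle_days=90):
    """Compare installed software with purchased licenses and metering data."""
    cutoff = today - timedelta(days=idle_days)

    # title -> device -> most recent last_used; duplicate reports collapse to one install
    seen = defaultdict(dict)
    for rec in inventory:
        devices = seen[rec.title]
        prev = devices.get(rec.device)
        if rec.last_used is not None and (prev is None or rec.last_used > prev):
            devices[rec.device] = rec.last_used
        else:
            devices.setdefault(rec.device, None)

    report = {"titles": {}, "unapproved": [], "harvest": []}
    for title in sorted(set(licenses) | set(seen)):
        devices = seen.get(title, {})
        if title not in licenses:
            # Installed but never purchased: an unapproved installation.
            report["unapproved"] += [(d, title) for d in sorted(devices)]
            continue
        # Installs with no launch, or no launch since the cutoff, are harvest candidates.
        idle = sorted(d for d, used in devices.items() if used is None or used < cutoff)
        installed = len(devices)
        purchased = licenses[title]
        report["titles"][title] = {
            "purchased": purchased,
            "installed": installed,
            "shortfall": max(0, installed - purchased),
            "idle": len(idle),
            "compliant_after_harvest": installed - len(idle) <= purchased,
        }
        report["harvest"] += [(d, title) for d in idle]
    return report


if __name__ == "__main__":
    result = reconcile(LICENSES, INVENTORY, today=date(2018, 4, 5))
    for title, row in result["titles"].items():
        print(title, row)
    print("unapproved:", result["unapproved"])
    print("harvest candidates:", result["harvest"])
```
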

    Managing non-computer assets

    Information about assets that are not connected to the network can also be added to the asset database by accessing vendor, service and maintenance contracts from the website, or entered manually. IT teams can post drivers and utilities for hardware assets in the software library and reference them from the database for each product.

    System Deployment and Operating System Imaging

    Challenges of Deployment and Operating System Imaging

    As a fundamental part of any IT management system, a quick rewrite of the hard drive using imaging tools is a well-known tactic in solving various administration challenges, which will be discussed here.

    Initial setup of new computer devices or restoring bad hard drives. Image files are most often used to apply an organization's baseline OS, software and personal settings to a new or reassigned computer. Setting up a system to capture and edit master images and deploy computers is a major challenge for most IT teams.

    Migrating to a new operating system. Using imaging tools in concert with other IT management tools is the most efficient way to perform an organization-wide "forklift" upgrade when moving to new operating systems. A comprehensive deployment system lets IT engineers migrate from XP to Vista to Windows 7, or from Mac Leopard to Snow Leopard, or to one of many Linux platforms using disk images containing the new OS, new drivers and security settings and the personality settings of the previous user.

    Create reference systems or install servers using scripted installations. Building reference systems manually can require hours of time and is not an efficient use of resources. A scripted install (see description in best practices section) allows the IT engineer to automate the creation of reference systems by supplying configuration settings during the install program using an answer file with prescribed settings. Likewise, building out servers, including the bare-metal installation of the BIOS, OS, security settings and applications, requires running through the installation program rather than using direct imaging practices.

    Resetting computers for testing, training or educational labs. Imaging technologies were initially designed to reimage test beds of computer racks and reset computers back to their original state. Imaging is still the best answer for these needs.

    Recovering devices to original state. Hard drives can be imaged periodically to capture a specified state and data of a specific device. Reimaging from the saved image file can restore devices.

    Ongoing challenges for the IT team include defining practices and strategies to integrate and automate deployment processes and support imaging standards. Designing an effective disk imaging and deployment system needs to solve the following basic IT necessities as well:

    Building and authorizing master image files. Part of the process of setting up a deployment system is constraining support to a set of devices, thereby allowing IT to create master images with all drivers and specific settings.

    Building a complete deployment system. Disk imaging is only part of a larger deployment system. Also required is a thin OS such as WinPE, DOS or a Linux shell to boot up the image application not installed on the partition that is to be imaged. A deployment system also requires an image library set up at different locations, a solution for cross-platform disk imaging (for Windows, Mac and Linux), and policies to set post-imaging configuration such as a unique computer name, security ID, network settings and other distinctive configuration settings.

    Integrating with other management tools. Combine inventory, asset, software delivery and deployment tools to identify, assess, image and deploy new computers using a sequenced workflow. Consolidating tools allows the IT engineer to automate and integrate systems for a variety of IT jobs including disk imaging.

    Diagnose, repair and recover computer devices after deployment. To remediate problems throughout the life cycle of the computer device, disk imaging techniques allow the IT engineer to repair and recover a computer device to a pristine state after diagnosing major problems and recovering critical user-specific files.

    Meeting these IT challenges requires practices to integrate and automate deployment processes.


    Best Practices for Disk Imaging and Device Deployment

    Practices for disk imaging and device deployment can be as simple as imaging the hard drive from a standard image file for a new business laptop purchase or as complex as devising policies to monitor and remediate damaged blade servers using sequenced imaging and provisioning tasks.

    Basic Disk Imaging

    Disk imaging provides efficient storage, capture and deployment of computer devices, rendering the contents of a hard disk as a single image file that replicates the structure and contents of a hard disk or other storage devices. Best practices for imaging computers include imaging computers to install the operating system, set up required applications, establish device and network settings, and move data after the installation of the OS.

    Thin images allow the IT team to provide only the basic OS and approved applications required by all users in an organization. Each department then distributes their unique business software to users based on requirements for each department. Thin images significantly reduce the number and size of images for the IT team to build and maintain, increasing deployment reliability and efficiency.

    Centralized Imaging and Deployment Processes

    Disk imaging is employed by IT teams to restore hard drives, upgrade operating systems, reset computer labs and handle much of the heavy lifting for day-to-day computer deployment. Saving image files as a baseline installation of specific computer devices with all settings and drivers intact allows IT teams to restore, upgrade and deploy computer resources quickly and efficiently as part of a comprehensive, automated deployment system.


    Initial setup of reference computers is another chore for scripted installations in addition to remote installation or setup of servers. The scripted install can be used as part of an imaging and deployment system to set up an original reference computer from which to create a master image file. After the reference computer is set up and an image file generated, the file can then be edited, approved for distribution and saved to a definitive software library.

    Scripted installs require access to the install programs and standardized definition of the answer files. IT management systems that handle installing the original operating system and required service packs and editing the answer file assist in setting up server and client computers without relying on imaging practices.

    Automating Computer Deployment

    Ready-to-use images relieve the IT engineer from having to manually run through the installation programs or completely rebuild each computer device. IT engineers set up workflows that synchronize data with automated practices to make computer deployment as easy as plugging in the computer to the network and running initial deployment tasks that sequence and manage the complete installation, configuration and setup requirements.

    Automated deployment allows the IT engineer to designate an image file to automatically overwrite a computer device's hard drive by designing policies that allow the management system to boot up to an automation environment and reimage the computer at startup. This allows IT teams to configure policies with serial numbers provided by the manufacturer even before the computer device is shipped. Once the management system identifies the new computer, imaging processes and software distribution tasks can be sequenced to allow the computer to run through imaging tasks and deploy the device automatically.

    Managing Remote Sites

    Disk imaging and computer deployment for remote sites require central accessibility to image files by the IT engineer while allowing for high levels of performance to provision devices at remote sites. Because image files are usually large files containing the OS data and required applications, conveying image files across long distances from the central office requires substantial bandwidth. Best practices for managing satellite offices include the replication of the image library to remote sites, strategies to deploy new computers after receiving them from the manufacturer, and the remote capture and restoration of devices to individual users.

    The master image library and image distribution policies can be synchronized with the master software library and policies coordinated to deploy a thin image and install software from the main definitive software library. See the next chapter, Software Distribution and Management, for additional information on coordinating these administrative services.


    Software Distribution and Management

    Managing software resources employed throughout an organization (custom applications, productivity suites, development tools, virtual applications, and operating systems) presents both problems and new possibilities for the IT manager. As always, getting the right software to the right people at the right time is an ongoing challenge. Developing software distribution practices and employing tools to support these practices helps streamline and automate day-to-day software management.

    Along with daily management of software resources, new opportunities to improve efficiency should also be pursued, such as strategies to employ virtual applications and web applications, or consolidate desktops on virtual servers. To meet these ever-changing needs, management systems are required to track all types of software resources, streamline delivery, and automate management as part of a comprehensive distribution system.

    Regardless of your organization's size, market or geographical breadth, automating software management practices using the right management tools can save a great deal in costs, enabling efficiencies in organizing and distributing software packages, assigning licenses, and ensuring compliance specific to user needs and location.

    Challenges of Software Distribution and Management

    IT engineers face basic challenges in managing software resources and implementing the following common practices to organize, integrate, and automate delivery and management services.

    Distributing and managing software. Poor software management can lead to an environment of software disarray: random installations of illegal or unauthorized software, inordinate IT overhead managing different versions, and even application-borne security breaches due to rogue applications on the network or inconsistent service pack updates. Ongoing management and integrated IT management tools allow the IT engineer to control and know exactly what software is purchased, who uses it, and where it is installed.

    Eliminating software overbuying and illegal usage. Even for the most diligent organizations, failure to harvest licenses for reuse or to ensure license compliancy leads to software overbuying or illegal deployment, neither of which is a good situation. Without the right software management processes and tools in place, the IT engineer may never know the optimum number of software licenses purchased compared to the software installed. Buying too many licenses or being slapped with lawsuits for illegal usage are both costly and easily prevented.

    Supporting new devices and technologies. In addition to day-to-day software management tasks, IT teams are asked to research and plan for virtual server installations and the possibility of using virtualized applications on the desktop. In addition, IT engineers continue to receive new software requests to support a variety of new operating systems and devices such as Mac, Linux, netbooks and handheld devices.

    Reducing software costs. Executives continue to ask IT teams to reduce software purchasing and management costs, while still expecting the same level of management and innovation. Many organizations are looking to online applications and data storage solutions to reduce costs, as well as virtual software solutions that ease deployment and management. To coordinate and expedite services, organizations continue to discern the applications that need to be purchased and installed traditionally versus those capable of being delivered within a virtual container on the endpoint, or even run from a central application or online server.

    To meet demands placed on the software engineer, software distribution and management tools need to support practices already in place and provide new strategies for ongoing requirements.


    Best Practices for Software Distribution

    Intelligent software distribution using software management tools allows IT teams to decrease costs and increase services using these basic practices and strategies:

    Repackaging Software

    IT teams can build script-based policies or repackage software applications before distribution to provide ease of ongoing access, maintenance, and control updates.

    Software repackaging allows IT departments to assemble purchased or internally-developed software for distribution from the software library. IT teams repackage, test, and store software in the definitive software library for access by authorized users and departments using a centralized software library.

    For many organizations, repackaging is accomplished using MSI wrappers or similar packaging tools, while other organizations employ virtual software packages or streaming applications. Traditional software applications are wrapped in MSI packages (for Windows) before distribution to computer devices. MSI allows Windows computers to validate installation and maintain packages. Linux and Mac devices include their own packaging formats and packaging tools.

    After repackaging by the IT engineer, the software package is tested for quality and posted to a software library. The management system then queries the software catalog stored in the database to match release policies with the right software version to verify system readiness before authorizing user downloads.

    Application Virtualization

    A growing trend is to deploy virtual applications that do not install traditionally but rather install separately from the operating system and other applications. By isolating the application from the operating system, software application management is simplified for deployment, management practices, and eventual removal of the application. This avoids application conflicts and drag on the operating system. By installing and removing applications easily, organizations can install an application for a project and then remove it for someone else.

    Distributing and Installing Software

    Software delivery tools facilitate the distribution and installation of software applications, service packs, application updates, and other digital resources. Automated and targeted software distribution takes the place of time-consuming manual tasks across large or small distributed networks using remote administration.

    In addition, real-time Active Directory and LDAP integration furnishes the IT engineer with features to synchronize software deployments with the organization's employee structure. Wake-On-LAN and Intel AMT support helps to schedule computers to power on for software updates to reduce downtime and exploit energy efficiency features. All of these features can be employed to set up comprehensive distribution practices.

    Installing applications for a customized deployment specific to each organization requires the correct command line and parameters for an application. This can be accomplished using real-time application installation practices from the command line, or using application deployment best practices to significantly reduce the time required to deploy applications.

    Controlling Software Versions

    Establishing a definitive software library and distribution infrastructure allows IT teams to manage different software versions and ensure that the right package gets out to the right person or department. Authorized versions are posted to the software library and updated as new versions are provided.

    Inherent in repackaging and posting to a software library is the ability to manage versions of software applications. Administrators can handle custom installation parameters between applications, ensuring that the correct command lines and parameters are used and devoid of errors. For most IT departments, ensuring that the correct command lines and application best practices are identified for each version is vital. To be successful in tracking versions within the software library, installation instructions must be accessible in internal documents stored in the IT systems management tools, from a website, or automated as part of a software catalog.

    Dynamic Grouping for Software Distribution

    To expedite software distribution, the IT engineer must be able to select a single device or a group of devices based on configuration or characteristics: device type, model, configuration, operating system, and other features. Automated software distribution and ongoing maintenance of software applications across an organization is best handled by a system which can dynamically update groups and automate delivery. Flexibility to schedule policies for distributing software to defined groups of computer devices allows the IT engineer to install the right type of software approved for the right computers and users.


    Targeting the right computer with the right software can be easy for a single distribution task, but overwhelming for the IT engineer when managing diverse computer devices and users with varied needs. Consolidating and accessing data for each device allows the management system to create groups of computers based on, for example, model or configuration, and identify their need for software updates. Groups can be defined based on location, department, software prerequisites, operating system, hardware specifications and configuration, and other criteria.

    Managing Remote Sites and Users

    IT teams can manage geographically distributed sites or remote users by setting up a global distribution infrastructure that allows for replication of software libraries and features to minimize network traffic. For satellite offices, IT teams can set up a replicated software library to move packages closer to the user, allowing for remote management with local package access. For remote or traveling users, software portals can be set up in different locations to provide closer access or bandwidth throttling to minimize network traffic for long distance delivery.

    Supplying software to remote sites and then maintaining the distributed software has its own challenges. For many remote sites or travelling personnel, getting to and spending prolonged periods of time on a high speed connection may be a problem. For satellite offices, moving software to a local share is important because of the size of software packages and the associated strain on the network bandwidth. Each remote site has its own challenges, and requires one or more of the following strategies to ensure reliable and rapid software distribution and ongoing management.

    Set up a software portal for remote user interaction. For remote or itinerant employees, a software portal or website is required to request and pull down software when a high-bandwidth connection is available. This allows users to download applications while working from a small office, from home, or from a hotel room.

    Establish a quick delivery system. Ad hoc software distribution allows service desk technicians to safely distribute software on-the-fly for a specific user. This allows IT to handle emergency software fixes or install custom software to resolve service desk tickets. For many organizations, setting up a web portal from the software library allows for self-service access.


    Minimizing network impact. Many remote offices are on slow links that they cannot afford to have saturated due to software delivery tasks. Therefore, it is important to employ features such as bandwidth throttling, replication sharing, and checkpoint restarts to minimize network impact and schedule replication tasks to non-business hours.

    Whether an organization spans across the globe or supports employees working out of their home office, IT teams need to support remote users and offices using specific and flexible distribution practices.

    Messaging and User Interaction

    For many organizations, allowing knowledge workers and executives to defer downloading and installing software based on current activity or to contact the user before updating software is a necessary feature to minimize interference with daily activities. Before downloading and installing software pushed from the IT engineer, the user can delay deployment of software packages for a set amount of time from the target computer.

    For large application deployments or for users sensitive to system performance, furnishing the user with the ability to delay software updates until a scheduled downtime is necessary in minimizing disruptions to productivity. Equally important to this "snooze" capability is the ability of the IT engineer to notify the user of an impending delivery and allow him or her to accept or delay the software update process.

    Scheduling Distribution

    To accommodate users' work routines and schedules, the IT team plans for optimal network distribution of software as well as allowing for user interaction. Scheduling software distribution allows IT to update selected devices in times of low network bandwidth usage for large distribution jobs, or to react to Change Management events and support Incident Management and Problem Management services.


    For itinerant salespeople and remote users looking to download new versions of software, access to software downloads may require local access or a high bandwidth connection. For many users, keeping control of how and when software is delivered is essential. Many users may require the ability to delay software distribution and retain limited control of the software distribution experience.

    Economic pressures continue to drive reductions in the overall purchasing and management costs and these require new thinking in strategies to license and manage software resources. Even as organizations start to benefit from the simplifications achievable with virtual applications, leveraging a system that can control these virtualized applications and automate software management tasks (reacting to system and user changes automatically) can save significantly in both IT and software resource costs.


    Patch Management

    Vulnerability assessment and remediation of computer devices starts by enforcing patch updates to the operating system, installed software applications, and web browsers used throughout an organization. Patch management practices include prioritizing necessary updates and downloading and installing new versions of the required service packs, hot fixes, and dot releases from the software provider. The primary goal for IT teams enforcing and updating patches for diverse systems is to sort through the multitude of patches provided by the vendor and apply only relevant updates.

    Automated software patching strategies which can reliably assess and remediate network and device vulnerabilities include:

    Dynamic filtering to target the right group of computers to receive patch updates automatically.

    Running patch updates in the background using automated policies based on priority and system requirements.

    Allowing end user options to download and install patch updates based on their schedule and activities to avoid business disruptions.

    Intelligent, automated patch management enables the IT team to control system scanning schedules and remediation practices to fit their environment. Patch update practices allow the IT team to download and distribute only the patches relevant to their business needs and system configurations. Automated patching also provides features to minimize business disruptions and target the right group of computer devices for the right patch update.

    IT engineers need to control and enforce different policies for different computer groups across the organization and keep systems up to date. This is accomplished using features to filter, download, and deploy patches based on the needs of the organization in a timely and sometimes automated process. The goal for all IT teams is to deliver the right patch to the right computer devices with minimal intervention and report on the status of the remediated computer devices.

    Standardized Practices

    Standardized patching processes allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. For many, ongoing patch management strategies provide the first step in standardizing security compliance for government certification such as HIPAA and PCI in the United States, and similar regulations and security requirements in other countries. Standardized patching practices are also a requirement in meeting ITIL and COBIT services and standards.

    Not Just the Operating System

    Running operating systems without up-to-date service packs or hot fixes can leave corporate networks open to cyber attacks and other security vulnerabilities. But as organizations move beyond the operating system to employ web applications and cloud computing in their environment, patch management also resolves vulnerabilities in the web browser and other software applications that can render the network prone to security threats. Keeping computer devices updated with the correct software versions allows for a stable operating baseline as part of a proactive IT management strategy.


    Challenges of Patch Management

    The end goal for patch management is to ensure that all systems are up to date and security practices requiring software updates are enforced. The challenges in providing a comprehensive patch update system require automated processes to identify available patches for diverse devices and ensure compliance.

    Patching diverse operating systems and applications. Most IT teams are inundated with OS patches for supported operating systems (Windows, Mac, and Linux), versions of operating systems (Windows 7, Vista, XP, and server OS), as well as application patches (Microsoft, Adobe, Apple, Mozilla, and many others). IT teams sort through numerous patches offered by the vendor and deploy only those relevant to their environment.

    Managing patches for diverse users and locations. Beyond managing patches for diverse software installations, the IT team needs to address the needs of various user types. A central campus with diverse departments that incorporate engineering, sales, marketing, and quality control personnel needs to group and target patches based on shared characteristics and requirements of both users and devices, ensuring that all users receive the updates specific to their needs while enforcing compliance for overall security of the environment. Remote and itinerant users require additional care to ensure compliance while travelling or working from a home office.

    Automated patching practices. The complexity in providing patches for multiple products from multiple vendors based on critical needs and time sensitivity requires automated patching techniques. Automated patching processes require the ability to know when a service pack or hot fix is available from the software vendor and then update based on established IT policies. IT teams need to manage the complexity of accessing and providing patches based on operational constraints with policies that require minimal IT intervention.

    Updating vulnerabilities with emergency updates. IT teams must assess and deploy patches quickly to address security threats discovered by the vendor or the IT team. To address vulnerabilities in the face of new security threats, the IT team must quickly prioritize and update selected devices manually. This requires the ability to identify a security threat, access the new patch from the software vendor, and deploy it immediately using manual processes. Conversely, automated policies can be implemented based on periodic updates as they become available and without immediate IT intervention.

    Confirming patch updates and computer status through comprehensive reporting capabilities. To ensure that all patches are current and devices comply with standards, the IT team needs comprehensive and timely reporting capabilities.


    Best Practices for Patch Management

    Organizations face growing security threats of cyber attacks to the network, outsourcing of IT responsibilities, remote management of personnel, and the challenges of delving into cloud computing and future tools and technologies. Being aware of new patches, targeting devices for updates, and reporting of update status comprise the main steps required for comprehensive patch management services.

    Targeting Patch Updates for a Variety of Devices and Users

    Targeting groups of devices to receive patch updates requires the ability to download only the patches relevant to groups of computer devices for an organization's network and eliminate patches that are not applicable. In addition, the IT team needs to filter devices based on groups of computers with similar properties and update requirements. For remote users, the IT team requires an infrastructure to install patches when the user connects and enforce compliance as part of a comprehensive, global update strategy.

    Patch Detection

    Targeted patch updates allow defined groups of computer devices to have different schedules for vulnerability assessment and remediation using automated practices. Groups can be dynamically filtered based on pre-defined criteria on regular schedules to discover inconsistencies and ensure that devices receive their updates automatically with minimal, if any, IT intervention required. IT engineers can define custom policies for different populations of computer devices, such as providing weekly assessment and remediation of client computers, while assessing and remediating servers on a bi-weekly schedule.
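The dynamic grouping described for software distribution and the per-group assessment schedules described under Patch Detection can be sketched as follows. This is an added example, not code from the book or from any KACE product; the inventory, patch catalog, group names and patch IDs are constructed, and "bi-weekly" is assumed to mean every 14 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_ORDER = {"critical": 0, "important": 1, "low": 2}

@dataclass
class Device:
    name: str
    os: str
    role: str            # "client" or "server"
    department: str
    installed: dict      # product -> installed version as a tuple
    last_assessed: date

@dataclass
class Patch:
    patch_id: str        # constructed identifiers, not real advisories
    product: str
    os: str              # operating system the patch applies to, or "any"
    fixed_version: tuple
    severity: str

# Constructed inventory, as a discovery/inventory scan might report it.
INVENTORY = [
    Device("eng-lt-01", "windows", "client", "engineering",
           {"browser": (3, 5, 0), "pdf-reader": (9, 1, 0)}, date(2010, 3, 1)),
    Device("sales-lt-07", "windows", "client", "sales",
           {"browser": (3, 6, 2)}, date(2010, 3, 8)),
    Device("mkt-mac-02", "macos", "client", "marketing",
           {"browser": (3, 5, 0)}, date(2010, 3, 2)),
    Device("db-srv-01", "linux", "server", "it",
           {"database": (5, 0, 1)}, date(2010, 3, 1)),
    Device("web-srv-02", "linux", "server", "it",
           {"web-server": (2, 2, 3)}, date(2010, 2, 20)),
]

# Constructed vendor catalog; only part of it is relevant to this inventory.
CATALOG = [
    Patch("P-001", "browser", "any", (3, 6, 2), "critical"),
    Patch("P-002", "pdf-reader", "windows", (9, 3, 0), "important"),
    Patch("P-003", "web-server", "linux", (2, 2, 15), "critical"),
    Patch("P-004", "office-suite", "windows", (12, 0, 1), "low"),
    Patch("P-005", "database", "windows", (5, 1, 0), "important"),
]

# A group is a predicate over inventory data, not a stored list of names,
# so membership follows the device when its attributes change.
GROUPS = {
    "clients": lambda d: d.role == "client",
    "servers": lambda d: d.role == "server",
    "windows-sales": lambda d: d.os == "windows" and d.department == "sales",
}

# Assessment schedule per group: weekly for clients, bi-weekly for servers.
ASSESS_EVERY = {"clients": timedelta(days=7), "servers": timedelta(days=14)}

def members(group, inventory):
    """Evaluate the group's filter against the current inventory."""
    return [d for d in inventory if GROUPS[group](d)]

def applicable(device, catalog):
    """Patches for a product the device has, on its OS, that it still lacks."""
    hits = [p for p in catalog
            if p.product in device.installed
            and p.os in ("any", device.os)
            and device.installed[p.product] < p.fixed_version]
    return sorted(hits, key=lambda p: (SEVERITY_ORDER[p.severity], p.patch_id))

def relevant_patch_ids(inventory, catalog):
    """The only patches worth downloading: those some device needs."""
    return sorted({p.patch_id for d in inventory for p in applicable(d, catalog)})

def plan(inventory, catalog, today):
    """Device name -> ordered patch IDs, for devices whose group is due."""
    work = {}
    for group, interval in ASSESS_EVERY.items():
        for device in members(group, inventory):
            if today - device.last_assessed >= interval:
                ids = [p.patch_id for p in applicable(device, catalog)]
                if ids:
                    work[device.name] = ids
    return work

if __name__ == "__main__":
    print("download:", relevant_patch_ids(INVENTORY, CATALOG))
    for name, ids in plan(INVENTORY, CATALOG, date(2010, 3, 10)).items():
        print(name, "->", ids)
```
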

    Patch Deployment

    Like initial software installations, updating software with a service pack or dot release requires a comprehensive software distribution infrastructure. Designing a delivery system that identifies the right patch and deploys it based on an optimum schedule reduces bandwidth crowding for local networks and ensures that remote users with limited network access can perform the update operations. See


    Configuration Management and Scripting

    Centralized configuration management that provides IT with control over the operating system and application settings of each endpoint system is a key element of network security and compliance. Effective configuration management requires an IT management system to support policy enforcement easily across different populations of machines. Implementing these policies requires tools that allow IT teams to define configuration tasks, schedule these tasks to update configuration settings for selected computer devices, and finally to generate reports to confirm settings are in line with defined policies.

    Automated configuration management alleviates the inherent complexity of enforcing configuration policies across an organization by employing these basic procedures:

    1. Creating a library of standardized configurations and associated tasks.
    2. Developing consistent scheduling practices to deploy the configuration policies.
    3. Generating reports to validate enforcement.

    Employing configuration policies provides a standard baseline for device, registry, and network settings for all computer devices in the organization.

    For IT teams tasked with configuration management tasks, writing and running configuration policies to apply appropriate settings provides the most flexibility when configuring computer devices, and allows for extended tasking and expanded definitions when used as part of a larger policy-based workflow.

    Simplifying the use of configuration scripts is a key part of a comprehensive IT management system which shouldn't require a user to have complex scripting skills. Policy setup should allow administrators to leverage scripts and establish their own basic rules for applying policies, for example to refine search criteria based on conditions met or the definition of variables when upgrading only certain models of devices with specific properties. Configuration policies can also be written to execute multiple management tasks based on the state of the device, dependencies, and prescribed rules, and they must be able to leverage various forms of scripts where required.

    ConfigurationCapabilities

    BuildingandemployingalibraryofconfigurationpoliciesusingscriptsallowstheITteamtocustomize

    managementtasksexpresslyfortheenvironmentandstandardizethosetasksforallothersupport

    personnelandbusinessusers.Configurationpoliciesenforcestandardsettingsforoperatingsystems

    andinstalledapplications,andbysupportingbasiclogicandoptionsforscripts,canprovideflexible

    optionsindistributingsoftware,settingconfigurationvalues,andperformingothertypesof

  • 7/31/2019 The Complete Systems Management Book

    44/81

    ConfigurationManagementandScripting

    43

    managementtasks.ScriptingallowsITengineerstocustomizenetwork,hardware,anddesktopsettings

    andsupportsimplementationofconsistent,enforceableconfigurationpolicies.

    Client-sideconfigurationpoliciesscheduletasks,reacttoevents,andrundefinedscriptsandprocesses

    onthetargetdevicebasedonthresholdsettingsandexceptions.Whenrunonthetargetdevice,scripts

    canverifydevicesettings,reportsuccessfuloperations,automaticallyremediateproblems,orreportfailureofspecificcomponents.Distributionofclient-sidescriptsrequiresITmanagementpoliciesand

    toolsthatcanfilteranddistributetherightconfigurationtotherightcomputerdevice.

    Theadvantageofclient-sidescriptsistoallowmobilepersonneltorunprocessesandmanagement

    taskswithoutbeingconnectedtotheserver.Scriptlogicchecksforconfigurationsettingsandenforces

    standardsautomaticallyonthelocaldevice,andthenallowsforpolicyandscriptupdateswhenthe

    deviceisagainconnectedtothemanagementserver.

    Distribution of client-side scripts written in VBScript or JavaScript or written ad hoc using a built-in wizard allows for the configuration of network, hardware, and desktop settings, and can be used to implement new configuration policies. VM, VLAN, router, and server-side scripting using PERL, PHP, Python, JavaScript (server), and other server-side scripting languages provides even more value, opportunities, and challenges.


    Challenges of Configuration Management

    While configuration management can provide powerful benefits, implementing it through scripting can be challenging. First, IT administrators must write and test the scripts, which can require quite a bit of technical expertise if using standard scripting languages like Visual Basic. Next they must figure out a way to distribute the scripts to endpoints across the organization, including to remote sites. Finally, they must verify and report that the scripts have run correctly.

    Utilize existing third-party configuration scripts. Many IT departments retain a variety of scripts built in different scripting languages for varying purposes. Efficient configuration policies need to incorporate all types of third-party scripts and create new ones to interact with existing scripts.

    Set up configuration policies for non-programming IT administrators. For many IT administrators and technicians supporting an organization, learning and keeping up to date on scripting languages is not high on their priority list. Setting up configuration policies with an easy-to-use wizard is a necessity to allow the IT administrator to easily write effective policies and leverage scripts.

    Get the right configuration policy to the right device. Managing a library of configuration policies requires an IT management system that is able to distribute the right policy to the right device based on dynamic grouping and enforcement of configuration settings. This requires an established library of policy settings and scripts for various devices and management practices and an infrastructure to distribute these settings and scripts to client devices.

    Support ad hoc jobs and standard policies. Whether a script is a temporary fix for a specialized job or part of a standard implementation policy, the IT team needs to be able to easily write, check, and deploy the script to configure computer devices.

    Enforce configuration settings on mobile devices. Configuration settings on laptops, smartphones, and other mobile devices used by travelling and remote employees need to be configured and maintained when not connected to the management server. Enforcing configuration settings based on scheduled policies using client-side scripts is a necessity for many organizations.

    Verify effectiveness with reports and exception-based alerts. IT administrators need to close the loop and verify that the scripts they have written and deployed are working effectively. In fact, reports verifying compliance with configuration policies are often a key element of compliance with regulations such as HIPAA and PCI. The IT administrator also wants to know when events happen outside set thresholds or rules established in a policy. Displaying alerts on the dashboard of the management console based on out-of-bound events thrown by the system allows the supporting IT administrator to be aware of problems in real time.


    Best Practices for Configuration Management

    Developing a system to write, distribute, and customize configuration policies allows the IT team to maintain policies, standardize desktop and server configurations, and implement a stable IT environment.

    Employing pre-packaged configuration policies

    IT management systems usually include configuration policies that do not require manual scripting efforts, allowing the IT team to easily update configuration settings "out of the box." These policies are typically designed to implement basic configuration tasks.

    IT teams require the ability to create and enforce reliable configurations and activate pre-packaged scripts and policies for configuration and baseline standardization of all devices on the network, including registry settings, desktop settings, router rules, and option enforcers. Standard configuration settings can also be used to implement and enforce newly adopted configuration policies across the organization.

    Setting and enforcing configuration policies

    Setting configuration values and enforcing these settings through batch or individual scripts can be accomplished through one-time jobs or ongoing policies. Using dynamic policies to control configuration settings allows IT administrators to quickly and easily set up ongoing and automated enforcement as new systems are introduced or to update new scripts and software packages as they are created and made available.


    logic.

    Tokens. Replacement variables can be set up as tokens and replaced with values and logic at runtime. This allows for variable scripts to be used.

    Utilizing existing configuration scripts

    IT administrators with a library of scripts written in various scripting languages such as VBScript, JavaScript or XUL can use the IT management system to distribute these scripts. Batch scripting allows IT engineers to author and distribute batch scripts directly. Existing libraries of scripts can be set up with dependencies and accessed to run as part of other shell scripts.

    Interruption options

    Giving users the option to delay running a scheduled configuration policy when attached to the network is an important feature to avoid work disruptions. For remote users, allowing the user to interrupt deployment and actuation in order to not interrupt work allows for harmony between the user and the IT team.


    Security Audit and Enforcement

    System security is a top priority for IT organizations. Developing a comprehensive solution to protect endpoints from various types of viruses, spyware and other malicious software threats requires enforcement and continuous monitoring in order to be credible. Ensuring and enforcing security standards is critical to business continuity and a challenge as attacks become increasingly varied.

    Challenges for Security Audits and Enforcement

    Protecting the confidentiality and availability of information from malicious threats or accidental loss is a priority requirement for today's organizations, to meet both operational and legal requirements. Ensuring secure configurations and enforcing compliance typically involves several challenges.

    Applying appropriate security configurations for all devices, as well as ensuring the latest service packs and patches are applied, firewall settings are enabled for each OS, browsers have security settings, anti-virus applications are scheduled to scan, and program usage restrictions are in place.

    Enforcing secure configuration policies as the IT environment changes and evolves. This requires automation of the enforcement process. The vulnerability scanning and remediation process for discovered problems must be handled without disrupting business and normal IT usage.

    Reporting for compliance purposes. Businesses subject to compliance reporting must prove that appropriate security configurations are in place. Reporting that the systems have been successfully configured with security settings, such as those defined in US-CERT OVAL definitions, is often a requirement. Regular confirmation of continued protection as the environment changes may be required as well.

    When devices with security vulnerabilities cannot be automatically updated, the device may need to be quarantined to protect the network. Only after it has been accessed and remediated by the IT management system will the device be ready for re-introduction to the network.


    Best Practices for Security Audits and Enforcement

    Best practices for IT security involve vulnerability assessment, ongoing enforcement and auditing progress towards compliance to minimize the business risk. Automating this work saves time for the IT engineer and helps reduce security breaches and resulting lost productivity for the end user and the organization.

    Vulnerability Assessment

    The US Department of Homeland Security sponsors OVAL as an information community standard endorsed by US Computer Emergency Readiness Team (US-CERT) to promote open, publicly available security content and standardization of its transfer across security tools and services. OVAL tests can be used to scan for security vulnerabilities and are often used to augment other established or corporate security standards. Vulnerability scans can be checks on the installation of an anti-virus application, or can include numerous security metrics set to check on the OS, browser, network, anti-virus, and other security programs and configuration settings.

    Vulnerability scans should be scheduled by the IT team on a recurring basis and checked against the current list of known vulnerabilities. Scans can be targeted at groups of devices or an entire subnet. Reports from targeted computer devices should be checked against a list of vulnerability metrics to list as pass/fail results and then used by the IT team to plan and execute remediation.
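
    Checking device reports against a metric list to produce pass/fail rows and a remediation plan, as an added example (not code from the book or from an OVAL tool). The metric ids, field names, thresholds, and device reports are constructed, and treating a failure that cannot be fixed automatically as a quarantine case is an assumption drawn from the quarantine paragraph earlier in this chapter.

```python
import operator

# Constructed metric list; ids, field names and thresholds are assumptions.
METRICS = [
    {"id": "av-installed", "field": "antivirus_installed", "op": "eq",
     "expect": True, "auto_fix": True},
    {"id": "av-defs-age", "field": "av_definition_age_days", "op": "le",
     "expect": 7, "auto_fix": True},
    {"id": "fw-enabled", "field": "firewall_enabled", "op": "eq",
     "expect": True, "auto_fix": True},
    {"id": "os-supported", "field": "os_supported", "op": "eq",
     "expect": True, "auto_fix": False},
]
OPS = {"eq": operator.eq, "le": operator.le, "ge": operator.ge}


def evaluate(report, metrics=METRICS):
    """Return one pass/fail row per metric for a single device report."""
    rows = []
    for m in metrics:
        value = report.get(m["field"])
        if value is None:
            # Fail closed: a value the device did not report is never a pass.
            ok, note = False, "not reported"
        elif type(value) is not type(m["expect"]):
            # Malformed data ("yes" instead of True) is a failure, not a pass.
            ok, note = False, "unexpected type"
        else:
            ok = OPS[m["op"]](value, m["expect"])
            note = "" if ok else f"got {value!r}"
        rows.append({"metric": m["id"], "result": "pass" if ok else "fail",
                     "note": note, "auto_fix": m["auto_fix"]})
    return rows


def triage(reports, metrics=METRICS):
    """Turn per-device results into an action: none, remediate or quarantine."""
    plan = {}
    for device, report in reports.items():
        failed = [r for r in evaluate(report, metrics) if r["result"] == "fail"]
        if not failed:
            action = "none"
        elif all(r["auto_fix"] for r in failed):
            action = "remediate"
        else:
            action = "quarantine"
        plan[device] = {"action": action,
                        "failed": [r["metric"] for r in failed]}
    return plan


# Constructed reports from four devices.
REPORTS = {
    "ws-001": {"antivirus_installed": True, "av_definition_age_days": 2,
               "firewall_enabled": True, "os_supported": True},
    "ws-002": {"antivirus_installed": True, "av_definition_age_days": 21,
               "firewall_enabled": False, "os_supported": True},
    "kiosk-7": {"antivirus_installed": True, "av_definition_age_days": 1,
                "firewall_enabled": True, "os_supported": False},
    "lt-114": {"antivirus_installed": "yes", "firewall_enabled": True,
               "os_supported": True},
}

if __name__ == "__main__":
    for device, entry in triage(REPORTS).items():
        print(device, entry)
```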


    Security Enforcement Policies

    Enforcing security configuration settings for computer devices and networks can be automated using pre-built policies provided by the IT management system. IT will customize policies for a specific security setting to be automatically applied to appropriate classes of IT systems as they appear in the organization. The policy definition can also include running scans outside of business hours in order to minimize any end user impact. Security policies typically include the following:

    Enforce firewall settings policies. For example, enable port access in firewall settings to allow the IT team to provide remote desktop access and remediation requests.

    Set browser security policies. Typically, today's business users utilize a number of browsers including Microsoft Internet Explorer, Apple Safari and Mozilla Firefox, and these need the appropriate security settings to be enforced at the browser level.

    Verify anti-virus policies. Regardless of the anti-virus program implemented by the organization, the IT team needs to update the definition files and check that system scans are scheduled regularly.

    Quarantine policies. For compromised computer devices, administrators can decide to break communications between a computer and all other systems when a network security risk has been identified. The IT management system can then be used to communicate directly with the quarantined computer and resolve the security issue.

    Disallow programs. Prohibit the running of unwanted or at-risk applications.

    With the increasingly mobile workforce, security policies need to enforce settings on computers, particularly laptops, even when they are not connected to the IT management system. Security scripts can be set up to run regularly on the client devices even when offline from the management system. Security policies leveraging scripts can also be enabled using easy-to-use wizards that support conditions, multiple dependencies and multiple scripting stages in the security configuration. This allows IT engineers to easily create and enforce new security policies without having to learn a scripting language.

    To efficiently remediate problems identified, a security audit and enforcement solution typically integrates the remediation policies with the vulnerability assessment functionality. Remediation policies can include patching, applying configuration settings, and application blocking or removal. This integration improves efficiencies and makes it possible for the IT team to maintain security compliance across the organization.

    Compliance Reporting

    For security compliance purposes, IT engineers require visibility of the vulnerability and the deployment progress of security policies for all devices on the network. Compliance requires auditable reports to confirm that policies have rolled out successfully and identify where remediation operations have failed. Comprehensive compliance reports and dashboard alerts allow the IT team to complete the update process and ensure that all devices meet organizational requirements. After applying security policies, the IT team needs reports to confirm that the devices are up to date and compliant. See the chapter on reporting for additional information.

    As IT systems hold valuable information that is increasingly targeted by criminal elements, endpoint security is crucial to protecting both access to that information as well as operational business integrity. Keeping client-side systems secure in a timely manner is a challenge as new vulnerabilities are constantly reported across a broadening spectrum of operating systems and web applications. Automating security audits and enforcement with a robust, reliable systems management solution helps the IT team quickly discover vulnerabilities and remediate problems and then enforce future compliance based on establishing company security policies.


    Administration

    IT management systems should be easy to use and customize for use by both the senior IT engineers as well as newly-hired IT technicians. They should also be easy to implement and adopt by the entire IT team and end users throughout the organization. Systems management tools need to provide streamlined device monitoring and maintenance features that avoid overly-complex or incongruent feature sets, relying instead on integration of LDAP or Active Directory data, coordination of IT management tools, and built-in reporting and alert features.

    For today's IT team, efficient system management includes a centralized user interface with Web access that incorporates all administration tools and data in a single, remotely accessible user interface. The IT system integrates workflows to standardize management practices and increase the reach and effectiveness of the IT team.


    Administration Console

    IT management systems that are too complex and require too much overhead often undermine the decision to implement effective, coordinated management practices. To accomplish the myriad of tasks associated with systems management, the IT team requires simplified management tools with the power and functionality to expedite jobs and associate data for meaningful administration and monitoring of hardware and software resources.

    From the console, the IT engineer can view important information at a glance and customize views specific to the needs of the environment. Administrative alerts to the IT engineer can be implemented for notifications of device, network, and asset irregularities from a customized portal or home page. Broadcast alerts and warnings for the end user can be set up and scheduled as well. Agent deployment can be facilitated from the console to provide operational support that includes dynamic group associations, sequenced tasks, secure configuration updates, and Wake-On-LAN capabilities designed to save power and enable software updates or patches during off hours.


    Reporting

    Precise and comprehensive reporting by the IT team is vital when managing multifaceted administration tasks across an organization. Basic reporting capabilities include proof of software license compliance, notifications of elapsed asset warranties, computer inventory information, asset tracking, ticket resolution status, and regulatory audit compliance. Customized reporting for specific needs and personalized dashboard alerts are also important for effective event monitoring and real-time systems management specific to the environment.

    The ability to monitor and evaluate critical system metrics enables the IT team to take preventative actions for systems-related events and to monitor trends across the network. Using pre-configured or customized reports, IT teams can identify proper preventative measures to facilitate ongoing operations and management strategies. Automated reporting capabilities allow the IT team to avoid the errors of manual reporting and excessive waste of IT resources.


    Alerts and Messages

    Basically, two types of notifications are used by the IT engineer: broadcast messages sent to end users, and administrative alerts sent to the IT engineer by the management system. For end users, broadcast notifications and warnings of possible viruses or system updates are sent to groups of users based on criteria such as subnet location, device properties, user groups, configuration settings, or other defined criteria. Administrative alerts are designed by the IT team to notify the IT engineer of general system warnings, asset expiration dates, component malfunctions, or other system interruptions or status alerts. Administrative alerts are based on a set of parameters defined within the event harness of the IT management system.

    Administrative Alerts

    Administrative alerts notify the IT engineer of serious events concerning an organization's hardware and software resources. Alerts can be scheduled to scan for system irregularities based on defined metrics and display them as dashboard alerts to apprise the IT engineer of pending issues:

    Computer notifications. Alerts can be generated to capture computer status based on computer hardware model or manufacturer, software applications, free disk space, or the last inventory report.

    Asset notifications. Asset notifications can alert the IT engineer on license or lease expirations. Alerts can be configured to send e-mail to individuals or to automatically generate a help desk ticket.

    Broadcast Messages

    Notifying end users of events that can impact their workday can be an important aspect of effectively managing network resources. Configurable end user broadcast alerts notify users of impending outages and systems changes to ensure up-to-date system status reports. Alerts are usually policy driven and configured to be distributed to groups of users immediately or on a defined schedule or configured to expire after a set time.


    Role-based permissions

    Administration rights for each IT engineer need to conform to his or her role within the IT team. Access to sensitive network-wide operations or server access needs to be limited by the IT manager with specific administrative rights defined. Role-based privileges to perform defined IT tasks need to be coupled with permissions to group device and data objects. This allows the IT team to securely control which IT administrators have access to specified system management functionalities and to set up separate organizational groups to isolate these roles and rights.

    Assigned IT duties are most often aligned to the proximity of the IT engineer to geographic regions and business units within the organization as well as his or her expertise and experience for specific IT tasks. The IT manager needs to be able to define management domains and duties for each IT engineer based on their assigned role and required access to groups of users and computer devices as well as specified data stores.
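
    An authorization check that couples a role's privileges with the device groups an administrator may manage, as described above, written as an added example (not code from the book or from any product it describes). The role names, privilege names, device groups, and administrators are constructed; unknown roles and unknown devices are denied by default.

```python
from dataclasses import dataclass

# Constructed role table; role and privilege names are assumptions.
ROLE_PRIVILEGES = {
    "helpdesk": {"view_inventory", "remote_control"},
    "patch_admin": {"view_inventory", "deploy_patch"},
    "it_manager": {"view_inventory", "remote_control", "deploy_patch", "run_script"},
}

# Constructed device-to-group membership (for example, synced from a directory).
DEVICE_GROUPS = {
    "lt-emea-01": {"emea", "laptops"},
    "lt-emea-02": {"emea", "laptops"},
    "srv-fin-01": {"finance", "servers"},
}


@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset
    scopes: frozenset  # device groups this administrator may manage


def authorize(admin, privilege, device, audit):
    """Allow only when a role grants the privilege AND the device is in scope."""
    has_privilege = any(privilege in ROLE_PRIVILEGES.get(role, set())
                        for role in admin.roles)
    in_scope = bool(admin.scopes & DEVICE_GROUPS.get(device, set()))
    if not has_privilege:
        reason = "role lacks privilege"
    elif not in_scope:
        reason = "device outside scope"
    else:
        reason = "ok"
    allowed = has_privilege and in_scope
    # Every decision, allow or deny, is recorded for later audit.
    audit.append((admin.name, privilege, device,
                  "allow" if allowed else "deny", reason))
    return allowed


def authorize_job(admin, privilege, devices, audit):
    """A multi-device job runs only if every target is authorized."""
    # A list (not a generator) so each device gets an audit record even
    # after the first denial.
    decisions = [authorize(admin, privilege, d, audit) for d in devices]
    return all(decisions)


if __name__ == "__main__":
    log = []
    alice = Admin("alice", frozenset({"helpdesk"}), frozenset({"emea"}))
    print(authorize(alice, "remote_control", "lt-emea-01", log))
    print(authorize(alice, "remote_control", "srv-fin-01", log))
    print(log)
```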


    LDAP or Active Directory Integration

    Real-time integration of the IT management system with network directory services such as Active Directory (AD) or LDAP allows organizations to automatically import, create, and synchronize device and user group objects from the directory to the IT management system. As data is updated and changes are made to the network directory, the management system can then dynamically update new user and group information to ensure that settings stay consistent. In addition, the management system can automatically reflect any new credential updates when changes are made in the LDAP or Active Directory.


    Remote offices

    Remote site management and administration capabilities allow the IT team to effectively deploy systems at remote sites for travelling users, at-home workers, or satellite offices. Managing remote sites and personnel from a central location is vital in reducing the time and costs associated with managing remote systems and eliminates the travel requirements and manual practices previously used to deploy systems beyond the central campus.

    Remote management allows a single, centralized IT management system to stage and deploy disk images, OS installations, scripted installs, drivers, and software applications to remote sites. This can be accomplished with or without the need for dedicated IT personnel at remote locations. For multi-site organizations, a virtual infrastructure with remote transfer and update features allows for deployment operations that control timing and content of staged deployment assets. Scheduled updates and synchronization, along with bandwidth throttling, help minimize network consumption while keeping all remote sites updated.

    External drives, USB drives, or CDs can be used by remote employees to boot locally and then connect to the IT management system to access the full deployment library. Once connected to the central management system and software library, any deployment task can be executed on the targeted device. Computers without a good Internet connection can include an image file on the USB drive or save the data files to a DVD. All images, network OS installations, and other assets can be referenced from a centralized deployment library, making it much easier to ensure that outdated images or network OS installations are not accidentally deployed to managed devices.

    Today's administrator benefits greatly from a centralized administration console, can enjoy an accurate picture of the managed environment with reporting features, and can be alerted to issues as they arise. Being able to enforce role-based permissions allows the workload to be shared among an administration team without exposing potentially dangerous features to all those who participate. Integration with LDAP is key to leveraging the investment already made in the segmentation of systems through a network, and the ability to intelligently handle bandwidth issues for remote sites is critical to ensuring distant systems can be managed as easily as those down the hall. With the right tools at their disposal, administration with an integrated systems management solution can save considerable time and investment while making administrators more productive and better able to respond to (and even prevent) issues through the environment.


    Service Desk

    Keeping an organization productive is the challenge for IT help desk support technicians. Downtime of personnel or computer devices for any reason means lost productivity and lost revenue opportunities. To keep resources up and running, the help desk requires a basic system with these features:

    Incident management. Help desk technicians require an incident management system to receive and prioritize user requests, assign the ticket to the appropriate IT engineer, and track the issue to resolution. Help desk practices range from basic incident management prioritization and remediation of help desk tickets to highly structured support of ITIL incident, problem, configuration, change and release management services. Incident management requires features for tracking help desk tickets, prioritizing IT team efforts and setting up queues to resolve problems by priority and ability.

    Collaborative IT system. Integrated management tools and associated support information allow the help desk technician to access targeted inventory reports, asset information, the management history of each computer device and remote control and remediation capabilities from a consolidated management console. IT teams are most effective in resolving problems using a management system with focused reporting capabilities and integrated tools employed from the help desk.

    Sequenced and automated workflows. Integrated management systems allow IT engineers to design workflows to implement IT policies for common jobs such as setting up new users, deploying new computers, updating patches and perfo