Like it or not, consumerization is a huge challenge we have to deal with in business today. Microsoft System Center Configuration Manager 2012 promises to help with consumerization and much more. Here’s what you need to know in the context of managing your Windows environment in its entirety.
How does Configuration Manager help ensure endpoints are properly secured?
In the context of consumerization, the key words that Microsoft is touting for Configuration Manager are “compliance” and “remediation” – two core principles of reasonably protected endpoints. Configuration Manager works in conjunction with System Center Endpoint Protection 2012 (formerly known as Forefront) to balance operational and technical security.
While the focus of “endpoint” protection is on desktops and mobile devices, you can’t forget about your servers. They may be in more controlled environments but they’re still endpoints that need to be protected. The most valuable core components of the new Configuration Manager for Windows admins are Compliance and Settings Management, Software Update Management, Client Health and the ever-elusive function of security: Inventory. Whether a system is a workstation or a server, you cannot secure what you don’t acknowledge, and these components of Configuration Manager allow you to rein in the who, what and where of all your business systems.
How does Configuration Manager actually control mobile devices and how does that relate to my Windows server responsibilities?
In essence, if a device can be managed via Exchange ActiveSync (i.e. relevant devices running Android, iOS and Windows Phone) then it can be further controlled through Configuration Manager. I’ve seen ActiveSync successfully used as a mobile device management (MDM) option. Its features are more limited compared to third-party MDM products but if people and financial resources are scarce, this may be a good way to go.
If certain technologies fit your business needs then why complicate things further? The last thing you need as a server admin is for workstation technologies and related controls to distract you from your core responsibilities. I’ve seen third-party technologies promise the world but end up creating unnecessary distractions and complexities. Furthermore, consumerization extends the reach and attack surface of your server applications. You cannot reasonably manage all information risks unless and until you focus on locking down all components of the system: workstations and servers alike.
How do you know that Configuration Manager is the right product for managing your Windows environment?
Only you’ll know if it’s the right fit. You need to see it running in an environment similar to yours or, better yet, take it for a test drive. I can’t tell you how many times I’ve seen businesses invest in enterprise technologies only to find out that they’re not a good fit for their business. Before you do anything, step back and ask yourself: What’s our ultimate goal here? What are we trying to protect? Can this tool help us protect all of the endpoints that matter -- servers and workstations alike? How will this tool integrate with my existing Windows server security and management technologies?
You may be better off with more specialized Windows security and management technologies from a third-party vendor. Then again, if you’re a strictly Windows shop and you’ve already invested in some of these core Microsoft products, you may be better off staying on track with System Center Configuration Manager 2012 and its related components. Either way, with the simple up-front exercise of asking the right questions, you can save yourself a ton of headache -- and risk -- down the road.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around minimizing information risks. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.
This was first published in May 2012