Buying an HDTV is probably a lot like deciding on your change management process.
It starts out pretty much the same: You spec out the right hardware and look at all of the pixel and contrast ratios. You get the approval to purchase and, in your mind, you're done. But when you get home, you come to the stark realization that the picture is not quite as clear as it looked in the store. You tirelessly spend the next 48 hours tweaking the configuration settings to make them just right for you.
It's a similar story when you purchase a new server -- you have a mountain of configurations that need to occur. The real problem is that, more often than not, configuration changes can be the bearer of bad news because they weren't ever standardized.
The following framework should help you manage your configuration changes and maintain standardization:
Perhaps the biggest problems with configuration management are understanding the scope and what to include and what not to include. With so many available configurations and settings, most organizations find it difficult or even impossible to incorporate all of them into their change control process.
The idea here is not to take on the whole enchilada at once if you don't have to. Work with the key individuals at all levels of your organization to define the settings that should never be changed -- or at least those that shouldn't be changed without management approval. Once you have these settings, include them as part of the change management process by documenting the current value and requiring appropriate documentation and approvals before any changes are made.
Simple, right? Just don't forget to keep your configuration management process current with new technology.
Take password configurations, for example. By this point, most organizations have included the domain password policy as part of their change management process. If you want to change passwords from a minimum of six characters to nine characters, you would have to go through the formal process -- especially because any audit would quickly reveal any discrepancies.
However, in Windows Server 2008 Active Directory, you now have the ability to configure Fine-Grained Password Policies, or FGPP, which allows for the creation of multiple password policies within a single domain. Keep this in mind because you will most likely need to include it in your configuration management with a full 2008 deployment.
Organizations of all sizes struggle with maintaining consistent configurations across servers. Here, the change control process can go only so far -- it isn't likely to bridge the human error gap.
If you can't deploy those configuration standards consistently, then you are about to experience a significant breakdown -- no matter how well you document the changes and their approvals. At this point, people are really going to lose faith in your process.
Even though you are left almost completely in the dark -- or have become reliant on third parties to help -- with some configurations, like with FGPP where there isn't even a UI, don't give up hope. Windows Server 2008 does help administrators deliver a consistent configuration with the following tools:
- Server Manager Console in Windows Server 2008 allows you to assign the server to a role that comes with customized security settings. From a scripting perspective, you also have the option of using the command-line version (ServerManagerCmd.exe).
- Windows PowerShell is a powerful scripting language that can facilitate the automation of system configuration procedures, especially with IIS 7.0, Terminal Services, Microsoft Exchange Server 2007 and Microsoft Operations Manager.
- Windows Deployment Services is an updated version of Remote Installation Services that can ease the pain of having to be physically present to centralize the configuration images.
- Microsoft System Center Configuration Manager 2007 is an extremely robust application that will likely pay high dividends while making it easier to maintain consistent configurations – if you can stomach the price.
A well-defined audit to ensure operational compliance with the approved configurations will be the icing on your change control process. This doesn't have to be anything fancy. If your password length has been approved at a minimum length of eight characters, all of your domain and local policies should be set accordingly.
However, the difficulties grow in two dimensions -- with the number of servers and with the number of other items on your to-do list. The only way to be successful is with automation.
There are many ways to automate the process -- from a variety of GPO management tools to some simple ADSI or WMI commands. If you have the luxury of deploying Microsoft System Center Configuration Manager, you really need to check out Desired Configuration Management. This application allows a Windows shop to establish an approved configuration and automatically audit compliance.
As you push forward to establish the appropriate configuration settings, automate the configuration/implementation and complete the loop with the appropriate audit or monitoring of your key configurations. That will help ensure the success of your configuration management process.
About the author:
Russell Olsen is the CIO of a Healthcare Technology company and previously worked for a Big Four accounting firm performing technology risk assessments and Sarbanes-Oxley audits. Olsen is a CISA, GSN and MCP.
This was first published in July 2008