Enterprises are quickly seeing the benefits of allowing users to bring in their own devices and connect them to the network. The "bring your own device" initiative has really taken off and, in many situations, has taken Windows Server administrators a bit by surprise.
Traditionally, server engineers were tasked with securing their environment against malicious attacks, data loss, intrusion and a host of other server-based dangers. Now, administrators must also accommodate unmanaged devices and grant them access to internal resources on the network. The security-relevant point is that the workload the end user connects to, whatever the end-point device, still resides on a Windows Server, so the server remains the control point.
Adapting current Windows Server security practices
Even though we are working with a new type of endpoint, engineers are still able to secure the environment and manage it efficiently. Here are some tips and best practices for managing and securing an environment that has BYOD deployed.
Use Group Policy and Active Directory. At the server level, well-designed AD security groups go a long way in managing a BYOD environment: group membership determines which applications, desktops and workloads are delivered to each user. With Group Policy, administrators can also push the appropriate access client to managed end-points, which keeps the client software consistent so users can connect to the environment seamlessly. Bear in mind that Group Policy reaches only domain-joined machines; a personal device that is not joined to the domain gets its client some other way, and the GPO work applies to the servers and session hosts it connects to. Proper GPOs and AD security groups are the first step in effective BYOD management.
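The following PowerShell is an added example and is not code from the article or its author. It creates the gating security group, adds members, links a client-deployment GPO to an OU and uses security filtering so the GPO applies only to that group. The domain, OU, group and GPO names, and the user accounts alice and bob, are placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example (not from the original article). Assumed names: domain contoso.com,
# OU "OU=BYOD,DC=contoso,DC=com", group "BYOD-Users", GPO "BYOD-Client", users alice/bob.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou        = 'OU=BYOD,DC=contoso,DC=com'   # assumed OU that holds the BYOD session hosts/users
$groupName = 'BYOD-Users'                  # assumed group name
$gpoName   = 'BYOD-Client'                 # assumed GPO name

# 1. One security group represents "may reach internal workloads from a personal device".
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou `
        -Description 'Users permitted to reach internal workloads from personal devices'
}

# 2. Membership is the only thing that should change day to day; keep it explicit and reviewable.
Add-ADGroupMember -Identity $groupName -Members 'alice', 'bob'

# 3. GPO that installs/configures the remote-access client, linked once to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: drop the default "Authenticated Users" apply right down to read
#    (computers still need read to process the GPO), and grant apply only to the BYOD group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify who can actually apply the policy.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Keeping Authenticated Users at GpoRead rather than removing it entirely matters: since the MS16-072 change, the computer account reads user policy, and a GPO with no read right for the computer silently stops applying.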
Carefully monitor permissions. Folder mapping and redirection may occur when users log in to their environment, and BYOD users may still require a set of folders. Remember, this environment is centrally managed, so no data actually lives on the end-point; even so, proper folder and share management is very important. By monitoring and managing existing folder permissions, users accessing the central network from their own devices are less likely to make a mistake or accidentally delete a share.
Use Access Control Lists. Access control is the process of authorizing users, groups and computers to access objects on the network using permissions, user rights and object auditing. ACLs can very quickly become the best friend of a server administrator managing a BYOD environment. Remember the Windows Server 2008 defaults on the root of the system drive: everyone, the Guest account included, can read and execute files there; only authenticated users can create new files and folders, and when they do they receive Modify permission on what they created. Check those defaults on every folder you expose to BYOD users, because ACLs used wisely can truly help lock down access coming in from BYOD hardware.
Additionally, Server 2008 gives administrators and developers good tools for working with and managing end-point users. The file system namespace changed significantly between Windows Server 2003 and Windows Server 2008. User profiles now live under C:\Users, and the folders formerly found under C:\Documents and Settings\<Username>\ moved with them. This separates a user's documents from application data: rather than storing everything in My Documents, developers can create their own folders under the user's profile (AppData\Roaming for data that should follow the user, AppData\Local for data that should not). Application data shared by all users now lives in the hidden folder %SystemDrive%\ProgramData (exposed as %ProgramData%) instead of Documents and Settings\All Users\Application Data. These folders can be further managed with permissions and control settings, which helps protect a user profile from accidental deletion or unnecessary modification.
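The three points above (watching share permissions, reviewing ACLs and knowing where profile and ProgramData folders live) come together in an audit. The following PowerShell is an added example, not code from the article: it walks a list of folder roots and reports every Allow entry that grants write-class rights to a broad principal such as Everyone, Authenticated Users or Domain Users. The share paths under D:\Shares are assumptions; replace them with your own roots.

```powershell
# Added example (not from the original article): find broad write grants on folders BYOD
# users touch. Paths under D:\Shares are assumed; C:\Users and ProgramData are real defaults.
$paths = @('C:\Users', $env:ProgramData, 'D:\Shares\Home', 'D:\Shares\Projects')

# Rights that let a mistaken or malicious user delete or replace other people's data.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write)

# Principals that effectively mean "anyone who can reach the server".
$wideTrustees = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                  'NT AUTHORITY\ANONYMOUS LOGON', 'Guest', "$env:COMPUTERNAME\Guest")

function Find-BroadWriteAccess {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Audit the root plus its immediate children (share root and per-user/per-project folders).
        $targets = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue)
        foreach ($dir in $targets) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                $trustee = $ace.IdentityReference.Value
                $isWide  = ($wideTrustees -contains $trustee) -or ($trustee -like '*\Domain Users')
                $writes  = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and $isWide -and $writes) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Trustee   = $trustee
                        Rights    = $ace.FileSystemRights
                        AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Find-BroadWriteAccess -Paths $paths | Sort-Object Path, Trustee | Format-Table -AutoSize
```

Expect the system-drive defaults described above to show up (Authenticated Users with create/modify rights scoped to subfolders); the findings that matter are the same grants on share roots and redirected-folder parents, where one user's mistake can take out another user's data. Remediation is an explicit per-user or per-group ACE on each child folder and a root ACL that allows only listing and creating a folder.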
Updates and management. In a virtualized environment it is always important to keep servers updated and patched. There are many ways to do this: WSUS, third-party software, provisioning services and golden images. Keeping Windows Server patched prevents a BYOD connection from becoming the route to an exploitable hole. Even though users are on their own devices, they are still accessing a centralized data set housed on Windows Servers, and those servers must be kept updated and backed up.
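A quick way to check whether the servers behind a BYOD deployment are actually current is to compare the last installed hotfix against a freshness threshold and, on the local machine, ask the Windows Update Agent what is still pending. The PowerShell below is an added example, not from the article; the server names SRV-FILES01 and SRV-APP01 are placeholders, and the pending-update query reaches the configured update source (WSUS or Windows Update), so it needs network access and may take a while.

```powershell
# Added example (not from the original article). Server names are assumptions.
function Get-PatchStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$MaxAgeDays = 30          # anything older than this is flagged as stale
    )
    foreach ($c in $ComputerName) {
        # Installed hotfixes (WMI Win32_QuickFixEngineering). InstalledOn can be null on some entries.
        $hotfixes = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
                    Where-Object { $_.InstalledOn }
        $last = ($hotfixes | Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn

        # Pending updates via the Windows Update Agent COM API. This works for the local host;
        # for remote hosts run it inside Invoke-Command or read the WSUS compliance report.
        $pending = $null
        if ($c -eq $env:COMPUTERNAME) {
            $session  = New-Object -ComObject Microsoft.Update.Session
            $searcher = $session.CreateUpdateSearcher()
            $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
            $pending  = $result.Updates.Count
        }

        [pscustomobject]@{
            Computer      = $c
            HotfixCount   = @($hotfixes).Count
            LastInstalled = $last
            PendingCount  = $pending
            Stale         = (-not $last) -or ($last -lt (Get-Date).AddDays(-$MaxAgeDays))
        }
    }
}

Get-PatchStatus -ComputerName $env:COMPUTERNAME, 'SRV-FILES01', 'SRV-APP01' |
    Format-Table -AutoSize
```

A host that returns no hotfixes at all is reported as stale rather than ignored, since an unreachable or mis-inventoried server is exactly the one that tends to be unpatched.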
Image control. Many administrators virtualize their Windows Servers and keep a master golden image with a snapshot. They can then clone that image, apply patches and updates to the clone in a test environment and run it against an isolated copy of the server to catch incompatibilities before the update reaches production. Even in production, if a patch fails or causes a management problem, a server administrator can simply roll back to the last working version of the Windows environment.
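The snapshot, patch, verify, roll back loop described above looks like this on a Hyper-V host. This PowerShell is an added example rather than the article's own procedure; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later), a test guest named SRV-APP01-TEST reachable at srv-app01-test.contoso.com, and that the patch step itself is driven from inside the guest. The health check here is a single TCP port test standing in for whatever validates your application.

```powershell
# Added example (not from the original article). VM name, host name and port are assumptions.
$vm   = 'SRV-APP01-TEST'
$fqdn = 'srv-app01-test.contoso.com'
$port = 443
$cp   = "pre-patch-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# 1. Checkpoint before touching anything, so rollback is a single command.
Checkpoint-VM -Name $vm -SnapshotName $cp

# 2. Apply updates inside the guest here (WSUS approval, manual install, etc.) and let it reboot.
#    ... patch step omitted; it is whatever your update mechanism does ...

# 3. Verify: wait for the guest to answer on its application port.
$healthy = $false
foreach ($attempt in 1..10) {
    if (Test-NetConnection -ComputerName $fqdn -Port $port -InformationLevel Quiet) {
        $healthy = $true; break
    }
    Start-Sleep -Seconds 30
}

# 4. Roll back on failure, otherwise merge the checkpoint so it does not linger.
if (-not $healthy) {
    Restore-VMSnapshot -VMName $vm -Name $cp -Confirm:$false
    Start-VM -Name $vm
    Write-Warning "$vm failed its health check after patching; restored to checkpoint $cp"
} else {
    Remove-VMSnapshot -VMName $vm -Name $cp
    Write-Output "$vm patched and healthy; checkpoint $cp merged"
}
```

Two caveats a practitioner will want: a checkpoint is not a backup, so long-lived checkpoints should be merged once validated, and a domain controller must never be rolled back this way on hypervisors without VM-Generation ID support, because restoring an older snapshot causes USN rollback and silently breaks replication.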
End-point access and management. Keep Windows Servers behind a firewall or access gateway unless direct exposure is required by an application or web service. In a BYOD environment users can access their workload from any location, on any device and at any time, so create a connection policy that admits only approved device types running the latest client. This level of management helps plug security holes and improves the computing experience. Always monitor who is connected to the server and which resources are being used. This applies to both physical and virtual servers: improper load balancing degrades a Windows Server environment, and resource allocation goes hand in hand with server-side BYOD management. Throughout the day, administrators need to watch resource usage across the environment and on specific servers; by isolating bottlenecks early, engineers can resolve issues before users are affected.
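Two concrete pieces of the above are scriptable on the server itself: scoping the inbound RDP rule so that only the access gateway can reach it, and enumerating who is connected right now. The PowerShell below is an added example, not from the article. The gateway address 10.0.5.10 is an assumption, as is the rule name, which is "Remote Desktop (TCP-In)" on Server 2008 R2 and "Remote Desktop - User Mode (TCP-In)" on Server 2012 and later. netsh advfirewall is used for the firewall change because it is present on Server 2008 R2, which predates the NetSecurity cmdlets.

```powershell
# Added example (not from the original article). Gateway IP and rule name are assumptions.
$gatewayIp = '10.0.5.10'                    # assumed address of the remote-access gateway
$rdpRule   = 'Remote Desktop (TCP-In)'      # 2008 R2 name; 2012+: 'Remote Desktop - User Mode (TCP-In)'

# Only the gateway may open TCP 3389; everything else inbound is blocked by policy.
netsh advfirewall firewall set rule name="$rdpRule" new remoteip=$gatewayIp
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

function Get-ConnectedUsers {
    # Parse 'query user' (quser) into objects. Columns: USERNAME SESSIONNAME ID STATE IDLE LOGON TIME.
    $lines = (query user 2>$null) | Select-Object -Skip 1
    foreach ($l in $lines) {
        if (-not $l.Trim()) { continue }
        $f = ($l.Trim() -replace '^>', '') -split '\s{2,}'
        # Disconnected sessions have no SESSIONNAME column, which shifts the fields left.
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        [pscustomobject]@{
            User    = $f[0]
            Session = $f[1]
            Id      = $f[2]
            State   = $f[3]
            Idle    = $f[4]
            Logon   = $f[5]
        }
    }
}

# Who is on the box, and which sessions have been idle long enough to reclaim.
$sessions = Get-ConnectedUsers
$sessions | Format-Table -AutoSize
$sessions | Where-Object { $_.State -eq 'Disc' -or $_.Idle -match '^\d+:\d+$' } |
    ForEach-Object { Write-Warning "Session $($_.Id) for $($_.User) is $($_.State) (idle $($_.Idle))" }
```

Device-type and client-version gating ("only managed device classes with the current client") is a gateway-side policy (NPS/NAP or the remote-access gateway's own rules), not something the session host enforces; what the host can do is refuse to talk to anything except that gateway, which is what the firewall change above does. On Server 2012 and later, Get-SmbSession adds the same view for file shares.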
Every environment is unique, so managing a BYOD initiative will depend on the server infrastructure. However, with proactive planning and a well-patched and updated Windows Server environment, administrators can deliver a powerful end-point option using their existing server tools.
ABOUT THE AUTHOR
Bill Kleyman, MBA, MISM, is an avid technologist with experience in network infrastructure management. His engineering work includes large virtualization deployments as well as business network design and implementation. Currently, he is a Virtualization Solutions Architect at MTM Technologies.
This was first published in December 2011
Enterprise Server Strategies for the CIO