7/31/2019 The Complete Systems Management Book
1/81
The Complete Systems Management eBook
2010 KACE Networks. All rights reserved.
The Complete Systems Management Book
An introduction to integrated and automated IT system management.
[Cover figure: KACE K1000 Management Appliances and KACE K2000 Deployment Appliances. Labels: Power Management, Configuration Management, OS Imaging, Network OS Install, Centralized Deployment Library, User State Migration, Recovery, Security & Patching, Discovery & Inventory, Asset Management, Software Distribution, Remote Control, Service Desk.]

Table of Contents

Introduction to IT Systems Management
Device Discovery and Computer Inventory
Asset Management and Software Compliance
System Deployment and Operating System Imaging
Software Distribution and Management
Patch Management
Configuration Management and Scripting
Security Audit and Enforcement
Administration
Service Desk
Recovery and Repair
Evaluation Criteria

Introduction to IT Systems Management

IT systems management includes the personnel, processes, and software tools utilized to deploy, track,
update, and secure hardware and software resources across an organization. Building an efficient
management system requires unifying all of these IT resources to coordinate IT efforts, streamline tasks
into cohesive workflows, and automate administration services.

A good systems management strategy optimizes IT team efficiency and effectiveness by (1) identifying
the basic user services to be provided by the IT team, (2) defining processes to provide these services,
and (3) employing management tools with policies to streamline and automate the defined processes.

IT management tools are employed by the IT team to coordinate management tasks such as inventory
collection and reporting, software delivery, patch updates, and disk imaging, plus security enforcement
and other administrative tasks. Handling these routine, repetitive management tasks using coordinated
policies and tools supported by a consolidated management system allows the IT team to focus on more
pressing and strategic issues.

Challenges Confronting IT Teams

Pressures to "do more with less" are universal for IT departments, with expectations from management
to continue current support standards. At the same time, new responsibilities emerge for the IT
engineer:

- Support for a higher ratio of at-home and remote employees and contractors,
- Adapting to operating systems and devices for business users,
- Leveraging server and client virtualization technologies.

As the IT professional, you need to juggle current challenges while keeping abreast of future
possibilities.

Ongoing Administration Tasks

Regardless of size, mission, or market, each organization's IT team hears the same daily problems like a
rising chorus of discontent: Salesmen accuse the IT engineer of slowing down innovation and revenue
opportunities to meet obscure corporate security regulations. Development engineers claim to need
special access to the Internet cloud but will not budge in supporting a VM or rogue network policy.
Finally, as always, users just want what they want when they want it. The cacophony of voices and
demands directed at the IT team is relentless and at times blurs into background chatter.

But there is hope in meeting all IT challenges by implementing a centralized, collaborative IT
management system. A centralized management system optimizes IT resources and establishes
repeatable processes to reduce IT costs, meet ongoing daily challenges, and serve as a foundation for
implementing new practices and tools for the future.

Identifying Basic Management Practices

Systems management strategies differ based on varying vertical markets and business opportunities, but
in general the following basic practices are required to implement a baseline IT management system:

- Device discovery and computer inventory. Discover and identify computer resources and configuration.
- Asset management and software compliance. Track hardware and software usage.
- System deployment and operating system imaging. Deploy computers using disk imaging or scripted installs.
- Software distribution and management. Make software available to the right personnel.
- Patch management. Distribute OS and application updates.
- Configuration management and scripting. Update network and system setting policies.
- Security audit and enforcement. Verify appropriate security is enforced in an environment.
- Administration. View alerts and generate in-depth reports.
- Service desk. Manage tickets and establish workflows.
- Recovery and repair. Access and repair computer devices remotely.
- Evaluation criteria. Purchasing the right system.

Each organization needs to evaluate its specific needs in providing and implementing core IT
management services. Whatever the size, challenges and opportunities of a company or organization,
there are always risks involved when updating a system and forecasting a return on investment. In
general, the IT team needs to define the level of services in supporting an organization and design a
management system that employs tools that conform to its specific needs.

Finding the Right IT Management System

Basic IT management systems need to conform to an organization's current support practices while
allowing for growth. Matching management practices for an organization with the right management
tools can be perplexing without a few guidelines.

Incomplete Point Solutions

Whether you are a director of IT supporting 10,000 nodes for a bio-agricultural conglomerate or the lead
IT engineer managing a distributed law group, you most likely struggle to unify your IT strategy and
consolidate all of the disparate management tools. Many organizations rely on single-task point
solutions designed for a specific job, such as separate software management, asset tracking, or disk
imaging products. These disparate tools and isolated processes ultimately lead to increased costs and
wasted resources. Mixing multiple management tools leads to overlapping processes, remote data
stores, and the need for additional personnel to train and use all of these dissimilar tools.

Gathering inventory and asset information without associating data and then using it to implement
software delivery tasks, imaging jobs, or help desk assistance, or using it to perform security audit checks
precludes any type of automation or interaction of services. Furthermore, without a first step toward
consolidated systems management, there will not be a second step toward event-driven remediation,
reactive configuration, or cost-reducing virtual software deployments.

System Overkill

While too little attention to building a comprehensive management system eventually inhibits
productivity and affects bottom-line profits, so can immersing too deeply in an IT management system
that is too complex and costly for your needs.

Many IT management systems try to bridge the gap between large enterprise customizations and
small-medium business needs. But straddling both markets is difficult, and it also leads to inordinate
customization requirements and large implementation bills to set up, train, and maintain each phase of
a contract. In many cases, the initial purchase price of setting up an enterprise-level management
system is the least expensive part. Ongoing and aftermarket costs may be prohibitive given the business
requirements.

Between too little investment and too much investment in IT system management, there is middle
ground. The answer is a simple, efficient, integrated system that takes care of the basics, requires little
time to get up and running, and is simple to use, train, and implement.

Choosing a Simple and Unified IT Management System

A collaborative IT management system that is easy to implement and employ is the foundation of any
IT strategy. Unlike point solutions, a unified system associates data from a common database and allows
tools to interact as sequenced workflows. Unlike complex enterprise systems requiring excessive setup
and configuration costs, a collaborative and straightforward IT management system furnishes the IT
team with easy installation, an easy-to-navigate console, and easily accessible features.

Good IT systems management combines and balances IT personnel, processes, and tools for each
environment. Balancing these three ingredients requires an evaluation of the goals established for the IT
team and the practices required to meet your unique challenges.

IT Services

IT services discussed in detail in these chapters include:

- Device Discovery and Computer Inventory
- Asset Management and Software Compliance
- System Deployment and Operating System Imaging
- Software Distribution and Management
- Patch Management
- Configuration Management and Scripting
- Security Audit and Enforcement
- Administration
- Service Desk
- Recovery and Repair
- Evaluation Criteria

Device Discovery and Computer Inventory

Discovery of hardware devices across the organization and taking an inventory of the hardware
properties and installed software is a critical job for any IT engineer. Determining what computer
resources exist on the network, how the devices are configured, and how to effectively use this
information is a fundamental requirement in generating corporate audit reports and the day-to-day
monitoring of resources. Accessible and associated device data gathered and organized as baseline
information is also a necessity before venturing into any level of automated IT management services.

Running a periodic, in-depth inventory of devices provides updated information that should be stored in
the database, allowing for the easy generation of custom audit reports and real-time dashboard views to
monitor device status. But beyond basic reporting features, collecting and associating device inventory
data also allows for standard configuration sets with common characteristics. Establishing standard
groups with common characteristics and support needs reduces reactive, one-off support tasks from the
service desk, and provides for effective grouping when designing automated system management
policies.

Challenges of Device Discovery and Inventory Management

What computer devices am I supporting? What state are they in? How do I best collect, organize, and
use this inventory information? These are but a few of the most pressing questions for the IT manager.

Identifying hardware and software resources across the organization. Basic discovery of devices and
periodic inventory scans provide a clear view of the digital assets and their characteristics for the IT
engineer. A complete inventory is needed to understand what is required in order to proactively plan
and implement a supportable inventory management process.

Managing groups of devices based on characteristics, configuration, and other common properties.
Instead of piecemeal administration of devices, the IT engineer needs to design policies and run tasks for
groups of computers with the same configuration. Identifying and grouping device types based on
criteria such as manufacturer, operating systems, installed software, device location, department and
configuration settings allows the IT team to build policies and support one-to-many administration
tactics.

Gathering inventory data from remote sites and users. The current workforce for many organizations is
geographically distributed and reliant on contractors or at-home workers, as well as support for satellite
offices or travelling users. Today's IT engineer must be able to gather inventory for all devices and
installed software regardless of location or travel schedule.

Generating reports. The IT manager also answers to his or her executive, and like all managers needs to
account for resource expenditures while optimizing resources. This requires pre-configured or custom
reporting features to meet standard and ad hoc reporting needs across the organization.

To meet these IT challenges to discover and inventory computer devices, the IT team designs processes
and practices to implement basic inventory services.

Best Practices for Inventory Management

Inventory management requires discovering devices, running an inventory to gather and store device
data, and associating data to standardize configuration sets and rationalize content. Best practices
include both agentless discovery features and agent-based communication between the client device
and managing server. Additional best practices define regular, frequent polling periods to update
inventory data and set up queries to generate required reports and displays.

A complete inventory management system includes several basic practices, as follows.

Device discovery and agentless inventory

Discovery of computer devices on the network using basic SNMP calls or ICMP pings without an agent
installed allows the IT engineer to identify computer devices on the network to (1) install an agent for
full management support, or (2) to use agentless protocols to track computer devices, printers, routers
and firewalls where installing agents is not practical or possible. Agentless scans across the network
identify and catalog all connected network devices using SNMP or IP address scans and open port data
on the network for each device. Discovering devices on the network requires the ability to access and
synchronize device and user data from the network directory (AD or LDAP), or to scan across the
network with agentless searches using pings or SNMP and other standard open protocols.

- Network directory integration. Real-time integration with directory services such as LDAP and
  Active Directory (AD) allows organizations to access data dynamically through their directory
  services for the creation and management of device and user groups, as well as set up user
  authentication. Updating device data from the directory services allows organizations to quickly
  set up management groups and define users. As directories change, groups will dynamically
  update and automatically respond to any new credentials for user authentication when changes
  are made in LDAP or AD.
- ICMP pings. Internet Control Message Protocol (ICMP) is a core protocol in the Internet Protocol
  Suite. It is primarily employed by operating systems to send error messages indicating that a
  requested service is not available or that a computer device cannot be found. Basic ICMP
  discovery across defined IP address ranges allows the management system to receive ICMP
  echo response replies to discover individual devices without an installed agent.
- SNMP. Simple Network Management Protocol, or SNMP, is a component of the Internet Protocol
  Suite (commonly known as TCP/IP) and includes standards for network management
  tools to describe and report a system configuration. SNMP exposes management data on the
  managed systems and describes the system configuration.

For organizations that can utilize the rich content and management tactics inherent in agent-based
inventory features, discovery of devices also allows the IT engineer to efficiently deploy the
management agent.

Agent-based inventory for hardware and software

Managed computer devices with an installed agent communicate at scheduled intervals with a
management server that saves device information to a database, capturing a rich and current data set
for each device. This allows for reliable reporting and filtering to generate dynamic collections of
devices. Server-to-agent communication allows for updates of configuration settings, an up-to-date list
of installed software applications, and the ability to capture significant device attributes as defined by
the IT team.

Once the agent is installed, the IT management system can run a more detailed hardware and software
inventory to access and view information for each device. Data can be associated with other services to
sync with asset information in associating discovered devices with their warranty information, and to
generate an email when that warranty expires.

| Gathered data from agent | Description |
| --- | --- |
| Configuration settings | Capture network, device, BIOS settings. |
| Operating system status | Identify installed patches, memory usage, personal settings. |
| Hardware models and attachments | Report vendor, model numbers, RAM, components. |
| Network configuration | View and modify IP address, LANs, VLANs, routers. |
| Installed software applications | List installed software applications and settings. |

An agent-based inventory allows you to capture all information required for reports and integrated
workflows with other management components.

Automated Policies

Gathering inventory data is only the first step in setting up a comprehensive agent-based inventory
system. With rich inventory data collected and stored in a common IT management database, the
management system can then use the device data for ongoing IT tasks.

For example, when deploying a laptop for the first time, vendor serial numbers or service tags can be
entered in the system. When the device logs into the network, the device is recognized and inventory
data captured and compared to ensure system requirements are met for delivery of authorized software
or to synchronize licenses. Listing and comparing device inventory data with asset information lets the IT
team sync up the device with hardware warranty information for asset tracking.

Based on configuration sets defined by device characteristics, IT engineers can design automated
policies to deploy software based on a specific model or application to a certain business unit. Dynamic
groups can be filtered to patch an operating system based on service pack, or assess security software
and settings. Based on established policies, the hardware and software inventory data can be updated
each time the agent connects to proactively remediate any flagged issues based on configuration
settings and other selected characteristics.

Dynamic Groups

After capturing an inventory of hardware configuration values, the next step is typically to set up filters
that create collections or groups of devices based on hardware types, installed software, or
organizational unit for reporting and advancing management operations. This allows the IT team to
quickly identify the hardware and software status and schedule jobs such as software delivery and patch
updates. Filtering out properties based on operating systems, physical location, or even available disk
space allows you to set policies directed specifically at the correct devices.

Groups can be created using a filter based on criteria of any identified computer properties, including:

- organizational unit set in the directory
- location of the device
- type of operating system
- hardware specs and add-ons
- software installed
- custom fields to allow flexible grouping

By using established groups such as operating system type, device type, or organizational units, IT
teams can quickly push out patches or distribute required software to the right departments. To create
unique groups, a filtering system is required to associate devices based on data sets in the database.
On-the-fly groups may be based on disk space unused values, OS type, vendor, or warranty information.
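
An added example, not part of the original book or of any KACE product: dynamic groups modeled as saved filter rules that are re-evaluated against inventory records, so membership changes when an agent check-in updates a device. The field names, operators and sample devices are assumptions constructed for illustration.

```python
"""Dynamic groups as saved filters over inventory records (illustrative)."""
import operator
from dataclasses import dataclass

# Comparison operators a filter rule may use.
OPS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "lt": operator.lt,
    "ge": operator.ge,
    "contains": lambda have, want: want in have,
}


@dataclass(frozen=True)
class Rule:
    attr: str      # inventory field name, e.g. "os" (hypothetical schema)
    op: str        # key into OPS
    value: object  # value to compare against

    def matches(self, device: dict) -> bool:
        # Agentless devices often report few fields; a missing field must
        # not match, otherwise sparse records leak into policy groups.
        if self.attr not in device:
            return False
        return OPS[self.op](device[self.attr], self.value)


@dataclass
class DynamicGroup:
    name: str
    rules: list  # every rule must match (logical AND)

    def members(self, inventory: list) -> list:
        return sorted(
            d["name"] for d in inventory
            if all(rule.matches(d) for rule in self.rules)
        )


def apply_checkin(inventory: list, name: str, updates: dict) -> None:
    """Merge the fields reported by an agent check-in into the stored record."""
    for device in inventory:
        if device["name"] == name:
            device.update(updates)
            return
    inventory.append({"name": name, **updates})  # first check-in: new record


def sample_inventory() -> list:
    # Constructed sample data, not taken from any real environment.
    return [
        {"name": "LAB-01", "os": "Windows XP", "service_pack": 2,
         "ou": "Engineering", "free_disk_gb": 12, "software": ["Office Suite"]},
        {"name": "LAB-02", "os": "Windows XP", "service_pack": 3,
         "ou": "Engineering", "free_disk_gb": 40,
         "software": ["Office Suite", "CAD Suite"]},
        {"name": "SALES-07", "os": "Windows 7", "service_pack": 0,
         "ou": "Sales", "free_disk_gb": 3, "software": ["Office Suite"]},
        {"name": "PRN-01", "type": "printer"},  # agentless, sparse record
    ]


# Saved filters: patch targeting by service pack, low disk space, and an
# organizational unit combined with installed software.
XP_BELOW_SP3 = DynamicGroup("XP below SP3", [
    Rule("os", "eq", "Windows XP"), Rule("service_pack", "lt", 3)])
LOW_DISK = DynamicGroup("Low disk", [Rule("free_disk_gb", "lt", 5)])
ENG_CAD = DynamicGroup("Engineering CAD users", [
    Rule("ou", "eq", "Engineering"), Rule("software", "contains", "CAD Suite")])

if __name__ == "__main__":
    inv = sample_inventory()
    print("before patch:", XP_BELOW_SP3.members(inv))
    apply_checkin(inv, "LAB-01", {"service_pack": 3})  # agent reports new SP
    print("after patch: ", XP_BELOW_SP3.members(inv))
```

Because membership is computed from the stored record at query time, a patched device drops out of the patch-target group on its next check-in without anyone editing the group.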

Reporting

Inventory information gathered from each computer device on the network provides the baseline data
used to populate the IT system management database. From this database, any type of inventory, audit
(such as Sarbanes-Oxley), or custom report can be generated. The IT management tool should offer
commonly used pre-configured reports and an easy-to-use interface for creating custom reports from
any tables in the database.

With a common database populated with up-to-date device and configuration data, inventory
management tools can generate reports through a web page or highlight an event that displays as an
alert on a real-time dashboard view. Complete reporting of historical information, details such as
registry entries, files, service pack status, or any other data captured can also be displayed. Software
reporting examples include operating system status, installed applications, registry entries, and patch
status.

Captured inventory data must be placed into meaningful reports. The ability to quickly generate
information for management based on various criteria is a necessary feature of any good management
system. The required custom reporting features allow IT teams to calculate and display data as needed.
The reporting tools must be easily customizable with wizards, and provide the option for native standard
SQL searches to ensure full access to the reporting data for power users and 3rd party SQL reporting
tools. Finally, reporting features in the IT management system typically provide web interfaces to view
the inventory information and results of wizard-based reports.

Asset Management and Software Compliance

Tracking all hardware and software assets across an organization is best accomplished using the
collaborative data capabilities of a relational database and an integrated asset management system.
Collaborative asset management includes tracking each product's associated software licenses,
warranties, audit trails, configurations, contracts, assignments and service history. Successful asset
management automates the repetitive accounting duties of asset tracking and furnishes the IT team
with administration workflows that give actionable information for ongoing deployment, configuration
and purchasing decisions.

Capturing asset data provides baseline information about every resource in the environment and allows
IT managers to save costs and streamline resources using consolidated and centralized asset
management practices. A collaborative IT management system handles ongoing reporting and
configuration management services, but also populates the database for use with other services. In
addition to basic product tracking and audit reporting, asset management tools capture and associate
data to generate targeted reports and employ integrated workflows by working with inventory,
software distribution, help desk and other system management services.

Challenges of Asset Management

IT teams track and report all computer assets as well as non-computer products for the organization.
The team ensures license compliance, tracks service and user history of each asset, and associates asset
data with other systems and management solutions, as well as some other basic tasks, covered here.

Track computer and non-computer assets. Throughout the lifecycle of an asset, the IT engineer needs
processes and tools to formally track products and generate reports for audit and management needs.

Verify software compliance. Software is an asset that requires tracking and the ability to install on
various computers for different needs, including increasingly popular virtual applications, while ensuring
licenses meet actual installations.

Reconcile assets. IT teams need to reconcile what is on the balance sheet with what is actually in
physical inventory. This requires features to document license compliance and gain insight into asset
disposition and ownership.

Notify when a warranty will soon elapse. Link warranty information with an email policy that will send
an alert about computer status and options to upgrade policies or products.

Track software usage. How often software is used and when it is used can lead to better purchasing
contracts at minimum, or be used to reconcile licenses for deploying virtual installations for specific
projects.

View asset history. Actions and modifications to an asset as well as attachments and installed software
can be saved to a common database for custom audit reports, troubleshooting assistance, or for viewing
warranty or service information.

Import data from other systems. IT teams very often need to import data from other databases,
spreadsheets or legacy point solutions. Thereafter, systems for purchasing, shipping and receiving and
human resource interaction can be established.

To meet these IT challenges to discover and inventory computer devices, the IT team designs processes
and practices to implement basic asset management services.

Asset Management Best Practices

Successful asset management and software compliance includes the following best practices.

Creating new asset records and assigning to users

Creating asset records in an IT management system falls under two main categories: (1) Establishing an
ongoing asset tracking workflow for adding new assets using automated device discovery, barcode
scanning, vendor data or simple input; and (2) migrating asset data from legacy applications,
independent databases or simple Excel spreadsheets to the new Configuration Management Database
(CMDB). Assigning assets to the respective personnel numbers and integrating with HR records or
downloading asset warranty information from the vendor is also handled.

Incorporating asset management practices requires a system that is flexible enough to create or modify
asset templates and to support additional field types that associate the asset with its attachments,
installed software applications, and create other meaningful associations.

Assigning users to the asset upon receiving the asset operation allows the IT team to identify the
resource and create a record to associate with ongoing inventory and software delivery workflows.

Creating new asset types

Successful asset management strategies require flexible creation of new asset types to meet each
organization's unique inventory of assets. The IT management system should provide pre-configured
asset templates for standard hardware and software resources, licenses and organizational elements, as
well as features to easily create new asset types or modify existing asset templates. New or modified
asset types can be linked to any other asset type and support a comprehensive list of field types to
define attachments, installed software and other asset properties. Above all, adding and modifying asset
types should be easy to use and customizable to meet each organization's unique asset management
and compliance needs.

Asset tracking and history

Basic asset management should include a full audit trail of all asset changes, including software
upgrades and hardware attachment, and driver and configuration changes throughout the product's
lifecycle. This allows for better asset management control and accountability.

Viewing the asset history allows the help desk to troubleshoot problems and make decisions to repair or
replace the asset. Department managers can evaluate the life of the warranty and prioritize purchases
based on value of the asset and status, and balance budget and productivity requirements.

Verifying software compliance

Ensuring that installed software applications comply with the IT team's reckoning of the number of
purchased licenses requires an interaction between inventory management tasks (and its resulting data
saved to the database) and asset management tasks. By comparing recent inventory data with asset
data that references licensing, warranty and specification information, IT managers can sign off on
compliance reports, harvest licenses, reduce volume licenses and discover unapproved software
installations.

Tracking software compliance must be automated and invisible. Behind the scenes, asset management
can define groups based on an installed application version and monitor the number of licenses
installed, even as new versions become available. Automated asset management and reporting features
allow for comprehensive management of software license agreements for upgrades. This information
can be valuable when negotiating ongoing volume software purchases.

Metering software usage

Metering software usage allows IT teams to identify what software is used across the organization
compared to what is actually installed. Reporting on genuine usage allows for licenses to be reassigned,
harvested for future users, or retired completely. This practice can significantly reduce
software-licensing costs.

Metering software usage data can include a count of application launches, total minutes used or when
the application was last used. Automated software alerts and email can be set and synched to a contract
expiration and subsequent renewal if warranted.
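
An added example, not from the original book or any KACE product: the license reconciliation and usage metering described above, run as SQL reports over a small in-memory inventory database. The table layout, software titles, dates and the 90-day idle threshold are assumptions constructed for illustration.

```python
"""License compliance and metering reports over inventory data (illustrative)."""
import sqlite3
from datetime import date, timedelta


def build_db() -> sqlite3.Connection:
    # Hypothetical schema: one row per installed copy found by inventory,
    # one row per title with the number of purchased licenses.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE installed (device TEXT, title TEXT, last_used TEXT);
        CREATE TABLE licenses  (title TEXT PRIMARY KEY, purchased INTEGER);
    """)
    # Constructed sample data; last_used is an ISO date, NULL = never launched.
    db.executemany("INSERT INTO installed VALUES (?, ?, ?)", [
        ("PC-01", "DiagramTool", "2010-06-15"),
        ("PC-02", "DiagramTool", "2010-01-10"),
        ("PC-03", "DiagramTool", None),
        ("PC-01", "PlannerTool", "2010-06-20"),
        ("PC-02", "PlannerTool", "2010-06-01"),
        ("PC-03", "PlannerTool", "2010-05-05"),
        ("PC-04", "UnlistedApp", "2010-06-29"),
    ])
    db.executemany("INSERT INTO licenses VALUES (?, ?)", [
        ("DiagramTool", 5),
        ("PlannerTool", 2),
    ])
    return db


def compliance_report(db: sqlite3.Connection) -> dict:
    """Map title -> (installs, purchased, status) from inventory vs. licenses."""
    rows = db.execute("""
        SELECT i.title, COUNT(*) AS installs, MAX(l.purchased) AS purchased
        FROM installed AS i
        LEFT JOIN licenses AS l ON l.title = i.title
        GROUP BY i.title
        ORDER BY i.title
    """).fetchall()
    report = {}
    for title, installs, purchased in rows:
        if purchased is None:
            status = "unapproved"       # installed, but no license record exists
        elif installs > purchased:
            status = "over-deployed"    # more copies installed than purchased
        else:
            status = "compliant"
        report[title] = (installs, purchased, status)
    return report


def harvest_candidates(db: sqlite3.Connection, today: date,
                       idle_days: int = 90) -> list:
    """Licensed installs never launched or idle longer than idle_days."""
    cutoff = (today - timedelta(days=idle_days)).isoformat()
    # ISO dates compare correctly as strings, so a plain '<' is enough.
    return db.execute("""
        SELECT i.device, i.title
        FROM installed AS i
        JOIN licenses AS l ON l.title = i.title
        WHERE i.last_used IS NULL OR i.last_used < ?
        ORDER BY i.title, i.device
    """, (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for title, row in compliance_report(db).items():
        print(title, row)
    print("harvest:", harvest_candidates(db, date(2010, 6, 30)))
```

The unapproved row is the one a security audit cares about most: software present in inventory with no matching license or approval record.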

Managing non-computer assets

Information about assets that are not connected to the network can also be added to the asset database
by accessing vendor, service and maintenance contracts from the website, or entered manually. IT
teams can post drivers and utilities for hardware assets in the software library and reference them from
the database for each product.

System Deployment and Operating System Imaging

Challenges of Deployment and Operating System Imaging

As a fundamental part of any IT management system, a quick rewrite of the hard drive using imaging
tools is a well-known tactic in solving various administration challenges, which will be discussed here.

- Initial setup of new computer devices or restoring bad hard drives. Image files are most often used
  to set up devices with an organization's baseline OS, software and personal settings to a new or
  reassigned computer. Setting up a system to capture and edit master images and deploy
  computers is a major challenge for most IT teams.
- Migrating to a new operating system. Imaging tools used in concert with other IT management
  tools are the most efficient way to perform an organization-wide "forklift" upgrade when moving
  to new operating systems. A comprehensive deployment system lets IT engineers migrate from
  XP to Vista to Windows 7, or from Mac Leopard to Snow Leopard, or to one of many Linux
  platforms using disk images containing the new OS, new drivers and security settings and the
  personality settings of the previous user.
- Create reference systems or install servers using scripted installations. Building reference systems
  manually can require hours of time and is not an efficient use of resources. A scripted install
  (see description in best practices section) allows the IT engineer to automate the creation of
  reference systems by supplying configuration settings during the install program using an
  answer file with prescribed settings. Likewise, building out servers, including the bare-metal
  installation of the BIOS, OS, security settings and applications, requires running through the
  installation program rather than using direct imaging practices.
- Resetting computers for testing, training or educational labs. Imaging technologies were initially
  designed to reimage test beds of computer racks and reset computers back to their original
  state. Imaging is still the best answer for these needs.
- Recovering devices to original state. Hard drives can be imaged periodically to capture a specified
  state and data of a specific device. Reimaging from the saved image file can restore devices.

Ongoing challenges for the IT team include defining practices and strategies to integrate and automate
deployment processes and support imaging standards. Designing an effective disk imaging and
deployment system needs to solve the following basic IT necessities as well:

- Building and authorizing master image files. Part of the process of setting up a deployment system
  is constraining support to a set of devices, thereby allowing IT to create master images with all
  drivers and specific settings.
- Building a complete deployment system. Disk imaging is only part of a larger deployment system. Also
  required is a thin OS such as WinPE, DOS or a Linux shell to boot up the image application not
  installed on the partition that is to be imaged. A deployment system also requires an image
  library set up at different locations, a solution for cross-platform disk imaging (for Windows, Mac
  and Linux), and policies to set post-imaging configuration such as a unique computer name,
  security ID, network settings and other distinctive configuration settings.
- Integrating with other management tools. Combine inventory, asset, software delivery and
  deployment tools to identify, assess, image and deploy new computers using a sequenced
  workflow. Consolidating tools allows the IT engineer to automate and integrate systems for a
  variety of IT jobs including disk imaging.
- Diagnose, repair and recover computer devices after deployment. To remediate problems
  throughout the lifecycle of the computer device, disk imaging techniques allow the IT engineer
  to repair and recover a computer device to a pristine state after diagnosing major problems and
  recovering critical user-specific files.

Meeting these IT challenges requires practices to integrate and automate deployment processes.

Best Practices for Disk Imaging and Device Deployment

Practices for disk imaging and device deployment can be as simple as imaging the hard drive of a
standard image file for a new business laptop purchase or as complex as devising policies to monitor
and remediate damaged blade servers using sequenced imaging and provisioning tasks.

Basic Disk Imaging

Disk imaging provides efficient storage, capture and deployment of computer devices, rendering the
contents of a hard disk as a single image file that replicates the structure and contents of a hard disk or
other storage devices. Best practices for imaging computers include imaging computers to install the
operating system, set up required applications, establish device and network settings, and move data
after the installation of the OS.

Thin images allow the IT team to provide only the basic OS and approved applications required by all
users in an organization. Each department then distributes their unique business software to users
based on requirements for each department. Thin images significantly reduce the number and size of
images for the IT team to build and maintain, increasing deployment reliability and efficiency.

Centralized Imaging and Deployment Processes

Disk imaging is employed by IT teams to restore hard drives, upgrade operating systems, reset computer
labs and handle much of the heavy lifting for day-to-day computer deployment. Saving image files as a
baseline installation of specific computer devices with all settings and drivers intact allows IT teams to
restore, upgrade and deploy computer resources quickly and efficiently as part of a comprehensive,
automated deployment system.
Initial setup of reference computers is another chore for scripted installations in addition to remote installation or setup of servers. The scripted install can be used as part of an imaging and deployment system to set up an original reference computer from which to create a master image file. After the reference computer is set up and an image file generated, the file can then be edited, approved for distribution and saved to a definitive software library.

Scripted installs require access to the install programs and a standardized definition of the answer files. IT management systems that handle installation of the original operating system and required service packs, and the editing of the answer file, assist in setting up server and client computers without relying on imaging practices.

Automating Computer Deployment

Ready-to-use images relieve the IT engineer from having to manually run through the installation programs or completely rebuild each computer device. IT engineers set up workflows that synchronize data with automated practices to make computer deployment as easy as plugging in the computer to the network and running initial deployment tasks that sequence and manage the complete installation, configuration and setup requirements.

Automated deployment allows the IT engineer to designate an image file to automatically overwrite a computer device's hard drive by designing policies that allow the management system to boot up to an automation environment and reimage the computer at startup. This allows IT teams to configure policies with serial numbers provided by the manufacturer even before the computer device is shipped. Once the management system identifies the new computer, imaging processes and software distribution tasks can be sequenced to allow the computer to run through imaging tasks and deploy the device automatically.

Managing Remote Sites

Disk imaging and computer deployment for remote sites require central accessibility to image files by the IT engineer while allowing for high levels of performance to provision devices at remote sites. Because image files are usually large files containing the OS data and required applications, conveying
image files across long distances from the central office requires substantial bandwidth. Best practices for managing satellite offices include the replication of the image library to remote sites, strategies to deploy new computers after receiving them from the manufacturer, and the remote capture and restoration of devices to individual users.

The master image library and image distribution policies can be synchronized with the master software library, and policies coordinated to install a thin image and then install software from the main definitive software library. See the next chapter, Software Distribution and Management, for additional information on coordinating these administrative services.
Software Distribution and Management

Managing software resources employed throughout an organization (custom applications, productivity suites, development tools, virtual applications, and operating systems) presents both problems and new possibilities for the IT manager. As always, getting the right software to the right people at the right time is an ongoing challenge. Developing software distribution practices and employing tools to support these practices helps streamline and automate day-to-day software management.

Along with daily management of software resources, new opportunities to improve efficiency should also be pursued, such as strategies to employ virtual applications and web applications, or consolidate desktops on virtual servers. To meet these ever-changing needs, management systems are required to track all types of software resources, streamline delivery, and automate management as part of a comprehensive distribution system.

Regardless of your organization's size, market or geographical breadth, automating software management practices using the right management tools can save a great deal in costs, enabling efficiencies in organizing and distributing software packages, assigning licenses, and ensuring compliance specific to user needs and location.

Challenges of Software Distribution and Management

IT engineers face basic challenges in managing software resources and implementing the following common practices to organize, integrate, and automate delivery and management services.

Distributing and managing software. Poor software management can lead to an environment of software disarray: random installations of illegal or unauthorized software, inordinate IT overhead managing different versions, and even application-borne security breaches due to rogue applications on the network or inconsistent service pack updates. Ongoing management and integrated IT management tools allow the IT engineer to control and know exactly what software is purchased, who uses it, and where it is installed.

Eliminating software overbuying and illegal usage. Even for the most diligent organizations, failure to harvest licenses for reuse or to ensure license compliance leads to software overbuying or illegal deployment, neither of which is a good situation. Without the right software management processes and tools in place, the IT engineer may never know the optimum number of software licenses purchased compared to the software installed. Buying too many licenses or being slapped with lawsuits for illegal usage are both costly and easily prevented.

Supporting new devices and technologies. In addition to day-to-day software management tasks, IT teams are asked to research and plan for virtual server installations and the possibility of using virtualized applications on the desktop. In addition, IT engineers continue to receive new software requests to support a variety of new operating systems and devices such as Mac, Linux, netbooks and handheld devices.
Reducing software costs. Executives continue to ask IT teams to reduce software purchasing and management costs, while still expecting the same level of management and innovation. Many organizations are looking to online applications and data storage solutions to reduce costs, as well as virtual software solutions that ease deployment and management. To coordinate and expedite services, organizations continue to discern the applications that need to be purchased and installed traditionally versus those capable of being delivered within a virtual container on the endpoint, or even run from a central application or online server.

To meet demands placed on the software engineer, software distribution and management tools need to support practices already in place and provide new strategies for ongoing requirements.
Best Practices for Software Distribution

Intelligent software distribution using software management tools allows IT teams to decrease costs and increase services using these basic practices and strategies:

Repackaging Software

IT teams can build script-based policies or repackage software applications before distribution to provide ease of ongoing access, maintenance, and control updates.

Software repackaging allows IT departments to assemble purchased or internally-developed software for distribution from the software library. IT teams repackage, test, and store software in the definitive software library for access by authorized users and departments using a centralized software library.

For many organizations, repackaging is accomplished using MSI wrappers or similar packaging tools, while other organizations employ virtual software packages or streaming applications. Traditional software applications are wrapped in MSI packages (for Windows) before distribution to computer devices. MSI allows Windows computers to validate installation and maintain packages. Linux and Mac devices include their own packaging formats and packaging tools.

After repackaging by the IT engineer, the software package is tested for quality and posted to a software library. The management system then queries the software catalog stored in the database to match release policies with the right software version to verify system readiness before authorizing user downloads.

Application Virtualization

A growing trend is to deploy virtual applications that do not install traditionally but rather install separately from the operating system and other applications. By isolating the application from the operating system, software application management is simplified for deployment, management practices, and eventual removal of the application. This avoids application conflicts and drag on the
operating system. By installing and removing applications easily, organizations can install an application for a project and then remove it for someone else.

Distributing and Installing Software

Software delivery tools facilitate the distribution and installation of software applications, service packs, application updates, and other digital resources. Automated and targeted software distribution takes the place of time-consuming manual tasks across large or small distributed networks using remote administration.

In addition, real-time Active Directory and LDAP integration furnishes the IT engineer with features to synchronize software deployments with the organization's employee structure. Wake-On-LAN and Intel AMT support helps to schedule computers to power on for software updates to reduce downtime and exploit energy efficiency features. All of these features can be employed to set up comprehensive distribution practices.

Installing applications for a customized deployment specific to each organization requires the correct command line and parameters for an application. This can be accomplished using real-time application installation practices from the command line, or using application deployment best practices to significantly reduce the time required to deploy applications.

Controlling Software Versions

Establishing a definitive software library and distribution infrastructure allows IT teams to manage different software versions and ensure that the right package gets out to the right person or department. Authorized versions are posted to the software library and updated as new versions are provided.

Inherent in repackaging and posting to a software library is the ability to manage versions of software applications. Administrators can handle custom installation parameters between applications, ensuring that the correct command lines and parameters are used and devoid of errors. For most IT departments, ensuring that the correct command lines and application best practices are identified for each version is vital. To be successful in tracking versions within the software library, installation instructions must be accessible in internal documents stored in the IT systems management tools, from a website, or automated as part of a software catalog.

Dynamic Grouping for Software Distribution

To expedite software distribution, the IT engineer must be able to select a single device or a group of devices based on configuration or characteristics: device type, model, configuration, operating system, and other features. Automated software distribution and ongoing maintenance of software applications across an organization is best handled by a system which can dynamically update groups and automate delivery. Flexibility to schedule policies for distributing software to defined groups of computer devices allows the IT engineer to install the right type of software approved for the right computers and users.
Targeting the right computer with the right software can be easy for a single distribution task, but overwhelming for the IT engineer when managing diverse computer devices and users with varied needs. Consolidating and accessing data for each device allows the management system to create groups of computers based on, for example, model or configuration, and identify their need for software updates. Groups can be defined based on location, department, software prerequisites, operating system, hardware specifications and configuration, and other criteria.

Managing Remote Sites and Users

IT teams can manage geographically distributed sites or remote users by setting up a global distribution infrastructure that allows for replication of software libraries and features to minimize network traffic. For satellite offices, IT teams can set up a replicated software library to move packages closer to the user, allowing for remote management with local package access. For remote or traveling users, software portals can be set up in different locations to provide closer access or bandwidth throttling to minimize network traffic for long distance delivery.

Supplying software to remote sites and then maintaining the distributed software has its own challenges. For many remote sites or travelling personnel, getting to and spending prolonged periods of time on a high speed connection may be a problem. For satellite offices, moving software to a local share is important because of the size of software packages and the associated strain on the network bandwidth. Each remote site has its own challenges, and requires one or more of the following strategies to ensure reliable and rapid software distribution and ongoing management.

Set up a software portal for remote user interaction. For remote or itinerant employees, a software portal or website is required to request and pull down software when a high-bandwidth connection is available. This allows users to download applications while working from a small office, from home, or from a hotel room.

Establish a quick delivery system. Ad hoc software distribution allows service desk technicians to safely distribute software on-the-fly for a specific user. This allows IT to handle emergency software fixes or install custom software to resolve service desk tickets. For many organizations, setting up a web portal from the software library allows for self-service access.
Minimizing network impact. Many remote offices are on slow links that they cannot afford to have saturated due to software delivery tasks. Therefore, it is important to employ features such as bandwidth throttling, replication sharing, and checkpoint restarts to minimize network impact and schedule replication tasks to non-business hours.

Whether an organization spans across the globe or supports employees working out of their home office, IT teams need to support remote users and offices using specific and flexible distribution practices.

Messaging and User Interaction

For many organizations, allowing knowledge workers and executives to defer downloading and installing software based on current activity or to contact the user before updating software is a necessary feature to minimize interference with daily activities. Before downloading and installing software pushed from the IT engineer, the user can delay deployment of software packages for a set amount of time from the target computer.

For large application deployments or for users sensitive to system performance, furnishing the user with the ability to delay software updates until a scheduled downtime is necessary in minimizing disruptions to productivity. Equally important to this "snooze" capability is the ability of the IT engineer to notify the user of an impending delivery and allow him or her to accept or delay the software update process.

Scheduling Distribution

To accommodate users' work routines and schedules, the IT team plans for optimal network distribution of software as well as allowing for user interaction. Scheduling software distribution allows IT to update selected devices in times of low network bandwidth usage for large distribution jobs, or to react to Change Management events and support Incident Management and Problem Management services.
For itinerant salespeople and remote users looking to download new versions of software, access to software downloads may require local access or a high bandwidth connection. For many users, keeping control of how and when software is delivered is essential. Many users may require the ability to delay software distribution and retain limited control of the software distribution experience.

Economic pressures continue to drive reductions in the overall purchasing and management costs, and these require new thinking in strategies to license and manage software resources. Even as organizations start to benefit from the simplifications achievable with virtual applications, leveraging a system that can control these virtualized applications and automate software management tasks, reacting to system and user changes automatically, can save significantly in both IT and software resource costs.
Patch Management

Vulnerability assessment and remediation of computer devices starts by enforcing patch updates to the operating system, installed software applications, and web browsers used throughout an organization. Patch management practices include prioritizing necessary updates and downloading and installing new versions of the required service packs, hotfixes, and dot releases from the software provider. For IT teams enforcing and updating patches for diverse systems, the primary goal is sorting through a multitude of patches provided by the vendor and applying only relevant updates.

Automated software patching strategies which can reliably assess and remediate network and device vulnerabilities include:

Dynamic filtering to target the right group of computers to receive patch updates automatically.

Running patch updates in the background using automated policies based on priority and system requirements.

Allowing end user options to download and install patch updates based on their schedule and activities to avoid business disruptions.

Intelligent, automated patch management enables the IT team to control system scanning schedules and remediation practices to fit their environment. Patch update practices allow the IT team to download and distribute only the patches relevant to their business needs and system configurations. Automated patching also provides features to minimize business disruptions and target the right group of computer devices for the right patch update.

IT engineers need to control and enforce different policies for different computer groups across the organization and keep systems up to date. This is accomplished using features to filter, download, and deploy patches based on the needs of the organization in a timely and sometimes automated process. The goal for all IT teams is to deliver the right patch to the right computer devices with minimal intervention and report on the status of the remediated computer devices.

Standardized Practices

Standardized patching processes allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system
status on a weekly or bi-weekly schedule. For many, ongoing patch management strategies provide the first step in standardizing security compliance for government certification such as HIPAA and PCI in the United States, and similar regulations and security requirements in other countries. Standardized patching practices are also a requirement in meeting ITIL and COBIT services and standards.

Not Just the Operating System

Running operating systems without up-to-date service packs or hotfixes can leave corporate networks open to cyber attacks and other security vulnerabilities. But as organizations move beyond the operating system to employ web applications and cloud computing in their environment, patch management also resolves vulnerabilities in the web browser and other software applications that can render the network prone to security threats. Keeping computer devices updated with the correct software versions allows for a stable operating baseline as part of a proactive IT management strategy.
Challenges of Patch Management

The end goal for patch management is to ensure that all systems are up to date and security practices requiring software updates are enforced. The challenges in providing a comprehensive patch update system require automated processes to identify available patches for diverse devices and ensure compliance.

Patching diverse operating systems and applications. Most IT teams are inundated with OS patches for supported operating systems (Windows, Mac, and Linux), versions of operating systems (Windows 7, Vista, XP, and server OS), as well as application patches (Microsoft, Adobe, Apple, Mozilla, and many others). IT teams sort through numerous patches offered by the vendor and deploy only those relevant to their environment.

Managing patches for diverse users and locations. Beyond managing patches for diverse software installations, the IT team needs to address the needs of various user types. A central campus with diverse departments that incorporate engineering, sales, marketing, and quality control personnel needs to group and target patches based on shared characteristics and requirements of both users and devices, ensuring that all users receive the updates specific to their needs while enforcing compliance for overall security of the environment. Remote and itinerant users require additional care to ensure compliance while travelling or working from a home office.

Automated patching practices. The complexity in providing patches for multiple products from multiple vendors based on critical needs and time sensitivity requires automated patching techniques. Automated patching processes require the ability to know when a service pack or hotfix is available from the software vendor and then update based on established IT policies. IT teams need to manage the complexity of accessing and providing patches based on operational constraints with policies that require minimal IT intervention.

Updating vulnerabilities with emergency updates. IT teams must assess and deploy patches quickly to address security threats discovered by the vendor or the IT team. To address vulnerabilities in the face of new security threats, the IT team must quickly prioritize and update selected devices manually to enforce protection against them. This requires the ability to identify a security threat, access the new patch from the software vendor, and deploy it immediately using manual processes. Conversely, automated policies can be implemented based on periodic updates as they become available and without immediate IT intervention.

Confirming patch updates and computer status through comprehensive reporting capabilities. To ensure that all patches are current and devices comply with standards, the IT team needs comprehensive and timely reporting capabilities.
Best Practices for Patch Management

Organizations face growing security threats of cyber attacks to the network, outsourcing of IT responsibilities, remote management of personnel, and the challenges of delving into cloud computing and future tools and technologies. Being aware of new patches, targeting devices for updates, and reporting of update status comprise the main steps required for comprehensive patch management services.

Targeting Patch Updates for a Variety of Devices and Users

Targeting groups of devices to receive patch updates requires the ability to download only the patches relevant to groups of computer devices for an organization's network and eliminate patches that are not applicable. In addition, the IT team needs to filter devices based on groups of computers with similar properties and update requirements. For remote users, the IT team requires an infrastructure to install patches when the user connects and enforce compliance as part of a comprehensive, global update strategy.

Patch Detection

Targeted patch updates allow defined groups of computer devices to have different schedules for vulnerability assessment and remediation using automated practices. Groups can be dynamically filtered based on pre-defined criteria on regular schedules to discover inconsistencies and ensure that devices receive their updates automatically with minimal, if any, IT intervention required. IT engineers can define custom policies for different populations of computer devices, such as providing weekly assessment and remediation of client computers, while assessing and remediating servers on a bi-weekly schedule.
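The targeting and detection steps described above can be sketched as follows. This is an added example, not code from the book or from any KACE product; the inventory records, patch IDs, product names and field names are constructed placeholders, and version strings are assumed to be dotted integers.

```python
from datetime import date

# Dynamic groups: a filter over inventory attributes plus an assessment
# interval in days (weekly for clients, bi-weekly for servers, as in the text).
GROUPS = {
    "clients": (lambda d: d["role"] == "client", 7),
    "servers": (lambda d: d["role"] == "server", 14),
}

# Constructed patch catalog; IDs, products and versions are placeholders.
CATALOG = [
    {"id": "PATCH-001", "product": "browser", "os": None, "fixed_in": "3.5.10", "severity": "critical"},
    {"id": "PATCH-002", "product": "pdf-reader", "os": "windows", "fixed_in": "9.2.0", "severity": "important"},
    {"id": "PATCH-003", "product": "db-server", "os": "linux", "fixed_in": "5.1.4", "severity": "critical"},
    {"id": "PATCH-004", "product": "cad-suite", "os": "windows", "fixed_in": "12.0.1", "severity": "low"},
]

# Constructed inventory records, as an inventory agent might report them.
INVENTORY = [
    {"name": "lt-sales-01", "role": "client", "os": "windows", "last_scan": date(2010, 3, 1),
     "software": {"browser": "3.5.9", "pdf-reader": "9.1.0"}},
    {"name": "ws-eng-07", "role": "client", "os": "mac", "last_scan": date(2010, 3, 6),
     "software": {"browser": "3.5.2"}},
    {"name": "srv-db-01", "role": "server", "os": "linux", "last_scan": date(2010, 2, 20),
     "software": {"db-server": "5.1.3", "browser": "3.5.10"}},
    {"name": "srv-web-02", "role": "server", "os": "linux", "last_scan": date(2010, 3, 1),
     "software": {"db-server": "5.0.9"}},
    {"name": "kiosk-03", "role": "kiosk", "os": "windows", "last_scan": date(2010, 1, 5),
     "software": {"browser": "3.0.1"}},
]

SEVERITY_ORDER = {"critical": 0, "important": 1, "low": 2}


def parse_version(text):
    """Turn '3.5.10' into (3, 5, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def is_older(installed, fixed_in):
    """True if the installed version predates the patched one ('3.5' == '3.5.0')."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def group_of(device):
    """Return the first dynamic group whose filter matches, else None."""
    for name, (matches, _interval) in GROUPS.items():
        if matches(device):
            return name
    return None


def applicable_patches(device, catalog):
    """IDs of patches for installed products on this OS, most severe first."""
    hits = []
    for patch in catalog:
        installed = device["software"].get(patch["product"])
        if installed is None or patch["os"] not in (None, device["os"]):
            continue
        if is_older(installed, patch["fixed_in"]):
            hits.append(patch)
    hits.sort(key=lambda p: (SEVERITY_ORDER[p["severity"]], p["id"]))
    return [p["id"] for p in hits]


def plan(inventory, catalog, today):
    """Decide which devices are due, what each needs, and what to download."""
    result = {"deploy": {}, "download": set(), "not_due": [], "ungrouped": []}
    for device in inventory:
        group = group_of(device)
        if group is None:
            # Matches no group, so no schedule would ever assess it.
            result["ungrouped"].append(device["name"])
            continue
        if (today - device["last_scan"]).days < GROUPS[group][1]:
            result["not_due"].append(device["name"])
            continue
        patches = applicable_patches(device, catalog)
        result["deploy"][device["name"]] = patches
        result["download"].update(patches)
    return result


if __name__ == "__main__":
    for key, value in plan(INVENTORY, CATALOG, date(2010, 3, 8)).items():
        print(key, value)
```

The `ungrouped` list is the part worth reporting on: a device that matches no dynamic group is never assessed, however good the schedules for the other groups are.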
Patch Deployment

Like initial software installations, updating software with a service pack or dot release requires a comprehensive software distribution infrastructure. Designing a delivery system that identifies the right patch and deploys it based on an optimum schedule reduces bandwidth crowding for local networks and ensures that remote users with limited network access can perform the update operations. See
Configuration Management and Scripting

Centralized configuration management that provides IT with control over the operating system and application settings of each endpoint system is a key element of network security and compliance. Effective configuration management requires an IT management system to support policy enforcement easily across different populations of machines. Implementing these policies requires tools that allow IT teams to define configuration tasks, schedule these tasks to update configuration settings for selected computer devices, and finally to generate reports to confirm settings are in line with defined policies.

Automated configuration management alleviates the inherent complexity of enforcing configuration policies across an organization by employing these basic procedures:

1. Creating a library of standardized configurations and associated tasks.
2. Developing consistent scheduling practices to deploy the configuration policies.
3. Generating reports to validate enforcement.

Employing configuration policies provides a standard baseline for device, registry, and network settings for all computer devices in the organization.

For IT teams tasked with configuration management tasks, writing and running configuration policies to apply appropriate settings provides the most flexibility when configuring computer devices, and allows for extended tasking and expanded definitions when used as part of a larger policy-based workflow.

Simplifying the use of configuration scripts is a key part of a comprehensive IT management system, which shouldn't require a user to have complex scripting skills. Policy setup should allow administrators to leverage scripts and establish their own basic rules for applying policies, for example to refine search criteria based on conditions met or the definition of variables when upgrading only certain models of devices with specific properties. Configuration policies can also be written to execute multiple management tasks based on the state of the device, dependencies, and prescribed rules, and they must be able to leverage various forms of scripts where required.

Configuration Capabilities

Building and employing a library of configuration policies using scripts allows the IT team to customize management tasks expressly for the environment and standardize those tasks for all other support personnel and business users. Configuration policies enforce standard settings for operating systems and installed applications, and by supporting basic logic and options for scripts, can provide flexible options in distributing software, setting configuration values, and performing other types of
management tasks. Scripting allows IT engineers to customize network, hardware, and desktop settings and supports implementation of consistent, enforceable configuration policies.

Client-side configuration policies schedule tasks, react to events, and run defined scripts and processes on the target device based on threshold settings and exceptions. When run on the target device, scripts can verify device settings, report successful operations, automatically remediate problems, or report failure of specific components. Distribution of client-side scripts requires IT management policies and tools that can filter and distribute the right configuration to the right computer device.

The advantage of client-side scripts is to allow mobile personnel to run processes and management tasks without being connected to the server. Script logic checks for configuration settings and enforces standards automatically on the local device, and then allows for policy and script updates when the device is again connected to the management server.
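A minimal sketch of the client-side loop described above: verify each setting, remediate where the policy allows, and hold the report until the management server is reachable. This is an added example, not the book's or any product's code; the setting names, the `LocalDevice` stand-in for the endpoint's settings store, and the `Outbox` class are hypothetical.

```python
# Constructed baseline policy: setting name, desired value, and whether the
# client may fix drift itself. Names are illustrative, not a product schema.
POLICY = [
    {"setting": "firewall.enabled", "want": True, "auto_fix": True},
    {"setting": "screensaver.lock_minutes", "want": 10, "auto_fix": True},
    {"setting": "antivirus.scheduled_scan", "want": "daily", "auto_fix": True},
    {"setting": "disk.encryption", "want": "on", "auto_fix": False},
]


class LocalDevice:
    """Stand-in for the endpoint's real settings store (registry, plist, ...)."""

    def __init__(self, settings, locked=()):
        self.settings = dict(settings)
        self.locked = set(locked)  # settings this script is not permitted to change

    def read(self, name):
        return self.settings.get(name)

    def write(self, name, value):
        if name in self.locked:
            raise PermissionError(name)
        self.settings[name] = value


def enforce(policy, device):
    """Check every rule; fix drift where allowed; return one record per rule."""
    results = []
    for rule in policy:
        name, want = rule["setting"], rule["want"]
        found = device.read(name)
        if found == want:
            status = "compliant"
        elif not rule["auto_fix"]:
            status = "drift-reported"  # needs a person, so report only
        else:
            try:
                device.write(name, want)
                # Re-read instead of trusting the write call.
                status = "remediated" if device.read(name) == want else "failed"
            except PermissionError:
                status = "failed"
        results.append({"setting": name, "found": found, "want": want, "status": status})
    return results


class Outbox:
    """Holds reports while the device is off the network."""

    def __init__(self):
        self.pending = []

    def record(self, results):
        self.pending.append(results)

    def flush(self, server_reachable, send):
        """Send queued reports oldest first; return how many were delivered."""
        if not server_reachable:
            return 0
        sent = 0
        while self.pending:
            send(self.pending[0])  # drop from the queue only after send succeeds
            self.pending.pop(0)
            sent += 1
        return sent


if __name__ == "__main__":
    laptop = LocalDevice(
        {"firewall.enabled": False, "screensaver.lock_minutes": 10,
         "antivirus.scheduled_scan": "weekly", "disk.encryption": "off"},
        locked={"antivirus.scheduled_scan"},
    )
    outbox = Outbox()
    outbox.record(enforce(POLICY, laptop))
    print(outbox.flush(server_reachable=False, send=print))  # still offline
    print(outbox.flush(server_reachable=True, send=print))   # back on the network
```

The `failed` and `drift-reported` records are the ones an exception-based alert would be built on; `compliant` and `remediated` only need to reach the periodic report.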
Distribution of client-side scripts written in VBScript or JavaScript or written ad hoc using a built-in wizard allows for the configuration of network, hardware, and desktop settings, and can be used to implement new configuration policies. VM, VLAN, router, and server-side scripting using PERL, PHP, Python, JavaScript (server), and other server-side scripting languages provides even more value, opportunities, and challenges.
Challenges of Configuration Management

While configuration management can provide powerful benefits, implementing it through scripting can be challenging. First, IT administrators must write and test the scripts, which can require quite a bit of technical expertise if using standard scripting languages like Visual Basic. Next they must figure out a way to distribute the scripts to endpoints across the organization, including to remote sites. Finally, they must verify and report that the scripts have run correctly.

Utilize existing third-party configuration scripts. Many IT departments retain a variety of scripts built in different scripting languages for varying purposes. Efficient configuration policies need to incorporate all types of third-party scripts and create new ones to interact with existing scripts.

Set up configuration policies for non-programming IT administrators. For many IT administrators and technicians supporting an organization, learning and keeping up to date on scripting languages is not high on their priority list. Setting up configuration policies with an easy-to-use wizard is a necessity to allow the IT administrator to easily write effective policies and leverage scripts.

Get the right configuration policy to the right device. Managing a library of configuration policies requires an IT management system that is able to distribute the right policy to the right device based on dynamic grouping and enforcement of configuration settings. This requires an established library of policy settings and scripts for various devices and management practices and an infrastructure to distribute these settings and scripts to client devices.

Support ad hoc jobs and standard policies. Whether a script is a temporary fix for a specialized job or part of a standard implementation policy, the IT team needs to be able to easily write, check, and deploy the script to configure computer devices.

Enforce configuration settings on mobile devices. Configuration settings on laptops, smartphones, and other mobile devices used by travelling and remote employees need to be configured and maintained when not connected to the management server. Enforcing configuration settings based on scheduled policies using client-side scripts is a necessity for many organizations.

Verify effectiveness with reports and exception-based alerts. IT administrators need to close the loop and verify that the scripts they have written and deployed are working effectively. In fact, reports verifying compliance with configuration policies are often a key element of compliance with regulations such as HIPAA and PCI. The IT administrator also wants to know when events happen outside set thresholds or rules established in a policy. Displaying alerts on the dashboard of the management console based on out-of-bound events thrown by the system allows the supporting IT administrator to be aware of problems in real time.
Best Practices for Configuration Management

Developing a system to write, distribute, and customize configuration policies allows the IT team to maintain policies, standardize desktop and server configurations, and implement a stable IT environment.

Employing pre-packaged configuration policies

IT management systems usually include configuration policies that do not require manual scripting efforts, allowing the IT team to easily update configuration settings "out of the box." These policies are typically designed to implement basic configuration tasks.

IT teams require the ability to create and enforce reliable configurations and activate pre-packaged scripts and policies for configuration and baseline standardization of all devices on the network, including registry settings, desktop settings, router rules, and option enforcers. Standard configuration settings can also be used to implement and enforce newly adopted configuration policies across the organization.

Setting and enforcing configuration policies

Setting configuration values and enforcing these settings through batch or individual scripts can be accomplished through one-time jobs or ongoing policies. Using dynamic policies to control configuration settings allows IT administrators to quickly and easily set up ongoing and automated enforcement as new systems are introduced or to update new scripts and software packages as they are created and made available.
logic.
Tokens. Replacement variables can be set up as tokens and replaced with values and logic at runtime.
This allows for variable scripts to be used.
Utilizing existing configuration scripts
IT administrators with a library of scripts written in various scripting languages such as VBScript,
JavaScript or XUL can use the IT management system to distribute these scripts. Batch scripting allows IT
engineers to author and distribute batch scripts directly. Existing libraries of scripts can be set up with
dependencies and accessed to run as part of other shell scripts.
Interruption options
Giving users the option to delay running a scheduled configuration policy when attached to the network
is an important feature to avoid work disruptions. For remote users, allowing the user to interrupt
deployment and actuation in order to not interrupt work allows for harmony between the user and the
IT team.
Security Audit and Enforcement
System security is a top priority for IT organizations. Developing a comprehensive solution to protect
endpoints from various types of viruses, spyware and other malicious software threats requires
enforcement and continuous monitoring in order to be credible. Ensuring and enforcing security
standards is critical to business continuity and a challenge as attacks become increasingly varied.
Challenges for Security Audits and Enforcement
Protecting the confidentiality and availability of information from malicious threats or accidental loss is a
priority requirement for today's organizations, to meet both operational and legal requirements.
Ensuring secure configurations and enforcing compliance typically involves several challenges.
Applying appropriate security configurations for all devices, as well as ensuring the latest service packs
and patches are applied, firewall settings are enabled for each OS, browsers have security settings,
anti-virus applications are scheduled to scan, and program usage restrictions are in place.
Enforcing secure configuration policies as the IT environment changes and evolves. This requires
automation of the enforcement process. The vulnerability scanning and remediation process for
discovered problems must be handled without disrupting business and normal IT usage.
Reporting for compliance purposes. Businesses subject to compliance reporting must prove that
appropriate security configurations are in place. Reporting that the systems have been successfully
configured with security settings, such as those defined in US-CERT OVAL definitions, is often a
requirement. Regular confirmation of continued protection as the environment changes may be
required as well.
When devices with security vulnerabilities cannot be automatically updated, the device may need to be
quarantined to protect the network. Only after it has been accessed and remediated by the IT
management system will the device be ready for re-introduction to the network.
Best Practices for Security Audits and Enforcement
Best practices for IT security involve vulnerability assessment, ongoing enforcement and auditing
progress towards compliance to minimize the business risk. Automating this work saves time for the IT
engineer and helps reduce security breaches and resulting lost productivity for the end user and the
organization.
Vulnerability Assessment
The US Department of Homeland Security sponsors OVAL as an information community standard
endorsed by US Computer Emergency Readiness Team (US-CERT) to promote open, publicly available
security content and standardization of its transfer across security tools and services. OVAL tests can be
used to scan for security vulnerabilities and are often used to augment other established or corporate
security standards. Vulnerability scans can be checks on the installation of an anti-virus application, or
can include numerous security metrics set to check on the OS, browser, network, anti-virus, and other
security programs and configuration settings.
Vulnerability scans should be scheduled by the IT team on a recurring basis and checked against the
current list of known vulnerabilities. Scans can be targeted at groups of devices or an entire subnet.
Reports from targeted computer devices should be checked against a list of vulnerability metrics to list
as pass/fail results and then used by the IT team to plan and execute remediation.
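The pass/fail evaluation and remediation planning described above, as an added Python example (not from the book or from any product it describes). The report fields, metric names, seven-day definition age limit and sample hosts are constructed assumptions; a real scan would evaluate OVAL definitions rather than these hand-written checks.

```python
from dataclasses import dataclass
from datetime import date

SCAN_DATE = date(2010, 6, 1)  # constructed scan date for the sample data
# Constructed sample inventory reports; field names are assumptions for this example.
REPORTS = [
    {"host": "desk-01", "firewall_enabled": True, "av_installed": True,
     "av_definitions": date(2010, 5, 30), "missing_patches": 0, "auto_update": True},
    {"host": "lap-07", "firewall_enabled": False, "av_installed": True,
     "av_definitions": date(2010, 4, 2), "missing_patches": 3, "auto_update": True},
    {"host": "kiosk-03", "firewall_enabled": True, "av_installed": False,
     "av_definitions": None, "missing_patches": 1, "auto_update": False},
]

@dataclass(frozen=True)
class Metric:
    name: str
    check: callable      # report dict -> bool, True means the device passes
    remediation: str     # action to plan when the check fails

def build_metrics(today, max_definition_age_days=7):
    def fresh(r):
        d = r["av_definitions"]
        return d is not None and (today - d).days <= max_definition_age_days
    return [
        Metric("firewall-enabled", lambda r: r["firewall_enabled"], "enforce firewall policy"),
        Metric("av-installed", lambda r: r["av_installed"], "deploy anti-virus"),
        Metric("av-definitions-current", fresh, "update definition files"),
        Metric("patches-current", lambda r: r["missing_patches"] == 0, "deploy patches"),
    ]

def assess(reports, metrics):
    """Return {host: {metric name: 'pass' | 'fail'}} for the compliance report."""
    return {r["host"]: {m.name: "pass" if m.check(r) else "fail" for m in metrics}
            for r in reports}

def plan(reports, metrics):
    """Return {host: [actions]}; hosts that cannot be auto-updated are quarantined first."""
    actions = {}
    for r in reports:
        failed = [m.remediation for m in metrics if not m.check(r)]
        if failed and not r["auto_update"]:
            failed.insert(0, "quarantine")
        if failed:
            actions[r["host"]] = failed
    return actions

if __name__ == "__main__":
    metrics = build_metrics(today=SCAN_DATE)
    for host, row in assess(REPORTS, metrics).items():
        print(host, row)
    print(plan(REPORTS, metrics))
```

Compliant hosts are absent from the plan, so an empty plan is the auditable "all devices pass" result.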
Security Enforcement Policies
Enforcing security configuration settings for computer devices and networks can be automated using
pre-built policies provided by the IT management system. IT will customize policies for a specific security
setting to be automatically applied to appropriate classes of IT systems as they appear in the
organization. The policy definition can also include running scans outside of business hours in order to
minimize any end user impact. Security policies typically include the following:
Enforce firewall settings policies. For example, enable port access in firewall settings to allow the IT
team to provide remote desktop access and remediation requests.
Set browser security policies. Typically, today's business users utilize a number of browsers including
Microsoft Internet Explorer, Apple Safari and Mozilla Firefox, and these need the appropriate
security settings to be enforced at the browser level.
Verify anti-virus policies. Regardless of the anti-virus program implemented by the organization, the
IT team needs to update the definition files and check that system scans are scheduled regularly.
Quarantine policies. For compromised computer devices, administrators can decide to break
communications between a computer and all other systems when a network security risk has been
identified. The IT management system can then be used to communicate directly with the
quarantined computer and resolve the security issue.
Disallow programs. Prohibit the running of unwanted or at-risk applications.
With the increasingly mobile workforce, security policies need to enforce settings on computers,
particularly laptops, even when they are not connected to the IT management system. Security scripts
can be set up to run regularly on the client devices even when offline from the management system.
Security policies leveraging scripts can also be enabled using easy-to-use wizards that support
conditions, multiple dependencies and multiple scripting stages in the security configuration. This allows
IT engineers to easily create and enforce new security policies without having to learn a scripting
language.
To efficiently remediate problems identified, a security audit and enforcement solution typically
integrates the remediation policies with the vulnerability assessment functionality. Remediation policies
can include patching, applying configuration settings, and application blocking or removal. This
integration improves efficiencies and makes it possible for the IT team to maintain security compliance
across the organization.
Compliance Reporting
For security compliance purposes, IT engineers require visibility of the vulnerability and the deployment
progress of security policies for all devices on the network. Compliance requires auditable reports to
confirm that policies have rolled out successfully and identify where remediation operations have failed.
Comprehensive compliance reports and dashboard alerts allow the IT team to complete the update
process and ensure that all devices meet organizational requirements. After applying security policies,
the IT team needs reports to confirm that the devices are up to date and compliant. See the chapter on
reporting for additional information.
As IT systems hold valuable information that is increasingly targeted by criminal elements, endpoint
security is crucial to protecting both access to that information as well as operational business integrity.
Keeping client-side systems secure in a timely manner is a challenge as new vulnerabilities are
constantly reported across a broadening spectrum of operating systems and web applications.
Automating security audits and enforcement with a robust, reliable systems management solution helps
the IT team quickly discover vulnerabilities and remediate problems and then enforce future compliance
based on establishing company security policies.
Administration
IT management systems should be easy to use and customize for use by both the senior IT engineers as
well as newly-hired IT technicians. They should also be easy to implement and adopt by the entire IT
team and end users throughout the organization. Systems management tools need to provide
streamlined device monitoring and maintenance features that avoid overly-complex or incongruent
feature sets, relying instead on integration of LDAP or Active Directory data, coordination of IT
management tools, and built-in reporting and alert features.
For today's IT team, efficient system management includes a centralized user interface with Web access
that incorporates all administration tools and data in a single, remotely accessible user interface. The IT
system integrates workflows to standardize management practices and increase the reach and
effectiveness of the IT team.
Administration Console
IT management systems that are too complex and require too much overhead often undermine the
decision to implement effective, coordinated management practices. To accomplish the myriad of tasks
associated with systems management, the IT team requires simplified management tools with the
power and functionality to expedite jobs and associate data for meaningful administration and
monitoring of hardware and software resources.
From the console, the IT engineer can view important information at a glance and customize views
specific to the needs of the environment. Administrative alerts to the IT engineer can be implemented
for notifications of device, network, and asset irregularities from a customized portal or home page.
Broadcast alerts and warnings for the end user can be set up and scheduled as well. Agent deployment
can be facilitated from the console to provide operational support that includes dynamic group
associations, sequenced tasks, secure configuration updates, and Wake-On-LAN capabilities designed to
save power and enable software updates or patches during off hours.
Reporting
Precise and comprehensive reporting by the IT team is vital when managing multifaceted administration
tasks across an organization. Basic reporting capabilities include proof of software license compliance,
notifications of elapsed asset warranties, computer inventory information, asset tracking, ticket
resolution status, and regulatory audit compliance. Customized reporting for specific needs and
personalized dashboard alerts are also important for effective event monitoring and real-time systems
management specific to the environment.
The ability to monitor and evaluate critical system metrics enables the IT team to take preventative
actions for systems-related events and to monitor trends across the network. Using pre-configured or
customized reports, IT teams can identify proper preventative measures to facilitate ongoing operations
and management strategies. Automated reporting capabilities allow the IT team to avoid the errors of
manual reporting and excessive waste of IT resources.
Alerts and Messages
Basically, two types of notifications are used by the IT engineer: broadcast messages sent to end users,
and administrative alerts sent to the IT engineer by the management system. For end users, broadcast
notifications and warnings of possible viruses or system updates are sent to groups of users based on
criteria such as subnet location, device properties, user groups, configuration settings, or other defined
criteria. Administrative alerts are designed by the IT team to notify the IT engineer of general system
warnings, asset expiration dates, component malfunctions, or other system interruptions or status
alerts. Administrative alerts are based on a set of parameters defined within the event harness of the IT
management system.
Administrative Alerts
Administrative alerts notify the IT engineer of serious events concerning an organization's hardware and
software resources. Alerts can be scheduled to scan for system irregularities based on defined metrics
and display them as dashboard alerts to apprise the IT engineer of pending issues:
Computer notifications. Alerts can be generated to capture computer status based on computer
hardware model or manufacturer, software applications, free disk space, or the last inventory report.
Asset notifications. Asset notifications can alert the IT engineer on license or lease expirations. Alerts
can be configured to send e-mail to individuals or to automatically generate a help desk ticket.
Broadcast Messages
Notifying end users of events that can impact their work day can be an important aspect of effectively
managing network resources. Configurable end user broadcast alerts notify users of impending outages
and systems changes to ensure up-to-date system status reports. Alerts are usually policy driven and
configured to be distributed to groups of users immediately or on a defined schedule or configured to
expire after a set time.
Role-based permissions
Administration rights for each IT engineer need to conform to his or her role within the IT team. Access
to sensitive network-wide operations or server access needs to be limited by the IT manager with
specific administrative rights defined. Role-based privileges to perform defined IT tasks need to be
coupled with permissions to group device and data objects. This allows the IT team to securely control
which IT administrators have access to specified system management functionalities and to set up
separate organizational groups to isolate these roles and rights.
Assigned IT duties are most often aligned to the proximity of the IT engineer to geographic regions and
business units within the organization as well as his or her expertise and experience for specific IT
tasks. The IT manager needs to be able to define management domains and duties for each IT engineer
based on their assigned role and required access to groups of users and computer devices as well as
specified data stores.
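The coupling of role privileges with device-group permissions and separate organizational groups, as an added Python example (not from the book or from any product it describes). The role names, task names, engineers and device inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    tasks: frozenset            # IT tasks the role may perform

@dataclass
class Engineer:
    name: str
    org: str                    # organizational group that isolates roles and rights
    role: Role
    device_groups: set = field(default_factory=set)

# Constructed roles, engineers and device inventory (assumptions, not from the book).
HELPDESK = Role("helpdesk", frozenset({"view_inventory", "remote_control"}))
DEPLOYER = Role("deployer", frozenset({"view_inventory", "deploy_image", "run_script"}))

DEVICES = {
    "emea-lap-12": {"org": "emea", "group": "laptops"},
    "emea-srv-01": {"org": "emea", "group": "servers"},
    "us-lap-40": {"org": "us", "group": "laptops"},
}

def authorize(engineer, task, device_id, devices=DEVICES):
    """Allow only when role privilege, organization and device group all match.

    Returns (allowed, reason) so every decision can be written to an audit log.
    """
    device = devices.get(device_id)
    if device is None:
        return False, "unknown device"
    if task not in engineer.role.tasks:
        return False, f"role '{engineer.role.name}' lacks task '{task}'"
    if device["org"] != engineer.org:
        return False, "device belongs to another organization"
    if device["group"] not in engineer.device_groups:
        return False, f"no permission on group '{device['group']}'"
    return True, "ok"

alice = Engineer("alice", "emea", DEPLOYER, {"laptops"})
bob = Engineer("bob", "emea", HELPDESK, {"laptops", "servers"})

if __name__ == "__main__":
    for eng, task, dev in [(alice, "deploy_image", "emea-lap-12"),
                           (alice, "deploy_image", "emea-srv-01"),
                           (alice, "deploy_image", "us-lap-40"),
                           (bob, "deploy_image", "emea-srv-01")]:
        print(eng.name, task, dev, authorize(eng, task, dev))
```

The check denies by default: a missing role privilege, a foreign organization or an unassigned device group each blocks the task on its own.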
LDAP or Active Directory Integration
Real-time integration of the IT management system with network directory services such as Active
Directory (AD) or LDAP allows organizations to automatically import, create, and synchronize device and
user group objects from the directory to the IT management system. As data is updated and changes are
made to the network directory, the management system can then dynamically update new user and
group information to ensure that settings stay consistent. In addition, the management system can
automatically reflect any new credential updates when changes are made in the LDAP or Active
Directory.
Remote offices
Remote site management and administration capabilities allow the IT team to effectively deploy
systems at remote sites for travelling users, at-home workers, or satellite offices. Managing remote
sites and personnel from a central location is vital in reducing the time and costs associated with
managing remote systems and eliminates the travel requirements and manual practices previously used
to deploy systems beyond the central campus.
Remote management allows a single, centralized IT management system to stage and deploy disk
images, OS installations, scripted installs, drivers, and software applications to remote sites. This can be
accomplished with or without the need for dedicated IT personnel at remote locations. For multi-site
organizations, a virtual infrastructure with remote transfer and update features allows for deployment
operations that control timing and content of staged deployment assets. Scheduled updates and
synchronization, along with bandwidth throttling, help minimize network consumption while keeping
all remote sites updated.
External drives, USB drives, or CDs can be used by remote employees to boot locally and then connect to
the IT management system to access the full deployment library. Once connected to the central
management system and software library, any deployment task can be executed on the targeted device.
Computers without a good Internet connection can include an image file on the USB drive or save the
data files to a DVD. All images, network OS installations, and other assets can be referenced from a
centralized deployment library, making it much easier to ensure that outdated images or network OS
installations are not accidentally deployed to managed devices.
Today's administrator benefits greatly from a centralized administration console, can enjoy an accurate
picture of the managed environment with reporting features, and can be alerted to issues as they arise.
Being able to enforce role-based permissions allows the workload to be shared among an administration
team without exposing potentially dangerous features to all those who participate. Integration with
LDAP is key to leveraging the investment already made in the segmentation of systems through a
network, and the ability to intelligently handle bandwidth issues for remote sites is critical to ensuring
distant systems can be managed as easily as those down the hall. With the right tools at their disposal,
administration with an integrated systems management solution can save considerable time and
investment while making administrators more productive and better able to respond to (and even prevent)
issues throughout the environment.
Service Desk
Keeping an organization productive is the challenge for IT help desk support technicians. Downtime of
personnel or computer devices for any reason means lost productivity and lost revenue opportunities.
To keep resources up and running, the help desk requires a basic system with these features:
Incident management. Help desk technicians require an incident management system to receive
and prioritize user requests, assign the ticket to the appropriate IT engineer, and track the issue
to resolution. Help desk practices range from basic incident management prioritization and
remediation of help desk tickets to highly structured support of ITIL incident, problem,
configuration, change and release management services. Incident management requires
features for tracking help desk tickets, prioritizing IT team efforts and setting up queues to
resolve problems by priority and ability.
Collaborative IT system. Integrated management tools and associated support information allow
the help desk technician to access targeted inventory reports, asset information, the
management history of each computer device and remote control and remediation capabilities
from a consolidated management console. IT teams are most effective in resolving problems
using a management system with focused reporting capabilities and integrated tools employed
from the help desk.
Sequenced and automated workflows. Integrated management systems allow IT engineers to
design workflows to implement IT policies for common jobs such as setting up new users,
deploying new computers, updating patches and perfo