Managing Your Educational Computer Environment, Mark Tigwell


Upload: sara-gilmore

Post on 17-Jan-2018


DESCRIPTION

©2005 Microsoft. Managing your environment: Microsoft's approach to IT management. 1. Common tools 2. Active Directory 3. Staying up-to-date: Patch Management 4. Managing security 5. Managing software 6. Monitoring operations

TRANSCRIPT

Slide 1: Managing Your Educational Computer Environment
Mark Tigwell
© 2005 Microsoft

Slide 2: Introduction
- Mark Tigwell, Technology Specialist, Education

Slide 3: Managing your environment
Microsoft's approach to IT management
1. Common tools
2. Active Directory
3. Staying up-to-date: Patch Management
4. Managing security
5. Managing software
6. Monitoring operations

Slide 4: Why manage anything?
The old way
- Simple & easy to control
- Awful user experience
- Virtually useless for education
- Expensive central servers that can only be run by qualified engineer$
The new way
- Rich and exciting user experience
- Powerful education tool
- Easy to install and use
- Cheap, powerful servers that are easy to configure
- Management is optional
- Planning is unnecessary

Slide 5: Microsoft Solutions for Infrastructure and Management
- MOF: Microsoft Operational Framework
- MSF: Microsoft Solutions Framework
- Envisioning, Planning, Building, Deploying
- Changing, Operating, Supporting, Optimizing
- Iterative Operations
- Business Desktop Deployment
- Server Deployment
- Account Management
- Service Monitoring
- Patch Management
- Exchange 5.5 Migration
- LOB Consolidation
- Domain Migration
- File & Print Consolidation

Slide 6: 1. Common tools
1. MOF
2. MeLL IT Pro edition (Demo)
3. Management console (Demo remote & performance)
4. Event viewer (Demo)
5. Virtual PC and Server (Demo)
6. *NEW AntiSpyware beta

Slide 7: Integrated Management
- You probably own one of these, what is it?

Slide 8: Windows Management Instrumentation
- A. Management layer technology
- System to be managed (eg Windows)
- Information collection & storage
- Management application (eg SMS)

Slide 9: Integrated Management
- Microsoft Management Console (MMC)

Slide 10: Extendable management
Microsoft has extended WMI to create advanced integrated management tools
- SMS 2003
- MOM 2005
- Systems Center 2005 coming soon!

Slide 11: Extendable management
Microsoft's management tools help customers manage hundreds of different platforms and systems:
- Citrix
- HP Insight
- Linux and UNIX
- Novell

Slide 12: Active Directory

Slide 13: What is Active Directory?
Foundation for Identity & Access Management
- Windows Users: Account Information, Privileges, Profiles, Policies, Single Sign-On
- Windows Servers: Network Resources, File Shares, Printers, Policies
- Windows Clients: Configuration, Security, Quarantine, Policies
- Other Systems: Directories, Databases, Mainframes, UNIX
- Microsoft Products: Product Information, Privileges, Profiles, Policies, Automated deployment
- Network Devices: Configuration, Quality of Service, Security Policies, Single Sign-On
- Firewall Services: Configuration, Security Policy, VPN & Remote Access, Quarantine, Single Sign-On
- 3rd Party Applications: Single Sign-On, Automated deployment, Configuration, App-specific directory data
Benefits
- Operational Efficiency
- Improved Security
- Improved Productivity
- Interoperability
Active Directory
- Focal point for network & user management
- Central authority for network & application security
- Integration point for bringing systems together

Slide 14: Benefit: Strengthen Security
Automate the Lockdown of Windows Systems
- Security templates can ensure enterprise-wide security
- Prevent end-users from modifying desktop configurations or settings
- Software Restriction Policies precisely control what software can be run
- Enable audit of events & changes
- Control hundreds of settings via Group Policy

Slide 15: Staying up-to-date: Patch Management

Slide 16: Update Management Guidance
- Implementing a consistent, high quality update management process is the key to successful update management
- Microsoft delivers best practices prescriptive guidance for effective update management
  - Uses Microsoft Operations Framework (MOF)
  - Based on ITIL* (de facto standard for IT best practices)
- Details requirements for effective update management:
  - Technical & operational pre-requisites
  - Operational processes & how technology supports them
  - Daily, weekly, monthly & as-needed tasks to be performed
  - Testing options
- Three update management guidance offerings
  - Microsoft Guide to Security Patch Management**
  - Patch Management using Software Update Services***
  - Patch Management using Systems Management Server***
*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
Process diagram: Assess, Identify, Evaluate & Plan, Deploy

Slide 17: Solution Components
- Prescriptive Guidance
  - Microsoft Guide to Security Patch Management
  - Patch Management Using SUS
  - Patch Management Using SMS
- Analysis Tools
  - Microsoft Baseline Security Analyzer (MBSA)
  - Office Inventory Tool*
- Online Update Services
  - Windows Update
  - Office Update
- Content Repositories
  - Windows Update Catalog
  - Office Download Catalog
  - Microsoft Download Center
- Management Tools
  - Automatic Updates (AU) feature in Windows
  - Software Update Services (SUS)
  - Systems Management Server (SMS)
*Office Inventory Tool is no longer needed; MBSA 1.2 (released in January 2004) includes Office scanning functionality

Slide 18: MBSA
Helps identify vulnerable Windows systems
- Scans for missing security patches and common security mis-configurations
- Scans various versions of Windows and other Microsoft applications
- Scans local or multiple remote systems via GUI or command line invocation
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Integrates with SUS & SMS
Process diagram: Assess, Identify, Evaluate & Plan, Deploy; New Update

Slide 19: Demo

Slide 20: Windows Update (WU)
- Microsoft online update service (windowsupdate.microsoft.com)
  - Identifies missing Windows OS* patches / updates on accessing computer
  - Generates targeted list of missing updates
  - Installs user selected missing updates
  - Provides update installation history
- WU content can be automatically downloaded via Automatic Updates
- Supplemented by Windows Update Catalog site which provides:
  - Comprehensive repository for all Windows and Designed for Windows logo device driver updates
  - Search to find desired update
  - Manual download of desired updates
  - Download history for accessing computer
*Windows 98 and later versions. Note: also updates 64-bit editions of Windows Server
Process diagram: Assess, Identify, Evaluate & Plan, Deploy; New Update

Slide 21: SUS 1.0
- Deploys Windows security patches, security rollups, critical updates, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed from Windows Update
- Provides basic patch installation status logging
Process diagram: Assess, Identify, Evaluate & Plan, Deploy; New Update

Slide 22: SUS Client Component: Automatic Updates
- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Can auto-download and install patches under admin control
- Consolidates multiple reboots to a single reboot when installing multiple patches
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages

Slide 23: SUS Server Component: SUS Server
- Downloads updates from Windows Update
- Web based administration GUI
  - Specify server & update process configuration options
  - View downloaded updates
  - Approve updates & view approved updates
- Security by design and default
  - Requires NTFS; Installs IIS Lockdown and URL scanner*
  - Supports secure administration over SSL
  - Digital signatures on downloaded content validate authenticity
  - Uses HTTP for content synchronization; only port 80 needs to be open
- Server side XML based logging on Web server
  - Patch deployment & installation statistics
- Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
- Localized** in English & Japanese
*If not already installed
**Note: Delivers updates for all 24 supported client languages

Slide 24: SMS 2003 Capabilities
- Application Deployment
- Asset Management
- Security Patch Management
- Leveraging Windows Management Services
- Support for the Mobile Workforce

Slide 25: SMS 2003 Patch Management: Functionality
- System scanning & patch content download
  - Content from Microsoft Download Center
  - MBSA & Office Inventory plug-ins scan for missing patches
  - Supports updating of remote & mobile devices
  - Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
- Administrator control
  - Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
  - Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
  - Specific start and end times (change windows); multiple change windows
  - Easily move patches from testing into production
  - Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic reference system configuration

Slide 26: SMS 2003 Patch Management: Functionality (2)
- Patch download & installation
  - Delta replication (site-site, server-server) of patches
  - Uses BITS* for mobile / remote client-server
  - Uses SMB* for LAN / priority situations
  - Reminders and rescheduling of install / reboot & enforcement dates
  - Optimized graceful reboots, but forced when enforcement date arrives
  - Per-patch reboot-needed detection to reduce reboots
- Status & Compliance Reporting
  - Deployment status as patches are attempted
  - Standard and customized reports through read-only SQL queries
  - Determine actual baselines in the environment before changing the environment
  - SLA measurement and rate-of-spread
*Requires SMS Advanced Client

Slide 27: Choosing A Patch Management Solution: Needs-Based Selection
Adopt the solution that best meets the needs of your organization

Capability | Windows Update | SUS 1.0 | SMS 2003

Core Patch Management Capabilities
Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98*
Supported Content Types | All patches, updates (including drivers), & service packs (SPs) for the above | Only security & security rollup patches, critical updates, & SPs for the above | All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps
Granularity of Control
Targeting Content to Systems | No | Yes
Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment & server sync)
Patch Distribution Control | No | Basic | Advanced
Patch Installation & Scheduling Flexibility | Manual, end user controlled | Admin (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities
Patch Installation Status Reporting | Assessing computer history only | Limited (client install history & server based install logs) | Comprehensive (install status, result, and compliance details)

Additional Software Distribution Capabilities
Deployment Planning | N/A | Yes
Inventory Management | N/A | Yes
Compliance Checking | N/A | Yes

*MBSA does not support scanning Win98. Win98 can be updated using SMS2003 inventory management and software distribution capabilities

Slide 28: Windows Update Services future
The update management component of Windows Server that enables IT administrators to more easily assess, control and automate the deployment of Microsoft software updates
- Update management solution for all Microsoft products
  - Initially supports Windows XP Pro, Windows 2000 Pro, Windows 2000 Server, Windows Server 2003, Office XP, Office 2003, SQL Server 2000, MSDE 2000, Exchange 2003, + additional products over time**
  - Support for additional update types: security, critical and non-critical updates, update rollups, service packs, feature packs, and critical driver updates
- Core update management infrastructure in Windows
  - Data Model: supersedence, update dependency & bundle relationships
  - Built-in update scanning engine to detect missing updates
  - Server APIs (.NET) and remoteable Client APIs (COM)
- Enhanced bandwidth optimization
  - Uses BITS for client-server and server-server communication
  - Binary delta compression technologies dramatically reduce data transfer needs
  - Configurable update subscriptions: specify subset of content to be downloaded
*WUS is currently in beta. Microsoft does not guarantee that all capabilities listed will be in the released version. Datasheet and sign up for the Open Evaluation Program at:
**Without the need to upgrade or redeploy WUS

Slide 29: Windows Update Services (2)
- Expanded administrative control
  - Scanning: Pre-deployment scan for missing updates
  - Download & approval: Specify only metadata be downloaded, rules for auto-approving updates, etc.
  - Targeting: Install or uninstall to systems grouped via enumerated lists or Group Policy
  - Scheduling: Set new update detection frequency*, specify install deadline**, etc.
  - Implementation: Options to use specified communication port, work with Internet proxy, deploy in hierarchical replica or independently managed server topologies, support update management for networks not connected to the Internet, etc.
  - End-user experience: Options to notify users of new updates, reboot, etc.
- Status reporting
  - Deployment status aggregation per machine/per update/per group
  - Download / install success, failure, and error info
  - Logs statistics to SQL Server or MSDE
- Improved ease of administration
  - New, intuitive Web administration console simplifies ongoing administration and provides detailed information on new updates
  - Command line utilities and scriptability to enable scalable, efficient administration
*Max. frequency 1/hour. Can use command line option or script to trigger new update checks on demand
**Deadlines also enable enforcement of update installs (re-installation of required updates removed from the system at a later date)

Slide 30: Managing security

Slide 32 (diagram labels)
- Microsoft Management Products for the Enterprise
- Common Infrastructure
- Taxonomy Of Windows Management Solutions
- Less / More
- # of Windows IT & Admin/IT skill-set
- Third Party Solutions
- Solutions for Consumers and Small Biz
- Function Shipped in Windows
- Value-add Microsoft Products
- Partner solutions built on Microsoft management products or directly on Windows

Slide 33: Integrated Offerings for Managing Windows
- Microsoft Operations Framework (MOF)
- Management Architecture
- Microsoft Operations Manager
- Systems Management Server/SUS
- Reskit Utilities
- Automated Deployment Service
- Terminal Services
- Group Policy Management Console
- Operations Assessment
- Windows Server Deployment & Business Desktop Deployment
- Product Operations Guides
- Patch Management
- Account Management
- Service Monitoring and Control

Slide 34: Windows Firewall
- Basic behavior

Slide 35: Managing Windows Firewall
- Manage Windows firewall via Group policy

Slide 36
- Protects Microsoft software against application layer attacks
- Eases deployment and management
- Enables quick and secure information access
- Maximizes existing IT investments

Slide 37: Managing software

Slide 38: Application Deployment: Demands
- IT environment is complicated
  - Need help planning and testing
  - Need reliable and verifiable deployment
- IT landscape is diverse
  - Need controlled deployment
    - Right time
    - Right users
  - Need to work with geographically dispersed clients

Slide 39: Application Deployment: SMS Delivers
- Makes deployment of business productivity applications easy
  - Office System Programs
  - SAP, Siebel, etc.
- Planning Tool
  - Extended and improved inventory and metering
- Deployment Tool
  - Target based on business needs
  - Right applications to the right users on time
  - Better user experience
Diagram labels: Distribution Server, Collection, Program, Package, Client

Slide 40: Software Delivery Status

Slide 41: Asset Management: SMS Delivers
- Reliable and scalable inventory
  - Better control
  - Reduced traffic
  - Granular targeting
- Integrated software metering
  - Usage tracking
  - Data roll-up
- Robust reporting
  - License compliance tracking
  - Customizable reporting dashboards

Slide 42: Inventory Capabilities
- Increase scale
  - 100,000+ systems on single primary site
  - 5-7X scale over SMS 2.0
- More control over software inventory
  - Better selection criteria
    - Wildcards, directories, and environment variables
    - Highlight different inventory permutations, like *.exe, m*.exe, etc.
  - Exclude encrypted and compressed volumes (critical for servers)
  - Ability to just get file properties, improving system performance
- Better reporting on installed applications
  - WMI provider to inventory Add/Remove Programs data
    - Both the UI and Registry Information
    - Easier to track suite of applications
    - Enterprise Agreement True-Up report
  - WMI provider to inventory Windows Installer component status
- Reduced inventory traffic
  - Deltas generated on clients, advanced clients use compressed XML files

Slide 43: Software Metering
- Metering provides application usage tracking
  - Enables informed purchasing decisions
  - Allows you to track concurrent licensing
  - Reduces complexity in enterprise
- Administrators have control
  - Specify what applications to meter
  - Multi-site configuration tool allows replication of rules
  - Summarization tasks reduce data store
  - Tracks user, machine, time, frequency, usage
  - Usage data can be blocked from flowing up hierarchy to reduce traffic

Slide 44: Reporting
- Extensible web-based reporting tool
  - Based on automatically maintained, high performance SQL Views
  - Schema based on SMS Provider
  - Documented and supported
  - Improvements from original web version
- 120 pre-built reports
- Dashboard functionality makes it easier to customize reports
  - Multiple reports in a single view
- Integrated security support
- Internationalized versions
- Exporting Reports
  - Can export/import report properties into other SMS environments

Slide 45: Reporting

Slide 46: Monitoring operations

Slide 47: MOM 2005 Delivers
- Reporting: SQL Server Reporting Services, Web based reports, Scheduled publishing, Easily customizable
- Enterprise management: Central console, Full redundancy, Rules based filtering, Proactive alerting/action response, Event consolidation
- Apps/Role Monitoring: Health Model, Rules libraries, Built-in knowledge
- Automation: Scripts, Tasks, Diagnostics
- Advanced Capabilities: Agentless monitoring, Maintenance Mode, Rule Override
- Extensible: MOM Connector Framework, Management pack authoring, Software Development Kit, .NET Connected
- Configurations: 64-bit support, Multi-homing, Multi-tiering, Globalized

Slide 48: Administrator Console
- Microsoft Management Console (MMC) based
- Administrative Tasks
  - Computer Discovery Rules
  - Configuring and Deploying Agents
  - Specifying Managed Mode of Managed Computers
  - Management Pack Administration
- Authoring Management Packs
  - Changing Rules
  - Identifying Providers
  - Creating Scripts
  - Working with Computer Groups

Slide 50: State Terminology
- Role
- Instance
- Component

Slide 54: Web Console
- Web Interface to Operations Console
- Visibility
  - Alerts
  - Events
  - Company Knowledge
- User Flexibility
  - Check/modify alert status
  - Update company knowledge
  - View computer status (within a scope)
  - Receive notifications with problem links
- Built on the MOM SDK

Slide 56: Reporting Console
- Utilizes SQL Server Reporting Services
- Long term offline storage and analysis of data
- Web based reporting
- Dynamic Reports (drill down, sort, chart, etc)
- Easy customization (Visual Studio-based)
- Data transformation and management functionality
- Improved grooming for the database
- Ability to export data to other formats
- Folder- and report-based security
- Publisher Subscription Model
- Scheduled publishing and delivery
- Star schema for better analytics

Slide 57: Reporting Console
- Operations Reports
- Management Pack Reports
- Capacity and Usage Reports
- Performance and Load Reports
- Security Reports
- Reliability and Availability Reports
- Configuration and Inventory Reports
- Ported MOM 2000 Reports

Slide 60: Tools I referred to
- Software Update Services: NO COST (link fragment: ervices/evaluation/previous/)
- Microsoft eLearning Library (MELL): NO or LOW COST
- Microsoft Baseline Security Analyser (MBSA): NO COST (link fragment: me.mspx)
- Microsoft Management Console: INCLUDED WITH WINDOWS (link fragment: erver2003/operations/)
- Event Viewer: INCLUDED WITH WINDOWS (link fragment: erver2003/technologies/featured/ad/)
- Active Directory: INCLUDED WITH WINDOWS (link fragment: erver2003/technologies/featured/ad/)
- Systems Management Server 2003: GREAT VALUE
- Microsoft Operations Manager 2005: GREAT VALUE
- Microsoft Operations Framework (MOF): NO COST
- ISA Server 2004: GREAT VALUE (link fragment: erver2003/technologies/featured/ad/)

Slide 61: Thank you
We would like to thank all sponsors of the Microsoft Education Roadshow
National Hardware Sponsor: