Garry Corcoran IO Lead Microsoft UK Session Code: SM01 Implementing Core Infrastructure Optimization: The Implementer Resource Guides Original Presenter:

Presentation transcript:

Garry Corcoran IO Lead Microsoft UK Session Code: SM01 Implementing Core Infrastructure Optimization: The Implementer Resource Guides Original Presenter: Eduardo Kassner Enterprise Technology Strategist

Session Objectives: Why IO? Learn how to discuss implementation of Core IO concepts and best practices. Find out how to navigate and leverage existing best practice implementation content and where to find it. Learn how to create project execution plans using products, WSSRA, MOF, TechNet and Solution Accelerator guidance.

Infrastructure Optimization Model

Desktop, Server and Device Management Security and Networking Identity and Access Management Data Protection and Recovery IT and Security Process Core Model Capabilities

How It All Fits Together IO Customer Analysis Provide home & mobile workers operational access to CRM Link HR and all IT Identity systems

Best Practices Across Lifecycle Yield Optimization
[Chart] $/PC and PCs per IT FTE: $1,320/PC, 172; $580/PC, 442; $230/PC, 600. Lifecycle phases: Plan/Optimize, Change, Operate, Support.
Improve IT efficiency; Increase agility; Shift investment mix
Note: $/PC represents annual IT labor per PC. Source: IDC, 2006; Microsoft studies.

Basic Standardized Rationalized Limited PC Security PC firewall Auto patching PC Security $130/PC Savings Multiple Directories Many auth. directories No dir synchronization Manual user provisioning Single directory for Auth One authentication dir. Automated provisioning Single Sign-on Auto password reset Auto user provisioning Comprehensive PC Security Anti Spyware Enforced security compliance with Network Access Control Limited sys mgmt Single sys mgt tool Software packaging Software distribution No system-wide mgmt Poor sys mgt tool coverage Duplicate mgmt tools Manual sw, patch deploymt Standardization Defined PC lifecycle Limited policy based PC mgt Many software configs Stds Compliance Defined PC Lifecycle, stds enforcement Full policy based PC mgt Minimal hw, sw configs None No PC life cycle strategy No policy based PC mgt Many hw, sw config Minimal PC Security Anti-virus Manual patching No enforced sec. compliance Comprehensive sys mgt Hw, sw inventories Hw, sw reporting Auto/targeted sw dist. Source: IDC, 2006 Standardized desktops $110/PC Centrally managed PC config $190/PC Comprehensive directory solution $120/PC Single system management tool $110/PC Automated software distribution $120/PC $1,320/PC $580/PC $230/PC Automated user provisioning $50/PC

Infrastructure Optimization You might have experienced: IO Assessment IO Model Presentation IT Plan Alignment

Identity & Access Management Desktop, Devices & Server Management Security & Networking Data Protection and Recovery Security Process ITIL/COBIT – based Management Process Governance Automated Patch management Software Image based deployment MOF Optimizing Quadrant MOF Team Model SLM & SLA Reviews Implement ITIL + MOF Data Protection Manager NAS/SAN Solutions Develop Security Policies Implement Group Policy through AD Implement XPSP2 as default OS MOM 2005 for managing servers Deploy a VPN solution CORE IO Customer Progression Roadmap REAL WORLD EXAMPLE

Current IO Tools You probably have seen IO over the last year, and maybe even planned your projects with this model Infrastructure Optimization Core IO Model IO Plans MOF BDD

Continuous Improvement Roadmap The Microsoft Operations Framework (MOF) provides operational guidance that enables organizations to achieve mission-critical system reliability, availability, supportability, and manageability of Microsoft products and technologies. MOF Process Model Self Assessment Tool Microsoft Operations Framework

Architecture Blueprints WSSRA contains detailed IT infrastructure planning and design guidance, tested and proven in labs. This guidance enables organizations to build highly available, secure, manageable, and reliable enterprise IT infrastructure. Logical Architecture Diagram Implementation Guides Windows Server System Reference Architecture (WSSRA)

Detailed Project Guidance and Job Aids BDD 2007 simplifies Windows Vista and the 2007 Office system deployment, including comprehensive process guidance, job aids and tools to correspond with every stakeholder and phase of a large-scale desktop deployment project. Deployment Workbench MMC TechNet Desktop Deployment Center Business Desktop Deployment (BDD) 2007 Released: January 2007

How we saw it We needed to develop implementer guidance A lot of excellent IP already created in: Solution Accelerators Reference Architecture (WSSRA) Microsoft Operations Framework (MOF) Scenario Guidance and Toolkits (BDD, IDA, BOIS, Patch, LOBSA, etc.) TechNet Solution Center Guidance Product Guidance LET’S MAKE IO ACTIONABLE FOR IMPLEMENTERS!

What we decided to do about it Contextual set of guides that lead through the How-to elements of IO Moving from Basic to Standardized (~90 pages) Moving from Standardized to Rationalized (~140 pages) Moving from Rationalized to Dynamic (~50 pages) Redesign of the public web site IO TechNet Solution Center

Released: Spring 2007 Basic to Standardized Guide IO provides a logical roadmap to progress the maturity of an IT organization. These guides describe the core concepts for implementing and managing IO-defined capabilities, linking to more detailed and actionable content for implementation. SOLUTIONACCELERATORS Act faster. Go further. microsoft.com/technet/SolutionAccelerators Core IO Capability Model Standardized to Rationalized Guide Rationalized to Dynamic Guide Core Infrastructure Optimization (IO) Implementer Resource Guides

Currently we take you to the products title page

We propose to take you to the exact reference MOF BDD

Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized

Identity and Access Management: Moving from Basic to Standardized
Basic: No Active Directory for authentication of most users; No server-based identity or access management; Limited or inconsistent use of passwords
Standardized: Active Directory for Authentication; Security templates applied to standard images; Desktops not controlled by group policy

Identity and Access Management Content Guide Planning and Architecting the AD Infrastructure Defining the Service Designing the AD Logical Structure Logical Structure Design Reqs Forest Design Domain Design Forest Root Design AD Namespacing design DNS Infrastructure to support AD Creating Organizational units Rendering the AD Logical Design Deploying the AD Infrastructure Configure Domain Configure DNS on Domain Controllers Operating Active Directory

Desktop, Device and Server Management: Moving from Basic to Standardized
Basic: Lacking automated patch management for most desktops; Lacking standard images for most desktops, no desktop image strategy; Inconsistent plan to manage multiple operating systems; Not monitoring most servers; No provisioning for mobile devices
Standardized: Automated patch management; Defined set of standard images; Desktop image strategy in place that includes anti-virus, management tools, line of business applications; Consistent plan to manage operating systems; Monitoring present for most critical servers; Mobile device provisioning; Security policy provisioning for mobile devices; Remote wipe and policy enforcement for mobile devices

Desktop, Server & Device Management Content Guide Automated Patch Management Assess Phase Identify Phase Discover new SW Updates Obtain SW Updates in a reliable manner Develop SW Updates screening methods Identify process owners Develop and review process documentation Inventory/Discover computing assets Sources for SW Updates Assess existing infrastructure for updates Assess operational effectiveness Plan release Conduct acceptance testing Determine inventory set to be patch Determine go/ no go Evaluate and Plan Phase Deploy Phase Automated Patch Management … cont Deployment Review Preparation Stage updates on distribution point Vulnerability update Validate plan vs deployed Communicate rollout schedule Advertise SW Monitor deployment Handle failed deployments Update build images Validate risk mitigation

Desktop, Server & Device Management Content Guide Standardized Computer Images Plan Development Define type of image to use (thick or thin) Create build Create deployment point Install a build Update the deployment points Stabilization Maintenance Test build Test deployment process Update build and log changes Consolidation of Desktop Images to 2 OS versions Multiple Standard Images Exceptions Patches and Updates Maintenance Contracts User Productivity Application Compatibility

Desktop, Server & Device Management Content Guide Centralized Management of Mobile Devices SMS 2003 Device Management Feature Pack Device Management Capabilities Exchange Server 2003 and Exchange Server 2007 Active Directory Managing Exchange ActiveSync Managing Exchange ActiveSync Users Remotely Enforced Device Security Policies Certificate-Based Authentication S/MIME-Encrypted Messaging Identity Validation, Data Protection, and Data Backup of Mobile Devices User Access, Passwords Device Lockout, Certificates Data Access, Data Encryption Remote Device Wipe

Security and Networking: Moving from Basic to Standardized
Basic: Most desktops lacking anti-virus software with automated updating; Lacking centralized firewall for most systems; No internal server for DNS and DHCP
Standardized: Standardized anti-virus solution on all desktops; Centralized firewall (above class 1 firewall); Internal DNS, DHCP

Security and Networking Content Guide Antivirus Software for Desktops Levels of Defense Client Defenses Client Antivirus Protection Steps Reduce the Attack Surface Apply Security Updates Enable a Host-Based Firewall Install Antivirus Software Test with Vulnerability Scanners Suggested Antivirus Software Centralized Firewall Services Class 1 – Personal Firewall Class 2 – Router Firewall Class 3 – Low-End Hardware Firewall Class 4 – High-End Hardware Firewall Class 5 – High-End Server Firewall Network Firewalls – Classes 2-5 Firewall Features Network Adapter Input Filters Static Packet Filters

Security and Networking Content Guide Availability Monitoring of Critical Servers Monitoring Software MOM Operations Components Response to Events Monitoring Data Event Data Performance Data Alert Data Discovery Data Internally Managed Basic Networking Services (DNS, DHCP, WINS) Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) Windows Internet Naming Service (WINS) Benefits of an Internal DNS Server Benefits of an Internal DHCP Server WINS and Internal Resources

Data Protection and Recovery: Moving from Basic to Standardized
Basic: Lacking backup and restore on most critical servers; User data stored randomly, not backed up on network; Any backup happens locally; No user state migration available for deployment; Untested recovery
Standardized: Backup/restore on critical servers; Standards for local storage in My Documents folder, but not redirected or backed up; Any backup happens at workgroup level; Some automation of user state migration available for deployment; Tested recovery for mission-critical applications

Data Protection and Recovery Content Guide Data Protection & Recovery Defined Backup and Restore Services for Critical Servers Backup Plan Backup Modes Backup Types Backup Topologies Service Plan Recovery Plan Verify Backups Backup Existing Log Files before Performing any Restoration Perform a Periodic Fire Drill Create a Disaster Kit

IT and Security Process: Moving from Basic to Standardized
Basic: Most IT resources are used to keep IT functioning with reactive management; Processes are informal or only implied; Informal incident or problem management
Standardized: Formal security policies; Unified directory infrastructure for access and messaging; Robust monitoring and more proactive resolution of issues; Formal helpdesk and incident management process

IT and Security Process Content Guide Security Process Risk Assessment, Incident Response, and Data Security Security Policies Risk Assessment Quantitative Risk Assessment Qualitative Risk Assessment Data Security Incident Response Reactive Approach Proactive Approach Improving End-User Support Services Record and Service Incidents Manage Service Requests

Identity and Access Management: Moving from Standardized to Rationalized
Standardized: Active Directory for authentication; Security templates applied to standard images; Desktops not controlled by group policy
Rationalized: Directory tools for central administration of desktops and servers configuration and security; Information protection infrastructure is in place; Active Directory group policy and security templates used to manage desktops for security and settings

Identity and Access Management Content Guide Centralized Directory-Based Configuration and Security Configuration Enforcement in Group Policy Group Policy Implementation Group Policy Management Group Policy and Active Directory Group Policy in Windows Vista Key concepts for Group Policy Group Policy Object Editor Configure Group Policy settings Configuration Monitoring Tools Assess Current State Define Configuration Items (CI) Audit Real Configuration against CI Remediate deviations

Desktop, Device and Server Management: Moving from Standardized to Rationalized
Standardized: Automated patch management; Defined set of standard images; Desktop image strategy in place that includes antivirus, management tools, line of business applications; Consistent plan to manage operating systems; Monitoring present for most critical servers; Mobile device provisioning; Security policy provisioning for mobile devices; Remote wipe and policy enforcement for mobile devices
Rationalized: Primary desktop operating system is Vista or XP SP2; Automated software distribution and automated asset management and tracking; Patch management solution for servers; Layered image strategy; Consistent plan to manage operating system; SLA monitoring of mission-critical servers

Desktop, Server & Device Management Content Guide Automated Operating System Distribution App Inventory and Compatibility Building Images Infrastructure Remediation Packaging Applications User State Migration Desktop Hardening Automated Tracking of Hardware and Software for Desktops Asset Inventory System Status Application Deployment and Usage Security Patch Management OS Deployment Latest Two OS Versions and Service Packs on Desktops Reasons to Move to two latest versions of the OS Web Security Wired and Wireless Network Support Data Protection and Recovery Integrated Firewall HAL-Independence Automated Deployment Drive Encryption

Desktop, Server & Device Management Content Guide Latest Versions of Microsoft Office on Desktops Migration Planning Group Policy Management Enhancing Security Office Deployment Compatibility Testing and Certification of Software Distributions Application Inventory Compatibility Remediation Building Test Environment Application Compatibility Testing Patch Management for Servers Assess Deploy Identify Evaluate and Plan Guaranteed Secure Communications with Mobile Devices Authentication

Desktop, Server & Device Management Content Guide Access to Web Applications Using WAP or HTTP for Mobile Devices Standardizing Devices Web-based Applications Internet Access Using WAP Server Consolidation and Virtualization Hardware Independence Deployment Software Independence Operations Management Planning Infrastructure Reduction Layered Imaging for Desktops Thick and Thin Images Maintenance Layered Images Deployment Time Flexibility

Links & Resources Web site Blog Other Sessions at MMS 2007: SM20 Implementing Core Infrastructure Optimization: The Implementer Resource Guides

Your potential. Our passion. Thank you for attending this TechNet Event. Find these slides at: