Welcome
Stay Connected with Microsoft Ireland Stay connected by signing up for the new Irish TechNet Newsletter here: et/technetflash/ et/technetflash/ et/technetflash/ Get involved in local Microsoft Technology user groups – let me know if you’re interested. Just launched Technet Ireland Great event line up next year!
Agenda 9:30 Setting the scene – IOI 9:45 Active Directory and IPSec Tea / Coffee 11:15 MOM 12:30 Lunch
A Crisis Of Complexity ValueCreation Maintenance & Delivery
Solving The Challenge: Infrastructure Optimization
Cost Center Uncoordinated, manual infrastructure More Efficient Cost Center Managed IT Infrastructure with limited automation automation Managed and consolidated IT Infrastructure Infrastructure with maximum automation Fully automated management, dynamic resource Usage, business linked SLA’s Business Enabler Strategic Asset * Based on the Gartner IT Maturity Model The IOM Journey frees resources and provides the foundation for organizational agility
Technology View of Model
Technology View of Model One Example Limited Infrastructure Lack of standardized security measures Ad hock management of system configuration Limited to no monitoring of infrastructure Defense-in-depth security measures widely deployed Anti-malware protection (i.e. spyware, bots, rootkits, etc.) Firewall enabled on desktops, laptops & servers Secure wireless networking Service level monitoring on desktops IPSec used to isolate critical systems Automated patch management (WU, Update Services, SMS) Edge firewall with lock-down configuration Standardized antivirus solution Firewall enabled on laptops New systems limited to those supported by IT Defined set of standard basic images Security updates for both clients & servers Application compatibility testing Client & server firewall mitigations Application and image deployment Server operations Reference image system Security event correlation Security, Networking & Monitoring Automated, central management of:
Technology View of Model One Example Desktop Lifecycle No standard OS image All desktops are unique after deployment Inconsistent patch management Manually deploying and upgrading systems with DVDs or CDs Limited or ad hoc application testing Defined set of standard basic images Multiple desktop OS’ still exist at department level Automated patch management (WU, SUS, SMS) Light touch upgrade and install Departmental application testing Primary desktop OS is WinXP with images defined at corporate level Reference Image managed manually Automated software distribution, management and tracking Zero touch upgrade and install Application certification and compatibility testing Automated reference image system connected to OEM partner Automated patch management extended to servers Automated application compatibility testing
Technology View of Model One Example Running any version of Exchange Secure web- based access Use an application- layer firewall to pre- authenticate web mail users before they reach the mailbox server Unified directory infrastructure for access and messaging Block SPAM at gateway and mailbox store Server anti-virus that uses multiple scanning engines Monitor messaging server health Secure Manageable Messaging Security of mobile devices including remote reset and remote wipe Detect potential service outages and receive alerts in advance
Technology View of Model One Example Data Protection & Recovery Local user data stored randomly and not backed up to network Any backup happens locally No user state migration available for deployment Standards for local storage in “My Docs” but not redirected or backed up Any backup happens at workgroup level Backup/restore on critical servers Some automation of user state migration available for deployment Users store data to “My Docs” and synched to server Backup managed at company level Backup/restore of all servers with SLAs User state is preserved and restored for deployment Self managed backup and restore on all servers and desktop data with SLAs
Technology View of Model One Example Identity & Access Management No server- based identity or access management Users operate in admin mode Limited or inconsistent use of passwords at the desktop Minimal enterprise access standards Active Directory for Authentication and Authorization Users have access to admin mode Security templates applied to standard images Desktops not controlled by group policy Active Directory group policy and Security templates used to manage desktops for security and settings Desktops are tightly managed Centrally manage users provisioning across heterogeneou s systems
Translating IOI into action Garrett Wallis - Microsoft Consulting Services, Ireland
Know what you have
Measure impact of change Network Point Solutions WANLANRASInternet Integration Standards BasedCommon Tools Strategically AlignedException Management Platform File\Print\Fax Servers Server Single Manufacturer Certified Installs Standard Build Managed Client Single Manufacturer Gold Build Version Control Other devices (PDA, mobile, etc.) Domain Core Applications File\Print\Fax Servers Server SAP Dev FilePrint MessagingWeb Client Messaging SAP Antivirus Remote Control OfficeInternet FileNETUtilities SupportSupport ManagementManagement SecuritySecurity Network Services DHCP etc. Authentication AD, SSO, etc Name Services DNS, WINS Replication
AD Forest, Domain and OU Design Common Practices/Tips and Tricks
Forest/Domain Design Majority of Active Directory Forests being implemented are single forest/single domain separate development/pre-production forests Multiple NT4 production domains collapsed into single domain Significant impact on administration – centralised (some delegation of tasks) Tip: Always start from single forest/single domain when planning Try to avoid non-technical influences Tip: Two things that “negatively affect” AD Bad replication design Bad Group Policies
OU Design OU creation based on Delegation of Administration Application of GPO’s Increasing use of security/WMI filtering of GPO’s Choice of 3 basic models reflect Resources Geography BU Structure Tip: use a top level OU Tip: moving objects between OU’s affects GPOs applied Scripts Tip: Naming Conventions
Demo Different OU Strategies
GPO’s Minimum should be Domain and Security policies Automatic updates Windows Firewall Remote Desktop/Remote Assistance/Remote Control Internet Explorer configuration Restricted Groups Office ADM’s Tip: Take as much configuration out of the standard build process into Group Policy as possible Tip: netstat –ano Tip: Disable unused portions of GPO’s Tip: Naming Conventions Link: Group Policy Settings Reference for Windows Server 2003 with Service Pack 1 Group Policy Settings Reference for Windows Server 2003 with Service Pack 1Group Policy Settings Reference for Windows Server 2003 with Service Pack 1
Demo Group Policy application, and using security filtering in GPMC
IPSec What’s it about? Ensure only managed/known devices communicate with each other IPSec or 802.1x? Gathering momentum with Networking teams – take control of the options! What’s achievable in standard environments? Domain Isolation (full or partial) Server Isolation in Isolated Domain What is an IPSec Policy Filters to identify machines and protocols/ports Actions to taken when traffic matches a filter Tip: Mandatory - Ensure that core domain traffic - Domain Controllers, WINS, DNS, DHCP etc. etc. is filtered out and always allowed Tip: Keep it simple, get comfortable Link: IEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft Windows IEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft WindowsIEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft Windows
Demo IPSec Domain Isolation Server isolation (if time permits)
Coffee Break
MOM Why MOM (from a field perspective?) Always asked “What should we monitor in AD, or Exchange, or SQL?” Answer – what MOM monitors Knowledge driven – intended to supply the resolution with the problem SO easy to integrate with other management tools Dell OpenManage Server Administrator, HP Insight Manager SLA evidence (Reporting) Why implement a mission critical environment without MOM? It isn’t expensive Tip: Check for MP’s regularly Tip: MOM on SQL SP4 gotchas
Demo MOM install (ish!!) MP import, including Dell, HP Agent deployment Reporting Create a Management Pack! Link: MOM 2005 Resource Kit MOM 2005 Resource KitMOM 2005 Resource Kit
For a single server deployment of MOM 2005 Install Base OS - Windows Server 2003 Standard with SP1 Install IIS and ASP.NET (Add Remove Programs...Windows Components...Etc.) Get updates (WSUS, SMS, Microsoft Update, other...) Create MOM and SQL Service Accounts, appropriate permissions and rights Install SQL Server 2000 (default installation, but specify DB path) Install SQL 2000 SP3a (SQL 2000 SP4 gotcha - KB902803) Install SQL 2000 Reporting Services (SQL Reporting Services SP2 gotcha too - KB902804) Install MOM Server - Check Prerequisites Install MOM Reporting - Check Prerequisites Install SQL 2000 Server SP 4 Install SQL 2000 Reporting Services Service Pack 2
Additional Links Service overview and network port requirements for the Windows Server system - us; Service overview and network port requirements for the Windows Server system Service overview and network port requirements for the Windows Server system MOM Management Packs - x MOM Management Packs MOM Management Packs Windows Server System Reference Architecture - de/default.mspx Windows Server System Reference Architecture Windows Server System Reference Architecture Windows XP Security Guide - owsxp/secwinxp/default.mspx Windows XP Security Guide Windows XP Security Guide Windows Server 2003 Security Guide - rver2003/w2003hg/sgch00.mspx Windows Server 2003 Security Guide Windows Server 2003 Security Guide What's New in Windows Server 2003 R2 - mspx What's New in Windows Server 2003 R2 What's New in Windows Server 2003 R2
Stay Connected with Microsoft Ireland Stay connected by signing up for the new Irish TechNet Newsletter here: et/technetflash/ et/technetflash/ et/technetflash/ Get involved in local Microsoft Technology user groups – let me know if you’re interested. Just launched Technet Ireland Great event line up next year!