1 / 29

Welcome

Welcome. Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet. Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/

hector-carpenter
Download Presentation

Welcome

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Welcome

  2. Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet • Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/ • Get involved in local Microsoft Technology user groups – let me know if you’re interested. • Just launched Technet Ireland www.Microsoft.com/ireland/technet • Great event line up next year!

  3. Agenda • 9:30 Setting the scene – IOI • 9:45 Active Directory and IPSec • 11.00 Tea / Coffee • 11:15 MOM • 12:30 Lunch

  4. Value Creation Maintenance & Delivery A Crisis Of Complexity

  5. Solving The Challenge:Infrastructure Optimization

  6. The IOM Journey frees resources and provides the foundation for organizational agility Managed and consolidated IT Infrastructure with maximum automation Fully automated management, dynamic resource Usage , business linked SLA’s Managed IT Infrastructure with limited automation Uncoordinated, manual infrastructure More Efficient Cost Center Business Enabler Strategic Asset Cost Center * Based on the Gartner IT Maturity Model

  7. Technology View of Model

  8. Technology View of ModelOne Example Security, Networking & Monitoring LimitedInfrastructure Lack of standardized security measures Ad hock management of system configuration Limited to no monitoring of infrastructure Automated patch management (WU, Update Services, SMS) Edge firewall with lock-down configuration Standardized antivirus solution Firewall enabled on laptops New systems limited to those supported by IT Defined set of standard basic images Defense-in-depth security measures widely deployed Anti-malware protection (i.e. spyware, bots, rootkits, etc.) Firewall enabled on desktops, laptops & servers Secure wireless networking Service level monitoring on desktops IPSec used to isolate critical systems Automated, central management of: Security updates for both clients & servers Application compatibility testing Client & server firewall mitigations Application and image deployment Server operations Reference image system Security event correlation

  9. Technology View of ModelOne Example Desktop Lifecycle • Primary desktop OS is WinXP with images defined at corporate level • Reference Image managed manually • Automated software distribution, management and tracking • Zero touch upgrade and install • Application certification and compatibility testing • Automated reference image system connected to OEM partner • Automated patch management extended to servers • Automated application compatibility testing • Defined set of standard basic images • Multiple desktop OS’ still exist at department level • Automated patch management (WU, SUS, SMS) • Light touch upgrade and install • Departmental application testing • No standard OS image • All desktops are unique after deployment • Inconsistent patch management • Manually deploying and upgrading systems with DVDs or CDs • Limited or ad hoc application testing

  10. Technology View of ModelOne Example Secure Manageable Messaging Unified directory infrastructure for access and messaging Block SPAM at gateway and mailbox store Server anti-virus that uses multiple scanning engines Monitor messaging server health Running any version of Exchange Secure web-based e-mail access Use an application-layer firewall to pre-authenticate web mail users before they reach the mailbox server Security of mobile devices including remote reset and remote wipe Detect potential service outages and receive alerts in advance

  11. Technology View of ModelOne Example Data Protection & Recovery • Local user data stored randomly and not backed up to network • Any backup happens locally • No user state migration available for deployment • Standards for local storage in “My Docs” but not redirected or backed up • Any backup happens at workgroup level • Backup/restore on critical servers • Some automation of user state migration available for deployment • Users store data to “My Docs” and synched to server • Backup managed at company level • Backup/restore of all servers with SLAs • User state is preserved and restored for deployment • Self managed backup and restore on all servers and desktop data with SLAs

  12. Technology View of ModelOne Example Identity & Access Management • Active Directory for Authentication and Authorization • Users have access to admin mode • Security templates applied to standard images • Desktops not controlled by group policy • Active Directory group policy and Security templates used to manage desktops for security and settings • Desktops are tightly managed • No server-based identity or access management • Users operate in admin mode • Limited or inconsistent use of passwords at the desktop • Minimal enterprise access standards • Centrally manage users provisioning across heterogeneous systems

  13. Translating IOI into action Garrett Wallis - Microsoft Consulting Services, Ireland

  14. Know what you have

  15. Measure impact of change Point Solutions Integration Standards Based Common Tools Strategically Aligned Exception Management Core Applications Server SAP Dev File Print Messaging Web Client Messaging SAP Antivirus Remote Control Office Internet FileNET Utilities Suppor t Management Security File\Print\Fax Servers Platform Server Single Manufacturer Certified Installs Standard Build Managed Client Single Manufacturer Gold Build Version Control Other devices (PDA, mobile, etc.) File\Print\Fax Servers Domain NetworkServices DHCP etc. Authentication AD, SSO, etc NameServices DNS, WINS Replication Network WAN LAN RAS Internet

  16. AD Forest, Domain and OU Design Common Practices/Tips and Tricks

  17. Forest/Domain Design • Majority of Active Directory Forests being implemented are single forest/single domain • separate development/pre-production forests • Multiple NT4 production domains collapsed into single domain • Significant impact on administration – centralised (some delegation of tasks) • Tip: Always start from single forest/single domain when planning • Try to avoid non-technical influences • Tip: Two things that “negatively affect” AD • Bad replication design • Bad Group Policies

  18. OU Design • OU creation based on • Delegation of Administration • Application of GPO’s • Increasing use of security/WMI filtering of GPO’s • Choice of 3 basic models reflect • Resources • Geography • BU Structure • Tip: use a top level OU • Tip: moving objects between OU’s affects • GPOs applied • Scripts • Tip: Naming Conventions

  19. Demo • Different OU Strategies

  20. GPO’s • Minimum should be • Domain and Security policies • Automatic updates • Windows Firewall • Remote Desktop/Remote Assistance/Remote Control • Internet Explorer configuration • Restricted Groups • Office ADM’s • Tip: Take as much configuration out of the standard build process into Group Policy as possible • Tip: netstat –ano • Tip: Disable unused portions of GPO’s • Tip: Naming Conventions • Link: Group Policy Settings Reference for Windows Server 2003 with Service Pack 1

  21. Demo • Group Policy application, and using security filtering in GPMC

  22. IPSec • What’s it about? • Ensure only managed/known devices communicate with each other • IPSec or 802.1x? • Gathering momentum with Networking teams – take control of the options! • What’s achievable in standard environments? • Domain Isolation (full or partial) • Server Isolation in Isolated Domain • What is an IPSec Policy • Filters to identify machines and protocols/ports • Actions to taken when traffic matches a filter • Tip: Mandatory - Ensure that core domain traffic - Domain Controllers, WINS, DNS, DHCP etc. etc. is filtered out and always allowed • Tip: Keep it simple, get comfortable • Link: IEEE 802.1X for Wired Networks and Internet Protocol Security with Microsoft Windows

  23. Demo • IPSec • Domain Isolation • Server isolation (if time permits)

  24. Coffee Break

  25. MOM • Why MOM (from a field perspective?) • Always asked “What should we monitor in AD, or Exchange, or SQL?” • Answer – what MOM monitors • Knowledge driven – intended to supply the resolution with the problem • SO easy to integrate with other management tools • Dell OpenManage Server Administrator, HP Insight Manager • SLA evidence (Reporting) • Why implement a mission critical environment without MOM? • It isn’t expensive • Tip: Check for MP’s regularly • Tip: MOM on SQL SP4 gotchas

  26. Demo • MOM install (ish!!) • MP import, including Dell, HP • Agent deployment • Reporting • Create a Management Pack! • Link: MOM 2005 Resource Kit

  27. For a single server deployment of MOM 2005 • Install Base OS - Windows Server 2003 Standard with SP1 • Install IIS and ASP.NET (Add Remove Programs...Windows Components...Etc.) • Get updates (WSUS, SMS, Microsoft Update, other...) • Create MOM and SQL Service Accounts, appropriate permissions and rights • Install SQL Server 2000 (default installation, but specify DB path) • Install SQL 2000 SP3a (SQL 2000 SP4 gotcha - KB902803) • Install SQL 2000 Reporting Services (SQL Reporting Services SP2 gotcha too - KB902804) • Install MOM Server - Check Prerequisites • Install MOM Reporting - Check Prerequisites • Install SQL 2000 Server SP 4 • Install SQL 2000 Reporting Services Service Pack 2

  28. Additional Links • Service overview and network port requirements for the Windows Server system - http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 • MOM Management Packs - http://www.microsoft.com/management/mma/catalog.aspx • Windows Server System Reference Architecture - http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx • Windows XP Security Guide - http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx • Windows Server 2003 Security Guide - http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx • What's New in Windows Server 2003 R2 - http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx

  29. Stay Connected with Microsoft Ireland http://www.microsoft.com/ireland/technet • Stay connected by signing up for the new Irish TechNet Newsletter here: http://www.microsoft.com/ireland/technet/technetflash/ • Get involved in local Microsoft Technology user groups – let me know if you’re interested. • Just launched Technet Ireland www.Microsoft.com/ireland/technet • Great event line up next year!

More Related