White Paper How to Achieve Enterprise-Wide Compliance Taking Configuration Manager

How to Achieve Enterprise-Wide Compliance
with System Center Configuration Manager 2007
Taking Configuration Manager
Beyond Windows Clients and Servers
Written by
Don Jones
Co-Founder, Concentrated Technology
Microsoft MVP
White Paper
© 2009 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information, protected by copyright. No part of
this document may be reproduced or transmitted for any purpose other than the
reader's personal use without the written permission of Quest Software, Inc.
WARRANTY
The information contained in this document is subject to change without notice.
Quest Software makes no warranty of any kind with respect to this information.
QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software
shall not be liable for any direct, indirect, incidental, consequential, or other
damage alleged in connection with the furnishing or use of this information.
TRADEMARKS
All trademarks and registered trademarks used in this guide are property of their
respective owners.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: [email protected]
Please refer to our Web site (www.quest.com) for regional and international office
information.
Updated—February 25, 2009
WPW-SCCM-1_Compliance-US-AG
CONTENTS
INTRODUCTION .......................................................................................... 1
CONFIGURATION MANAGER AND COMPLIANCE CHALLENGES ..................... 2
MAINTAINING THE LATEST PATCH LEVELS .............................................................. 2
Service Packs ......................................................................................... 3
Software Patches .................................................................................... 4
INVENTORY HELPS COMPLIANCE ......................................................................... 5
Software Inventory.................................................................................. 5
Hardware Inventory................................................................................. 6
DID YOU REMEMBER YOUR LICENSES? ................................................................. 7
EXTENDING CONFIGURATION MANAGER TO NON-WINDOWS SYSTEMS...... 8
THE GENIUS IS IN THE ARCHITECTURE ................................................................. 8
Supported Non-Windows Systems ............................................................. 8
AMPLIFYING CONFIGURATION MANAGER’S CAPABILITIES .......................................... 10
No Changes to Configuration Manager Infrastructure for Mixed Mode
Environments ....................................................................................... 11
RESPECTING YOUR BOUNDARIES ...................................................................... 11
CONFIGURATION MANAGER + QMX: MANY SYSTEMS,
ONE CONSOLE, FULL COMPLIANCE ............................................................ 13
ABOUT THE AUTHOR ................................................................................. 14
ABOUT QUEST SOFTWARE, INC. ................................................................ 15
CONTACTING QUEST SOFTWARE ....................................................................... 15
CONTACTING QUEST SUPPORT ......................................................................... 15
i
White Paper
INTRODUCTION
You know how difficult compliance can be—whether you’re dealing with the Health
Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB),
Sarbanes-Oxley (SOX), the Payment Card Industry’s Data Security Standard (PCI
DSS), Basel II, CORBIT/COSO, European privacy laws or any of the other numerous
legislative and industry rules for security and privacy.
Microsoft’s System Center Configuration Manager 2007 (Configuration Manager),
the successor to Systems Management Server 2003 (SMS), goes a long way toward
helping you achieve, maintain, and prove compliance. Configuration Manager’s
major features can even help you maintain compliance with rules you may not have
realized you were subject to!
However, Configuration Manager’s primary focus is on computers running
Microsoft’s Windows operating system. That’s fantastic if every computer and
device in your environment is running a version of Windows, but most of today’s
enterprises are meeting their business needs by using a mix of operating systems,
applications, clients and devices—not to mention network and hardware
components. When Linux, Mac OS X, Unix, VMware ESX and other operating
systems enter the mix, your Configuration Manager investment can’t be maximized.
Or can it?
The fact is that Configuration Manager has the perfect infrastructure for helping you
manage change, configuration and system updates across all of your systems, both
Windows and non-Windows, as well as for enabling you to achieve, maintain and
prove compliance across all of the operating systems in your environment. And it
can do so in a way that respects distributed systems management teams, individual
administrator requirements and much more! The key is extending Configuration
Manager’s capabilities to non-Windows systems through Quest Management
Xtensions - Configuration Manager 2007 Edition (QMX).
1
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
CONFIGURATION MANAGER AND COMPLIANCE
CHALLENGES
A lot of administrators think of Configuration Manager as mainly a software
distribution and management tool—sort of a grown-up version of the IntelliMirror
software distribution technology that’s built into Microsoft’s Active Directory. And in
fact, Configuration Manager does do a great job of software distribution. But if you
take a look at the common requirements of HIPAA, SOX, GLB, PCI DSS,
COBIT/COSO, Basel II and other compliance mandates, you’ll find that
Configuration Manager can provide a greater level of value.
Maintaining the Latest Patch Levels
While we’re at it, let’s talk about software distribution capability, because it’s
definitely a major aspect to ensuring you achieve or maintain compliance. Every
major compliance effort focuses primarily on the security and/or privacy of specific
types of data:
•
For HIPAA, it’s healthcare information.
•
In GLB, it’s financial customer information.
•
In PCI DSS, it’s cardholder information.
•
For SOX, it’s corporate financial data.
•
For Basel II, it’s banking laws and regulations.
•
For COBIT/COSO, it’s information technology.
Only PCI DSS—being a fairly technical-level set of requirements—explicitly
mentions keeping software up to date with the latest patches, but the other rules
are commonly interpreted to have that requirement, too. After all, unpatched
software is insecure software. And “software” in this context doesn’t just refer to
operating systems! It means any software that is used to store, transmit, view,
output, transform, manage, protect or audit any data that’s of concern to the
specific compliance effort. In a typical environment, you’d be looking at database
server software, office productivity software like Microsoft Office, line-of-business
software (both commercial and internally developed), and much more.
2
White Paper
Service Packs
Configuration Manager’s software distribution capabilities can help. Configuration
Manager is far more versatile than using only Windows Software Update Services
(WSUS) and other operating system-level patch distribution mechanisms, and
offers greater granularity and reporting than Active Directory’s IntelliMirror Group
Policy-based software distribution. Configuration Manager can easily target software
patches to specific computers, keep track of which computers have received their
patches and produce management reports detailing the status of any given patch
distribution. Shown here, for example, is a report listing operating systems and
service packs. It shows an administrator or an auditor exactly how many systems
exist with a given operating system and what service pack level each one is using.
Figure 1. Auditors require reports on all operating system versions and service
pack levels.
3
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
Software Patches
Of course, patch distribution is about more than just service packs, and
Configuration Manager is equally adept at pushing out patches for in-house
software, database server software and any other software you may have. Reports
like the one below show you the status of a software and patch distributions, so you
can see which systems have succeeded and failed.
Figure 2. To stay in compliance, you need to know the status of software and
patch updates.
If you have Configuration Manager in your environment, you already have these
capabilities for your Windows-based systems. What you need is the ability to
extend them across your non-Windows systems.
4
White Paper
Inventory Helps Compliance
Software Inventory
Maintaining compliance is a delicate and difficult task. For example, an extra
background service (or daemon, in non-Windows terms) shows up on a server that
contains sensitive information. Should you be concerned? Absolutely: that service
may compromise your ability to remain compliant. At the very least, it needs to be
investigated, its compliance impact evaluated, and if it’s going to stay on the
machine, then it needs to be documented and maintained. In essence, any
configuration change to a computer that contains sensitive data is of concern to
compliance officers and auditors.
Fortunately, Configuration Manager lets you easily review the services running on
any Windows computer, and even other software applications installed on any
Windows computer. If those capabilities could be extended to non-Windows
systems, as illustrated below, you’d be that much closer to gaining full enterprisewide compliance through a single, integrated management and reporting paradigm.
Figure 3. Compliance requires a detailed software inventory.
5
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
Hardware Inventory
Even hardware inventory can impact your compliance posture. Perhaps a missing
memory module isn’t crucial for compliance, but a missing hard drive is definitely of
concern, especially in computers that store sensitive data. Missing hardware can
have subtle effects. For example, suppose you’ve installed special network adapters
that encrypt their communications using IP Security protocols. If one of those
adapters is replaced with a normal, non-encrypting adapter, you may be out of
compliance—and since the computer continues operating, you might not realize it.
Configuration Manager, however, can spot hardware inventory changes and help
you easily identify those changes in its management reports.
Figure 4. A hardware inventory that identifies changes is critical for compliance.
Again, however, Configuration Manager natively delivers these capabilities only for
your Windows computers. But if you could enable Configuration Manager to display
this information for all of your non-Windows systems as well, you’d be able to view
critical compliance information via a single management console.
6
White Paper
Did You Remember Your Licenses?
While being in compliance with software licensing agreements is not specifically
addressed by most common compliance measures, it is still important to your
business. In fact, maintaining the necessary software licenses is mandated by law;
it could be considered one of the oldest “compliance efforts” the IT industry has had
to deal with. Companies have been fined hundreds of thousands of dollars for
illegally running unlicensed software. Configuration Manager helps here, too, both
through software inventory (which tells you what’s installed) and through software
metering (which helps track what’s actually running). But metering software on
Windows-based systems isn’t enough; you need to keep track of what’s running on
your non-Windows systems, too.
Figure 5. Identifying exactly what software is installed is critical to license
compliance.
7
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
EXTENDING CONFIGURATION MANAGER TO
NON-WINDOWS SYSTEMS
We’ve seen that Configuration Manager can make a positive contribution to your
compliance efforts, but only on Windows systems. Now let’s address that burning
question: what about everything else? We need to extend those capabilities to nonWindows systems, and that’s what Quest Management Xtensions - Configuration
Manager 2007 Edition (QMX) is designed to deliver.
The Genius is in the Architecture
One of the true beauties of Configuration Manager lies in its architecture, which is
fairly vendor-agnostic by design. Computers, after all, are computers; they’re all
comprised of the same basic components in hardware and software. Logically, you
can think of Configuration Manager as having two distinct parts: the back-end
infrastructure, including its databases, distribution points, and so forth; and the
client pieces, which send inventory information, implement software metering and
so forth. The back-end is the part that’s vendor-agnostic, while Microsoft provides
client pieces that run on various versions of the Windows operating system.
Supported Non-Windows Systems
QMX extends Configuration Manager by providing equivalent client agents for a
variety of non-Microsoft systems, including the following:
8
•
Red Hat
•
SUSE
•
IBM / AIX
•
Sun Solaris
•
HP-UX
•
Macintosh OS X
•
VMware ESX Server
•
Asianux
•
CentOS
White Paper
Figure 6. QMX provides information on non-Windows operating systems.
Each of these operating systems is supported by a variety of version levels. Older
versions can be supported through a set of no-install-required, agentless extensions
from Quest called QMX for Device Management, which can also provide support for
additional Linux builds and for hundreds of network devices. Obviously, the
capabilities of the agentless extensions are more limited: they can’t do software
metering, for example, but they can capture hardware and software inventory
across the entire environment.
9
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
Amplifying Configuration Manager’s Capabilities
By increasing the number of systems that can report data to Configuration
Manager, you’re expanding the product’s reach in your enterprise—and truly
maximizing your investment. QMX also adds extensions to Configuration Manager’s
management user interface (UI) through a Microsoft Management Console (MMC)
snap-in that is installed on the administrator’s console. These extensions help the
UI recognize non-Windows inventory and other data, add parallel capabilities for
non-Windows systems and even allow you to remotely place non-Windows systems
under Configuration Manager’s management purview through a secure, intelligent
system.
Figure 7. Console Extensions provides right-click menus, wizards, property pages,
collections and queries to create a seamless management console for all systems.
10
White Paper
No Changes to Configuration Manager Infrastructure for
Mixed Mode Environments
The great thing about this approach is that no changes are made to the
Configuration Manager infrastructure for mixed mode environments. No schema
changes in the database. No new server types. If your existing Configuration
Manager infrastructure can support the load of your additional non-Windows
systems, then you’re ready to go. You can leverage that investment with no
incremental cost in the back-end. QMX for Configuration Manager also supports
Native Mode environments through the use of a Management Point Proxy to deliver
SSL-based secure communications.
Your Configuration Manager administrators need no additional training, have no
additional learning curve, require no additional tools and can work within your
existing management processes. You’re simply extending those processes to
include all of your computers. Even more important is that you eliminate the effort
and risk created by having to maintain admin rights for multiple tools and consoles.
Respecting Your Boundaries
It’s no secret that administrators of non-Windows systems aren’t always eager to
give up control to their Windows-based colleagues. Fortunately, QMX doesn’t ask
anyone to give up control. Unix, Linux, VMware ESX and Mac administrators
continue to administer their own machines in the same ways they always have.
Let’s emphasize that:
Unix, Linux, VMware ESX and Mac administrators lose no control,
change none of their processes and grant
no administrative access on their systems to Windows administrators.
Instead, by installing the QMX software on these non-Windows systems, you’re
simply enabling hardware and software inventory, gaining the option for software
metering and enabling an additional method of software package distribution.
You’re not shutting off any existing management processes unless you choose to do
so. Unix administrators, for example, can continue to deploy their patches the oldfashioned, manual way if that’s what they want to do (not that their management
team will agree with this continuation of manual effort); Configuration Manager will
still be able to inventory applications and patches, and reflect the update in its
management reports.
11
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
Of course, because QMX extends so many Configuration Manager features to nonWindows systems, your administrators may decide they want to take advantage of
more Configuration Manager capabilities. For example, one difficult aspect of
compliance in a mixed environment is making sure that desktop computers remain
properly configured. Windows-based systems are remotely accessible via
Configuration Manager features, but what about, for example, Mac systems? QMX
enables a variety of contextual-based remote access techniques, including SSH, and
(for Macs) support for standard VNC viewers such as RealVNC, so administrators
can remotely control, review and correct desktop configuration settings.
Figure 8. Caption QMX enables a variety of remote access techniques so
administrators can remotely manage desktop settings.
The reality is that QMX for Configuration Manager enables Unix, Linux and Mac
administrators to handle much more critical computing aspects in their respective
environments, not less-critical management tasks.
12
White Paper
Figure 9. Secure remote control of Mac systems allows administrators to review
and modify configuration settings.
CONFIGURATION MANAGER + QMX: MANY
SYSTEMS, ONE CONSOLE, FULL COMPLIANCE
With System Center Configuration Manager and QMX, you can bring the benefits of
Configuration Manager to Unix, Linux, Mac and VMware ESX systems—without
changing the other ways in which those systems are administered. You can use a
consolidated set of processes for achieving, maintaining and proving compliance,
while still preserving the independent administration of your non-Windows systems.
You can get further return from your Configuration Manager infrastructure and skills
investment, allowing you to solve challenging business problems like compliance in
a consistent fashion across your enterprise.
For more information about all Quest System Center solutions that extend the power
of Configuration Manager, visit http://www.quest.com/system-center/changeConfigurationuration.aspx. At the site, you can also learn about similar capabilities
Quest provides for Systems Management Server 2003 deployments.
13
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
ABOUT THE AUTHOR
Don Jones is a co-founder of Concentrated Technology (ConcentratedTech.com).
His consulting practice specializes in making the connection between technology
and business, helping businesses realize more value from their IT investment, and
helping IT align more closely to business needs and values. Don is also a Microsoft
“Most Valuable Professional” (MVP) Award recipient, and the author of more than
30 books on information technology. He has been an IT journalist for more than
eight years, and is currently a contributing editor for Microsoft TechNet Magazine.
Don is a sought-after speaker at industry conferences and symposia, including
Connections conferences, Microsoft TechEd and TechMentor events.
14
White Paper
ABOUT QUEST SOFTWARE, INC.
Quest Software, Inc., a two-time winner of Microsoft’s Global Independent Software
Vendor Partner of the Year award, delivers innovative products that help
organizations get more performance and productivity from their applications,
databases Windows infrastructure and virtual environments. Quest also provides
customers with client management through its ScriptLogic subsidiary and server
virtualization management through its Vizioncore subsidiary. Through a deep
expertise in IT operations and a continued focus on what works best, Quest helps
more than 100,000 customers worldwide meet higher expectations for enterprise
IT. Quest’s Windows management solutions simplify, automate secure and extend
Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows
Server as well as integrating Unix, Linux and Java into the managed environment.
Quest Software can be found in offices around the globe and at www.quest.com.
Contacting Quest Software
Phone:
949.754.8000 (United States and Canada)
Email:
[email protected]
Mail:
Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site:
www.quest.com
Please refer to our Web site for regional and international office information.
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product
or who have purchased a commercial version and have a valid maintenance
contract. Quest Support provides around the clock coverage with SupportLink, our
web self-service. Visit SupportLink at http://support.quest.com
From SupportLink, you can do the following:
•
•
•
•
Quickly find thousands of solutions (Knowledgebase articles/documents).
Download patches and upgrades.
Seek help from a Support engineer.
Log and update your case, and check its status.
View the Global Support Guide for a detailed explanation of support programs,
online services, contact information, and policy and procedures. The guide is
available at: http://support.quest.com/pdfs/Global Support Guide.pdf
15