White Paper How to Achieve Enterprise-Wide Compliance Taking Configuration Manager
How to Achieve Enterprise-Wide Compliance with System Center Configuration Manager 2007
Taking Configuration Manager Beyond Windows Clients and Servers

Written by Don Jones
Co-Founder, Concentrated Technology
Microsoft MVP

White Paper

© 2009 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information, protected by copyright. No part of this document may be reproduced or transmitted for any purpose other than the reader's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS
All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: info@quest.com
Please refer to our Web site (www.quest.com) for regional and international office information.

Updated—February 25, 2009
WPW-SCCM-1_Compliance-US-AG

CONTENTS
INTRODUCTION
CONFIGURATION MANAGER AND COMPLIANCE CHALLENGES
  MAINTAINING THE LATEST PATCH LEVELS
    Service Packs
    Software Patches
  INVENTORY HELPS COMPLIANCE
    Software Inventory
    Hardware Inventory
  DID YOU REMEMBER YOUR LICENSES?
EXTENDING CONFIGURATION MANAGER TO NON-WINDOWS SYSTEMS
  THE GENIUS IS IN THE ARCHITECTURE
    Supported Non-Windows Systems
  AMPLIFYING CONFIGURATION MANAGER’S CAPABILITIES
    No Changes to Configuration Manager Infrastructure for Mixed Mode Environments
  RESPECTING YOUR BOUNDARIES
CONFIGURATION MANAGER + QMX: MANY SYSTEMS, ONE CONSOLE, FULL COMPLIANCE
ABOUT THE AUTHOR
ABOUT QUEST SOFTWARE, INC.
  CONTACTING QUEST SOFTWARE
  CONTACTING QUEST SUPPORT

INTRODUCTION

You know how difficult compliance can be—whether you’re dealing with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), the Payment Card Industry’s Data Security Standard (PCI DSS), Basel II, COBIT/COSO, European privacy laws or any of the other numerous legislative and industry rules for security and privacy.
Microsoft’s System Center Configuration Manager 2007 (Configuration Manager), the successor to Systems Management Server 2003 (SMS), goes a long way toward helping you achieve, maintain, and prove compliance. Configuration Manager’s major features can even help you maintain compliance with rules you may not have realized you were subject to! However, Configuration Manager’s primary focus is on computers running Microsoft’s Windows operating system. That’s fantastic if every computer and device in your environment is running a version of Windows, but most of today’s enterprises are meeting their business needs by using a mix of operating systems, applications, clients and devices—not to mention network and hardware components. When Linux, Mac OS X, Unix, VMware ESX and other operating systems enter the mix, your Configuration Manager investment can’t be maximized. Or can it?

The fact is that Configuration Manager has the perfect infrastructure for helping you manage change, configuration and system updates across all of your systems, both Windows and non-Windows, as well as for enabling you to achieve, maintain and prove compliance across all of the operating systems in your environment. And it can do so in a way that respects distributed systems management teams, individual administrator requirements and much more! The key is extending Configuration Manager’s capabilities to non-Windows systems through Quest Management Xtensions - Configuration Manager 2007 Edition (QMX).

CONFIGURATION MANAGER AND COMPLIANCE CHALLENGES

A lot of administrators think of Configuration Manager as mainly a software distribution and management tool—sort of a grown-up version of the IntelliMirror software distribution technology that’s built into Microsoft’s Active Directory. And in fact, Configuration Manager does do a great job of software distribution.
But if you take a look at the common requirements of HIPAA, SOX, GLB, PCI DSS, COBIT/COSO, Basel II and other compliance mandates, you’ll find that Configuration Manager can provide a greater level of value.

Maintaining the Latest Patch Levels

While we’re at it, let’s talk about software distribution capability, because it’s definitely a major aspect of ensuring you achieve or maintain compliance. Every major compliance effort focuses primarily on the security and/or privacy of specific types of data:

• For HIPAA, it’s healthcare information.
• In GLB, it’s financial customer information.
• In PCI DSS, it’s cardholder information.
• For SOX, it’s corporate financial data.
• For Basel II, it’s banking laws and regulations.
• For COBIT/COSO, it’s information technology.

Only PCI DSS—being a fairly technical-level set of requirements—explicitly mentions keeping software up to date with the latest patches, but the other rules are commonly interpreted to have that requirement, too. After all, unpatched software is insecure software. And “software” in this context doesn’t just refer to operating systems! It means any software that is used to store, transmit, view, output, transform, manage, protect or audit any data that’s of concern to the specific compliance effort. In a typical environment, you’d be looking at database server software, office productivity software like Microsoft Office, line-of-business software (both commercial and internally developed), and much more.

Service Packs

Configuration Manager’s software distribution capabilities can help. Configuration Manager is far more versatile than using only Windows Software Update Services (WSUS) and other operating system-level patch distribution mechanisms, and offers greater granularity and reporting than Active Directory’s IntelliMirror Group Policy-based software distribution.
Configuration Manager can easily target software patches to specific computers, keep track of which computers have received their patches and produce management reports detailing the status of any given patch distribution. Shown here, for example, is a report listing operating systems and service packs. It shows an administrator or an auditor exactly how many systems exist with a given operating system and what service pack level each one is using.

Figure 1. Auditors require reports on all operating system versions and service pack levels.

Software Patches

Of course, patch distribution is about more than just service packs, and Configuration Manager is equally adept at pushing out patches for in-house software, database server software and any other software you may have. Reports like the one below show you the status of software and patch distributions, so you can see which systems have succeeded and which have failed.

Figure 2. To stay in compliance, you need to know the status of software and patch updates.

If you have Configuration Manager in your environment, you already have these capabilities for your Windows-based systems. What you need is the ability to extend them across your non-Windows systems.

Inventory Helps Compliance

Software Inventory

Maintaining compliance is a delicate and difficult task. For example, an extra background service (or daemon, in non-Windows terms) shows up on a server that contains sensitive information. Should you be concerned? Absolutely: that service may compromise your ability to remain compliant. At the very least, it needs to be investigated, its compliance impact evaluated, and if it’s going to stay on the machine, then it needs to be documented and maintained. In essence, any configuration change to a computer that contains sensitive data is of concern to compliance officers and auditors.
Fortunately, Configuration Manager lets you easily review the services running on any Windows computer, and even other software applications installed on any Windows computer. If those capabilities could be extended to non-Windows systems, as illustrated below, you’d be that much closer to gaining full enterprise-wide compliance through a single, integrated management and reporting paradigm.

Figure 3. Compliance requires a detailed software inventory.

Hardware Inventory

Even hardware inventory can impact your compliance posture. Perhaps a missing memory module isn’t crucial for compliance, but a missing hard drive is definitely of concern, especially in computers that store sensitive data. Missing hardware can have subtle effects. For example, suppose you’ve installed special network adapters that encrypt their communications using IP Security protocols. If one of those adapters is replaced with a normal, non-encrypting adapter, you may be out of compliance—and since the computer continues operating, you might not realize it. Configuration Manager, however, can spot hardware inventory changes and help you easily identify those changes in its management reports.

Figure 4. A hardware inventory that identifies changes is critical for compliance.

Again, however, Configuration Manager natively delivers these capabilities only for your Windows computers. But if you could enable Configuration Manager to display this information for all of your non-Windows systems as well, you’d be able to view critical compliance information via a single management console.

Did You Remember Your Licenses?

While being in compliance with software licensing agreements is not specifically addressed by most common compliance measures, it is still important to your business.
In fact, maintaining the necessary software licenses is mandated by law; it could be considered one of the oldest “compliance efforts” the IT industry has had to deal with. Companies have been fined hundreds of thousands of dollars for illegally running unlicensed software. Configuration Manager helps here, too, both through software inventory (which tells you what’s installed) and through software metering (which helps track what’s actually running). But metering software on Windows-based systems isn’t enough; you need to keep track of what’s running on your non-Windows systems, too.

Figure 5. Identifying exactly what software is installed is critical to license compliance.

EXTENDING CONFIGURATION MANAGER TO NON-WINDOWS SYSTEMS

We’ve seen that Configuration Manager can make a positive contribution to your compliance efforts, but only on Windows systems. Now let’s address that burning question: what about everything else? We need to extend those capabilities to non-Windows systems, and that’s what Quest Management Xtensions - Configuration Manager 2007 Edition (QMX) is designed to deliver.

The Genius is in the Architecture

One of the true beauties of Configuration Manager lies in its architecture, which is fairly vendor-agnostic by design. Computers, after all, are computers; they’re all comprised of the same basic components in hardware and software. Logically, you can think of Configuration Manager as having two distinct parts: the back-end infrastructure, including its databases, distribution points, and so forth; and the client pieces, which send inventory information, implement software metering and so forth. The back-end is the part that’s vendor-agnostic, while Microsoft provides client pieces that run on various versions of the Windows operating system.
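Added example, not code from this white paper, Quest or Microsoft: a small Python check that applies the compliance reasoning of the Software Inventory and Hardware Inventory sections above to two constructed inventory snapshots of one host, flagging the cases those sections describe (a new daemon on a sensitive server, a missing disk, an encrypting adapter swapped for an ordinary one, and a lost patch). The snapshot layout and every service, disk, adapter and patch name are assumptions, not Configuration Manager’s schema.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One inventory snapshot of a host. Constructed layout, not Configuration Manager's schema."""
    services: frozenset   # running services/daemons
    disks: frozenset      # disk device names
    nics: dict            # adapter name -> adapter description
    patches: frozenset    # installed patch identifiers


@dataclass
class Finding:
    severity: str   # "high" (likely compliance impact) or "review" (investigate and document)
    detail: str


def diff_inventory(old: Snapshot, new: Snapshot, sensitive: bool) -> list:
    """Compare two snapshots of the same host and classify the changes an auditor would ask about."""
    findings = []
    # A service (daemon) that appeared on a host holding sensitive data must be investigated,
    # then either removed or documented and maintained.
    for svc in sorted(new.services - old.services):
        findings.append(Finding("high" if sensitive else "review", f"new service: {svc}"))
    # A disk that disappeared is a concern wherever sensitive data may have been stored on it.
    for disk in sorted(old.disks - new.disks):
        findings.append(Finding("high" if sensitive else "review", f"missing disk: {disk}"))
    # An encrypting (IPsec) adapter swapped for an ordinary one silently removes a control;
    # the host keeps running, so only an inventory comparison reveals it.
    for name, old_desc in old.nics.items():
        new_desc = new.nics.get(name)
        if new_desc is None:
            findings.append(Finding("review", f"adapter removed: {name}"))
        elif "IPsec" in old_desc and "IPsec" not in new_desc:
            findings.append(Finding("high", f"encrypting adapter {name} replaced by: {new_desc}"))
    # A patch present before but absent now points at a rollback or rebuild that lost patch level.
    for patch in sorted(old.patches - new.patches):
        findings.append(Finding("high", f"patch no longer present: {patch}"))
    return findings


# Constructed sample snapshots of one database server that holds regulated data.
BASELINE = Snapshot(
    services=frozenset({"sshd", "postgresql"}),
    disks=frozenset({"sda", "sdb"}),
    nics={"eth0": "IPsec offload adapter"},
    patches=frozenset({"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"}),
)
OBSERVED = Snapshot(
    services=frozenset({"sshd", "postgresql", "telnetd"}),   # an unexpected daemon appeared
    disks=frozenset({"sda"}),                                # sdb is gone
    nics={"eth0": "generic gigabit adapter"},                # encrypting NIC replaced
    patches=frozenset({"PATCH-EXAMPLE-1"}),                  # one patch missing
)


def report(old: Snapshot, new: Snapshot, sensitive: bool = True) -> list:
    """Return (severity, detail) tuples, highest severity first, for a management report."""
    findings = diff_inventory(old, new, sensitive)
    order = {"high": 0, "review": 1}
    return [(f.severity, f.detail) for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for severity, detail in report(BASELINE, OBSERVED):
        print(f"[{severity}] {detail}")
```

Running it prints four high-severity findings for the constructed host; an unchanged snapshot produces none.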
Supported Non-Windows Systems

QMX extends Configuration Manager by providing equivalent client agents for a variety of non-Microsoft systems, including the following:

• Red Hat
• SUSE
• IBM / AIX
• Sun Solaris
• HP-UX
• Macintosh OS X
• VMware ESX Server
• Asianux
• CentOS

Figure 6. QMX provides information on non-Windows operating systems.

Each of these operating systems is supported by a variety of version levels. Older versions can be supported through a set of no-install-required, agentless extensions from Quest called QMX for Device Management, which can also provide support for additional Linux builds and for hundreds of network devices. Obviously, the capabilities of the agentless extensions are more limited: they can’t do software metering, for example, but they can capture hardware and software inventory across the entire environment.

Amplifying Configuration Manager’s Capabilities

By increasing the number of systems that can report data to Configuration Manager, you’re expanding the product’s reach in your enterprise—and truly maximizing your investment. QMX also adds extensions to Configuration Manager’s management user interface (UI) through a Microsoft Management Console (MMC) snap-in that is installed on the administrator’s console. These extensions help the UI recognize non-Windows inventory and other data, add parallel capabilities for non-Windows systems and even allow you to remotely place non-Windows systems under Configuration Manager’s management purview through a secure, intelligent system.

Figure 7. Console Extensions provides right-click menus, wizards, property pages, collections and queries to create a seamless management console for all systems.
No Changes to Configuration Manager Infrastructure for Mixed Mode Environments

The great thing about this approach is that no changes are made to the Configuration Manager infrastructure for mixed mode environments. No schema changes in the database. No new server types. If your existing Configuration Manager infrastructure can support the load of your additional non-Windows systems, then you’re ready to go. You can leverage that investment with no incremental cost in the back-end. QMX for Configuration Manager also supports Native Mode environments through the use of a Management Point Proxy to deliver SSL-based secure communications.

Your Configuration Manager administrators need no additional training, have no additional learning curve, require no additional tools and can work within your existing management processes. You’re simply extending those processes to include all of your computers. Even more important is that you eliminate the effort and risk created by having to maintain admin rights for multiple tools and consoles.

Respecting Your Boundaries

It’s no secret that administrators of non-Windows systems aren’t always eager to give up control to their Windows-based colleagues. Fortunately, QMX doesn’t ask anyone to give up control. Unix, Linux, VMware ESX and Mac administrators continue to administer their own machines in the same ways they always have. Let’s emphasize that: Unix, Linux, VMware ESX and Mac administrators lose no control, change none of their processes and grant no administrative access on their systems to Windows administrators. Instead, by installing the QMX software on these non-Windows systems, you’re simply enabling hardware and software inventory, gaining the option for software metering and enabling an additional method of software package distribution. You’re not shutting off any existing management processes unless you choose to do so.
Unix administrators, for example, can continue to deploy their patches the old-fashioned, manual way if that’s what they want to do (not that their management team will agree with this continuation of manual effort); Configuration Manager will still be able to inventory applications and patches, and reflect the update in its management reports.

Of course, because QMX extends so many Configuration Manager features to non-Windows systems, your administrators may decide they want to take advantage of more Configuration Manager capabilities. For example, one difficult aspect of compliance in a mixed environment is making sure that desktop computers remain properly configured. Windows-based systems are remotely accessible via Configuration Manager features, but what about, for example, Mac systems? QMX enables a variety of context-based remote access techniques, including SSH, and (for Macs) support for standard VNC viewers such as RealVNC, so administrators can remotely control, review and correct desktop configuration settings.

Figure 8. QMX enables a variety of remote access techniques so administrators can remotely manage desktop settings.

The reality is that QMX for Configuration Manager enables Unix, Linux and Mac administrators to handle much more critical computing aspects in their respective environments, not less-critical management tasks.

Figure 9. Secure remote control of Mac systems allows administrators to review and modify configuration settings.

CONFIGURATION MANAGER + QMX: MANY SYSTEMS, ONE CONSOLE, FULL COMPLIANCE

With System Center Configuration Manager and QMX, you can bring the benefits of Configuration Manager to Unix, Linux, Mac and VMware ESX systems—without changing the other ways in which those systems are administered.
You can use a consolidated set of processes for achieving, maintaining and proving compliance, while still preserving the independent administration of your non-Windows systems. You can get further return from your Configuration Manager infrastructure and skills investment, allowing you to solve challenging business problems like compliance in a consistent fashion across your enterprise.

For more information about all Quest System Center solutions that extend the power of Configuration Manager, visit http://www.quest.com/system-center/changeConfigurationuration.aspx. At the site, you can also learn about similar capabilities Quest provides for Systems Management Server 2003 deployments.

ABOUT THE AUTHOR

Don Jones is a co-founder of Concentrated Technology (ConcentratedTech.com). His consulting practice specializes in making the connection between technology and business, helping businesses realize more value from their IT investment, and helping IT align more closely to business needs and values. Don is also a Microsoft “Most Valuable Professional” (MVP) Award recipient, and the author of more than 30 books on information technology. He has been an IT journalist for more than eight years, and is currently a contributing editor for Microsoft TechNet Magazine. Don is a sought-after speaker at industry conferences and symposia, including Connections conferences, Microsoft TechEd and TechMentor events.

ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc., a two-time winner of Microsoft’s Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments.
Quest also provides customers with client management through its ScriptLogic subsidiary and server virtualization management through its Vizioncore subsidiary. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest’s Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:

• Quickly find thousands of solutions (Knowledgebase articles/documents).
• Download patches and upgrades.
• Seek help from a Support engineer.
• Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf