Buying an HDTV is probably a lot like deciding on your change management process.
It starts out pretty much the same: You spec out the right hardware and look at all of the pixel and contrast ratios. You get the approval to purchase and, in your mind, you're done. But when you get home, you come to the stark realization that the picture is not quite as clear as it looked in the store. You tirelessly spend the next 48 hours tweaking the configuration settings to make them just right for you.
It's a similar story when you purchase a new server -- you have a mountain of configurations that need to occur. The real problem is that, more often than not, configuration changes can be the bearer of bad news because they weren't ever standardized.
The following framework should help you manage your configuration changes and maintain standardization:
Identify critical configurations
Perhaps the biggest problems with configuration management are understanding the scope and what to include and what not to include. With so many available configurations and settings, most organizations find it difficult or even impossible to incorporate all of them into their change control process.
The idea here is not to take on the whole enchilada at once if you don't have to. Work with the key individuals at all levels of your organization to define the settings that should never be changed -- or at least those that shouldn't be changed without management approval. Once you have these settings, include them as part of the change management process by documenting the current value and requiring appropriate documentation and approvals before any changes are made.
Simple, right? Just don't forget to keep your configuration management process current with new technology.
Take password configurations, for example. By this point, most organizations have included the domain password policy as part of their change managemen
To continue reading for free, register below or login
To read more you must become a member of SearchWinIT.com
t process. If you want to change passwords from a minimum of six characters to nine characters, you would have to go through the formal process -- especially because any audit would quickly reveal any discrepancies.
However, in Windows Server 2008 Active Directory, you now have the ability to configure Fine-Grained Password Policies, or FGPP, which allows for the creation of multiple password policies within a single domain. Keep this in mind because you will most likely need to include it in your configuration management with a full 2008 deployment.
Leverage available tools
Organizations of all sizes struggle with maintaining consistent configurations across servers. Here, the change control process can go only so far -- it isn't likely to bridge the human error gap.
If you can't deploy those configuration standards consistently, then you are about to experience a significant breakdown -- no matter how well you document the changes and their approvals. At this point, people are really going to lose faith in your process.
Even though you are left almost completely in the dark -- or have become reliant on third parties to help -- with some configurations, like with FGPP where there isn't even a UI, don't give up hope. Windows Server 2008 does help administrators deliver a consistent configuration with the following tools:
Audit, audit, audit
A well-defined audit to ensure operational compliance with the approved configurations will be the icing on your change control process. This doesn't have to be anything fancy. If your password length has been approved at a minimum length of eight characters, all of your domain and local policies should be set accordingly.
However, the difficulties grow in two dimensions -- with the number of servers and with the number of other items on your to-do list. The only way to be successful is with automation.
There are many ways to automate the process -- from a variety of GPO management tools to some simple ADSI or WMI commands. If you have the luxury of deploying Microsoft System Center Configuration Manager, you really need to check out Desired Configuration Management. This application allows a Windows shop to establish an approved configuration and automatically audit compliance.
As you push forward to establish the appropriate configuration settings, automate the configuration/implementation and complete the loop with the appropriate audit or monitoring of your key configurations. That will help ensure the success of your configuration management process.
Russell Olsen is the CIO of a Healthcare Technology company and previously worked for a Big Four accounting firm performing technology risk assessments and Sarbanes-Oxley audits. Olsen is a CISA, GSN and MCP.
