IST Managed Workstations – What does “Managed” Mean?

Introduction

This document was created to help identify what we do to customize and secure the operating system for management, and what we mean when we say a workstation is managed. The hope is that by reading it, people whose computers run Windows 2000 or Windows XP but are not our build or in our Active Directory may be able to benefit from our experience. These Microsoft operating systems, as they come out of the box, are not very secure or conveniently configured. They do however have many capabilities one can take advantage of to bring them up to corporate standards. Below is a summary of some of the lessons learned and references to help guide you if you manage a Windows-based PC.


If you prefer a more hands-on approach to see exactly what steps have been applied to an Academic Support Workstation, please see:

·        Changes Applied to a Managed ADS Workstation and

·        How to Configure Your PC to Academic Support Standards

What does “Managed” Mean?

When a PC is first built, some assumptions are made when installing the operating system and applications. (See the “Assumptions” section below.) Next there are decisions to be made about how best to set up, control, update and enhance the system. Hardware changes require physical access. Software changes can often be automated, done locally by a local administrator, or done remotely if set up correctly. Exactly what this means is best explained by listing examples of what is managed at UW. Here are some examples:


Category / Service

Security

·        Operating system updates: It is critical that someone or something makes sure this happens.

·        Antivirus software and updates: This is also crucial to any system on a network.

·        Application updates: This includes patches and new functionality with version upgrades and application service packs.

·        Access control: This is mostly security based, but there may be other reasons to restrict access.

·        File sharing: Protocols have been established based on past experience.

Efficiency

·        Network access (optimized): There is more to networking than just hooking things up. Things may work but may be “slow”.

·        Operating System Policies and Setup: The way an operating system comes “out of a box” is anything but ideal.

·        Printer access: Printer sharing and authentication may need to be defined.

·        Driver updates: As with applications, hardware drivers develop problems and new drivers are released.

Reliability

·        Make PCs generic for easy replacement: For instance, store critical data elsewhere in case local hardware breaks.

·        Event log management: Catch the problems before they become critical.

·        Backup: If local data needs to be backed up, a strategy needs to be adopted.


Imaged Workstations

Workstation imaging procedures, and operating systems, have evolved to allow us to make most hardware running Windows XP look the same. This not only allows computers that break to be easily replaced with minimal impact on our clients, but gives us a common base on which to make modifications, domain wide, as deemed necessary. In addition, it provides our clients with a far more stable, trustworthy environment and gives administrators time to focus on tools and distribution methods that were not previously possible. It is not necessary to run an imaged system to take advantage of many of our managed procedures, but it does help reduce unknowns that could adversely affect a workstation’s functionality.


Notebooks (Laptops and Tablets) versus Desktop Computers

There are fewer differences now between notebook and desktop computers than there were a few years ago. Replacing the operating system that came with the notebook with a predictable, secure, easily replaceable image has become less of a concern than it was, but it does mean replacing the vendor-added management tools with the Microsoft ones. Windows XP is far more portable-aware than previous versions of the OS and has many extensions not visible or needed on a desktop. Vendor tools are however superior and not easy to give up.


We do not recommend replacing the operating system on a notebook with the IST image. Instead, a set of routines has been developed to bring this vendor OS to a “managed” state and into the ADS domain. Details of what is available can be found at:

            Managed Notebooks at UW


Tablets run a different version of Windows XP called Windows XP Tablet Edition that is a superset of Windows XP Professional. The reference above also deals with this version of the OS.


To see a table of known differences between a notebook and a desktop computer, follow the link to:

            Laptops versus Desktops (a table)

A document that identifies some of the main differences faced by notebook users compared with desktop users exists at:

Setting up a Notebook versus a Desktop

Assumptions

Best practices have evolved in Academic Support that allow us to automate what we can across all of our managed workstations. To best accomplish this, the following assumptions have been made:


Obviously it can be a challenge to find the right balance between usability and security; otherwise all clients would simply insist on being administrator at all times. We have enough experience now to know that properly delegated control can be very effective with the least inconvenience to the computer’s everyday use.

Tools of Management

Active Directory

The primary tool we use to manage our clients’ PCs is Microsoft Active Directory, but it is not the exclusive tool. In a nutshell, Active Directory lets us apply changes to a collection of computers as easily as a local administrator might apply the same changes to just one.

Its main features are as follows:

·        By virtue of joining an Active Directory-enabled domain, local administrative rights are granted to appropriate administrative staff.

·        Client PCs are divided into Organizational Units (OUs), or containers, similar in structure to the University departmental structure. These give us the ability to treat each container differently in terms of how they are managed.

·        Delegation of Control is defined to selective groups by OU. This allows us to assign responsibility where it belongs. It also gives the clients the freedom to do as-much-or-as-little management as they wish.

·        Policies are applied either at appropriate OU levels, or locally on the computers themselves. The effect is the same as if they were all locally applied.

·        Software is deployed using this Active Directory as well. Again, this is not much different from installing it locally as administrator, except that it can be done to groups of computers at a time.

Other Tools

Other services available to all at UW include:

·        a central Antivirus Server (actually several) to deliver the newest antivirus updates ( http://ist.uwaterloo.ca/ps/services/antivirus.html )

·        and central SUS (Software Update Service) servers to deliver operating system patches. ( http://www.istiis.uwaterloo.ca/sus )
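As an added illustration (not part of the original IST document), the following read-only PowerShell audit reports whether a workstation carries the managed settings described above: Active Directory domain membership, a SUS/WSUS update-server policy, Automatic Updates, a running antivirus service, and adequately sized event logs. The SUS server URL, the antivirus service name and the minimum log size are placeholders and assumptions; the registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are the standard Windows Update client policy keys.

```powershell
# Added example (not from the original IST document): a read-only audit of the
# "managed" settings this page describes. Assumed values are marked below.
$ExpectedSusServer = 'http://SUS-SERVER-PLACEHOLDER'  # placeholder: your site's SUS/WSUS URL
$AvServiceName     = 'Symantec AntiVirus'             # assumed service name; adjust for your AV product
$MinLogKilobytes   = 16384                            # assumed minimum event log size (16 MB)

function New-CheckResult($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-ManagedWorkstation {
    $results = @()

    # 1. Active Directory: a workstation that is not domain-joined receives no OU policies.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results += New-CheckResult 'Domain joined' $cs.PartOfDomain $cs.Domain

    # 2. SUS/WSUS: the client reads its update server from the WindowsUpdate policy key.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $results += New-CheckResult 'SUS server policy' ($wu.WUServer -eq $ExpectedSusServer) $wu.WUServer

    # 3. Automatic Updates: AUOptions 3 = download and notify, 4 = download and install on schedule.
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $results += New-CheckResult 'Automatic Updates enabled' (@(3, 4) -contains $au.AUOptions) "AUOptions=$($au.AUOptions)"

    # 4. Antivirus: the managed client runs as a service, which must exist and be running.
    $svc = Get-Service -Name $AvServiceName -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { $svc.Status } else { 'service not found' }
    $results += New-CheckResult 'Antivirus service running' ($svc -and $svc.Status -eq 'Running') $svcDetail

    # 5. Event log management: undersized logs wrap before anyone can catch a problem.
    foreach ($name in 'Application', 'Security', 'System') {
        $log = Get-EventLog -List | Where-Object { $_.Log -eq $name }
        $results += New-CheckResult "$name log >= $MinLogKilobytes KB" ($log.MaximumKilobytes -ge $MinLogKilobytes) "$($log.MaximumKilobytes) KB"
    }
    return $results
}

# One line per check; a non-zero exit code flags the workstation as not fully managed.
$report = Test-ManagedWorkstation
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it in an elevated Windows PowerShell session on the workstation being checked; the exit code makes it usable from a login script or a central collection job.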


Details of Services provided to IST Imaged and Fully Managed workstations

Much of our management experience has been documented in a variety of locations, and is quickly summarized in the table below. Our challenge now is to extend the services we can to people managing their own computers. This is a much more difficult task than it seems, and in many ways it means returning to the world we came from. Let’s start by identifying the services and how they are provided:

Method                                Service

Installed via the Sysprep’d Image     Licensed Application Install
                                      Free Applications Install
                                      Hardware Drivers
                                      OS Configuration Policies and Setup
                                      Application Configuration Policies and Setup
                                      Network Configuration and Setup

At Workstation Deployment             Install Printer Queues for all users
                                      DHCP
                                      Delivery of Pre-tested Complete System

SUS Server delivery                   OS Updates (Service Packs)
                                      OS (tested) patches

Active Directory                      Application Updates (Service Packs)
                                      Application (tested) patches
                                      Hardware Driver Patches
                                      Security Policies
                                      Scheduled Software Deployment
                                      Printer Access
                                      Connect Network Shares
                                      Roaming Profiles
                                      Folder Redirection

Manually at the Workstation           BIOS Updates

Symantec Antivirus Server             Virus Protection (Managed)

Collected by Management Server        Software Usage Reports
                                      Auditing
                                      Software Metering
                                      Hardware Inventory
                                      Asset and Configuration Control
                                      Software Inventory

Active Directory/WMI/Remote Desktop   Remote Hard Disk Management
                                      Event Log Management

The first section, called “Installed via the Sysprep’d Image”, refers to how the bulk of the workstation is built. It includes the operating system and the applications, but more importantly it covers the customizations requested by our Academic Support clients for security and efficiency reasons. A lengthy document of all the changes IST applies to create a custom Windows XP image is detailed at: How to Configure Your PC to Academic Support Standards.


The “Active Directory” section above refers to automated routines that have been put in place to finish the install once an Academic Support workstation is joined to the Active Directory domain.

Implications of joining ADS can be found at:

            Implications of Joining ADS

Exact details of the policies applied to an ADS “Managed” Academic Support workstation can be found at:

            Changes Applied to a Managed ADS Workstation.


Details of How and Why our Management works

We said above, in the Introduction and Assumptions sections, that we base our management on having administrative access to the computer in question, but also on knowing what to expect when we get there. Client-managed computers are all set up differently. We likely don’t have administrative access to any of them, and we won’t completely know the effects of our scripted installs until they happen. This is the reality we faced, times 1000, for most of the Academic Support computers we were asked to manage. Having them mostly the same now, which included upgrading many of them to more capable hardware, means that a much more specialized team of people can reach out and do much more than ever before. First, let’s cover a few diverse aspects of management:

Advantages of a Predictable Build


Proactive versus reactive services include:


Advantage of an Active Directory


Support to be offered via Documentation


…TO BE CONTINUED…



Document created by Manfred Grisebach, Last modified March 30th 2005