One of the major causes of network problems—from security vulnerabilities to system crashes—is improper configuration. This is true whether your organization has 20 computers or 20,000, but it is especially vexing in the enterprise environment, because tracking down and fixing bad configurations can be like searching for the proverbial needle in the haystack.
As Windows operating systems have grown more and more complex, the likelihood of improper configurations occurring has increased. Without some sort of automated control, it is almost guaranteed that your network administrators and IT personnel will spend a significant amount of their time troubleshooting configuration issues. One intriguing solution is Configuresoft’s Enterprise Configuration Manager (ECM) software, which is designed to automate the configuration monitoring and management process. At Microsoft’s TechEd 2003 conference held in Dallas in June, Configuresoft introduced version 4.5 of ECM, which adds a "self-healing" capability: when a configuration setting has drifted from a specified standard, ECM can reset it to that standard with no human intervention required. In this article, I’ll examine why you need configuration management tools and how this latest version of ECM can do more for your enterprise-level network.
The need for configuration management tools
The search for the perfect configuration can be tedious and time consuming. The problem is that after countless hours and money have been spent in testing and tweaking, IT personnel (and sometimes users) can make changes that negate all that work. In an enterprise environment, systems are usually deployed using an image that contains the optimal settings, but configuration "drift" occurs when changes are made after installation.
IT management is about control, and the first step in controlling the configuration of hundreds or thousands of computers is to establish policies. However, policies are no good without a means to enforce them. Microsoft has addressed this control issue to some degree in Windows 2000 and Windows Server 2003 by building in Group Policy, which can prevent users from changing various aspects of the environment. However, in very large networks, various IT personnel hold rights that let them change settings Group Policy does not lock down, and you might want to control settings for which there is no Group Policy template at all. You also need a way to measure whether, and to what extent, systems actually comply with the policy.
In today’s security-conscious world, it is especially important to be able to prove that security-related configurations are in compliance with policies and regulations (for example, HIPAA rules governing the health-care industry).
ECM: What it does and how it works
There are already a number of management tools available, such as Tivoli from IBM and OpenView from Hewlett-Packard. These tools provide the ability to monitor network systems and gather data about those systems. According to Configuresoft, ECM is not intended to compete with those products, but to work in conjunction with them. ECM focuses on configuration details, collecting up to 40,000 data points for every NT and Windows 2000 workstation or server (and, with version 4.5, Windows Server 2003 as well) in the organization.
With version 4.5, you can even gather configuration data from the other side of a firewall, because ECM can use HTTP for communications (a port must be opened on the firewall for the HTTP listener; restrict it to the collector’s address rather than opening it to everyone). Agent software is installed on the computers from which you want to collect data, and the data sent between the agents and ECM is encrypted with the Advanced Encryption Standard (AES) algorithm. The agent can be installed manually, or you can use the Auto-Discovery feature to automate the installation. Auto-Discovery uses the network’s master browser list to discover computers, so machines that don’t appear in the browse list (for example, because they don’t announce themselves to the Computer Browser service) won’t be found automatically. You can set rules specifying on which machines to install the agent (based on operating system, domain membership, description text, naming, etc.). The agent doesn’t run as a service; it stays inactive until the "collector" software on the ECM server contacts it over DCOM. Because DCOM rides on RPC (TCP port 135 plus dynamically assigned ports), it does not pass through firewalls easily, which is why the HTTP option matters.
You first specify the configuration settings that you want to enforce in a compliance template. Then when ECM detects that a server or workstation has been changed and is no longer in compliance with the template, it can both report the noncompliance and automatically reconfigure the computer to bring it back into compliance.
Previous versions of ECM reported deviations from your baseline configuration but did not repair them. The "self-healing" capabilities of version 4.5 make it a significant upgrade.
This is done with the Compliance Manager, one of several modules that ECM calls "action and analysis" modules. The Compliance Manager checks a host of different configuration settings: whether services that should be running are (such as your antivirus program), whether services that shouldn’t be running aren’t (such as the Web service), registry settings, security policies, software version numbers and patch/service pack levels, permissions, group memberships, and more. It can also check the configurations of popular server applications such as SQL Server, Exchange, and IIS.
Your template designates the values that you expect—for example, a particular service set to start automatically. When you do a compliance scan, values that match the expected ones will be indicated with green checkmarks, while those that don’t match (not in compliance) will be marked with red exclamation points. A single scan can show the results for thousands of settings on thousands of machines, or you can run it for only selected settings/machines. This data can be filtered or viewed as a pivot table to make it easier to analyze the results.
The first time you collect data, it might take a while, because the software has to perform a "full discovery." Subsequent collections, however, are "delta" collections that send the changes only over the network, not the entire data set. This decreases the time required and the impact on system and network performance.
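The full-discovery-then-delta pattern described above, as an added example written for this article rather than code from Configuresoft or ECM. It collects one illustrative data point per Windows service (start mode and state), stores the last snapshot in a JSON file under $env:TEMP (an assumption, not something the article describes), and on later runs emits only the keys that were added, changed or removed instead of the whole data set.

```powershell
# Added example, not Configuresoft's code: a collector that sends everything on
# the first run ("full discovery") and only what changed on later runs ("delta").
# Assumptions not taken from the article: the data points collected (one per
# service: start mode and state) and the state file in $env:TEMP are illustrative.

function Get-ConfigSnapshot {
    # Key = service name, value = "StartMode/State", e.g. "Auto/Running"
    $snap = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $snap[$svc.Name] = '{0}/{1}' -f $svc.StartMode, $svc.State
    }
    $snap
}

function Get-ConfigDelta {
    param([hashtable]$Previous, [hashtable]$Current)
    # Only the differences cross the network: new keys, changed values, vanished keys
    $delta = @{ Added = @{}; Changed = @{}; Removed = @() }
    foreach ($k in $Current.Keys) {
        if (-not $Previous.ContainsKey($k)) {
            $delta.Added[$k] = $Current[$k]
        } elseif ($Previous[$k] -ne $Current[$k]) {
            $delta.Changed[$k] = @{ Old = $Previous[$k]; New = $Current[$k] }
        }
    }
    foreach ($k in $Previous.Keys) {
        if (-not $Current.ContainsKey($k)) { $delta.Removed += $k }
    }
    $delta
}

$StateFile = Join-Path $env:TEMP 'ecm-example-last-snapshot.json'
$current   = Get-ConfigSnapshot

if (-not (Test-Path $StateFile)) {
    # First run: full discovery, every data point goes to the collector
    $payload = @{ Type = 'Full'; Count = $current.Count; Data = $current }
} else {
    # Rebuild the previous snapshot hashtable from the saved JSON
    $previous = @{}
    foreach ($p in (Get-Content $StateFile -Raw | ConvertFrom-Json).PSObject.Properties) {
        $previous[$p.Name] = $p.Value
    }
    $delta   = Get-ConfigDelta -Previous $previous -Current $current
    $payload = @{
        Type  = 'Delta'
        Count = $delta.Added.Count + $delta.Changed.Count + $delta.Removed.Count
        Data  = $delta
    }
}

$current | ConvertTo-Json | Set-Content -Path $StateFile     # remember this run
$payload | ConvertTo-Json -Depth 5                           # what would go on the wire
```

Run it twice: the first run prints a Full payload with one entry per service; stop or start a service in between and the second run prints a Delta payload containing only that service. The Count field is what makes the bandwidth saving visible.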
Another optional module, the Security Update Manager, tracks the security bulletins that Microsoft releases. It can notify administrators of new bulletins, scan the managed computers to find which ones are missing the corresponding patches, and let you deploy those patches with the click of a button.
Ease and flexibility of administration
You can create groups of machines to which the same rules will be applied, and the rules can be constructed in "if/then" format ("if Service A is installed, then it should be set to start manually," for example). However, this doesn’t mean IT personnel have to spend hundreds of hours creating templates. ECM includes a set of predefined templates that are designed to comply with the Microsoft Security Operations Guidelines and the SANS "Securing Windows" guides. There are also included templates that define industry-accepted best practices for Exchange, IIS, and SQL. If you need to change the standard templates, or if you do need to create your own custom templates, there are wizards to guide you through the process.
Although the self-healing feature sounds impressive, you might be a little skeptical about trusting a program to automatically change things, especially at first. Never fear; you have the choice of automatically enforcing compliance or reviewing ECM’s report and performing enforcement manually.
Compliance scans can be done in three modes: Read Only, Manual Enforcement, or Automatic Enforcement. Read Only mode reports to you the differences between expected and actual values based on your templates, but does not make any changes.
In Manual Enforcement mode, after you analyze the results of the scan, you can choose the changes you want to make and apply them easily and quickly by clicking the Enforce button.
With Automatic Enforcement, ECM detects noncompliant configurations and self-heals them, reconfiguring the machines to match the template settings. The good news is that you can automate the enforcement of some settings and enforce others manually, giving you optimum flexibility to maintain as much control as you want or to gradually relinquish control to the software as you become more familiar with its operation.
The ECM Reports module lets you view or print detailed reports of your configuration information and also lets you create custom reports using wizards. ECM uses the popular Crystal Reports engine. There have been some compatibility problems between Crystal Reports and Windows Server 2003/IIS 6.0, but a fix is reported to be in the works.
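The compliance template with "if/then" rules described under Ease and flexibility of administration, and the Read Only, Manual and Automatic scan modes described above, as one added PowerShell example written for this article; it is not Configuresoft’s code and ECM’s actual template format is not shown in the article. The rule schema, the choice of services and the registry key HKLM:\SOFTWARE\Example\Policy are assumptions made for illustration. The per-rule AutoEnforce flag models the mix described above: in Automatic mode only rules marked for self-healing are fixed without asking, and the rest are confirmed by the administrator.

```powershell
# Added example, not Configuresoft's code: a compliance template with "if/then"
# rules and the Read Only / Manual / Automatic scan modes the article describes.
# Assumptions not taken from the article: the rule schema below, the choice of
# services, and the registry key HKLM:\SOFTWARE\Example\Policy (hypothetical).
# Run in an elevated PowerShell session; enforcement changes live settings.

# One rule = a setting, its expected value, how to read it, how to set it, and
# whether it may be self-healed. A rule with a Condition is an if/then rule:
# "if the service is installed, then it should be set to start manually".
$Template = @(
    @{  Name        = 'Antivirus (Windows Defender) service running'
        Condition   = { Get-Service -Name WinDefend -ErrorAction SilentlyContinue }
        Expected    = 'Running'
        Get         = { (Get-Service -Name WinDefend).Status.ToString() }
        Set         = { Start-Service -Name WinDefend }
        AutoEnforce = $true },
    @{  Name        = 'Web service (W3SVC) not running'
        Condition   = { Get-Service -Name W3SVC -ErrorAction SilentlyContinue }
        Expected    = 'Stopped'
        Get         = { (Get-Service -Name W3SVC).Status.ToString() }
        Set         = { Stop-Service -Name W3SVC -Force }
        AutoEnforce = $false },   # stopping a web server is left to a human
    @{  Name        = 'If Remote Registry is installed, its start type is Manual'
        Condition   = { Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue }
        Expected    = 'Manual'
        Get         = { (Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'").StartMode }
        Set         = { Set-Service -Name RemoteRegistry -StartupType Manual }
        AutoEnforce = $true },
    @{  Name        = 'Hypothetical policy flag Enforced = 1 (assumed key)'
        Expected    = 1
        Get         = { (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Example\Policy' -Name Enforced -ErrorAction Stop).Enforced }
        Set         = { New-Item -Path 'HKLM:\SOFTWARE\Example\Policy' -Force | Out-Null
                        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Example\Policy' -Name Enforced -Value 1 -Type DWord }
        AutoEnforce = $true }
)

function Invoke-ComplianceScan {
    param([array]$Template)
    foreach ($rule in $Template) {
        # An if/then rule whose condition is false does not apply to this machine
        $applies = -not $rule.Condition -or (& $rule.Condition)
        if (-not $applies) {
            $actual = 'n/a'; $ok = $true; $status = 'Not applicable'
        } else {
            try   { $actual = & $rule.Get }
            catch { $actual = $null }            # unreadable (e.g. missing key) counts as a deviation
            $ok     = ($null -ne $actual) -and ($actual -eq $rule.Expected)
            $status = if ($ok) { 'OK' } else { 'DEVIATION' }   # the green check / red exclamation
        }
        [pscustomobject]@{ Rule = $rule.Name; Expected = $rule.Expected; Actual = $actual; Compliant = $ok; Status = $status }
    }
}

function Invoke-ComplianceEnforcement {
    param(
        [array]$Template,
        [ValidateSet('ReadOnly', 'Manual', 'Automatic')] [string]$Mode = 'ReadOnly'
    )
    $results = @(Invoke-ComplianceScan -Template $Template)
    foreach ($r in $results | Where-Object { -not $_.Compliant }) {
        if ($Mode -eq 'ReadOnly') { continue }        # report only, touch nothing
        $rule = $Template | Where-Object { $_.Name -eq $r.Rule }
        # Automatic mode self-heals only rules marked AutoEnforce; everything else,
        # and every rule in Manual mode, is confirmed by the administrator first.
        $auto = ($Mode -eq 'Automatic') -and $rule.AutoEnforce
        if (-not $auto) {
            $answer = Read-Host "Enforce '$($r.Rule)' ($($r.Actual) -> $($r.Expected))? [y/N]"
            if ($answer -ne 'y') { continue }
        }
        try   { & $rule.Set; $r.Status = 'ENFORCED' }
        catch { $r.Status = "ENFORCE FAILED: $($_.Exception.Message)" }
    }
    $results
}

# Read Only: a compliance report, nothing changed
Invoke-ComplianceEnforcement -Template $Template -Mode ReadOnly |
    Format-Table Rule, Expected, Actual, Status -AutoSize

# Automatic: self-heal the AutoEnforce rules, ask before touching the rest
# Invoke-ComplianceEnforcement -Template $Template -Mode Automatic | Format-Table -AutoSize
```

Start with ReadOnly, as the article recommends, and read the DEVIATION rows before switching a rule to AutoEnforce; an enforcement that fails (for example because a protected service refuses to start) is reported rather than silently retried.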
In a large enterprise environment, a big issue is controlling who is allowed to perform important administrative tasks that have the potential to wreak havoc on the network. Certainly, administration of powerful management software such as ECM is such a task. To address this concern, ECM includes support for role-based administration.
Role-based security is a hot feature today, with Windows Server 2003 leading the way through its new Authorization Manager tool. With role-based security, you can define user roles based on the functions that particular persons need to perform, and assign permissions to those roles. ECM provides for role assignment within the software so you can delegate access to its configuration data and allow specific administrators access to specific data and tasks. For example, you might assign certain administrators the ability to perform configuration management for only specified machines, or you might allow some administrators to view compliance scan reports, but not allow them to actually implement changes.
What you need to run it
ECM uses a Web browser interface, making it familiar and easy to use without a steep learning curve, and accessible from almost any computer without installing any special software. The interface supports drag-and-drop, right-click, and the usual Windows navigation methods. It does not use ActiveX controls, so it avoids the security issues associated with running downloaded native code in the browser and does not require administrators’ browsers to be configured to permit ActiveX.
The collector server on which ECM is installed needs to have at least 512 MB of RAM, and you’ll need a minimum of 2 GB of free disk space. The collector software runs on Windows NT, 2000, or (v4.5 only) 2003. The agent software will run on NT 4.0 Workstation and Server, Windows 2000 Professional and Server, Windows Server 2003 servers, and Windows XP Professional systems.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.