We've all heard the old saying that change is inevitable, except perhaps from vending machines. In the IT world, change isn't just inevitable; it's a constant. A network is somewhat like an ecosystem; changes are being introduced on an ongoing basis, but those changes can easily interact to upset the fragile balance and bring the whole thing crashing to the ground.
Every IT administrator has seen it happen: you install a great new piece of software that's supposed to help users get their work done more easily, and suddenly all the desktop systems are plagued with error messages, hangs or performance slowdowns. Or you reconfigure your server for better security, and no one can access the network resources they need to do their jobs. Or you put in a new firewall, and lose Internet connectivity.
Well-planned and well-documented changes help your network evolve as your business grows, but too many networks "just grow that way," with equipment and configuration changes made without much consideration, often by different people who don't consider the full effects of those changes and don't properly document them for the benefit of those who come after them.
Because change is inevitable, especially as a company and network grow, it's essential that you develop a change and configuration strategy that will work for you, not against you, in the years to come.
It starts with a change management policy
Your goal in managing changes within the IT environment is to ensure that those changes have a positive (or at worst, neutral) effect on the network as a whole. This is more likely to happen if you establish formal change management policies to be followed when any significant modifications are made to the environment (for example, operating system upgrades, reconfiguration of the infrastructure, deployment of new security mechanisms, rollout of new applications, etc.).
The scope of your policy will depend, in part, on the size of your organization, and will change as the company and network grow.
Your policy should address each step of the change implementation process, including review and assessment. It should lay out how and to whom change requests/proposals are to be submitted and require all proposals for major changes to be in writing. There should be a procedure for evaluating the estimated costs (including hidden and indirect costs) of making the change. There should be a requirement for evaluation of security and liability risks that could result from the change. The policy should also make clear who has the authority to propose changes and who has the authority to approve changes at various cost levels.
The policy should also attempt to define what types of changes are exempt from the process. You don't want to burden administrators with a time-consuming process in order to make small changes or emergency changes that are necessary to recover from a natural disaster or to keep the network up and running in the face of a hacker attack. However, you should require that all changes, including temporary ones, be documented.
Building a baseline
Change occurs in relation to a baseline, a known configuration at a set point in time against which variations are measured. Once you've adopted a policy for dealing with changes and established a procedure to be followed when anticipating and implementing changes, you need to establish and document the baseline from which you're starting.
There are numerous software products that can help you do this. These products help you automate the process of creating an inventory of your IT assets — the hardware and software you have running on the network — and existing system configurations, including the patch and update status of each machine.
Some examples include:
- Microsoft Systems Management Server (SMS) 2003, which is part of the Windows Server System family and can be used to inventory software and updates.
- IBM Tivoli, which includes the Configuration Manager component that can create hardware and software inventories and collect configuration information.
- Hewlett-Packard OpenView, which automates configuration discovery and management through its CCM Solutions.
The above products are high-cost, enterprise-level systems management packages that have change management as one of multiple functionalities. Smaller companies don't have the need for all those features and may not be able to afford sophisticated packages. Luckily, Microsoft also provides some free tools that can be helpful in developing your baseline and software inventory:
- Microsoft Baseline Security Analyzer (MBSA) is a free tool that can be downloaded from the Microsoft Web site and used to determine the security configurations of Windows computers (Windows 2000 SP3 and later) and whether security updates have been installed.
- Microsoft Software Inventory Analyzer from Software Asset Management (SAM) can be used to create an inventory of Microsoft products installed throughout the network.
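What measuring variation against a baseline looks like in practice, as an added example that is not part of the original article: the Python code below compares a current inventory against a recorded baseline and flags every difference that has no matching entry in the change log. Host names, item keys, patch identifiers and the record layout are constructed for illustration; the inventories themselves would come from whichever tool collects them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Drift:
    host: str
    item: str
    kind: str                 # "added", "removed" or "changed"
    baseline: Optional[str]   # value recorded in the baseline, if any
    current: Optional[str]    # value observed now, if any
    documented: bool          # True when the change log covers this host/item

def diff_inventory(baseline, current, change_log):
    """Compare {host: {item: value}} maps; change_log is a set of (host, item)."""
    drifts = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host, {}), current.get(host, {})
        for item in sorted(set(old) | set(new)):
            before, after = old.get(item), new.get(item)
            if before == after:
                continue
            kind = "added" if before is None else "removed" if after is None else "changed"
            drifts.append(Drift(host, item, kind, before, after,
                                (host, item) in change_log))
    return drifts

def undocumented(drifts):
    """Differences from the baseline with no change record behind them."""
    return [d for d in drifts if not d.documented]

# Constructed sample data (hypothetical hosts, items and patch ids).
BASELINE = {
    "ws-01": {"os": "Windows 2000 SP3", "app:Office": "10.0",
              "patch:EXAMPLE-001": "installed"},
    "srv-01": {"os": "Windows Server 2003", "patch:EXAMPLE-001": "installed",
               "patch:EXAMPLE-002": "installed"},
}
CURRENT = {
    "ws-01": {"os": "Windows 2000 SP4", "app:Office": "10.0",
              "app:ExampleTool": "1.2", "patch:EXAMPLE-001": "installed"},
    "srv-01": {"os": "Windows Server 2003", "patch:EXAMPLE-001": "installed"},
    "ws-02": {"os": "Windows XP SP2"},   # host absent from the baseline
}
CHANGE_LOG = {("ws-01", "os")}           # the only change that was written up

if __name__ == "__main__":
    for d in diff_inventory(BASELINE, CURRENT, CHANGE_LOG):
        flag = "ok" if d.documented else "UNDOCUMENTED"
        print(f"{flag:12} {d.host:7} {d.item:18} {d.kind:8} {d.baseline} -> {d.current}")
```

A missing patch, an unexpected application and a host that was never baselined all surface as undocumented drift, while the service pack upgrade that was recorded in the change log does not.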
A comprehensive change management solution
In addition to the products mentioned above, there are a number of products devoted to configuration and change management exclusively. Examples include:
- Aldon Lifecycle Manager, which collects information about application configurations and components across multiple platforms.
- Marimba Application Management, OS Management and Configuration Discovery products from BMC Software can track the state and usage of software assets.
When your network is small and so is your budget, you need a less expensive and simpler solution. If your network runs Windows servers, you can use some of the features that are built into Windows 2000 Server and Server 2003 to deploy software changes, control user changes to systems and ensure consistency across the organization:
- You can use Group Policy to prevent users from making configuration changes to their workstations and deploy consistent configuration settings throughout the network.
- You can use the Software Installation component to assign or publish applications to users or computers. This allows you to ensure that specific applications are installed on the computers that need them and to ensure that applications get updated across the organization. It can also be used to install security patches and updates.
- Windows Server Update Services (WSUS) is a free download that runs on Windows 2000 Server or Server 2003 and can be used to push updates and patches to Windows 2000 SP3 and later machines in your organization.
Whether your company is still small or growing into an enterprise-level organization, a good change and configuration management strategy is a vital part of keeping your network healthy, organized and secure. Depending on the size of the company and the budget, there are many options available to help you automate the processes of creating effective policies, establishing baselines and creating an asset inventory, and managing changes on an ongoing basis. These range from tools built into the operating system or free for download to highly sophisticated multifunctional packages that will handle changes across an entire enterprise.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.