IT Best Practices for Community Colleges Part 3: Configuration Management


that the Speaker may use.

>> Donna: Welcome to the IT best practices for community colleges part 3, configuration management. The speaker today is Donald Hester. He is currently teaching at San Diego City College for the at one project. He is the security director and he is a guest lecturer in SPEAKER on security topics. He serves on various advisory committees and is an expert in the information technology and security field. He has a bachelor’s degree in security management with a concentration in information security. He has a lot of certifications and I am putting them in the chat window right now. I will turn it over to Donald now.

>> Donald: Thank you, Donna. We have had two previous presentations: the first one was on risk management and the second one was on contingency management. This one will focus on configuration management and the last one will focus in on security awareness training, which is part 4. Without further ado let’s talk about configuration management today. The first question everyone asks is what is configuration management? [on the board] (reading). What does this really mean? When we set up a new system, whenever that is, whether it’s going to be a laptop or a new server for WebCT or Blackboard, there is configuration that needs to go on in that system. All systems need to be configured at some level. Typically you do not take things out of the box and plug it in and it just works. Configuration needs to be done somewhere along the line. Configuration management is focusing in on how you should configure this system so that it actually meets your needs or your college’s needs. And you’re going to have different groups in your college that have conflicting needs so you need to come up with the configuration for your system that works for the different groups. Faculty obviously have completely different needs than administration staff. You’ll find that configuration is a very important aspect.
I hope this will become clear for you so that you can understand the value of this because I do not want you to leave this class today not understanding all the benefits of configuration. It is actually a lot easier than what you’re probably doing now. I’m going to do a poll right now and just ask you to click the green check for Yes and the red X for No. How many of you have a configuration management plan set up within your organization right now? OK, so most of you have it. Most colleges have a lab environment and have a really good configuration for that but for servers there might not be any documentation for configuration management. So how many of you have it for things besides a lab environment? There are a lot of times I go into a college and find out that they do not have anything, so I’m glad to hear that a lot of you do have some configuration management already. The next slide lists some IT standards [on the board] (reading). These all focus in on configuration management. The second one on the list really focuses in on controlling the configuration environment. It is really process management: how to establish process controls. It is not that we can recover a system; it is that when you recover a system, is it recovered the same way, or close to that. There are obviously going to be some variances. The first one is very similar to that but it is more high level and not as granular. It does not focus only on security but it focuses in on all the different areas. Making sure that you have processes set up from purchasing to deployment to disposal of the system. So it really does focus in on the whole life cycle of the system. NIST and ISO really line up and they are very similar. These both list the controls they should have in place. They are coming out with a configuration management standard. NIST is the United States government’s answer to ISO.
We talk about how you set up a system and configure it for the best uses of the particular agency, or college in this case, that will be using it. The benefit to configuration is that you’re not going to have any variant without you being aware of it. If someone broke into your system you would instantly know. The most mature that I have seen out there is all automated, and the administration is immediately notified if there is a problem anywhere in the system. The least mature process I have seen is they have routers but nobody really knows how they are set up and there is no control and each switch might be set up completely differently. That is the worst case that I have seen. Obviously, the higher and more mature system is going to be able to be recovered much more quickly if the problem does happen. The one with the most mature configuration management is going to be able to be recovered the fastest. If you do not have a known good state when you lose your system then you cannot bring it back to a known good state when it is down. So it is very important to have this also. So having a gold standard really helps out. So all of these standards listed on the board can really help you with this. ISO is probably the best location to go for developing processes. Change management is how we change these things on a scheduled basis whereas configuration management is how we come up with a configuration that is the right configuration or the best configuration for our particular situation. Last year at a conference I talked about this next slide that is on the board. 80 percent of system outages are caused by operator and application errors. This goes back to if we have a configuration management plan we can control this 80 percent, which is most of our down time. If we can control most of our down time, if we take our help desk calls and reduce 80 percent of them, then how much more time would we have to do other important things that we need to get done?
But we cannot do that if we’re spending at least 80 percent of our total time fixing systems and dealing with that. We have other things like application failure and on security and security related failures which make up a small percentage of down time as well. I know of one college that put their core router switches in a janitor’s closet that often leaks, and obviously this was not a good place to put the core switches. Here is a list of common characteristics of high performance IT organizations. [on the board] (reading). Please look at these ratios and see if your college has ratios like these: one administrator for every 100 servers. The next thing is more planned work than unplanned work. It is so important to plan ahead to prevent things from happening that we do not want to happen. Also high-performance organizations collaborate, and this is extremely important, that we have input from all departments and know what everybody needs so that when we set up whatever the configuration is going to be, it is going to meet their needs. In order to know that we have to collaborate with everyone. One of the other things that these organizations have is a posture of compliance, or IT standards. The best way to prove that you are protecting your system is to adopt some IT standards. In these organizations they also have a culture of change management. These organizations test things before they go out, and I know a lot of people say we do not have time to test things before they go out, but it is much easier to do this early in the life cycle than after it breaks down. The other thing is they understand the causality of breakdowns before they happen. If you cannot figure out the cause of a breakdown then you cannot figure out how to prevent it in the future. And this is an example of managing by facts, really. If you do not have the facts then you cannot make the correct changes.
So how do we come up with the standard for how we set up servers and how we set up workstations? It is impossible to set all workstations up the same in all parts of the campus. Everyone obviously has different needs. Recognizing that and looking at that early in the life cycle means that you have a better plan and better setup. The math department may have a certain set of needs and the English department probably has a different set of needs so they will have a different configuration. So the idea is to come up with a custom fit for each department. If we do not have configuration management set up ahead of time then we end up with too many different types of setups and no management of those. Change management is how we set up things and are ready to change them. Release management is how we set it up to release out to the people who need it. Incident management is, if something bad happens that is beyond the help desk, what we do then. Problem management is very similar in that when a problem happens, what is our plan to take care of that. So here are some of the missing pieces that I find in many colleges when I go in and audit their systems. The systems are in there and they are ad hoc and not documented. So what are some of the benefits of configuration management? [on the board] (reading). The first one is something that people just do not want to believe, but good configuration management does not increase the workload, it actually decreases it. People think that this is not true because it takes time to set it up and you have to document everything. But if you spend time up front testing things and documenting things then in the future your down time will be greatly decreased because you have the documentation and you know what to do. We just had a bad thing with Adobe and there is a really bad virus out there and if you didn’t catch it right away you’re in big trouble.
So a lot of what IT does is just to push out information before we know what the right action is that needs to be done to take care of this problem, because we’re all greatly afraid of the problem or the virus that we are sending out information on. But if we take our time to go through the process and actually do the testing that we should then we may find different ways of dealing with the issue that is coming up and taking care of it much more quickly. So this can lead to fewer incidents if we have a good configuration management plan. One place I know of actually went through and reviewed all the incidents that had happened in the past and realized that if they had had a configuration management plan in place it could have prevented a lot of those incidents from happening. If we do not have a plan then again, we do not know what to do to fix things when they do happen and we leave our systems more vulnerable to attack and longer downtimes to fix the problems when they do occur. The next item is that you get a greater return on investment. You may spend a little bit more money up front but the dividends will be much greater in the future. Faster recovery time is the next item, and we call this the mean time to recovery (MTTR). The biggest benefit is limiting the amount of down time when a problem does happen. If we have the configuration actually documented then it is much easier to get back to that. When the system fails then if we do not have it documented in the first place. I have had experiences where I have not documented configuration and then later on, in fact one time I had a system where two years after I had set it up there was a problem, the Internet service provider changed, but I had not retained any of the configuration information so I was unable to set it back up because I actually had no idea how I had set it up originally so there is no way for me to say why did I set up this record in this way.
So it turned out that I spent a lot of time on this that I should not have had to if I had the configuration documented in the first place. So I learned my lesson the hard way about configuration management. And this obviously affects the quality, and if we have a configuration management plan it will improve the quality and improve the IT service as well. Faculty usually completely ignore that the system is up and running 90 percent of the time, so in this way IT is really like an unsung hero. The only time you hear about it is when the system is down. [on the board] Let’s look at the configuration management life cycle. The first thing you need to come up with is what is your configuration identification. You’re going to have what we call a baseline or gold standard. And this will be different for different systems. Once you have this set up then you’ll have areas that deviate from this configuration based on their particular needs. We can come up with a baseline or gold standard for faculty or even more than 14 different areas of faculty and then you might have something different for labs. You can use a product called Deep Freeze for this. And then you also have students and faculty that all may have different baselines or gold standards set up. The next one, configuration control, is that we’re going to have to change this baseline from time to time when a new version comes out or other changes need to happen. We need to know how we’re going to manage these changes when they come up. The next thing is how do we stop users from changing the configuration; this is what we call enforcement or status accounting. And then finally how you go about testing on a regular basis to see that what you are deploying is deployed correctly. Basically you have no way of knowing when things have changed on that individual system, so how do you then go back to check and see if it is running the same baseline as when you originally deployed it.
So we need to have a system for testing these. Now we’ll get into the specifics of each area of the life cycle. [on the board] The configuration management database is a repository of information related to all the components of an information system. This might be configuration files, which might even be image files which can be a gold standard you use as your base system. You also might have group policy settings if you’re using Active Directory. This is a way of automating this, and every time a machine boots up it gets reapplied with those settings. If you’re using the most recent Microsoft products you obviously will have the greatest latitude for changing settings; right now you have 1300 settings for Internet Explorer with Windows 7. The bad thing about this is if you do not test it ahead of time you’re going to be having faculty call you up and saying I cannot get into CCC Confer or whatever, so you need to make sure this is set up early in the life cycle and have all the details written down for all the different systems. [on the board] (reading) In order to do this we need to start out with the policy. We need to develop, disseminate, and review and update this policy regularly. Getting people to buy into this idea is the hardest part of this. But if you can get people to see the benefit of this then you have overcome the biggest hurdle. For example, if you set up a spam filter that someone is unaware of, they may not be getting e-mails that they want to get simply because they do not know how to go into the filter area or junk mail folder and set those e-mails to actually come through the filter if they are good e-mails. This can create a big problem if someone is not aware of this configuration, but it can be avoided if everyone is aware of how it is set up. [on the board] (reading). So again the biggest thing, as you can see, is management commitment to this configuration management policy. Next is the baseline [on the board].
We want to develop, document, and maintain under configuration control, the current baseline configuration. Again, this can include images, builds, CMDB, configuration files, and group policy objects (GPO). So there are different ways to enforce the baseline and you’re going to be using those ways. Baselines, again [on the board] (reading). Here I give you a great place to start. If you just type in FDCC you’ll find out a whole bunch of information about this. You can also modify what you find based upon your needs. You can also go out to CIS benchmarks by typing this in to Google as well and you’ll find out a lot of information about this. This will give you a lot of good information on how to configure servers and different workstations as well as compatibility issues and interoperability issues. Start with the information you find at these two sites and then modify it based upon your needs, as I said. For example, when Windows 2000 came out and QuickBooks was upgraded it had a difficult time, and if you called in and said my QuickBooks isn’t running then they would try to back to the Web site; meanwhile we security folks were cringing because people were telling them this information and all they really needed was access to the registry key, so people could still get their jobs done and they did not have to be a local administrator. So if they had had the correct configuration to begin with then everyone would have been able to run QuickBooks without a problem on their machine. But that did not happen back then because they did not have the correct configuration to begin with. So oftentimes it is a simple fix. [on the board] So controlling changes is the next thing. First you need to determine the types of changes to the information system that are configuration controlled. One of the things that change control is looking for is approving the configuration control changes.
We want to make sure they’re tested ahead of time and that we know they will work. We want to work with the end users, because the end users may think that the way the desktop is working right now does not work for me because of reasons X, Y, and Z. So if we listen to this and figure out what changes need to be made and document those, we can solve the problem and approve the configuration changes. That way in the future you can look back and see why the changes were made, who made the changes and what the changes were. Next we’re going to have to look at the impact of the change, or impact analysis. And we need to look at how it’s going to impact the rest of the system. For example if the system has Office 97 on it that does not work with different upgraded versions of this and if we know that then it’s easy to analyze the system and say well that is the problem and we need to fix it. Typically, it is bad if your Blackboard or WebCT server goes down in the middle of the semester so we want to have good availability on those servers to get them back up and running as quickly as possible. Confidentiality is oftentimes looked down on in colleges and is not a high priority. But you have to do it especially if you have an on-line credit-card system because you have to protect this information and you also need to protect student information and records, so confidentiality is extremely important and you need to know how to protect the users’ confidentiality. Integrity: people changing grades in the computer is one example of this. We need to make sure that this does not happen because nothing hurts the credibility of a college like this, so we need to know how to prevent this. Restricting changes to this system. So have it documented and approved and how we enforce this. We need to limit who can make the changes, which usually means no local administrators. If you can automate this it becomes all the better.
The system I told you about earlier, they have it automatically checked every three minutes to see that the configuration is still the same on all the systems. And again this is done automatically with no extra workload on anybody. The next thing we want to focus on is the least amount of functionality. We need to configure the information system to provide only the essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols and/or services. If it is not needed we do not need to have it. Oftentimes there are things or functions that are turned on that do not need to be, so we need to know how to turn those off if they are not necessary. These oftentimes become just one more thing that could go wrong to bring a system down. Again, it really comes down to if you do not need it why is it turned on? And then you need to periodically review that because you may have a port open now that you need but you may not need it in the future, so then you can turn that off or change the functionality on it. Inventory. You need to develop, document, and maintain an inventory of your information system components. It is important that this accurately reflects the current system at whatever level of regularity is deemed necessary. There are different levels needed for different groups. Again, like I said previously, there are no compulsory IT standards required for local governments. [on the board] (reading). However the National Institute of Standards and Technology encourages us to use these guidelines as appropriate. In adopting the standards the local government demonstrates due diligence. This publication that I am pointing to is not available yet but it should be available later this year. This next one is a list of all the controls that you should have (I am pointing to this now on the board). And last you have the Federal Desktop Core Configuration.
So this is a very good place to start to see how you should set up your system. Another great book I have on the board [on the board]. It is a very short book; you can read it in about two hours, it is only about 100 pages long. [on the board] (reading). I highly recommend this book. Here are some other resources that are out there [on the board] (reading). (There’s also another listed in the chat box that I did not have listed on the board. Please take a look at this website as well.) Here is my contact information [on the board] and in the chat box. Also I am giving you the link to the online teaching conference on the board. If you have any questions please type them in the chat window now. Please also take a minute to take our evaluation survey. Thank you for the handclap. Kathy, if you have a question please type it in the chat window. Otherwise, thank you for the handclap again. I have also posted in the chat window the link to the at one Web site to look at our upcoming training sessions.

>> Donna: It looks like we do not have any questions so we will close the session. Thank you again to Donald for the great seminar and be sure to join us next time on part 4, which is developing security awareness
