Winged migration


Software for standard configurations can speed the switch to Vista, and make OMB happy, too.

Planning to upgrade your office to Microsoft Windows Vista? Establishing a standard configuration for Microsoft Windows desktop and notebook PCs could make the transition relatively painless.

In fact, a standard configuration is also required by federal policy. The Office of Management and Budget requires all agencies to migrate to a standard desktop configuration for Microsoft Windows XP and Vista environments by February 2008.

Even if many agencies are not expected to migrate to Microsoft's new operating system before then, program managers should start planning for the transition.

Government officials have noted that governance, proper planning and sound policy are keys to a successful transition. However, migration and security tools can aid agencies in this effort, industry experts and users say.

Vendors such as Intrinsic, PS Soft and Symantec's Altiris business unit offer tools that will ease migration to a standard, secure desktop configuration and to Vista. And security suppliers such as BeyondTrust and Secure Elements are offering tools that tackle such aspects of the problem as managing user privileges and auditing for compliance.

The Federal Deposit Insurance Corp. needed a more dynamic, automated approach to reduce the time and labor associated with moving to new desktop computers running a Windows XP Service Pack 2 environment.

'We were trying to come up with an automated solution to roll out desktop and laptop configurations,' said Cynthia Bell, an information technology specialist in FDIC's information technology division. 'We wanted a solution that would automate the process and also make it dynamic.'

Previously, the division used technology that provided a static image of the operating system (the build) installed on desktop or laptop computers. Because of that setup, IT personnel had to schedule a set time for installation of security patches or hot fixes to close vulnerabilities, Bell said.

For more flexibility, the agency turned to a tool to deploy 'a standard configuration to all platforms from a central location and dynamically update the platforms with security patches instead of rebuilding the whole thing,' she said. The agency picked SWIMAGE from Intrinsic for the job.

Now, when a patch comes out to close a security hole, FDIC can deploy it quickly. Previously, the agency would have had to rebuild the whole static image before it could distribute it, she said.

Because SWIMAGE lets IT administrators create a predefined configuration in an automated way, FDIC is better positioned to meet OMB, National Security Agency or National Institute of Standards and Technology configuration requirements, she said.

Many disk imaging approaches try to put everything into the image, including enterprise, group-level and personal applications in addition to hardware drivers. As a result, administrators wind up with a 'very fixed and bloated image,' said Marc Roth, director of federal operations at Intrinsic.

Intrinsic's approach is to put as little in the base image as possible, he said. SWIMAGE, which stands for Single Worldwide Image, does not include device drivers in the binary image. The product maintains a database of device drivers and distributes them to each PC as needed, so the administrator does not have to load every driver for every PC on the network into the standard image.

In addition, the product builds only core office suites and system applications into the base image. SWIMAGE maintains a database of software packages and distributes the appropriate applications through role-based definitions, the company says.

Administrators can create and edit the image through a Web-based administrative console. They also can define both the current state and the desired future state of all desktop systems, including the locations of user data and stored profile information. They can refresh a desktop without the user even being aware.

Know your assets

Identification of an organization's information technology assets is the first step in any migration, said Paul Rochester, chief executive officer at PS Soft, a maker of IT asset management and license compliance software.

PS Soft's suite of tools feeds a repository that gives administrators a common view of the IT infrastructure, he said. The asset management suite stores detailed information on all assets, culled from sources including automatic discovery and software distribution tools, network management systems, enterprise resource planning applications, Microsoft Active Directory, databases and other data sources.

The asset management suite integrates with Microsoft Systems Management Server, but it goes beyond the mere discovery of devices on the network that SMS performs. It can determine whether computers are stand-alone machines or shared devices, and if shared, who the owner is. The last person logged on to a shared device might not be the owner, Rochester said.

Common sense

Tim Ruland, chief information security officer at the Bureau of the Census, also advises fellow agency managers to get a handle on their environment.

'Get control of your networks. Get control of your systems,' he told an audience of federal agency officials at a recent event in Washington sponsored by the Potomac Forum. They can do this through the implementation of configuration and patch management tools.

Census has a standard desktop configuration for Windows XP based on Federal Information Security Management Act requirements, Ruland said. The agency has also applied configuration guidelines from the Center for Internet Security.

Ruland's team is poised to put the new OMB-mandated configurations through testing. The plan is to deploy the new standard in September 2007, he said.

The agency does not plan to implement Microsoft Vista until after the 2010 census because such a deployment would be too much of a disruption to those efforts at this point, he said.

'The OMB initiative just really speaks to [having] a well-managed environment, frankly,' said Mark Magee, director of product marketing at Symantec's Altiris business unit. Altiris information technology management software can provide agencies with that kind of capability. But they can go deeper to address security configuration issues with products such as Application Compatibility Suite.

The suite is part of new, automated software that can help reduce the time and costs associated with Vista deployment.

Agencies that adhere to guidelines from OMB and the National Institute of Standards and Technology must make sure they are not giving administrative rights to all computer users, he said.

With the Application Compatibility Suite, an IT administrator can let an application run with administrative rights over the resources it needs without granting administrative rights to the entire user base. This minimizes security risks, Magee said.

The suite also lets users create a consistent image of the software running on the desktop.

Another OMB requirement is the ability to ensure that other applications installed on the system are not manipulating or changing aspects of the base configuration in ways that are not authorized.

The Altiris Software Virtualization Solution, a component of the Application Compatibility Suite, allows organizations to place applications in a virtual, protected area of Windows so they can function as originally intended.

With 'some of the software virtualization [technology], we can ensure that you can install an application in the standard image, and it won't affect the base,' Magee said.

Auditing and compliance

To help agencies determine whether tested systems are configured according to the recommended guidance for Windows XP and Vista, NIST provides Extensible Markup Language content for automatically checking compliance. Testing standard desktop configurations in a nonproduction environment to identify adverse effects on system functionality is one of the seven actions agencies must take to meet the OMB deadline (see the accompanying list, 'Meeting OMB's deadline').

The deadline for agencies to adhere to a standard desktop configuration is rapidly approaching. So officials at Secure Elements, a developer of auditing and compliance appliances, are advising agencies to use this XML content with automated tools to reach compliance.

In April, the company released a new version of the C5 Compliance Platform with automated system-auditing features to aid agencies in meeting OMB requirements.

Secure Elements has worked with NIST and Microsoft to offer security guidance to agencies, said Scott Armstrong, vice president of marketing and alliances at the Herndon, Va.-based company.

Secure Elements introduced the C5 Compliance Starter Bundle, which includes the software and a preconfigured server for collection and storage of audit results. The server can be licensed for up to 100 hosts with annual support and maintenance.

The enterprise-class auditing platform can support agencies' initial assessment and planning needs, Armstrong said. The bundle is available on the GSA Schedule for immediate purchase.

In addition, the bundled solution automates many certification and accreditation activities, such as audits of initial and deployed image configurations and assessment of conformance with recommended baseline settings or modified configuration settings.

Restricted control

Another action item for agencies is to ensure that they restrict administration of the standard configuration to authorized personnel. This means locking down desktops so users cannot change the configuration, unwittingly or intentionally.

But what happens if users need access to individual applications that might require administrative rights? How do you limit those privileges while allowing users to run or install all authorized applications?

Officials at Vandenberg Air Force Base in California encountered this problem leading up to a move to a standard Windows XP configuration earlier this year, said Mike De Bruin, a senior systems engineer at RS Information Systems, an on-site contractor managing user privileges for 500 users and 450 desktops.

The squadron De Bruin oversees, like many other units on the base, has customized applications that users need to access. Prior to the Air Force's standard-configuration initiative, which OMB has held up as a model for other agencies, power users at the base had administrative privileges.

De Bruin required a solution that would free system administrators from the potential need to log in users and stand by their computers to monitor their work, and would avoid forcing developers to rewrite applications to work in a restricted environment.

The squadron chose Privilege Manager software from BeyondTrust, which offers policy-based management of user privileges across an organization. The software's ability to work with Microsoft Group Policy, which the base already used, was an attractive feature, De Bruin said.

Group Policy lets administrators implement security settings, enforce IT policies and distribute software consistently across a given site, domain or range of organizational units.

Privilege Manager lets IT administrators filter privileges in many ways (by time of day, specific computer, IP address, user or organizational unit), De Bruin said. For example, they could allow only the accounting department to run accounting applications with elevated privileges.

Currently, the base is running Windows XP Service Pack 2 in the standard configuration.

De Bruin said a product such as Privilege Manager would be needed even more if the base migrated to Vista because the operating system has more access control and other security features than XP.

'I would say going to Vista, Privilege Manager would go from being nice to being mandatory,' De Bruin said.
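The time-of-day, computer, IP address, user and organizational-unit filtering described for Privilege Manager above comes down to one policy decision per launch request: does this user, on this machine, from this address, at this hour, get to run this particular binary elevated? The block below is an added illustration written for this page in Python; it is not BeyondTrust's or the Air Force's code, and the rule format, OU names, paths, hash values and requests are all constructed for the example. It also goes one step beyond the text by pinning the approved binary's hash, because matching on path alone lets a user drop a renamed executable at an approved location.

```python
# Per-application elevation decided by policy (added example; rule format,
# OU names, paths, hashes and requests are all assumed, not vendor data).
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    app: str                                   # full path of the executable
    ous: List[str]                             # user's OU, or a parent OU, must match
    sha256: Optional[str] = None               # if set, the launched binary must match
    computers: List[str] = field(default_factory=list)   # empty = any computer
    networks: List[str] = field(default_factory=list)    # CIDR blocks; empty = any
    hours: Optional[Tuple[time, time]] = None            # local-time window; None = any

@dataclass
class Request:
    user: str
    ou: str            # distinguished name of the OU the user sits in
    computer: str
    ip: str
    app: str
    sha256: str        # hash of the binary actually being launched
    when: time

def _norm_path(p: str) -> str:
    return p.replace("/", "\\").lower()

def _ou_matches(rule_ous: List[str], ou: str) -> bool:
    # A child OU's DN ends with its parent's DN, so a rule on a parent OU
    # covers everything nested beneath it.
    ou = ou.lower()
    return any(ou == r.lower() or ou.endswith("," + r.lower()) for r in rule_ous)

def _in_window(window: Optional[Tuple[time, time]], t: time) -> bool:
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end          # window wraps past midnight

def evaluate(req: Request, rules: List[Rule]) -> Tuple[bool, str]:
    """Return (elevate, reason). Default deny: every condition of at least
    one rule must hold before the application runs with elevated rights."""
    reason = "no rule covers this application"
    for r in rules:
        if _norm_path(r.app) != _norm_path(req.app):
            continue
        if r.sha256 and r.sha256.lower() != req.sha256.lower():
            # Path alone is spoofable (renamed binary dropped at the approved
            # path); pinning the approved build's hash closes that gap.
            reason = f"{r.name}: binary hash does not match approved build"
            continue
        if not _ou_matches(r.ous, req.ou):
            reason = f"{r.name}: user is outside the permitted OUs"
            continue
        if r.computers and req.computer.lower() not in [c.lower() for c in r.computers]:
            reason = f"{r.name}: computer not permitted"
            continue
        if r.networks and not any(ip_address(req.ip) in ip_network(n) for n in r.networks):
            reason = f"{r.name}: source address not in permitted networks"
            continue
        if not _in_window(r.hours, req.when):
            reason = f"{r.name}: outside permitted hours"
            continue
        return True, f"{r.name}: all conditions met"
    return False, reason

# Constructed policy: accounting staff may run the accounting package elevated
# during business hours; developers may run the build tool only from the lab
# network. Every OU, path and hash below is made up for the example.
ACCT_OU = "OU=Accounting,DC=example,DC=test"
DEV_OU = "OU=Developers,DC=example,DC=test"
ACCT_APP = r"C:\Program Files\Acct\acct.exe"
BUILD_APP = r"C:\Dev\build.exe"
ACCT_HASH = "0f" * 32
RULES = [
    Rule("acct-app", ACCT_APP, ous=[ACCT_OU], sha256=ACCT_HASH,
         hours=(time(7, 0), time(19, 0))),
    Rule("dev-build", BUILD_APP, ous=[DEV_OU], networks=["10.20.0.0/16"]),
]

def sample_decisions(rules: List[Rule] = RULES) -> Dict[str, bool]:
    """Run constructed requests through the policy; returns {label: elevated}."""
    reqs = {
        "alice":       Request("alice", ACCT_OU, "PC-101", "10.20.3.4", ACCT_APP, ACCT_HASH, time(9, 30)),
        "alice-late":  Request("alice", ACCT_OU, "PC-101", "10.20.3.4", ACCT_APP, ACCT_HASH, time(23, 15)),
        "bob-payroll": Request("bob", "OU=Payroll," + ACCT_OU, "PC-102", "10.20.3.5", ACCT_APP, ACCT_HASH, time(10, 0)),
        "carol-dev":   Request("carol", DEV_OU, "PC-200", "10.20.5.9", ACCT_APP, ACCT_HASH, time(10, 0)),
        "dave-lab":    Request("dave", DEV_OU, "PC-200", "10.20.5.9", BUILD_APP, "n/a", time(14, 0)),
        "dave-vpn":    Request("dave", DEV_OU, "LT-077", "192.168.1.5", BUILD_APP, "n/a", time(14, 0)),
        "mallory":     Request("mallory", ACCT_OU, "PC-103", "10.20.3.6", ACCT_APP, "ab" * 32, time(10, 0)),
    }
    return {label: evaluate(q, rules)[0] for label, q in reqs.items()}

if __name__ == "__main__":
    for label, ok in sample_decisions().items():
        print(f"{'ELEVATE' if ok else 'deny   '} {label}")
```

Rules are evaluated in order and the first full match wins; anything that matches no rule falls through to deny, which is the behaviour a locked-down standard configuration needs. In a real deployment the agent would compute the hash from the file actually being launched, and every decision, allow and deny alike, would be logged so the audit trail exists when the configuration is assessed.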

Meeting OMB's deadline

Agencies must perform these seven action items to establish a standard desktop configuration by February 2008, as required by the Office of Management and Budget.


  • Test configurations in a nonproduction environment to identify adverse effects on system functionality.
  • Implement and automate enforcement for using the configurations.
  • Restrict administration of configurations to authorized employees.
  • Ensure that new acquisitions include these configurations by June 30, 2007, and require vendors to certify that their products operate effectively using the configurations.
  • Apply Microsoft patches available from the Homeland Security Department for new Windows XP or Vista vulnerabilities.
  • Provide National Institute of Standards and Technology documentation if configurations are modified, and the rationale for making the changes.
  • Ensure that agency capital planning and investment control processes incorporate the configurations.

Source: Office of Management and Budget
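Three of the items above (testing configurations, automating enforcement and documenting any modifications with a rationale) can be folded into one automated check of the kind the NIST XML content is meant to drive. The block below is an added example written for this page, not NIST content or any vendor's product: the baseline XML is a deliberately simplified stand-in for NIST's actual XCCDF/OVAL content, and the host settings and deviation records are constructed sample data. Its one point worth noting is that a setting that differs from the baseline is only acceptable when an approved deviation record with a written rationale exists for it.

```python
# Baseline compliance check with documented deviations (added example).
# The XML format, host values and deviation records are assumptions.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed, simplified baseline; the real NIST content (XCCDF/OVAL) is far richer.
BASELINE_XML = """
<baseline id="sdc-winxp-example" version="1">
  <rule id="acct-lockout"   setting="LockoutBadCount"       op="min" value="10"/>
  <rule id="min-pw-len"     setting="MinimumPasswordLength" op="min" value="12"/>
  <rule id="max-pw-age"     setting="MaximumPasswordAge"    op="max" value="60"/>
  <rule id="no-autorun"     setting="NoDriveTypeAutoRun"    op="eq"  value="255"/>
  <rule id="guest-disabled" setting="EnableGuestAccount"    op="eq"  value="0"/>
</baseline>
"""

# Settings as collected from a test host (constructed sample).
HOST = {"LockoutBadCount": 10, "MinimumPasswordLength": 8,
        "MaximumPasswordAge": 90, "NoDriveTypeAutoRun": 255,
        "EnableGuestAccount": 0}

# Agency-approved deviations from the baseline. The second one has no
# rationale recorded, which the OMB action item on modifications requires.
DEVIATIONS = [
    {"rule": "max-pw-age", "value": 90,
     "rationale": "Smart-card logon is mandatory; credential lifetime is enforced by PIV"},
    {"rule": "min-pw-len", "value": 8, "rationale": ""},
]

OPS = {"eq": lambda actual, want: actual == want,
       "min": lambda actual, want: actual >= want,
       "max": lambda actual, want: actual <= want}

def check(baseline_xml: str = BASELINE_XML, host: Dict[str, int] = HOST,
          deviations: List[dict] = DEVIATIONS) -> Dict[str, str]:
    """Compare each baseline rule against the host. Returns {rule_id: status}:
    'pass', 'fail', 'deviation' (approved and documented), 'undocumented'
    (modified but no rationale recorded) or 'missing' (setting not collected)."""
    approved = {d["rule"]: d for d in deviations}
    results = {}
    for rule in ET.fromstring(baseline_xml).findall("rule"):
        rid, key, op = rule.get("id"), rule.get("setting"), rule.get("op")
        want = int(rule.get("value"))
        if key not in host:
            results[rid] = "missing"          # an uncollected setting is never a pass
            continue
        actual = host[key]
        if OPS[op](actual, want):
            results[rid] = "pass"
            continue
        dev = approved.get(rid)
        if dev is None or dev["value"] != actual:
            results[rid] = "fail"             # no deviation, or host drifted from it
        elif not dev["rationale"].strip():
            results[rid] = "undocumented"
        else:
            results[rid] = "deviation"
    return results

def compliant(results: Dict[str, str]) -> bool:
    """Only passes and documented deviations count toward compliance."""
    return all(s in ("pass", "deviation") for s in results.values())

if __name__ == "__main__":
    r = check()
    for rid, status in r.items():
        print(f"{status:12s} {rid}")
    print("compliant:", compliant(r))
```

Run against the constructed host, the lockout, AutoRun and guest-account rules pass, the password-age change is accepted because its deviation record carries a rationale, and the password-length change is flagged as undocumented, so the host as a whole is reported non-compliant until that rationale is recorded or the setting is brought back to baseline.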

Automation is essential for smooth migration

A word of advice for agencies preparing to migrate to a standard desktop configuration, new operating systems such as Microsoft Vista or a new hardware platform: Automate the process as much as you can.

Adopting an automated migration approach allowed information technology specialists at the Federal Deposit Insurance Corp. to replace close to 5,000 desktop computers in three months, said Cynthia Bell, an information technology specialist at FDIC's information technology division.

The task of deploying new hardware with a standard configuration for each computer might have taken six months or more if FDIC had not chosen a tool that automated the migration efforts, Bell said.

The agency used Intrinsic Technologies' Single Worldwide Image (SWIMAGE) framework to migrate users' existing settings onto new hardware. 'We used the product to come up with one standard configuration that worked on all desktops,' she said.

Previously, the agency used Symantec's Ghost software, but it produced static images of users' desktops. As soon as a new application or security hot fix came out, that image would be out of date. 'You would have to rebuild the image every quarter,' Bell said.

Now, if a Microsoft security patch is introduced and has to be deployed immediately, it can be incorporated into SWIMAGE so any newly built PC or new PC deployment will have that security patch in it without doing the whole process over again, she said.

Additionally, the product allows for more hardware independence. 'If I had a Hewlett-Packard desktop and a Dell desktop, without SWIMAGE or other products that do the same thing, I would have had to create an image for HP because the drivers are specific to that and an image for Dell because there are drivers specific to it,' she said.

Now, 'I have one process that uses additional coding and scripting to decipher what hardware I need for my specific platform,' she added.

Bell said the product could provide a smoother transition to Microsoft Vista if the agency decided to make that move. The agency could use existing hardware and send updates automatically to desktops by using Microsoft Systems Management Server.

'We could actually upgrade a number of users overnight from XP to Vista and have the same standard configuration on every one of those PCs upgraded,' she said.

But for now, Bell's focus is on replacing as many as 4,000 laptop computers. 'We will be using SWIMAGE to deploy a standard configuration set to all the laptops in the environment.'

Rutrell Yasin
