Winged migration

Software for standard configurations can speed the switch to Vista ' and make OMB happy, too.

Meeting OMB's deadline

Agencies must perform these seven action items to establish a standard desktop configuration by February 2008, as required by the Office of Management and Budget.


  • Test configurations in a nonproduction environment to identify adverse effects on system functionality.
  • Implement and automate enforcement for using the configurations.
  • Restrict administration of configurations to authorized employees.
  • Ensure that new acquisitions include these configurations by June 30, 2007, and require vendors to certify that their products operate effectively using the configurations.
  • Apply Microsoft patches available from the Homeland Security Department for new Windows XP or Vista vulnerabilities.
  • Provide National Institute of Standards and Technology documentation if configurations are modified, and the rationale for making the changes.
  • Ensure that agency capital planning and investment control processes incorporate the configurations.

Source: Office of Management and Budget

Automation is essential for smooth migration

A word of advice for agencies preparing to migrate to a standard desktop configuration, new operating systems such as Microsoft Vista or a new hardware platform: Automate the process as much as you can.

Adopting an automated migration approach allowed information technology specialists at the Federal Deposit Insurance Corp. to replace close to 5,000 desktop computers in three months, said Cynthia Bell, an information technology specialist at FDIC's information technology division.

The task of deploying new hardware with a standard configuration for each computer might have taken six months or more if FDIC had not chosen a tool that automated the migration efforts, Bell said.

The agency used Intrinsic Technologies' Single Worldwide Image (SWIMAGE) framework to migrate users' existing settings onto new hardware. 'We used the product to come up with one standard configuration that worked on all desktops,' she said.

Previously, the agency used Symantec Technology's Ghost software, but it produced static images of users' desktops. As soon as a new application or security hot fix came out, that image would be out of date. 'You would have to rebuild the image every quarter,' Bell said.

Now, if a Microsoft security patch is introduced and has to be deployed immediately, it can be incorporated into SWIMAGE so any newly built PC or new PC deployment will have that security patch in it without doing the whole process over again, she said.

Additionally, the product allows for more hardware independence. 'If I had a Hewlett-Packard desktop and a Dell desktop ' without SWIMAGE or other products that do the same thing ' I would have had to create an image for HP because the drivers are specific to that and an image for Dell because there are drivers specific to it,' she said.

Now, 'I have one process that uses additional coding and scripting to decipher what hardware I need for my specific platform,' she added.

Bell said the product could provide a smoother transition to Microsoft Vista if the agency decided to make that move. The agency could use existing hardware and send updates automatically to desktops by using Microsoft Systems Management Server.

'We could actually upgrade a number of users overnight from XP to Vista and have the same standard configuration on every one of those PCs upgraded,' she said.
But for now, Bell's focus is on replacing as many as 4,000 laptop computers. 'We will be using SWIMAGE to deploy a standard configuration set to all the laptops in the environment.'

' Rutrell Yasin

Comstock

'Get control of your networks. Get control of your systems.' ' Tim Ruland, Census CISO

Henrik G. De Gyor G.

Planning to upgrade your office to Microsoft Windows Vista? Establishing a standard configuration for Microsoft Windows desktop and notebook PCs could make the transition relatively painless.

In fact, using a standard configuration is also the law. The Office of Management and Budget requires all agencies to migrate to a standard desktop configuration for Microsoft Windows XP and Vista environments by February 2008.

Even if many agencies are not expected to migrate to Microsoft's new operating system before then, program managers should start planning for the transition.
Government officials have noted that governance, proper planning and sound policy are keys to a successful transition. However, migration and security tools can aid agencies in this effort, industry experts and users say.

Vendors such as Intrinsic, PS Soft and Symantec's Altiris business unit offer tools that will ease migration to a standard, secure desktop configuration and to Vista. And security suppliers such as BeyondTrust and Secure Elements are offering tools that tackle such aspects of the problem as managing user privileges and auditing for compliance.

FDIC ensured

The Federal Deposit Insurance Corp. needed a more dynamic, automated approach to reduce the time and labor associated with moving to new desktop computers running on a Windows XP Service Pack 2 environment.

'We were trying to come up with an automated solution to roll out desktop and laptop configurations,' said Cynthia Bell, an information technology specialist in FDIC's information technology division. 'We wanted a solution that would automate the process and also make it dynamic.'

Previously, the division used technology that provided a static image of the operating system (the build) installed on desktop or laptop computers. Because of the setup, IT personnel would have to schedule a set time for installation of security patches or hot fixes to close vulnerabilities, Bell said.

For more flexibility, the agency turned to a tool to deploy 'a standard configuration to all platforms from a central location and dynamically update the platforms with security patches instead of rebuilding the whole thing,' she said. The agency picked SWIMAGE from Intrinsic for the job.

Now, when a patch comes out to close a security hole, FDIC can quickly deploy it. Previously, they would have had to rebuild the whole static environment before they could distribute it, she said.

Because SWIMAGE lets IT administrators create a pre-defined configuration in an automated way, FDIC is better positioned to meet OMB, National Security Agency or National Institute of Standards and Technology configuration requirements, she said.

Many disk image processing techniques try to put everything into the image, including enterprise, group-level and personal applications in addition to hardware drivers. As a result, administrators wind up with a 'very fixed and bloated image,' said Marc Roth, director of federal operations at Intrinsic.

Intrinsic's approach is to put as little in the base image as possible, he said. SWIMAGE, which stands for Single Worldwide Image, does not include device drivers in the binary image. The product maintains a database of device drivers and distributes these to each PC as needed, so the administrator does not have to lead every driver for each PC on the network into the standard image.

In addition, the product only builds core office suites and system applications into the base image. SWIMAGE maintains a database of software packages and distributes the appropriate applications through role-based definitions, the company says.

Administrators can create and edit the image through a Web-based administrative console. They also can define both current state and desired future state of all desktop systems to include locations of user data and stored profile information. They can refresh a desktop without the user even being aware.

Know your assets

Identification of an organization's information technology assets is the first step in any migration, said Paul Rochester, chief executive officer at PS Soft, a maker of IT asset management and license compliance software.

PS Soft's suite of tools integrates into a repository to give administrators a common view of the IT infrastructure, he said. The asset management suite stores detailed information on all assets culled from sources, including automatic discovery and software distribution tools, network management systems, enterprise resource planning applications, Microsoft Active Directory, databases and data sources.

The asset management suite integrates with Microsoft Systems Management Server, but it goes beyond mere discovery of devices on the network as SMS does. It can determine whether computers are stand-alone machines or shared devices ' and if shared, who the owner is. The last person logged on to a shared device might not be the owner, Rochester said.

Tim Ruland, chief information security officer at the Bureau of the Census, also advises fellow agency managers to get a handle on their environment.

'Get control of your networks. Get control of your systems,' he told an audience of federal agency officials at a recent event in Washington sponsored by the Potomac Forum. They can do this through the implementation of configuration and patch management tools.

Census has a standard desktop configuration based on Federal Information Security Management Act requirements implemented for Windows XP standards, Ruland said. The agency has also applied configuration guidelines from the Center for Internet Security.

Ruland's team is poised to put the new OMB-mandated configurations through testing. The plan is to deploy the new standard in September 2007, he said.
The agency does not plan to implement Microsoft Vista until after the 2010 census because such a deployment would be too much of a disruption of those efforts at this point, he said.

Common sense

'The OMB initiative just really speaks to [having] a well-managed environment, frankly,' said Mark Magee, director of product marketing at Symantec's Altiris business unit. Altiris information technology management software can provide agencies with that kind of capability. But they can go deeper to address security configuration issues with products such as Application Compatibility Suite.

The suite is part of new, automated software that can help reduce the time and costs associated with Vista deployment.

Agencies that adhere to guidelines from OMB and the National Institute of Standards and Technology must make sure they are not providing administration rights to all computer users, he said.

With the Application Compatibility Suite, an IT administrator can enable an application to run under administration rights capabilities for its resources without actually granting administration rights to the entire user base. This minimizes security risks, Magee said.

The suite also lets users create a consistent image of the software running on the desktop. Another OMB requirement is the ability to ensure that other applications installed on the system are not manipulating or changing configuration aspects of the base that are not authorized.

The Altiris Software Virtualization Solution, a component of the Application Compatibility Suite, allows organizations to place applications in a virtual, protected area of Windows so they can function as originally intended.

With 'some of the software virtualization [technology], we can ensure that you can install an application in the standard image, and it won't affect the base,' Magee said.

Auditing and compliance

To help agencies determine if tested systems are configured according to recommended guidance for Windows XP and Vista, NIST provides Extensible Markup Language content for automatically determining compliance. Testing standard desktop configurations in a nonproduction environment to identify adverse effects on system functionality is one of the seven actions agencies must take to meet the OMB deadline (see Page 22 for complete list).

The deadline for agencies to adhere to a standard desktop configuration is rapidly approaching. So officials at Secure Elements, a developer of auditing and compliance appliances, are advising agencies to leverage this XML content with automated solutions to obtain compliance.

In April, the company released a new version of the C5 Compliance Platform with automated system-auditing features to aid agencies in meeting OMB requirements.
Secure Elements has worked with NIST and Microsoft to offer security guidance to agencies, said Scott Armstrong, vice president of marketing and alliances at the Herndon, Va.-based company.

Secure Elements introduced the C5 Compliance Starter Bundle, which includes the software solution and a pre-configured server for collection and storage of audit results. The server can be licensed for up to 100 hosts with annual support and maintenance.

The enterprise-class auditing platform can support agencies' initial assessment and planning needs, Armstrong said. The bundle is available on the GSA Schedule for immediate purchase.

In addition, the bundled solution automates many certification and accreditation activities, such as audits of initial and deployed image configurations and assessment of conformance with recommended baseline settings or modified configuration settings.

Restricted control

Another action item for agencies is to ensure that they restrict administration of the standard configuration to authorized personnel. This means locking down desktops so users cannot make changes to the configuration unwittingly or intentionally.

But what happens if users need access to individual applications that might require administrative rights? How do you limit those privileges while
allowing users to run or install all authorized applications.

Officials at Vandenberg Air Force Base in California encountered this problem leading to a move to a standard Windows XP configuration earlier this year, said Mike De Bruin, a senior systems engineer at RS Information System, an on-site contractor managing user privileges for 500 users and 450 desktops.

The squadron De Bruin oversees ' like many other units on the base ' has customized ap-plications that users need to access. Prior to the
Air Force's standard-configuration initiative, which OMB has held up as a model for other agencies, power users at the base had administrative privileges.

De Bruin required a solution that would free system administrators from the potential need to log in users and stand by their computers to monitor their work and avoid forcing developers to rewrite applications to work in a restricted environment.

The squadron chose Privilege Manager software from BeyondTrust, which offers policy-based management of user privileges across an organization. The software's ability to work with Microsoft Group Policy, which the base already used, was an attractive feature, De Bruin said.

Group Policy lets administrators implement security settings, enforce IT policies and distribute software consistently across a given site, domain or range of organizational units.

Privilege Manager lets IT administrators filter privileges in many ways ' by time of day or specific computer, IP address, user or organizational unit ' De Bruin said. For example, they could allow only the accounting department to have secure access to accounting applications.

Currently, the base is running Windows XP Service Pack 2 in the standard configuration.

De Bruin said a product such as Privilege Manager would be needed even more if the base migrated to Vista because the operating system has more access control and other security features than XP.

'I would say going to Vista, Privilege Manager would go from being nice to being mandatory,' De Bruin said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above