A Microsoft U.S. Public Sector White Paper by Ken Page and Shelly Bird. January government

Transcription

1 Federal Server Core Configuration (FSCC) A high-level overview of the value and benefits of deploying a single, standard, enterprise-wide managed server environment A Microsoft U.S. Public Sector White Paper by Ken Page and Shelly Bird January 2009

2 Table of Contents Table of Contents... 1 Overview... 2 Benefits... 3 METHODOLOGY... Error! Bookmark not defined. SUPPORT TOOLS... Error! Bookmark not defined. Summary... 8 Page 1 of 8

3 Overview The concept of enhancing server and network security, while also reducing the total cost of ownership, first took shape on a large enterprise scale in the U.S. Air Force (USAF). It began as a follow-on project to the USAF s pioneering work on desktop standardization that grew into Federal Desktop Core Configuration (FDCC). During 2007 and 2008, the USAF, partnering with Microsoft, has led the effort to develop standard Windows Server 2003 configurations and, very recently, Windows Server 2008 configurations. Microsoft Federal, at the request of several other federal agencies, has built on the USAF s foundational work to produce Federal Server Core Configuration (FSCC) as a proposed standard until such time as the federal government produces their own formal configuration. FSCC is now being offered to federal, state, and local government agencies, along with private sector organizations, as part of a packaged service that includes a member server baseline configuration and image that can be applied to all Windows servers, and additional role-based configurations for many Microsoft server based applications. The member server baseline image is built using Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager 2007 with a process similar to the one used for building and maintaining FDCC images. These images begin with FSCC but are further tailored to the customer s unique requirements. Image deployment of the resulting Windows Image (WIM) can be accomplished through Systems Management Server / System Center Configuration Manager 2007, MDT, or a host of other tools commonly available on the market. Alternatively, FSCC can be implemented or enforced through the application of Group Policy objects (GPOs). The additional role-based configurations further adapt each server to maximize security while ensuring full application functionality. This overlaying of settings necessary to specific server roles is usually accomplished via the application of GPOs. The following table lists many of the roles currently supported by FSCC. Additional roles are being added to the offering as customer demand increases. Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) File and Print Terminal SQL Server Network Policy and Access (Network Access Protection [NAP])* Web (Internet Information Services) Domain Controller Active Directory Certificate Services (public key infrastructure [PKI])* Exchange Server 2007 Internet Security and Acceleration (ISA) Server Office SharePoint Server *Windows Server 2008 only Although FSCC is not currently a federal government mandate, there is growing momentum toward standards, as technology allows more managed IT environments. This is partly driven by a desire to follow the same successful model used for FDCC. But there are also many other reasons to drive a server standard, such as FSCC, in any enterprise: Page 2 of 8

4 1. FSCC can form a powerful part of strategies to meet multiple Office of Management and Budget (OMB) mandates, in particular: privacy information, green initiatives, and initiatives to protect sensitive information. 2. Implementing FSCC makes great sense financially and operationally. It can help enhance security, reduce operational costs, and improve the ability to rapidly adopt new technologies with less cost and trouble for administrators and users. 3. If virtual server technology is made part of the FSCC initiative (this is an optional part of the service offering), substantial cost savings can be garnered in the consolidation of servers and corresponding reduction in electrical power consumption. Benefits FSCC is designed to provide a standard, enterprise-wide, managed environment for servers running Windows operating systems. By using a common configuration developed for the enterprise, rather than multiple, costly, locally created configurations, organizations will be able to move to the right on the following infrastructure optimization model, while reaping the associated benefits. Infrastructure Optimization Model Uncoordinated, Manual Infrastructure Managed IT Infrastructure Managed & Consolidated IT Infrastructure Fully Automated Management Knowledge Not Captured Limited Knowledge Capture Extensive Knowledge Capture & Use Automated Knowledge Capture & Use Security Risk Limited Automation Extensive Automation Dynamic Resource Usage Inefficient Business-Linked SLAs Page 3 of 8

5 The following table lists some of the benefits of using common configurations. Benefit Improved security Description The common configuration improves security in two primary ways: 1. The security, performance, usability, compatibility, and feature settings in the baseline were developed with guidance from security, operations, help desk, and software engineering experts from the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the U.S. Department of Defense (DoD), the U.S. Department of Homeland Security (DHS), Microsoft, and other industry experts. 2. The applications riding on the servers are, in most cases, further configured to specifications provided by the Product Groups, which enhance security by reducing the attack surface. Improved reliability Lower support costs Agility Streamlined network management Rapid adoption of new technologies Improved use of virtualization technologies Knowledge-sharing A consistent standard usually leads to far fewer performance issues and often leads to much more predictable behavior across the enterprise. The cost of supporting hundreds or thousands of servers across a large agency is significant. By using a single baseline image and standard settings, a government agency can decrease the number of dedicated support professionals it requires. Through adoption of FSCC, agencies will be able to significantly reduce the time required to apply security patches. With a common configuration, testing, and deployment of new applications, updates and patches can be dramatically accelerated. Network management orders and notices are primary administrative tools used to direct and inform network managers on configuration management issues. A common baseline reduces the complexity of these tools and helps make compliance easier, more consistent, and faster. As new software products and upgrades are released, a common configuration allows for accelerated testing and installation of these products. This also facilitates agencywide simultaneous migration to new products or product upgrades, and it increases the value of software license maintenance agreements. Where virtual servers will be in use, the standard will provide all the details needed. It will also provide the pre-developed build to serve as the virtual template, which all servers will need to start from. FSCC was developed with the input and guidance of multiple agencies, and the foundation work and best practices of early adopters are well documented and easily shared with others, precluding the need to reinvent the wheel. Page 4 of 8

6 Methodology The approach and most of the methods used in a typical FSCC engagement are drawn from dozens of successful FDCC deliveries and follow Microsoft Solutions Framework. This section gives a very brief overview of the phases of a typical FSCC engagement, their purpose, and their results. Envision. First, an Envisioning phase gives the customer an overview of what is to come, and it outlines roles and responsibilities, assigning them appropriately between the customer s technical resources and those brought to bear by Microsoft Federal. During this kick-off period, schedules are worked out for the next two phases. Plan. Second, a Planning phase brings the customer s security and operations personnel together to work through what they want to see in the baseline configuration and server roles. The process is considerably streamlined through the use of efficient security checklists, which heavily reference Microsoft, NSA, DISA, and NIST security guidelines. This results in complete sets of security settings for each server role, along with all the necessary and agreed-upon configuration decisions, which will affect the baseline image build. Build. Third, a Build phase applies all decisions made during the Envisioning and Planning phases, resulting in one master member baseline server image in WIM format, along with concurrent Group Policies and edits to the master build that would result in various server roles. This session heavily leverages the support tools mentioned in the next session, and if the customer does not already have a solid build process for servers, should greatly improve on that process and procedure. Stabilize. Fourth, a Stabilization phase, including laboratory testing and remediation, followed by a limited production pilot, will affirm whether the new builds are working properly in the customer s environment. This session helps to build up confidence in the viability of the new standards and to prove out the value of more rapid deployment of a known standard. Deploy. Fifth, a Deployment phase, in which initial assistance will be provided to the customer as they prepare for formal deployments. Typically, this involves advice on setting up System Center Configuration Manager 2007 to support a mass-scale deployment or guidance on establishing new virtual servers where needed. The offering typically does not extend through the entire deployment, however, since the testing and production pilot in the Stabilization phase is intended to reveal and correct issues that would impede deployment. Support tools Microsoft Security Guides (and tools) Microsoft Security Guides for Windows Server 2003 and Windows Server 2008 provide not only policy white papers on recommended security settings, but also tools, such as GPO Accelerator to automate loading the Group Policies into the local Active Directory, and Security Configuration Wizard, which is used to reduce the attack surface. Microsoft Deployment Toolkit Microsoft Deployment Toolkit (MDT) is utilized if System Center Configuration Manager 2007 server is not available. MDT is a free download from the Microsoft public Web site. MDT unifies the tools and processes required for desktop Page 5 of 8

7 and server deployment into a common deployment console and collection of guidance. This fourth-generation deployment accelerator adds integration with recently released Microsoft deployment technologies to create a single path for image creation and automated installation. The end-to-end guidance of Microsoft Deployment Toolkit can help reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help-desk costs, and improve security and ongoing configuration management. Microsoft Deployment Toolkit technologies eliminate or greatly limit any necessary interaction time required to install desktop and server operating systems. Interaction at the targeted computer may take a few moments using the Lite Touch Installation (LTI) method, or it can be completely automated using Zero Touch Installation (ZTI). Zero Touch Installation utilizes Microsoft System Center Configuration Manager 2007 or Systems Management Server 2003 with the Operating System Deployment Feature Pack. Lite Touch Installation can be used when software distribution tools, such as System Center Configuration Manager 2007, are not in place. Microsoft Deployment Toolkit also uses the stand-alone, media-initiated operating system deployment feature in Configuration Manager This release offers project management guidance for all deployment roles and separates technical documentation for the products and technologies to facilitate automation tasks. Microsoft Deployment Toolkit enables deployment of the following Microsoft products: Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate (32 bit and 64 bit) RTM and SP1 Microsoft Office Professional 2007, Office Professional Plus 2007, Office Enterprise 2007, and Office Ultimate 2007 Windows Server 2008 Windows Server 2003 R2 (32 bit and 64 bit) Windows XP Professional with Service Pack 2 and Service Pack 3 (32 bit and 64 bit) or Windows XP Tablet PC Edition Download Microsoft Deployment Toolkit at: FE871C461A89&displaylang=en Server virtualization With increasing demand on IT to solve business challenges, a greater number of server workloads is required. Often, organizations isolate each workload on its own physical server, causing server sprawl. As a result, data centers quickly fill to capacity, and each new server purchase increases capital and operating expenditures, along with real estate, power, and cooling costs. The U.S. Department of Energy and the U.S. Environmental Protection Agency have reported on the high energy costs of data centers, estimating that 1.5 percent of all U.S. energy consumption occurs in data centers. i Compounding this problem, server workloads consume, on average, only 5 percent of total physical server capacity wasting hardware, space, and electricity. Server sprawl can lead to unplanned downtime, complicated disaster and recovery plans, and delayed server provisioning, creating an environment where compliance is daunting, security is threatened, and complexity becomes overwhelming. Page 6 of 8

8 The solution: Server virtualization Server virtualization has gained much attention across organizations looking to address these challenges, improving the efficiency of their IT operations, and enhancing their responsiveness to changing conditions. The core idea of server virtualization is simple: Use software to create a virtual machine (VM) that emulates a physical server. This creates a separate operating system environment (OSE) that is isolated from the host server. By providing multiple virtual machines, organizations can run several operating systems simultaneously on a single physical machine. Benefits of server virtualization include: Increased IT efficiency through server consolidation, reducing hardware, space needed and associated costs, and management complexity. Decreased energy consumption and associated carbon emissions. Fewer disruptive events, thanks to streamlined maintenance and disaster recovery, which maximize system availability and help ensure business continuity. Dynamic resource allocation and streamlined workload provisioning to efficiently support business growth and meet Service Level Agreements (SLAs). Windows Server 2008 Hyper-V Windows Server 2008, the most advanced Windows Server operating system yet, increases server infrastructure flexibility, while saving time and reducing costs. With Windows Server 2008, you can develop, deliver, and manage rich user experiences and applications, help provide a highly secure network infrastructure, and increase technological efficiency and value within your organization. Windows Server Hyper-V, the next-generation hypervisor-based server virtualization technology, allows you to make the best use of your server hardware investments by consolidating multiple server roles as separate VMs running on a single physical machine. With Hyper-V, you can also efficiently run multiple different operating systems Windows, Linux, and others in parallel, on a single server, and fully leverage the power of x64 computing. And, because Hyper-V uses the same Virtual Hard Disk (VHD) format as Microsoft Virtual Server 2005 R2, migrating workloads from this earlier technology is relatively straightforward. Incorporating the FSCC initiative into a new modeling of the servers around virtualization technologies makes a lot of sense. Unlike traditional management of physical servers, virtualization demands use of templates and standard builds. Failing to establish standards, such as FSCC, greatly complicates efforts to properly manage the virtual systems. System Center Configuration Manager 2007 System Center Configuration Manager 2007 incorporates a new operating system deployment feature with the latest version. Should Configuration Manager be available, the FSCC team will take advantage of it, using it not only to distribute the standardized server images, but also to establish a clear build process with Configuration Manager to create and allow continual updates of the server baselines, as necessary. Page 7 of 8

9 Group Policy Active Directory Group Policy features included in Windows Server 2003 and Windows Server 2008 are critical to effective FSCC implementation. Group Policy objects are created not only to implement, but also to actually enforce key settings in the new FSCC standard server roles and baseline builds. If the customer has the Microsoft Deployment Optimization Pack (MDOP) license, Microsoft Federal recommends taking further advantage of the Advanced Group Policy Management that is available in that product. Summary For customers wanting to extend the benefits of FDCC to their server environment and further optimize their infrastructure, FSCC is right next step. This service offering delivers enhanced security, reduced operating costs, and the ability to accelerate the adoption of new technologies across the enterprise. Join the growing list of agencies and organizations making the most of FSCC today. For additional information, contact Ken Page at , or send an message to Federal Server Core Configuration Inquiry. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Microsoft Corporation. All rights reserved. Microsoft, Active Directory, SQL Server, Windows, Windows Vista, and Windows Server are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. i U.S. EPA, Report to Congress on Server and Data Center Energy Efficiency, Public Law , August Page 8 of 8