In the pre-Windows enterprise, client management was easy—you didn't have anything to manage. Back then, most clients were dumb terminals or, at best, X terminals that didn't have many local resources. With the proliferation of Windows desktops, however, client change and configuration management has become a major problem, especially in large enterprises. And because most PCs are extremely versatile, ready to be melded and extended with new software and hardware, this management task is exponentially more difficult. Short-lived attempts to overcome these problems—such as the Windows-based Terminals that Microsoft was touting a few years ago—suggest that we're going to have to learn to deal with the PC. Thankfully, software solutions are available, and some are amazingly full featured.
To tackle change and configuration management, Microsoft is expanding its Systems Management Server (SMS) product line, historically used for software and patch deployment, into new areas. For example, SMS 2.0 provides simple asset tracking and security distribution, which identifies systems on the network that lack certain hotfixes and patches and distributes the correct updates accordingly. In fact, in recent conversations with Microsoft, I discovered that SMS users liked the security-patching capabilities so much that Microsoft decided to ship an SMS Value Pack this summer that integrates SMS 2.0 with Windows Update to make rolling out the Windows Update patches easier.
Some change and configuration management tools are strictly report oriented. For example, Ecora Software ships a line of Configuration Auditor products, including versions for Windows workstations and Windows 2000 and Windows NT servers. Configuration Auditor tracks and identifies configuration changes so you can more easily enforce corporate standards or align PCs with Ecora's built-in baseline configurations.
However, report-oriented tools lack the ability to act on the information you obtain. BindView offers a line of bv-Admin products that combine basic change and configuration report functionality (with an emphasis on auditing and security configuration) with scripting capabilities that let you automate certain tasks, such as resetting passwords and configuring security options.
For total control over change and configuration management, however, a proactive tool, such as Configuresoft's upcoming Enterprise Configuration Manager (ECM) 4.0, lets you configure workstations across the enterprise from one administrative console. So, if you want to bring your desktops in line with the guidance in Microsoft's Security Operations Guide, for example, ECM 4.0 can tell you which machines aren't in compliance and make changes to those machines to ensure they're in compliance.
ECM's functionality is compelling for a variety of reasons, including its granular, roles-based management model that lets administrators delegate management responsibilities logically and fine-tune the report and action views based on need and job requirements. The full-featured and automated change management aspects of this product set it apart from the report-oriented products I mentioned earlier. ECM 4.0 lets you automatically take corrective action on any PC in your enterprise, select configuration templates and apply them en masse to multiple PCs, and prevent unauthorized PC configuration changes. "There are viewers and there are doers," said Randy Streu, Configuresoft's vice president of Product Marketing. Indeed, these automation capabilities are so necessary and desirable to large enterprises that I'm surprised Microsoft hasn't yet licensed the technology in a deal similar to the one the company struck with NetIQ that resulted in Microsoft Operations Manager (MOM). A free preview of ECM 4.0 is available online.
Speaking of Microsoft, the fact that the company isn't more aggressively targeting this increasingly important management problem is curious. SMS 2003, due next year, will include better mobile support (both laptops and Pocket PC devices) and better Active Directory (AD) integration, but my discussions with Microsoft uncovered little in the way of change and configuration management improvements. The company's long-term plans—which include some as yet unknown restructuring of its current management server lineup—are still vague. As Microsoft Senior Vice President Brian Valentine put it, "The next generation of management solutions from Microsoft will deliver leadership and vision in this critical area for customers."
Unfortunately for Microsoft, many of its customers need leadership and vision today; I recommend that they check out some of the products mentioned above. However, I'm interested in hearing about how you're tackling change and configuration management today, and what other management hurdles you face.