Keep Change Management Under Control

Early in my career, working on a help desk, I learned that when a computer fault is logged, one of the first questions to ask is, “What changed?” My boss would always point out that computers don't stop working without a reason, and he was right. Intentional or not, modifications to system configuration can create unexpected results.

In the case of desktops, functionality and performance problems are frequently the result of user actions, often indirect, which may have accumulated over a period of time. Users commonly hold system privileges beyond what they require for their daily tasks and rarely appreciate why a relatively simple change, such as installing a new program or device, might stop a computer from operating as expected. Faulty hardware components can also produce strange side effects. Even administrators, who understand the risks, sometimes implement untested changes to expedite tasks.

Change and Configuration Management

Along with security best practices, change and configuration management procedures can be used to prevent undesirable changes, reduce the risks involved in modifying critical systems and lower desktop support costs.

Standardizing your environment as much as possible and creating a series of tested and documented baseline images for your servers and desktops is the first and most daunting task. When unexpected problems occur, you can compare the current state of a system against the baseline to determine exactly what has changed, and in extreme cases, roll your systems back to an earlier configuration.

It’s essential that when changes are made to critical systems, or parts thereof, that they are tested, approved and documented. If procedures are too time consuming or complex, users will find ways to circumvent them. Basic change management procedures for SMBs should be simple to introduce; with fewer stakeholders, getting changes approved should be relatively straightforward.

Security plays an important role in change and configuration management. Access to privileged accounts should be tightly controlled, and least-privilege security should be the rule to prevent unwanted change. A well-understood best practice, least-privilege security gives users only the rights they need to be productive. This can be difficult to implement on the desktop; before Vista, Windows did not naturally lend itself to working with nonadministrator accounts. However, the right experience and knowledge can overcome such technical challenges.

Microsoft Operations Framework

Based on the Information Technology Infrastructure Library (ITIL), MOF 4.0 is a practical guide for deploying and maintaining IT infrastructures. It is divided into four phases — Plan, Deliver, Operate and Manage — and offers a good foundation on which to base your company’s strategy for managing its IT infrastructure.

Change and configuration management is included as part of MOF in the Manage layer as a Service Management Function (SMF). Although much of the advice given may be overkill for small organizations, the basic principles outlined in MOF can be applied to businesses of any size.

MOF details the following processes for seeing a change through to completion, which I’ll group together as follows:

Change management at the simplest level should include, for each critical system in your organization, a change log that outlines who changed what, when and for what reason. A more comprehensive change management procedure should require a roll-back plan in case things go wrong, details of the potential risks, sign-off from system stakeholders and information about any post-implementation problems. This Request for Change (RFC) should be analyzed carefully by the stakeholders and change management team before approval.

You can find more detailed information on the Microsoft Operations Framework at http://technet.microsoft.com/en-us/library/cc506049.aspx

Change and Configuration Management for Desktops

A strict change management procedure for desktops may be excessive, but nonetheless restricting the changes users can make, with a balanced security policy, will lower support costs by helping you maintain a standard configuration across your desktops.

Security technologies such as personal firewalls and User Account Control (UAC), which implements least privilege in Vista, can all help to prevent unwanted changes. Windows XP post Service Pack 2 comes with an enhanced (and switched on by default) firewall. Ensuring that personal firewalls are turned on, antivirus is kept up to date, patches are deployed and other defense-in-depth security technologies are left enabled is crucial.

Change and Configuration Management Technologies

Although Windows doesn’t have any enterprise-class change management technologies out of the box, there are some tools that can help to control and identify system changes. Vista and Server 2008 include the Reliability Monitor, which tracks changes over a period of time, such as software installs and driver updates. Management technologies such as disk imaging, Active Directory Group Policy, Access Control Lists (ACLs) and UAC can be used to implement and enforce configuration.

Microsoft’s Desktop Optimization Pack (MDOP) for Software Assurance customers includes the Advanced Group Policy Management (AGPM) tool, which allows administrators to control who can edit Active Directory Group Policy Objects (GPOs), with check in/check out functionality and offline editing. It also includes an approval system, so that changes can’t be rolled forward into your production environment without consent.

Microsoft’s System Center Configuration Manager (SCCM) features the Desired Configuration Manager (DCM) tool for enforcing policies and baseline configurations. ChangeAuditor from Quest Software offers comprehensive auditing for Active Directory, which is especially useful when there are many administrators with privileged access.