Capability: Security and Networking

On This Page

Introduction
Requirement: Antivirus Software for Desktops
Checkpoint: Antivirus Software for Desktops
Requirement: Centralized Firewall Services
Checkpoint: Centralized Firewall Services
Requirement: Internally Managed Basic Networking Services (DNS, DHCP, WINS)
Checkpoint: Internally Managed Basic Networking Services (DNS, DHCP, WINS)
Requirement: Availability Monitoring of Critical Servers
Checkpoint: Availability Monitoring of Critical Servers

Introduction

Security and Networking is the third Core Infrastructure Optimization capability. The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Standardized level in Security and Networking.

Challenges

Business Challenges

  • Lack of basic security standards to protect against malicious software and attacks

  • Antivirus updates are not managed well, increasing attack risk

  • Help desk is reactive, spending the majority of its time on security-related issues

IT Challenges

  • IT workers manually perform updates and deploy patches on each machine

  • Irregular, unpredictable server outages mean outages in network services, reducing end-user productivity

  • Network administrators individually manage IP addresses to avoid duplication, and manually apply configuration changes to workstations

Solutions

Projects

  • Deploy a firewall with a lock-down configuration (possibly a multi-tier firewall solution)

  • Implement networking services such as a DNS server to easily find and access network services, and a DHCP server for automatic, centralized IP address management

  • Implement a managed, standardized antivirus solution for desktops

Benefits

Business Benefits

  • Established policy standards provide a more consistent computing environment

  • Improved desktop security by rapidly and reliably delivering patches for targeted vulnerabilities

IT Benefits

  • Centrally managed patches provide a more stable and secure infrastructure

  • Efficient and reliable TCP/IP network configuration helps prevent IP address conflicts and conserves IP addresses through centralized management of address allocation

  • Controlled, robust environment that can withstand attacks through security "layers" at the perimeter, server, desktop, and application levels

  • Reduced complexity of hardware and software operations leads to smoother change management processes

The Standardized level in the Infrastructure Optimization Model addresses key areas of networking and security components, including:

  • Antivirus Software for Desktops

  • Centralized Firewall Services

  • Internally Managed Basic Networking Services (DNS, DHCP, WINS)

  • Availability Monitoring of Critical Servers

The Standardized level of optimization requires that your organization has standard antivirus software installed on clients, a centralized perimeter firewall, basic networking services, and availability monitoring for critical servers.

Requirement: Antivirus Software for Desktops

Audience

You should read this section if you do not have antivirus software with automated signature updating running on 80 percent or more of your desktops.

Overview

Every organization should develop an antivirus solution that will provide a high level of protection to its network and technology resources. However, many networks still become infected, even after the installation of antivirus software. This section provides information on successfully approaching the problem of malicious software (also called malware).

Phase 1: Assess

In the Assess Phase, your organization needs to take an inventory of managed desktop systems and determine their hardware specifications, operating systems, applications, and whether antivirus software or other malicious software-detection software is currently installed. We recommend that you use a tool to automate the inventory process, such as Systems Management Server (SMS) 2003, the Application Compatibility Toolkit, or the Windows Vista Hardware Assessment.

Phase 2: Identify

The goal of the Identify Phase in determining an antivirus strategy is to define your organizational needs for security. Antivirus products vary by manufacturer and offer varying levels of protection and coverage against non-virus threats. Using the information gathered in the Assess Phase, your organization will be able to determine the compatibility requirements of antivirus software and identify the correct solution for your organization.

Phase 3: Evaluate and Plan

As with network security measures, Microsoft recommends a defense-in-depth approach to antivirus design to help ensure that the safeguards your organization adopts will be properly designed and reliably maintained.

Such an approach is vital to the computer security of your organization, because unfortunately, regardless of how many useful features or services a computer system provides, someone will try to find a vulnerability to exploit for malicious purposes.

Levels of Defense

The following figure indicates the levels within an organization that are vulnerable to a malicious software attack.

[Figure image007.gif: the levels within an organization that are vulnerable to a malicious software attack]

This section of the guide addresses the need for an antivirus plan for the host, application, and data levels, specifically, for client desktop computers within the organization. The other levels are covered in other documents in this series.

Client Defenses

When malicious software reaches a host computer, defense systems must focus on protecting the host system and its data and stopping the spread of the infection. These defenses are no less important than the physical and network defenses in your organization’s network environment. You should design your host defenses based on the assumption that the malicious software has found its way through all outer layers of defense. This approach is the best way to achieve the highest level of protection.

Phase 4: Deploy

In the Deploy Phase, you should implement a number of approaches and technologies for client antivirus protection. The following sections provide details that Microsoft recommends for consideration.

Step 1: Reduce the Attack Surface

The first line of defense at the application layer is to reduce the attack surface of the computer. All unnecessary applications or services should be removed or disabled on the computer to minimize the number of ways an attacker could exploit the system.

Step 2: Apply Security Updates

The sheer number and variety of client machines that may be connected to an organization's networks can make it difficult to implement a fast and reliable security update management service. Microsoft and other software companies have developed tools you can use to help manage this problem. For more detailed information on operating system patch distribution, see the section Requirement: Automated Patch Distribution to Desktops and Laptops in this guide.

Step 3: Enable a Host-Based Firewall

The host-based or personal firewall represents an important layer of client defense that you should enable, especially on laptops that end users may take outside your organization's usual network defenses. These firewalls filter all data that is attempting to enter or leave a particular host computer.

Step 4: Install Antivirus Software

You can choose from multiple antivirus solutions on the market, each of which attempts to protect the host computer with minimal inconvenience to and interaction with end users. Most of these applications have become very effective in providing this protection, but they all require frequent updates to keep up with new malicious software. Any antivirus solution should provide a rapid and seamless mechanism to ensure that updates to the required signature files—files that contain information antivirus programs use to detect and address malicious software during a scan, and which are regularly updated by antivirus application vendors—are delivered to the client computer as quickly as possible.

Note, however, that such updates present their own security risk, because signature files are sent from the antivirus vendor's update site to the host application (usually via the Internet). For example, if the transfer mechanism used to obtain the file is File Transfer Protocol (FTP), the organization's perimeter firewalls must allow this type of access to the required FTP server on the Internet. Ensure that your antivirus risk assessment process reviews the update mechanism for your organization, including the transport protocol, the firewall rules it requires, and how the client authenticates the update source and verifies the integrity of the downloaded signature files, and that this process is secure enough to meet your organization's security requirements.

Step 5: Test with Vulnerability Scanners

After you have configured a system or network, you should check it periodically to ensure that no security weaknesses exist. To assist you with this process, a number of applications act as scanners to look for weaknesses that both malicious software and hackers may attempt to exploit. The best of these tools update their own scanning routines to defend your system against the latest weaknesses.
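To make the Deploy steps above measurable against the 80 percent bar this requirement sets, the following Python script evaluates a desktop inventory the way an assessor would. It is an added example, not part of the original guide and not code from any Microsoft tool; the inventory records, the seven-day signature-age limit, and the field names are constructed assumptions, and in practice the records would be populated from your inventory tool or a per-host query. It deliberately distinguishes "antivirus installed" from "protected": a host whose signatures have stopped updating is counted as unprotected, so a fleet can show 80 percent installed and still miss the bar.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed thresholds (not from the guide): signatures older than this are stale,
# and the coverage bar is the guide's 80 percent requirement.
MAX_SIGNATURE_AGE_DAYS = 7
COVERAGE_THRESHOLD = 0.80


@dataclass
class Desktop:
    """One managed desktop as an inventory tool would report it (constructed fields)."""
    name: str
    av_installed: bool
    signature_date: Optional[date]      # None when no antivirus product is present
    host_firewall_enabled: bool
    missing_security_updates: int


def is_protected(d: Desktop, today: date) -> bool:
    """Installed antivirus with signatures no older than MAX_SIGNATURE_AGE_DAYS."""
    if not d.av_installed or d.signature_date is None:
        return False
    return (today - d.signature_date).days <= MAX_SIGNATURE_AGE_DAYS


def installed_fraction(desktops: List[Desktop]) -> float:
    """Naive metric: share of desktops with any antivirus product installed."""
    if not desktops:
        return 0.0
    return sum(1 for d in desktops if d.av_installed) / len(desktops)


def assess(desktops: List[Desktop], today: date) -> Dict[str, object]:
    """Apply the checkpoint: patched, host firewall on, effective AV coverage >= 80%."""
    protected = [d.name for d in desktops if is_protected(d, today)]
    coverage = len(protected) / len(desktops) if desktops else 0.0
    return {
        "coverage": coverage,
        "meets_standardized": coverage >= COVERAGE_THRESHOLD,
        "protected": protected,
        # Installed but signatures stale: counted as unprotected in "coverage".
        "stale_signatures": [d.name for d in desktops
                             if d.av_installed and not is_protected(d, today)],
        "no_antivirus": [d.name for d in desktops if not d.av_installed],
        "firewall_disabled": [d.name for d in desktops if not d.host_firewall_enabled],
        "missing_updates": {d.name: d.missing_security_updates
                            for d in desktops if d.missing_security_updates > 0},
    }


# Constructed sample inventory (not real hosts) as of a fixed assessment date.
ASSESSMENT_DATE = date(2024, 1, 15)
SAMPLE_INVENTORY = [
    Desktop("ws01", True, date(2024, 1, 14), True, 0),
    Desktop("ws02", True, date(2024, 1, 13), False, 2),
    Desktop("ws03", True, date(2023, 11, 30), True, 0),   # installed, signatures stale
    Desktop("ws04", False, None, True, 5),                # no antivirus at all
    Desktop("ws05", True, date(2024, 1, 15), True, 0),
]


if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY, ASSESSMENT_DATE)
    print(f"installed: {installed_fraction(SAMPLE_INVENTORY):.0%}, "
          f"effectively protected: {result['coverage']:.0%}")
    for key in ("stale_signatures", "no_antivirus", "firewall_disabled", "missing_updates"):
        print(f"{key}: {result[key]}")
    print("Standardized checkpoint met:", result["meets_standardized"])
```

On the sample data four of five desktops have antivirus installed (80 percent), but only three have current signatures, so effective coverage is 60 percent and the checkpoint is not met; the report also lists the host with the firewall disabled and the hosts with outstanding security updates, which are the other two items in the checkpoint.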

Operations

As with most software, antivirus applications require a mechanism to allow continuous updates. The Automated Patch Distribution to Desktops and Laptops section earlier in this guide discusses in depth the process requirements and tools available to automate software updates. Additionally, we recommend that your organization require the selected antivirus software to be running at all times. The Core Infrastructure Optimization Model Standardized to Rationalized Implementer Resource Guide will discuss how the antivirus software can be enforced to run at all times using Group Policy.

Suggested Antivirus Software

The following software products have been tested by Microsoft to work with Microsoft operating systems:

Further Information

For more information on implementing antivirus software, go to The Antivirus Defense-in-Depth Guide.

To see how Microsoft approaches antivirus issues, go to https://www.microsoft.com/technet/itshowcase/content/msghygiene.mspx.

Checkpoint: Antivirus Software for Desktops

Requirements (tick each that you have completed):

  • Installed all operating system and software application security updates.

  • Enabled available host-based firewalls.

  • Installed antivirus software on 80 percent or more of your desktop computers.

If you have completed the steps listed above, your organization has met the minimum requirement of the Standardized level for Antivirus Software for Desktops. We recommend that you follow additional best practices for antivirus protection addressed at the Microsoft TechNet Security Center.

Go to the next Self-Assessment question.

Requirement: Centralized Firewall Services

Audience

You should read this section if you do not have a centralized (not per-desktop) firewall protecting 80 percent or more of your systems.

Overview

Firewalls are a key part of keeping networked computers safe and secure. All computers need the protection of a firewall, whether it’s the thousands of servers and desktops that compose the network of a Fortune 500 company, a traveling salesperson’s laptop connecting to the wireless network of a coffee shop, or your grandmother’s new PC with a dial-up connection to the Internet.

This section of the guide looks at both network and host-based firewalls (also called personal firewalls). Although home users have traditionally used only host-based firewalls, recent trends in security breaches highlight the importance of using both types of firewalls combined. The Standardized optimization level in the Infrastructure Optimization Model does not require host-based firewalls; these are introduced later in the model. This guide discusses all five primary classes of firewall technology.

The following guidance is based on the Firewall Services Implementation Guides of the Windows Server System Reference Architecture.

Phase 1: Assess

The Assess Phase of implementing a firewall strategy addresses the business need for securing data and access to data stores and determines what, if any, firewall infrastructure is available. Every organization maintains some sensitive information that can harm the organization if it falls into the wrong hands. The potential for such harm becomes even higher, and its impact greater, if an organization actively uses the Internet for hosting various applications and services such as:

  • General information-gathering and research.

  • Obtaining financial market data.

  • Providing online retail services.

  • E-mail communications.

  • Virtual private networks (VPNs) for remote workers.

  • VPN-based branch office connectivity.

  • Voice communications.

To provide even the most common of such services, for example e-mail, organizations must connect their internal systems to the Internet. In doing so, these systems become accessible to external sources and, therefore, vulnerable to attack. Organizations are also subject to the costs that such connections require, including payments to an Internet service provider (ISP) and investments in technologies that can protect their information systems.

Clearly, it is important to prevent information system attacks, to legally prosecute those who perpetrate them, and to be as knowledgeable as possible about the risks from different kinds of attacks.

Phase 2: Identify

The Identify Phase explores the technology available to protect your organization’s information and provides the input necessary to evaluate your firewall options and begin planning the implementation of firewall technology.

Types of Firewalls

There are two main types of firewalls: network firewalls and host-based (personal) firewalls. Network firewalls, such as the software-based Microsoft® Internet Security and Acceleration Server (ISA Server), or hardware-based switched firewall systems, protect the perimeter of a network by watching traffic that enters and leaves the network. Host-based firewalls protect an individual computer regardless of the network it’s connected to. You might need one or the other—but most organizations require a combination of both to meet their security requirements.

Firewalls can be further divided into five classes:

  • Class 1 – Personal Firewall. These are host-based software firewalls that protect a single computer.

  • Class 2 – Router Firewall

  • Class 3 – Low-End Hardware Firewall

  • Class 4 – High-End Hardware Firewall

  • Class 5 – High-End Server Firewall

Network Firewalls – Classes 2-5

Network firewalls protect an entire network by guarding the perimeter of that network. Network firewalls forward traffic to and from computers on an internal network, and filter that traffic based on the criteria the administrator has set.

Network firewalls can be either hardware or software based. Hardware-based network firewalls are generally cheaper than software-based network firewalls, and are the right choice for home users and many small businesses. Software-based network firewalls often have a larger feature set than hardware-based firewalls, and might fit the needs of larger organizations. Software-based firewalls can also run on the same server as other services, such as e-mail and file sharing, allowing small organizations to make better use of existing servers.

When addressing secure network connectivity, administrators need to consider the following:

  • Security

  • Management complexity

  • Cost

By addressing these key security challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.

Firewall Features

Depending on the features that a firewall supports, traffic is either allowed or blocked using a variety of techniques. These techniques offer different degrees of protection based on the capabilities of the firewall. The following firewall features are listed in increasing order of complexity, and are explained in the following sections:

  • Network Adapter Input Filters

  • Static Packet Filters

  • Network Address Translation (NAT)

  • Stateful Inspection

  • Circuit-Level Inspection

  • Proxy

  • Application-Layer Filtering

Network Adapter Input Filters

Network adapter input filtering examines source or destination addresses and other information in the incoming packet and either blocks the packet or allows it through. This filtering applies only to incoming traffic.

Static Packet Filters

Static packet filters match IP headers to determine whether or not to allow the traffic to pass through the interface. This filtering applies to both incoming and outgoing traffic.

Network Address Translation (NAT)

NAT rewrites the private (internal) source address of outbound traffic to a public Internet address. Although NAT is not strictly a firewall technology, concealing the real IP addresses of internal hosts denies attackers useful information about the internal network, and an unsolicited inbound packet for which no translation exists has nowhere to go. Treat NAT as a complement to filtering, not a substitute for it.

Stateful Inspection

In stateful inspection, every permitted outgoing connection is recorded in a state table (typically the protocol, the source and destination addresses and ports, and the connection status). When traffic returns to the interface, it is matched against the state table and admitted only if it belongs to a connection that a host behind the interface originated; inbound packets that match no table entry are dropped.

Circuit-Level Inspection

With circuit-level filtering it is possible to inspect sessions, as opposed to connections or packets.

Proxy

A proxy firewall gathers information on behalf of the client and returns the data it receives from the service back to the client.

Application-Layer Filtering

The most sophisticated level of firewall traffic inspection is application-level filtering. Good application filters allow you to analyze a data stream for a particular application and provide application-specific processing.

In general, firewalls that provide complex features will also support simpler features. However, you should read vendor information carefully when choosing a firewall because there can be subtle differences between the implied and actual capability of a firewall. Selection of a firewall typically involves inquiring about its features, and testing to ensure that the product can indeed perform according to specifications.
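The practical difference between a static packet filter and stateful inspection is easier to see in code than in prose. The following Python model is an added example, not code from this guide or from any firewall product; the packets, addresses, and rules are constructed. Both engines implement the same intent, "internal hosts may reach web servers", but the static filter must open a standing hole for inbound packets with source port 80 so that replies can return, and that hole admits unsolicited packets that merely claim to come from port 80. The stateful engine records each permitted outbound flow and admits an inbound packet only when it matches a recorded flow in reverse.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """A simplified packet; direction is relative to the protected network."""
    direction: str   # "out" = leaving the internal network, "in" = arriving from outside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A header-matching rule; a port of None matches any port."""
    direction: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    action: str          # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))


class StaticPacketFilter:
    """Judges each packet in isolation: first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFirewall:
    """Policy applies to outbound traffic only; inbound must match a recorded flow."""

    def __init__(self, outbound_rules: List[Rule]):
        self.rules = outbound_rules
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            for rule in self.rules:
                if rule.matches(p):
                    if rule.action == "allow":
                        # Remember the flow so that its replies can be recognised.
                        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    return rule.action
            return "deny"
        # Inbound: reverse the tuple and look for the originating outbound flow.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if reverse in self.state else "deny"


def run(firewall, packets: List[Packet]) -> List[str]:
    """Feed packets in order and return the decision for each."""
    return [firewall.decide(p) for p in packets]


# Constructed traffic: one legitimate web request and its reply, then two unsolicited
# inbound packets crafted with source port 80 so that they look like replies.
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 80),   # client opens connection
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 51000),   # server's genuine reply
    Packet("in",  "tcp", "198.51.100.7", 80, "10.0.0.5", 51000),   # forged: wrong source host
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.9", 51000),   # no such outbound flow
]

ANY = None
STATIC_RULES = [
    Rule("out", "tcp", ANY, 80, "allow"),   # let clients reach web servers
    Rule("in",  "tcp", 80, ANY, "allow"),   # needed so replies can return: the standing hole
]
OUTBOUND_POLICY = [Rule("out", "tcp", ANY, 80, "allow")]


def compare() -> Dict[str, List[str]]:
    """Run the same traffic through both engines."""
    return {
        "static": run(StaticPacketFilter(STATIC_RULES), TRAFFIC),
        "stateful": run(StatefulFirewall(OUTBOUND_POLICY), TRAFFIC),
    }


if __name__ == "__main__":
    for engine, decisions in compare().items():
        print(f"{engine:9s}", decisions)
```

The static filter allows all four packets, including the two forged ones, because the rule that lets replies back in cannot tell a reply from anything else arriving with source port 80. The stateful engine allows only the first two: the forged packets match no recorded flow and are dropped, with no inbound rule at all.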

Phase 3: Evaluate and Plan

Your organization’s goal during the Evaluate and Plan Phase should be to determine a strategy for firewall service. This strategy will cover three primary elements of firewall design:

Perimeter firewall design: A firewall solution designed to protect the enterprise infrastructure from nonsecured network traffic originating from the Internet.

Internal firewall design: A second firewall boundary designed to protect the traffic between semi-trusted network elements and internal trusted elements.

Proxy design: The proxy solution provides a mechanism to provide secure and manageable outbound communications for hosts on internal networks.

Each of these technology solutions needs to meet specific service-level goals, in addition to design goals such as availability, security, and scalability.

Phase 4: Deploy

The goal of the Deploy Phase is to implement the strategy your organization selected and tested in the Evaluate and Plan Phase. Specific deployment routines will vary depending on the classes of firewall selected. For information on installing software-based ISA Server 2006 Enterprise Edition firewall technology, see the ISA Server 2006 Enterprise Edition Installation Guide.

Operations

Operational considerations for firewall services include managing network security, protecting the network, detecting intrusions, and reacting and implementing standardized operational requirements. To get more information about ISA Server 2006 operations tasks, such as administration, monitoring, performance, and troubleshooting to maintain your ISA Server system for optimal service delivery, visit Microsoft ISA Server 2006 – Operations at Microsoft TechNet.

Further Information

For more information on firewalls, visit Microsoft TechNet and search on “firewall.”

To see how Microsoft manages firewalls and other security risks, go to https://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx.

Checkpoint: Centralized Firewall Services

Requirements (tick each that you have completed):

  • Installed a centralized hardware or software firewall.

If you have completed the step listed above, your organization has met the minimum requirement of the Standardized level for Centralized Firewall Services.

We recommend that you follow additional best practices for firewalls addressed in the Firewall Services Implementation Guides of the Windows Server System Reference Architecture.

Go to the next Self-Assessment question.

Requirement: Internally Managed Basic Networking Services (DNS, DHCP, WINS)

Audience

You should read this section if you do not have internal servers for basic networking services.

Overview

IT networks in today's organizations have multitudes of computing devices, ranging from high-end servers to personal computers, which need to communicate with each other over the local area network (LAN). To do so, each device needs to have an identity in the form of either a logical device name (chosen by the organization) or an address that uniquely identifies the device and its location on the network.

For small networks (those with up to 500 devices), it is possible to maintain and distribute names and addresses manually, but as networks grow in size and complexity, the maintenance of an effective name resolution service becomes more and more time consuming and resource-intensive.

DNS, DHCP, and WINS are the three mechanisms that provide name resolution and IP address allocation and management in enterprise environments. There are alternative mechanisms, but in most cases DNS and DHCP form the backbone of the service, and WINS covers any remaining requirement for NetBIOS name resolution alongside the DNS namespace.

The following guidance is based on the Windows Server System Reference Architecture Introduction to Network Services.

Phase 1: Assess

The goal of the Assess Phase for basic networking services is to define the business need for name resolution and what infrastructure, if any, is currently in place. With the widespread adoption of directory services that provide simplified access to enterprise resources, name resolution has now become a key network service. Directory services need a reliable and efficient name resolution system so that users, client operating systems, and servers can locate resources using names rather than addresses. These functions need to be performed without compromising the security of the network or the services the network provides.

Phase 2: Identify

After your organization has assessed its need for name resolution, you should begin to identify the technologies that match your requirements.

Domain Name System (DNS)

The primary purpose of DNS is to translate easy-to-remember, human-readable host names into numeric IP addresses. Among its many other functions, DNS also locates the mail exchange (MX) servers responsible for the domain part of an e-mail address, which is how mail is routed to the recipient's organization.

Dynamic Host Configuration Protocol (DHCP)

DHCP is a protocol that allows a computer, router, or other network device to request and obtain an IP address that is unique on its network, together with other configuration parameters such as the subnet mask, default gateway, and DNS server addresses, from a server that manages a pool of available IP addresses for that network.

Windows Internet Naming Service (WINS)

Windows Internet Naming Service (WINS) is a NetBIOS name-resolution service that allows client computers to register their NetBIOS names and IP addresses in a dynamic, distributed database and to resolve the NetBIOS names of network resources to their IP addresses.

WINS and DNS are both name-resolution services for TCP/IP networks. While WINS resolves names in the NetBIOS namespace, DNS resolves names in the DNS domain namespace. WINS primarily supports clients that run earlier versions of Windows, and applications that use NetBIOS. Microsoft Windows 2000, Microsoft Windows XP, and Windows Server 2003 use DNS names in addition to NetBIOS names. Environments that include some computers that use NetBIOS names and other computers that use domain names must include both WINS servers and DNS servers. If all computers in your networks are running Windows 2000 or later and none of your applications depend on NetBIOS names, DNS (which Active Directory requires in any case) can provide all name resolution and WINS is not needed.

Phase 3: Evaluate and Plan

After you have identified name resolution organizational needs and the network services required to implement, it is important to evaluate the proposed technology and how it will support your organizational goals.

Internal DNS Server

Typically, Windows Server 2003 DNS is deployed in support of Active Directory directory service. In this environment, DNS namespaces mirror the Active Directory forests and domains used by an organization. Network hosts and services are configured with DNS names so they can be located in the network. They are also configured with DNS servers that resolve the names of Active Directory domain controllers. Windows Server 2003 DNS is also commonly deployed as a non-Active Directory, or standard, DNS solution, for hosting the Internet presence of an organization, for example.

Establishing internal DNS servers gives you the greatest flexibility and control over both internal and external domain name resolution. This reduces both intranet and Internet network traffic. The following figure illustrates how Active Directory-integrated zones and file-based secondary zones can be deployed together to provide enterprise DNS services.

[Figure image008.jpg: Active Directory-integrated zones and file-based secondary zones deployed together to provide enterprise DNS services]

Internal DHCP Server

In Windows Server 2003, the DHCP service provides the following benefits:

  • Reliable IP address configuration. DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.

  • Reduced network administration. DHCP includes the following features to reduce network administration:

    • Centralized and automated TCP/IP configuration.

    • The ability to assign a full range of additional TCP/IP configuration values by using DHCP options.

    • The efficient handling of IP address changes for clients that must be updated frequently, such as those for portable computers that move to different locations on a wireless network.

    • The forwarding of initial DHCP messages by using a DHCP relay agent, thus eliminating the need to have a DHCP server on every subnet.

WINS and Internal Resources

Windows Server 2003 components that require name resolution attempt DNS first and fall back to WINS, the previous default Windows name resolution service, only when DNS cannot resolve the name. If your organization has computers that are running operating systems earlier than Windows 2000, you will need to implement WINS for those systems. As you move from the Basic Infrastructure Optimization level to the Standardized level, you will be consolidating your IT environment by running at most two operating system versions. Replacing earlier systems and standardizing on newer operating systems eliminates the need for WINS in your organization, provided that no remaining applications depend on NetBIOS names.

Phase 4: Deploy

The goal of the Deploy Phase is to implement the technologies selected to enable basic networking services required for name resolution. For detailed guidance for deploying DNS and DHCP, see the Deploying Network Services guidance found in the Windows Server 2003 Deployment Guide.

Further Information

Checkpoint: Internally Managed Basic Networking Services (DNS, DHCP, WINS)

Requirements (tick each that you have completed):

  • Implemented DNS services on servers or other devices within your organization.

  • Implemented DHCP services on servers or other devices within your organization.

  • Implemented WINS services for older operating systems on servers or other devices within your organization.

If you have completed the steps listed above, your organization has met the minimum requirement of the Standardized level for Internally Managed Basic Networking Services (DNS, DHCP, WINS).

We recommend that you follow additional best practices for basic networking services addressed in the Network Services Implementation Guides of the Windows Server System Reference Architecture.

Go to the next Self-Assessment question.

Requirement: Availability Monitoring of Critical Servers

Audience

You should read this section if you do not monitor 80 percent or more of your critical servers.

Overview

The efficiency and productivity of your organization’s computing infrastructure depends on the continuous availability of critical servers such as DNS, DHCP, File and Print, and e-mail servers. You need to establish policies and procedures to monitor these servers to quickly become aware of decreased performance or interruptions of service. Software is available to automate this monitoring and send alerts to the appropriate people so that they can take corrective steps.

Phase 1: Assess

In the Assess Phase of Availability Monitoring of Critical Servers your organization should take an inventory of all servers in your organization’s infrastructure. You can manually identify the servers and specifications or use a tool to automate the inventory process, such as the Systems Management Server (SMS) 2003 inventory collection features.

Phase 2: Identify

After all servers have been inventoried, the Identify Phase is primarily a prioritization of servers and classification of which servers are critical enough to require availability monitoring. Servers should be prioritized according to their impact on the business or operations if they are unavailable. For example, a messaging service may be the communication backbone to your operation; in this case your monitoring should not only extend to the e-mail server, but also the domain controllers and any other servers required for the service.

Phase 3: Evaluate and Plan

The Evaluate and Plan Phase looks at the requirements for availability monitoring of the servers in the defined critical services. In this phase, you evaluate the technology options, decide which solution to implement, test, and plan for deployment.

The first step prior to evaluating a technology solution is establishing what you need to monitor, and deriving a Health Model. The Health Model defines what it means for a system or service to be healthy (operating within normal conditions) or unhealthy (failed or degraded) and the transitions in and out of such states. Good information on a system’s health is necessary for the maintenance and diagnosis of running systems. For more information, see Microsoft Operations Framework Service Monitoring and Control.

Availability Management

Availability management addresses the design, implementation, measurement, and management of IT infrastructure availability to ensure that stated business requirements for availability are consistently met. Availability management can be applied to IT services that are defined as critical business functions, even when no service level agreement exists, as is common in the Standardized level of optimization. For more information, see Microsoft Operations Framework Availability Management.

Monitoring Software

This section illustrates how software can be used to monitor the availability of critical servers. In this example, Microsoft® Operations Manager (MOM) is used in the monitoring role. Software for monitoring availability of servers should have the following functionality:

  • Ability to gather server attribute information, and apply specific rules to monitor them, based on their attributes.

  • Ability to obtain data from event logs and other providers, as defined by specific rules.

  • Ability to collect performance data based on performance counters.

  • Ability to generate alerts based on criteria specified in rules.

Response to Events

You can use the monitoring data to quantify, evaluate, and sustain a high level of IT service. This level of service is based on:

  • Availability – Monitor the availability of servers by communicating with them to make sure they are running.

  • Performance – Monitor performance counters to make sure that servers are running within acceptable parameters.

  • Capacity – Monitor disk capacity, and capacity analysis and planning.

  • Error recognition – Identify errors or conditions that affect the previous three aspects of service levels.
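The following Python is an added example, not code from the original guidance or from MOM itself. It sketches how the Health Model described earlier and the four service aspects just listed fit together: availability is a heartbeat result, performance and capacity are counter readings checked against thresholds, and error recognition is the list of reasons attached to a state. The counter paths follow the Windows performance-counter naming convention, but the threshold values, the server name and the sample readings are assumptions made for the example.

```python
"""Health model evaluator: added illustration, not MOM code.

Each Sample is a constructed snapshot of one server (heartbeat result plus a
few counter readings).  Threshold rules map readings to Healthy/Degraded/Failed;
HealthModel keeps the last state per server and reports only the transitions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEALTHY, DEGRADED, FAILED = "Healthy", "Degraded", "Failed"
_RANK = {HEALTHY: 0, DEGRADED: 1, FAILED: 2}


def worst(states: List[str]) -> str:
    """The most severe state in the list; Healthy when nothing is wrong."""
    return max(states, key=_RANK.__getitem__, default=HEALTHY)


@dataclass(frozen=True)
class Threshold:
    counter: str
    warn: float
    crit: float
    higher_is_worse: bool = True   # False for "free space" style counters

    def evaluate(self, value: float) -> str:
        if self.higher_is_worse:
            crossed_crit, crossed_warn = value >= self.crit, value >= self.warn
        else:
            crossed_crit, crossed_warn = value <= self.crit, value <= self.warn
        return FAILED if crossed_crit else DEGRADED if crossed_warn else HEALTHY


# Hypothetical limits chosen for the example; the counter paths follow the
# Windows performance-counter naming convention but these are not MOM defaults.
THRESHOLDS = [
    Threshold(r"\Processor(_Total)\% Processor Time", warn=80.0, crit=95.0),
    Threshold(r"\Memory\Available MBytes", warn=512.0, crit=128.0, higher_is_worse=False),
    Threshold(r"\LogicalDisk(C:)\% Free Space", warn=20.0, crit=10.0, higher_is_worse=False),
]


@dataclass
class Sample:
    server: str
    reachable: bool              # availability: did the server answer a heartbeat?
    counters: Dict[str, float]   # performance and capacity readings


def evaluate(sample: Sample) -> Tuple[str, List[str]]:
    """Map one sample to a health state plus the reasons (error recognition)."""
    if not sample.reachable:
        return FAILED, ["no response to heartbeat"]
    states, reasons = [], []
    for rule in THRESHOLDS:
        value = sample.counters.get(rule.counter)
        if value is None:
            # An agent that stops reporting a counter is itself a degraded condition.
            states.append(DEGRADED)
            reasons.append(f"counter not reported: {rule.counter}")
            continue
        state = rule.evaluate(value)
        if state != HEALTHY:
            states.append(state)
            reasons.append(f"{rule.counter}={value} -> {state}")
    return worst(states), reasons


class HealthModel:
    """Tracks each server's current state and returns only state transitions."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}

    def observe(self, sample: Sample) -> Optional[Tuple[str, str, str, List[str]]]:
        new_state, reasons = evaluate(sample)
        old_state = self.state.get(sample.server, HEALTHY)
        self.state[sample.server] = new_state
        if new_state == old_state:
            return None                       # steady state: nothing to alert on
        return sample.server, old_state, new_state, reasons


def demo() -> List[Tuple[str, str, str]]:
    """Feed a constructed sequence of samples for one file server through the model."""
    ok = {r"\Processor(_Total)\% Processor Time": 35.0,
          r"\Memory\Available MBytes": 2048.0,
          r"\LogicalDisk(C:)\% Free Space": 45.0}
    busy = {**ok, r"\Processor(_Total)\% Processor Time": 88.0}
    full = {**ok, r"\LogicalDisk(C:)\% Free Space": 7.5}
    model = HealthModel()
    samples = [
        Sample("FS01", True, ok),    # baseline, stays Healthy
        Sample("FS01", True, busy),  # CPU above warn -> Degraded
        Sample("FS01", True, busy),  # still Degraded, no new transition
        Sample("FS01", False, {}),   # heartbeat lost -> Failed
        Sample("FS01", True, full),  # answers again, but disk below crit -> still Failed
        Sample("FS01", True, ok),    # recovered -> Healthy
    ]
    return [t[:3] for t in map(model.observe, samples) if t]


if __name__ == "__main__":
    for server, old, new in demo():
        print(f"{server}: {old} -> {new}")
```

Only transitions are returned, so a server that stays Degraded does not re-alert on every sample; the steady-state readings belong in the performance data, not the alert stream. The "counter not reported" branch matters operationally: an agent that has stopped sending data should never be read as healthy.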

For information on setting availability goals, go to https://technet.microsoft.com/en-us/library/a4bb7ca6-5a62-442e-86db-c43b6d7665a4.aspx.

Monitoring Data

During server monitoring, data is generated and stored in a database. Monitoring produces four types of data: event data, performance data, alert data, and discovery data.

Event Data

Managed servers log events into local event logs (application, security, and system). MOM, for example, collects event information from these logs. The collected event data can be used to:

  • Generate reports using the Reporting Server and Reporting Database.

  • Provide a context for problems that are detected (in the form of alerts).

  • Provide information about computer state, derived by correlating event data, for example consolidated (repeated) events or the absence of expected events.
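As an added example (not MOM code), the Python below works on a constructed event-log export to show the two correlations mentioned in the last bullet: consolidating repeated identical events into one record that keeps the count, and deriving a computer state from a missing expected event. The heartbeat event (ID 1000 from a hypothetical MonitorAgent source), the computer names and all records are invented for the example; the other event IDs follow Windows Server 2003 conventions but the messages are paraphrased.

```python
"""Event data: consolidation and missing-event detection (added illustration, not MOM code).

consolidate() collapses repeats of the same event inside a window into one
record that keeps the count; missing_heartbeats() derives a computer state from
the ABSENCE of an expected periodic event.  All input below is constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    time: datetime
    computer: str
    log: str          # Application, Security, or System
    event_id: int
    message: str


# Constructed export, one event per line: time|computer|log|event_id|message.
# Event 1000 from a hypothetical MonitorAgent source is the agent heartbeat,
# assumed to be expected every 5 minutes.
SAMPLE = """\
2007-03-01T10:00:00|FS01|Application|1000|MonitorAgent heartbeat
2007-03-01T10:00:00|DC01|Application|1000|MonitorAgent heartbeat
2007-03-01T10:01:10|DC01|Security|529|Logon failure: unknown user name or bad password
2007-03-01T10:01:12|DC01|Security|529|Logon failure: unknown user name or bad password
2007-03-01T10:01:15|DC01|Security|529|Logon failure: unknown user name or bad password
2007-03-01T10:02:00|WEB01|System|7036|The IIS Admin Service entered the running state
2007-03-01T10:05:00|FS01|Application|1000|MonitorAgent heartbeat
2007-03-01T10:05:00|DC01|Application|1000|MonitorAgent heartbeat
2007-03-01T10:07:30|FS01|System|6008|The previous system shutdown was unexpected
2007-03-01T10:10:00|DC01|Application|1000|MonitorAgent heartbeat
2007-03-01T10:15:00|DC01|Application|1000|MonitorAgent heartbeat
"""


def parse_event(line: str) -> Event:
    """Parse one export line of the constructed format above."""
    time, computer, log, event_id, message = line.split("|", 4)
    return Event(datetime.fromisoformat(time), computer, log, int(event_id), message)


def consolidate(events: List[Event], window: timedelta) -> List[Tuple[Event, int]]:
    """Collapse repeats of the same (computer, log, event_id) that fall within
    `window` of the first occurrence into one record carrying a count."""
    out: List[Tuple[Event, int]] = []
    open_idx: Dict[Tuple[str, str, int], int] = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.computer, ev.log, ev.event_id)
        i = open_idx.get(key)
        if i is not None and ev.time - out[i][0].time <= window:
            out[i] = (out[i][0], out[i][1] + 1)      # repeat: bump the count
        else:
            open_idx[key] = len(out)                 # first occurrence (or window expired)
            out.append((ev, 1))
    return out


def missing_heartbeats(events: List[Event], heartbeat_id: int,
                       period: timedelta, now: datetime) -> Dict[str, str]:
    """Derive a state per computer from the absence of the expected heartbeat.
    Two missed periods, or no heartbeat at all, yields Unknown rather than Healthy."""
    computers = {ev.computer for ev in events}
    last: Dict[str, datetime] = {}
    for ev in events:
        if ev.event_id == heartbeat_id:
            last[ev.computer] = max(last.get(ev.computer, ev.time), ev.time)
    return {c: ("Healthy" if c in last and now - last[c] <= 2 * period else "Unknown")
            for c in sorted(computers)}


def demo() -> Dict[str, object]:
    """Run both correlations over the constructed export."""
    events = [parse_event(l) for l in SAMPLE.splitlines() if l.strip()]
    records = consolidate(events, timedelta(minutes=5))
    logon_bursts = [count for ev, count in records if ev.event_id == 529]
    states = missing_heartbeats(events, 1000, timedelta(minutes=5),
                                now=datetime(2007, 3, 1, 10, 16))
    return {"records": len(records), "logon_bursts": logon_bursts, "states": states}
```

Consolidation must preserve the count: three logon failures in five seconds and thirty mean different things on the Security log, and the consolidated record is what the alert rule sees. A computer that has sent no heartbeat at all ends up Unknown rather than Healthy, which is the safe default when a log source goes quiet.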

Performance Data

Numeric performance data is gathered from sources such as Windows performance counters and Windows Management Instrumentation (WMI). The collected performance data can be used to:

  • View performance data in the Operator console using different formats such as forms, lists, and graphs.

  • Generate reports using the Reporting Server and Reporting Database.

  • Identify critical threshold crossings that may indicate performance issues.

Alert Data

Alert data represents a problem that is detected on managed servers. Alert data contains the following information about a detected problem:

  • The type of entity the problem concerns (described as a service discovery type).

  • The specific entity the problem concerns.

  • The severity of the problem.

  • The alert name, description, problem state, alert count, and resolution state.

Alerts are indicators that inform users about the health of managed computers. Alerts also provide the basis for status monitoring.

Alert Updates

Alert data stored in the database is continuously updated as further information is collected from the server that generated the alert. Again using MOM as an example: when a problem is detected, an alert is generated and inserted into the database as a new problem. If MOM later detects that the problem has disappeared, it generates another alert item that updates the problem state of the original alert. The problem state of the existing alert is then flagged as fixed; however, the alert's resolution state is separate from its problem state, and you still have to acknowledge the alert by resolving it.

Alert Suppression

Alert suppression is the mechanism for specifying which alerts should be treated as the same problem rather than as new, unique problems. The suppression fields are defined as part of the rule that generates the alert. If no suppression fields are set, every new alert generated by the MOM run time is treated as a new problem. The suppression fields name the alert properties whose values must be identical for two alerts to represent the same problem.
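To make the Alert Updates and Alert Suppression behaviour concrete, here is an added Python illustration, not MOM's implementation: a rule's suppression fields decide whether an incoming alert is a repeat of an active problem or a new one, a cleared condition changes the problem state without touching the resolution state, and a recurrence after clearing opens a fresh alert. The rule identifiers, property names and sample alerts are hypothetical.

```python
"""Alert lifecycle: added illustration, not MOM code.

Rule.suppression_fields lists the alert properties whose values must match for
two alerts to be the same problem.  Repeats fold into the existing active alert
(alert_count goes up); a cleared condition flips problem_state to Inactive but
leaves resolution_state alone until an operator resolves the alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: int
    name: str
    entity: str
    severity: str
    description: str
    problem_state: str = "Active"    # set by the monitor: Active or Inactive (fixed)
    resolution_state: str = "New"    # set by the operator: New or Resolved
    alert_count: int = 1


@dataclass(frozen=True)
class Rule:
    rule_id: str
    name: str
    severity: str
    suppression_fields: Tuple[str, ...] = ()   # () = no suppression, every hit is new


class AlertStore:
    """In-memory stand-in for the alert table of the monitoring database."""

    def __init__(self) -> None:
        self.alerts: Dict[int, Alert] = {}
        self._active: Dict[tuple, int] = {}   # suppression key -> id of the active alert
        self._next_id = 1

    @staticmethod
    def _key(rule: Rule, props: Dict[str, str]) -> Optional[tuple]:
        if not rule.suppression_fields:
            return None
        return (rule.rule_id,) + tuple(props[f] for f in rule.suppression_fields)

    def raise_alert(self, rule: Rule, props: Dict[str, str]) -> Alert:
        """Insert a new problem, or fold a repeat into the matching active alert."""
        key = self._key(rule, props)
        if key is not None and key in self._active:
            existing = self.alerts[self._active[key]]
            existing.alert_count += 1
            existing.description = props["description"]   # keep the latest detail
            return existing
        alert = Alert(self._next_id, rule.name, props["entity"], rule.severity,
                      props["description"])
        self.alerts[alert.alert_id] = alert
        self._next_id += 1
        if key is not None:
            self._active[key] = alert.alert_id
        return alert

    def clear_problem(self, rule: Rule, props: Dict[str, str]) -> Optional[Alert]:
        """The monitor saw the condition disappear: mark the problem fixed, not resolved."""
        key = self._key(rule, props)
        alert_id = self._active.pop(key, None) if key is not None else None
        if alert_id is None:
            return None
        alert = self.alerts[alert_id]
        alert.problem_state = "Inactive"
        return alert

    def resolve(self, alert_id: int) -> Alert:
        """Operator acknowledgement; independent of whether the problem is still active."""
        alert = self.alerts[alert_id]
        alert.resolution_state = "Resolved"
        return alert

    def unresolved(self) -> List[Alert]:
        return [a for a in self.alerts.values() if a.resolution_state != "Resolved"]


def demo() -> Dict[str, object]:
    """Constructed walk through the lifecycle; rules, fields and alerts are hypothetical."""
    cpu = Rule("R-CPU", "High CPU", "Warning", suppression_fields=("entity", "counter"))
    logon = Rule("R-LOGON", "Logon failure burst", "Error")   # no suppression fields
    store = AlertStore()
    fs01 = {"entity": "FS01", "counter": r"\Processor(_Total)\% Processor Time",
            "description": "CPU at 91%"}
    a1 = store.raise_alert(cpu, fs01)
    a2 = store.raise_alert(cpu, {**fs01, "description": "CPU at 97%"})   # same problem
    a3 = store.raise_alert(cpu, {**fs01, "entity": "FS02"})              # other server
    l1 = store.raise_alert(logon, {"entity": "DC01", "description": "50 failures/min"})
    l2 = store.raise_alert(logon, {"entity": "DC01", "description": "50 failures/min"})
    fixed = store.clear_problem(cpu, fs01)           # CPU on FS01 back to normal
    after_clear = (fixed.problem_state, fixed.resolution_state)
    recurrence = store.raise_alert(cpu, fs01)        # problem returns -> new alert
    store.resolve(a1.alert_id)                       # operator closes the first one
    return {
        "fs01_count": a1.alert_count,
        "same_object": a1 is a2,
        "fs02_id": a3.alert_id,
        "logon_ids": (l1.alert_id, l2.alert_id),
        "after_clear": after_clear,
        "recurrence_id": recurrence.alert_id,
        "after_resolve": (a1.problem_state, a1.resolution_state),
        "unresolved": len(store.unresolved()),
    }
```

Two things worth checking in a real deployment follow directly from this model: a rule with no suppression fields produces one alert per occurrence and will flood the database under a burst, and a problem state of Inactive is not the same as Resolved, so reports of open alerts should not assume that fixed problems have been acknowledged.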

Discovery Data

Discovery data contains a snapshot of the entities discovered for a particular scope. Unlike the other operational data, discovery data is not presented to the user directly as records; instead it appears as topology diagrams, computer attributes, service lists, or computer lists.

Phase 4: Deploy

After you have defined the services critical for monitoring, determined the devices required for the service, developed a Health Model, and evaluated monitoring software appropriate for your organization’s needs, it is time to implement the availability monitoring solution.

If your organization has selected Microsoft Operations Manager as the technology to perform availability monitoring of your systems, detailed deployment guidance can be found in the MOM 2005 Deployment Guide at Microsoft TechNet.  

Operations

The Operations goal is to manage the activities of the availability management process for critical servers. The operations process should ensure that critical IT services deliver the levels of availability defined for the organization.

Further Information

Checkpoint: Availability Monitoring of Critical Servers

Requirements (tick each that your organization has completed):

  • Installed availability monitoring software such as Microsoft Operations Manager (MOM).

  • Monitoring 80 percent of your critical servers for performance, events, and alerts.

If you have completed the steps listed above, your organization has met the minimum requirement of the Standardized level for Availability Monitoring of Critical Servers.

We recommend that you follow additional best practices detailed at the Microsoft Operations Manager 2005 TechCenter at Microsoft TechNet.

Go to the next Self-Assessment question.