Posts by PhillCO2

New world, Order: Cetacea

I, for one, welcome our new cetacean overlords.

Internet connected systems...

The problem would seem to start there, surely a critical system such as this should be heavily firewalled off not only public networks but also from the company's LAN/WAN. A VPN system would provide for much more secure remote working, you could even throw in two factor authentication for an extra security layer.

Enterprise solutions...

We run a full Dell ship for our desktops (of which we have about 8000 accross 4 domains) and in the last 12 months we have been using Altiris to deploy images and software. This uses a linux deployment OS that is booted over PXE with a standard set of drivers, a unified image is copied down to a partition on the local disk using multicast where possible then written to the local disk. The drivers for the particular hardware are injected as part of this process and the Windows OS is sysprepped on the fly to join the domain. Once the OS has booted post deployment installs the antivirus and the agent for Altiris which then installs a standard set of software that has been queued up. The imaging process takes about 25 minutes from pc with a blank disk to full windows OS then software installation for our standard suite takes about 15 minutes. The beauty of this system is that the OS image is retained on the local disk so providing the disk is sound, in the event of an OS failure redeployment of the local image can occur without having to copy back down over the WAN.

We only rebuild the image to include service packs as patching is also handled by Altiris which has advantages over WSUS. Obviously this kind of solution can be pricy for smaller businesses but in a larger business or enterprise the advantages outweigh the cost.

Delegated Access?

My company is in the process of migrating to a new single domain from multiple legacy domains, the approach that has been taken here is to delegate administrative access only over what each IT staff member needs to do.

A normal support analyst may have local admin rights on all the PCs within his area and some control over active directory for the users in his area, he wont on the other hand have access to say, reconfigure the exchange or dns servers. These are set up centrally and then the configuration can only be changed by certain infrastructure administrators.

I find this approach also leads to better change control, because an admin can't just decide to be lazy and say I can just change that without bothering run it through official channels, because they don't have the rights to do so without them being delegated out.

It can be frustrating at times to have to get a form filled in to get access to a server to do a simple task but it is generally beneficial as a whole.

(Black helicopters because the audit trail means they always know who bricked their system)