You don’t need us to tell you how vulnerable your Windows desktops are to malicious exploits. If you’re like most IT professionals, you’re already losing sleep over it. Adding to the urgency, you have internal and external auditors breathing down your neck, looking for proof that you always know how all your desktops are configured and that you’ve been keeping them up to date with accurate, validated patches.
The need for accurate inventory, timely patching and effective asset management is undeniable. So the question isn’t whether you’re inventorying and patching systems to secure your desktops—you’d better be—but rather, how well you’re doing it.
How much time do you devote to inventorying PCs, identifying vulnerabilities, and distributing patches to the appropriate machines and user groups? How quickly can you get new patches out to minimize zero-day threats? How much infrastructure is required, at what cost? How effectively can you document system compliance? How much time and budget does desktop management take away from other crucial IT tasks?
Step back from these daily tasks for a moment (as if you had one to spare) and ask yourself this: In your battle to address these critical needs, are you building a manageable framework to align your IT efforts with rapidly changing business processes and regulatory requirements?
> So Many Questions, One Simple Answer: Novell ZENworks Configuration Management
Novell ZENworks Configuration Management is the next-generation solution for identity-based management of Windows desktops, including Windows Vista. It’s designed to speed service delivery and ensure accurate desktop configuration for increased IT efficiency and user productivity.
Because it’s built on the Novell Desktop-to-Data Center Management Blueprint for delivering Infrastructure Technology Information Library (ITIL)-based services, ZENworks Configuration Management aligns with your strategic plans. And its modular, three-tier Web services architecture gives this new solution unprecedented extensibility and scalability—while supporting easy integration for customers and partners.
> Achieving Consolidation Through Integration
If you’re like most IT professionals, you’ve been using multiple servers, agents and consoles for configuring, inventorying and patching desktops. Now there’s a better way. Novell ZENworks Configuration Management integrates everything you need to manage your complete Windows environment—all in one product.
That means just one server, one agent, one management console and one database for all your desktop management tasks. And because of its modular design, you can simply snap in new services at any time, without causing havoc in your data center or downtime for your users.
> Eight Ways to Better Desktop Management
With ZENworks Configuration Management, you have a single, flexible, comprehensive desktop management architecture. It’s the highest level of integration Novell has ever offered, providing eight distinct advantages:
- Planning and design. All the decisions you make when deploying ZENworks Configuration Management—what type of server to use, where to place it, how to distribute the agent and so on—automatically apply to asset inventory and the subscription-based patch management service. You can even run it in parallel with ZENworks Patch Management, performing a seamless switchover at your convenience.
- Provisioning and scaling. There’s only one server and one agent to deploy for all your desktop configuration and inventory requirements, as well as for Patch Management Services for ZENworks Configuration Management. To scale up the solution or add redundancy, you just add server capacity instead of adding multiple new servers for each function.
- Installation. Simply install the core product, and Patch Management Services for ZENworks Configuration Management is automatically available to protect your network for a 60-day trial period. If you like the service, purchase a subscription to continue receiving daily patch updates.
- Server and agent management. With all services integrated into a single server, single agent and single console, you save significant time and money that would otherwise go toward managing separate infrastructures for desktop management, patching and inventory.
- Architectural flexibility. Deploy the services and database on your choice of server platform including Windows, Linux or Novell Open Enterprise Server 2. Use it to manage all your local and remote Windows end-user systems including Windows Vista.
- Usability. We haven’t just “tacked on” an inventory module and patch management subscription to the ZENworks console’s user interface. This is a deep integration. With a single console and working processes that leverage the same database information, IT staff can work more productively than ever before.
- Devices, groups and policies. Effective configuration management requires identifying devices, defining groups of devices, then defining policies that apply to those groups. With separate systems for patch management and other services, you would have to redo all this work for each system. But now you can “define once, use everywhere,” leveraging inventory information as well as Microsoft Active Directory or Novell eDirectory structures to define groups and automated policies that apply across the board.
- Reporting. With all device data in a single database, reporting capabilities are dramatically more powerful and flexible. In addition to a rich set of standard reports, you can build custom reports that include any data relevant to the configuration and security status of end-user machines. That’s a real boon in the age of regulatory audits.
> Integrated Patch Management and Asset Inventory: A Closer Look
ZENworks Configuration Management provides a unique, policy-based approach to automate software distribution and setup, updates, healing and migration for all Windows desktops, including Vista. Let’s take a closer look at two functions that are of critical importance today, as IT staffs face increasing pressures from professional hackers on the one hand and professional auditors on the other.
> ZENworks Configuration Management—Patch Management Services
Patch Management Services for ZENworks Configuration Management automatically discovers unpatched endpoints and prompts you to remediate them. This leverages the solution’s integrated inventory and configuration information, device fingerprinting technology, and the identity information contained in eDirectory or Active Directory to help ensure that no systems are inadvertently left open to attack. This add-on service gives you 60 days of free patch updates with your purchase of ZENworks Configuration Manager and continues to work seamlessly after that with your subscription purchase.
You have the flexibility to define patch policies based on groups, criticality, location, function and more. And no matter how you define resource groups for patching policies, you always know which systems need to be patched at any given time thanks to automatic scanning for inventory, configuration and applicable updates.
> Simple Configuration, Day-to-Day Protection: A Quick Walkthrough
Most configuration and patching processes happen automatically. Once you install ZENworks Configuration Management, simply log in to ZENworks Control Center as a zone administrator, click the Configuration link on the left-hand pane, expand Patch Management and select the Product Serial Number link. Enter the patch management serial number that came with your purchase. (see Figure 1.)
That’s it. There’s nothing else to install. Your primary server is now capable of replicating vulnerabilities and patches from the subscription service, which happens once per day. To configure when this happens, choose the Subscription Service Information link and enter the time. (see Figure 2.) It’s best to choose a time when the network is not overly busy.
If the primary server for patch management needs to use a proxy server to communicate with the patch management subscription service, choose the Configure HTTP Proxy link and enter the proxy server details.
Now, you’re ready to configure the vulnerabilities that will be downloaded from the subscription service. Select the Subscription Download Options link and choose the Windows architecture(s), operating systems and languages that you are using in this zone. (see Figure 3.)
That’s the entire server configuration. Wait until patches have been downloaded, and then log in as a zone administrator again to view the vulnerabilities in your environment.
To do this, you must first assign the AnalyzeBundle bundle to a group, folder, device or dynamic group and set a recurring launch schedule. The AnalyzeBundle bundle initiates the process of scanning for installed patches, checking device fingerprints and reporting back to the server. After at least one device has executed the AnalyzeBundle, choose the Vulnerabilities link to see details of each identified vulnerability, as well as how many devices in the zone are either patched or unpatched. (see Figure 4.)
Note: even though the patches have been thoroughly tested, it’s good practice to deploy patches to a control group before patching your entire enterprise.
You can also deploy remediations from the same screen. Simply check the boxes for the vulnerabilities you want to remediate, then select Action | Deploy Remediation. You’ll be asked to confirm the deployment, and to accept or decline each license agreement that may be associated with the relevant patches. You can also specify a deployment schedule and configure appropriate patching behavior for specific applications, such as user notification, reboot and chain behavior.
When you’re ready to finalize the deployment, review your work on the Summary screen (see Figure 5) and click Finish. ZENworks Configuration Management takes care of the rest. Your network endpoints are protected wherever they are and however they’re configured.
> Leave Patch Testing and Packaging to Us
Once the solution is configured, a simple subscription service delivers the latest patches to your organization daily, as soon as they’re available. Unlike the bare patches typically provided by vendors, these patches have already been tested and packaged with information about applicable operating systems, patch interdependencies and install/deinstall scripts.
The extensive Quality Assurance of Novell all but eliminates the need to analyze and test patches before you can deploy them with confidence, minimizing the IT burdens associated with traditional patch management. Even more important, Patch Management Services for ZENworks Configuration Management virtually eliminates the time lag from when a patch is released to when it’s tested, packaged and ready for deployment.
That means you stay several steps ahead of the hackers—and that’s your best defense in a world where zero-day exploits increasingly dominate the news.
> ZENworks Configuration Management—Asset Inventory
Novell ZENworks Configuration Management provides a simple way to retrieve hardware, software and bundle inventory information from your network endpoints. It helps you track assets and change histories, ensure compliance, identify devices that are ready to be upgraded and understand what bundles need to be created.
> Know Exactly What’s on Your Desktops: A Quick Walkthrough
Once ZENworks Configuration Management is installed, the asset inventory module is ready to go; no additional server or agent installation is necessary. To configure it, log in as the zone administrator and browse to either the zone configuration page or to a specific folder or device. Expand Inventory and click the Inventory link.
You’ll see the Inventory Configuration options. (see Figure 6.) If the properties of an individual device or folder are displayed, click the Override link.
Scan Now options control how the scan occurs when initiated through the ZENworks Control Center or the ZENworks Properties page on the managed device. These Scan Now options include:
- Collect Software Applications. Use the Novell-maintained knowledge base as well as the data on any custom applications you may have to identify applications installed on Windows machines.
- Collect Software File Information. Gather all the file information for application files not found in the knowledge base.
- Collect Hardware. Retrieve hardware information.
- Launch Collection Data Form. Display the Collection Data form after the inventory scan has been completed. This form can be configured with custom fields to prompt the user for specific user or inventory information.
- Run DMTF Translator. Translate the scanner’s XML output to a format that can be used by other management solutions such as SMS.
- User Can Initiate Scan. Enable the user to initiate a scan for a managed device, from that device.
In addition to Scan Now options, you can also configure First Scan options, which control the way managed devices are scanned when they first register with the zone. And you can set Recurring Scan options for devices that are scanned regularly according to your configured Inventory Schedule. These options all correspond with the Scan Now options, with the exception of User Can Initiate Scan.
You can also choose directories to exclude from the scan, specify which files (in addition to .exe) and paths to include in or exclude from the software scan, and set advanced options that Novell Technical Services may ask you to set. Once you’ve set the scan options, simply click Apply or OK to finish the configuration.
Next, you need to configure the inventory schedule. Click the Inventory Schedule link to set the appropriate options for either recurring schedules, no schedule, date-specific schedules or event-driven schedules. (see Figure 7.) Click OK or Apply to save the schedule and complete the configuration.
You can also customize the inventory feature in several ways to make it more applicable to your environment. These customizations include adding user-defined fields, customizing the data-collection form that appears on the end-user workstation, and creating software entries for in-house applications and other applications not found in the ZENworks knowledge base.
Details on these customizations are included in the user manual. For now, let’s go straight to the fun part: scanning the devices in your environment.
For managed Windows devices, including Windows 2000, XP and Vista, no additional configuration is required. To run an immediate scan of these devices, log in to ZENworks Control Center as a zone administrator. Browse to the group or device you want to scan, then select the Inventory Scan or Group Members Inventory scan link in the left-hand panel. You can monitor the progress of the scan as it takes place. (see Figure 8.)
Although we won’t walk through these features here, you can even create a portable client that allows inventory collection on disconnected devices. The user manual has complete, easy-to-follow details.
> Adding Advanced Asset Management Services
For usage-based asset tracking and reporting, Novell offers Asset Management Services for ZENworks Configuration Management, a fully integrated add-on service for ZENworks Configuration Management. It brings the full license tracking, compliance and planning capabilities of ZENworks Asset Management to this next-generation management platform—including all of the integration benefits discussed earlier in this article.
> Take the Next Step: See Integrated System and Patch Management First-Hand
There are so many reasons why ZENworks Configuration Management is Novell’s next-generation systems management platform—and so many benefits associated with its modular, flexible architecture. To see ZENworks Configuration Management in action, talk to your Novell representative or call your local Novell Solutions Provider today.