Understanding Main Considerations

To understand the most important aspects of the policy, it is necessary to first understand the status of devices most likely affected by the policy before proceeding with more complicated scenarios that require more considerations. Thus, this section will deal primarily with Windows desktops and Windows laptops. Furthermore, this section will focus on the policies that are most likely to affect the Chemistry IT department: Patching, Encryption, and Screen Lock.

Critical Computers

Windows laptops and desktops are the primary concern. However, not every Windows laptop or desktop in the inventory is relevant, because many inventoried systems are missing, scrapped, or sitting in the stock room. Therefore, when this page talks about Windows laptops and desktops that likely still matter (that is, those not in stock, missing, or scrapped), it refers to them as "critical computers."

Patching

According to the policy, patches must be applied within 14 days of release. It is possible to use Active Directory's CM Client to verify which systems undergo a "Managed Update." Thus, the primary concerns are:

  1. To identify which critical computers are in Active Directory without "Managed Update"; and
  2. To identify which critical computers are not in Active Directory, for those are the systems whose patching status cannot be automatically verified.

Patching Concern #1

As of early October, 2017, there were 111 critical computers with Managed Update. Therefore, to answer how many critical computers are in AD, but not undergoing Managed Update, all that is needed is to subtract 111 from the number of critical computers in AD. This can be done by searching the inventory for critical computers that follow the "AS-" naming convention (which means it is in Active Directory) and subtracting 111 from the number yielded from the search. The resulting number would be the answer to how many systems are in concern #1.

To generate the list, assuming the inventory search is dependable, perform the above search and export the results to an Excel file. Then add the list of systems undergoing Managed Update to that file and compare the two. The list of systems from the search that are not in Managed Update should be as long as the number of systems in the search minus the number of systems in Managed Update (111 as of early October, 2017).

Patching Concern #2

To identify which critical computers are not in AD, simply perform an inventory search for critical computers that don't follow the naming convention (resulting number as of October 20, 2017: 313). The resulting number of systems should be the same as the number of critical computers (596) minus the number of critical computers in AD (283) ==> 313.

Encryption

The policy states that laptops and desktops must have whole-disk encryption, except for those that are Virtual Machines, Instrumentation Machines, systems that are automatically reconfigured, and data-less workstations. However, despite these official exceptions, the policy requires that all exceptions be documented. Therefore, it is important to somehow keep track of these machines and systems that likely will never get encrypted. Another use for keeping track of this information is that it will allow us to know which excepted laptops and desktops are encrypted nonetheless.

Thus, the encryption concerns are like those of Patching, with one twist: excepted machines are not targets for remediation of policy violations, but we are still expected to track which systems are excepted, strictly for documentation purposes. The primary concerns are therefore the following:

  1. Finding out which non-excepted critical computers are not in AD; and
  2. Finding out which excepted critical computers are in AD and are encrypted.
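The inventory reconciliation described under Patching and Encryption, written out as an added example (not the Chemistry IT department's own tooling). It assumes an inventory export as a list of records with name, status, exception and encrypted fields, a separate list of hostnames the CM client reports under Managed Update, and the "AS-" hostname prefix as the marker of AD membership; the sample records are constructed, not real inventory.

```python
NON_CRITICAL = {"stock", "missing", "scrapped"}  # statuses that make a system non-critical
AD_PREFIX = "AS-"                                 # naming convention for AD-joined systems

# Constructed sample inventory export (Windows laptops/desktops only).
INVENTORY = [
    {"name": "AS-CHEM-101", "status": "deployed", "exception": None, "encrypted": True},
    {"name": "AS-CHEM-102", "status": "deployed", "exception": None, "encrypted": False},
    {"name": "AS-NMR-01", "status": "deployed", "exception": "instrumentation", "encrypted": True},
    {"name": "AS-CHEM-103", "status": "stock", "exception": None, "encrypted": False},
    {"name": "CHEMLAB-07", "status": "deployed", "exception": None, "encrypted": False},
    {"name": "XRAY-CTRL", "status": "deployed", "exception": "instrumentation", "encrypted": False},
    {"name": "OLD-DESK-3", "status": "scrapped", "exception": None, "encrypted": False},
]

# Constructed list of hostnames reported as undergoing Managed Update.
MANAGED_UPDATE = {"AS-CHEM-101", "AS-NMR-01"}


def critical(inventory):
    """Critical computers: everything that is not stock, missing or scrapped."""
    return [r for r in inventory if r["status"].lower() not in NON_CRITICAL]


def in_ad(record):
    """AD membership is inferred from the 'AS-' naming convention."""
    return record["name"].upper().startswith(AD_PREFIX)


def patching_concerns(inventory, managed_update):
    """Return (concern #1, concern #2): in AD without Managed Update; not in AD."""
    crit = critical(inventory)
    managed = {h.upper() for h in managed_update}
    not_managed = sorted(r["name"] for r in crit if in_ad(r) and r["name"].upper() not in managed)
    not_in_ad = sorted(r["name"] for r in crit if not in_ad(r))
    return not_managed, not_in_ad


def encryption_concerns(inventory):
    """Return (non-excepted critical computers not in AD, excepted ones in AD that are encrypted)."""
    crit = critical(inventory)
    unexcepted_not_in_ad = sorted(r["name"] for r in crit if r["exception"] is None and not in_ad(r))
    excepted_in_ad_encrypted = sorted(r["name"] for r in crit if r["exception"] and in_ad(r) and r["encrypted"])
    return unexcepted_not_in_ad, excepted_in_ad_encrypted


def check_arithmetic(inventory, managed_update):
    """The page's sanity check: |critical| - |critical in AD| must equal |concern #2|."""
    crit = critical(inventory)
    ad_count = sum(1 for r in crit if in_ad(r))
    return len(crit) - ad_count == len(patching_concerns(inventory, managed_update)[1])
```

The same functions apply unchanged to a full export; only the record fields and the Managed Update list need to be loaded from the real files.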

Remediation

Edge Cases
