LOL... easier said than done to open up our DMZs at all, even to specific systems. Of course, the good news is that we weren't really worried during all the recent outbreaks of viruses and worms. Our critical systems are pretty well sealed off, even from loyal administrators' workstations.
Actually, some of this is being driven by the need to quickly identify the current configuration of all our servers to help evaluate how/when we want to deploy patches or other security fixes. For instance, MS03-001 is critical for domain controllers, but minor for other servers UNLESS they are running the locator service for whatever reason. It would have been great to do a quick query and be able to identify all servers running the locator service. Even if it was only domain controllers (as it should be), upper management really likes to get positive confirmation.
We are also starting into a major upgrade project to W2K3. "At a glance" reports showing which servers are good candidates now and which need hardware upgrades or replacement make projects like this much easier.
Of course, unlike workstations, we can't rely on logon scripts (over half of our servers are not domain members anyway -- the DMZ and multiple independent business units thing again).
If I ever get my code cleaned up enough to where I wouldn't be embarrassed (much of the development was done under extremely tight timelines), I'll post the scripts. The process isn't perfect, but it is leaps and bounds ahead of the manual ways we collected and managed server information before.
Thanks,
NMM