ITT 420

Chapter 2

Workstation
Management

Prepared by: Muhammad Azizi

([email protected])

Thomas A. Limoncelli,Christina J. Hogan,Strata R.

Chalup
The Practice of System and Network Administration
3rd, Addison-Wesley Professional, 2016
ISBN: 9780133415100
 ITT 420

Chapter 2 Objectives
 Discuss workstation issues that are
important to customers.
 Discuss fundamental strategies related to
workstation hardware.
 Determine strategies for installing an OS
that influences the machine’s life.
 Define fleet service required for hardware
and software.
 Determine fleet logistic for high-level
process.
 ITT 420

Chapter 2 Outline
 Workstation Architecture
 Workstation Hardware Strategies
 Workstation Software Life Cycle
 OS Installation Strategies
 Workstation Service Definition
 Workstation Fleet Logistics
 Workstation Standardization
 Workstation Architecture

Workstation Architecture
 Workstations are computers used by
people. Whether it is a desktop PC in an
office or a laptop computer carried from
place to place, workstations are the
computers people use to get work done.
 Workstation Architecture

Workstation Architecture
 The experiences people have when using
their workstations are determined by
design decisions you make as the system
administrator. Issues that are important
to customers are:
 Locality: Is the workstation available where and
when it is needed?
 Reliability: Is the workstation reliable or does it
lock up or crash frequently?
 Productivity: Can the customer work with
minimal obstruction?
 User agency: Do the users have agency or
control over their environment?
 Current-ness: How much lag time is there
between when new features ship and when they
are installed and ready to use on the machine?
 Workstation Architecture

Fungibility
 Workstations should be a fungible
resource: Any one unit should be able
to substitute for any other.
 The ability to log into any workstation
improves access locality.
 Computers break. If a person is tied to a
particular machine, he or she is unable to
work until the computer is fixed.
 But there is limit on how close we can get
a fungible system such as:
 There will be variations in hardware.
 There will be variations in login access.
 Variation in Applications and software
installed.
 Workstation Architecture

Fungibility
 Workstation Architecture

Fungibility
 Lastly, having all data be stored
remotely and accessed over a network
requires network access. However,
network access is not always available
to laptops or other mobile devices, nor
to workstations when used in a remote
area or disaster areas.
 The primary elements of a workstation
architecture are the hardware itself,
the operating system(s), network
configuration, the accounts and
authorization system, data storage,
host security, and logging.
 Workstation Architecture

Hardware
 There are laptops and desktops, mobile
devices and tablets, and other physical
form factors to choose from.
 There is also the decision between
physical workstations and virtual
workstations
 whether the workstation is provided by
the company or if some kind of bring
your own device (BYOD) strategy is
employed.
 Workstation Architecture

Operating System
 As part of our workstation architecture, we can
provide a single operating system or many.
 Linux has both different vendors and versions
within those vendors. For example, RedHat,
Ubuntu, Debian, CoreOS, and other vendors
make Linux distributions (“distros”) by
packaging the Linux kernel with different sets of
applications, utilities, and enhancements.
 Similarly, Microsoft and Apple have server and
workstation variations of each operating system.
 Standardizing on exactly one operating system
good at all aspects of the one supported
operating system.
 Workstation Architecture

Network Configuration
 Workstations are generally connected to a
network by either wired (Ethernet) or
wireless (WiFi) technologies.
 Architecturally speaking, the decision to be
made here is whether network configuration
is hardcoded (stored on the machine itself)
or dynamic (provided by the network).
 Network configuration parameters:
include the machine’s IP address,
subnet mask,
default gateway,
DNS servers
 Workstation Architecture

Network Configuration
 Dynamic Configuration
 the machine asks the network what its
configuration parameters should be via Dynamic
Host Configuration Protocol (DHCP) service.
(DHCP server or router) Static and dynamic Ip
address
 IPv6 has the additional possibility of using a
system called Neighbor Discovery (ND)
 Dynamic configuration permits network
configurations to be controlled centrally.
 The ability to centrally control configurations is
key to being able to efficiently manage large
numbers of machines.
 Otherwise, one would have to visit every machine
for even the most minor change.
 Workstation Architecture

Network Configuration
 Applicability
 Storing a static configuration on a host makes it
less generic. It can plug into only the one subnet
it was configured for.
 Desktop PC users benefit from dynamic network
configuration because it reduces the skill required
to deploy or move their PC.
 Dynamic configuration is also less error prone.
 Expecting a user to manually type an IP address,
subnet mask, and default gateway accurately is
overly optimistic.
 Workstation Architecture

Network Configuration
 Hardcoded Configuration
 the configuration parameters are stored on the machine
itself.
 A hardcoded configuration has the benefit that it works
whether the DHCP server is available or not.
 Servers generally use static configurations so as to
minimize their external dependencies.
 Hybrid Configuration
 Servers can also have a hybrid configuration, where the
network parameters are defined in local files, but the
server periodically checks the network parameters via
DHCP.
 This technique uses the DHCP INFORM request.
 This approach combines the ease of managing a large-
scale installation with the benefit of removing the boot-
time dependence on DHCP for critical servers.
 Workstation Architecture

Accounts and Authorization

 Workstations need a database of usernames,
passwords, groups, and related account
information.
 Architecturally speaking, the decision to be
made here is whether this information is
stored on the machine itself, is accessed
from a central database over the network, or
both.
 All machines have a local account database.
Unix has /etc/passwd and /etc/group.
 Windows stores local accounts in the Security
Accounts Manager (SAM).
 Workstation Architecture

Accounts and Authorization

 When this information is made available as a
network service, it is generally called a
network directory.
 The most common example is Microsoft
Active- Directory, though there are others
such as Apple’s OpenDirectory and Red-
Hat Directory Server which is based on
LDAP protocol.
 With the use of a network directory, the same
information is made available to all machines.
 Having account information available to all
machines is important even if the user doesn’t
have login permission for a specific machine.
 Workstation Architecture

Accounts and Authorization

 Important definition
 Identity is storing information about a user.
 Authentication is using that information plus
secrets (usually passwords) to prove that
someone is who he or she claims to be.
 Authorization is what a user is permitted to
do.
 Workstation Architecture

Data Storage
 The user of a workstation needs to store
information, or state.
 There are three fundamental ways to configure
storage:
 Local: All data files are stored locally
 Stateless: No locally unique data. Users’ files are
stored remotely on a network server. The local disk is
used only for the OS, temporary files, and caches.
 Diskless: No local disk storage. The operating
system and user data are stored on a remote disk
over a network using protocols such as iSCSI or NFS.
 Workstation Architecture

Data Storage
 A big part of creating generic, fungible
workstations is to make them stateless. This
can be done a couple of ways:
 Remote file storage: The client accesses storage
from a remote server as a “network disk” or other
mechanism that makes the files appear as if they
were local, but actually accesses them from another
server behind the scenes. Examples include NFS,
popular on Unix/Linux systems, and SMB, popular in
Microsoft Windows.
 Network-synced or cloud storage: The user’s files
are stored locally but copied to a network service as
soon as possible. Examples of this include Dropbox,
Microsoft OneDrive, and Apple’s iCloud Drive.
 Workstation Architecture

OS Updates
 As long as software is being actively supported by
the vendor, there will always be updates, often
called patches, that add new features, fix
bugs, and close security holes.
 We can install updates manually or automatically.
 Manually means a person visits each machine and
gives the commands to install the updates,
possibly rebooting the machine if that is required.
 workstation architecture should take the following
considerations into account regarding updates:
 Centrally control which patches are distributed when.
 Test updates before they are deployed.
 Users should be able to delay an update
 SAs should have the ability to stop all updates if a
problem is detected
 Workstation Architecture

Security
 Theft
 Ifa laptop is lost or stolen, the first priority is to
make sure that whoever possesses the device
cannot access the contents.
 Laptop tracking software periodically announces
the machine’s IP address to a service that helps
you track its location.
 Another way to protect access to the information
on the hard drive is to use full disk encryption
(FDE).
 The users’ accounts are disabled until passwords
and security credentials can be reset.
 Workstation Architecture

Security
 Malware
 Malware is software created to insert itself on a
machine to subvert the security of the system.
 Anti-malware software comes in two general
categories:
 Antivirus software/blacklisting: Detects malicious software
by watching for specific banned software, or detecting
particularly bad behavior.
 Application control software/whitelisting: Uses a whitelist
of permitted software and prevents all other software from
running.
A network firewall is a software-enforced policy
that determines network access to and from a
host.
 Workstation Architecture

Security
 Malware
 Any kind of security defense software should have
the following qualities:
 Centralized control: Security defense software should be
configured and controlled from a central point.
 Centralized reporting: There should be a central
dashboard that reports the statuses of all machines.
 Silent updating: The software should update silently. It
does not need to pop up a window
 Hidden from view: The user should be able to determine
that the software is activated
 Negligible performance impact: Anti-malware software
can have a significant impact on the performance of the
machine.
 Workstation Architecture

Logging
 A workstation architecture needs to make
workstations error observable.
 This is done by logging events and making this
information accessible.
 Microsoft Windows calls this the event log
 Unix/Linux systems call it the system log, or
syslog.
 There are many log analysis tools such as
Logstash and Splunk that store and interpret
log information.
 Workstation Hardware
Strategies

Workstation Hardware Strategies

 First strategy is to provide physical machines
such as laptops and desktops.
 Second strategy is virtual desktop
infrastructure (VDI), or virtual machines
accessed through various means.
 Third strategy is to not provide workstations at
all. Bring your own device (BYOD) involves
providing access to applications and services using
the hardware your customers already have.
 Workstation Hardware
Strategies

Physical Workstations
 Laptop Versus Desktop
 Desktops are generally more expandable. They have slots
for add-on cards and video processor cards, and sockets
for additional memory.
 Laptops are generally more expensive than comparable
desktop models. A laptop’s mobility requires it to be more
rugged because people drop, bang, and otherwise
mistreat these machines.
 Laptops are easier to support because people can bring
their laptop to a helpdesk rather than requiring an IT
technician to visit their desk.
 Vendor Selection
 Minimize the number of vendors used to reduce
complexity and support cost.
 Having multiple vendors permits price competition but
incurs a bigger support cost.
 Workstation Hardware
Strategies

Physical Workstations
 Product Line Selection
 Most vendors have multiple product lines. Choose based on
lowest initial cost or purchase price, lowest total cost of
ownership (TCO), and emphasize performance.
 Lowest Initial Cost
 The lowest initial purchase price is achieved by sacrificing the
features that would make the machine less expensive.
 For example, a fixed configuration makes the initial purchase
price lower but future expansion may require replacing the entire
machine
 Total Cost of Ownership
 Total cost of ownership refers to all costs related to the machine
for its lifetime.
 business with a large fleet can lower its TCO by minimizing the
variations in hardware.
 Performance
 includes features required by engineering applications such as
computer-aided design (CAD) and computer-aided engineering
(CAE), which require high-end graphics, vector processing, and
heavy-duty computation.
 Workstation Hardware
Strategies

Virtual Desktop Infrastructure

 The point of VDI is to turn workstations into a
centrally managed network service to reduce
administrative and hardware costs.
 The user’s applications run on a virtual machine
(VM) in a VM server cluster elsewhere on the
network.
 The user interacts with the VM though a “thin
client.” The thin client looks like a very tiny
desktop PC.
 The benefits of VDIs are that they offer savings
due to reduced hardware costs, along with
increased ease of management.
 Workstation Hardware
Strategies

Virtual Desktop Infrastructure

 Reduced Costs
 The thin client hardware is inexpensive since it is
designed for the single purpose of speaking a remote
access protocol such as Windows Terminal Services,
VMWare Horizon, or Citrix.
 The VDI system is easier to manage because the thin
clients are generic.
 Ease of Maintenance
 The VM server infrastructure can be upgraded more
cost-effectively because it does not require the
physical labor of visiting each thin client.
 Additional CPUs can be added to the VM
infrastructure and allocated among the VMs.
 Workstation Hardware
Strategies

Persistent or Non-persistent VDI?

 With non-persistent VDIs, the virtual desktop is
created from scratch using a standard golden
image each time it is needed. Non-persistent
VDIs do not permit customization.
 With persistent VDIs, there is a one-to-one
mapping between users and virtual desktops, and
each user’s desktop is created from a separate
disk image. The user’s settings are saved at
the end of each session, and appear each time at
login.
 Workstation Hardware
Strategies

Non-Persistent VDI?
 The advantages of non-persistent VDIs are as follows:
 • It is easy for administrators to patch and update the image
 • It minimizes storage and backup requirements for the OS
image.
 • It simplifies deploying company-wide applications to all end
users.
 • It improves security since users can’t alter desktop settings

 The disadvantages of non-persistent VDIs are as

follows:
 Not all software supports use in a non-persistent VDI.
 It reduces personalization. With non-persistent VDI, users
cannot easily personalize
 It reduces application flexibility
 It is a difficult transition for users.
 It increases complexity.
 Workstation Hardware
Strategies

Persistent VDI?
 The advantages of persistent VDIs are as follows:
 They ease customization.
 They provide an easier transition for users.
 Support is similar to desktops.

 The disadvantages of persistent VDIs are as

follows:
 Larger storage and backup capacities are required.
 There is more support overhead due to image
management.
 There are fewer security benefits.

 One variation of a VDI is called a VDI thick client.

 Thick clients give users access to applications that
are otherwise incompatible with their
workstations.
 Workstation Hardware
Strategies

Persistent VDI?
 The advantages of persistent VDIs are as follows:
 They ease customization.
 They provide an easier transition for users.
 Support is similar to desktops.

 The disadvantages of persistent VDIs are as

follows:
 Larger storage and backup capacities are required.
 There is more support overhead due to image
management.
 There are fewer security benefits.

 One variation of a VDI is called a VDI thick client.

 Thick clients give users access to applications that
are otherwise incompatible with their
workstations.
 Workstation Hardware
Strategies

Bring Your Own Device

 Bring your own device (BYOD) is a service model
where users supply their own hardware device
rather than use one provided by their employer.
 For example, people may already own a mobile
device such as an Android phone or Apple iPad and
want to run corporate applications on them.
 Strategies
 BYOD-only strategy: the IT organization supplies no
hardware and requires users to supply their own device.
 BYOD mixed model strategy: the IT organization
supplies workstations but also permits BYOD.
 BYOD-lite strategy: enables a small number of specific
applications to be accessed, possibly only from registered
devices made by approved vendors.
 Workstation Hardware
Strategies

Bring Your Own Device

 Pros and Cons
 Pros:
 Benefits users because they are typically comfortable
with their current device and find it bothersome to have
to carry a second device for work.
 benefits the company by improving productivity for its
employees without having to accept full responsibility for
hardware support.
 Cons:
 support cost increases due to the added complexity
inherent in supporting a wide variety of models and
devices.
 This complexity can be mitigated by adopting a number
of classes of support.
 Workstation Hardware
Strategies

Bring Your Own Device (BYOD)

 Security
 Mobiledevice management (MDM) software permits
an organization to secure and control the BYOD
devices in the organization.

 MDM Features:
 Deny access unless approved anti-malware software is in use
 Perform end-to-end encryption on all communication
 ability to remotely wipe the device

 BYOD can be a source of data leakage.

 Workstation Software
Life Cycle

Workstation Software Life Cycle

 This is about installing and maintaining the
software that runs on our computers.
 Life of a Machine
 Workstation Software
Life Cycle

Workstation Software Life Cycle

 The diagram depicts five states: new, clean,
configured, unknown, and off:
 New: A completely new, unconfigured, machine
 Clean: A machine on which the OS has been installed but
no localizations performed
 Configured: A correctly configured and operational
environment
 Unknown: A computer that has been misconfigured or
has become outdated
 Off: A machine that has been retired and powered off

OS Installation
 The OS installation process erases any existing
operating system and installs a new one
 Installation is best achieved through automation.
 Workstation Software
Life Cycle

OS Configuration
 After installation, many subsystems and components
need to be configured. Configuration technique as follows:

 Configuration Management Systems

 CM systems are specialized programming languages that permit
you to describe the details of what a properly configured system
should look like, called the desired state of the machine.
 Microsoft Group Policy Objects (GPO)
 A GPO defines some permission or setting to a definition stored in
Active- Directory.
 DHCP Configuration
 Many network settings can be controlled via DHCP. For example,
DHCP can be used to set which DNS server a machine uses
 Package Installation
 Software packages usually include a post-install script—a program
that runs after installation to perform various cleanup tasks.
 Workstation Software
Life Cycle

Updating the System Software

and Applications
 Software-update systems should be general enough to be
able to deploy new applications, to update existing
applications, and to patch the OS.
 The ability to roll out software packages via automated
means is key to a well run environment.
 Update Methods
 No Updates
 this is the easiest option, but in other ways it is the most difficult.
over time the lack of updates will result in security issues and other
problems that create more work than was initially saved. Benefits
reduce variation
 User-Initiated Updates
 User-initiated updates mean the user of the machine is required to
update the system.
 Automated Updates with User Approval
 It’s almost always best to automate updates.
 these updates need to be coordinated so that they do not cause
service interruptions.
 Workstation Software
Rolling Out Changes . . . Life Cycle

Carefully
 An automated update system has the potential to
cause massive damage.
 You must have a process around it to make sure
that risk is managed.
 Create a well-defined release candidate that will be
distributed to all hosts.
 Roll out the change to a small group first
 Establish success criteria for an iteration.
 Workstation Software
Life Cycle

Disposal
 The last stage of life for a machine is disposal. Tasks related to
disposal fall mainly in three categories: accounting, technical, and
physical.
 Accounting:
 Remove the machine from capital inventory.
 Write off any calculated depreciation.
 Remove the machine from any hardware maintenance contracts.
 Technical (decommissioning):
 Move or decommission any remaining services.
 Transfer any data to other hosts or long-term backup media such as
tape.
 Remove the machine from monitoring systems.
 Technical (data security):
 Physically disconnect the machine from the network, or perform the
virtual machine equivalent.
 Reset any onboard management systems to the factory defaults.
 Securely erase all disk, SSD, or other storage.
 Physical:
 Disconnect any remaining cables.
 Remove the machine from the rack.
 OS Installation
Strategies

OS Installation Strategies
 There are many strategies for installing an OS, from
fully manually to fully automated.
 The lack of automation meant that setting up each new
machine took days
 Consistency Is More Important Than Perfection
 If a customer has multiple machines, each
unexpected difference is an unpleasant surprise.
 Consistency makes your team look much more
professional.
 Inconsistency also creates inefficiencies for your
team.
 A small misconfiguration can cause a big problem.
 Manual OS and application installation will always
result in some kind of inconsistency
 OS Installation
Strategies

Installation Strategies
 Installation of the OS and initial applications can be
done by automation, cloning, or manually
 Automation
 All modern OS vendors provide a mechanism to automate OS
installation.
 Microsoft Windows has Microsoft Deployment Toolkit (MDT)
 RedHat Linux has KickStart, Debian has Debconf
 All of these have the same basic components: They have a way
of booting over the network from an installation server.
 An automated installation process does not require a long
installation checklist, but some documentation is needed.
 OS Installation
Strategies

Installation Strategies
 Cloning
 One machine is installed and configured as desired, and a snapshot of that
machine’s disk is saved somewhere.
 The original machine is known as the golden host and the snapshot is
called the golden image.
 An early product was called Ghost. Clonezilla and FOG (Free and Open
Ghost) are now popular open source alternatives.
 Disadvantages of Cloning
 First, if the hardware of the new machine is significantly different
from that of the old machine, you have to make a separate
master image.
 In addition, cloning hides history.
 Automated Image Creation
 Many of these disadvantages can be mitigated or eliminated by
automating the creation of the golden image in a way that can be
reproduced easily
 Packer and Vagrant are two such systems
 Hybrid Cloning and Automation
 The golden image is used to establish a minimal OS install and
the remaining configuration is achieved through other
automation, such as the software distribution system
 OS Installation
Strategies

Installation Strategies
 Manual
 The most basic, and least preferable, way to install and configure
an operating system is manually.
 Manual configuration may include installing applications,
enabling or disabling various features and options, and so
on.
 manual installation results in inconsistently configured
machines.
 Only done when an operating system is new and the
automation has not yet been created.
 Another situation is if the site is so small that new
machines are installed too infrequently to justify creating
such automation.
 another situation is when the machine is that of a remote
employee with limited bandwidth.
 OS Installation
Strategies

When not to automate

 A lack of automation can be justified if there is only one
host of a particular OS/hardware combination.
 if the cost of automation is larger than the time
savings.
 if the vendor has done the world a disservice by making
it impossible (or unsupported) to automate the
Vendor Support of OS Installation
procedure.
 Vendors should make it easy for their operating system
install procedure to be automated.
 When vendors try to sell us new products, always ask
them whether and how installation can be automated.
 Reject vendors that have no appreciation for
deployment issues.
 Workstation Service
Definition

Basic Service Definition

 Service definition should begin with requirements.
 These get translated into technical specifications of
which hardware, operating system, and accessories are
deployed.
 For example, in a call center the requirements might be
a narrowly defined suite of applications required by the
call center employees, plus planned upgrades for the
next three years.
 Workstation Service
Definition

Refresh Cycles
 There needs to be an orderly way of identifying older
hardware and replacing it. Hardware eventually become
obsolete.
 Choosing an Approach
 Generational
 Workstations are installed in large groups, each called a generation.
 Hiring Date
 Another strategy for refresh cycles is based on hiring date.
 Departmental
 each department creates its own strategy and policy. Some
departments will do a good job but most will not.
 Short-Sighted Approaches
 These decisions include foregoing upgrades for multiple years, ignoring
the corporate hardware standards,
 or buying models that have a deceptively low initial purchase price.
 Workstation Service
Definition

Tiered Support Levels

 Tiered support system is a better use of resources to
provide full support to a few, specific platforms and
have a policy of limited support for all others.
 First tier:
 These machines are fully supported, with a list of benefits
including hardware and software driver support, easy OS
reinstallation, and automatic software updates,
 Second tier:
 These machines receive best-effort support.
 Ad hoc support:
 These machines receive no direct support. All support is
selfsupport.
 Forbidden:
 All other machines are not permitted to connect to the
corporate network.
 Workstation Fleet
Logistics

Workstation Fleet Logistics

 Workstation fleet logistics is the business process of
physically delivering new workstations to users.
 Fleet logistics is most efficient when done at scale. This way
we benefit from the economies of mass-production.
 What Employees See
 The best way to envision fleet logistics is by first looking at the end
result, and then looking inside to see how it is accomplished.
 What new employees see is that on their first day their workstation
 Existing employees also know that machines are replaced with
newer models now and then.
 Workstation Fleet
Logistics

What Employees Don’t See

 While employees see the end result, they are unaware
of what goes on behind the scenes to make it all
happen. Many processes work in concert to deliver the
entire service.
 The division of labor requires many teams:
 Purchasing team: Procures machines to be installed
 Prep team: Prepares the machines for use
 Delivery team: Delivers the machines to the users
 Platform teams: Define the hardware/OS platform and are
responsible for OS-related automation
 Network team: Configures network jacks and plans
network capacity. Setting up VLAN for different users
 Tools team: Develops applications that coordinate the
entire fleet program
 Project management: Manages individual projects and
day-to-day operations
 Program office: Oversees the entire fleet management
program
 Workstation Fleet
Logistics

Configuration Management
Database
 The configuration management database (CMDB) is a
system that stores information about all machines in a
fleet.
 The CMDB stores information about a machine—its
name, serial number, who uses it, which operating
system is deployed in it, and so on.
 It also stores desired state
 Workstation Fleet
Logistics

Small-Scale Fleet Logistics

 But what if a company is too small to have a dedicated
Fleet organization?
 Part-Time Fleet Management
 An environment with a handful of machines will not need
such a formal, systematic fleet logistics program.
 Keep good notes so that the ad hoc procedures can be
reused such as
 Vendor list
 Installation procedures
 Delivery checklist
 Welcome letter
 Full-Time Fleet Coordinators
 As the company grows, the work of a fleet logistics team
grows. It may become necessary to have a dedicated IT
coordinator.
 Another model that works well is having a two-person
team: one technical person and one nontechnical person.
 Workstation
Standardization

Workstation Standardization
 How does one take an organization from a mix of
workstation configurations to a unified standard?
 This is surprisingly difficult. People resist change.
 Key Points in Workstation standardization:
 • Involve customers early. Involve customers early in
the planning stages to gather requirements and to help
identify the project’s justification.
 • Release early and iterate. Expose a small group to the
new platform first, fix problems, and then repeat with larger
and larger groups.
 • Have a transition interval. Maintain the old and new
systems at the same time. Do not expect to convert
everyone at the same time.
 • Ratchet. Move in only one direction, toward the goal.
Adopt a strategy that prevents regressions.
 • Don’t let it last forever. Set a cut-off date at which
point legacy machines lose access.
End of chapter 2