Microsoft's SCCM upgrade tackles NAC integration
Next version of Microsoft's system management software will work with the NAP Policy Server in Windows Server 2008
By John Fontana, Network World, 11/01/2007
Microsoft will ship on Nov. 12 its revamped Systems Management Server, now called System Center Configuration Manager 2007, and with it will ship the first piece of the company’s integration between its management platform and its network-access-control
technology, Network Access Protection, which verifies that a client desktop is secure before it's let onto a network. The software
will be unveiled at Microsoft’s TechEd IT Forum in Barcelona.
SCCM 2007 also will include support for modeling technology that will eventually incorporate the management tool into Microsoft’s
service-oriented-architecture (SOA)-based Oslo initiative announced last Tuesday.
NAP’s client technology is included in Windows Vista and back-ported to Windows XP, but the server component won’t ship until
Windows Server 2008 is released early next year. The NAP server technology originally was supposed to ship for Windows 2003
R2, but those plans were scrapped last year.
SCCM 2007, which will integrate with the NAP Policy Server in Windows Server 2008, includes policies that let administrators
enforce the installation of software patches via SCCM’s software installation.
NAP technology checks patch levels and virus signatures as a way of assessing a desktop's "health." The client’s health is
validated against a set of policies, and those clients that don't pass can be put into an isolation area where they stay until
being updated.
The Trusted Computing Group, Cisco and Microsoft represent the three main NAC architectures, and all need software that gathers data about the security posture
of devices seeking network access.
The combination of SCCM 2007 and NAP gives administrators two enforcement policies to ensure that PCs comply with their NAP
configurations. The first taps a NAP policy in SCCM 2007 to set a date to force the installation of patches on PCs that have
failed to install them via usual avenues. The second NAP policy in SCCM 2007 lets administrators expedite patch installation
by forcing machines to load the patches "as soon as possible." The second policy is designed to help users rally defenses
against zero-day exploits.
SCCM 2007 also represents the third piece of software to support Microsoft’s modeling language called the System Definition
Model (SDM).
SDM is a linchpin in Microsoft’s Dynamic Systems Initiative (DSI), a 10-year plan to build a management platform for Windows.
SDM is used to build models that servers and applications use to define their optimum health and operational needs and communicate
that data to the network. System Center Operations Manager and Visual Studio, both of which shipped earlier this year, now
support SDM.
The SDM support eventually will integrate SCCM 2007 and other tools that support the technology with the Oslo initiative,
which is intended to merge models designed around applications, business processes and IT deployments into a single tool.
The set of Oslo technologies is designed to ease rollouts of SOA-based applications and online services.
Comments (2)
RE: Microsoft's SCCM upgrade tackles NAC integration
By Microsoft Subnet on November 1, 2007, 6:28 pm
If you haven't done so already, might want to check out this most excellent transcript of a live chat with Joel Snyder on the Truth about NAC. He discusses what...
More on System Center, SCCM, and NAP integration
By Kerrie Meyler on November 1, 2007, 7:30 pm
You may also want to check out the entry I wrote 10/30 regarding the current System Center lineup, including SCCM and NAP integration with Vista and the forthcoming...