Microsoft Technology Blueprint for Primary and Secondary Schools

Published: May 2007 For the latest information, please see www.microsoft.com/education/blueprint.mspx

Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below. If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, ActiveSync, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Contents
Overview (page 1)
Chapter 1: Introduction to the Blueprint (page 3)
Chapter 2: Educational Institution Objectives (page 6)
Chapter 3: Basic Optimization Level (page 8)
Chapter 4: Standardized Optimization Level (page 19)
Chapter 5: Rationalized Optimization Level (page 37)
Chapter 6: Dynamic Optimization Level (page 40)
Links (page 44)
Acknowledgements (page 51)

Overview
As the world becomes more dependent on technological advances, planning for and managing technology become more and more essential. And although prudent management of technology is important to business and governments, it is perhaps even more critical to educational institutions, which frequently have very limited resources so that the cost of failure can be extremely high. The Microsoft Technology Blueprint for Primary and Secondary Schools provides guidance to assist educational institutions in fully utilizing their current technology and migrating from their current state to a more efficient and effective institution. Because each school has unique issues, priorities, and resources, no Technology Blueprint can be expected to address the specific needs of all schools. Although educational institutions have very specialized requirements, many lessons that have been learned in the business world can apply to the needs of educational institutions.

Chapter Summary
The Blueprint is comprised of the following chapters:

Overview. The overview provides an introduction to the Blueprint and describes the topics that each chapter covers.

Chapter 1, Introduction to the Blueprint. This chapter provides an introduction to the Infrastructure Optimization (IO) Model and describes the four levels of technological maturity on which the Blueprint focuses. In addition, the chapter describes the five capabilities that are required to build a more agile IT infrastructure.

Chapter 2, Educational Institution Objectives. This chapter describes the technical challenges that educational institutions face and summarizes the objectives upon which the Blueprint focuses.

Chapter 3, Basic Optimization Level. This chapter provides an introduction to the Basic level of the IO model. It describes some of the tools that schools at the Basic level use to address technical challenges. In addition, the chapter describes some of the processes and advantages of moving from Basic to the Standardized level.

Chapter 4, Standardized Optimization Level. This chapter discusses how schools at the Standardized level address technical challenges and describes some of the advantages of moving from Standardized to the Rationalized level.

Chapter 5, Rationalized Optimization Level. This chapter describes how schools at the Rationalized level integrate tools and processes to address technical challenges. It also provides a high-level description of the advantages of moving from the Rationalized level to Dynamic.

Chapter 6, Dynamic Optimization Level. This chapter introduces the Dynamic level and describes how schools at this level integrate tools and processes.

Links. This section provides URL links to all of the resources and case studies that the Blueprint references.

Acknowledgements. This section lists the people who contributed to the creation of the Blueprint.

Who Should Read the Blueprint


The intended audience for the Blueprint includes school IT professionals, consultants, and systems architects who are responsible for the planning stages of application or infrastructure development for a school. Although written primarily for these roles, the Blueprint may also be helpful to the school's educational leadership (Board Members, Superintendents, Ministries, etc.).

Feedback
Please direct questions and comments about this guide to edu-sa@microsoft.com.

Chapter 1: Introduction to the Blueprint


The Microsoft Technology Blueprint for Primary and Secondary Schools is designed to help IT support staff and education decision makers plan IT upgrades for their schools. In addition, the Blueprint provides a means for the staff to identify gaps in their environment that prevent them from moving forward with plans to increase the use of technology in schools, as well as to identify where additional technology gains can be made with the existing deployments. Finally, it provides the foundation for a scalable, safe computing environment upon which the school can build additional services. The Blueprint uses the Core Infrastructure Optimization (IO) Model as its basis. Although the Core IO model has multiple levels, the majority of the Blueprint focuses on moving from the Basic level to the Standardized level and from the Standardized level to the Rationalized level. Studies suggest that the majority of schools are at the Basic level. The Core IO model is comprised of the following levels:

Basic. Schools at the Basic level rely on manual, localized processes, have minimal central control, and lack enforced IT policies and standards for security, backup, image management and deployment, compliance, and other common IT practices.

Standardized. At the Standardized level, schools maintain standards and policies to manage desktops and servers, control the way computers are introduced into the network, and use Active Directory to manage resources, security policies, and access control.

Rationalized. At the Rationalized level, the costs involved in managing desktops and servers are at their lowest, and processes and policies have been optimized to play a large role in supporting the school.

Dynamic. The Dynamic level is characterized by IT systems that are self-managing and dynamic. When educational institutions reach this level, IT teams capture and use knowledge to design and deploy manageable systems and automate ongoing operations using system models.

The Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized provides significant detail about what is required to move an organization from Basic to Standardized. The Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized provides significant detail about what is required to move an organization from Standardized to Rationalized.
Note Additional guides are planned to address the movement between other optimization levels. As they become available, this document will be refreshed to reflect those new guides.

Infrastructure Optimization Model


The Infrastructure Optimization (IO) Model helps customers realize dramatic cost savings for their IT infrastructure by moving toward a secure, defined, and highly automated environment. Security improves from vulnerable in a Basic infrastructure to dynamically proactive in a more mature infrastructure. IT infrastructure administrative and managerial processes change from highly manual and reactive to highly automated and proactive.

Microsoft and its partners provide the technologies, processes, and procedures to help customers move along the infrastructure optimization path. Processes move from fragmented or nonexistent to optimized and repeatable. Customers' ability to use technology to improve their business agility and deliver business value increases as they move from the Basic level to the Standardized level, the Rationalized level, and finally to the Dynamic level. The IO Model was developed by industry analysts, the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR), and Microsoft, and is derived from Microsoft's experience with its enterprise customers. A key goal for Microsoft in creating the IO Model was to develop a simple, easy-to-use maturity framework that is flexible and can readily serve as the benchmark for technical capability and business value. The Core IO Model defines five capabilities that are required to build a more agile IT infrastructure:

Identity and Access Management. Describes how customers should manage people and asset identities, which solutions should be implemented to manage and protect their identity data, and how to manage access to resources from mobile users, customers, and/or partners outside of a firewall.

Desktop, Device and Server Management. Describes how customers should manage desktops, mobile devices, and servers, as well as how to deploy patches, operating systems, and applications across the network.

Security and Networking. Describes what customers should consider implementing in their IT infrastructure to help guarantee that information and communication are protected from unauthorized access, while also providing a mechanism to protect the IT infrastructure from denial of service attacks and viruses and preserving access to corporate resources.

Data Protection and Recovery. Provides structured, disciplined backup, storage, and restore management. As information and data stores proliferate, organizations are under increasing pressure to protect that information and provide cost-effective and time-efficient recovery when required.

IT and Security Process. Provides proven best-practice guidance on how to cost-effectively design, develop, operate, and support solutions while achieving high reliability, availability, and security. While rock-solid technology is necessary to meet demands for reliable, available, and highly secure IT services, technology alone is not sufficient; excellence in process and people (skills, roles, and responsibilities) is also needed. This capability is comprised of two processes, Security Process and ITIL/COBIT-Based Management Process, each of which is addressed separately in the Blueprint.

Core IO Model Capability Requirements


The following image lists the requirements for each capability to advance through the optimization levels.

Figure 1. Overview of Core IO Model Capability Requirements

Self Assessment
Prior to implementing any of the recommendations within this document, IT staff should perform a self assessment of the environment to see where they fall within the IO model. They may find that they do not have to implement all the recommendations to move to the next optimization level because they have implemented them previously. Microsoft has a simple online self-assessment tool that IT staff can use to determine the optimization level of the organization. The tool asks a series of yes or no questions and based on the responses produces a Web page that outputs the results. The following graphic shows an example of the simple chart that the self assessment tool produces.

Figure 2. Self Assessment Results Chart

This results chart shows that the Identity and Access Management capability is in Standardized, whereas the other capabilities remain in Basic. Because of these results, the staff would need to focus on moving the other three capabilities to Standardized. To perform a self assessment, see the Core Infrastructure Optimization Assessment site.

Chapter 2: Educational Institution Objectives


Schools face a tremendous number of technical challenges, some of which they share with businesses, while many are unique to schools. Focus groups of educators have summarized some of the general challenges as:

Raising academic standards/lack of visibility into student progress
Business management: inefficient operations and a lack of insight into where money is spent
Communication and access to information for parents and students
Curriculum and lesson sharing among educators

Raising Academic Standards/Lack of Visibility into Student Progress


All education stakeholders require some ability to assess student learning. Regional officials need to be able to assess the overall effectiveness of the education programs. School administrators need to know how well students are doing at their schools. This information is also required by classroom teachers, parents, the school community, and the students themselves. This student progress data can assist decision makers in making changes to the curriculum and to teaching. Accurate, timely, and integrated data can assist school administrators and superintendents in understanding the relationships between direct expenditures (e.g. teachers, books, and classroom computers), indirect expenditures (transportation, lunches, etc.), and student performance. Finally, many government agencies require various detailed reports.

Case studies:
Jefferson County Public Schools: Close Achievement Gaps in Student Performance
Lake Washington School District: Collaborative Learning Portal Promotes Student Success at Lake Washington School District
Ninestiles School: Anytime Anywhere Learning

Business Management: Inefficient Operations and a Lack of Insight into Where Money Is Spent
With scarce resources and highly diverse, specialized funding (for special needs children, grants, capital funds, etc.), schools need to manage resources efficiently and be able to provide funding agencies with reports on how and where funds were spent. These funds are distributed by departments throughout school districts to purchase a myriad of items, from pencils, food, or large equipment to major capital improvements that require substantial, detailed accounting. Finally, because of government regulations and local community scrutiny, there is a need for clear, easily readable reports.

Case studies:
Oregon Department of Education: Web-Based Solution Enables Better Decision-Making, Productivity for the Oregon Department of Education
Ivy Tech Community College: Community College Improves Enrollment Forecasting, Positions to Meet Growth Goal
University of Southern Mississippi: University Boosts Productivity by 40 Percent, Saving U.S.$66,000 Annually

Communication and Access to Information for Parents and Students


Successful educational institutions have found that strong communications between the schools, classrooms, students, parents, and communities are essential. School announcements such as the school calendar, testing, sports, parent meetings, policy changes, and staff changes help parents stay connected to the educational institution.

Case studies:
The School District of Philadelphia: Messaging Solution Boosts Communication Among Students, Educators, and Parents
Elementary School of National Hero Maks Pear: Slovenian School Improves Communication with Parents
Anoka-Hennepin School District: Identity Management Solution Keeps Parents in Large Minnesota School District Informed
Edmonton Catholic Schools: Provide Parents with a Window into the Classroom
Greenhill School: Making the Grade with Microsoft FrontPage 2000
Tracy Unified School District: School District Learns E-Mail Security Can Do More, Cost Less, and Be Easier to Use

Curriculum and Lesson Sharing Among Educators


Successful educational institutions have found substantial success when they stay current with world changes, education trends, and resources. There is a great need to facilitate communication between peer institutions, schools, and the world. There is also substantial concern about ensuring copyright protection through these exchanges.

Case studies:
The Department of Education for Northern Ireland: Northern Ireland Chalks Up Educational Excellence with Microsoft Innovative Teachers Programme
Miami-Dade County Public Schools: Collaborative Portal Improves Education for Fourth-Largest U.S. School District

Chapter 3: Basic Optimization Level


The following section describes how schools at the Basic level address the technical challenges described in Chapter 2, "Educational Institution Objectives," of the Blueprint.

Raising Academic Standards/Lack of Visibility into Student Progress


Many teachers at schools at the Basic level of the Core IO Model perform a substantial amount of manual analysis of data because the tools that they have are not completely integrated. These tools include spreadsheets, which allow classroom teachers to correlate test objectives to student performance to determine the student's level of mastery of an objective in contrast to overall test scores. They can also analyze student progress data on a per-pupil or per-classroom basis. There are also several effective stand-alone applications that help to facilitate instructional support and track student performance.

Case studies and references:
Hutchesons Grammar School: Leading Scottish Grammar School Maintains High Standards Online
Denbigh High School: Teachers' Lesson Preparation Time Reduced with Free Education Support Tools
Microsoft Office Online: Templates for teachers

Business Management: Inefficient Operations and a Lack of Insight into Where Money Is Spent
Most effective schools at the Basic level perform a substantial amount of manual work using stand-alone accounting software or specialized Enterprise Management Systems. These schools use stand-alone systems for manual work and analysis and then download the reports into spreadsheets for further analysis, which typically includes combining and segmenting data using tools such as rollup reports and pivot tables. The financial officers can provide several perspectives on the financial condition of the schools. Office staff use stand-alone word processing programs for inter-office communications and spreadsheets to assist in tracking school and office funds. The IT Help desk provides an e-mail- or database-based help system in which school staff submit help requests. These requests are sent to an IT Help e-mail alias so that IT staff can schedule responses based on a pre-established priority system. The requests are tracked in a stand-alone database.

References:
Use Microsoft Dynamics and 2007 Microsoft Office system together for best results
Service call management database: Call Center Template

Communication and Access to Information for Parents and Students


Most effective schools at the Basic level perform a substantial amount of manual work to communicate with parents; however, some technology efficiencies are frequently used. By using student information databases, mailing lists can be maintained for sending notices and announcements to parents. Also, word processing and publishing software provide templates for newsletters (e.g. all-school, per-class, or student-generated). These utilities also provide Web site templates that schools can use to create Web sites, which can be hosted by the institution or by low-cost vendors, depending on the needs and capabilities of the institution. A great number of schools use direct e-mail to send announcements to parents and also provide individual staff addresses and/or monitored department e-mail aliases so that parents and the community can communicate with the school at any time.

Curriculum and Lesson Sharing Among Educators


Most effective schools at the Basic level participate in education conferences and subscribe to education newsletters (via snail mail and e-mail). Many also find value in participating in online user groups. There are also several newsgroups that facilitate detailed educational discussions. Many of the effective schools leverage support information from government-run Web sites (even beyond their region) as well as access the Web sites of other organizations.

Basic IT Infrastructure
The Basic IT infrastructure is characterized by manual, localized processes; minimal central control; and nonexistent or unenforced IT policies and standards for security, backup, image management and deployment, compliance, and other common IT practices. Overall health of applications and services is unknown due to a lack of tools and resources. Generally, all patches, software deployments, and services are provided manually.

Moving to Standardized
Customers benefit substantially by moving from this Basic level of infrastructure to a Standardized infrastructure, helping them to dramatically reduce work effort by:

Developing standards, policies, and controls with an enforcement strategy.
Mitigating security risks by developing a "defense in depth" posture: a layered approach to security at the perimeter, server, desktop, and application levels.
Automating many manual and time-consuming tasks.
Adopting best practices, such as those of the IT Infrastructure Library (ITIL); the SysAdmin, Audit, Network, and Security Institute (SANS); and so on.

The Standardized infrastructure introduces controls through the use of standards and policies to manage desktops and servers; through the way computers are introduced to the network; and through use of the Active Directory directory service to manage resources, security policies, and access control. Customers in a Standardized state have realized the value of basic standards and some policies, yet still have room to improve. Generally, all software updates, software deployments, and desktop service are provided through medium touch with medium to high cost. However, these customers have a reasonable inventory of hardware and software and are beginning to manage licenses. Security measures are improved with a locked-down perimeter, but internal security may still be a risk.

Identity and Access Management


A directory service is a core foundational service that provides key advantages to educational organizations. The most common use is for identity management. The directory service provides some form of authentication and authorization control system for the environment. For example, access to a portal system can be controlled through accounts issued within the directory. This allows the organization to control who has access to what data; for example, students can see their own grades or class schedules, but not someone else's. In addition, the directory service provides a storehouse for data related to that user's identity. Applications can leverage the directory to store key configuration data and to perform lookups against that data. Mail servers, for example, can store the user's e-mail address information within the directory and associate it with the owner. Finally, some directory services provide network management functionality for network resources. For example, Active Directory can store Group Policy objects that point to policy information. This information can be uniformly applied to computers within the environment. It should be noted that as you move through the IO model, computer configuration through a policy system is required. If you do not have a directory service in place within the organization that is authenticating 80 percent or more of your users, read the Directory Services for Authentication of Users section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Desktop, Device and Server Management


IT professionals today face immense challenges in implementing effective software update management strategies: more devices and mobile users now access corporate networks; there is a consistent stream of security updates from software and hardware vendors; footprints for systems and applications are expanding; there is an almost daily identification of new security threats; and the attacker community is now much more sophisticated. The Standardized level of the Core IO Model addresses the key areas of management, including:

Automated patch distribution to desktops and laptops
Managing and consolidating standard desktop images
Consolidation of desktop images to two operating system versions
Centrally managing connected mobile devices
Identity validation, data protection, and data backup of mobile devices

The Standardized level of optimization requires that your organization has procedures and tools in place to automate patch distribution, manage and consolidate standard desktop images, and centrally manage connected mobile devices.

Automated Patch Distribution


The patch management process that Microsoft recommends is a four-phase approach to managing software updates, which is designed to give your organization control over the deployment and maintenance of interim software releases into your production environment. These phases are:

Assess. The process starts with assessment, because you need to determine what you have in your production environment, what security threats and vulnerabilities you might face, and whether your organization is prepared to respond to a new software update.

Identify. Your goal during the Identify phase is to discover new software updates in a reliable way, determine whether they are relevant to your production environment, and determine whether an update represents a normal or emergency change.

Evaluate and plan. Your goal during the Evaluate and Plan phase is to make a go/no-go decision to deploy the software update, determine what resources the deployment requires, and test the software update in a production-like environment to confirm that it does not compromise business-critical systems and applications.

Deploy. Your goal during the Deploy phase is to roll out the approved software update successfully into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

By using an automated patch distribution process, educational institutions can ensure that their resources are properly patched. These updates protect the system from crashes due to bugs in the software, and also protect against the security threats that appear constantly. An automated patch distribution process requires fewer people and less time to fully patch an environment. If you do not have an automated patch distribution process in place for 80 percent or more of your desktops and laptops, read the Automated Patch Distribution to Desktops and Laptops section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Manage and Consolidate Standard Desktop Images


To succeed in deploying an operating system, organizations must use the best technology and business processes available, in addition to best practices for optimizing those technologies. By developing baselines for the computing environment, educational institutions have a known and fixed configuration for deployment, which lowers the cost of support, troubleshooting, and other operations. Through imaging, a standard build that includes core applications, the operating system, and any additional organization requirements can be used for workstation deployment. There are three primary strategies for standard images: thick images, thin images, and hybrid images.

Thick Images

Thick images contain the operating system, applications, and other standard files. The advantage of thick images is simplicity: deployment is a single step because all files are deployed at once. Also, applications are available on first run. The disadvantages are maintenance, storage, and network costs. Thick images also limit flexibility. Either all computers receive all applications whether or not they need them, or many different thick images must be developed and maintained. Using thick images is a common legacy approach.

Thin Images

These images contain few if any applications. The advantages of thin images are many: they cost less to build, maintain, and test; network and storage costs are lower; and they offer far greater flexibility. However, this flexibility increases deployment and networking costs.

Hybrid Images

Hybrid images are a combination of thick and thin images. In a hybrid image, the disk image is configured to install applications on first run, giving the illusion of a thick image but installing the applications from a network source. Hybrid images have most of the advantages of thin images, yet are not as complex to develop and do not require a software distribution infrastructure. Installation times are longer, which can increase initial deployment costs. An alternative is to start with a tested thin image and build a thick image on top of it. Testing of the thick image is minimized, because the imaging process is essentially the same as a regular deployment. Another alternative is to add a minimum number of core applications to a thin image. These applications could include antivirus software and line-of-business (LOB) applications required on all computers in the organization.

Deployment of images can be done in a number of ways. The two recommended methods are called Lite Touch Installation and Zero Touch Installation. In Lite Touch Installation, an image is configured with the majority of the configuration settings defined. The actual launch of the installation is done manually via a boot disk, by leveraging the network, with a bootable image CD, or by some other means. In addition, a few configuration settings may need to be applied manually. This is the recommended installation method for the Standardized level. In Zero Touch Installation, the image installation is initiated automatically. All configuration settings are defined so that the administrator does not perform any manual post-installation steps. Because of this, it takes more time to customize this form of deployment.

If you do not have a defined strategy for image-based deployments, a defined set of disk images, and tools for deploying the images for 80 percent or more of your client computers, read the Defined Standard Images for Desktops and Laptops section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Consolidation of Desktop Images to Two Operating System Versions


There are several things to consider when deploying multiple operating systems within an organization. These include:
- Maintenance of multiple standard images
- Availability of patches and updates
- Cost of extended maintenance contracts
- User productivity
- Application compatibility

Where possible, the educational institution should attempt to limit the number of images to the absolute minimum required for the environment. Having a large number of images increases the cost of management associated with maintaining them. While a goal of two would be ideal, it is understood that exceptions will need to be made for a variety of reasons.

Chapter 4: Standardized Optimization Level


If you are managing more than two operating system versions in your desktop environment, read the Consolidation of Desktop Images to Two Operating System Versions section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Centrally Manage Connected Mobile Devices


Organizations worldwide use mobile devices to accelerate business cycles, increase productivity, reduce operating costs, and extend their infrastructure. With this growing reliance on mobile devices, it is critical for administrators to understand their mobile environment, to ensure users set up secure network access, and to deliver new business capabilities while utilizing existing infrastructure investments. Mobile-device management is a relatively new concept and there are limited offerings from Microsoft and its partners to supplement management tools for client and server devices. The primary products currently available from Microsoft are Microsoft Exchange Server with ActiveSync, Direct Push, Remote Wipe, and Systems Management Server (SMS) 2003 with the Device Management Feature Pack. Additional products are offered from Microsoft partners and software vendors such as Odyssey Software, Bluefire, and iAnywhere to manage mobile devices. It should be noted that for features such as ActiveSync to work correctly, an Active Directory domain must be deployed and the Exchange Servers must be members of the domain. If you support/supply mobile devices and do not have a centralized solution to track, manage and upgrade your mobile devices, read the Centralized Management of Mobile Devices section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Identity Validation, Data Protection, and Data Backup of Mobile Devices


Lost or stolen mobile devices can compromise sensitive information and allow unintended access to networks. You must protect these resources by implementing thorough policies and software. This section of the guide addresses areas where you can take steps to secure information and networks in your organization. These areas are:
- User access
- Passwords
- Device lockout
- Certificates
- Data encryption
- Remote device wipe
- Data access

For information about mobile device security from Microsoft, see Windows Mobile 5.0 Messaging and Security Feature Pack. If you support or supply mobile devices and do not use identity validation, data protection and backup for mobile devices, read the Identity Validation, Data Protection, and Data Backup of Mobile Devices section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.


Security and Networking


To move the organization to the Standardized level within the Security and Networking capability, there are four key areas that need to be addressed. These areas are:
- Antivirus with automated signature updating
- Centralized firewall services
- Internally managed DNS, DHCP and WINS services
- Monitoring of critical servers

Antivirus with Automated Signature Updating


Antivirus software is critical for defending an organization from malicious software, commonly known as malware. However, the effectiveness of the protection granted by antivirus software is greatly diminished if it is not correctly implemented. For example, the antivirus solution must have the ability to obtain new virus signature files automatically and on a timely basis. Malware threats change daily, and without update capabilities it is only a matter of time before an organization is infected with a new malware variant that the antivirus solution does not recognize. To protect systems effectively, the following should be done:
1. Reduce the attack surface of the computer by removing unnecessary applications and services.
2. Ensure systems are promptly patched with security updates.
3. Enable the host-based firewall (personal firewall) on the clients, if available.
4. Install antivirus software with the ability to update signatures automatically or remotely.
5. Test the security with vulnerability scanners.
If you do not have antivirus software with automated signature updating running on 80 percent or more of your desktops, read the Antivirus Software for Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Centralized Firewall Services


Firewalls are a key part of keeping networked computers safe and secure. All computers need the protection of a firewall, whether it's the multitude of servers and desktops that compose the school's network, or a teacher's laptop connecting to the wireless network of a coffee shop. More modern client operating systems include a host-based firewall (also called a personal firewall), and users of older systems can purchase such firewalls as well. However, the IO model at this point calls only for a network firewall at the perimeter. If you do not have a centralized firewall protecting 80 percent or more of your systems, read the Centralized Firewall Services section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Internally Managed DNS, DHCP and WINS Services


IT networks in today's organizations have multitudes of computing devices, ranging from high-end servers to personal computers, which need to communicate with each other over the local area network (LAN). To do so, each device needs to have an identity in the form of either a logical device name (chosen by the organization) or an address that uniquely identifies the device and its location on the network.


DNS, DHCP, and WINS are three mechanisms that are essential to the provision of IP address allocation and management services in enterprise environments. There are alternative mechanisms, but in most cases DNS and DHCP provide the backbone of any service, and WINS fulfills any requirement to collocate DNS and NetBIOS addressing schemes. If you do not have internal servers for basic networking, read the Internally Managed Basic Networking Services (DNS, DHCP, WINS) section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Monitoring of Critical Servers


The efficiency and productivity of your organization's computing infrastructure is dependent on the continuous availability of critical servers such as DNS, DHCP, and email servers. You need to establish policies and procedures to monitor these servers so that you quickly become aware of decreased performance or interruptions of service. Software is available to automate this monitoring and send alerts to the appropriate people so that they can take corrective steps. If you do not have monitoring software that monitors 80 percent of your critical servers for performance, events and alerts, read the Availability Monitoring of Critical Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.
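As an added example (not from the Blueprint or from any Microsoft product), the following Python monitor shows the shape of the availability check this section calls for: each critical service has a probe, an alert is raised only after a configurable number of consecutive failed probes (so one dropped packet does not page anyone), and a recovery notice follows once the service answers again. The DNS probe also checks that the answer is the expected address, because a server that resolves names to the wrong place is not healthy. The service names, the notify callable and the scripted probe results are constructed for the demonstration.

```python
"""Availability monitor for critical services (DNS, DHCP, mail).

Added example, not part of the Blueprint: each service has a probe;
an alert is raised only after `failure_threshold` consecutive failed
probes, and a recovery notice is sent once the service answers again.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

Probe = Callable[[], bool]   # True when the service answered correctly


def dns_probe(hostname: str, expected_prefix: str = "") -> Probe:
    """Resolve hostname and require the answer to start with expected_prefix,
    so a server that resolves names to the wrong address is not counted healthy."""
    def probe() -> bool:
        return socket.gethostbyname(hostname).startswith(expected_prefix)
    return probe


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Probe:
    """Succeed when a TCP connection to host:port is accepted (e.g. SMTP on 25)."""
    def probe() -> bool:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    return probe


def scripted_probe(results: Iterable[bool]) -> Probe:
    """Offline stand-in for a real probe: returns constructed results, one per poll."""
    it = iter(results)
    return lambda: next(it)


@dataclass
class ServiceState:
    name: str
    probe: Probe
    failure_threshold: int = 3        # consecutive failures before alerting
    consecutive_failures: int = 0
    alerting: bool = False            # True while an alert is open


@dataclass
class Monitor:
    services: List[ServiceState]
    notify: Callable[[str], None]     # assumed gateway to e-mail or pager
    history: List[str] = field(default_factory=list)

    def poll(self) -> List[str]:
        """Probe every service once; return the notifications raised this cycle."""
        raised: List[str] = []
        for svc in self.services:
            try:
                ok = svc.probe()
            except Exception:         # a probe that throws (timeout, NXDOMAIN) is a failure
                ok = False
            if ok:
                if svc.alerting:
                    svc.alerting = False
                    raised.append(f"RECOVERED {svc.name}")
                svc.consecutive_failures = 0
                continue
            svc.consecutive_failures += 1
            if svc.consecutive_failures >= svc.failure_threshold and not svc.alerting:
                svc.alerting = True
                raised.append(f"DOWN {svc.name}: {svc.consecutive_failures} consecutive failed probes")
        for msg in raised:
            self.notify(msg)
        self.history.extend(raised)
        return raised


def run_sample() -> List[str]:
    """Five polling cycles over constructed probe results; returns the notices sent."""
    notices: List[str] = []
    monitor = Monitor(
        services=[
            ServiceState("dns", scripted_probe([True, False, False, False, True])),
            ServiceState("dhcp", scripted_probe([True, False, True, False, False])),
            ServiceState("mail", scripted_probe([False, False, False, False, False])),
        ],
        notify=notices.append,
    )
    for _ in range(5):
        monitor.poll()
    return notices


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In the sample run the DHCP service fails intermittently but never three times in a row, so it produces no alert; the mail service alerts on the third cycle and stays in the alerting state, and DNS alerts on the fourth cycle and sends a single recovery notice on the fifth. In production the scripted probes would be replaced by `dns_probe` and `tcp_probe` pointed at the real servers, polled on a schedule.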

Additional Information
The following resources don't explicitly reference the Core IO Model, but they provide guidance that the IT staff should consider as they plan a move from Basic to Standardized.
- Securing Windows 2000 Server
- Windows Server 2003 Security Guide

Data Protection and Recovery


The Standardized level of the Core IO Model addresses key areas of Data Protection and Recovery, including Defined Backup and Restore Services for Critical Servers. It requires that your organization has procedures and tools in place to manage backup and recovery of data on critical servers.

Defined Backup and Restore Services for Critical Servers


Backup and recovery technologies provide a cornerstone of data protection strategies that help organizations meet their requirements for data availability and accessibility. Storing, restoring, and recovering data are key storage management operational activities. Data centers can use redundant components and fault tolerance technologies (such as server clustering, software mirroring, and hardware mirroring) to replicate crucial data to ensure high availability. However, these technologies alone cannot solve issues caused by data corruption or deletion, which can occur due to application bugs, viruses, security breaches, or user errors. There may also be a requirement for retaining information in an archival form; this requirement may extend to transactional data, documents, and collaborative information such as e-mail. Therefore, it is necessary to have a data protection strategy that includes a comprehensive backup and recovery scheme to protect data from any kind of unplanned outage or disaster, or to meet requirements for data retention.


If you do not have a backup and restore solution for 80 percent or more of your critical servers, read the Defined Backup and Restore Services for Critical Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

Security Process
Security process is a key element of infrastructure optimization, and security must be part of the design criteria for all procedures and technologies highlighted by the Core IO Model. Most organizations know that it is important to protect their data and resources from loss or damage due to theft, human or computer error, malicious intent, or any number of other events. You can take steps to limit the opportunities for loss or damage to occur. You can also establish policies and procedures to respond to and minimize the effects of the loss or damage to your IT environment. To move the organization to the Standardized level within the Security Process capability, there are four key areas that need to be addressed. These areas are:
- Security policies
- Risk assessment
- Incident response
- Data security

Security Policies
To establish an effective set of security policies and controls you need to determine the vulnerabilities that exist in your computer systems and review the security policies and controls that guard them. This review should cover areas where policies are lacking, in addition to examining current policies. Some of these areas are:
- Physical computer security policies such as physical access controls.
- Network security policies (for example, e-mail and Internet policies).
- Data security policies (access control and integrity controls).
- Contingency and disaster recovery plans and tests.
- Computer security awareness and training.
- Computer security management and coordination policies.
- Compliance of acquired software.

Your organization should have a person dedicated to reviewing and maintaining the security policies and setting the security strategy of the organization.

Risk Assessment
With a formal security risk management process, organizations can operate in the most cost-efficient manner, with a known and acceptable level of risk. A formal security risk management process also gives organizations a consistent, clear path to organize and prioritize limited resources to manage risk. You will realize the benefits of using security risk management when you implement cost-effective controls that lower risk to an acceptable level.


Incident Response
When a security event occurs, IT professionals might feel like the only things they have time to do are to contain the situation, figure out what happened, and fix the affected systems as quickly as possible. Some might try to identify the root cause, but even that might seem like a luxury under extreme resource constraints. While this kind of reactive approach can be an effective tactic, imposing a small degree of order to the reactive approach can help organizations of all types to better use their resources. With proper planning, your organization can be proactive in addressing breaches of security.

Data Security
One of the most important tasks of the IT department is ensuring the security of company data. There are several steps you can take to move to the Standardized level for data security.
- Implement antivirus controls on all computers. (See the "Antivirus with Automated Signature Updating" section earlier in this guide.)
- Establish consistent policies for classifying sensitive data.
- Establish consistent processes to identify security issues and threats that could compromise sensitive company data.

For a full discussion of data security, see the Data Security and Data Availability in the Administrative Authority white paper. If you do not have plans in place for security policies, risk assessment, incident response, and data security, read the Security Policies, Risk Assessment, Incident Response, and Data Security section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.

ITIL/COBIT-Based Management Process


Best practice processes must be defined for all tasks highlighted in the Core IO Model in order to receive maximum benefit and performance. The Standardized level of optimization requires that your organization has defined procedures for incident management, problem management, user support, configuration management, and change management.

Support and Change Management Process


Infrastructure optimization goes beyond products and technologies. People and processes compose a large portion of an organization's IT service maturity. A number of standards and best practice organizations address the areas of people and process in IT service management. The Microsoft Operations Framework (MOF) applies much of the knowledge contained in the IT Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT) standards and makes them actionable and achievable for Microsoft customers. MOF covers such topics as:
- Incident management. This critical process provides organizations with the ability to first detect incidents, and then target the correct support to resolve the incidents as quickly as possible.
- Problem management. By implementing problem management processes at the same time as incident management processes, organizations can identify and resolve the root causes of any significant or recurring incidents, thus reducing the likelihood of recurrence.
- Improving end-user support services. Support services, or the Service Desk, is the first point of contact for the organization. Its efficient and effective response to customer problems and concerns can do much to enhance the reputation of the organization.
- Configuration management. A key principle in effectively managing an IT infrastructure is to document its components and the relationships between them. Configuration management provides the foundation for decision-making in change management, negotiating SLAs, assessing IT capacity, and other critical processes.
- Implementing change management best practices. Change management describes a consistent set of processes to initiate infrastructure changes, assess and document their potential impacts, approve their implementation, and schedule and review their deployment.

If you do not have a process for incident, problem, service, configuration, and change management, read the Support and Change Management Process section in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized.



The following section describes how schools at the Standardized level address the technical challenges described in Chapter 2, "Educational Institutional Objectives."

Raising Academic Standards/Lack of Visibility into Student Progress


Teachers at schools at the Standardized level have found tremendous results in providing Web-accessible document exchange portals. These institutions provide tools that teachers who have minimal technical expertise can use to update their classroom Web sites. School departments can also have easily maintainable Web sites. Secured accounts can be established for students and parents so that they can monitor ongoing student progress over the Internet. Resources such as virtual libraries give students, parents and teachers much more access than most schools would be able to provide in a physical school library. Instructional support tools including online science experiments, music, art, and language support tools are also available and manageable for Standardized level schools. The parent and student accounts and Internet infrastructure can also facilitate anyplace, anytime learning. Case studies:
- Lenawee Intermediate School District (LISD): Michigan District Boosts Student-Teacher Interaction, Enhances Classroom Instruction
- Western Heights Public Schools Meet NCLB Requirements, Gain US$400,000 in Revenue
- Ninestiles School: Anytime Anywhere Learning
- Wolverhampton City Council Mobilises Learning to Give Students Access to Anywhere, Anytime Education
- Mere Green Combined School Unlocks the Potential of Every Child

Business Management: Inefficient Operations and a Lack of Insight into Where Money Is Spent
Most effective schools at the Standardized level value the integration of their student data management system, the business management systems, instructional management, and technology services. The integration of these systems allows business managers to track and report the flow of resources from funding agencies to their expenditures. It reduces redundancy, prevents erroneous and outdated data from being maintained or used for analysis, and provides standard and customizable detailed reports. The office staff uses integrated office communications systems that combine the word processing, spreadsheet, e-mail, Internet, and phone systems. This infrastructure makes for efficient office management and communications between departments and allows reports to be rolled up to regional reports. In addition, interoffice employee management systems, such as Human Resource services, are accessible to all employees. The IT Help desk provides an e-mail or database-based help system in which school staff can make and track requests. The tracking system provides report capabilities, allowing the IT management to perform root cause and trend analysis. Case studies:
- Delaware Department of Education (DDOE): Delaware Schools Meet NCLB Requirements, Cut Costs by U.S.$740,000
- Sydney Anglican Schools Corporation Implements Powerful Financial System
- Nebraska Department of Education: Web-Based School Assessment System Wins Political Points
- Department of Education and Training Victoria: DET Victoria Saves up to $208,000 a Year with Microsoft Office SharePoint Server 2007
- Saskatchewan Learning: Saskatchewan School Boards Score Top Marks in Efficiency with New Financial Management System

Communication and Access to Information for Parents and Students


Most effective schools at the Standardized level leverage their access to the Internet by using e-mail aliases to broadcast communications to parents. They also provide Web sites, which parents can access from home, work, libraries, etc., that provide class announcements, supplementary instructional materials, and homework assignments. These Web sites are easily maintained even by non-technical classroom teachers. Students and parents are provided with secure access accounts so they can monitor the student's academic progress and attendance. Case studies:
- Northern Lights Public School Builds an Award-Winning Learning Environment
- UK Schools: Parents Help Cut Truancies and Improve Pupil Performance

Curriculum and Lesson Sharing Among Educators


Many effective schools at the Standardized level provide Web-based tools with which educators can share best practices and references, post questions and answers, provide peer reviews of materials, and facilitate relationships between teachers internationally, which helps them better prepare their students for communications and exchanges with the international community. Recent increases in the usage of distance learning and teleconferencing facilitate teacher participation in peer discussions and training. Case studies:
- Carson-Dellosa Publishing: Educational Publisher Speeds Time-to-Market with Information Sharing Solution
- Sandwell Borough Council: Portal Solution Brings the Whole Community Together to Raise Educational Standards
- Perm Municipal Education and Science Committee Increases Staff Productivity Thanks To Collaborative Solution


Standardized IT Infrastructure
The Standardized infrastructure introduces controls through the use of standards and policies to manage desktops and servers; to control the way computers are introduced into the network; and by using Active Directory to manage resources, security policies, and access control. Organizations in a Standardized state have realized the value of basic standards and some policies, yet still have room to improve. Generally, all patches, software deployments, and desktop service are provided through medium touch with medium to high cost. They have a reasonable inventory of hardware and software and are beginning to manage licenses. Security measures are improved with a locked-down perimeter, but internal security may still be a risk.

Moving to Rationalized
By moving to a Rationalized IT infrastructure, you can improve your organization's infrastructure and take control with automated systems management and automated identity and access management. At this level, your IT staff can access tools and information efficiently, service-level agreements are linked to organizational objectives, and your organization can benefit from clearly defined and enforced images, heightened security, and reliable best practices.

Identity and Access Management


IT Administrators face increasingly complex challenges in managing their IT infrastructures. They must deliver and maintain customized desktop configurations for many types of workers, including mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Changes to standard operating system images might be required on an ongoing basis. Security settings and updates must be delivered efficiently to all the computers and devices in the educational institution. New users need to be productive quickly without receiving costly training. In the event of a computer failure or disaster, service must be restored with a minimum of data loss and interruption. The Rationalized level of the Core IO Model addresses the key areas of Identity and Access management including:
- Configuration monitoring
- Policy-based configuration settings for desktops

Configuration Monitoring
Configuration monitoring tools are available that provide reports on out-of-compliance configurations. Some educational institutions may want to report on out-of-compliance computers and then determine the correct course of action to bring each computer back into compliance. For example, if a school wants to enforce that an application is installed on all computers, but that application requires drivers that do not exist for certain hardware types in the environment, the best option may be to monitor these out-of-compliance computers and determine the best way to resolve them on an individual basis. The Rationalized level of the Core IO Model requires implementation of a directory-based configuration management infrastructure using Group Policy and recommends, but does not require, stand-alone configuration monitoring tools. Although there are a number of third-party options available, Microsoft offers two types of tools to monitor configuration compliance: Best Practices Analyzers and Systems Management Server 2003 Desired Configuration Monitoring. Best Practices Analyzers (BPA) from Microsoft contain pre-defined best practice settings and reports. These free downloads are available for Microsoft server products including Microsoft Exchange Server, Microsoft Internet Security and Acceleration Server, and Microsoft SQL Server. Systems Management Server 2003 Desired Configuration Monitoring, which is also a free download, enables organizations to define desired configuration settings or rules and to monitor compliance. In addition to these tools, there are a number of software applications available from Microsoft partners to define and manage standard configuration.
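The following Python script is an added example, written for this page; it is not the Blueprint's code and not SMS 2003 Desired Configuration Monitoring or a Best Practices Analyzer. It serves two passages at once: the desktop protection checklist in "Antivirus with Automated Signature Updating" (antivirus present, signatures fresh, host firewall on, critical patches applied, unnecessary services removed) and the out-of-compliance reporting described here, including the driver case, where a required application cannot be installed on some hardware models and those computers should be reported for an individual decision rather than counted as failures. A baseline of rules is evaluated against per-computer inventory records and summarized per rule against the 80 percent target the guide uses. The inventory, the reference date, the application name "LabScanner", the model names and the three-day signature-age limit are all constructed for the example.

```python
"""Desired-configuration compliance report (added example, not Microsoft code).

Rules from a baseline are evaluated against per-computer inventory
records. A rule may carry an exemption predicate: a computer whose
hardware cannot run a required application is reported as "exempt"
(needs an individual decision) instead of as a failure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Callable, Dict, List, Optional

Inventory = Dict[str, Any]
Status = str   # "compliant" | "noncompliant" | "exempt"


@dataclass
class Rule:
    name: str
    check: Callable[[Inventory], bool]
    exempt: Optional[Callable[[Inventory], bool]] = None


TODAY = date(2007, 5, 15)                 # constructed reference date
MAX_SIGNATURE_AGE = timedelta(days=3)     # assumed local policy for signature freshness
REQUIRED_APP = "LabScanner"               # hypothetical application required on all desktops
MODELS_WITHOUT_DRIVER = {"Model B"}       # constructed: hardware the app has no driver for
UNNECESSARY_SERVICES = {"Telnet", "FTP"}  # assumed attack-surface reduction list


def signatures_current(inv: Inventory) -> bool:
    """Signatures count as current only if antivirus is installed and recently updated."""
    av = inv.get("antivirus")
    if not av:
        return False
    return TODAY - date.fromisoformat(av["signature_date"]) <= MAX_SIGNATURE_AGE


BASELINE: List[Rule] = [
    Rule("antivirus installed", lambda inv: inv.get("antivirus") is not None),
    Rule("antivirus signatures current", signatures_current),
    Rule("host firewall enabled", lambda inv: bool(inv.get("firewall_enabled"))),
    Rule("no missing critical patches", lambda inv: not inv.get("missing_critical_patches")),
    Rule("no unnecessary services",
         lambda inv: not (set(inv.get("services", [])) & UNNECESSARY_SERVICES)),
    Rule("required application present",
         lambda inv: REQUIRED_APP in inv.get("apps", []),
         exempt=lambda inv: inv.get("hardware_model") in MODELS_WITHOUT_DRIVER),
]


def evaluate(inventories: Dict[str, Inventory],
             rules: List[Rule] = BASELINE) -> Dict[str, Dict[str, Status]]:
    """Per-computer status for every rule."""
    report: Dict[str, Dict[str, Status]] = {}
    for computer, inv in inventories.items():
        statuses: Dict[str, Status] = {}
        for rule in rules:
            if rule.check(inv):
                statuses[rule.name] = "compliant"
            elif rule.exempt and rule.exempt(inv):
                statuses[rule.name] = "exempt"
            else:
                statuses[rule.name] = "noncompliant"
        report[computer] = statuses
    return report


def summarize(report: Dict[str, Dict[str, Status]]) -> Dict[str, Dict[str, Any]]:
    """Per-rule counts; percent is computed over non-exempt computers only."""
    summary: Dict[str, Dict[str, Any]] = {}
    for statuses in report.values():
        for rule, status in statuses.items():
            counts = summary.setdefault(rule, {"compliant": 0, "noncompliant": 0, "exempt": 0})
            counts[status] += 1
    for counts in summary.values():
        scored = counts["compliant"] + counts["noncompliant"]
        counts["percent"] = round(100.0 * counts["compliant"] / scored, 1) if scored else 100.0
    return summary


def below_target(summary: Dict[str, Dict[str, Any]], target: float = 80.0) -> List[str]:
    """Rules that do not yet meet the guide's 80 percent coverage target."""
    return sorted(r for r, c in summary.items() if c["percent"] < target)


# Constructed inventory, as an asset-tracking tool might export it.
SAMPLE_INVENTORY: Dict[str, Inventory] = {
    "lab-01": {"antivirus": {"signature_date": "2007-05-14"}, "firewall_enabled": True,
               "missing_critical_patches": [], "services": ["Spooler"],
               "apps": ["LabScanner"], "hardware_model": "Model A"},
    "lab-02": {"antivirus": {"signature_date": "2007-05-01"}, "firewall_enabled": True,
               "missing_critical_patches": ["example-patch-1"], "services": ["Spooler", "Telnet"],
               "apps": ["LabScanner"], "hardware_model": "Model A"},
    "office-03": {"antivirus": None, "firewall_enabled": False, "missing_critical_patches": [],
                  "services": ["Spooler"], "apps": [], "hardware_model": "Model A"},
    "office-04": {"antivirus": {"signature_date": "2007-05-15"}, "firewall_enabled": True,
                  "missing_critical_patches": [], "services": ["Spooler"], "apps": [],
                  "hardware_model": "Model B"},
    "office-05": {"antivirus": {"signature_date": "2007-05-12"}, "firewall_enabled": True,
                  "missing_critical_patches": [], "services": [], "apps": [],
                  "hardware_model": "Model B"},
}


def run_sample():
    report = evaluate(SAMPLE_INVENTORY)
    return report, summarize(report)


if __name__ == "__main__":
    report, summary = run_sample()
    for computer, statuses in report.items():
        bad = [r for r, s in statuses.items() if s != "compliant"]
        print(computer, "->", ", ".join(f"{r} ({statuses[r]})" for r in bad) or "compliant")
    print("below 80 percent:", below_target(summary))
```

On the sample inventory, "antivirus signatures current" and "required application present" are the only rules under the 80 percent target; the two Model B computers are listed as exempt from the application rule rather than dragging its percentage down, which is exactly the set an administrator would review case by case.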

Policy-Based Configurations
As the number of managed clients grows within an organization, it becomes necessary to standardize how security and configuration settings are applied to systems. Applying policy settings uniformly through an automated means increases the security of the environment, because it protects against the inconsistent configurations that a manual process introduces. It also lowers the cost of managing the environment, as the policies are applied in a uniform fashion. If changes are required to the configuration of the computers, the changes can be made in the policy and quickly applied to computers in the organization. For more information about how to implement a directory-based tool to centrally administer configurations and security on desktops, see the Windows Server 2003 Group Policy documentation. If you do not have a directory-based tool to centrally administer configurations and security on 80 percent or more of your desktops, read the Centralized Directory-based Configuration and Security section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Desktop, Device and Server Management


The Rationalized level of the Core IO Model addresses the key areas of Desktop, Device and Server Management including:
- Automated operating system distribution
- Automated tracking of hardware and software for desktops
- Latest two operating system versions and service packs on desktops
- Latest versions of software on desktops
- Compatibility testing and certification of software distributions
- Patch management for servers
- Guaranteed secure communications with mobile devices
- Access to Web applications using WAP or HTTP for mobile devices
- Server consolidation and virtualization
- Layered imaging for desktops

Automated Operating System Distribution


The "Moving to the Standardized Level" section described defining and deploying standard images for desktops. Moving to the Rationalized level involves automating the deployment of operating systems to desktops in the environment.


To automate operating system distribution, an educational institution must:
- Identify tools and technologies required to enable automated operating system deployment.
- Perform necessary pre-deployment tasks for application compatibility and packaging, infrastructure remediation, imaging, user-state migration, and desktop security.
- Test and validate Zero Touch Installation in a lab environment and pilot program.
- Perform automated operating system deployment to end users.

The objective in moving to the Rationalized level is to completely automate existing desktop deployment procedures. Doing so enables a Zero Touch Installation (ZTI) of desktop images, role-based applications, required drivers, language packs, updates, and migration of user state without any interaction at the targeted computer. In this phase, you should identify what is necessary to enable ZTI in your desktop environment. Microsoft Solution Accelerator for Business Desktop Deployment (BDD) 2007 is the recommended resource for identifying deployment options and end-to-end planning of deployment projects. BDD 2007 provides guidance for Zero Touch Installation (ZTI) using Systems Management Server (SMS) 2003 with the Operating System Deployment Feature Pack. Successfully automating operating system deployment involves a number of pre-deployment steps, which include addressing:
- Application compatibility
- Infrastructure remediation
- Application management
- Computer imaging system
- User state migration
- Securing the desktop

After completing the steps required for pre-deployment, you are ready to start testing and deploying desktop images. All of the pre-deployment steps mentioned above are necessary for a Lite Touch Installation (LTI) or Zero Touch Installation (ZTI). Testing the deployment in a controlled environment reduces costs if an issue is found. In addition, testing helps ensure a smoother rollout to the general population when the time comes. For more information about how to automate operating system distribution, visit Microsoft TechNet and search for operating system deployment or Zero Touch Installation. To see how Microsoft uses SMS for operating system distribution, see the Deployment Process: Overview page. If you have not completed the pre-deployment tasks, read the Automated Operating System Distribution section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Automated Tracking of Hardware and Software for Desktops


Automated tracking of hardware and software assets addresses and resolves change and configuration needs. By understanding the installed application base and its usage, applying automation helps lower software costs and helps improve configuration compliance. As hardware and software assets comprise an increasing portion of the IT budget, organizations are becoming more focused on finding ways to reduce these costs while continuing to stay compliant with licensing policies.


At the Standardized level, tools to automate asset inventory are required as part of the patching process, and software update or patch management is also a requirement. Automated tracking of desktop assets leads to requirements to automate deployment of applications and operating systems, track usage, and report system status. The Rationalized level requires that all of these tasks are integrated into a common process methodology and toolset. If you do not have automated tracking of hardware and software assets on 80 percent or more of your desktops, read the Automated Tracking of Hardware and Software for Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Latest Two Operating System Versions and Service Packs on Desktops


Reaching the Standardized level required that you have no more than two different operating systems in the environment. To move from the Standardized level to the Rationalized level, your organization's two standard operating system images need to be the most recent versions, with the latest service packs installed. The general benefits of having the most recent operating system versions in production are supportability, ease of maintenance and troubleshooting, and reduced complexity of the desktop environment. If you do not have the most recent versions of the operating systems running on 80 percent or more of your desktops, read the Latest Two OS Versions and Service Packs on Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Latest Versions of Software on Desktops


Today, more than ever, people and organizations use software tools to process information. These applications are used to create materials critical to an organization's success and therefore require careful consideration when configuring, deploying, securing, and managing them. Newer versions of software provide tools for securing and managing the application within a networked environment. Microsoft Office is one of the world's most widely used application packages. Although it is beyond the scope of this document to discuss the advantages of particular applications, the technology and guidance for Office can be useful for understanding what needs to be addressed. The areas to be addressed include:

- Planning and architecture
- Security protection
- Deployment
- Operations

To move to the Rationalized level, you must:

- Evaluate the latest versions of the software and define a plan to consolidate versions on production systems.
- Deploy the latest versions.
- Define a plan for managing the applications.

For guidance specific to Microsoft Office, read the Latest Versions of Microsoft Office on Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Chapter 4: Standardized Optimization Level

Compatibility Testing and Certification of Software Distributions


In general, applications are highly optimized for a specific operating system or operating system version. Application compatibility problems can arise when you have applications that were designed to run on earlier versions of operating systems. The rationale for testing applications is to ensure that deployment of any new software component does not affect productivity or result in downtime. Compatibility testing is also mentioned as a required process for patch management and operating system deployment in the Core IO Model. Even with advanced compatibility features included in products, you need to ensure that all your applications function properly under the latest operating systems before you distribute those applications to your organization's desktops. For applications running on Microsoft Windows operating systems, guidance can be found in the Application Compatibility Toolkit and the Application Compatibility Feature Team Guide, both free resources from Microsoft that assist in overall application compatibility management. For more information on application testing, visit Microsoft TechNet and search for application compatibility. To see how Microsoft does application compatibility testing, see Application Compatibility Testing for Windows Vista. If you do not test and certify application compatibility on 80 percent of new or updated applications before deploying them to desktops, read the Compatibility Testing and Certification of Software Distributions section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Patch Management for Servers


To reach the Standardized level, you had to deploy a patch management solution for desktops. To move from the Standardized level to the Rationalized level, you need to extend patch management to servers. The tools and procedures for updating Windows-based servers are common with those used to update Windows-based desktops. Although many of the processes are shared, there are several notable exceptions when patching servers, and dependencies on other requirements in the Core IO Model. Servers often provide mission-critical functions with service level agreements (SLAs) that depend on the server's availability. Minimizing unplanned server downtime is a key operational and server patch management requirement because, unlike desktop downtime, server downtime can impede an entire IT service or prevent the entire organization from running. The Rationalized level begins to introduce SLAs, which often stipulate allowable maintenance intervals, especially when maintaining servers. For more detailed information on patch management, see the Automated Patch Distribution section in the Core Infrastructure Optimization Resource Guide for Implementers: Basic to Standardized. You can also visit Microsoft TechNet and search for patch management. To see how Microsoft addresses patch management, see the Server Security Patch Management at Microsoft white paper. If you do not have a patch management solution for 80 percent of your servers, read the Patch Management for Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Guaranteed Secure Communications with Mobile Devices


As educational institutions consider mobile solutions, a key evaluation point is security. Mobile communication solutions need to be safe and reliable, whether they involve personal information or confidential transactions in the environment. Personal digital assistants (PDAs) and smart phones are as important as laptop computers when it comes to an organization's security plan. In moving to the Standardized level, you established security policies as part of your overall management of mobile devices. To move to the Rationalized level, you need to automate enforcement of those security policies, especially in the area of remote communications. When you have passwords and data encryption in place, you have taken the first steps to secure communications between your corporate network and mobile devices. For more information on authentication and digital certificates for mobile devices, see:

- Windows Mobile 5.0 Security Model FAQ
- Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

To see how Microsoft addresses secure mobile communications, see Trustworthy Messaging at Microsoft. If you have not implemented mobile device authentication for all devices, read the Guaranteed Secure Communications with Mobile Devices section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Access to Web Applications Using WAP or HTTP for Mobile Devices


The integration of mobile devices, the Internet, and wireless connectivity provides an exciting opportunity for organizations to extend the reach of their information and services. The potential results include improved productivity and reduced operational costs. The ability to access the Internet from mobile devices is the key to this increase in productivity.

As the use of mobile devices increases, the need to control the types of mobile devices also increases. Without standardization, the mix of mobile devices connecting to your network would be nearly impossible to manage. User authentication, standardization of operating systems, patch management, and other everyday administrative controls can only be managed effectively with an established organizational standard for each type of mobile device. For more information on managing mobile devices, see Managing Mobile Devices in the Enterprise. Planning a mobile device solution involves the consideration of many issues and device features. For guidance in planning a mobile device solution, see Mobile Device Wireless Connectivity.

There are several operating systems available for mobile devices. Windows Mobile devices offer access to Web-based applications with extensive security and authentication features. For additional information on deploying, maintaining, and supporting Windows Mobile devices, see the Windows Mobile Center.

Wireless Application Protocol (WAP) is a communications protocol that is similar to the combination of HTTP and HTML, but optimized to account for the low memory, low bandwidth, and limited resolution of mobile devices. For more information on WAP, see Introduction to the Wireless Application Protocol. Employees who use mobile devices in their day-to-day job functions often need access to information on the Internet. This information is usually dynamic (time-sensitive or constantly changing), or it is retrievable based on search criteria. These services can be accessed through a mobile device if that device has a WAP-designed browser that simplifies the content to account for the restrictions of mobile devices. If you have not made your key applications accessible to mobile devices through HTTP or WAP, read the Access to Web Applications Using WAP or HTTP for Mobile Devices section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Server Consolidation and Virtualization


Consolidation of physical infrastructure, in general, is an effective business strategy. Consolidation of locally situated physical servers has proven effective in reducing server sprawl and, thereby, improving IT efficiency, enhancing flexibility, and reducing total cost of ownership (TCO). Virtualizing applications or services means installing and running an application or service using virtual machines on a physical computer; the physical computer runs a host operating system as well as a virtual or guest operating system to implement the virtual machines. The virtual machine runs its own operating system, which can either be migrated to a later operating system or, for short-term solutions, can be the same operating system as that used before virtualization. Virtualization takes consolidation to a new level, breaking the 1:1 relationship between application and server. Virtualization is a consolidation technique that yields additional benefits by abstracting the applications from the physical server and placing them on virtual machines (VMs), many of which can reside on a single physical host. This requirement calls out the virtualization best practices highlighted in the Solution Accelerator for Consolidating and Migrating LOB Applications. Additional guidance for using virtualization in the context of development and test can be found in the WSSRA Virtual Environments for Development and Test guide. For more information, visit Microsoft TechNet and search for virtualization. To see how Microsoft implements virtualization, see Improving IT Efficiency at Microsoft Using Virtual Server 2005. If you do not have a plan for server consolidation with virtualization, read the Server Consolidation and Virtualization section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Layered Imaging for Desktops


In moving to the Standardized level, you may have created a thick image for standardizing image deployment. Creating a thick image is a viable approach, but using a thin or hybrid image can increase efficiency and reduce deployment and maintenance costs. The layered-image approach advocates the thin and hybrid image strategies, meaning that only the operating system itself or operating system with limited standard core applications is deployed to target computers. Supplemental applications, drivers, or language packs are added via an installation sequence separate from the main image at deploy time. The impact is that there are fewer core images to maintain and more flexibility for adding components outside the core image at deployment. To help determine and implement image strategies, the Computer Imaging System Feature Team Guide discusses the options for desktop imaging and goes into detail for creating desktop images using Microsoft technologies. For more information on layered images, visit Microsoft TechNet and search for layered imaging.

To see how Microsoft has simplified disk imaging with Windows Vista, see Planning the Windows Vista Deployment at Microsoft. If you do not have a layered-image strategy for managing your desktop images, read the Layered Imaging for Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Security and Networking


The Rationalized level in the Core IO Model addresses the key areas of Security and Networking including:

- Policy-managed firewalls on servers and desktops
- Secure remote access to internal resources and line-of-business applications
- Secured and guaranteed communication verification between servers
- Service level agreement monitoring and reporting for servers
- Secure communication mechanism for presence
- IAS/RADIUS for wireless network authentication and authorization
- Centrally managed Certificate Services

Policy-managed Firewalls on Servers and Desktops


To move to the Standardized level, you deployed a centralized perimeter firewall to protect the environment. To move from the Standardized level to the Rationalized level, you need to supplement your network's firewall protection by establishing and enforcing policies on your servers and desktops using class 1 host-based firewalls. Microsoft and other software vendors offer firewall software that allows you to configure protection based on a policy or set of rules. This requirement is tightly associated with the requirement for Centralized Directory-based Configuration and Security, also at the Rationalized level. Most class 1 firewalls can be configured for different levels of protection, from minimal to very restrictive. When you allow users to set the level of protection on their own computers, you cannot be certain that they will select a level that will protect your entire network. With policy-managed firewalls, you determine the level of security that meets your network needs. For more information on firewalls, visit Microsoft TechNet and search for Windows Firewall. To see how Microsoft incorporates firewalls into network perimeter security, see Providing Security for the Network Perimeter at Microsoft. If you do not have a policy-managed firewall on at least 80 percent of your servers and desktops, read the Policy-managed Firewalls on Servers and Desktops section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Secure Remote Access to Internal Resources and Line-of-Business Applications


In the current environment, organizations are under pressure to reduce costs, increase efficiency, and maximize performance from the existing infrastructure. The growth of the Internet, together with new global opportunities, makes it imperative that organizations provide secure 24x7 network access. Two scenarios in which remote access is typically used are:

- Remote client access. Remote clients are usually single computers, such as home computers or laptops of employees who need to access resources while working at home or traveling.
- Site-to-site access. Site-to-site access is used between remote sites and centralized facilities of the organization to access resources and data at different logical and physical locations.

Both of these key remote access requirements of an organization can be met using a virtual private network (VPN). Both of these solutions require the underlying presence of either a dial-up connection or an Internet (shared) leased-line connection. Terminal Services, such as that provided by Microsoft Windows Server 2003, lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device, including those that cannot run Windows. Terminal Services provides three important benefits for secure remote access:

- Rapid centralized deployment of applications.
- Low-bandwidth access to data.
- Windows anywhere.

For more information on Terminal Services, see Windows Server 2003 Terminal Services. To see how Microsoft implements VPN and Terminal Services, see:

- Providing Security for Corporate Resources at Microsoft by Using ISA Server 2004
- Security Enhancements for Remote Access at Microsoft

If you do not provide secure remote access to internal resources and line-of-business applications through VPN or Microsoft Terminal Services, read the Secure Remote Access to Internal Resources and LOB Applications section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Secured and Guaranteed Communication Verification Between Servers


Organizations face increasing challenges in securing the perimeters of their networks. As organizations grow and relationships change, and as customers, vendors, and consultants need to connect mobile devices to your network for valid reasons, controlling physical access to a network can become impossible. The advent of wireless networks and wireless connection technologies has made network access easier than ever. This increased connectivity means that domain members on the internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security.

The concept of logical isolation embodies two solutions: server isolation, to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation, to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution. At its core, server and domain isolation enables IT administrators to restrict the TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to allow only incoming connections from other trusted computers or a specific group of trusted computers. Group Policy centrally manages the access controls that govern network logon rights. Nearly all TCP/IP network connections can be secured without application changes because Internet Protocol security (IPsec) works at the network layer, below the application layer, to provide authentication and per-packet security, end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios. For more information on IPsec, visit Microsoft TechNet and search for IPsec. To see how Microsoft secures communications between servers, see Improving Security with Domain Isolation. If you do not have a secured and guaranteed way to verify communication between critical servers, read the Secured and Guaranteed Communication Verification Between Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.
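The per-packet authentication that IPsec adds below the application layer is easier to reason about with a small model. The following is an added example, not code from the Blueprint or from Windows IPsec: each direction of a security association carries a shared key and a security parameter index (SPI), the sender tags every packet with a sequence number and an integrity check value (an HMAC-SHA-256 truncated to 128 bits, as IPsec's HMAC-SHA-256-128 does), and the receiver rejects packets whose check value fails, that are older than a 32-packet window (the minimum RFC 4303 requires), or that have already been seen. The key, SPI and packet contents are constructed for the demo; encryption is left out, so this corresponds to the "authenticated" rather than the "authenticated and encrypted" mode mentioned above.

```python
# Added example: per-packet authentication with an anti-replay window, the
# mechanism IPsec uses between isolated domain members.  Key, SPI and packets
# are constructed for the demo; this is not Windows IPsec code.
import hashlib
import hmac
import struct

WINDOW = 32  # anti-replay window; RFC 4303 requires at least 32 packets of state


class SecurityAssociation:
    """One direction of an SA: shared key, SPI, sender counter, receiver replay state."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.seq = 0        # sender: last sequence number used
        self.highest = 0    # receiver: highest sequence number accepted so far
        self.seen = 0       # receiver: bitmask, bit k = packet (highest - k) was seen

    def _icv(self, header: bytes, payload: bytes) -> bytes:
        # Integrity Check Value over SPI, sequence number and payload, truncated to 128 bits
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()[:16]

    def protect(self, payload: bytes) -> bytes:
        """Sender side: SPI | sequence number | payload | ICV."""
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)
        return header + payload + self._icv(header, payload)

    def verify(self, packet: bytes):
        """Receiver side: return the payload, or None if the packet is forged,
        from another SA, outside the window, or a replay."""
        if len(packet) < 24:
            return None
        header, payload, icv = packet[:8], packet[8:-16], packet[-16:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi or not hmac.compare_digest(icv, self._icv(header, payload)):
            return None
        if seq > self.highest:
            # Newest packet so far: slide the window forward and mark it seen
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return payload
        if self.highest - seq >= WINDOW:
            return None                      # too old to track: drop
        bit = 1 << (self.highest - seq)
        if self.seen & bit:
            return None                      # already accepted once: replay
        self.seen |= bit                     # late but legitimate reordering
        return payload
```

Both peers hold one SA per direction, so a real deployment has two of these objects on each host; the receiver's window state is what makes a captured-and-resent packet fail even though its ICV is still correct.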

Service Level Agreement Monitoring and Reporting for Servers


Managing IT using a service management approach is becoming more prevalent in today's IT industry. As organizations work to stay competitive and meet the needs of their internal and external consumers, they find it necessary to view their IT infrastructures as more than a collection of servers connected through wide area networks (WANs) and running applications. You and your organization need to view these resources as services that provide capabilities for your school community. When you take this approach, you need to understand all of the components making up the services and each component's impact on the level of availability that the service provides. In addition, you must measure your service delivery over time to clearly understand the quality of service that your systems provide. To reach the Standardized level, you implemented an automated way of monitoring critical servers. The Rationalized level extends the requirement to all servers in the organization and attaches the service level management requirements as part of the monitoring requirement. The Rationalized level does not require a minimum bar for availability; this is determined as appropriate for each IT service in the organization. To see how Microsoft monitors Exchange Server 2003, see Monitoring Exchange Server 2003 at Microsoft. To see how Microsoft uses service level agreements, see IT Health Scorecard Metrics. If you do not have a service level agreement (SLA) for monitoring and service level reporting for 80 percent or more of your servers, read the Service Level Agreement Monitoring and Reporting for Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.
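Turning server monitoring into service level reporting means pairing up/down events into outage intervals, discounting the maintenance windows the SLA allows (see the Patch Management for Servers section above), and comparing the resulting availability with each server's target. The following is an added example, not code from the Blueprint or from any Microsoft monitoring product; the event log, maintenance window, server names and targets are all constructed for the demo.

```python
# Added example: SLA availability report from constructed monitoring events.
# Downtime that falls inside an agreed maintenance window is not counted
# against the SLA; everything else is unplanned downtime.
from datetime import datetime, timedelta

# Constructed monitoring log: (server, state, timestamp)
EVENTS = [
    ("mail01", "down", datetime(2007, 5, 3, 2, 10)),
    ("mail01", "up",   datetime(2007, 5, 3, 2, 40)),   # inside the maintenance window
    ("mail01", "down", datetime(2007, 5, 17, 9, 0)),
    ("mail01", "up",   datetime(2007, 5, 17, 11, 0)),  # unplanned: 2 h
    ("web01",  "down", datetime(2007, 5, 20, 14, 0)),
    ("web01",  "up",   datetime(2007, 5, 20, 14, 30)), # unplanned: 30 min
]
# Constructed maintenance windows agreed in the SLA: (start, end)
MAINTENANCE = [(datetime(2007, 5, 3, 2, 0), datetime(2007, 5, 3, 4, 0))]
# Constructed availability targets, percent per reporting period
SLA_TARGETS = {"mail01": 99.9, "web01": 99.5}


def overlap(a_start, a_end, b_start, b_end) -> timedelta:
    """Length of the intersection of two intervals (zero if disjoint)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(end - start, timedelta(0))


def outages(events, server, period_end):
    """Pair down/up events into (start, end) outages; an outage still open at
    the end of the period runs to period_end so it is not silently dropped."""
    result, down_since = [], None
    for srv, state, ts in sorted(events, key=lambda e: e[2]):
        if srv != server:
            continue
        if state == "down" and down_since is None:
            down_since = ts
        elif state == "up" and down_since is not None:
            result.append((down_since, ts))
            down_since = None
    if down_since is not None:
        result.append((down_since, period_end))
    return result


def availability(events, server, period_start, period_end, maintenance) -> float:
    """Percentage of the period the server was up, ignoring maintenance-window downtime."""
    total = period_end - period_start
    unplanned = timedelta(0)
    for start, end in outages(events, server, period_end):
        start, end = max(start, period_start), min(end, period_end)
        if end <= start:
            continue
        planned = sum((overlap(start, end, m0, m1) for m0, m1 in maintenance), timedelta(0))
        unplanned += (end - start) - planned
    return 100.0 * (1 - unplanned / total)


def sla_report(events, period_start, period_end, maintenance, targets):
    """server -> (availability rounded to 3 decimals, target met?)"""
    report = {}
    for srv, target in targets.items():
        avail = availability(events, srv, period_start, period_end, maintenance)
        report[srv] = (round(avail, 3), avail >= target)
    return report


if __name__ == "__main__":
    for srv, (avail, met) in sla_report(EVENTS, datetime(2007, 5, 1), datetime(2007, 6, 1),
                                        MAINTENANCE, SLA_TARGETS).items():
        print(f"{srv}: {avail}% ({'met' if met else 'MISSED'})")
```

Over May 2007 (744 hours) mail01's two hours of unplanned downtime leave it at about 99.73 percent, short of a 99.9 percent target, while the half-hour outage on web01 still meets 99.5 percent; the maintenance-window outage does not count, which is exactly the distinction the SLA text needs to spell out.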

Secure Communication Mechanism for Presence


Presence is real-time information that describes a particular user's location and availability to communicate. Establishing organization-wide presence can provide a significant increase in productivity. Collaboration and communication between workers is more efficient when the time spent tracking people down is reduced. Online presence gives individuals the ability to identify who is online and available to communicate with them at any given moment. Enabling online presence (and installing the required software) adds an online status indicator next to an individual's name wherever his or her name appears in a site collection. The online status indicator shows whether the individual is offline or is online and available to respond to queries via an instant messaging client. When an individual is online, you can click the online status indicator to send an instant message. This direct access to knowledgeable sources can help team members work more effectively and efficiently.

You can take steps to provide secure communications for presence information. Instant messaging systems can provide secure communications between user objects in your directory. By providing technology like Session Initiation Protocol (SIP) for presence communications, you can move from the Standardized level to the Rationalized level. The Rationalized level requires that communication via SIP is also secure, which means that the communication is archived, operated through the directory service, and certificates are used. To see how Microsoft uses secured communication mechanisms, see Deploying Office Live Communications Server 2005 and Office Communicator 2005 at Microsoft. If you do not provide a secured communication mechanism for presence, such as Session Initiation Protocol (SIP), read the Secure Communication Mechanism for Presence section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

IAS/RADIUS for Wireless Network Authentication and Authorization


Wireless technology releases us from copper wires. A user can have a notebook computer, PDA, Pocket PC, Tablet PC, or just a cell phone and stay online anywhere a wireless signal is available. The basic theory behind wireless technology is that signals can be carried by electromagnetic waves that are then transmitted to a signal receiver. But to make two wireless devices understand each other, we need protocols for communication. Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol in which RADIUS clients send authentication and accounting requests to a RADIUS server. The RADIUS server checks the remote access authentication credentials against the user accounts and logs remote access accounting events. Internet Authentication Service (IAS) in Windows Server 2003, and Network Policy Server (NPS) in the forthcoming Windows Server Code Name "Longhorn" operating system, are Microsoft's implementations of a RADIUS server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, and remote access dial-up and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. RADIUS is an Internet Engineering Task Force (IETF) standard. IAS/RADIUS servers can leverage an existing directory service, such as Active Directory, for authentication and authorization. This allows the organization to use just one authentication store for users. For more information, visit Microsoft TechNet and search for IAS or RADIUS. To see how Microsoft uses IAS, see Providing Security for the Network Perimeter at Microsoft.
If you have not deployed a secure wireless network using IAS/RADIUS for authentication and authorization, read the Active Directory and IAS/RADIUS for Wireless Network Authentication and Authorization section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.
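The RADIUS client/server exchange described above is small enough to show end to end. The following is an added example, not code from the Blueprint or from IAS: it builds an Access-Request the way a RADIUS client such as a wireless access point would (RFC 2865), hides the User-Password attribute under the shared secret and the Request Authenticator, lets the server recover the password, check it against its user store and answer with an Access-Accept or Access-Reject, and then has the client check the Response Authenticator, which is what proves the reply came from a server that holds the same shared secret. The shared secret, user name, password, packet identifier and the user store are constructed for the demo, and the Request Authenticator is passed in so the exchange is reproducible (a real client draws it from a random source).

```python
# Added example: RADIUS Access-Request / Access-Accept exchange (RFC 2865),
# showing how the shared secret binds the RADIUS client and server.
# Secret, credentials, identifiers and the user store are constructed.
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 byte), Length (1 byte, including these two), Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def client_access_request(ident, req_auth, user, password, secret):
    """RADIUS client side: Code | Identifier | Length | Request Authenticator | attributes."""
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_respond(request, secret, user_db):
    """RADIUS server side: recover the password, check it against the user store
    (standing in for the directory), and sign the reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accepted = user_db.get(attrs[ATTR_USER_NAME]) == password
    body = b""  # no reply attributes in this demo
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def client_verify_response(response, req_auth, secret) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply from anyone without the shared secret fails this check."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return resp_auth == expected and header[0] == ACCESS_ACCEPT
```

Two things the demo makes visible: the password hiding is keyed only by the shared secret and MD5, which is why RADIUS traffic between an access point and IAS should stay on a management network and why the secret must be long and per-client; and a server configured with a different secret produces a reply the client rejects, so a mismatched secret shows up as authentication failures rather than as a silent bypass.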

Centrally Managed Certificate Services


Computer networks are no longer closed systems where the mere presence of a user can serve as sufficient proof of identity. In this age of information interconnection, the network of an organization may consist of intranets, Internet sites, and extranets, all of which are susceptible to intrusion by individuals with malicious intent seeking a variety of data files, from e-mail messages to confidential data such as grade reports. To mitigate the risks incurred by this susceptibility, mechanisms for establishing and sustaining a user's identity are required. A centrally managed, electronic identity for users can provide the following:

- Accessibility of information. Information assets need to be accessible to authorized users and protected from unauthorized access or modification. Passwords can help, but users who have several passwords for accessing different secure systems may choose passwords that are easy to remember and consequently easy to decipher.
- Non-repudiation of identity. Information needs to be sent from one user to another with the confidence that the sender of the information is valid. It is also necessary to provide reasonable confidence that the information has not been changed en route.
- Privacy of information. Users should be able to send information to other users or to access a computer system with confidence that the information cannot be accessed or be made available to others. It should be possible for the user or system to define who can access the information. Privacy is of particular importance when information is transmitted over the public Internet.

These requirements deal with electronic information assets and have a direct impact on most organizations. Any mechanism that is implemented to deal with these requirements must be both manageable and secure. A public key infrastructure (PKI) is an appropriate technology to fulfill these requirements with the use of digital certificates. PKI enables the exchange of digital certificates between authenticated entities and trusted resources. Certificates in a PKI are used to secure data and manage the identification credentials of resources within and outside the organization. Because a PKI needs to be trusted, it is managed by a pre-qualified organization or part of such an organization. Such an organization can be called a certification authority (CA), but usually just the computer that runs the certificate software is called a CA. Whether the CA refers to an organization or to the software that supports certification, the CA is responsible for establishing and vouching for the identity of certificate holders. It may also revoke certificates if they should no longer be considered valid and publish certificate revocation lists (CRLs) for use by certificate verifiers to determine the validity of a certificate. For more information, visit Microsoft TechNet and search for PKI. To see how Microsoft deploys PKI, see Deploying PKI Inside Microsoft. If you do not have a centrally managed Certificate Services infrastructure or public key infrastructure (PKI), read the Centrally Managed Certificate Services section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.
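The last point above, that a CA publishes CRLs "for use by certificate verifiers", is where a centrally managed PKI most often goes wrong in practice: a verifier that cannot fetch a fresh CRL, or that accepts one past its next-update time, keeps trusting certificates the CA has already revoked. The following is an added example, not code from the Blueprint or from Windows Certificate Services, of the status decision a verifier makes once the signature checks are done; it models the certificate and the CRL as plain records rather than parsing X.509, and the CA name, serial numbers, dates and clock values are constructed for the demo.

```python
# Added example: the revocation and validity decision a certificate verifier
# makes against a CA's certificate revocation list.  Certificates and the CRL
# are modelled as plain records; no X.509 parsing or signature checking here.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Certificate:
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> revocation time


def check_certificate(cert, crl, now, trusted_issuers, allow_stale_crl=False):
    """Return one of: "valid", "untrusted_issuer", "not_yet_valid", "expired",
    "wrong_crl", "crl_stale", "revoked".
    A CRL past its nextUpdate is treated as a failure unless the caller opts in:
    accepting it silently is how a revoked certificate keeps working."""
    if cert.issuer not in trusted_issuers:
        return "untrusted_issuer"
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    if crl.issuer != cert.issuer:
        return "wrong_crl"          # a CRL only speaks for its own issuer's certificates
    if now > crl.next_update and not allow_stale_crl:
        return "crl_stale"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= now:
        return "revoked"
    return "valid"


if __name__ == "__main__":
    # Constructed school PKI: one root CA, a file server certificate, a lost-laptop
    # certificate revoked on day 31, and a CRL valid for one week from day 30.
    t0 = datetime(2007, 5, 1)
    ca = "CN=School Root CA"
    server = Certificate(1001, ca, "CN=fileserver01", t0, t0 + timedelta(days=365))
    laptop = Certificate(1002, ca, "CN=lost-laptop", t0, t0 + timedelta(days=365))
    crl = CRL(ca, t0 + timedelta(days=30), t0 + timedelta(days=37),
              {1002: t0 + timedelta(days=31)})
    for cert in (server, laptop):
        print(cert.subject, check_certificate(cert, crl, t0 + timedelta(days=32), {ca}))
```

The ordering matters: trust in the issuer and the certificate's own validity period are settled before the CRL is consulted, and a CRL from a different issuer is rejected outright rather than being read as "not revoked". The `allow_stale_crl` switch exists only so that an operator can make the fail-open choice explicitly and log it.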

Data Protection and Recovery


The Rationalized level in the Core IO Model addresses the key areas of Data Protection and Recovery including:

- Centrally managed data backup for remote sites
- Backup, restore and defined recovery times for servers

Centrally Managed Data Backup for Remote Sites


Organizations with remote sites need the ability to protect and restore data centrally so that employees in the field can concentrate on their core functions. Managing data backup at individual sites poses numerous problems. As personnel, hardware, and software change, you would need to constantly retrain staff at remote locations. Which backup and recovery solution is most appropriate for branch services depends on the location of the services, the facilities available at the branch location, and the nature of the data stored. The need for continuity and the number and type of decisions required to define appropriate backup and recovery solutions can affect where you locate each branch service. The backup and recovery of services and data over the WAN can introduce significant amounts of traffic; the decision to centralize must take such impacts into account. Co-locating services can introduce additional challenges. Your backup and restore software should provide the following capabilities:

- No user intervention. Local users do not need to remember to rotate the data backup tapes into tape backup hardware.
- Automated monitoring. You can verify the success and health of the backed-up production servers. The software should give you just-in-time alerts about issues that you need to fix.
- Faster and more reliable restorations. The software must provide rapid and reliable recovery of data lost because of user error or server hardware failure. End-user recovery enables users to independently recover their own data.
- Verification of backups. You can easily verify the success of a backup.
- Monitored backup process. You can verify the success and health of the backup process.

If you do not have a centrally managed data backup for your remote sites, read the Centrally Managed Data Backup for Branch Offices section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Backup, Restore and Defined Recovery Times for Servers


The move to Standardized involved defining backup and restore services for critical servers. Moving to the Rationalized level involves extending backup and restore capabilities to 80 percent or more of your servers. In addition, you need to define and track recovery times through service level agreements (SLAs). Your SLAs should define recovery times for your servers. These times need to be renegotiated periodically as equipment and services expand. You can also use your records of data recovery incidents, and the improvement over time in your ability to restore servers to operation, to negotiate the new recovery times. If you do not have a backup and restore solution for 80 percent or more of your servers, together with recovery times defined and tracked through SLAs, read the Backup, Restore, and Defined Recovery Times for Servers section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Security Process

Most organizations know that it is important to protect their data and resources from loss or damage due to theft, human or computer error, malicious intent, or any number of other events. You can take steps to limit the opportunities for loss or damage to occur. You can also establish policies and procedures to respond to and minimize the effects of the loss or damage to your IT environment. The Rationalized level of the Blueprint deviates somewhat from the Core Infrastructure Optimization Self-Assessment and focuses on the following topics:

- Two-factor authentication
- Standard security review for new software acquisitions
- Data classification processes

Two-Factor Authentication

Single secrets such as passwords can be effective security controls. A long password of more than 10 characters that consists of random letters, numbers, and special characters can be very difficult to crack. Unfortunately, users cannot always remember these sorts of passwords, partly due to fundamental human limitations. Two-factor authentication systems overcome the issues of single-secret authentication by requiring a second secret. Two-factor authentication uses a combination of the following items:

- Something that the user has, such as a hardware token or a smart card.
- Something the user knows, such as a personal identification number (PIN).
- Something the user is, such as their fingerprints or retinas.

Smart cards and their associated PINs are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, the user must have the smart card and know the PIN to gain access to network resources: the PIN unlocks the card, and the card's private key, which is not meant to leave the card, performs the logon. A stolen card is useless without the PIN (and the card locks itself after a small number of wrong PIN attempts), and an observed PIN is useless without the card. The two-factor requirement significantly reduces the likelihood of unauthorized access to an organization's network. For detailed information on two-factor authentication, see the Secure Access Using Smart Cards Planning Guide.
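The control the passage describes is only as strong as its enforcement on the accounts that matter most. As an added example (not code from the Blueprint or from the Secure Access Using Smart Cards Planning Guide), the following PowerShell script audits a privileged Active Directory group for members whose accounts do not carry the "Smart card is required for interactive logon" flag, and can set the flag on an account. It assumes a domain-joined host running PowerShell 2.0 or later, a caller with rights to read (and, for Set-SmartCardRequired, write) userAccountControl, and uses "Domain Admins" as a placeholder group name. The flag value 0x40000 (ADS_UF_SMARTCARD_REQUIRED) and the LDAP bitwise-AND matching rule OID 1.2.840.113556.1.4.803 are standard Active Directory values.

```powershell
# Added example, not the Blueprint's own code. Audits and sets the
# "Smart card is required for interactive logon" account flag.
# Assumptions: domain-joined host, PowerShell 2.0 or later, caller has
# rights on the target accounts; "Domain Admins" is a placeholder group.

$ADS_UF_SMARTCARD_REQUIRED = 0x40000   # userAccountControl bit (decimal 262144)

function Get-DefaultNamingContext {
    $rootDse = [ADSI]"LDAP://RootDSE"
    return [string]$rootDse.defaultNamingContext
}

function Get-GroupDn {
    # Resolve a group's sAMAccountName to its distinguished name.
    param([string]$GroupName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + (Get-DefaultNamingContext))
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $group = $searcher.FindOne()
    if ($group -eq $null) { throw "Group '$GroupName' not found" }
    return $group.Properties["distinguishedname"][0]
}

function Get-SmartCardExceptions {
    # Direct members of the group whose SMARTCARD_REQUIRED bit is NOT set.
    param([string]$GroupName = "Domain Admins")
    $groupDn = Get-GroupDn $GroupName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + (Get-DefaultNamingContext))
    $searcher.PageSize = 500
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: true when the
    # given bit is set in userAccountControl; the leading "!" negates it.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(memberOf=$groupDn)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_SMARTCARD_REQUIRED)))"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = $r.Properties["samaccountname"][0]
            DN      = $r.Properties["distinguishedname"][0]
        }
    }
}

function Set-SmartCardRequired {
    # Sets the flag on one account. Caveat: when the flag is set the domain
    # controller replaces the account's password hash with a random value,
    # so the password can no longer be used; enrol the card first.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $user = [ADSI]("LDAP://" + $DistinguishedName)
    $uac = [int]$user.Properties["userAccountControl"].Value
    if (($uac -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0) { return }   # already set
    $user.Put("userAccountControl", ($uac -bor $ADS_UF_SMARTCARD_REQUIRED))
    $user.SetInfo()
}

# Usage: report the exceptions; uncomment the last line to enforce.
$exceptions = @(Get-SmartCardExceptions -GroupName "Domain Admins")
if ($exceptions.Count -eq 0) { "All members of the group require a smart card." }
else { $exceptions | Format-Table Account, DN -AutoSize }
# foreach ($e in $exceptions) { Set-SmartCardRequired -DistinguishedName $e.DN }
```

The search covers direct members only; nested membership needs a recursive walk (or the in-chain matching rule 1.2.840.113556.1.4.1941, available from Windows Server 2003 SP2). Run it as a scheduled report, because the per-account flag is easy to forget when an administrator account is created in a hurry.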

Standard Security Review for New Software Acquisitions


At the Rationalized level, all software acquisitions in your organization should follow a program that enables a standard security review. Best-practice processes for performing security reviews of IT systems are outlined in the ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management standard. ISO/IEC 17799:2005 establishes guidelines and general principles for information systems acquisition, development, and maintenance, including:
- Security requirements of information systems.
- Correct processing in application systems.
- Cryptographic controls.
- Security of system files.
- Security in development and support processes.
- Technical vulnerability management.

For more information about the standard and to obtain the documentation, visit the ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management Web site. (The same standard was renumbered ISO/IEC 27002 in 2007 with its content unchanged, so newer references to ISO/IEC 27002 point at the same guidance.)

Data Classification Processes


Data classification and protection covers how to assign security classification levels to data, whether it is stored on a system or in transmission, and how to protect data at each level by providing confidentiality and integrity for data at rest and in transit. Cryptographic solutions are the most common method that organizations use to provide this protection; the classification determines which data must be encrypted and who may hold the keys, and the protection mechanism follows from it. For more information on developing security operations and process standards, go to the Security Guidance Portal on Microsoft TechNet. If you do not have plans in place for security policies, risk assessment, incident response, and data security, read the Two-Factor User Authentication, Standard Security Review for New Software Acquisitions, and Data Classification Processes section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.


ITIL/COBIT-Based Management Process


The Rationalized level of the Core IO Model addresses key areas of ITIL/COBIT-based management process including operating, optimizing and change processes.

Operating, Optimizing, and Change Process


Infrastructure optimization goes beyond products and technologies. People and processes compose a large portion of an organization's IT service maturity. A number of standards and best practice organizations address the areas of people and process in IT service management. Microsoft Operations Framework (MOF) applies much of the knowledge contained in the IT Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT) standards and makes them actionable and achievable for Microsoft customers. The recommendations in this section are based on common issues found at the Standardized level and areas of improvement sought by the Rationalized level. These are only recommendations and may be different for your specific educational institution.

Although the Standardized level brings an increased use of tools for managing and monitoring IT operations and infrastructure, plus an environment in which such processes as change management, configuration management, and release management are standardized and predictable, there is room for improvement in key areas. Service level management is rudimentary, with service level agreements (SLAs) that are informal or only implied. Configuration management is informal and typically consists of basic build checklists and spreadsheets, and release management is not well defined and lacks rigor.

The Rationalized infrastructure is where the costs involved in managing desktops and servers are at their lowest and processes and policies have been optimized to begin playing a large role in supporting and expanding the business. Security is very proactive, and responses to threats and challenges are rapid and controlled. The use of zero touch deployment helps minimize cost, the time to deploy, and technical challenges. The number of images is minimal, and the process for managing desktops is very low touch. These customers have a clear inventory of hardware and software and only purchase the licenses and computers they need. There are strict security policies and controls, from the desktop to server to firewall to extranet.

Microsoft provides MOF as an iterative model for defining and improving IT operations. MOF defines service management functions (SMFs) as logical operational functions within an IT organization. The SMFs are grouped together into four broad areas, or quadrants: Changing, Operating, Supporting, and Optimizing. This guide highlights areas to improve that are typically found in organizations at the Standardized level of optimization. These are:
- Service level management
- Release management
- System administration
- Network administration
- Job scheduling

Depending on the organization, improvements to these service management functions might or might not have the greatest impact on operational effectiveness and improvement. We recommend that your organization at a minimum completes the Microsoft Operations Framework Self-Assessment, and preferably a full Service Management Assessment, to identify the most important areas requiring process or service improvements.


For more information, visit the Microsoft Operations Framework Web site. To see how Microsoft IT uses MOF and best practice IT service management, see Microsoft Operations Framework: Improving the Way IT Organizations Handle IT Issues. If you have not established processes for service level management, release management, system administration, network administration, and job scheduling, read the Operating, Optimizing, and Change Processes section in the Core Infrastructure Optimization Implementer Resource Guide: Standardized to Rationalized.

Chapter 5: Rationalized Optimization Level


The following section describes how schools at the Rationalized level address the technical challenges described in Chapter 2, "Educational Institutional Objectives," of the Blueprint.

Raising Academic Standards/Lack of Visibility into Student Progress


Teachers at effective schools at the Rationalized level can run analytic reports that link curriculum, instructional objectives, and student results. These reports can show the progress of individual students as well as entire class results, and they integrate with other student data systems (for example, special education). With the increased use of mobile devices (laptops, Pocket PCs, and so on), students have greater access to the school's educational resources, including adaptive teaching tools that adjust to the needs of the individual student. Case studies:
- Abbotsholme School: Independent Boarding School Moves to 21st Century with Network and Wireless Solution
- Rockdale County Public Schools: School Staff Gains Immediate Access to Student Information with Handheld Solution

Business Management: Inefficient Operations and a Lack of Insight into Where Money Is Spent
Schools at the Rationalized level can use highly integrated systems that assist the business leadership in proactively providing detailed funding and expense reports, substantial trend reports, and budget modeling tools for planning and risk analysis and decision support. Case study: EDCO Gains Multi-Company Project Accounting Capabilities

Communication and Access to Information for Parents and Students


Schools at the Rationalized level can leverage the substantial integration of systems to update Web-based systems automatically with current student and school information. Students and parents can access these systems via the Internet.


Curriculum and Lesson Sharing Among Educators


Effective schools at the Rationalized level are strongly connected to federated repositories. They provide tools with smart search capabilities: such searches return not only matches for the specified text but also related results. Increased use of distance learning and teleconferencing facilitates teacher participation in peer discussions and training. Schools at the Rationalized level not only participate in but can also host and archive these activities. Case study: Carnegie Mellon University's West Coast Campus: University Supports Remote Students with Web Conferencing Solution

Rationalized IT Infrastructure
The Rationalized IT infrastructure is where the costs involved in managing desktops and servers are at their lowest and processes and policies have been optimized to begin playing a large role in supporting and expanding the business. The use of zero-touch deployment helps minimize cost, the time to deploy, and technical challenges. The number of images is minimal and the process for managing desktops is very low touch. These customers have a clear inventory of hardware and software and only purchase those licenses and computers that they need. Security is extremely proactive with strict policies and controls from the desktop to server to firewall to extranet.

Moving to Dynamic
By moving to a Dynamic IT infrastructure, you can benefit from self-assessing and continuous improvement, access information from anywhere on the Internet with greater ease and security, and ensure compliance and high availability through self-provisioning and quarantine-capable systems.

Security and Networking


The Dynamic level of the Core IO Model addresses the key areas of Security and Networking including:
- Enable VPN with quarantine
- Extend internal applications to external users
- Monitor critical desktops

Enable VPN with Quarantine


A VPN provides a secure channel into the organization's network, but it does nothing by itself to verify the configuration or security state of the remote client at the other end. An organization might have a stated policy for how remote clients must be configured, but without quarantine that policy is typically unenforceable at the moment the client connects. VPN quarantine adds an automated compliance check before the client is allowed onto the network. It works by first placing the client in a restricted network that has little connectivity to the rest of the organization (typically only to the resources the checks and any remediation need). Automated checks run on the client, and if they pass, the client is released from the quarantine network and granted access to the rest of the network.


Clients that fail the check may be remediated automatically and then rechecked, or the owner of the client may have to perform remediation steps and attempt the connection again. Microsoft provides a planning guide for Network Access Quarantine Control, the VPN quarantine feature of Windows Server 2003 whose client and server components (rqc.exe and rqs.exe) are supplied with Service Pack 1. For more information, see the Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide. Note that this form of quarantine is a configuration-hygiene control, not a security boundary: the check runs on the client and the client reports its own result, so it keeps misconfigured machines off the network but cannot stop a hostile user with valid credentials who bypasses the script. Windows Server 2008 supersedes it with Network Access Protection (NAP).
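To make the flow above concrete, the following PowerShell script is an added example of a post-connect quarantine check; it is not code from the Blueprint or from the planning guide. It assumes that PowerShell is installed on the remote client, that rqc.exe is on the PATH, that the Connection Manager profile's post-connect action passes the CMAK macros %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% as the four script arguments, that rqs.exe on the RRAS server listens on its default port 7250, and that the version string "v1.2" is one rqs.exe has been configured to accept (the argument order for rqc.exe is as documented in the planning guide; confirm it against your version). The three checks are illustrative; a real policy would add patch level and similar items.

```powershell
# Added example, not the Blueprint's or the planning guide's own script.
# Post-connect quarantine check modelled on Windows Server 2003 Network Access
# Quarantine Control: the client inspects its own state and, only if every
# check passes, runs rqc.exe to tell rqs.exe on the RRAS server to lift the
# quarantine filters. Assumptions: PowerShell on the client, rqc.exe in PATH,
# the four CMAK macros passed as arguments, rqs.exe on TCP 7250, and "v1.2"
# accepted by rqs.exe as a valid script version.
param(
    [string]$DialRasEntry,
    [string]$TunnelRasEntry,
    [string]$Domain,
    [string]$UserName
)
$ScriptVersion = "v1.2"
$RqsPort       = 7250

function Test-FirewallOn {
    # Windows Firewall (XP SP2 and later) keeps the standard-profile state here.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.EnableFirewall -eq 1)
}

function Test-AutoUpdateOn {
    # AUOptions 4 = download and install updates automatically.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.AUOptions -eq 4)
}

function Test-AntivirusCurrent {
    # Windows Security Center (XP SP2) publishes registered antivirus products.
    $products = Get-WmiObject -Namespace "root\SecurityCenter" -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in @($products)) {
        if ($p -ne $null -and $p.onAccessScanningEnabled -and $p.productUptoDate) { return $true }
    }
    return $false
}

# Run every check and collect the failures so the user sees the whole list.
$checks = @(
    @{ Name = "Windows Firewall enabled";    Passed = (Test-FirewallOn) },
    @{ Name = "Automatic Updates enabled";   Passed = (Test-AutoUpdateOn) },
    @{ Name = "Antivirus on and up to date"; Passed = (Test-AntivirusCurrent) }
)
$failed = @($checks | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Host "This computer does not meet the remote access policy:"
    foreach ($f in $failed) { Write-Host ("  - " + $f.Name) }
    Write-Host "Fix the items above and reconnect; the connection stays quarantined."
    exit 1
}

# All checks passed: ask the quarantine service to release this client.
& rqc.exe $DialRasEntry $TunnelRasEntry $RqsPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

Because the release decision is made by code running on the client, anyone who can run rqc.exe with a valid version string can release a non-compliant machine; treat the script as a way to catch honest mistakes, and keep the quarantine network itself limited to the remediation resources.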

Extend Internal Applications to External Users


As an organization grows, it is typical to discover that some internal applications need to be extended so that external users (for example, staff at a partner institution) can gain access to them. Active Directory Federation Services (AD FS) makes this possible without creating accounts for those users in your own directory: the external organization authenticates its users, and your application accepts the federated identity through a trust between the two organizations. See Active Directory Federation Services for how to extend internal applications to external users.

Monitor Critical Desktops


Now that your servers are being monitored for performance, operational, and security issues, the next step is to identify and monitor the key desktops in your environment. For example, the systems used by IT administrators are good candidates for classification as critical, because compromise of one of them exposes the credentials that manage everything else. Ideally the same system that monitors the servers would also monitor the desktop environment; this reduces the cost of the monitoring solution and the time required for training. A number of centralized monitoring systems are available on the market. The Microsoft solution is Microsoft Operations Manager (MOM) 2005. For more information on how MOM 2005 and Management Packs can be used to monitor your critical servers, see the MOM 2005 Operations Guide. For information on securing MOM 2005, see the Microsoft Operations Manager 2005 Security Guide. For information about how to optimize your firewall infrastructure, see Introduction to Firewall Services. For information about how to secure the wireless network, see Wireless Networking.

Data Protection and Recovery


The Dynamic level of the Core IO Model addresses data protection and recovery for desktops.

Data Protection and Recovery for Desktops


As laptops have become increasingly popular, the risk of sensitive data being compromised has increased because laptops are easily lost or stolen. An organization that keeps sensitive data on laptops needs to implement data protection and recovery mechanisms for that data: protection so that whoever holds the stolen hardware cannot read the disk, and recovery so that the organization itself can still reach the data when a key, a user profile, or the machine is lost. Microsoft provides data protection mechanisms within Windows XP (the Encrypting File System, EFS) and Windows Vista (EFS and BitLocker Drive Encryption). For more information, see the following:
- Data Protection and Recovery in Windows XP
- Chapter 3, "Protect Sensitive Data," of the Windows Vista Security Guide
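The recovery half of "protection and recovery" is the part that gets forgotten until a laptop fails. As an added example (not code from the Blueprint or from the guides it cites), the following PowerShell script reports, for a Windows laptop, whether each BitLocker-capable volume is protected and whether a recovery password exists for it, and counts EFS-encrypted files so the administrator knows there is EFS data to cover with a recovery agent. It assumes PowerShell 2.0 or later, an elevated session, the BitLocker WMI provider in the root\CIMv2\Security\MicrosoftVolumeEncryption namespace (present on Windows Vista Enterprise and Ultimate), and that cipher.exe /u /n lists encrypted files as one full path per line.

```powershell
# Added example, not the Blueprint's own code. Reports the data-protection and
# recovery state of a laptop: BitLocker protection and recovery-password
# presence per volume (Windows Vista Enterprise/Ultimate) plus the number of
# EFS-encrypted files (Windows XP or Vista). Assumes PowerShell 2.0 or later
# and an elevated session.

$BitLockerNamespace            = "root\CIMv2\Security\MicrosoftVolumeEncryption"
$KeyProtectorNumericalPassword = 3   # the 48-digit recovery password protector
$ProtectionOn                  = 1   # GetProtectionStatus: 0 off, 1 on, 2 unknown

function Get-BitLockerReport {
    # One object per BitLocker-capable volume; empty when the provider is absent.
    $volumes = Get-WmiObject -Namespace $BitLockerNamespace `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    if ($volumes -eq $null) { return }
    foreach ($vol in @($volumes)) {
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # Recovery-password protectors only; a TPM-only volume cannot be
        # recovered if the motherboard is replaced.
        $recoveryIds = @($vol.GetKeyProtectors($KeyProtectorNumericalPassword).VolumeKeyProtectorID |
            Where-Object { $_ })
        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            Protected        = ($status -eq $ProtectionOn)
            RecoveryPassword = ($recoveryIds.Count -gt 0)
        }
    }
}

function Get-EfsEncryptedFiles {
    # cipher.exe /u /n lists every EFS-encrypted file on local drives without
    # touching keys; keep only the lines that are drive-rooted paths.
    $lines = & cipher.exe /u /n 2>$null
    return @($lines | Where-Object { $_ -match '^[A-Za-z]:\\' })
}

$report = @(Get-BitLockerReport)
if ($report.Count -eq 0) { "BitLocker is not available on this system." }
else { $report | Format-Table Drive, Protected, RecoveryPassword -AutoSize }

$efs = Get-EfsEncryptedFiles
"EFS-encrypted files on local drives: " + $efs.Count

# A protected volume with no recovery password, or EFS files with no escrowed
# certificate or data recovery agent, is data the organization cannot get back
# after hardware or profile loss; flag those volumes for remediation.
$unrecoverable = @($report | Where-Object { $_.Protected -and -not $_.RecoveryPassword })
if ($unrecoverable.Count -gt 0) {
    "WARNING: BitLocker volumes without a recovery password: " +
        (($unrecoverable | ForEach-Object { $_.Drive }) -join ", ")
}
```

Run it from the desktop-monitoring system described earlier so the result is collected centrally; a laptop that reports Protected but no RecoveryPassword should be fixed before it leaves the building, and the count of EFS files tells you whether a data recovery agent certificate must be in place (and backed up offline) before any EFS user's profile is ever rebuilt.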

Chapter 6: Dynamic Optimization Level


The following section describes how schools at the Dynamic level address the technical challenges described in Chapter 2, "Educational Institutional Objectives," of the Blueprint.

Raising Academic Standards/Lack of Visibility into Student Progress


Teachers in effective schools at the Dynamic level have highly integrated student database systems. Analytical student reports are automatically generated to show the progress of individual students and classes toward specific learning objectives. These systems also provide supportive guides that teachers can use to help reinforce objectives that students have not yet mastered.

Business Management: Inefficient Operations and a Lack of Insight into Where Money Is Spent
Schools at the Dynamic level use their highly integrated business systems to provide proactive analysis tools and reports. These tools provide the schools with warning and opportunity flags, which can assist the schools in making data-driven short term and long term decisions.

Communication and Access to Information for Parents and Students


Schools at the Dynamic level use parent and student self-provisioning (in which non-administrators can ask for and automatically receive access to resources) to allow them to set up informational alerts sent to e-mail accounts, cell phones, or other mobile devices. Parents and students may want to receive special alerts, for example when college or career recruiters make presentations on campus. Schools at the Dynamic level can also facilitate school community communications, for example online informational postings or questions.

Curriculum and Lesson Sharing Among Educators


Schools at the Dynamic level can take advantage of a large array of multimedia resources including teleconferences, and can also develop those tools and resources so that they can share or host such teleconferences. They utilize these tools for staff development and as a supplementary resource. A Web-based portal provides educators anytime/anywhere access. Contextual smart searches make resources very user-friendly, such as a library system that provides immediate response to queries, or allows users to request alerts for updated information.


Dynamic IT Infrastructure
The Dynamic infrastructure is one where IT systems are self-managing and dynamic. When an infrastructure reaches the Dynamic level, IT teams capture and use knowledge to design and deploy manageable systems and automate ongoing operations using system models. A Dynamic infrastructure requires alignment of development, architecture, deployment, and management tools. Although the Dynamic infrastructure is the final stage of the Core IO Model, constant changes in technology and IT service capability enable organizations to move beyond the Dynamic level as defined in the model.

Microsoft has established the Dynamic Systems Initiative (DSI) to build software solutions that facilitate the movement to the Dynamic stage. DSI describes a vision in which IT systems become self-aware and self-managing. From a core technology perspective, DSI is about building software that enables knowledge of an IT system to be created, modified, transferred, and operated on throughout the life cycle of that system. These core principles (knowledge, models, and life cycle) are the keys in addressing the complexity and manageability challenges that IT organizations face today. The IO Model defines a core number of capabilities in alignment with the Dynamic infrastructure:
- Proactive component configuration control
- User self-service for common help desk requests
- Automated application compatibility testing
- Optimized firewall and security practices, including network quarantine capabilities
- Secure wireless network access
- Secured third-party remote access to network and line-of-business applications
- Automated desktop health monitoring
- Automated software update management for servers
- Data protection and recovery strategy for critical desktops

These attributes are key areas where customers can currently implement processes and technologies to achieve a Dynamic infrastructure. The Moving from a Rationalized to Dynamic Infrastructure page highlights key technologies and implementation guidance to correspond with these capabilities. DSI takes the Dynamic infrastructure definition further by defining the building blocks of a dynamic system: knowledge of a designer's intent for those systems, knowledge of the environment in which the systems operate, knowledge of IT policies that govern those systems, and knowledge of the user experience associated with those systems. Microsoft is currently developing a common language for the knowledge components, the Service Modeling Language (SML), where this knowledge can be captured, consumed, and augmented throughout the IT system. Based on Microsoft research in service modeling, SML will provide a rich set of constructs for creating models of complex IT services and systems. These models will include information about configuration, deployment, monitoring, policy, health, capacity planning, target operating range, service-level agreements, and other configuration attributes. The Service Modeling Language is based on the System Definition Model, which defines a mechanism for capturing information about systems in reusable models. You can begin preparing for the convergence of knowledge among developers, architects, administrators, and users through the SML. Tools and practices are available for defining, maintaining, and enforcing knowledge components at all stages in the infrastructure life cycle.


Align Application Development with Operations


As custom applications are created for the environment, it's important to take into account during the development process how the application will be managed after it's deployed. Collaborating with operations teams during the design phase reduces the number of issues that are introduced during deployment. Additionally, by documenting the expected configuration information, the operations team can monitor for discrepancies in the production environment. For more information, see:
- Visual Studio 2005: Bridge the Gap Between Development and Operations with Whitehorse
- Define auditable configuration items using Microsoft Systems Management Server 2003 Desired Configuration Monitoring

Define Configuration Standards at Deploy Time


By understanding the configuration attributes of the applications, greater automation can be designed with less user intervention, allowing for a cost savings during deployments. Additionally, if the operations team has defined configurations, it can monitor for changes in the environment that may be unauthorized or affect the overall health of the environment. To create a database containing the configuration attributes used to automate desktop deployment, see the Zero Touch Installation Deployment Feature Team Guide. To define and capture server configurations using WSSRA Configuration Matrix materials, see Windows Server System Reference Architecture (WSSRA). To define security configurations using the Security Configuration Database, see Extending the Security Configuration Database. To define configuration health models using MOM 2005 management packs, see the Microsoft Operations Manager (MOM) 2005 Management Pack Development Guide.

Implement and Maintain Configuration Standards


Maintained configuration standards help to lower the cost of maintaining the environment while increasing the supportability and reliability of the environment. Ensuring that systems are configured to best practice levels helps reduce issues in the environment while increasing overall security of the production systems. To use Best Practice Analyzer tools with predefined configuration items for Exchange, ISA Server, SQL Server and ASP.NET, see the Best Practice Analyzers on the Microsoft Download Center. To implement configuration management standards using a CMDB, see Service Management Functions: Configuration Management. To leverage MOM 2005 Power Tools to enforce desired configuration settings, see Power Tools. To use SMS 2003 to monitor server and application configurations, see Microsoft Systems Management Server 2003 Desired Configuration Monitoring 2.0.
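The two preceding sections describe defining a configuration standard and then monitoring production for drift from it. As an added example (not code from the Blueprint, from SMS 2003 Desired Configuration Monitoring, or from any Microsoft baseline), the following PowerShell script shows the smallest useful version of that loop: a declared baseline of security-relevant registry settings, a comparison against the live machine, and a non-zero exit code when anything has drifted. The baseline values are illustrative assumptions drawn from common Windows hardening guidance; substitute the values your organization has agreed on. It assumes PowerShell 2.0 or later and read access to HKLM.

```powershell
# Added example, not the Blueprint's own code. A minimal desired-configuration
# check: compare security-relevant registry settings against a declared
# baseline and report drift. Baseline values are illustrative assumptions,
# not a Microsoft-published baseline. Assumes PowerShell 2.0 or later.

$Baseline = @(
    @{ Setting  = "LAN Manager hash storage disabled (NoLMHash)"
       Path     = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
       Name     = "NoLMHash";             Expected = 1 },
    @{ Setting  = "NTLMv2 only, refuse LM and NTLM (LmCompatibilityLevel)"
       Path     = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
       Name     = "LmCompatibilityLevel"; Expected = 5 },
    @{ Setting  = "Anonymous SAM enumeration restricted (RestrictAnonymousSAM)"
       Path     = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
       Name     = "RestrictAnonymousSAM"; Expected = 1 },
    @{ Setting  = "Smart card required for interactive logon (scforceoption)"
       Path     = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
       Name     = "scforceoption";        Expected = 1 }
)

function Get-RegistryValue {
    # Returns the value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-Baseline {
    # Emits one object per setting whose live value differs from the baseline.
    param($Items = $Baseline)
    foreach ($b in $Items) {
        $actual = Get-RegistryValue -Path $b.Path -Name $b.Name
        if ($actual -ne $b.Expected) {
            New-Object PSObject -Property @{
                Setting  = $b.Setting
                Expected = $b.Expected
                Actual   = $(if ($actual -eq $null) { "<missing>" } else { $actual })
            }
        }
    }
}

$drift = @(Test-Baseline)
if ($drift.Count -eq 0) {
    Write-Host "No drift from baseline."
    exit 0
}
$drift | Format-Table Setting, Expected, Actual -AutoSize
exit 1   # non-zero so a scheduled task or SMS advertisement records the failure
```

A missing value is reported as drift rather than ignored, because a setting that was never applied is the most common way a machine falls out of standard. Extend the baseline from the same source you use to define it (the security template or Group Policy object), so that the check and the standard cannot silently diverge.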


Infrastructure References
- Los Angeles County Office of Education: Los Angeles County Cuts Messaging Costs; Employees Stay in Touch in Real Time
- Department of Education and Training Victoria: DET Victoria Saves up to $208,000 a Year with Microsoft Office SharePoint Server 2007
- Broward County Public Schools: School District Addresses Core Educational Goals with Automated Project Management
- Dufferin-Peel Catholic District School Board Delivers New Learning Tools
- Oregon Department of Education: Education Department Reduces Number of Servers by 40 Percent, Lowers IT Costs

Links
The following lists provide URL links to the resources and case studies cited within the Blueprint.

Resources
Active Directory Federation Services at http://technet2.microsoft.com/windowsserver/en/library/050392bc-c8f5-48b3-b30ebf310399ff5d1033.mspx Application Compatibility Feature Team Guide in Business Desktop Deployment 2007 at www.microsoft.com/technet/desktopdeployment/bdd/2007/AppCompact_1b.mspx Application Compatibility Testing for Windows Vista: Technical Case Study at www.microsoft.com/technet/itshowcase/content/appcompattcs.mspx Application Compatibility Toolkit at http://technet.microsoft.com/enus/windowsvista/aa905102.aspx Best practices analyzers: Microsoft Exchange Server Best Practices Analyzer at www.microsoft.com/downloads/info.aspx? na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u= %2fdownloads%2fdetails.aspx%3fFamilyID%3ddbab201f-4bee-4943-ac22e2ddbd258df3%26DisplayLang%3den Microsoft Internet Security and Acceleration Server Best Practices Analyzer Tool at www.microsoft.com/downloads/info.aspx? na=22&p=2&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u= %2fdownloads%2fdetails.aspx%3fFamilyID%3dd22ec2b9-4cd3-4bb6-91ec0829e5f84063%26DisplayLang%3den Best Practices Analyzer Tool for Microsoft SQL Server at www.microsoft.com/downloads/details.aspx?FamilyID=b352eb1f-d3ca-44ee893e-9e07339c1f22&DisplayLang=en

Bluefire at www.bluefiresecurity.com/ Bridge the gap between development and operations with Whitehorse at http://msdn.microsoft.com/msdnmag/issues/04/07/whitehorse/default.aspx Computer Imaging System Feature Team Guide at www.microsoft.com/technet/desktopdeployment/bdd/2007/ComImgFea_3.mspx Control Objectives for Information and related Technology (COBIT) at www.isaca.org/ Core Infrastructure Optimization at www.microsoft.com/business/peopleready/coreinfra/ac/default.mspx Core Infrastructure Optimization Online Self-Assessment at www.microsoft.com/business/peopleready/coreinfra/ac/default.mspx

Links

45

Core IO Implementer Resource Guide Standardized to Rationalized at www.microsoft.com/downloads/details.aspx?FamilyId=ED8F8C4A-5E48-46BA-89B617D9F8894AB5&displaylang=en Core IO Implementer Resource Guide: Basic to Standardized at www.microsoft.com/downloads/details.aspx?FamilyId=77C0EA3A-BC82-456CB13D-CFC04D9DCB89&displaylang=en Data Protection and Recovery in Windows XP at www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx Data Security and Data Availability in the Administrative Authority at www.microsoft.com/technet/security/bestprac/bpent/sec3/datasec.mspx Deploying Office Live Communications Server 2005 and Office Communicator 2005 at Microsoft at www.microsoft.com/technet/itshowcase/content/lcs2005twp.mspx Deploying PKI Inside Microsoft at www.microsoft.com/technet/itshowcase/content/deppkiin.mspx Deployment Process: Overview at www.microsoft.com/technet/desktopdeployment/depprocess/default.mspx Dynamic Systems Initiative at www.microsoft.com/windowsserversystem/dsi/default.mspx Extending the Security Configuration Database at http://technet2.microsoft.com/windowsserver/en/library/80740a7a-3668-491a-a9dc114cfe8d43741033.mspx. 
iAnywhere at www.ianywhere.com Implement configuration control policies across systems using Group Policy at http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.msp x Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41308 Improving IT Efficiency at Microsoft Using Virtual Server 2005 at http://www.microsoft.com/technet/itshowcase/content/virtualserver2005twp.mspx Improving Security with Domain Isolation at www.microsoft.com/technet/itshowcase/content/ipsecdomisolwp.mspx Introduction to Firewall Services at www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/defa ult.mspx Introduction to the Wireless Application Protocol at www.wirelessdevnet.com/channels/wap/training/wapoverview.html ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management at www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail? CSNUMBER=39612&ICS1=35&ICS2=40&ICS3= IT Health Scorecard Metrics at www.microsoft.com/technet/itshowcase/content/itscorecdnote.mspx IT Infrastructure Library (ITIL) at http://www.itil.co.uk/ Managing Mobile Devices in the Enterprise at www.microsoft.com/technet/solutionaccelerators/mobile/evaluate/mblmange.mspx Microsoft Office Online Templates for teachers at http://office.microsoft.com/enus/templates/results.aspx?qu=teacher&av=TPL000

46

Microsoft Technology Blueprint for Primary and Secondary Schools

Microsoft Operations Framework (MOF) at www.microsoft.com/mof Microsoft Operations Framework: Improving the Way IT Organizations Handle IT Issues at www.microsoft.com/technet/itshowcase/content/mofmmppt.mspx Microsoft Operations Manager 2005 Security Guide at www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/3e039637-463946f7-9f5f-518e0c04795e.mspx Microsoft Operations Manager (MOM) 2005 Management Pack Development Guide at www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/dcb14ae5c716-4629-90ce-77f898b91d4f.mspx Microsoft Systems Management Server 2003 Desired Configuration Monitoring at www.microsoft.com/technet/itsolutions/cits/mo/sman/dcm.mspx Microsoft TechNet at http://technet.microsoft.com Mobile Device Wireless Connectivity at www.microsoft.com/technet/archive/itsolutions/mobile/deploy/mblwirel.mspx MOM 2005 Operations Guide at www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/faf19f47-facd-44679510-e7c84c671572.mspx Monitoring Exchange Server 2003 at Microsoft at www.microsoft.com/technet/itshowcase/content/monittsb.mspx Odyssey Software at www.odysseysoftware.com/ Optimizing Bandwidth at Microsoft at www.microsoft.com/technet/itshowcase/content/optbwcs.mspx Optimizing Infrastructure: The Relationship between IT Labor Costs and Best Practices for Managing the Windows Desktop at http://whitepapers.zdnet.com/whitepaper.aspx?docid=284982&promo=100202 Planning the Windows Vista Deployment at Microsoft at www.microsoft.com/technet/itshowcase/content/vistadeploy_twp.mspx Providing Security for Corporate Resources at Microsoft by Using ISA Server 2004 at www.microsoft.com/technet/itshowcase/content/isa2004sp2.mspx Providing Security for the Network Perimeter at Microsoft at www.microsoft.com/technet/itshowcase/content/secnetwkperim.mspx Providing Security for the Network Perimeter at Microsoft at www.microsoft.com/technet/itshowcase/content/secnetwkperim.mspx Secure Access Using Smart Cards Planning Guide at 
http://go.microsoft.com/fwlink/?LinkID=41314 Securing Windows 2000 Server at http://go.microsoft.com/fwlink/?linkid=14838 Security Enhancements for Remote Access at Microsoft at www.microsoft.com/technet/itshowcase/content/rasecwp.mspx Security Guidance Portal on Microsoft TechNet at www.microsoft.com/technet/security/guidance Server Security Patch Management at Microsoft at www.microsoft.com/technet/itshowcase/content/sms03spm.mspx Service call management database Microsoft Office Access Database Call Center Template at http://office.microsoft.com/enus/templates/TC010184671033.aspx?pid=CT101426031033

Links

47

Service Modeling Language at www.microsoft.com/windowsserversystem/dsi/serviceml.mspx
Set up automated application compatibility testing at www.microsoft.com/technet/prodtechnol/winxppro/deploy/appcom/apcintro.mspx
Solution Accelerator for Consolidating and Migrating LOB Applications at www.microsoft.com/technet/solutionaccelerators/ucs/lob/lobsa/lobsaovw.mspx
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_3.mspx
Systems Management Server (SMS) 2003 at www.microsoft.com/technet/sms/default.mspx
Systems Management Server 2003 Desired Configuration Monitoring at www.microsoft.com/downloads/details.aspx?FamilyID=a867fc14-daa3-4c2a-9e65-4fbcbec60aaa&DisplayLang=en
Trustworthy Messaging at Microsoft at www.microsoft.com/technet/itshowcase/content/trustmes.mspx
Update Management at www.microsoft.com/technet/updatemanagement/default.mspx
Use Microsoft Dynamics and the 2007 Microsoft Office system together for best results: Integrate business software tools to empower your people and achieve your goals at www.microsoft.com/dynamics/product/office2007integration.mspx?mg_id=10150&wt.svl=10150
Windows Mobile 5.0 Messaging and Security Feature Pack at www.microsoft.com/windowsmobile/business/directpushemail.mspx
Windows Mobile 5.0 Security Model FAQ at http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx
Windows Mobile Center at www.microsoft.com/technet/solutionaccelerators/mobile/default.mspx
Windows Server 2003 Group Policy at http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx
Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?linkid=14846
Windows Server 2003 Terminal Services at http://technet2.microsoft.com/windowsserver/en/technologies/featured/termserv/default.mspx
Windows Server System Architecture Virtual Environments for Development and Test at www.microsoft.com/technet/solutionaccelerators/wssra/ve/default.mspx
Windows Server System Reference Architecture (WSSRA) at www.microsoft.com/downloads/details.aspx?familyid=d44e34ec-b4e2-49a1-9f40-9ed4ba3765df&displaylang=en
Windows Vista Security Guide, Chapter 3: Protect Sensitive Data at www.microsoft.com/technet/windowsvista/security/protect_sensitive_data.mspx
Wireless Networking at www.microsoft.com/technet/network/wifi/default.mspx
Zero Touch Installation (ZTI) at www.microsoft.com/technet/desktopdeployment/bdd/2007/ZeroTouch_3.mspx
Zero Touch Installation Deployment Feature Team Guide at www.microsoft.com/technet/desktopdeployment/bdd/enterprise/ztidftguide_7.mspx


Zero Touch Provisioning at www.microsoft.com/technet/desktopdeployment/ztp/default.mspx

Case Studies
Abbotsholme School: Independent Boarding School Moves to 21st Century with Network and Wireless Solution at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49303
Broward County Public Schools: School District Addresses Core Educational Goals with Automated Project Management at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003652
Carnegie Mellon University's West Coast Campus: University Supports Remote Students with Web Conferencing Solution at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53579
Carson-Dellosa Publishing: Educational Publisher Speeds Time-to-Market with Information Sharing Solution at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53827
Delaware Department of Education (DDOE): Delaware Schools Meet NCLB Requirements, Cut Costs by U.S.$740,000 at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=48439
Denbigh High School: Teachers' Lesson Preparation Time Reduced with Free Education Support Tools at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003764
Department of Education and Training Victoria: DET Victoria Saves up to $208,000 a Year with Microsoft Office SharePoint Server 2007 at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=201040
Dufferin-Peel Catholic District School Board Delivers New Learning Tools at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=48834
EDCO Gains Multi-Company Project Accounting Capabilities at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=48382
Elementary School of National Hero Maks Pear: Slovenian School Improves Communication with Parents at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003795
Anoka-Hennepin School District: Identity Management Solution Keeps Parents in Large Minnesota School District Informed at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003795
Edmonton Catholic Schools Provide Parents with a Window into the Classroom at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=48835
Greenhill School: Making the Grade with Microsoft FrontPage 2000 at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=50468
Hutchesons' Grammar School: Leading Scottish Grammar School Maintains High Standards Online at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200395
Ivy Tech Community College: Community College Improves Enrollment Forecasting, Positions to Meet Growth Goal at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200036


University of Southern Mississippi: University Boosts Productivity by 40 Percent, Saving U.S.$66,000 Annually at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200111
Jefferson County Public Schools Close Achievement Gaps in Student Performance at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52902
Lake Washington School District: Collaborative Learning Portal Promotes Student Success at Lake Washington School District at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52395
Lenawee Intermediate School District (LISD): Michigan District Boosts Student-Teacher Interaction, Enhances Classroom Instruction at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53231
Los Angeles County Office of Education: Los Angeles County Cuts Messaging Costs; Employees Stay in Touch in Real Time at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200047
Mere Green Combined School Unlocks the Potential of Every Child at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52429
Miami Dade County Public Schools: Collaborative Portal Improves Education for Fourth-Largest U.S. School District at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200967
Nebraska Department of Education: Web-Based School Assessment System Wins Political Points at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=50847
Ninestiles School: Anytime Anywhere Learning at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=51168
Northern Lights Public School Builds an Award-Winning Learning Environment at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49024
Oregon Department of Education: Education Department Reduces Number of Servers by 40 Percent, Lowers IT Costs at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200692
Oregon Department of Education: Web-Based Solution Enables Better Decision-Making, Productivity for the Oregon Department of Education at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=50340
Perm Municipal Education and Science Committee Increases Staff Productivity Thanks To Collaborative Solution at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53149
Rockdale County Public Schools: School Staff Gains Immediate Access to Student Information with Handheld Solution at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=48747
Sandwell Borough Council: Portal Solution Brings the Whole Community Together to Raise Educational Standards at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53619
Saskatchewan Learning: Saskatchewan School Boards Score Top Marks in Efficiency with New Financial Management System at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=201326
Sydney Anglican Schools Corporation Implements Powerful Financial System at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200586


The Department of Education for Northern Ireland: Northern Ireland Chalks Up Educational Excellence with Microsoft Innovative Teachers Programme at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52050
The School District of Philadelphia: Messaging Solution Boosts Communication Among Students, Educators, and Parents at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200039
Tracy Unified School District: School District Learns E-Mail Security Can Do More, Cost Less, and Be Easier to Use at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200918
UK Schools: Parents Help Cut Truancies and Improve Pupil Performance at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=51806
Western Heights Public Schools Meet NCLB Requirements, Gain US$400,000 in Revenue at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52901
Wolverhampton City Council Mobilises Learning to Give Students Access to Anywhere, Anytime Education at www.microsoft.com/casestudies/casestudy.aspx?casestudyid=53880

Acknowledgements
The Solution Accelerators Security and Compliance team would like to thank the team that produced the Microsoft Technology Blueprint for Primary and Secondary Schools. The following people were directly responsible for, or substantially contributed to, the writing, development, and testing of the Blueprint, or provided valuable feedback on it.

Craig Bartholomew
Eve Blakemore
Gaurav Bora
Liz Butowicz
Derick Campbell
Chase Carpenter
Jeremy Chapman
Bret Clark
Mike Danseglio
Charles Denny
Dave Gasiewicz
Karl Grunwald
Mike Hines
Karina Larson
Jerry Lee
Linda Bookey, Bookey Consulting
John Cobb, Wadeware LLC
RaxitKumar Gajjar, Infosys Technologies Ltd
Michelle Hargarten, Silver Fox
Jennifer Kerns, Wadeware LLC
Jeanne Tiscareno, Chase Marketing Company
Aidan McCarthy
Juan Manuel Santos Rodriguez
Bomani Siwatu
Jim Stewart
Cynthia Suber
Cindy Weisz
Adrian Wilson
Naser Ziadeh

Beta reviewers
Cindy Agnew, Fife School District
Brent Albasini, Fife School District
Micah Baker, Cascade School District
Douglas Harrell, Edison McNair Academy
Marthelia Hargrove, Former Principal, Costano School
Kevin Johnson, Fife School District
Kevin Pobst, Hinsdale Township High School District 86
Tim Hohman, Hinsdale Township High School District 86
John Porter, Montgomery County Public Schools, Maryland
Mike Casey, San Diego Public Schools
Tim McCarty, Dublin Unified School District
Scott Sexsmith, Capistrano Unified School District
Brian L. Stockbrugger, Capistrano Unified School District
Julie Yack, Colorado Technology Consultants