Transitioning to IT Operations

IT Operations is responsible for many aspects of client security that have not been addressed in this document. After the Security feature team has reached this phase, it must transition the role of securing client computers to IT Operations. IT Operations’ responsibilities include:

  • Maintaining security. IT Operations must take steps to ensure that client computers maintain their initial security settings unless deliberately changed. This process must be deliberate, because security settings will degrade over time without active maintenance. Enforcing security settings by using GPOs is the most common method for maintaining these settings.

  • Auditing. Auditing verifies that security settings on deployed clients are consistent with those settings identified during the Planning and Developing Phases. Without auditing, it is likely that some settings will not be properly deployed. Another form of auditing involves monitoring computers for potential attacks, and this is also the responsibility of IT Operations.

  • Updating the operating system and applications. Although the Security feature team has accommodated the need to regularly update software during the Planning Phase, the bulk of the burden falls on IT Operations. IT Operations must identify new updates as they are released, evaluate the updates to determine which must be deployed, deploy the updates, and then verify that the updates were successfully deployed. This process does tie in to the client deployment process, however. Updates that are distributed to existing clients should also be integrated into client images on a regular basis.

  • Addressing newly discovered threats and vulnerabilities. Security changes constantly as new vulnerabilities are discovered, new exploit tools are developed, and new types of attacks are invented. IT Operations must assess these developments and determine the best way to address these issues to continue to meet the organization’s security requirements. Often, the best way to address these changes involves a change in the client platform. When such a change is necessary, IT Operations should communicate with the Security feature team to ensure that security configuration changes are integrated into future releases of the client platform image.

  • Disaster recovery. Disaster recovery, encompassing everything from restoring data from a failed hard disk to rebuilding client computers after a natural disaster, falls into the scope of security. IT Operations must have a plan to restore client computers after different types of events occur that cause data loss. The amount of data that the organization can tolerate losing determines the frequency of updates and the need to store data off site.

  • Training and personnel. Human error is the source of many compromises. Although human error can never be eliminated, IT Operations must train users to reduce security risks. For example, users must be trained how to create a password that is consistent with the password requirements that the Security feature team identified in the Planning Phase. Human resources and legal teams must be involved in security, too, to ensure that employees agree to follow security guidelines, to properly assign liability in the event an employee initiates an attack, and to notify employees that the actions on their computers may be monitored.

  • Responding to security events. IT Operations must have a process to respond to security events. If auditing or intrusion detection has been designed into the client platform, IT Operations must understand how to use these resources to gather information about an attack. After the immediate needs of a security event have been addressed (such as ensuring the safety of personnel and limiting the scope of the damage), IT Operations must analyze the vulnerability. As a result of this analysis, they may need to engage the Security feature team to change aspects of the client platform to prevent similar compromises in the future.

The transition to IT Operations does not completely end the responsibilities of the Security feature team. Especially during the first several months after deployment, IT Operations must work regularly with the Security feature team to understand how restrictive security settings may be responsible for problems users are experiencing and how best to resolve those problems. The Security feature team must maintain a close, ongoing relationship with IT Operations.

Milestone: Transitioning to IT Operations

Milestones are synchronization points for the overall solution. See the Plan, Build, and Deploy Guide.

At this milestone, the Security feature team has ensured that IT Operations staff members are properly trained and adequately equipped to maintain security settings on clients after deployment. This milestone requires the deliverables listed in Table 8.

Table 8. Transitioning to IT Operations Milestone Deliverables

Deliverable ID


Security configuration summary

A listing of the client security settings that the Security feature team has identified. IT Operations will be able to reference this list to audit computers to verify the computers’ integrity. As much as possible, the summary provides justifications for unusual security settings, especially for those security settings that may cause problems for users and IT Operations.

Problem escalation contacts and procedures

Policies for dealing with problems as they arise. In all but the least-restrictive environments, IT Operations will run into problems with overly restrictive settings. Specifically, new applications may not function correctly in the client environment the team has developed, or users may not be able to perform specific tasks because their accounts lack sufficient privileges. Although IT Operations may be technically capable of adjusting permissions to resolve these problems, they should not do so without contacting the Security feature team to better assess the impact of the permissions change.

Update integration contacts and procedures

Policies for updating security settings. IT Operations will identify security settings that must change and security updates that must be applied to the base client images. These procedures provide IT Operations with a process for suggesting these changes.


Get the Microsoft Solution Accelerator for Business Desktop Deployment 2007

Update Notifications

Sign up to learn about updates and new releases


Send us your comments or suggestions