Cutting Costs With Microsoft Infrastructure Optimization

Apply this model in stages to achieve significant savings and improved service.

While dynamic or fully automated systems that are strategic assets to an organization might seem like a far-off dream, infrastructure optimization models and products can help get you one step closer to making IT a valuable asset.

Microsoft Infrastructure Optimization (IO) is based on Gartner’s Infrastructure Maturity Model and provides a simple structure for evaluating the efficiency of core IT services, business productivity and application platforms.

Though the ultimate goal is to make IT a business enabler across all three areas, you’ll need to concentrate on standardizing core services: moving your organization from a basic infrastructure (in which most IT tasks are carried out manually) to a managed infrastructure with some automation and knowledge capture.

An IDC study of 141 enterprises with 1,000 to 20,000 users found that PC standardization and security management could save up to $430 per user annually; standardizing systems management servers could save another $46 per user.

The Basics

Anyone who’s ever had to set up and maintain shared resources without a server to provide basic infrastructure services such as Domain Name System (DNS) and directory services will know how problematic that task can be. Windows Server in its various editions (Foundation, Small Business and Standard) can authenticate users and computers, and control access to systems and applications using Active Directory (AD). Other networking infrastructure services such as Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS) and DNS can be hosted on the same server.

Non-Windows devices can also authenticate against AD. For instance, why maintain a separate list of user names and passwords on a virtual private network device if it can use AD? Users would need to remember only one set of credentials for accessing network resources, which in turn would reduce support costs.

Though there are no technical requirements for configuration management in the standardized level of Microsoft IO, configuration and change management processes must be defined. It’s worth noting that you can centrally manage and enforce configuration settings for Windows clients and servers via AD Group Policy.

Many sysadmins were put off by Group Policy’s complexity when it was introduced with Windows 2000. Management tools have since matured, and the Group Policy Management Console (GPMC) — which can be downloaded from Microsoft and is included with Windows Server 2008 — provides a modeling tool for evaluating the results of a particular set of applied policy objects. Virtualization products such as Hyper-V and VMware Workstation also make it easy to test Group Policy in a lab. Central management can save up to $190 per PC per year.

Patching and Endpoint Security

Windows Server Update Services (WSUS), a free component of Windows Server, can be used to patch operating systems, and its functionality can be extended to include third-party applications with System Center Configuration Manager (SCCM) and Essentials (SCE). Microsoft’s latest Security Intelligence Report shows that 86 percent of reported vulnerabilities affected third-party applications or other software. At a push, Group Policy can be used to distribute application patches, but it’s more difficult to manage and less flexible than SCCM.
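Automatic patching is only as good as the reporting behind it. The following script is an added example, not code from the article or from Microsoft: it queries a WSUS server through the WSUS administration API (the Microsoft.UpdateServices.Administration assembly installed with the WSUS console) and lists every computer that has failed or outstanding approved updates, or that has stopped reporting in. The server name, port and staleness threshold are assumptions to replace with your own values.

```powershell
# Added example (not from the article): WSUS compliance report using the WSUS admin API.
# Assumes the WSUS console is installed where this runs; server name and port are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$WsusServer = 'wsus01.corp.example'   # placeholder host name
$WsusPort   = 8530                    # assumed port (WSUS 3.0 installs often used 80)
$UseSsl     = $false
$StaleDays  = 14                      # clients silent for longer than this are flagged

function Get-WsusComplianceReport {
    param([string]$Server, [int]$Port, [bool]$Ssl, [int]$StaleAfterDays)

    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $Ssl, $Port)
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($target in $wsus.GetComputerTargets()) {
        # Per-computer counts of approved updates by installation state
        $summary = $target.GetUpdateInstallationSummary()
        [pscustomobject]@{
            Computer      = $target.FullDomainName
            LastReported  = $target.LastReportedStatusTime
            Stale         = ($target.LastReportedStatusTime -lt $cutoff)
            NotInstalled  = $summary.NotInstalledCount
            Failed        = $summary.FailedCount
            PendingReboot = $summary.InstalledPendingRebootCount
            Unknown       = $summary.UnknownCount
        }
    }
}

$report = Get-WsusComplianceReport -Server $WsusServer -Port $WsusPort -Ssl $UseSsl -StaleAfterDays $StaleDays

# Machines that need attention: failed or outstanding updates, or not checking in at all
$report |
    Where-Object { $_.Stale -or $_.Failed -gt 0 -or $_.NotInstalled -gt 0 } |
    Sort-Object Failed, NotInstalled -Descending |
    Format-Table -AutoSize

# One-line fleet status for the weekly report
$total = @($report).Count
$clean = @($report | Where-Object { -not $_.Stale -and $_.Failed -eq 0 -and $_.NotInstalled -eq 0 }).Count
"{0} of {1} computers fully patched and reporting within {2} days" -f $clean, $total, $StaleDays
```

The stale-client check matters as much as the failure counts: a machine that has not reported to WSUS in two weeks shows zero failures simply because nothing is known about it, so the report treats silence as non-compliance rather than success.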

Enterprise-class antivirus programs, such as those offered by Symantec or McAfee, should be used to protect clients, servers and special applications such as Exchange and SharePoint. Starting with XP, all Windows clients and servers include a firewall, which should be turned on and managed centrally using Group Policy. Some security suites also include endpoint firewalls with advanced functionality. Comprehensive endpoint security can save $130 per PC per year.
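The two points above, central configuration through Group Policy and switching the Windows Firewall on everywhere by policy rather than by hand, can be done from a script. The block below is an added example and not code from the article, Microsoft or GPMC: it creates a GPO that enables the firewall for the domain and standard profiles, links it to an OU with the Enforced flag, reads the settings back, and produces the same Resultant Set of Policy report that the GPMC wizard generates. It assumes the GroupPolicy PowerShell module (RSAT, or Windows Server 2008 R2 and later); the GPO name, OU path and client name are placeholders.

```powershell
# Added example (not from the article): enforce the Windows Firewall with a GPO and verify it.
# Assumes the GroupPolicy module; names and paths below are placeholders for your environment.
Import-Module GroupPolicy

$GpoName      = 'Standard-Endpoint-Firewall'          # assumed GPO name
$TargetOu     = 'OU=Workstations,DC=corp,DC=example'  # placeholder OU
$SampleClient = 'WS-0042'                             # placeholder computer name

# Registry keys behind the policy "Windows Firewall: Protect all network connections".
# A value set here overrides whatever a local administrator chooses in the control panel.
$FirewallProfiles = @(
    'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
    'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
)

function Set-FirewallGpo {
    param([string]$Name, [string]$OuPath)

    # Reuse an existing GPO of the same name so the script can be rerun safely
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Enforces Windows Firewall on domain and standard profiles'
    }

    foreach ($key in $FirewallProfiles) {
        # EnableFirewall = 1 switches the firewall on for that profile
        Set-GPRegistryValue -Name $Name -Key $key -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null
    }

    # Link to the OU and mark it Enforced so a GPO lower in the hierarchy cannot undo it.
    # New-GPLink errors if the link already exists, hence SilentlyContinue.
    New-GPLink -Name $Name -Target $OuPath -LinkEnabled Yes -Enforced Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Test-FirewallGpo {
    param([string]$Name)
    # Read back what the GPO will write, profile by profile
    foreach ($key in $FirewallProfiles) {
        $setting = Get-GPRegistryValue -Name $Name -Key $key -ValueName 'EnableFirewall'
        [pscustomobject]@{ Profile = $key.Split('\')[-1]; EnableFirewall = $setting.Value }
    }
}

Set-FirewallGpo -Name $GpoName -OuPath $TargetOu | Out-Null
Test-FirewallGpo -Name $GpoName | Format-Table -AutoSize

# Resultant Set of Policy for one client, once it has refreshed policy (gpupdate /force on
# the client, or the background refresh). This is what the GPMC modeling/results wizard shows.
Get-GPResultantSetOfPolicy -Computer $SampleClient -ReportType Html -Path "$env:TEMP\$SampleClient-rsop.html"
```

Test the GPO against a lab OU or a virtualized client first, as the text suggests; an enforced link applies to every machine beneath the OU, and a mistake in the policy keys reaches all of them at the next refresh.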

Any organization connected to the Internet over a shared connection is likely to have a firewall or network address translation device in place, providing some degree of protection for intranet clients. Ideally, a good hardware firewall or server-based firewall (such as Microsoft ISA Server) with stateful inspection and application-layer filtering should be deployed at the network edge.

Disaster Recovery and Image Deployment

While Windows provides simple backup and restore functionality, it’s likely that all but the most basic setups will require a specialized product (for example, Backup Exec) or a dedicated server (such as Microsoft’s Data Protection Manager), which can consolidate data and provide centralized backup from multiple sources.

Limiting the number of operating systems that you support to a maximum of two and creating a set of standard images for deploying operating systems can save up to $110 per PC per year. Windows Server includes Windows Deployment Services, while SCCM provides more advanced OS deployment features. Symantec’s Ghost Solution Suite 2.5 is also capable of deploying images to multiple machines. Norton Ghost 14.0 is a good imaging solution for small organizations.

Mobile Devices

Managing mobile devices to ensure they remain secure and updated is probably one of IT’s biggest challenges. Exchange Server 2007 contains a set of ActiveSync policies for controlling Windows Mobile-based devices, and SCCM provides more advanced functionality, such as the ability to distribute software. Should a device be stolen, Exchange ActiveSync remote wipe can erase confidential data. BlackBerry devices can be managed by server software from Research In Motion.
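The ActiveSync controls mentioned above can be applied from the Exchange Management Shell. The block below is an added example, not code from the article or from Microsoft: it creates a mailbox policy that requires a device PIN and auto-lock, assigns it to every ActiveSync-enabled mailbox, and issues a remote wipe for one specific lost device rather than for every device the user owns. It uses the Exchange 2007/2010 cmdlet names (later versions rename them to the *-MobileDevice* family); the policy name, mailbox, device ID and notification address are placeholders.

```powershell
# Added example (not from the article): ActiveSync mailbox policy plus a targeted remote wipe.
# Run in the Exchange Management Shell; all names below are placeholders for your environment.

$PolicyName    = 'Standard-Mobile'        # assumed policy name
$LostMailbox   = 'jdoe@corp.example'      # placeholder: user who reported a stolen device
$LostDeviceId  = 'PLACEHOLDER-DEVICE-ID'  # placeholder: DeviceID reported by Get-ActiveSyncDeviceStatistics
$HelpdeskEmail = 'helpdesk@corp.example'  # placeholder: where wipe acknowledgements go

function New-StandardMobilePolicy {
    param([string]$Name)
    # Create the policy only if it does not already exist, so the script can be rerun
    $policy = Get-ActiveSyncMailboxPolicy -Identity $Name -ErrorAction SilentlyContinue
    if (-not $policy) {
        $settings = @{
            Name                               = $Name
            DevicePasswordEnabled              = $true       # require a PIN or password
            AlphanumericDevicePasswordRequired = $false      # a numeric PIN is acceptable here
            MinDevicePasswordLength            = 6
            MaxDevicePasswordFailedAttempts    = 10          # device erases itself after 10 failures
            MaxInactivityTimeDeviceLock        = '00:15:00'  # lock after 15 minutes idle
            PasswordRecoveryEnabled            = $true       # recovery password escrowed in Exchange
            AllowNonProvisionableDevices       = $false      # refuse devices that cannot enforce the policy
        }
        $policy = New-ActiveSyncMailboxPolicy @settings
    }
    return $policy
}

function Set-PolicyOnAllMailboxes {
    param([string]$Name)
    # Assign the policy to every mailbox that has ActiveSync switched on
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled } |
        Set-CASMailbox -ActiveSyncMailboxPolicy $Name
}

function Invoke-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId, [string]$NotifyAddress)
    # Pick out only the reported device; the user's other devices are left alone
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) { throw "No device with ID $DeviceId has synced with $Mailbox" }

    # The wipe is queued in Exchange and executed the next time the device connects
    Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false

    # Show the request, sent and acknowledgement timestamps so the helpdesk can track it
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId } |
        Select-Object DeviceType, DeviceID, LastSyncAttemptTime, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}

New-StandardMobilePolicy -Name $PolicyName | Out-Null
Set-PolicyOnAllMailboxes -Name $PolicyName
Invoke-LostDeviceWipe -Mailbox $LostMailbox -DeviceId $LostDeviceId -NotifyAddress $HelpdeskEmail
```

A wipe only takes effect when the device next contacts Exchange, so the policy's failed-attempt limit and idle lock are what protect the data in the meantime; the DeviceWipeAckTime column is empty until the device has confirmed the erase.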

Server Monitoring

Monitoring servers and other important infrastructure devices is important for anticipating potential problems and maintaining a good level of service. System Center Operations Manager (SCOM) or Essentials can be used to monitor Windows servers and other devices.

Nontechnical Competencies

Technical incidents are often caused by lack of change-control procedures. Microsoft IO standardization requires change and configuration management processes to be defined. Even a simple spreadsheet to record changes, along with limiting access to administrative privileges on servers, can provide a more stable environment. Processes must also be defined for problem, incident and service management — and be consistently applied.

While it may not seem to fit with core IT services, Microsoft states that all software should be evaluated and tested. This is a best practice when working with standard images and security controls on desktop computers. Software shouldn’t be installed unless it is part of your organization’s approved software portfolio.

Standardize for Success

Standard features of Windows server and client operating systems, such as Group Policy and Windows Firewall, are often underutilized — but can help fulfill many of the criteria that Microsoft Infrastructure Optimization sets for both the standardized and rationalized levels.

While some of the competencies will require additional software, such as Exchange for managing mobile device security or SCE for server monitoring, that shouldn’t stop you from reaping the benefits of basic infrastructure services and security controls.

Striving for the status of standardized infrastructure, according to Microsoft IO, may not be beneficial for every organization. The cost of deploying a particular competency should be balanced against the gains. For example, a small office with five desktops is unlikely to benefit much from a standardized image for desktop deployment. Equally, rationalized (consolidated) and dynamic (fully automated) infrastructures are likely to be more beneficial for large organizations.

For more information on Microsoft IO and the potential savings it could yield, visit Microsoft's infrastructure website. The site also provides an online tool for evaluating the current status of your infrastructure.

Checklist: Microsoft Infrastructure Optimization for Core IT Services

This table divides the competencies for service standardization into Stage 1, Stage 2 and nontechnical. Stage 1 competencies should be relatively easy to achieve if you already have a Windows server in place. Stage 2 competencies may require additional software.

Stage 1

  • Active Directory for authentication and authorization
  • Automatic patching for Windows and third-party applications
  • Malware protection and enabled endpoint firewalls
  • Hardware or server-based firewall at the network edge
  • Networking infrastructure services: DNS, DHCP and WINS
  • Disaster recovery for business-critical servers

Stage 2

  • A set of standard images for desktop deployment
  • Standardize to a maximum of two operating system versions
  • Centralized management for mobile devices
  • Data protection for lost mobile devices
  • Monitoring of business-critical servers

Nontechnical

  • Risk assessment methodology and incident response plan
  • Consistent security policy compliance
  • Evaluation and testing of all software
  • Problem, incident, service, configuration and change management processes

May 21 2009