4-page Case Study - Posted 1/21/2008

Västra Götalandsregionen

Regional Government Boosts the Security of Directory and Authentication Services

Västra Götalandsregionen (VGR) is a 24,000-square-kilometer area in Sweden. The region’s government consists of 37 separate entities that include hospitals as well as departments that promote culture and tourism. In the past, seven separate IT departments supported the entities. Over the last year, however, VGR consolidated its IT groups into one for greater operational efficiency. Rather than immediately replacing server and workstation technologies, VGR decided to first consolidate its 15 directories into one and 100 domain controllers onto six domain controllers running Active Directory® in Windows Server® 2008. The new solution provides the foundation for a unified system that promotes data sharing, collaboration, and specialization. In addition, VGR will be able to realize significant cost savings and improvements in security and productivity.

Situation

Västra Götalandsregionen (VGR), a 24,000-square-kilometer area in Sweden, is home to 1.6 million people. The authority that governs VGR employs approximately 50,000 people in permanent and contract positions. These employees provide services related to healthcare and infrastructure, in addition to other services that promote tourism, culture, and environmental protection. In 2007, healthcare accounted for 90 percent of the region’s annual operating budget of SEK39 billion (U.S.$6 billion).

In the past, VGR's governing authority consisted of 37 separate entities that each provided a service. For example, one group was responsible for public transportation, while another supported an opera house. These and other groups, including each of the hospitals in the region, operated as separate entities. The 37 entities were all self-managed, and each had its own IT architecture, staff, and policies. In mid-2006, VGR began to discuss consolidating these groups into one organization to improve communication among the groups and to improve the services that VGR offered to the region. Merging the entities took time, and VGR first focused on the administrative aspects of the groups. Addressing the disparity of the IT systems came in early 2007.

The IT architecture of each entity was unique. Some were based on a version of the Windows Server® operating system, while others ran the Linux, Sun Solaris, or Macintosh operating systems. Numerous applications—such as Novell NetWare, IBM Lotus Domino, IBM WebSphere, and Computer Associates Identity Manager—delivered various services to VGR employees. In addition, a total of 15 separate directories were used to manage system user accounts and resources, 13 in Active Directory® and two in Novell eDirectory.

Rather than having employees use multiple operating systems and disparate technologies, VGR wanted to create a common desktop environment and service desk to help streamline operations. Not only did it cost VGR more money to manage numerous architectures rather than only one, but employees also struggled to share information. “All of the entities wanted to work more closely with one another,” explains Rickard Dehlin, IT Strategy for VGR. “But without having a common environment to work in, we could not support data sharing in a way that was affordable, easy, or secure.”

As a government organization, VGR was increasingly concerned about information security. The organization had created a new security policy that outlined different security requirements for various types of system users. However, the existing directory technologies allowed administrators to set up only one policy per domain, to apply to all users in the domain. As a result, when a domain had multiple user classes, all users in that domain were constrained to the strictest security policy that was assigned across the domain. Thus, more than 15 directories existed throughout all of the 37 VGR entities to help segregate user types.

It was impractical to replace large portions of the overall IT infrastructure because of costs, so VGR sought a solution that could provide employees with a single access point to applications and data. After achieving that, the organization could then begin to migrate to the same server and client environment.

Solution

After researching options, VGR engineers chose to consolidate the 15 existing directories into one directory managed by Active Directory in the Windows Server 2008 operating system. Active Directory works with Computer Associates Identity Manager to provide a unified directory and permissioning service: Active Directory holds the permissions information for all of the disparate computing resources, and Identity Manager automates the creation, modification, and deletion of accounts and entitlements based on user relationships.

“It was a very quick decision to consolidate on Active Directory in Windows Server 2008,” explains Dehlin. “The majority of our healthcare applications run on the Windows® operating system, and we have a large number of IT staff who are highly knowledgeable about Microsoft technologies. The direct impact of one Active Directory service is the ability to consolidate to one client platform and one common service desk.”

Another reason VGR chose Windows Server 2008 is that the operating system would help to boost security. For example, the new Active Directory Domain Services (AD DS) provides a feature known as fine-grained password policies that administrators can use to define multiple password and account lockout policies for users in a single domain. This capability would allow administrators to consolidate the number of directories from 15 to one. Windows Server 2008 also offers a Server Core installation option so that administrators can set up server computers—such as domain controllers—to run only those components required by the operating system. This minimizes necessary maintenance on the server computers and increases security because a smaller attack surface is exposed to the network.

VGR engaged a Microsoft® Services consultant to help with the deployment. “We chose to work with Microsoft Services because we wanted to maintain a very close connection with Microsoft,” says Dehlin. “And we would only need the services of one part-time consultant who has excellent knowledge of the products.” 

In September 2007, VGR began deploying a beta version of the Windows Server 2008 Enterprise operating system, using the Server Core installation option, on six Dell PowerEdge 2950 server computers. The server computers, which function as domain controllers, are connected by gigabit Ethernet and feature quad-core Intel processors. “We chose Intel purely from an operations perspective,” explains Dehlin. “All of our existing servers have Intel processors. We didn't want to maintain different images of our servers, so that we would have to track down different drivers for AMD systems and for Intel systems. From an environment perspective, we wanted the same architecture everywhere.”

Next year, VGR engineers and the Microsoft consultant will migrate the existing directories and domain controllers, which had been running on more than 100 server computers, to the six new domain controllers running Windows Server 2008. “The challenging part will be determining how best to migrate the directories, because we had so many different baselines to start from,” says Dehlin.

Benefits

By deploying Windows Server 2008 on its new domain controllers, VGR will create a foundation that it can use for greater levels of data sharing and collaboration among its employees. In addition, VGR expects to cut costs, improve security and productivity, and make it easier for IT employees to focus on gaining specialized knowledge.

Facilitates Data Sharing and Collaboration

Windows Server 2008 interoperates with Computer Associates Identity Manager to provide consolidated directory and permissioning services for the disparate technologies at VGR. “We will build the environment for our new architecture around the new domain controllers that are running Windows Server 2008,” says Dehlin. “All of the products we use will in one way or another talk to Active Directory for authentication and authorization.”

Once VGR sets up a centralized directory, it can begin to consolidate its workstations and server computers to a common environment, which will further boost data sharing. Although the decision has not yet been finalized, VGR expects that it will initially standardize on the Windows XP operating system for client systems and then, in 2008, migrate to the Windows Vista® operating system. Discussions are ongoing, but VGR anticipates that it will standardize most of its infrastructure server computers on Windows Server 2008.

Reduces Costs

The new directory and domain infrastructure will also make it possible for VGR to reduce hardware, license, and personnel costs. “By migrating our domain controllers to Windows Server 2008, we’ll consolidate 100 domain controllers down to six,” Dehlin says. “This will save us a lot of money because we won’t have to buy 100 or more server computers, plus operating system licenses for those servers every three years.”

By reducing the number of domain controllers, VGR can also reorganize its IT staff to increase productivity. “We have about 25 domain administrators right now,” notes Dehlin. “After we fully implement our domain controllers on Windows Server 2008, we will only need four domain administrators.”

VGR also expects to realize cost savings as a result of its simplified IT environment. “With Windows Server 2008, we expect that the number of incidents and change orders will go down,” Dehlin explains. “Also, by maintaining a single IT environment, we won’t have to hire so many people to support disparate technologies.”

Boosts Security

Windows Server 2008 provides for greater levels of security than previous editions. “Windows Server 2008 and Active Directory are extremely secure, and we feel very comfortable with both technologies,” Dehlin notes. “But we also know that the biggest security threats come from people and processes. As we migrate old domains to a new domain, we expect to find new and better ways to set things up. So the migration process will also be a permission clean-up process.”

Dehlin continues by explaining another key security improvement. “Before we implemented Windows Server 2008, it was challenging to meet our security guidelines because we didn’t have the right technology. Now, with Windows Server 2008 we can create separate password policies in a single domain by using the fine-grained password policies feature.”

Increases Productivity

Creating a more cohesive IT environment will help administrators to deploy applications more quickly and for less money. In turn, employees will be able to access the information and resources they need more quickly because they won’t have to wait so long for permissions or workarounds for accessing information. In addition, building domain controllers on 64-bit server and operating system technologies accelerates system response times.

The new domain controllers will also require less attention. Not only are there 94 fewer than before, but the new Server Core installation option also simplifies administrative processes. “Server Core is the best new feature in Windows Server 2008,” says Dehlin. “By setting up the domain controllers to run only the Server Core, we have fewer patches to apply, and fewer things can go wrong.”

Allows for Specialization

Consolidating seven IT architectures into one will result in an unexpected benefit: specialization. Previously, many of the IT departments within VGR were fairly small. The IT personnel in these environments had to manage all of the hardware and software components in their particular architecture.

“Every technician had to be able to work on everything,” explains Dehlin. “They had to know about the storage area network, the client, the applications, and the domain. Because of this, people could never really gain a specialized knowledge about any one technology, although they did know a lot about many different things. With the new consolidated Windows Server 2008 environment, our IT personnel can work in one or two areas of the infrastructure and gain a deeper knowledge and increased competency in specific technologies. This will allow our IT organization to provide the best possible service levels to our customers.”

Windows Server 2008

Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized data center. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell™ allow you to have more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and protect your server environment to ensure you have a solid foundation on which to build your business.

For more information, go to:
www.microsoft.com/windowsserver2008

Document published January 2008
Solution Overview



Organization Size: 50000 employees

Organization Profile

The regional authority in Västra Götalandsregionen (VGR) in Sweden provides various services to 1.6 million residents. In 2007, the VGR operating budget was SEK39 billion (U.S.$6 billion).


Business Situation

Hospitals and other entities within VGR had stand-alone IT architectures that did not allow for efficient or secure data sharing. This inhibited productivity and spurred unnecessary costs.


Solution

VGR created a single access point to its disparate IT resources by consolidating 15 directories into one running on Active Directory® in the Windows Server® 2008 operating system.


Benefits
  • Facilitates data sharing and collaboration
  • Reduces costs
  • Boosts security
  • Increases productivity
  • Allows for specialization

Hardware

Dell PowerEdge 2950 server computers


Software and Services
  • Windows Server 2008
  • Microsoft Active Directory Domain Services

Vertical Industries
Government Agencies By Purpose

Country/Region
Sweden