Automating Enterprise Security in a Small School District
- By Dian Schaffhauser
Brad Huffaker isn't just the lone IT person at North Conejos School District in Southern Colorado. He also drives a school bus and directs the vocational program. The father of four also runs a ranch with 400 head of cattle and 75 quarterhorses. So he doesn't have much time or energy for shuttling between schools to provide support and updates for the 550 PCs in the 1,200-student district.
About four years ago, Huffaker told the school board that either it was time to add another IT person to the bench or automate operations. Making sure that all of those systems had the latest patches, software, and security settings was becoming impossible to keep up with. "We were running into problems with imaging, with being able to help students and teachers, problems with viruses, problems with Windows updates not being done," he recalled. Since hiring another person was about three times the expense of automation, the district chose automation.
Hunting for an Automation Answer
North Conejos, in La Jara, consists of seven buildings: two elementary schools, one middle school, one high school, an adult education center, a bus garage, and the administrative offices. The two elementary schools are about seven miles apart, which requires a lot of shuttling among locations to provide technical support for users.
After evaluating Novell Zenworks ("a good product, but you need a couple of servers") and Altiris (which is "really extensive but costs a lot"), Huffaker called Kaseya, which appeared to offer a Swiss Army knife approach to computer management. "Everything you could want was integrated into one interface, and I could roll out the whole thing with one server," he said.
But Kaseya initially tried to talk him out of the purchase. At that time, they were selling the solution strictly to managed service providers to help them manage their clients' infrastructures. "They said, 'No, we don't sell to enterprise customers,'" Huffaker said, laughing. "Now three and a half years later, they have a whole enterprise side of their business, which is what we're a part of."
Huffaker bought the IT Department Edition. That includes functionality for patch management, remote control, network policy enforcement, hardware and software inventory and audits, software deployment and system management, system and performance monitoring, and alerts, Windows event monitoring, help desk and trouble ticketing, and reporting. He also has add-on modules for backup and disaster recovery and user state management.
In fact, the only module he has declined to buy from the company is the endpoint security, which provides anti-virus, anti-spyware, and rootkit protection using software licensed from AVG. For those functions, he said, he prefers Sophos because the company's enterprise license allows the software to be run on staff home computers as well as the district computers. But running updates of Sophos is done through Kaseya.
How Kaseya Operates
The Kaseya software allows the administrator to manage the entire computing infrastructure through one web-based console. The Kaseya Server, the central component of the framework, issues schedule-based instructions to Kaseya agents, which reside on network devices. All communication to the server is initiated by that agent, which provides a level of security that prevents a third-party application from attacking the agent from the network. The server uses Microsoft Internet Information Services version 5.0 or higher to host the administrative console. The endpoints to be managed can be running Vista, XP, or a Mac OS. The district uses Windows 2003 Server Active Directory and Group Policies to manage users on the network and to deploy the Kaseya agents, but the company said that's not the only way to deploy the agents.
Huffaker interacts with the Kaseya software on a daily basis. "It's always open in my browser," he said. His most frequent activities are performing a remote control operation on some machine in the district or recovering files that were deleted accidentally. "That's probably the biggest thing I do," he said. "Just grab a machine and explain to a teacher what I'm doing. Teachers will delete a file accidentally off the server, and we go in and recover it." Backup and recovery operations can be granular or performed on the whole image of a computer.
When a teacher has a problem, he or she communicates with Huffaker through an instant messaging system the district runs. Kaseya includes a service ticket module, but he doesn't use that. "That's what's cool about Kaseya," he pointed out. "You don't have to use this stuff. You don't have to use their anti-virus or their IM. It works with what you already have."
To gain access to computers through the network for updates, Huffaker tells teachers to leave their machines on during the week. "I know a lot of other districts are greener than we are," he admitted. "We have too much of a hodgepodge of hardware to do that." If a machine isn't accessible on the network, he doesn't stress about the update. He knows it'll be done the next time the computer is turned on.
This fall the computer count will grow to about 700 machines when the district deploys laptop carts at each of the five schools, each with 30 new notebook PCs running Windows Vista Business. With those new machines Huffaker said he expects to use power settings to wake up the machines on the cart for updates and then turn them back off once the updates are done.
Although Kaseya includes a repository of prewritten scripts to automate a number of services, it also provides the ability for the administrator to write a script. Huffaker acknowledged that he isn't a "script person," so he uses a packager utility with the software. "Say you want to write a script to install a printer in a lab," he said. "The packager takes a snapshot of the Windows Registry before you do anything to the machine. Then you install the printer on one machine. Then you take a snapshot of the Registry again, and it builds you an install package, which you can then push out to all the other clients." As long as all of the machines are running the same operating system, it doesn't matter if the registries are the same, he explained. "It only adds that chunk to the registry. It doesn't replace the whole registry."
Kaseya has a K-12 pricing plan, which is based on the number of machines managed. According to the company, it's common for a district with 1,000 machines to pay between $5,000 and $25,000 each year for Kaseya, depending on what configuration of services it needs. To keep the Kaseya licenses current in his district, Huffaker said it pays 20 percent of the original cost of the software as an annual maintenance and update fee. The company said most districts prefer to use the annual purchase option that has a set recurring annual fee. It is also part of the PEPPM Technology Bidding and Purchasing Program, a competitive-bid purchasing service that schools can use to buy the software.
North Conejos has about 900 licenses. If he needs to pull the software off of one machine and put it on another, the license can be moved to the new machine.
Relaxing on the Job
During the summer is when a lot of school district IT people have to hustle to finish implementing new technologies before the school year starts.
He sounds downright relaxed when he describes his job. "I do 10 million things in a day," he said. "But at the same time, I can't imagine doing this job without Kaseya. My machines do so much remote control. I don't have drive time. By not going there [in person], I don't have to deal with the other 14 problems the customer forgot to mention to me. You go in and fix the problem, and you're out."