Projects
Security and Monitoring
Some Examples:
2 Factor Authentication via RDP
Situation: IT admins need to log in to Microsoft servers via RDP for system administration. The servers are all accessible via the Internet with a public IP address. The event log shows that numerous hacker attacks are taking place on the servers.
Goal: For more security, the registration must be made more difficult in the future and the risk of hacker attacks must be minimized. The RDP port or the RDP registration must therefore be secured.
Realization / Solution: First, it was ensured that the servers had not yet been successfully subjected to a hacker attack. Here, among other things, the installed F-Secure security solution has already prevented worse.
In order to quickly implement enhanced security, the following 3 measures were taken:
- The port for the RDP login has been changed
- The Windows firewall was configured in such a way that RDP access is only possible from certain IP address ranges.
- A two-factor authentication (short: 2FA) was set up for the customer and installed and activated on the affected servers. This means that logging in via RDP is only possible with an extended security solution. From now on, the system employees need their respective registered smartphones (Android and IOS) in order to be able to log on to the servers.
As a partner of the company DUO, we as 3e were able to implement this solution within a few hours.
How does this work?
- Enter user name and password as usual
- Confirm identity using your smartphone
- Securely logged on
In the last phase, login security was further increased by implementing a security gateway. The advantage of such a gateway is that the servers can only be accessed by the system administrators via this gateway and the public RDP port on the servers is completely blocked from the outside. The security gateway itself is not directly accessible from the outside (Internet) and together with the 2FA solution, security has been increased by another factor.
E-Mail-Encryption + Confidentiality
Situation: E-mails sent between customer and supplier must be encrypted and a “confidentiality definition” must be specified.
Realization / Solution: As a Microsoft partner, a cloud-based SaaS solution using MS Office 365 and corresponding S/MIME Class3 company certificates could be implemented quickly and successfully. MS Office 365 is able to customize the confidentiality information.
Here’s an example:
The integration of S/MIME certificates with our Partner Sectigo was also implemented in no time at all, making encrypted communication possible. See also our blog entry: Sicherere E-Mail-Verschlüsselung mit S/MIME-Zertifikaten
Supervised process control part 1
Situation: How can automated processes and service events for an application be monitored and identified and rectified in the event of malfunctions?
Requirement:
- Application services must be monitored and an alarm must be generated in the event of a failure.
- Data transfer (SFTP) must be monitored, including whether files are delivered in the correct order.
- L1 Support must be informed immediately and automatically.
- The status of the monitored application services must be easily visible via a web front end.
- An alarm must be triggered in the event of a fault
Available tools:
- Quest Change Auditor for File Servers
- Quest Intrust for Windows
- Cacti web front end
- SMTP server for emails
- Windows services and scheduler for the necessary data collection
- BMC Control-M Scheduling for Windows
Situation 1:
error situation:
- A database application in finance requires external Windows systems and Windows services for various calculations.
- A calculation generates an error and writes this in a corresponding error file. However, the Windows service is still active and is waiting for a response from the DB.
- A restart of the Windows service is absolutely necessary so that the calculation can be resumed and successfully completed.
Analysis:
- The error file is recognized and evaluated via Quest Intrust monitoring.
- An automated and detailed error message follows immediately, which is sent by email to the L1 Support Team.
Troubleshooting:
The L1 support team can analyze the error and fix it in the database, but the Windows service must be restarted for further calculations. Here, the L1 support team first checks the status of the service via the web front end and restarts the corresponding Windows service.
The calculation can now be continued by restarting the corresponding job via the Control-M controller.
Supervised process control part 1
Situation 2:
- Various files are to be sent via an SFTP server.
- There is a dependency on the order of the files to be sent.
- Only automatically generated files may be sent.
- The file names are always unique and have a consecutive number.
- In the event that a requirement is not met, an alarm must be generated automatically.
- The process is triggered via the Control-M controller and the first two files (01 + 02) have already been successfully transferred.
- A process interruption occurs, the automated process stops and a warning is generated
Analysis:
- L1 Support Team receives an automated e-mail via the Control-M controller with the information that the further scheduling process has been aborted.
- The analysis shows that there is a “wrong” file in the transfer files directory, in this case again or still the first file:
- The L2 support team is commissioned for further analysis
The L2 support team can determine that the first two files (01+02) have been transferred successfully, but cannot see why the first file is still in the transfer directory.
The L3 support team can quickly analyze and find out that a user has access to the directory and the file was manually placed there using Quest’s “Change Auditor for Windows FileServer” software: - Setup search:
Find result:
Troubleshooting:
- L3 Support manually deletes the file from the directory
- L1 Support restarts the process via Control-M
Lessons Learned:
- Write access must be revoked for all users on this directory.
- The customized NTFS permissions are created using a script-based solution using icacls and executed in production via L2 support. This now ensures that files can only be written by a technical service account.
is Partner of and we use the Quest Intrust and Quest Change Auditor tools for Windows/LINUX/UNIX/ORACLE monitoring, among others.
Projects
Solutions for indoor and outdoor service
Here are some successfully completed major customer projects:
Internet Connection
Situation:
Internal and external service requires secure and highly available access to internal and customer data, from any location.
Task:
For the field service, a fail-safe access to the data must be ensured in two independent data centers. Ensure that unauthorized access is excluded.
Implementation / Solution:
This was a project with various hardware manufacturers. Due to the high availability requirement and disaster recovery planning, the Internet portal is being built in two independent data centers. This ensures access to the data stock even in the event of complete destruction of a data center. For data access via the Internet, A redundant multi-level firewall is installed by two different hardware manufacturers. The portal itself is implemented via fail-safe IBM® servers with WebSphere® and NetCache® servers from Network Appliance®. In addition, the portal is divided into different VLANs and the access is secured via SSL certificate servers. A NAS-Filer system from Network Appliance® is used for data storage. This system is particularly suitable for the data matching of the two data centers, which is ensured by Mirorring. Sun® servers are used for virus scanning, mailgateway and management servers. The employees in the connected company network get access to the portal via the multi-layered DMZs. The project will be handed over successfully to the customer after several months. Monitoring is provided by an external service provider.
Hard- und Software Evaluation
Situation:
Purchase of new hardware for internal and external service (desktop PCs and notebooks) with automated software installation for Microsoft® operating system and various application servers. The hardware and software is to be updated throughout Germany.
Task:
A standardized solution is to be found to enable a group-specific software distribution with the help of an automated installation (unattended installation).
Implementation / Solution:
At the beginning of the project, the individual software or hardware requirements are divided into subprojects. The largest share is attributable to software distribution. For the automated operating system installation, start-up media are created for the different groups. Thus, PCs, servers and notebooks can be installed automatically by means of a few, targeted specifications. No so-called cloning is performed. The setup routines and scripts are stored highly available on different master servers. The necessary application software packages are assigned to the respective installation groups so that each installation group conforms to a uniform installation standard. To this extent, the software packages (eg Microsoft® Office, Adobe® Reader) are developed as MSI packages with corresponding MST files. If necessary, self-developed tools are used in scripts or common basic programming languages and are packaged as a package. Documentation and version management are an integral part of the project. The project will be handed over successfully to the customer after several months.
Printing and Copying environment
Situation:
A large insurance company finds that the printing and copying environment is very hetrogenic and wants to standardize the environment.
Task:
Analysis of the printing and copying environment and conception of a re-design with proof of the savings potential.
Implementation / Solution:
At the beginning of the project the actual state is examined. The printing and copying environment is subjected to a quantitative, a qualitative as well as a spatial analysis. The number of existing printers, copiers and multifunction devices as well as consumable materials with corresponding consumption are recorded. The functionality of the existing devices is described in a matrix and assigned to the company-wide premises. A target state with different output stages is defined and the information of the existing print and copying environment is compared with the solution variants. By means of this procedure, it is possible to determine the respective savings potential of the solution variants. It can be seen that, with a moderate reorganization of the printing and copying environment, the highest savings potential can be realized. In the preferred variant, the savings in the acquisition and consumption costs of the printing and reproducing solution are not consumed by the longer travel times of the employees.
IT-Architecture Prozess Control
Situation:
An investment company would like to introduce a new investment management solution with improved functionality.
Task:
Design and commissioning of the IT infrastructure solution with batch and monitoring solution, design and implementation of data transfers as well as development of application interfaces.
Implementation / Solution:
The program is divided into various projects and subprojects by the customer. The management of the IT infrastructure project is transferred to the vendor. The IT infrastructure project includes the design and implementation of the three-tiered IT environment, consisting of test, delivery and production environments. The front-end components are displayed on a Microsoft Windows® platform, the backend components are mapped on a UNIX® platform. The front-end environment includes, in addition to the regular domain and data security components, file transfer and computer services as well as a Citrix® Presentation Server-supported access solution. The accesses to the application are from Europe, America and Asia. In addition, a cross-platform monitoring solution is developed and made available. The backend environment is used for data storage. An Oracle® database solution under AIX® is implemented by a partner of the customer. Since the process processing of the application mainly takes place by means of batch runs, programs for batch control and interfaces are developed and provided for an enterprise scheduling solution. For the in- and output of the application, secure transfer facilities are required, which are realized on the basis of SFTP and IBM Websphere MQ®. In addition, interfaces for Swift® data transfers are developed and installed as well as the market data supply is implemented. After the implementation phase, the infrastructure project is successfully transferred to the plant. The operating manual is handed over to the customer’s outsourcing partner. The operation of the test and development environment as well as the technical 3rd level support are still operated by the supplier.
Projects
IT architecture, high availability and file transfer
Some Examples:
FTP-Cluster
Situation:
The sales representatives of an asset advisory need online access to business data.
Task:
Design and implementation of a high-availability access to data and data transmission via an FTP server. Access should only be allowed to specific IP addresses.
Implementation / Solution:
Two IBM® servers with DAS hard disk systems and hardware RAID are configured and implemented. As a software solution, a Microsoft® Internet Information Server is used as this software solution can be used to implement an IP address restriction in cluster mode. High availability is ensured by means of the cluster software EMC Autostart. With this hardware / software solution, the virtual IP address range of a cluster node can be transferred from a physical server to the second cluster partner.
Microsoft Cluster Solution
Situation:
For extensive applications and databases, a fail-safe hardware and software solution is sought.
Task:
The corresponding operating environment must be designed. The hardware and software implementation must be carried out in close customer contact with corresponding instructions.
Implementation / Solution:
IBM® server systems with hardware RAID and EMC® hard disk systems are used. Our employees implement the complete hardware and prepare the installations systematically, paying particular attention to the redundant fiber channel connection for the EMC® board subsystem. The disk system itself was also redundantly installed and configured according to the MSCS Guidelines. A Microsoft® Cluster (MSCS) with Microsoft® SQL Server is implemented as a software solution. Our staff installs and configures Microsoft® Clustering software and SQL Server software. The pilot phase was completed after a successful test, taken from the customer and taken over to production.
Windows-Domain with Messaging Solution
Situation:
A start-up company needs an IT infrastructure that optimally supports the company’s purpose in an economically viable manner.
Task:
Create a Microsoft® Windows domain with appropriate backoffice and messaging capabilities. The appropriate hardware and software environment is to be designed and implemented.
Implementation / Solution:
An IT infrastructure adapted to the small business is developed and the corresponding hardware and software implemented. Two Compaq® ProLiant® Servers with tape backup capability and 14 workstations are selected as hardware. As a network component, a router of Cisco® and switches from 3Com® are provided. The servers are installed as global and secondary domain controllers. The role as backup server is also transferred to the first domain controller, the role as backoffice and messaging server are transferred to the second domain controller. The workstations are provided with the corresponding client components for the mail and database servers. The overall concept includes a data backup and security solution for clients and servers. Prior to commissioning the solution, training units are held for the customer’s IT manager. After successful transfer, the solution provider is available as 2nd level support.
Tape Backup Solution
Situation:
Continued data growth in the branches of a banking group will require a new backup solution with appropriate hardware.
Task:
Cross-country migration of the new data protection hardware with update of the backup solution and verification of the successful initial backup.
Implementation / Solution:
At the beginning of the project a project organization with representatives of the customer, the suppliers and the subcontractors is established. The individual countries and regions are allocated to different IT service providers due to the volume of the service to be provided. The project is being implemented in Italy, Spain and Germany, with Germany being again divided into the regions North, South and East. The overall coordination of the regions and dates is with the project manager of the supplier, whereby the deadlines come from the customer. Due to the increased data volume, it is necessary to convert the data backup solution of the branches from single drives to tape libraries (DDS3). The data backup solution is also migrated to TSM® (ADSM) as a result of the replacement of the backup infrastructure. The responsible technicians are prepared for the task by means of training measures and receive work instructions with integrative quality checks. The successful initial insurance between customers and suppliers is agreed as acceptance criteria. The respective initial insurances are reported and accepted daily to the project office. The project period covers four months and 3200 individual drives are replaced by tape libraries.
is
and we are happy to support you with your Microsoft projects.
On-Prem-, Hybrid- oder Cloud Solutions.