Customer Solution Case Study
Bank Tightens Branch-Server Security, Simplifies Management with New Software
Overview
Country or Region: Turkey
Industry: Financial services—Banking
Customer Profile
VakifBank provides a range of financial products and services to Turkish government employees and the public through a network of 570 branches.
Business Situation
VakifBank wanted to better secure remote domain controllers in branch offices. Without more manageable, secure branch servers, the bank did not feel confident rolling out new applications and services.
Solution
VakifBank upgraded its 160 domain controllers to Windows Server 2008 R2 Enterprise and used the read-only domain controller feature to help simplify management and eliminate unauthorized access to sensitive information.
Benefits
- Enhanced security of bank network
- Easier management of remote servers
- Foundation for new services
IT managers at VakifBank, one of Turkey’s leading banks, worried about the vulnerability of the domain controllers located at the bank’s 570 branch offices. VakifBank also spent significant manual effort resolving replication problems between its branch offices and headquarters. To better secure its domain controllers and address replication issues, VakifBank began upgrading its servers to the Windows Server 2008 R2 operating system, taking advantage of the read-only domain controller feature. At the same time, VakifBank deployed Microsoft System Center Configuration Manager 2007 to simplify software deployment to remote computers. VakifBank has enhanced the security of its remote domain controllers and reduced the work required to manage them, while laying the foundation for deploying new applications that will make employees more productive and the bank more competitive.
Situation
VakifBank, founded in 1954, is a state-owned bank that pays most Turkish government employees’ salaries and pensions; it is also one of the leading commercial banks in Turkey, providing products and services for corporate, commercial, small business, retail, and private banking customers. VakifBank has more than 570 branch offices across Turkey, 2,100 automated teller machines, 87,581 credit-card processing devices in retail stores, and nearly 10,000 employees.
The bank’s core banking applications run on a mainframe in its Ankara data center. Its 10,000 employees, most of whom work in remote branch offices, reach these mainframe programs by using terminal emulation programs over a wide area network (WAN). Employees authenticated to the mainframe by using Active Directory credentials that were managed by a network of 158 domain controllers based on the Windows Server 2003 operating system—8 in the Ankara data center and 150 in branch offices around Turkey. Smaller branches without domain controllers authenticated through the nearest domain controller. The bank used File Replication Service, a feature of Active Directory that keeps files synchronized on multiple servers, to keep computer files up-to-date as they passed back and forth between mainframe and branch-office employee computers.
VakifBank was concerned about the potential for security breaches in its decentralized domain controller environment. If one of these remote domain controllers was compromised or stolen, all 10,000 employee accounts would be at risk. For a financial institution, this was a big concern. “If someone removed one of these servers, they would have access to every account in our network,” says Ferdi Yelbaşi, Manager of the IT Department at VakifBank. Also, whenever a branch domain controller had to be swapped out because of faulty hardware, service technicians required access to the administrator password, which also presented security risks.
In addition to security concerns, the VakifBank IT staff spent excessive time managing remote computers and dealing with replication problems between the remote domain controllers and domain controllers in the Ankara headquarters. “We were experiencing intermittent network failures related to file replication, and we had to correct these replication issues manually, which took at least a half-hour every day,” says Erol Doğan, Microsoft-Based Server Technical Deputy Director at VakifBank.
Until the bank felt that its branch-office servers were secure and more manageable, it did not feel comfortable expanding service delivery across those servers.
Solution
In late 2009, VakifBank began upgrading approximately 400 servers to Windows Server 2008 R2. These servers run a variety of business applications, including Microsoft Exchange Server 2007 email messaging and collaboration software, Microsoft SQL Server 2008 data management software, and Microsoft Office Communications Server 2007.
The bank realized that it could take advantage of enhanced security features in Windows Server 2008 R2 to resolve its branch-office domain controller concerns. Specifically, VakifBank liked the read-only domain controller (RODC) technology in Windows Server 2008 R2. An RODC is a specialized Server Core installation of Windows Server 2008 that hosts read-only partitions of the Active Directory Domain Services database. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services.
In February 2010, VakifBank upgraded all 158 domain controllers to Windows Server 2008 R2 Enterprise. The upgrade took just one month and was accomplished with the assistance of local Microsoft Services consultants. Microsoft Services consultants helped with the planning phase of the project and provided the overall domain design and migration planning.
With RODCs in the branches, VakifBank now has far better security of its Active Directory infrastructure. Only the passwords for a specific branch are cached on the branch domain controller. In the event that a domain controller is compromised, only the passwords for that branch would be at risk and need to be changed.
Windows Server 2008 R2 also features an improved data replication technology called Distributed File System Replication (DFSR), which helped solve the networking issues that had caused domain replication problems. DFSR only replicates changed data bits, thereby dramatically reducing network traffic.
Additionally, VakifBank used the more powerful Group Policy settings in Windows Server 2008 R2 to help improve end-user security. Together with the DFSR functionality, the Group Policy enhancements helped to eliminate the replication problems.
At the same time that VakifBank upgraded its domain controllers to Windows Server 2008 R2, it installed Microsoft System Center Configuration Manager 2007 on Ankara and branch-office servers. The IT staff uses System Center Configuration Manager to automate deployment of all software programs and security updates to remote servers and to gather software inventory data. VakifBank will also use System Center Configuration Manager to deploy the Windows 7 operating system to its 10,000 desktop computers later in 2010. The bank plans to take advantage of the BranchCache feature in Windows 7 to locally cache frequently used content on a branch-office server so that the information can be accessed much faster.
“With the improved networking capabilities of Windows Server 2008 R2 and Windows 7, the speed of transmitting data across our WAN link will increase considerably,” Doğan says. “Using technologies such as the BranchCache feature in Windows 7 and DFSR replication, branch employees will benefit from a better file-server experience and resilience against network problems.”
Benefits
By upgrading its branch-office domain controllers to Windows Server 2008 R2 and installing System Center Configuration Manager, VakifBank has enhanced the security of its computer network, simplified management of remote servers, and provided a sound foundation for future services.
Enhanced Security of Bank Network
By taking advantage of RODC technology in Windows Server 2008 R2, VakifBank was able to tighten the security of its branch domain controllers and thereby better safeguard its financial applications and confidential customer data. “We feel that our network is much more secure running Windows Server 2008 R2,” Yelbaşi says. “Branch-office server security is critical to protecting financial data.”
Easier Management of Remote Servers
Having branch domain controllers configured as RODCs also makes it easier for VakifBank to manage its remote infrastructure. “Now, if anything happens to a local domain controller, we only have to reset the passwords on that one server,” Doğan says.
Also, with the remote replication issues resolved, there is less corrective action needed to keep replication operational. By using DFSR and the new Group Policy features in Windows Server 2008 R2, the IT staff can centrally manage remote servers and user desktops in a more automated fashion.
Foundation for New Services
Upgrading its domain infrastructure to Windows Server 2008 R2 was the first step toward providing new and improved services that make employees more productive and ultimately enable VakifBank to deploy new banking services. “We cannot expand our applications unless our branch-office infrastructure is secure,” Yelbaşi says. “It’s the foundation for everything. Now, we can offer branch employees faster performance of existing applications and start to deliver new applications, such as Windows 7, that will improve their productivity and our competitiveness.”
Microsoft Infrastructure Optimization
With infrastructure optimization, you can build a secure, well-managed, and dynamic core IT infrastructure that can reduce overall IT costs, make better use of resources, and become a strategic asset for the business. The Infrastructure Optimization model—with basic, standardized, rationalized, and dynamic levels—was developed by Microsoft using industry best practices and Microsoft’s own experiences with enterprise customers. The Infrastructure Optimization model provides a maturity framework that is flexible and easily used as a benchmark for technical capability and business value.
For more information about Microsoft infrastructure optimization, go to: