Overview

This documentation contains the technical product description for the Swisscom Windows service. Contract-relevant information can be found in the respective customer contract and the service description.

Managed OS comprises the operation of a server operating system by Swisscom as a service provider. The table shows an overview of the most important functions:

FunctionsSwisscom Windows Service
SLA on the OSX
MonitoringX
AlarmingSwisscom
TroubleshootingSwisscom
Malware ProtectionX
PatchingX
ReportingX
Lifecycle (Swisscom Agents and Tools)X

On a Swisscom Windows VM, only Swisscom has administration or root authorization on the server. The flag SeDenyRemoteInteractiveLogonRight is set for Windows service accounts.

RightsSwisscom Windows Service
Administration rights on the serverSwisscom

The application of temporary administration rights by the customer is possible, but leads to the suspension of the SLA.

Prerequisites and general conditions

The supported operating systems and versions as well as the other prerequisites for the purchase of the two product versions are described in this chapter

  • A operating system certified accordingly by Swisscom. An operating system is certified by means of compliance checks, which are an integral part of the requirements.
  • The virtual machine must be based on an Swisscom Enterprise Service Cloud Blueprint

Supported operating systems and versions

The Swisscom Windows Service can be ordered for the following operating systems and versions:

Operating systems Microsoft Windows:

  • Microsoft Windows 2019
  • Microsoft Windows 2022

Requirements

To obtain Swisscom Windows Service, the following requirements must be met, among others:

  • No applications may be installed on drive C:.
  • Service accounts must not be in the local administrator group.
  • The local user account Administrator (SID: S-1-5-21Domain-500) will switch to the responsibility of Swisscom.
  • The password for the User Administrator will be changed.
  • The server must have run through the Swisscom ESC staging process and provisioned with a Swisscom Windows blueprint.
  • No customer-specific malware protection solution (agent) must be installed on the server.
  • The operating system must not be connected to a customer-specific patching solution.
  • The server must not be a domain controller server or installed any other domain services.
  • No customer configuration agent (Puppet, SCCM, LANdesk, etc.) may be installed or configured on the server.
  • The current VMware Tools must be installed on the server.
  • The server must be "hardened" according to Swisscom specifications.
  • The compliance check must be successfully completed. If one of the tests fails, Swisscom Windows Service cannot be offered. The customer is informed and can resolve the problems or apply to Swisscom for an exception. This can either be approved or rejected.

Note: Detailed technical details on the requirements can be found in the compliance checks section

Compliance Check Exception

A successful compliance check is prerequisite for using Swisscom Windows. If one of the tests fails, Swisscom Windows Service cannot be offered. The customer is informed and can resolve (recommended solution) the issue or apply to Swisscom for an exception. This can either be approved or rejected. The approval needs to be requested via ESC Service Requestopen in new window.

Active Directory Resource Domain

Each Swisscom Windows VM is member of a Active Directory Resource Domain owned and managed by Swisscom. For each customer at least one resource domain is built into which a Swisscom Windows VM is added. The Active Directory Resource Domain belongs to Swisscom in any case and cannot be reclaimed by the customer without the resource domain being deleted.

Between the customer domain and the resource domain there is a one-way trust. This means the resource domain trusts the customer domain. This also ensures that Swisscom employees cannot see or have access to objects in the customer domain.

Access to objects in the resource domain is controlled by delegations (View & Edit). This ensures that only the objects that are necessary for the customer are visible from the customer domain.

Last Updated: