Managing Vista security requires IT effort
- 26 February, 2008 10:53
Jeff Dimock, vice president of Microsoft solutions at the IT consultancy Dimension Data Americas, expects IT organizations will like Windows Vista's tighter security. That's true even though it requires a change in both user behavior (to acknowledge the User Account Control, or UAC warnings when installing potentially harmful applications), and an update in applications (to run in user mode rather than administrator mode). "It's a lot more robust security model, but it does come at a price," he says.
The good news is that IT can control the new security model to some extent, so they can choose how much of a price is paid for that extra security.
Working with -- or around -- UAC
With Vista now installed on all 80 PCs, Collegiate Housing Services, a college facilities management firm, has seen a marked decrease in spyware and adware infections, says IT Director Sumeeth Evans. "Before Vista, we got one every other month. In the year since we deployed Vista, we've had none," he says. "We no longer need to use Spybot or Ad-Aware." He credits Vista's User Account Control feature, which makes users approve every potential installation of software, whether from applications or Web pages. "UAC tells the user what's going to happen before they do it," he observes.
Although some people have complained that UAC is overzealous and desensitizes users to threats by its constant "are you sure?" messages, Evans says Collegiate Housing countered that behavior through "social education," conveying that clicking OK by default was not the right response.
Still, he knows that not everyone responds in that desired way. "I'm sure some users do turn it off -- I do that, since sometimes it can be an annoyance. Microsoft did go a bit overboard," Evans says. That's why he is looking for a tool that would automatically approve known applications, so users only get challenged on unusual activity. A few such tools already exist, such as BeyondTrust's Privilege Manager 3.5.
At capacitor manufacturer Kemet, Global Infrastructure Manager Jeff Padgett has disabled the User Account Control security system. UAC is too invasive, he notes, making users confirm any suspicious activity before allowing it, which annoyed users and caused many to click OK without reading the warnings. Rather than use UAC, Padgett will continue to use Trend Micro's anti-malware software to protect the PCs. "While UAC would protect against rogue administrator-privileged apps, we couldn't afford to handle the user support [requests it would cause]," he says.
Padgett says UAC makes sense in a tightly controlled network environment, where most risks are filtered out before they get to the user, but that's not a realistic state for his network, as it connects to supplier and customer networks beyond Kemet's control.
Reworking custom apps' permissions
Although many people have complained that Vista's new security model breaks apps designed to run in administrator mode -- not in user mode as Microsoft has been urging since 1999 -- this has not caused much of a problem at Kemet. The reason, Padgett says, is that he had already reworked homegrown programs to run in user mode. Today, only five of 50 .Net and FoxPro database applications in use have problems with the new security model, and he expects to have those externally developed apps fixed shortly. Padgett's team has also migrated from Visual Studio 2003 to the 2005 edition, which natively supports the Vista security model.
The issues that some users have had with the new security model didn't apply to a medical setting because his IT group had already locked down the PCs in a way similar to what Vista does by default. "We never gave users full access to the PC [administrator privileges], so they're not seeing a change" in what applications they can run from user mode, he notes.
IT can elevate certain apps so UAC gives them more leeway before issuing warnings. But the long-term solution is to modify custom apps to support the Vista security model and insist that your vendors do the same, says Kemet's Padgett.
BitLockerencryption lacks flexibility
Another Vista security feature has also caused some problems, notes Gary Wilhelm, the business and systems financial manager (a combination of CTO and CFO) at Englewood Hospital Medical Center in New Jersey.
That feature is the BitLocker encryption capability. It is an all-or-nothing tool, encrypting the entire disk or nothing, which caused some access issues on PCs that are used by multiple people with separate user accounts. It also encrypts only the C drive, even though the hospital uses a separate D partition for data, distinct from application and system files. Wilhelm hopes that Microsoft will change BitLocker so it can encrypt just specific files or folders, as some third-party encryption tools already do, and support encryption across multiple volumes.
At the Milwaukee YMCA, IT Director David Fritzke ran into a surprising issue with BitLocker: Users turned this feature on to protect data if their laptops were lost or stolen, but when they left the YMCA's employment, IT discovered it couldn't read the backed-up files from their laptops. BitLocker requires that the data be opened on the actual computer where it was encrypted, even with administrator privileges.
Fritzke's team now uses an awkward workaround: If they need access to a former employees' files, they take back that employee's laptop from its current owner, copy the files to it, decrypt them with BitLocker, and then give back the laptop when done. Fritzke is hoping that Microsoft or a third party will provide a way for IT to open these files when backed up, so he can end this workaround.
The Vista deployment guide: