
Monday, November 7, 2011

A Window on Admin Right Dangers

- Paul Kenyon, chief operating officer at Avecto (www.avecto.com), says:

Microsoft Windows is loved, not just by consumers, but by businesses too. The vast number of organisations that are either actively, or planning to, roll out Windows 7 is testament to this. The fact is it costs money when an organisation upgrades – both in time, compatibility testing, initial loss of productivity and re-training. If Windows wasn’t so good companies would hardly bother.

However, there is a real danger that these ‘windows’ into the workplace create and, unfortunately, far too many aren’t being sealed shut.

Security
This is the one big area where I have a problem with Microsoft. It has a very loyal customer base, especially in the corporate community, yet it leaves them exposed to security threats.

There will be some who argue that Microsoft takes security very seriously – Microsoft itself for one. Indeed, the recent enhancements that have been touted in the developer edition of Windows 8 substantiate that it continues to make improvements in its security.

However, from what we have seen, Microsoft’s approach to dealing with least privilege is far from adequate.

Instead of sealing this major vulnerability for organisations, it actually gives admin rights to every single user with UAC (User Account Control). For those not familiar with UAC, here is how it works:

  • When a user tries to do something that requires elevated rights, UAC prompts them to confirm that they want to perform the task and asks for a password. The user’s own password will not work if he does not have admin rights - which often results in helpdesk calls, at a cost to the business for both the IT team to field the calls and the users in lost productivity.
  • If a user knows an administrator password then they could use it to ‘approve’ future tasks – whatever they may be. This also introduces issues in terms of compliance as well as security.

In an effort to limit these prompts, and therefore help desk calls, Microsoft introduced a sliding scale to Windows 7 (and for those interested this remains unchanged in Windows 8). This slider means organisations can allow certain activities to take place without being prompted.

However, following its introduction, everyone soon became aware that there was a vulnerability introduced with how UAC works when it is set at its lowest setting.

That said, UAC is a great idea for home users, and for ‘true’ administrators. The problem is that in most organisations you don’t want to give admin accounts to end users as this gives them full control of the endpoints – which can cause major problems.

Users with rights
Allowing users to control the end point not only exposes the business to internal exploits, but also the users to external attacks. There are lots of articles that examine this topic in finite detail, so I will just give a top level brief on the vulnerabilities users with admin rights can introduce to the enterprise:

  • Kernel-mode rootkits – they are very dangerous and you don’t want them on your build
  • Key loggers – the sheer idea that every keystroke can be communicated to others outside the organisation is terrifying
  • Install Active X controls - whether you want them or not
  • Introduce spyware, adware and any other types of malware
  • Stop and start services that either freeze the machine or cause a problem on the network – for example switching off the antivirus software or the firewall
  • Users can either take themselves out of the domain, or create a new user account. As a result, IT lose visibility and control; domain settings and security updates no longer apply, all of which results in the desktop – and ultimately the whole organisation – being left open to attack. Rogue or unlicensed software can be introduced

If you bestow admin rights on end users you are compromising every other security mechanism in place. Also, if the end user then chooses to turn UAC off, they will not see the prompts and are not made aware of what is happening – so the devastation can go on in the background undetected.

From a personal, and professional, standpoint I love Microsoft. It rocks up late to the party, doesn’t bring a bottle yet is still friends with everyone and manages to lift everyone’s spirits simply with its presence. But it’s not all perfect.

For some reason businesses either fail to recognise, or are prepared to forgive, its major fault that leaves them vulnerable from abused admin rights. Whichever version of Windows you’re running you can’t just turn a blind eye or your windows could let in more than you bargained for.


BOX OUT: Make it secure:


Here are five simple tips to secure the environment:

1. Remove admin rights. To give users control of their desktop, in a corporate environment, is bad news. They’ll introduce or change things that can cause serious security issues – which could cost money and time. Instead, use a privilege management product to assign privileges to the applications, tasks or scripts, making the desktop more secure and the user more manageable.

2. Move towards a least risk Windows desktop. To do that you need to white list your applications, ensuring that only the applications that you want to run in your environment can run. The idea that you’re not in control of your applications in one way or another is foolhardy.

3. UAC is an annoyance for most people – if you give users admin rights, the first thing they will do is turn it off, removing a vital layer of control. A better situation is to replace UAC altogether with customised messaging allowing IT to communicate an appropriate message to the user based on their activity. This can reduce costly support and improve the user experience.

4. Make sure that you have antivirus/anti-spyware/web security on the desktop and that it is up to date.

5. Finally all machines should be part of the domain. If they are not part of your Active Directory you will always have difficulty keeping your endpoints secure. This is especially important for ensuring that policy settings get out to your machines and that they’re always up to date.

For more information, visit www.avecto.com.
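As an added example (not part of the article and not Avecto's product), a read-only PowerShell audit of the two things the post warns about on a Windows 7 or later workstation: whether the UAC slider has been pushed to silent elevation or UAC switched off, and who sits in the local Administrators group. The list of expected administrators is an assumption to be replaced with your own standard build.

```powershell
# Added example: audit UAC settings and local Administrators membership.
# Read-only; run from an elevated prompt so group enumeration is complete.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# Documented registry values behind the UAC slider:
#   EnableLUA                  0 = UAC disabled entirely (what a user who "turns it off" gets)
#   ConsentPromptBehaviorAdmin 0 = administrators elevate silently, no prompt (bottom of slider)
#   PromptOnSecureDesktop      0 = prompts drawn on the normal desktop, not the secure desktop
# A missing value means the Windows default (UAC on), so only an explicit 0 is a finding.
$findings = @()
if ($uac.EnableLUA -eq 0) {
    $findings += 'UAC disabled (EnableLUA = 0)'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0)'
}
if ($uac.PromptOnSecureDesktop -eq 0) {
    $findings += 'UAC prompts not shown on the secure desktop (PromptOnSecureDesktop = 0)'
}

# Enumerate local Administrators via the ADSI WinNT provider, which exists on
# Windows 7 (Get-LocalGroupMember only arrived with later PowerShell versions).
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# Assumption for this example: only the built-in Administrator and the
# Domain Admins group belong here. Anything else is an end user with admin rights.
$expectedAdmins = @('Administrator', 'Domain Admins')
$unexpected = @($members | Where-Object { $expectedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    $findings += "Unexpected members of local Administrators: $($unexpected -join ', ')"
}

# Report. Exit code 1 lets a management tool flag the machine for follow-up.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME : UAC intact, Administrators group as expected"
    exit 0
}
Write-Output "$env:COMPUTERNAME : $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Deploy it as a startup script or through your management suite so the results are collected centrally; a single machine reporting "UAC disabled" is exactly the silent failure the post describes.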

Wednesday, November 3, 2010

Windows 7 Migration Survey: Planning Plays a Key Role in Successful Upgrades

- Christine Ewing, Director of Product Marketing with Symantec's Endpoint Management Group (www.symantec.com), says:

Symantec conducted a survey of more than 1,300 IT managers across the globe to help determine best – and worst – practices that will help make future Windows 7 migrations successful. The survey found that planning plays a key role in smooth upgrades: More than 80 percent of companies said that planning was helpful in facilitating the upgrade and minimizing costs.

The typical survey respondent felt that if a company had 10 or more PCs, it was worth investing in a solution to automate, and most companies automated about 54 percent of migration-related tasks. The IT manager for a midsized consulting company stated, “We picked a smaller department and used them as guinea pigs until we got all the kinks out. At that point, we knew where we stood and could automate the rest.”

The survey findings confirm that a sound migration plan and an integrated, automated solution are key ingredients of a successful migration to Windows 7. For the full report and other resources, please click HERE.

Wednesday, August 11, 2010

Client Virtualization in Windows 7: XP Mode (possible but challenging)

- Bob Kelly, senior product manager, KACE (www.kace.com), says:

XP Mode makes client virtualization a reality for many small businesses, as it is essentially a Windows XP virtual machine running on the Windows 7 client. Applications that require XP can be run in XP (on Windows 7). This is a reliable, but technologically challenging solution to the issue of application compatibility. In the background there is an entire XP operating system that needs to be managed by IT. This could potentially mean that a network of 500 computers has 1000 instances of Windows to manage. The XP system shows up on the network and should be managed and patched as with any operating system. Likely this will mean Microsoft is forced to provide security updates for XP for longer than they would like, but given the challenges faced by those fighting this same problem in their Vista migrations, this is a welcome option to have available. XP Mode is what I’d consider to be the SMB version of Med-V. Many wonder what the difference is and why someone would buy Med-V with XP Mode now available to small businesses.

The key downside to XP Mode is that the Windows XP instance and its applications must be set up on each PC individually; each physical PC has its own virtual Windows XP environment and is controlled and managed locally. The larger the environment, the less of an option this becomes, as it is simply not designed for centrally managed deployments. Microsoft’s Med-V adds what is needed to support the larger including the provisioning of an IT configured virtual machine, customization of the virtual machines—essentially the ability to connect to an Active Directory domain and to adjust the settings of the Virtual PC as needed in a managed/centralized way.

Friday, August 6, 2010

Windows 7: Enterprise Readiness - Are You Ready?


- Mike Temple, product manager at Avocent (www.avocent.com), says:

What hardware in my environment doesn't meet minimum specifications? 


Unfortunately, there are two answers to this:

1. What machines do not meet recommended minimum specification as outlined by the Manufacturer?

2. What machines are "borderline?" In other words, once you upgrade a perfectly good XP machine running your big business application, will the overhead of Windows 7 cause the application performance to suffer and be sub-par? It's important to understand what your unique minimum specifications would be.

Once this is determined, you can quickly lay out a hardware refresh program. These new machines, as well as machines refreshed as part of the normal hardware refresh cycle, should factor into the migration as well - make sure your new machine acquisition process includes installation of Windows 7 when it rolls in the door.

Before we get too carried away with the relatively simple act of backing up a machine and laying down a new operating system, it is important to do an analysis on which applications can run on Windows 7, and for those applications that cannot run or do not function properly or completely.

There are essentially three options for applications that have issues:

1. "Compatibility" mode: Essentially a way of running an application and telling the operating system to tell the application that it's running on some other version of Windows. This isn't always successful, as some applications need more.

2. "XP mode": This mode is only available to those customers who own an EA or an SA with Microsoft; however, it is no additional cost. This is essentially a special Virtual PC session running Windows XP. It is critical to understand that this is essentially another node on your network, which would need to be provisioned, secured, etc. Please understand the licensing implications (additional license counts for antivirus, management tools, etc.), the performance implications of virtualizing the operating system, as well as the security/patching implications of having this device on your network. The good news is that it's a real XP machine running inside your Windows 7 machine, so the likelihood that the incompatible application runs normally is very high.

3. Upgrade the application to a Windows 7 compliant version: This includes contacting the vendor of the application (or possibly refactoring and re-compiling if it's a custom application) and could have licensing, migration, training, data conversion and roll-out implications that need to be understood on an application-by-application basis.
_____________

If you decide on a reload process, make sure that you have your standard Windows 7 image set up and complete. Most organizations use a captured sector-based image that has been "Sysprepped" to strip out all unique elements of the OS.

Next, for machines that will not be refreshed, it's important to make sure you maintain the users' business data as well as the more critical items such as wallpaper, shortcuts, and desktop icons. Once this activity is complete, you can then wipe the hard drive, lay down the new operating system and restore the user data. Lather, rinse, repeat for all workstations in the target group.

Of course, most of these steps can be very simply accomplished (except the training step) with a robust Lifecycle management system that integrates with a robust Systems Management solution, like LANDesk Asset Lifecycle Manager and LANDesk Management Suite and Security Suite with LANDesk Application Virtualization. With this solution, the steps of planning on which hardware gets refreshed versus upgraded are as simple as a report, and the Hardware Independent Imaging solution, combined with the process-based Provisioning and User Migration Assistant technologies within the solution make deploying no-touch a breeze. Application incompatibilities can be minimized by leveraging virtualization. Essentially a months-long project could be reduced to days or weeks, and leave in place a robust process for adding new machines, moving machines and retiring machines, regardless of the operating system.

Windows 7: Enterprise Security and Performance

- Bob Kelly, senior product manager at KACE (www.kace.com), says:

What will enterprises gain from switching to Windows 7?

Security improvements are probably the biggest factor for businesses. Security is not only improved, but also better implemented. BitLocker drive encryption is now a simple feature activated by right-clicking on a drive. But outside the growing pains Vista had with application compatibility in the early days, User Account Control (UAC) was among the most unpopular improvements. While it did a lot to help the heavily attacked Windows OS be more secure, it frustrated people by popping up too often and without sufficient detail to let one make an informed decision about whether the action should be permitted. Windows 7 improves on this substantially: by default it only throws up the UAC prompt if something not initiated directly by the user requires elevated privileges.

It also offers improved performance and is better capable of taking advantage of today’s new hardware improvements, especially when compared to Windows XP. I think Apple has proven that looking good is indeed important to users, and Windows 7 (introduced first with Windows Vista) is smart about taking advantage of system capabilities when available to provide the experience. If the horsepower to pull off these interface improvements is not available, it can gracefully fall back to a “basic” user interface that still looks good but lacks some of the “wow” factor sported by the preferred user interface.

Monday, July 12, 2010

Windows 7: Features and Implementation

- Rahul Parmar, Research Analyst for Info-Tech Research Group (www.infotech.com) says:

"Connectivity: DirectAccess and BranchCache are 2 features that greatly improve the connectivity feature-set of the new OS.

Direct Access allows mobile users to securely connect to the corporate network without a VPN client provided the organization has a Windows 2008 Server R2 backend in place. The cost savings here come from the fact that the organization no longer needs to have a VPN solution in place. More so, however, is the fact that IT can push out updates/patches and general service to laptops regardless of whether or not they are connected via VPN to the corporate network. DirectAccess basically creates a secure connection between the client and the corporate network as long as there is an internet connection, resulting in easier pushes for IT and, generally, more efficiency.

BranchCache is another great feature for organizations with branch offices. BranchCache basically caches large, often-accessed files on intermediary servers at the branch location, drastically reducing bandwidth costs as other users in the same office look to retrieve the same files. The reduced bandwidth usage should result in some cost savings for the organization.

Security: On the security side, Microsoft has included BitLocker and AppLocker technology with Windows 7, improving the OS’ current security offering.

BitLocker encrypts the contents of hard drives on desktops and laptops that have Trusted Platform Modules embedded in hardware. It’s also capable of encrypting and protecting removable media, relieving IT of the burden of often lost or stolen USB keys.

AppLocker allows IT to exercise control over the applications users are allowed to install and run, decreasing the potential for malware infections and providing more control regarding compliance. The functionality secures applications at the digital signature level, ensuring that users can update/install their own updates to allowed software, freeing IT to deal with more support-intensive issues.

We are seeing (Windows 7) adoption across industries and verticals, but Business Services and Manufacturing tend to be leading the way.

From what we’ve seen at client organizations that have installed it, the implementation has been relatively smooth. End-users find the Windows 7 desktop interface to be very similar to XP and migrate to it rather quickly and with little training. The heavy lifting is in planning, preparation, and testing.

In terms of training end-users to use the new OS, our clients had success with setting up virtualized instances of the OS for users to 'bang' on before deploying it enterprise-wide."

Desktop Virtualization: Windows 7

- Calvin Hsu, Director of Product Marketing for XenDesktop (http://www.citrix.com/), says:

Citrix and Microsoft have been doing joint seminars in 100+ cities around the world, talking about desktop virtualization and Windows 7. The feedback in these events has been that migrations have been smooth and their end users have been happy with the transition. In fact, we’ve heard several times that they are having trouble rolling out Windows 7 as quickly as some users would like – and that’s why they are investigating desktop virtualization as a means of accelerating deployments.

Windows 7

- Bob Kelly, Senior Product Manager for Dell KACE (www.kace.com), says:

"While many (data centers) have migrated, many more report that they are in the process now which will help to move Windows 7 above Windows XP in terms of seats deployed over the next year or two.

I don’t think it is tied to any particular market segment, although I’d say those environments large enough to have more than a couple of dedicated IT staff typically lead the charge.

I have not heard any horror stories about implementation. The most major issues with Vista revolved around application compatibility. This did two things for Windows 7: it caused Microsoft to invest considerable resources and technologies in alleviating such issues and secondly it raised awareness while lowering expectations. Instead of being upset when one out of twenty applications fails to work, people are happy to see nineteen working. There is far more tolerance here. The visibility of such problems also has administrators taking care to perform more lab and pilot testing to identify expected issues.

Many Windows 7 management features (BranchCache and DirectAccess to name two) require Windows Server 2008 R2."