Finding the right balance between security and usability is an ongoing challenge for enterprise IT staffs, and companies that are in the process of deploying Vista are finding that process even more complex as they deal with the operating system's myriad access control and security features.
Those features, especially Vista's User Account Control, have drawn equal amounts of praise and criticism from administrators since Microsoft Corp. released Vista nearly a year ago. But for organizations who committed to Vista specifically because of its enhanced security, the problem of dealing with UAC's constant pop-ups and restrictions has gone well beyond mere annoyance.
"We all like security, but I don't want a situation where a user is trying to get a statement out for a CFO and boxes keep popping up every two seconds," said Omar Ghneim, network administrator at EXCO Resources Inc., a Dallas-based oil and natural gas company. "More security is good but I don't want to keep clicking 'yes I agree' or 'yes open' all the time."
UAC, which is designed to block all user-initiated and malware-initiated actions on a computer that requires administrative privileges, has become a serious drag on productivity because users are forced to deal with a series of pop-up boxes when they try to perform basic business functions, Ghneim said. So while he is interested in tapping into Vista's security benefits, he is proceeding cautiously. The good news is that the process won't take as long as first expected because one of his vendors will be able to help him address the UAC problem.
Microsoft launched Vista in November 2006 and IT pros are in various stages of deploying it. Microsoft and experts have touted such new security features as encryption and Network Access Protection (NAP) as keys to more secure corporate networks, but enterprises are dealing with a host of compatibility challenges along the way, and some have pushed their Vista deployment schedules into next year as a result. EXCO is no exception. Ghneim is all for better security, but not if it means crippling the company's ability to do the work it's paid for.
The promise and perils of Vista UAC
In its Web site primer, Microsoft describes Vista UAC as a crucial security enhancement.
"Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token," said Austin Wilson, director of Windows client security product management at Microsoft. "As a result, malicious programs could install on users' computers without notifying the users."
UAC is designed to prevent that from happening. Unlike in previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user's full administrative access token is split in two: a full administrator access token and a standard user access token. During the log-on process, Wilson said, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop. Because all applications inherit their access control data from the initial launch of the desktop, they all run with the privileges of a standard user as well.
But many security experts complain that UAC is ineffective in the same way that a noisy IDS is: users get tired of seeing all the pop-up warning boxes and quickly choose to ignore them all. Others say the feature gives users a false sense of security because the appearance of all these boxes makes it seem as though the operating system has already blocked something malicious.
Ollie Whitehouse of the Symantec Security Response team recently blogged that it becomes a chicken-and-egg situation when the user is making a decision based on a false sense of trust that UAC creates. "Do I think some UAC is better than no UAC? Yes. Do I think UAC that presents information that can not be relied upon is good for user confidence? No," Whitehouse wrote.
For his part, Ghneim said, "If I, as an administrator, can't handle all the pop-up boxes that get in the way, my users certainly won't be able to handle it."
Testing Vista against critical business applications
Even while he worries about the productivity problems UAC could pose for his users, Ghneim also grapples with a lot of the same compatibility problems experienced by other IT shops that are testing Vista.
Other IT professionals have said that Vista doesn't work well with some VPNs and virtualization software vital to their operations. EXCO doesn't use a VPN and has only dabbled with virtualization, but the company does run a lot of other applications that must be tested for compatibility.
"We use a lot of applications that are vital to the oil and gas industry to deal with geological issues and determine where we can drill next," Ghneim said. "We have to make sure all of that works with Vista."
Because of the testing that will entail and the need to complete several large business projects first, EXCO's IT staff originally resolved not to even look at Vista until the fourth quarter of 2008. But, Ghneim was eager to tap into Vista's security enhancements, especially the integrated firewall and BitLocker Drive Encryption. "We have a lot of laptops in our environment and if one is stolen you want it to have an encryption feature like BitLocker," he said.
And so EXCO has adopted a more ambitious testing and deployment schedule that calls for initial rollouts by the second quarter of 2008 and 90 percent deployment by the fourth quarter. Ghneim hopes to have all the application testing done by the end of this year, and once that mission is accomplished, a couple of employees from each department will be given Vista machines to test.
Third-party cooperation speeds deployment
For EXCO and other companies profiled in this series, third-party help has been crucial in their ability to speed the Vista deployment process. For example, Papa Gino's got a leg up on the process when one of its security vendors, Wave Systems Corp., announced in March that its Embassy Trust Suite was Vista-compatible.
For its part, EXCO has been able to shorten its Vista deployment timetable thanks to help from BeyondTrust Corp., a company it has been using for the last four years. Ghneim found he could keep all those UAC-generated pop-up boxes away from his users by deploying BeyondTrust Privilege Manager 3.5, which is designed to eliminate many of the UAC prompts Vista generates.
Privilege Manager provides users with elevated privileges when required, enabling a least-privilege-necessary security environment without all the UAC dialog boxes, company officials said.
"It puts the security decision of when to elevate privileges in the hands of network administrators, allowing them to create security policies that are applied via Microsoft's Group Policy to automatically grant authorized applications the necessary privileges to run, thereby suppressing UAC prompts while allowing enterprises to enjoy the other advantages of Windows Vista and UAC," said BeyondTrust CEO John Moyer.
"BeyondTrust Privilege Manager will allow us to move to Vista and continue to use our critical line-of-business applications without any pop-ups," Ghneim said.
2008 deployment schedule consistent with others
EXCO's cautious approach to its Vista deployment is in line with the way that other enterprises are handling the transition. For example, Quintiles Transnational Corp. has set up a 2008 test and deployment schedule so IT staffers can take all the time needed to make sure Vista compatibility problems don't open up network holes attackers could exploit to access the healthcare services provider's intellectual property, said Steven Dietz, information security principal at the company.
For the time being, most enterprises continue to standardize on Windows XP SP2. At this point, two percentof PCs in the enterprise are running Vista, 84 percent are running XP SP2 and 11 percent still run Windows 2000, said Benjamin Gray, an analyst with Forrester Research.
"IT managers are incredibly focused on sticking with XP before gearing up for Vista," he said. "But Vista isn't a matter of if for companies -- it's a matter of when and how."
A third of the companies Gray has talked to say they'll deploy Vista by the end of 2008 and many have decided to pull back on more aggressive plans until the release of Vista SP1 in the first quarter.
"When SP1 is released, deployments will jump," Gray said. "By mid-2008 you'll see this really moving along. IT shops will have figured out all their application and hardware needs by that point."
Dig Deeper on Windows Security: Alerts, Updates and Best Practices