About Deploying Vista: This is the latest in an ongoing series about the challenges of deploying Windows Vista and the considerations that go into the decision to roll out the new OS. The series highlights the setbacks and successes of those who are at various stages of deployment..
IT shops from a variety of industries have cited the same Windows Vista deployment problems during SearchSecurity.com's year-long look at Microsoft's latest operating system: application incompatibility and a dislike of User Account Control (UAC) pop-up boxes. Because of these issues, analysts expect a slow adoption rate to continue.
But Keith Brown, network administrator at Gwinnett Medical Center in Lawrenceville, Ga., tells a more optimistic tale of Vista deployment in his environment. Like others, he has run into compatibility problems and has gotten complaints about UAC. But in the final analysis, he has determined that Vista's security enhancements outweigh those negatives.
As a result, he plans to deploy the operating system across the entire organization by spring. Such speed mirrors that of early adopters like the Papa Gino's pizza chain and Northeastern University, but is fairly ambitious compared to the mid-to-late 2008 timetable a majority of companies are shooting for.
Brown's appreciation for Vista is driven by the need to protect patient information. Gwinnett is a nonprofit organization that includes three hospitals, additional support facilities, more than 4,100 employees and 700 affiliated physicians. It's also a Windows-based environment where everyone treating a patient needs to touch a computer. Brown estimates there are up to 6,000 users in all, and there have been isolated cases where the wrong people gained too much access.
"There have been sporadic cases where outsiders accessed a computer, sat at a computer or worked in conjunction with someone with access to a computer to get at information," he said. "That's the main risk I worry about, because there's a cottage industry that's out to steal and exploit patient information."
In the long run, he believes Vista will help improve his department's ability to protect that data because of its more robust group policy features, which will allow him to keep tighter rein on the level of network privileges users can have from the desktop.
Reduced admin access, fewer pop-ups
Gwinnett Medical Center boasts an environment where only about 1% of users -- those in IT and a couple people at the executive level -- have local administrative privileges, which ensures only few can access the most sensitive system data. But while Brown lauds Vista Group Policy for allowing him to tighten access control, he shares the frustrations of those who have run into the never-ending barrage of pop-up boxes that are the hallmark of UAC.
"UAC is one of the biggest pains so far," he said. "There are pop ups all over the place, and that can make you miserable. You can deal with it in Group Policy, but in the short term you can't avoid the headaches."
To minimize those headaches, he is using the Privilege Manager product from BeyondTrust Corp., designed to eliminate many of the UAC prompts Vista generates. It provides users with elevated privileges when required, enabling a least-privilege-necessary security environment without all the UAC dialog boxes, company officials said.
"It puts the security decision of when to elevate privileges in the hands of network administrators, allowing them to create security policies that are applied via Microsoft's Group Policy to automatically grant authorized applications the necessary privileges to run, thereby suppressing UAC prompts while allowing enterprises to enjoy the other advantages of Windows Vista and UAC," said BeyondTrust CEO John Moyer.
Brown said his use of the product has allowed him to press ahead with his Vista deployment plans.
To speed that deployment, Brown has campaigned hard to ensure all new computer hardware the organization purchases is Vista-compatible. It's now a standard rule that all new desktops fit the criteria. Earlier this year, he spent a lot of time playing around with Vista on an IBM ThinkPad to get used to it. Use of Vista is still largely contained within the IT department, but the plan is for an organization-wide deployment by May 2008, when Brown expects most third-party vendors to have their own compatibility issues fixed.
Assessing Vista a year after release
Despite Brown's bullish take on Vista, security experts like Rich Mogull expect the big-picture adoption rate to remain at a snail's pace, even though it's been a year since the operating system was released.
Mogull, a former Gartner analyst who now operates a security consulting firm called Securosis, said his own experience with Vista has not been pleasant, and many IT pros have given him similar feedback.
He said he recently emailed a list of 50 or so IT professionals asking who has done their Vista deployments. Nobody responded in the affirmative. And so he's not surprised that big-picture deployments have been slow overall. "The compatibility issues and the necessary hardware improvements make for significant obstacles," he said. UAC is a particularly big challenge because is takes a lot to understand it and make it work for your environment, he said.
Asked if Microsoft has adequately addressed these problems, Mogull said, "I think they have a lot of work ahead of them."
To be fair, he said, Microsoft recognizes they made some mistakes in rolling out Vista and that problems must be addressed, but that it's too late to roll back the clock. He thinks the software giant has been fairly responsive, but that some of the changes are so big that it'll be a tremendous effort to work out the kinks and educate the user community.
Vista success by the numbers
Shanen Boettcher, general manager of Windows client product management at Microsoft, doesn't deny there have been problems. But if the sales figures are any indication, he said, the first year of Vista has been a success.
In addition to having sold 88 million copies of Vista, he said, more than 42 million PCs are now licensed under volume licensing agreements, demonstrating that businesses are buying into the long-term value of Vista.
"To date, we've seen more than 340,000 downloads of the application compatibility toolkit, 283,000 downloads of Microsoft Deployment Solution Accelerator (formerly known as Business Desktop Deployment) and 329,000 downloads of Windows Vista Hardware Assessment, indicating that business are beginning the process of moving to the new OS," he said.
Furthermore, he said, more than 900 hardware partners have certified thousands of Windows Vista devices and hardware components that support innovations in graphics, networking and imaging. Support has been added for 700,000 new devices since Vista shipped, and more than 41,000 hardware products are now supported on Window Update, up from 23,000 thousand at Vista's launch, he said.
On the application compatibility front, over 2,000 applications have passed Microsoft compatibility tests for Vista, and top consumer and small business applications are now compatible with the operating system. And despite the complaints, he said the UAC issues are easing.
"We've done a tremendous amount of work to minimize the times when UAC pop-up boxes appear, and we've made several changes that have resulted in a decrease in notifications," he said. "I think the days of overwhelming notifications are over."
At Gwinnett Medical Center, Brown believes Vista's security enhancements will make the headaches of UAC and incompatibility worth it in the long run, especially given the group policy improvements.
"Vista's group policy feature allows us better control over who gets access to what based on their jobs," Brown said. "Unlike Windows XP, with Vista group policy is a requirement, and those who haven't cared about it before will have no choice because it's how Vista is designed. This is a big advantage security-wise."