The Pros and Cons of System Lockdown
By Rodney Buike
Locking down desktops is becoming more and more prevalent in today’s corporate environment. Malware, viruses, malicious users and laws like SarbOx are putting the pressure on IT staff to remove users as local admins and lock down systems. For this to be successful, administrators need a delivery mechanism to install software and hot fixes on user machines.
In many corporate environments, users are required to install their own software and patches. While this may reduce the load on the IT staff, the ability for users to download applications off the ‘net, including viruses, malware and other suspect software, will increase the load. Certifying the software that may be used, locking down systems, and automating software installation and patch management shifts the role of the IT staff; however, the load should remain the same. With a proper infrastructure in place you can even reduce the workload on the IT department by implementing such a scheme. Applications such as WSUS and SMS make it easier for IT staff to implement and manage this.
Of course there are certain users who require specific, non-certified software. In these cases, the IT staff can install the app. By doing it this way you accomplish two things: first, you know what apps are installed on their machines, and second, the apps can be tested in your environment to ensure they don’t mess up any other applications. How many times have you installed a piece of software only to find out it renders another useless? By having the IT staff test the application, they get some sense of how it works, so when the user calls they have some clue as to what the user is trying to do, and you can ensure that the program does not conflict with other applications. This system allows you to configure a basic desktop setup for all users with a general set of applications and then add the required functionality on a per-user/per-need basis.
All this is fine for local users, but becomes increasingly difficult with remote users. Remote users introduce a whole slew of issues. First, they usually have to be local admins, or have access to a local admin account on their PC. This enables them to manage software installation and hot fix installation on their own. Unfortunately, they are usually not as vigilant in this task. This leaves an entry way for viruses, worms and malware onto your corporate network when they do arrive at the office or connect remotely via VPN. There are solutions to this, including the Remote Access Quarantine feature in Windows Server 2003 SP1. Quarantines work great for ensuring that remote users are up to date on their hot fixes, virus definitions and other security related updates; however, they do not lock down the workstation.
The biggest complaint will come from the users. Taking away a privilege they may have had for years won’t happen without a fight and lots of whining. In certain cases, there may be employees who actually need elevated privileges to perform their day-to-day tasks. To accomplish this effectively you will need to define a standard IT policy that everyone must follow, and set out some rules and procedures to give those who require elevated privileges the rights they need to complete their job efficiently.
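Once that policy exists, the lockdown has to be verified, not just announced. The script below is an added example, not part of the original article: it compares the local Administrators group on a workstation against an approved list (the exceptions the policy grants) and reports anyone who should not be there. It assumes Windows 10 or later with PowerShell 5.1 (for Get-LocalGroupMember), is run elevated, and uses a placeholder domain group name that you would replace with your own.

```powershell
# Added example: audit local Administrators membership against the
# approved-exceptions list from your IT policy. Not from the original
# article. Assumes Windows 10+/PowerShell 5.1 and an elevated session.

# Constructed allowlist. Replace with the principals your policy approves,
# e.g. the built-in Administrator account and the support group.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Desktop Support"      # placeholder domain group, not real
)

function Get-LocalAdminReport {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Each member comes back as DOMAIN\name or COMPUTER\name, which is
    # exactly the form used in the allowlist above.
    foreach ($m in Get-LocalGroupMember -Group "Administrators") {
        [pscustomobject]@{
            Name     = $m.Name
            Class    = $m.ObjectClass        # User or Group
            Source   = $m.PrincipalSource    # Local, ActiveDirectory, ...
            Approved = ($Approved -contains $m.Name)
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved local admin(s) on {1}" -f `
        $unapproved.Count, $env:COMPUTERNAME)
    # Remediation stays commented out until the exception process in the
    # policy has been checked for each name listed above:
    # $unapproved | ForEach-Object {
    #     Remove-LocalGroupMember -Group "Administrators" -Member $_.Name
    # }
}
```

Run it from your software delivery mechanism on a schedule and the report doubles as evidence that the lockdown is holding on machines you never touch by hand.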
Confused? Sound like a lot of work? Well it is, but in the end, once all is said and done and the last user tear has been wiped up, your IT staff should have the time to work on the things that are really important, like finishing Quake 4!