Over the last week I’ve two people who are suffering pain due to corporate laptop builds that have been “secured” – meaning that an untold number of access controls have been changed and parts of the operating system have been removed to “enhance the security” of the system. A complete nightmare. The poor old users are running out of date versions of both the operating system and applications as the integration testing required for even a minor security update is immense let alone a service pack or new version of the operating system.
One chap had a fancy new laptop that was running Windows 2000 Professional AND HE WORKS FOR A HIGH TECH company! Power management wasn’t an option nor was making use of any of the advanced features of his laptop.
I understand that security professionals want to reduce the attack surface of machines and encourage them to do so but making changes to the operating system itself is a support and manageability nightmare. Instead spend time using built-in security features like IPSec, Group Policy to make the most of the operating system’s security functionality. Don’t go crazy forcing IPSec data encryption everywhere as it will add complexity & management costs – using IPSec for authentication primarily will give a much better return on your investment of time and effort for risk reduction.