From a personal and professional perspective I love Microsoft. They can turn up late to the party, ignore the BYO instruction and still get everyone dancing as soon as they walk through the door.
As far as Windows 8 is concerned, there are a number of great features and developments that will appeal, especially to consumers. However I’m not sure that businesses will be as quick to adopt.
The issue for business users
While it’s true that Windows 8 has some handy new features, in my opinion, it’s predominantly aimed at touch screen users. This would mean a huge investment for businesses to replace existing monitors and, with our current financial climate, the investment simply can’t be justified.
Next – the vast majority of organisations are either actively, or planning to, roll out Windows 7. This costs money – both in time, compatibility testing, initial loss of productivity and re-training which would all need to be repeated to upgrade to Windows 8.
This is the area that we think Microsoft could have improved on – especially to entice corporates to upgrade so soon after Windows 7. They have introduced a few new features, such as Windows Secure Boot, and anti virus now comes as standard. They’ve also upgraded Windows Defender.
However, from what we’ve seen, Microsoft have not changed their stance in UAC (User Account Control) being their approach to least privilege. This approach has limitations as to use UAC correctly the user must be an administrator.
For those of you not sure, here’s UAC in action:
- When a user tries to do something that requires elevated rights, UAC prompts them to confirm that they want to perform the task and asks for a password. The user’s own password won’t work if he doesn’t have admin rights – which often the results in helpdesk calls, at a cost to the business.
- If a user knows an administrator password then they could use it to ‘approve’ future tasks – whatever they may be – and we all know that users can’t be trusted to make their own decisions.
In an effort to limit these prompts Microsoft introduced a sliding scale to Windows 7. This means organisations could allow certain activities to take place without being prompted. However everyone soon became aware that there was a vulnerability introduced with how UAC works when it’s set at its lowest setting.
Don’t get me wrong, I think UAC is a great idea for home users, and for ‘true’ administrators. The problem is that in most organisations you don’t want to give admin accounts to end users as this gives them full control of the endpoints – which can cause major problems.
Users with rights
Allowing users to control the end point not only exposes the business to internal exploits, but also the users to external attacks. There are lots of articles that examine this topic in finite detail, so I’ll just give you a top level brief on the vulnerabilities users with admin rights can introduce to the enterprise:
- Kernel-mode rootkits – they are very dangerous and you don’t want them on your build
- Key loggers – the sheer idea that every keystroke can be communicated to others outside the organisation is terrifying
- Install Active X controls – whether you want them or not
- Introduce spyware, adware and any other types of malware
- Stop and start services that either freeze the machine or cause a problem on the network – for example switching off the antivirus software or the firewall
¬ Users can either take themselves out of the domain, or create a new user account. As a result, IT lose visibility and control; domain settings and security updates no longer apply, all of which results in the desktop – and ultimately the whole organisation – being left open to attack. Rogue or unlicensed software can be introduced
If you bestow admin rights on end users you are compromising every other security mechanism in place. Also, if the end users then choose to turn UAC off, they will not see the prompts and are not made aware of what is happening – so the devastation can go on in the background undetected.
Make it secure:
Here are five simple tips to secure the environment, whether using Windows 7 or 8:
- Remove admin rights. To give users control of their desktop, in a corporate environment, is bad news. They’ll introduce or change things that can cause serious security issues – which could cost money and time. Instead, use a privilege management product to assign privileges to the applications, tasks or scripts, making the desktop more secure and the user more manageable.
- Move towards a least risk Windows desktop. To do that you need to white list your applications, ensuring that only the applications that you want to run in your environment can run. The idea that you’re not in control of your applications in one way or another is foolhardy.
- UAC is an annoyance for most people – if you give users admin rights, the first thing they’ll do is turn it off, removing a vital layer of control. A better situation is to replace UAC altogether with customised messaging allowing IT to communicate an appropriate message to the user based on their activity. This can reduce costly support and improve the user experience.
- Make sure that you’ve got antivirus/anti-spyware/web security on the desktop and that it is up to date.
- Finally all machines should be part of the domain. If they’re not part of your Active Directory then you’re always going to have difficulty keeping your endpoints secure. This is especially important for ensuring that policy settings get out to your machines and that they’re always up to date.
Thumbs up or down?
Everything considered – Windows 8 gets very firm thumbs up from me. I love the operating system and I do think it really is shaking things up – which is necessary. For home users this is nothing but good news, although businesses may be less convinced. That said, we’ve only seen the developer version and anything could change in the next 12 months.