Jeff Dimock, vice president of Microsoft solutions at the IT consultancy Dimension Data Americas, expects IT organizations will like Windows Vista's tighter security. That's true even though it requires a change in both user behavior (to acknowledge the User Account Control, or UAC warnings when installing potentially harmful applications), and an update in applications (to run in user mode rather than administrator mode). "It's a lot more robust security model, but it does come at a price," he says.
The good news is that IT can control the new security model to some extent, so they can choose how much of a price is paid for that extra security.
Working with -- or around -- UAC
With Vista now installed on all 80 PCs, Collegiate Housing Services, a college facilities management firm, has seen a marked decrease in spyware and adware infections, says IT Director Sumeeth Evans. "Before Vista, we got one every other month. In the year since we deployed Vista, we've had none," he says. "We no longer need to use Spybot or Ad-Aware." He credits Vista's User Account Control feature, which makes users approve every potential installation of software, whether from applications or Web pages. "UAC tells the user what's going to happen before they do it," he observes.
Although some people have complained that UAC is overzealous and desensitizes users to threats by its constant "are you sure?" messages, Evans says Collegiate Housing countered that behavior through "social education," conveying that clicking OK by default was not the right response.
Still, he knows that not everyone responds in that desired way. "I'm sure some users do turn it off -- I do that, since sometimes it can be an annoyance. Microsoft did go a bit overboard," Evans says. That's why he is looking for a tool that would automatically approve known applications, so users only get challenged on unusual activity. A few such tools already exist, such as BeyondTrust's Privilege Manager 3.5.
At capacitor manufacturer Kemet, Global Infrastructure Manager Jeff Padgett has disabled the User Account Control security system. UAC is too invasive, he notes, making users confirm any suspicious activity before allowing it, which annoyed users and caused many to click OK without reading the warnings. Rather than use UAC, Padgett will continue to use Trend Micro's anti-malware software to protect the PCs. "While UAC would protect against rogue administrator-privileged apps, we couldn't afford to handle the user support [requests it would cause]," he says.
Padgett says UAC makes sense in a tightly controlled network environment, where most risks are filtered out before they get to the user, but that's not a realistic state for his network, as it connects to supplier and customer networks beyond Kemet's control.