
How To Keep Control Of Employee-Owned PCs

Based on eWEEK Labs tests and research, I’ve identified two primary approaches to the problem of working with user-controlled desktop and notebook systems. The first approach involves reaching a sort of compromise between user control and management policy on a given machine. The second involves carving out for IT an isolated and closely managed environment within an otherwise unmanaged system. Both routes have their drawbacks, benefits and prospects for improvement as the technologies on which they depend continue to mature.

Approach One: A Negotiated Settlement

The first approach to managing what are essentially unmanaged systems should be a familiar one because it’s the approach that most home users – as well as a striking number of corporate shops – employ for their Windows-based desktops and notebooks: The user gets administrative rights on his or her machine, and IT administrators layer on policies and products intended to prevent damage or instability caused by malware and unpatched bugs and vulnerabilities.

As a matter of policy, companies can mandate the use of anti-virus applications and frequent system patching. They also can direct users to divide their system administration and daily computing tasks into separate administrator and limited-rights accounts. On Windows Vista, the UAC (User Account Control) feature automates this separation of administrative and daily-use rights by limiting the privileges of administrative-rights users by default, and by requiring confirmation for operations that require elevated rights.

Administrators can add another layer of management to this scheme by employing NAC (network access control) to confirm and enforce user compliance with these policies, making access to corporate network resources conditional on meeting them.
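An added example, not taken from the article or from any NAC product: a minimal posture check of the kind a NAC policy server could run against the policies named above (anti-virus, patching, rights separation). The thresholds, field names and sample reports are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds: the article names the policies but gives no numbers.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 35

@dataclass
class Posture:
    """Health report a (hypothetical) endpoint agent sends to the policy server."""
    host: str
    av_running: bool
    av_signatures: date           # date of the installed anti-virus definitions
    last_patched: date            # date the last OS update was installed
    uac_enabled: bool             # UAC left switched on
    daily_account_is_admin: bool  # user does daily work in an admin account

def check_age(label, reported, today, limit, failures):
    """Record a failure if the reported date is stale or lies in the future."""
    age = (today - reported).days
    if age < 0:
        # The user controls the host, so the report is self-attested;
        # an impossible date is treated as non-compliance, not as "fresh".
        failures.append(f"{label} date is in the future")
    elif age > limit:
        failures.append(f"{label} out of date ({age} days)")

def evaluate(p, today):
    """Return (decision, failed checks). Any failed check means quarantine."""
    failures = []
    if not p.av_running:
        failures.append("anti-virus not running")
    else:
        check_age("anti-virus signatures", p.av_signatures, today,
                  MAX_SIGNATURE_AGE_DAYS, failures)
    check_age("system patches", p.last_patched, today, MAX_PATCH_AGE_DAYS, failures)
    # Rights separation is met by a limited-rights daily account or by UAC.
    if p.daily_account_is_admin and not p.uac_enabled:
        failures.append("daily use with unrestricted administrator rights")
    return ("quarantine" if failures else "admit"), failures

# Constructed sample reports, evaluated against a fixed date.
TODAY = date(2008, 6, 2)
SAMPLE = [
    Posture("nb-01", True, date(2008, 5, 30), date(2008, 5, 14), True, True),
    Posture("nb-02", True, date(2008, 5, 1), date(2008, 3, 1), False, True),
    Posture("nb-03", True, date(2008, 7, 1), date(2008, 5, 20), True, False),
]

if __name__ == "__main__":
    for report in SAMPLE:
        print(report.host, *evaluate(report, TODAY))
```

The list of failed checks is what a quarantine page would show the user for remediation.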

Moving a step further, administrators can employ an application whitelisting product with a large database of known-good applications, such as Bit9’s Parity, to preserve their users’ freedom to control their computing environments and to install the software of their choice – from a pool of vetted applications. What’s more, an application whitelisting product gives administrators the option of removing from the whitelist applications known to conflict with key company software.

While this strategy for dealing with user-controlled systems should be mostly familiar to administrators and users, there are drawbacks to sharing control over a desktop or notebook in this way. For instance, administrators can mandate security baselines and enforce those baselines through NAC, but unless users can be counted on to keep their systems in order, IT can find itself stuck on a treadmill of bringing quarantined systems back into conformance.

More importantly, the fact that ultimate control over the host operating system lies in the users’ hands must result in a trust gap of sorts, as users’ actions can lead to security issues that could potentially evade the detection of company-mandated anti-virus software.


Jason Brooks eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
