At the Microsoft Technology Center Chicago, one infrastructure topic that never seems to be absent from our customer agendas, no matter their level of IT maturity, is the concept of a “locked down” desktop.
The locked down desktop, like its siblings server consolidation and single sign-on, is an umbrella term that often means different things to different people. The drive here from IT, I find, comes down to a desire for better desktop management, and more often than not it grows into a philosophical discussion of what exactly IT departments are trying to accomplish by locking down.
First off, I tend to avoid using the term locked down. It gives off a negative connotation, and I have yet to find a user who wants to sign up to be “locked down”. I prefer, and encourage our clients to use, the friendlier term “Enterprise Enabled Desktop”. (Side note: our legal team and desktop marketing had no interest in protecting this term, so please feel free to use it generously in your own IT marketing.)
After a brief discovery and understanding of what a client is hoping to accomplish in an Enterprise Enabled Desktop (or EED), the answers most commonly break down to:
It’s no secret Microsoft has a wealth of tools to help IT departments gain and keep control over environments. Many are shared here later, but before diving into a solution I find it most helpful to prime the EED conversation with an illustration of my “Spectrum of Workstation Management”. I usually draw a line on the whiteboard and explain that on the left side is what I consider the wild, wild west, and the right side is your fixed function corporate device.
Here’s an analogy I often share: Imagine a driver for a package delivery company. This driver is given a truck every morning in which he or she makes deliveries. Can they take that truck home on the weekend to help a friend move apartments? No, that increases liability for the company and increases wear and tear, among other things. Can they take that truck in for a paint job or to install a new radio? Of course not, it’s not their truck. That truck is a corporate asset, given to them for the purpose of conducting their job duties. This same perspective can be applied to a corporate workstation. I put this at the far right of my spectrum.
On the far left, as I mentioned, is the wild, wild west. Anything goes here. Users can install, change, and tweak anything they want to. They can update the drivers, install a screensaver they pulled down from any website, or copy their personal movie collection to the device. Basically, they treat it as they would their home machine.
There is plenty of evidence that a machine closer to the left side of the spectrum costs more to own and maintain (Gartner says: $5,500/yr). But traditionally, as a workstation moves further to the right, the amount of freedom the user has on that device decreases. This can be good or bad, depending on the tasks the user needs or wants to perform.
The point I make with our customers is this: classify your users and workstations, and find the most appropriate place on the spectrum for each class. It is probably not appropriate for all users in an organization to be in the same spot on the spectrum. For example, non-technical groups that perform a fixed set of tasks, such as HR or customer service reps, might sit pretty far right on the spectrum. Developers or executives might be more in the middle or closer to the left, giving them more freedom over their machines while still having some basic policies applied to ensure some level of corporate compliance or adherence to corporate IT policies.
(Another side note: this is often where thin clients, which act as a terminal and connect to a terminal server, come in, but that is too much to cover here.)
Once the classes of users are identified, we begin a very basic discussion of the options available for enforcing that placement. There are many tools that help support a workstation’s location on the spectrum. At the most basic level are Active Directory and Group Policy, which manage the fundamental settings and configuration for user identity, machine identity, and baseline configuration. Once a machine is joined to the directory, we can introduce server and domain isolation to ensure that only authorized clients can connect, and to establish the corporate identity. You can also consider Network Access Protection (NAP) in Windows Server 2008 here.
Moving just a bit further to the right, a more advanced management tool is Microsoft Software Update Services for critical patches. Vista added many features and modified existing XP components specifically to make control more granular, enabling users to perform tasks such as adding a printer without needing to be an administrator on the workstation. User Account Control (UAC), while considered a nuisance by many, helps when managed through policy to move more classes of users closer to the right and more fixed-function than ever before.
As we get closer to the rightmost side of the spectrum, System Center Configuration Manager (SCCM, previously known as Systems Management Server, or SMS) comes into play. It provides a complete solution for workstation management, from bare metal provisioning to full lifecycle management and even detecting drift from a desired state. We could also get into more advanced areas such as client monitoring with System Center Operations Manager (SCOM) to really understand the performance and trending of a workstation for future diagnostics, troubleshooting, and response levels.
Keep in mind that even though developers and users with laptops might sit farther to the left, they can still have some basic, core policies applied (Active Directory group policies for things like firewall, proxy, and NAP) in order to maintain some degree of manageability and confidence in the security of that workstation without impairing their ability to do their job successfully.
Information on all the technologies discussed here can be found on Microsoft.com. Search on these terms: