
Organizations Are Increasing PC Lockdown

As organizations develop their next-generation client computing environments as part of Microsoft Windows 7 planning, many are revisiting their PC control policies. Survey results and feedback from Gartner clients show that organizations are increasing the number of PCs that IT controls by removing administrative rights and using other measures to control PC configurations.

Key Findings
  • Few IT organizations are relaxing PC lockdown policies.
  • For most organizations, the optimal lockdown strategy is to lock down some users, but not all.
  • Windows 7 does not provide a comprehensive solution to allow users with legacy applications that require administrative rights to run as a standard user.
Recommendations
  • Implement PC lockdown policies to maintain PC standardization.
  • Assign lockdown policies by role or user type.
  • If legacy applications are the only thing stopping you from locking down your users, then remediate the problem applications or use a privilege management tool to allow those applications to run on PCs that are configured as a standard user.
  • If you're reconsidering your client management tools strategy and struggling with accommodating user personalization, consider work space virtualization management or composite client management tools.
STRATEGIC PLANNING ASSUMPTION(S)

Through 2015, IT organizations will continue to deploy lockdown policies on the majority of PCs.

ANALYSIS

Restricting administrative rights to minimize management costs and the security attack surface has been a standard desktop management best practice for over 10 years. In many organizations, however, the freedom to install applications and make PC configuration changes is embedded in the client computing culture; this is a difficult force for IT to overcome. Even IT organizations that have political support for PC lockdown likely have users who need to make system changes to do their jobs. For these users, overly restrictive policies can stifle productivity and, in some instances, "break" their applications. As organizations develop their next-generation desktops as part of Windows 7 planning, some clients have asked whether PC lockdown policies are counterproductive and out of touch with today's world. The reality is that most organizations are increasing the number of users who are locked down. The occasionally voiced sentiment that IT is too controlling or draconian in its policies is not resulting in actual PC control policy changes within IT organizations.

The term "lockdown" does not have a singular definition. It describes a control spectrum, which can range from drafting an IT policy enumerating rules about software installation that may not be "enforced" at the user's system (more of a trust system), to implementing more controlling measures, such as removing administrative rights and using Windows group policies and other software to control other elements of the PC configuration. IT has a range of options to use that can be combined to address a single user's or groups of users' requirements, while ensuring the appropriate flexibility to do their jobs and remain protected from vulnerabilities.

The center of gravity of the lockdown versus autonomy debate is typically around administrative rights — i.e., the rights within Windows that allow users to install software or make other configuration changes. This is usually the "hot button" issue, because administrative privileges have the biggest impact on the degree of change that users can make to their machines. In a perfect world, IT organizations wouldn't care about locking down the PC; they would only care about the services they provide. The reality is that standardization (through lockdown techniques) must be maintained to provide effective desktop services and keep security risk at an acceptable level. Every change to the system changes the configuration and presents the risk that the machine will become unstable or that a new attack path will be introduced. The quality of desktop services, such as application delivery and troubleshooting, depends on standard, stable configurations. Standardization is the objective; lockdown is one of several practices that helps organizations achieve that goal. Gartner covered the benefits of PC lockdown and cautioned against unlocking machines based on cultural pressure in "Organizations That Unlock PCs Unnecessarily Will Face High Costs."

Are Organizations Locking Down Less?

The answer to one of the most frequently asked questions from our approximately 300 client inquiries is "no." Some organizations have started to question the conventional wisdom that locking down the PC is a best practice because of these cultural and technical issues. In the fourth quarter of 2009, we surveyed audiences at Gartner events composed mainly of individuals in IT infrastructure and operations organizations about their lockdown policies (see Figure 1). More than half of the people we asked said they are increasing the percentage of organizations that are locked down, and almost another one-third said they are keeping the same policies in place, while a small minority (17%) said they are reducing the number of locked-down users.

Figure 1

Is the trend at your organization with respect to controlling the PC? (n=150)

Source: Gartner (February 2010)

Lockdown by User Type or Role

Most organizations lock down a subset of end users, rather than everyone. This is likely the lowest-cost approach for most organizations, because some users have legitimate needs to install applications to do their jobs (see Figure 2).

Figure 2

The Relationship Between IT Support Costs and PC Lockdown

Source: Gartner (February 2010)

Lockdown policies should be developed based on user type or role. Data entry workers, often structured task users, and hourly workers are usually locked down. Developers typically require administrative rights to do their jobs, and power users typically have administrative rights as well, because their needs and working style are typically unpredictable. Many organizations provide administrative rights to road warriors, because it is often better to give these users access to their machines rather than have them rely on the IT organization to help them, especially when these users could be anywhere. Senior executives are typically granted administrative rights. Gartner will cover user segmentation for PC lockdown in more depth in future research. We recommend using "Segmenting Users for Mobile and Client Computing" as a starting point to identify key worker profiles for client computing and apply control policies based on those user profiles.

Application Issues

Many organizations keep users (who otherwise would be locked down) unlocked because they use applications that require administrative rights. Windows 7 does not address this problem for legacy applications. Therefore, users should remediate applications that need rights to specific resources, or look at a third-party product that elevates users' rights for applications that require them as a tactical measure to deal with the problem (see Note 1). From a cost standpoint, enterprises have to make sure enough users have this requirement to justify the investment, as there are license, maintenance, training and implementation costs. However, our total cost of ownership (TCO) model shows that the IT labor cost for a standard user is 24% lower than that of an administrator. (If legacy applications are the only things stopping enterprises from locking down their users, then a privilege management tool should be used.)

Application Control Tools

Gartner is also seeing increased adoption of application control tools, which control the execution of applications on the PC. IT administrators can block known unwanted applications (i.e., black list) or only allow the execution of permitted applications (see Note 2). Enterprises can use these tools to block applications that don't require administrative rights; in this way, the tools complement a lockdown strategy that removes administrative rights, because they block applications that don't require administrative rights to install. Enterprises can also use them to control application use for users who have administrative rights, thus providing a control mechanism for these users. Application control tools are becoming increasingly available from various sources: endpoint protection vendors, PC configuration life cycle management, point solutions, and, recently, AppLocker, which is part of Windows 7 Enterprise.
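As an added illustration of the allow-list ("only permitted applications run") approach this section describes, the following PowerShell builds a baseline AppLocker policy from the software already installed on a reference PC, applies it in audit-only mode, and then reads the audit events that show what would have been blocked. It is example code written for this reprint, not from the Gartner note or any vendor's product; the inventory directories and the test path are assumptions.

```powershell
# Added example: build an AppLocker allow-list from a reference PC and run it in audit mode first.
# Requires Windows 7 Enterprise (or later) with the AppLocker cmdlets and the Application Identity service.
Import-Module AppLocker

# 1. Inventory the executables already present on the reference image.
#    These directories are assumptions; adjust them to the organization's standard build.
$reference = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' `
    -Recurse -FileType Exe

# 2. Turn the inventory into rules: publisher rules where a binary is signed, hash rules otherwise.
#    -Optimize collapses many files from one publisher into a single rule.
$policy = New-AppLockerPolicy -FileInformation $reference -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 3. Start in audit-only mode so nothing is blocked while the rule set is validated against real usage.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Check a specific binary against the draft policy before deploying it (test path is an assumption).
#    PolicyDecision reports whether the file would be allowed or denied for the given user.
$verdict = Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone
$verdict | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply the policy to the local machine (use -Ldap instead to write it into a Group Policy object).
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 6. After a trial period, review what would have been blocked. Event 8003 in the
#    'EXE and DLL' log is the audit-only "would have been prevented from running" record;
#    each distinct message points at an application that needs a rule or remediation
#    before enforcement is switched on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Sort-Object Message -Unique |
    Format-Table -Wrap
```

Once the audit log stops producing new 8003 events for legitimate business software, the same policy can be switched to Enabled for enforcement.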

Emerging Options for User Personalization

Client virtualization technologies are emerging that will help address the lockdown versus autonomy problem. Client virtualization technologies decouple the components of the PC (applications, data/settings, operating system [OS] and hardware), thereby reducing their dependencies. Changes that users make (e.g., installing an application) should have less of an impact on other components on the PC. Client hypervisors, work space virtualization management (e.g., InstallFree, RingCube and MokaFive), and composite client management tools (e.g., Unidesk, Viewfinity and Virtual Computer) all promise to help organizations deal with user-installed applications in different ways.

Client hypervisors allow multiple OS instances to exist on a single piece of hardware. IT can manage a locked-down corporate image and allow users to install a second, unmanaged personal image on the same piece of hardware. The suitability of this type of solution for user personalization will depend on the enterprise's specific circumstances. For example, one client stated that many of its users work 60 hours a week, and the IT organization felt that it was not on solid political ground to tell these users that they couldn't install personal finance applications on their work computers. In this case, offering the option of a second virtual machine where personal applications reside can be a viable option. In other situations, users will want to install applications within their corporate environments. In these cases, a separate virtual machine solution may not be viable.

Work space virtualization management and composite client management tools offer alternative approaches to managing user environments to traditional PC configuration life cycle management tools. Both categories of tools manage the local PC in composite layers, allowing the major components of the work space (hardware, OS, applications and data) to be managed separately. All solutions in this category claim to offer some capability to separate user-installed applications and manage them in a different layer. These technologies can affect PC lockdown strategies in two ways:

  • First, they could help enterprises increase the percentage of users who are locked down in cases where a second virtual machine solution is viable.
  • Second, they can help enterprises control user-installed applications better and recover PCs that have become unstable due to application conflict.

Organizations that are struggling with user personalization, particularly user-installed applications, should evaluate these technologies as part of their strategic planning.

Source: Gartner RAS Core Research Note G00174099, Terrence Cosgrove, Ronni J. Colville, 2 February 2010.
Note 1
Privilege Management Tools

Avecto, BeyondTrust and Viewfinity

Note 2
Whitelisting/Blacklisting Tools

McAfee/Solidcore, Bit9, etc.