Posey's Tips & Tricks
Windows To Go: Microsoft's OS Becomes Portable
Brien discusses the security issues tangled with remote user access and highlights how Microsoft may be simplifying the process with its upcoming Windows To Go bootable device.
One of the big problems that has plagued IT for many years is that of remote users. Organizations need to be able to give remote users access to corporate resources, but this access must be provided in a secure manner.
In the past the main solution to this problem was company-issued laptops. However, laptops are easily lost, stolen or damaged and if not properly secured data can be compromised in the process.
Over the last few years VPN, terminal and VDI solutions have become more prevalent. Rather than attempting to issue users a pre-configured laptop, the organization provides remote users with access to a portal session through which they can access network resources or even an entire virtual desktop. The nice part about this solution is that it can be used from almost anywhere. The down side is that the user can only access these resources if they have Internet access.
Security can also be a concern. I had one friend who inadvertently exposed lots of sensitive data to the world. His son had been using the computer for dubious purposes and infected it with a number of Trojans. Needless to say, the next time that my friend connected to the corporate network bad things happened.
Today it is possible to reduce the chances of this happening by configuring Microsoft's Network Access Protection feature. In case you aren't familiar with Network Access Protection, it is a feature in Windows Server 2008 and Windows Server 2008 R2 that allows you to compare a remote PC's configuration against a health policy and then only allow the PC to connect to the network if it is in a healthy state. For instance Network Access Protection could be used to make sure that a PC's antivirus software is up to date and that the Windows Firewall is enabled.
Although this type of solution works relatively well, a lot of companies avoid using Network Access Protection because it can be complicated to configure. Even so, that hasn't stopped VDI solutions from becoming the standard mechanism for accessing corporate desktops.
While I don't expect VDI to go away any time soon, Microsoft is providing another alternative for remote users in Windows 8. Windows 8 is going to be offering a new feature called Windows To Go. The basic idea is that it will be possible to install Windows 8 on a USB flash drive.
It is worth noting that it has been possible to run Linux from a USB flash drive for many years now. Several years ago someone also figured out how to do the same thing with Windows XP. However, this will be the first time that Microsoft has specifically designed a Windows operating system (other than Windows PE) to run from removable media.
So why is this such a big deal? Windows To Go will make it possible to access a corporate desktop from any PC that supports USB booting. This should prove to be extremely beneficial to anyone who sometimes works from their own personal computer.
If you really stop and think about it, allowing users to use their personal computer for work is just asking for trouble. For example, users may be concerned about their employer being able to see what they have installed on their home computer. IT departments may fear connectivity from personal computers because they know nothing of the computer's state. It might be infested with viruses or the user could be using an ancient and completely insecure operating system. The IT department might also have concerns about users copying corporate data to their personal systems or about tricky licensing issues.
Windows To Go solves all of these problems by allowing the user to simply insert a USB flash drive and boot to a fully managed corporate desktop. The corporate desktop is completely isolated from their personal desktop, which should go a long way toward eliminating the concerns that I just mentioned. To put it another way, Windows To Go makes it possible to place a managed corporate desktop onto an unmanaged host with no worry about what is on the host computer. Furthermore, because the entire operating system is contained within the USB flash drive and nothing is installed onto the computer's hard drive, there is no worry about the user leaving sensitive information behind when they finish using the computer (assuming that they remember to take their flash drive with them).
It's still too early to see how well WindowsTo Go will perform in the real world, but a demo that was given at the Build conference looks rather promising. In fact, I have even heard unconfirmed rumors that the technology will work with Macs.
Brien Posey is a 21-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.