Doug's Mailbag: OS Lockdown Revisited, More
Locked-down OSes are this week's topic du jour. Today, a few readers who aren't completely opposed to the idea explain why:
I can't believe I am saying this, but I like the idea of a locked-down OS. With teenage kids, being able to provide them with a locked-down OS would mean the "emergency" repairs to that box at 10:30 at night on Thursday because the big project is due on Friday morning would be gone! And working in a hospital, the ability to provide locked-down KIOSK machines to the patients' families would be a huge benefit to them and to our IT department. I like the idea. I just wonder how much the price will go up for the new "feature"!
I would hate to have a locked-down operating system to work WITH, but I would love a locked-down system to work ON. From an IT perspective, a locked-down computer in many cases is not optional.
Working in manufacturing, I would love to see the computer systems tied with specialized equipment to be locked down. An example case, a multimillion-dollar piece of equipment that simply cannot run anti-virus, but must be connected to the network for job information. This is a nightmare to deal with and requires a lot of custom network configuration and hardware to ensure they are not infected. In this case, a fully locked system would be helpful as long as the data can make it out of the system.
As long as MS provides a version without this "feature," I don't see a problem. Could be very useful for company tech departments. Also, I wouldn't mind having it on may kids' computers. They have no sense about what they should or shouldn't install; they get stuff from friends and the Internet that can really mess up the system. I'm sure schools would find it very useful, too. The obvious problem comes if MS controls what can be installed, not the user or administrator. I don't mind if they prevent you from installing the same copy of Office on several machines (it is a copyright violation, you know). But suppose they decide that OpenOffice isn't "compatible" enough and prevent us from installing that?
I guess we'll all have to refuse to buy "locked-down" machines or OSes. Sounds easy enough, but on several attempts I've been unsuccessful at getting Linux to run on my systems (and I make my living as a software developer). Also, most of us are walking around with cell phones that are locked to a specific carrier and we just keep buying them, don't we? It would be nice to think that the market would prevent MS from being too draconian, but I'm not so sure we can count on that.
The concept is interesting and my recommending it to clients would depend upon the ability to turn it on and off. (Very creative thinking on Microsoft's part! Kudos are in order.)
If we could not disable it in order to make changes -- configuration, etc. -- then I would NOT support it.
Most of the USAF already has locked-down computers. The standard desktop configuration (SDC) is preconfigured with all the apps that 80 percent or more of the users need. The user has no admin or power user privileges. And even the local support personnel's admin rights are severely constrained by domain policies.
As a user/local admin, it is frustrating. As a security officer, it is comforting. And I'm sure to high-level IT leadership, it has reduced cost.
But James remains solidly against the idea:
I'm sorry, but my answer to the question about locked-down computers wouldn't be no -- it would be HELL NO! There is no way I would buy or even recommend the purchase of computers that could only be upgraded or have software installed by the manufacturer. If you have end users that are breaking into your systems, past your IT-installed safeguards, then it might be time for that end user to find a new company to work for. Or if they are a continuing problem, then I would disconnect their system from the network and their call would move down the list of support calls. I have never had to do this before but I wouldn't hesitate to do it. In fact, if it got to that point, I think I would go down during after-hours, remove their computer and leave them a tablet of paper and say, "Here ya go. Since you can't seem to stop installing unsupported software, here is your new computer."
But to buy a computer that only the manufacturer could install software would be idiotic. What happens down the road when an engineer needs to install special software for testing purposes? Or a new designer is hired and we need to re-allocate a workstation and add AutoCAD to their system? To me it just doesn't make sense.
Meanwhile, Ken responds to how one anonymous reader expressed his disagreement (to put it mildly) with the Microsoft patent:
I find comments like that of "Anonymous" that merely rant against Microsoft a complete waste of my time. If you want to rant and have it published, you should be willing to sign your name. I would suggest that you edit out such comments from future publications.
And finally, Earl has a few bones to pick with recent reader comments about Mac pricing and Apple ads:
Jon wrote, "but I would hope an IT professional would be willing to admit that functional and useful differences exist between OS X and Windows."
I am an IT professional. I work with PCs, Macs and Linux. I agree that there are functional and useful differences between OS X and Windows. There are also functional and useful differences between those OSes and Linux. What is his point? All three OSes will perform similarly if properly configured on adequately powered computers. Macs will cost the most, need the least amount of configuration, be the most expensive to repair, have the most expensive software, and have the least flexibility. Linux will cost the least, be the most flexible, need the most configuration, be the cheapest to repair, have the least expensive software and the smallest selection of software. PCs are in the middle when it comes to flexibility, software availability and price, need for configuration, repair and flexibility. PCs are also the easiest to network.
Dan's comparison of PC/Mac advertising to the truth of the dangers of cigarette smoking is ludricrous. Legislation and bans of cigarette ads reduced the number of smokers and amount they smoke, not "truth." Not even legislation (antitrust lawsuits) has slowed Microsoft.
More reader letters -- including some thoughts on Microsoft's OS naming conventions -- coming next week! Meanwhile, tell us what you think by leaving a comment below or sending an e-mail to [email protected]
Posted by Doug Barney on 06/05/2009 at 1:16 PM