Barney's Blog

Blog archive

Doug's Mailbag: Putting the OS on Lockdown

More readers give their takes on Microsoft's recently patented OS lockdown technology:

Locked-down OSes would be very appropriate for a corporate environment. For home users, if it could be turned on or off, it would be the best anti-botnet, anti malware device outside of a disconnected CAT5 cable. They need to put it into Windows 7 before release.

No, I personally would never use a computer with the lockdown functionality. Microsoft having the ability to lock your machine down because you upgraded one too many pieces of hardware and Vista now thinks that you've pirated it is bad enough, but at least Microsoft can generally be trusted. The real worry is when this functionality is hijacked by viruses and malware. There are already cyber-extortion programs that are capable of wreaking havoc -- now you're going to give them that ability at the OS level? What are you thinking? And I definitely CAN'T trust Microsoft to secure this function; otherwise we wouldn't have other patches for Windows.

I do see how this could be useful in an enterprise environment, but the network better be inspecting all the packets that come through the door to keep the nasties outside.

Let me get this straight -- I pay for an OS and I can't use it the way I want? I don't think so! No, no, no, I would not use it or recommend it. I can see a cracked OS will become more popular for some. But for me, Ubuntu Linux is looking good. It will be interesting to see what the EU will do; can you say antitrust?

I can see it as a real advantage for better security on company computers. Most viruses are installed by unknowing users, and with a tool like this a company can minimize the threat even more. So if it is used for the right reason, this tool would be very valuable.

On the other hand, just like anything else, a tool could be misused. For example, a VAR/manufacturer could use this to sell systems that only include software that they sell and support, and not allow any other software from being installed. In this case, it does make the system more secure, but it also allows the VAR to lock the customer to only software that is purchased from the VAR/manufacturer. The only valid use for a tool like this would be for businesses to make their computer system more secure; any other use would not be appropriate.

What's locked down, and from whom? Is the lockdown graduated and flexible, the way security permissions are designed in application programs? Or does it flatly lock/unlock? Are there gradations for power users? For people certified in certain apps and tasks? How flexible is this lockdown system?

The number of people in a modern company who need a PC is far greater than the number who can be trained and trusted to use it wisely and ethically. Let's assume the administrator/IT manager is among the enlightened. If s/he can reliably lock down the system from semi-trained and overly adventurous users, that still leaves an important downside: the restriction of users' bright, new ideas that can't be done in lockdown mode. Then users must request permission from IT, write justifications (never get answers from IT). And it begs the question whether the system can be unlocked to do "New Task A" without enabling the download of Key Logger B.

At my company, with over 12,000 PCs, it is a matter of faith that all PCs should be locked down in the sense that the PC's user does not have admin rights. Taking away admin rights is still in progress, with many users arguing that they require admin rights to do their job. How do other companies come down on the admin rights issue (only part of the "locked-down PC" issue)?

More letters coming on Wednesday, including readers' thoughts on Mac prices. Meanwhile, leave a comment below or send an e-mail to [email protected]

Posted by Doug Barney on 06/01/2009 at 1:16 PM


comments powered by Disqus