UK’s security branch says Ubuntu most secure end-user OS (maybe)

Kind of late I know but I’ve recently completed a new desktop rollout project for a UK gov department to Windows 7 and found it interesting that CESG supposedly (see below) think that Ubuntu 12.04 is the most secure end-user OS. There was much discussion on this project around the security features and CESG compliance so I find this topic quite interesting.

They didn’t look at a wide range of client devices so other Linux distributions may prove just as secure, as could OSX which seems a notable omission to me considering they included ChromeBooks in the list. It was also pointed out that the disk encryption and VPN solutions haven’t been independently verified and they’re certainly not CAPS approved; but then again, neither is Microsoft’s BitLocker solution.

The original page under gov.uk seems to have disappeared (likely as a result of all the recent change going on there) but there’s a lot on that site which covers end user device security including articles on Ubuntu 12.04 and Windows 7.

However, reading these two articles you don’t get the view that Ubuntu is more secure than Windows – in fact, quite the opposite. There’s a raft of significant risks associated with Ubuntu (well, seven) whilst only one significant risk is associated with Windows (VPN). Some of the Ubuntu issues look a little odd to me, such as users being able to ignore cert warnings, since this is more a browser issue than OS related unless I’ve misunderstood as the context isn’t very clear, but the basic features are there, just not certified to any significant degree. This is an easy argument for the proprietary solution providers to make and a deal clincher for anyone in government not looking to take risks (most of them). I doubt open-source solutions are really any less secure than these but they do need to get things verified if they’re to stand up to these challenges. Governments around the world can have a huge impact on the market and use of open standards and solutions so helping them make the right decisions seems a no-brainer to me. JFDI guys…

Otherwise, the article does have a good list of the sort of requirements to look out for in end-user devices with respect to security which I reproduce here for my own future use:

  • Virtual Private Network (VPN)
  • Disk Encryption
  • Authentication
  • Secure Boot
  • Platform Integrity and Application Sandboxing
  • Application Whitelisting
  • Malicious Code Detection and Prevention
  • Security Policy Enforcement
  • External Interface Protection
  • Device Update Policy
  • Event Collection for Enterprise Analysis
  • Incident Response

IE AppContainers and LocalStorage

IE’s EPM (Enhanced Protected Mode) provides separate containers for web storage between desktop and Metro mode when using the Internet Zone. There’s a page which discusses the detail but never really states why it behaves like this. It seems to me that this is unnecessarily complex and will lead to user confusion and angst – “why does switching to desktop mode lose my session/cookies/storage?” or more simply – “why do I have to log in again?”. It’s also arguably a security risk since users will have multiple sessions/cookies active so could inadvertently leave themselves logged in or could lead to duplicate transactions because items may be placed in the basket in separate containers etc. It would be less of a concern if users couldn’t easily switch, but of course they can because MS has kindly put a menu item on the Metro page to “View in the Desktop”!? It all seems to be related to providing enterprise users with the ability to maintain and configure a setup to provide greater access/functionality to intranet sites than you would want for untrusted Internet sites (enabling various plugins and the like).

To a degree, fair enough, but it’s mostly as a result of intranet sites adopting features that weren’t standardised or hardened sufficiently in the first place (ActiveX, Java etc.). These need to be got rid of, though this will cost companies dearly – replacing existing functionality with something else but with no significant added value to the business bar adherence to standards/security compliance etc. is a hard sell.

So MS is, from one viewpoint, forced into this approach. The problem is it just adds more weight to my view that MS is so dependent on the enterprise customer and supporting the legacy of cruft they (MS & corporate intranets) have spawned over so many years that MS are no longer able to provide a clean, consistent and usable system (some would say they never were…).

Violation of rule #1 – Keep it Simple!

 

Windows 7 Incident

Having recently been responsible for an estate wide software upgrade programme for many thousand devices to Windows 7 I sympathise but have to find this amusing. However, it is an interesting approach to achieving a refresh in particularly short order… Make the best of it guys, treat it as an opportunity to audit your estate… I do hope your backup procedures are working though…  😉


Pre-emptive Single Task Operating System++

A while ago I wrote a blog entry about a pre-emptive single task operating system that I think the world needs. It seems I’m not the only one and George RR Martin (Game of Thrones) also thinks there’s a need for this. His seems to stem from security as well as a productivity perspective but I think I grok what he means. The feature bloat in products such as MS Office these days detracts from their usability. They may be able to boil the ocean but it’s not really necessary and just gets in the way of the creative process. However, DOS surely has a limited life and it must be hard to find the h/w components to run this on now. I may fire up a VM with DOS sometime to remind myself of the good-old-days…