Reworking custom apps' permissions
Although many people have complained that Vista's new security model breaks apps designed to run in administrator mode -- not in user mode as Microsoft has been urging since 1999 -- this has not caused much of a problem at Kemet. The reason, Padgett says, is that he had already reworked homegrown programs to run in user mode. Today, only five of 50 .Net and FoxPro database applications in use have problems with the new security model, and he expects to have those externally developed apps fixed shortly. Padgett's team has also migrated from Visual Studio 2003 to the 2005 edition, which natively supports the Vista security model.
The issues that some users have had with the new security model didn't apply to a medical setting because his IT group had already locked down the PCs in a way similar to what Vista does by default. "We never gave users full access to the PC [administrator privileges], so they're not seeing a change" in what applications they can run from user mode, he notes.
IT can elevate certain apps so UAC gives them more leeway before issuing warnings. But the long-term solution is to modify custom apps to support the Vista security model and insist that your vendors do the same, says Kemet's Padgett.
BitLockerencryption lacks flexibility
Another Vista security feature has also caused some problems, notes Gary Wilhelm, the business and systems financial manager (a combination of CTO and CFO) at Englewood Hospital Medical Center in New Jersey.
That feature is the BitLocker encryption capability. It is an all-or-nothing tool, encrypting the entire disk or nothing, which caused some access issues on PCs that are used by multiple people with separate user accounts. It also encrypts only the C drive, even though the hospital uses a separate D partition for data, distinct from application and system files. Wilhelm hopes that Microsoft will change BitLocker so it can encrypt just specific files or folders, as some third-party encryption tools already do, and support encryption across multiple volumes.
At the Milwaukee YMCA, IT Director David Fritzke ran into a surprising issue with BitLocker: Users turned this feature on to protect data if their laptops were lost or stolen, but when they left the YMCA's employment, IT discovered it couldn't read the backed-up files from their laptops. BitLocker requires that the data be opened on the actual computer where it was encrypted, even with administrator privileges.
Fritzke's team now uses an awkward workaround: If they need access to a former employees' files, they take back that employee's laptop from its current owner, copy the files to it, decrypt them with BitLocker, and then give back the laptop when done. Fritzke is hoping that Microsoft or a third party will provide a way for IT to open these files when backed up, so he can end this workaround.
The Vista deployment guide: