Case Study: DesktopStandard helps an Air Force base streamline and secure its software operations.
How do you make hundreds of changes to 500 desktop workstations without touching them?
That was the seemingly Zen-like challenge for Mike DeBruin, senior systems engineer with RS Information Systems, at Vandenberg Air Force Base in California, near the city of Lompoc.
Employees at Vandenberg are like many others: they operate in a Windows Office environment and sometimes need to use specialized software applications for more sophisticated projects. One year ago, the U.S. Air Force issued the mandate requiring all desktop workstations to have a standardized appearance, software package and centralized security clearance.
DeBruin needed a solution that would let him make quick changes to hundreds of desktop workstations. But even simple tasks, such as changing the default name for all the computers or removing the script enabling users to print, would take days to complete.
If DeBruin forgot to change one workstation, its user might be unable to use critical applications. Or, a user with unnecessary administrator privileges could unwittingly download malicious software and leave the entire network vulnerable to hackers.
To correct these matters, the Air Force had given DeBruin a security mandate for all workstations, and the deadline was rapidly approaching.
DeBruin looked for a third-party vendor whose software was compatible with the Air Force's operating system and all its proprietary software, while simultaneously meeting all his security and administrative needs. After weighing several options, he chose DesktopStandard's PolicyMaker.
"DesktopStandard was the one vendor that had its act completely together," DeBruin said. "They were the only vendor that could do all the things that I needed to have done."
"Too many users with non-administrator privileges is a common problem across all organizations, not just the military," said Kevin Sullivan, director of product management at DesktopStandard, in Portsmouth, N.H. "Most users run their workstations as the local administrator, so when they switch to a nonadministrator user status, there are [incompatibility] issues; they're unable to access certain applications, for example."
DeBruin faced another challenge common to many organizations: a looming deadline. "The Air Force is moving toward a standardized desktop configuration," said DeBruin. "They'd like to centrally control all of their computers from a single location [to minimize security breaches]."
For DeBruin and his peers at other Air Force bases, that meant removing levels of permissions for users and administrators from tens of thousands of desktop workstations.
DeBruin was responsible for 500 workstations located in eight buildings. Manually removing as many levels of permissions as possible on each workstation would take days, if not weeks. But many users still needed access to a variety of critical applications that required elevated privileges.
"When you install Microsoft Windows on a desktop, the default administrative name is administrator, and the policy is that you have to change that name to something else," DeBruin said. "It sounds simple, but we get 150 new boxes a year on top of the 500 we already have, and the concept of logging on at each computer and doing that by hand is tough. We needed a tool that would allow us to remotely change user names and passwords for each box."
There were other challenges. DeBruin needed to eliminate all forms of client-side scripts, which are mini-programs for tasks such as logging on to a workstation or printing from a workstation. Updating hundreds of lines of client-side scripting was laborious, to say the least, and the scripts were potential security threats.
Other security issues loomed, such as a vulnerable file that needed to be removed from all workstations or a new security patch from Windows that needed to be installed. How could DeBruin quickly make 500 changes?
And like many private companies, the Air Force wanted to save money by reducing energy costs, which had risen dramatically in recent years. Although saving money wasn't part of the standardization mandate, DeBruin knew his bosses would be pleased if energy savings would offset the cost of purchasing new equipment.
To begin his search for the right software solution, DeBruin decided to seek a product that was compatible with the applications and operating system the Air Force already used.
"We asked ourselves what the Air Force uses as a central management tool," said DeBruin, referring to Microsoft's Group Policy and Active Directory. "The entire Windows network is built around them, so I knew the Air Force wasn't going to discard them any time soon."
DeBruin said he had used Group Policy and Active Directory before and found that it wasn't as user-friendly as he liked, nor could it perform all the functions he needed. He investigated all the software packages that were compatible with the Air Force's system and researched studies and articles looking for a product that enhanced the functionality of Group Policy.
DeBruin said he looked at four or five vendors. "They offered free trials, and we downloaded them and played around with them," he said. "But [DesktopStandard's PolicyMaker] had the most granular functionality of any of them."
The man who wondered how he could make changes to 500 computers without touching them said he had his answer. Due to security restrictions, DesktopStandard was unable to install the software and train DeBruin and his colleagues on-site. As a compromise, DesktopStandard provided an online simulation in which DeBruin participated.
DesktopStandard enabled DeBruin to remotely install security patches or remove vulnerable files at every workstation. Unnecessary scripts and user privileges were eliminated from DeBruin's office, although he could authorize some users who needed higher levels of access for certain applications.
Using DesktopStandard also saved money. When Vandenberg Air Force Base had initially switched to flat-panel computer screens, the power-saver mode failed to engage on them, and, thus, that feature wouldn't work. DesktopStandard enabled DeBruin to remotely order the screens to turn off at night. He estimates that energy costs were reduced by $10 per workstation per week, or roughly $260,000 per year.
Most important, Vandenberg said he met the Air Force's standardized desktop initiative with a minimum of manual labor and headaches.
DeBruin said he was pleased with DesktopStandard's support and training.
"The people at DesktopStandard are really knowledgeable," DeBruin said. "They don't offer your usual tiered tech service where the first rep is just reading off a script: 'Have you tried restarting your computer?' Whenever I had a question, I never had to be transferred because the first person I spoke to didn't understand the problem or have a solution."
In fact, DeBruin said he wishes he had taken DesktopStandard's training course before using the software. "DesktopStandard had set up a conference call for training, and I decided I wanted some hands-on experience prior to the call so I could ask better questions," he said. "But I didn't understand some aspects of the package and had to call them for technical support."
Sullivan said the Air Force's security requirements made installation and training a bit of a challenge. But he said he was impressed that DeBruin understood his challenges so clearly, which made it easier for DesktopStandard to supply the right solution.
"Out of a list of about 24 [types] of functionality that we have, they focused on eight of them," Sullivan said. "The No. 1 issue was the standardization mandate, and, when [DeBruin] looked at what we had to offer, we clearly met his needs better than the other solutions he was considering."
Understanding your current application and the new package is critical, DeBruin said. "A lot of people buy software packages, and they don't know how to use them," he said. "If I had ordered DesktopStandard but didn't know what Group Policy was, I wouldn't have understood it. You need to spend some time understanding the concept behind the package before you dive in."
Ira Apfel is a freelance writer based in Bethesda, Md. Contact him at firstname.lastname@example.org.
Case File: Vandenberg Air Force Base
Location: California, near the city of Lompoc
Organizational snapshot: Responsible for Department of Defense space and missile testing and satellite launches
Business need: Eliminate client-side scripting, remove unnecessary user privileges, standardize desktops and reduce energy costs
Technology partners: DesktopStandard
Recommended solution: Deploy DesktopStandard's PolicyMaker software to meet its administrator needs