Security – the risk of introducing non standard image machines to a corporate environment

anti-virus, security

I’m after some feedback from those in the managed desktop or network security space on the risks of introducing machines that are not built on a standard desktop image into a large corporate environment. This particular context relates to the standard corporate image (32 bit Win XP) in a large multi-national not being suitable for a particular segment of users. In short, I’m looking at what hurdles we might come across by proposing the introduction of machines which are built and maintained by a handful of software developers and not based on the corporate desktop image (proposing 64 bit Win 7).

I suspect the barriers are primarily around virus definition updates, the rollout of service packs and patches and the compatibility of existing applications with the newer OS. In terms of viruses and software updates, if machines were using common virus protection software with automated updates and using Windows Update for service packs and patches, is there still a viable risk to the corporate environment? For that matter, are large corporate environments normally vulnerable to the introduction of a machine not based on a standard image?

I’m trying to get my head around how real the risk of infection and other adverse events is from machines being plugged into the network. There are multiple scenarios outside of just the example above where this might happen (i.e. a vendor plugging in a machine for internet access during a presentation). Would a large corporate network normally be sufficiently hardened against such innocuous activity? I appreciate the theory as to why policies such as standard desktop images exist; I’m just interested in the actual, practical risk and how much a network should be protected by means other than what is managed on individual PCs.

Best Answer

I presume the question is what ADDITIONAL risk is introduced from a non-standard PC. Done properly, very little. Done badly, a whole bunch.

Whether image-based or not, the PC install needs to work with the corporate systems or guidelines in the following areas ... each exception adds security risk.

1- OS - if Windows, it should be in the domain
2- Security/Permissions on the local computer
3- Anti-virus
4- Patch management
5- Web Access / Filtering / Monitoring

Image-based deployment is not done to manage risk, it is done to manage workload and increase control. A non-standard computer will require more work to deploy and support. Each "exception" has to be built and managed separately. The techs will not just know it, so problems will take longer to figure out. The standardization nazis will whine and complain, and that wastes everyone's time.

Snide remarks aside ... if the organization has invested in an imaging infrastructure, I would compromise to avoid deploying systems that don't work with it. If possible to accept some delays while images are dealt with, or to compromise on the configuration, go with it. Or purchase an extra system, give one to the imaging folks, and use the exception until they have an image ready.

Take care.
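The five areas listed in the answer above are the ones an exception machine gets measured against, so a practical way to keep the "done properly" side of the argument honest is to audit the non-standard box the same way the imaged ones are audited. The script below is an added example, not code from the original answer or asker: a read-only PowerShell audit of a 64-bit Windows 7 machine that checks domain membership, local Administrators membership, registered anti-virus products, Windows Update configuration and proxy settings, and prints a pass/fail table. It assumes PowerShell 2.0 or later in an elevated session; the expected local-admin members (`Administrator`, `Domain Admins`) and the 30-day hotfix threshold are assumptions to adjust to the site's policy.

```powershell
# Added example, not from the original post. Read-only audit of a Windows 7 PC
# against the five areas in the answer. Run elevated; PowerShell 2.0+.

$report = New-Object System.Collections.ArrayList
function Add-Finding($area, $ok, $detail) {
    [void]$report.Add((New-Object PSObject -Property @{ Area = $area; OK = [bool]$ok; Detail = $detail }))
}

# 1. OS / domain: Win32_ComputerSystem reports whether the box is domain-joined
$cs = Get-WmiObject Win32_ComputerSystem
Add-Finding "Domain" $cs.PartOfDomain ("Domain/workgroup: {0}" -f $cs.Domain)

# 2. Local permissions: enumerate the local Administrators group via ADSI
$adminGroup = [ADSI]"WinNT://./Administrators,group"
$admins = @($adminGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
# Assumption: only the built-in Administrator and Domain Admins should be members
$expectedAdmins = @("Administrator", "Domain Admins")
$extraAdmins = @($admins | Where-Object { $expectedAdmins -notcontains $_ })
Add-Finding "LocalAdmins" ($extraAdmins.Count -eq 0) ("Members: " + ($admins -join ", "))

# 3. Anti-virus: Security Center (root\SecurityCenter2 on Vista/7) lists registered products.
#    productState is reported raw; only "at least one product registered" is asserted here.
$av = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue)
$avDetail = if ($av.Count -gt 0) {
    ($av | ForEach-Object { "{0} (state 0x{1:X})" -f $_.displayName, $_.productState }) -join "; "
} else { "no product registered with Security Center" }
Add-Finding "AntiVirus" ($av.Count -gt 0) $avDetail

# 4. Patch management: Automatic Updates must be set to install automatically
#    (NotificationLevel 4 = ScheduledInstallation), the service must run, and a
#    hotfix must have been installed recently (30-day threshold is an assumption).
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$wu = Get-Service wuauserv
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$recent = $false
if ($lastFix) {
    $installed = [DateTime]$lastFix.InstalledOn
    $recent = ($installed -gt (Get-Date).AddDays(-30))
}
$patchOk = ($au.NotificationLevel -eq 4) -and ($wu.Status -eq "Running") -and $recent
$patchDetail = "AU level {0}; wuauserv {1}; last hotfix {2}" -f $au.NotificationLevel, $wu.Status,
    $(if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn)" } else { "none found" })
Add-Finding "Patching" $patchOk $patchDetail

# 5. Web access / filtering: is the corporate proxy configured for this user?
$inet = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Add-Finding "WebProxy" ($inet.ProxyEnable -eq 1) ("ProxyServer: {0}" -f $inet.ProxyServer)

$report | Format-Table Area, OK, Detail -AutoSize
```

A machine that passes all five rows is not guaranteed safe, but a failing row is exactly the "exception" the answer warns about: it is the item the desktop team would otherwise have had to discover by hand when something goes wrong.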
