Convincing Your Boss to Move to Windows Vista (Part 2)...second attempt

(Trying this again, after apparently overwriting my earlier blog post....troubleshooting times)

Well, I am long overdue in posting this and I apologize. As many of you are aware, I spend about 70% of my time on the road doing international travel, so I'm usually trying to figure out how to say, "Take me to the <insert hotel chain here> hotel"  in French or trying to figure out what visas I'm going to need for travel abroad.

But today...I'm actually in Houston, Texas for the big Windows Vista, Office 2007, Exchange 2007 Launch event. We got about 3,000 good Houstonians here and there all gearing up to see the keynote. I'll be speaking later today in a session entitled Infrastructure Protection and Protecting Your Company's Intellectual Property. Both are really good session. Click the links to see the demos (not my voice, but still cool).

Okay...where were we? Oh yeah, budget meetings are coming up and you need to convince the boss why you need to move the company's laptops/desktops to Windows Vista. Lots of us aren't comfortable having the "business discussion" (which is why we're IT folks and not Donald Trump). Previously I discussed BitLocker, UAC, and some other stuff. Today I'm going to discuss the changes in Internet Explorer 7, Windows Firewall, and the Device Blocking features.

  • Internet Explorer 7-
    • What it is - The new browser from Microsoft! It contains tabbed browsing, RSS feeds, and some much needed protection (which it needed!)
    • Why you should care - The security features of IE7 are extensive. We now have a Phishing Filter, which is going to sweep the URL against a database of known phishing sites, as well as scan against your previous sites (so if you've been to multiple times, why would you suddenly be going to We also have this ability to do One Button fixes for users who get into the Security Settings and muck them up and forget what they did. One Button allows them to click a single button to reset the default permissions, which is nice. We also include a feature known ad IE Protected Mode, which limits the area that software downloads attempt to install into. We don't want evil.exe just dumping into your system area do we? Now it can't. There's also ActiveX Opt-In, International Domain Name support. You should also care because IE7 is being pushed out via Automatic Updates to your WinXP machines, so your users might be installing it like a regular monthly update.
    • How do I tell my boss? - "It's about naked, dancing pigs, Boss. All of security awareness efforts and all the technical controls we put into place come down to a single decision when a user sees a URL that says 'Click here to see the naked dancing pigs'. Do you realize how many infections we get on our network from our users going to suspect websites? Our IT staff spends a lot of time rebuilding local machines and sometimes segments of the network because of it. IE7 is a crucial (and free) aspect of those controls.
  • Windows Firewall and Windows Firewall with Advanced Security-
    • What it is - It's the new BI-DIRECTIONAL firewall that's built into Windows Vista. Based on your feedback, we made it filter not only inbound, but outbound as well.  We actually provide two consoles to access it. The first you can get to via the Control Panel and it's essentially the "dashboard" of whether you got it turned on (recommended) or turned off (bad bad...highly not recommended). The other console is a MMC snap-in and I like to call it the "IT Pro Firewall Console".
    • Why you should care - The new Windows Firewall with Advanced Security allows you to see all the profiles (private, public, domain) and their status in the firewall. It also allows me to see all the rules (both inbound and outbound) and the single location for you to setup any IPSec you may have running on the machine. (Makes sense doesn't it?) No more loading up the dreaded IPSec Wizard with all those gory multiple layers of dialog boxes. Now it's very easy to setup policy with about 8 clicks. Nice. 
    • How do I tell my boss? It's about defense-in-depth, Boss. We got tons of money invested in our perimeter firewall, but that doesn't help us if bad things start within our perimeter. The reason we don't use encrypted connections between workstations now is because it's just too hard to get it setup properly. The new Windows Vista firewall will cut down on that pain, and ensure we have encrypted connections from Point A to Point B.
  • Device Blocking -
    • What it is - A new GPO that prevents the installation of USB devices (some or all) and can limit who can write to burnable media.
    • Why you should care - Data Leakage. Ask me what the two biggest ports open in your network and I'll tell you: The doors by the receptionist. USB thumbdrives, cell phones, iPods (oops.....I meant "portable media devices') as well as burnable DVDs. You've asked for a simple way to shut it down and now you have it. You can block all USB devices....but allow the special IT Dept USB thumbdrives and USB mice....but nothing else. We can also block the ability to use the DVD-R. Sweet smackdown.
    • How do I tell my boss? - Hey Boss....companies lost over $300 Billion dollars last year from industrial espionage. (FYI, there are currently more spies out of work now than anytime in world history) Our biggest risk is data walking out the front door, not from some 17-year old Finnish kid hacking through our six perimeter firewalls. Vista provides a single policy that we can eliminate the majority of that risk. Think we're not at risk? Here's an example of a German product that was counterfeited based on stolen data by a VERY LARGE country (which I won't mention because I don't want to be Bauered if I travel there...if you get my drift). Original is on the left, the dupe is on the right. Scary, huh?








Before I leave, I really want anyone reading to check out Jeff Jones latest Profiles In Security on our very own David Cross. David is our Director of Program Management for Security. Very smart. He even owns a parrot names "Kerberos". I had the opportunity to meet David a few weeks ago in Redmond and he is what I term "scary smart". PKI questions? David is THE guy.