My company's desktop security software suite includes active firewalling capability as well, which is able to whitelist applications based on administrator approval. This works very well, and I'm not at all convinced that Windows Firewall is going to give us a better experience. It seems like a perfectly good product for home users who want to manage their own applications, but that's a long way from what goes in on an IT shop of our size. We need administrators to configure and approve software communications, and as far as I know, Windows Firewall can't be centrally managed in a way that allows easy approval that can be quickly propagated throughout the organization. Yes, there's Group Policy, but is that really the ideal management tool?
Furthermore, I'm looking into a new software tool that performs behavioral profiling and adaptive blocking of application execution on end-user workstations. This commercial software runs on the computer for a while, building a database of behaviors that are then "locked in" as known-good. Any subsequent execution attempt must be approved before it is allowed. That seems to me to be much better than a classic network-port-control firewall.
Finally, I gave some thought to Bitlocker. Unlike whole-disk encryption, which is what we have, Bitlocker encrypts only specific files and folders. This leaves open the possibility that important files might be left unencrypted due to human error or omission. It's up to the individual user or administrator to determine which locations get encrypted, and if users place files outside those areas, they will remain in the clear. With whole-disk encryption, we are assured that all confidential data on the hard drive is protected. (I'm also considering replacing our standard hard drives with self-encrypting drives, but that's a bigger project for another time.)
I can see how in small shops, like say a dentist's office or a single-office law firm, the built-in software components offered by Microsoft could be a good choice. But in bigger operations like my company, I just don't think they scale. While I applaud Microsoft for making them available, I don't perceive the level of maturity I expect from an enterprise solution. That doesn't mean the conversation is over, however.
The folks in the desktop group are not as concerned about security as I am -- they just want to make their life easier. So the question is, how much of a battle is this going to be?
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.