Wednesday, November 29, 2006

Security: Oh the exploits they are a coming

Let's face it, nothing is secure, but somehow pundits want to argue that option A is always better than option B. George Ou of TechRepublic is one of the most vocal bloggers on the ZDNet boards and his views, though not entirely without points, don't always seem to fit as many situations as I think he'd like.

In one of his more recent posts he notes again his support of Vista's newer granular security and the idea that you don't need AV. While I agree with him in that AV software is a severe performance drain and that the improvements to Vista's security layers should help, I also realize there are circumstances where you can't use the security model that George advocates.

Case in point: the mobile worker/field worker. I myself spend about half my day on other customers' LANs, more than on my own employer's. Relying on restricted local permissions isn't going to cut it; by the nature of my work, I have to do a lot of my work as an Administrator or Power User. The fact that I am also relatively "naked" from myself to the wire means I can't rely on gateway AV. In a Utopian world everybody else would implement the same level of security and be equally protected, but that just doesn't happen.

The idea that an "end user" can get along fine with restricted permissions is something that I've had to tackle for a long while as a support person. Let's say, for instance, you've got a remote customer and you're trying to assist them with something using a remote access tool like LiveMeeting or WebEx. Oops, they aren't an admin user; they can't even install ActiveX applets. Well hey, great... Even if code signing applied here, most system admins would limit the installation of anything outside of the corporate standard.

Now, am I saying the various *nix flavors fix this to a T? No, not really. Unix's standard permissions system is definitely long in the tooth, but it is still one of the easiest to get a grasp on initially as an admin (at least I thought so). The problem with high-granularity security is that you can find yourself trying to herd cats. You have so many security policies defined, so many exceptions defined, that you can't trace back what happened in your AD without having a well-structured change log/management system. Now, while that works if you're a large organization, try to picture it from the perspective of the smaller business or the small IT shop.

In the end there's no one answer for all. I feel there's definitely room for layered security, but it has to be applied appropriately and with scrutiny and care.
