College campuses prepare for Microsoft Vista challenges

For some IT staffers at Northeastern University in Boston, Microsoft Vista's enhanced security features mean trouble in an environment where students and professors crave open access to the network and scowl at any roadblocks in their way.

Northeastern IT security manager Glenn Hill finds Vista's security tools useful, including the enhanced encryption and user access controls. But he says students and faculty will surely have trouble navigating the new controls. The problems could result in an increase in calls to the information services department, he said.

"People just want to use their technology and don't want to hear about things like encryption," Hill said.

Microsoft launched Vista in November 2006 and IT pros are in various stages of deploying it. Microsoft and experts have touted such new security features as encryption and Network Access Protection (NAP), but enterprises are dealing with a host of compatibility challenges along the way, and some have pushed their Vista deployment schedules into next year as a result.

About Deploying Vista: This is the latest in an ongoing series about the challenges of deploying Windows Vista and the considerations that go into the decision to roll out the new OS. The series highlights the setbacks and successes of those who are at various stages of deployment. Also in this series: When Microsoft Vista and VPNs don't mix Big Microsoft Vista concerns for Big Pharma

Universities, hospitals and government agencies face the same issues with early Vista deployments as many enterprises, said Paul Asadoorian, a former IT security specialist at Brown University. Asadoorian, a senior network security engineer with Rhode Island-based OSHEAN Inc., a nonprofit coalition that buys Internet services for public schools and universities, said many IT security professionals can relate to Northeastern's situation.

"Many students will come back to campus with Vista and so they have to be more prepared than the average company," Asadoorian said. "Academia is more like the Wild West in that the IT shops have a harder time controlling all the computers on its network."

The task of preparing for Vista's invasion of the Northeastern campus has been a big challenge for Hill and his staff. Like many universities, Northeastern resembles a small city, with blocks of buildings. Hill estimates there are 70-plus buildings stretched across five campuses, with 15,000 local network ports and more than 55,000 unique IDs with access to the computer network.

"Academic organizations are about openness, sharing and not keeping everything locked down," Hill said. "Academia abhors controls. But to not do Vista is technologically and financially unfeasible. Every time someone buys a new computer now, it will be running Vista out of the box."

Trouble with virtualization, authentication
Like other early Vista adopters that include the Papa Gino's pizza chain, Northeastern has run into compatibility problems between the new operating system and some of its crucial applications.

Compatibility issues between Vista and Northeastern's virtualization efforts became a big obstacle, since virtualization is imperative in an environment where people are accessing applications 24 hours a day, seven days a week, Hill said. The department has successfully rolled out virtualization software to quicken the deployment of new applications to workstations throughout campus.

While an updated version of Vista addressed the virtualization trouble, Navid Atoofi, the department's SPS director, said the IT department still had to contend with applications that couldn't function with the new operating system. Hill and Atoofi found that Vista lacked a lot of backward compatibility in general, and there have also been licensing problems.

Vista's format also conflicted with Northeastern's authentication policy. Authentication is a complex process at the university because there are several layers of users the policies must account for -- students, faculty and researchers who require round-the-clock-access to the network.

Atoofi is critical of Microsoft for not doing enough to ensure better compatibility and prepare the masses.

Hill added, "A new operating system has many benefits, but it's a disruptive technology because older assumptions [about how the OS works with applications and different policies] are turned on its side."

Users face hard lessons
Hill and Atoofi said the biggest compatibility problems have been ironed out. But now they're bracing for the inevitable calls for help from users who smack head-on into some of Vista's security walls. As an example, Hill noted that Vista will encrypt the user's disk for them, but that if the user loses their PIN code and key, they won't be able to retrieve their data.

"If they don't make a copy of the data on their disk and they lose the PIN and key they're out of luck. They may as well throw the disk away," Hill said.

Asadoorian expects that universities will also have trouble when their access control systems try to scan Vista machines for antivirus software. It's a common practice in academia for the system to check any machine trying to plug into the network to make sure it complies with the institution's security policies. That includes having antivirus software running on the box.

But some antivirus vendors have had trouble tweaking their programs for Vista, and some antivirus detection tools in use throughout academia may not be able to recognize the software on a Vista machine because of configuration changes, Asadoorian said.

Atoofi said the majority of organizations will work out the challenges and Vista will eventually be the dominant OS in use. And while some may have more time to deal with it than institutions like Northeasern, the changeover timetable will be much shorter than what IT shops experienced with past Windows releases, he said.

"The support period for older versions of Windows is getting narrower and narrower," he said. "Microsoft will eventually stop supporting Windows XP, so we'll all have to have Vista."