VISTA: Don't overindulge

Hoping to roll out Microsoft's brand spanking-new desktop operating system, Windows Vista, across your enterprise? Apparently, so are a lot of agencies ' although when exactly is still up in the air.Whether you start migrating this year or next, there are three crucial issues to keep in mind, according to Michael Silver, analyst for Gartner Inc., who covers the Windows operating system: application compatibility, application compatibility and application compatibility.Government users seem to agree. According to an exclusive survey of GCN readers, application compatibility was the top concern among potential Vista users, above even security. Therefore every rollout will present its own unique challenges.'Most environments are pretty heterogeneous,' said Dmitry Sotnikov, new product research manager at IT management vendor Quest Software of Aliso Viejo, Calif. 'A Vista upgrade will not take the same path for everyone.'Vista, which is scheduled to be available for large government agencies this year, comes with a fresh look and many snazzy new features, some of which could even streamline office routines. But the main thing CIOs and program managers should consider when they think about Vista is how well their applications and computing environments will work with the new OS.Rolling out a new desktop OS requires more than just a day of remote installations. Work must be done to ensure applications remain compatible and users have the feature sets they need. And that's no small chore.Those who maintain the Navy-Marine Corps Intranet, which will eventually encompass more than 400,000 seats, are taking a deliberate path when it comes to rolling out Vista.'We are actively working with Microsoft in beta evaluation, looking at how our apps might work in the operating system. They understand how the Navy would use it,' said an NMCI official who wished to remain anonymous. The organization has been testing Vista throughout 2006, using various versions of the beta.Still, the Navy is in no hurry to roll out Vista to everyone. Instead plans call for a gradual deployment. Vista's predecessor, Microsoft Windows XP, should be supported through 2009, by which time most NMCI users should be running Vista, the official said. NMCI uses the industry standard refresh cycle of four years for desktops, three years for notebook PCs and three years for high-end workstations.Other agencies might deploy Vista even more gradually. The Federal Deposit Insurance Corp., for instance, has no plans to upgrade its desktop computers to Vista, said David Barr, a spokesperson for the agency.According to our survey of GCN readers, 34 percent of respondents said their agency was somewhat or very likely to deploy Vista on a majority of its systems. Which isn't to say they won't deploy it at all. Overall, 11 percent of respondents said they expected to roll out Vista next year, 26 percent in 2008 and 17 percent in 2009.'Most people will not upgrade that fast,' Silver said. Instead most enterprise customers will wait to get the go-ahead from the software vendors whose applications they run, which could necessarily entail waiting a year or more in order to migrate a majority of users to Vista.Microsoft itself recognizes this fact of life. For many agencies, a Vista rollout will 'depend on how advanced an agency is in terms of software,' said Patrick Svenburg, Windows client solution specialist for Microsoft Federal.'You have to make your own assessment and test it into your labs and then take the necessary steps and make a decision of when to deploy it,' Svenburg said.Experts agree the upgrade from Windows XP to Windows Vista will be a major one, and the differences between the two OSes are considerable. And when there are changes to a computing environment, there are always potential problems.Identifying these potential problems in advance will help dictate when an agency can realistically move its PCs to Vista.For instance, Vista has a new driver model, which means some agencies will need a new set of drivers for some of their hardware. These drivers may not be available right away, according to Sotnikov.Vista also comes with a new TCP/IP stack, the protocols needed to communicate on Internet protocol-based networks. Although interoperable with other TCP/IP stacks, the new stack remains untested beyond beta use. That doesn't mean there are problems with the stack itself. But this critical set of protocols now enters the connected enterprise where it will face the wilds of the Internet for the first time.The potential hazard of using a new stack is that it hasn't been hardened through years of use, said Dean Turner, senior manager for Symantec Corp. of Cupertino, Calif.'In the short term, we think we might see an increase in the number of vulnerabilities. In the short term, researchers will be very focused on Vista, and that will have an impact on a government's security posture,' he said.Another area of concern within the security community is the approach Microsoft has taken in protecting the OS kernel, Turner said.Last month, Symantec issued a report decrying how Microsoft cut off access to the 64-bit Vista kernel, making it difficult for security companies to develop third-party tools. Their chief complaint was that Microsoft incorporated PatchGuard, a security protection tool built into the OS.Microsoft responded to these criticisms by announcing plans to to add an application programming interface on top of PatchGuard, so third-party security vendors could continue to offer additional protections to the kernel. So system planners should take note of the new architecture. If the organization wants to take advantage of a growing trend toward 64-bit computing during its next refresh cycle, it will need to test PatchGuard and tools that use its API.If you've only just begun to consider testing Vista for deployment in your agency, you're not alone. In our survey, only 14 percent of nearly 200 respondents said their agency had been testing prerelease versions of Vista.Once an agency spends time with Vista, testing its existing hardware and software and gauging the impact of new features on the enterprise, it's ready to start mapping out deployment. Microsoft has customized Vista into six different offerings, including two for large organizations: Windows Vista Business and Windows Vista Enterprise. For government agencies, Microsoft recommends Vista Enterprise, Svenburg said.Vista Enterprise is available only to customers with a Software Assurance agreement. The advantage of this approach is that the enterprise gets updates and upgrades as they come out. Vista Enterprise also offers a number of new features unavailable in other versions of Vista, such as BitLocker, which encrypts hard drives. Other features include out-of-the-box multilanguage support, an emulation layer for running Unix applications and licenses for virtualization capabilities, allowing users to run more than one OS on a machine.However managers should weigh carefully the additional yearly costs against the usefulness of such exclusive features, Silver said. After all, third-party tools can provide similar functionality.One significant deployment consideration is whether agencies should wait until they get new machines, or try to upgrade the software on their existing units.'We think people should just bring Vista in new machines and not touch old machines,' Silver said. The useful lifespan of an older machine may not justify the investment in a new OS. Interestingly, government users don't see it that way. While a good chunk of respondents to our survey admitted they weren't sure how Vista would make its way into their offices, 37 percent said it would be through upgrades of current systems, versus 34 percent who said they'd acquire Vista on new PCs.Moreover, Vista's hardware requirements, if not considerable, do tend to limit the universe of compatible existing PCs to those purchased in the last couple years. Vista will need at least 512MB of RAM to run properly (and really would be happier with 1GB) and a processor running at 800-MHz or more.Perhaps the biggest leap in hardware requirements is in the area of video. For the nifty Vista Areo look-and-feel, the video card will need to have a not-inconsiderable 128MB of memory, plus support for the new Windows Display Driver Model. That alone may present agencies with their biggest Vista-related decision: Upgrade existing PCs not just with a new OS but also a new video adapter, buy all new PCs, or forgo the new interface.For computers that don't make the hardware requirements cut, Microsoft has provided an option that will allow agencies to stay in lock step with the current release schedule. Microsoft plans to offer a stripped-down version of Windows XP for older hardware that agencies can use until they buy new Vista-capable units. Called Windows Fundamentals for Legacy PCs, this slim version of XP will run on as little as 64MB of RAM, a 133-Mhz CPU and 10GB of hard drive space.The company plans to support Windows Fundamentals for Legacy PCs through the entire lifecycle of Vista (unlike XP itself), said Rhys Ziemer, Microsoft technology specialist. Again, this software can only be obtained as part of an existing enterprise agreement with Microsoft.Of course, ensuring your agency's PCs can run the version of Vista you intend is a baby step. Next comes the actual migration. When rolling out a widespread instance of Vista, Microsoft recommends building a master image and installing it remotely through tools such as Microsoft Systems Management Server, Svenburg said.Getting the image configured correctly, however, will take some work, experts warn. There are many variables to consider, applications being the main ones.Microsoft itself provides several tools at its Desktop Deployment Center [to find it, go to GCN.com and enter 703 in the GCN.com/box]. Using DDC, you can determine what applications you have and start a test deployment to check if they will work in a new environment. Then you can build a version of the operating system that will work with the applications.Companies such as Quest also offer reporting tools. Quest Reporter can scan a network and build reports on what hardware, groups and software your agency has, Sotnikov said. Quest recently agreed to sell $4 million of its infrastructure management software to the Army, in part to help automate deployment across the Army's Windows infrastructure. Companies such as CA Inc. and Hewlett-Packard Co. make similar Windows migration suites.Just keep in mind that even with supporting tools in place, this process of migrating to Vista could take 12 to 18 months for large deployments, according to Gartner's Silver. Part of the reason is that in addition to migrating in-house applications, IT managers may need to work deliberately to turn on some of the new Vista features. Some of these features, such as new interfaces and integrated search, shouldn't add any work during deployment. Others, however, may require additional planning and policy creation.Svenburg, for instance, pointed to BitLocker as highly suited to government offices because it has the potential to minimize incidents of data loss. BitLocker encrypts user-entered data, which then can only be unencrypted with robust authentication.'If you lose a laptop, [someone else] can't fire up the laptop and attempt to read it with another OS,' Svenburg said.But BitLocker could require hardware upgrades, as well as guidelines for employee use. Ideally, BitLocker should run with a Trusted Platform Module chip on the motherboard with a supporting BIOS. (In a workaround scenario, BitLocker could also be run from a USB key drive.) In either case, however, the IT staff would need to set up the supporting infrastructure and the policies for storing data and keys.The Army is currently evaluating BitLocker for deployment.'The Army is looking for better ways to secure their data, yet simultaneously allow the staff to become more productive,' said Lt. Col. C.J. Wallington, who is the division chief for advanced technologies of the Enterprise Information System's Program Executive Office. EIS PEO procures enterprise IT systems for the Army.'We think that BitLocker ... is a great security complement to the Army Common Access Card strategy,' Wallington said, referring to the Defense Department initiative to issue smart cards to all military personnel. 'The ability to encrypt the hard drive and logically tie it to that one specific platform is a very powerful feature. Adding CAC authentication to the operating system after it boots, makes the entire scheme much stronger.'Finally, any Vista rollout should include provisions for 508 accessibility compliance. Vista has an updated set of features that offers disabled users better access to their data, such as improved contrast and magnification, said Ed Leary, Windows and accessibility specialist for Microsoft Federal. When the OS starts up, users get the option of launching accessibility features immediately rather than turning them on later.Perhaps the most notable new accessibility feature is integrated voice recognition. This allows users to start and operate their computers using only voice, instead of typing in commands and text (previous Windows versions supported voice input, but it was not integrated into the base OS). Such a feature could be a real bonus to those with carpal tunnel syndrome, or users who simply aren't good typists.Voice recognition requires something else IT managers must factor into their Vista migration plans: training. It takes about an hour to teach Vista to recognize a user's voice, according to Leary. It also takes time for the user to get used to voice commands.Make no mistake, migrating your enterprise to Vista won't be a picnic. But with some careful planning and testing, the process should go smoothly. As a result, users should be thrilled with new features and rest easier under the blanket of improved security. They may even become more productive.