In today’s world of IT, there are basically two philosophies when it comes to locking down user desktops. The first is to have everything unlocked to begin with, then gradually lock apps down as you gather data about a user’s activities. The second is to start with a blank slate and have everything locked down initially, unlocking only the apps that are necessary to the user’s job functions. I’ll give a basic overview of the pros and cons to both of these management approaches.

I’ll start off by talking about the first example: going from an unlocked to a locked environment. In my experience, a lot of companies use this method because it is an easy way to manage workstations. There are definitely upsides to this. This method doesn’t prohibit users from accessing resources that uncommon yet necessary and it gives them a sense of freedom and the feeling that their employer trusts them to do their job correctly and efficiently. This also allows the admin to monitor their activities and lock down applications/processes only as needed. While this might seem like a great idea, there are also some pretty serious consequences. A major drawback to this method is that it gives users unlimited access to any part of their desktop and can potentially cause serious problems like providing the power to install any application at will or to map any drive they want. Your ability to safeguard your system is substantially lowered with this approach. Another thing you may want to consider is that when locking down a user's desktop after they have started working on it, you run the risk of upsetting them as they used to have access and “power” and now do not. This leads me into the second method.

The second example I did not know about until I started working with triCerat's Simplify Lockdown software. It is the complete opposite of the previous approach: instead of initially allowing users access to everything and then locking them 'down and out' as it were, this method starts with a blank desktop that provides only enough access to load Windows and run basic Windows required processes. This way, you gradually build up to a fully functional desktop after learning about the user's specific work requirements. This gives the admin full control over what their users can and can't do. End users have nothing to be angry about as they have nothing from the get go, thus miss nothing. Generally, it is usually much easier to give users access to an application then to take it away. Another benefit is the level of security this can provide. Instead of locking down a desktop after a user messes something up, the sys admin can lock down the potentially harmful application beforehand and avoid any security threats and/or stability issues. While in my opinion this sounds great and I personally prefer this method of locking desktops down, it wouldn’t be fair to not also list the disadvantages associated with this method. First off, the initial setup can be a daunting task, especially if there are many applications and processes to consider. If you have users that need different apps depending on which department they are in, it can be a little confusing to establish (although the Simplify Lockdown application does make it streamlined and easy to organize and delegate). Secondly, the 'giving limited access' approach might create some hostility between IT and end users as they might feel untrusted and unappreciated.

Overall both of these methods are perfectly acceptable depending on the type of company you are in and how IT savvy your users are, but personally I prefer the “blank slate” method just because it gives more control over the way desktops are set up and acts as a security blanket. The way I look at it, it's always easier to give something than to take it away.