In recent weeks Dell has been found to have installed rogue certificates on laptops they sell. Not once, but twice. The security ramifications of this are grim. Such a laptop can have its SSL-encrypted connections sniffed quite easily. Dell has responded by providing uninstall instructions and an application that will remove the cert. They've apologized and that's fine... everyone makes mistakes, don't let it happen again. You can read about the initial problem in "Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops" and the recurrence in "Second Root Cert-Private Key Pair Found On Dell Computer".
And here is why I don't care.
Anyone running the vendor-supplied OS with a machine they purchase is...
Wait. I'm trying to find the right word.
"Foolish?" No. That's too judgemental.
"Lazy?" No. That doesn't make the point I want to make.
"Unprofessional? Amateurish?" Again... not exactly my point.
Ah! Yes, that's the word I'm looking for.
Basic operational hygiene dictates that we start each new machine in a "known good state". It makes support easier; otherwise you are creating a self-inflicted support nightmare. It makes upgrades and patches less brittle; otherwise you are creating a situation where upgrades are more likely to fail because the number of variations that need to be tested is unknowable.
Entropy will eventually wreck the software and configuration of a machine and require it to be fixed. If you don't start the machine in a known good state, you are fighting entropy with one hand tied behind your back. You are giving entropy a head start.
Every new machine should be wiped and reloaded with your organization's "standard build". Having a "standard build" is one of the foundational pieces of infrastructure that your organization is responsible for. It is so fundamental that not having this kind of infrastructure is negligent.
I am very particular and careful about using the word negligent. We, as an industry, should have a bar under which falls the expected and fundamental practices of a professional, responsible, IT organization. Not doing those things is unprofessional and therefore negligent.
Having a "standard build" and a fully automated installation process that is used on all new machines is basic operational hygiene for an enterprise desktop/laptop organization. I call it operational hygiene because it is the "brushing your teeth" of fleet management. The "eeeuuuu!" you feel when you see someone who never brushes their teeth should be the same feeling you get when you experience an organization that doesn't have a fully automated wipe-and-reinstall process for desktops and laptops. (To complete this analogy, backups are the "flossing" part. Everyone claims they do it but most people don't.)
So, why do I not care about Dell's rogue certs? Because this blog is for professional system administrators and it would be unprofessional to not wipe-and-reinstall all new machines. Your standard installation should be based on the OS vendor's installation disks, not Dell's. In fact, if you disagree with the certs that your OS vendor includes, you can use this process to control which certs make it onto machines. I bet that the NSA removes certain certs. I'm sure that security-conscious companies like Google and Facebook watch the list of installed certs very carefully and evaluate each one.
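As an added example (not code from the post, from Dell, or from the book), here is a PowerShell audit a fleet admin could run on a Windows machine to compare its machine-wide trusted root and intermediate stores against an allow-list captured from the standard build. The thumbprints in the allow-list are placeholders; the private-key check is there because a trust anchor whose private key sits on the endpoint is exactly what made the Dell cert dangerous.

```powershell
# Audit the machine-wide trust stores against the organization's standard build.
# Flags (1) any root/intermediate cert that has a private key on this machine,
# which a legitimate vendor or OS root never does, and (2) any cert whose
# thumbprint is not in the allow-list captured from a reference machine.

# Placeholder allow-list: replace with the thumbprints recorded from a freshly
# built reference machine, e.g. via Get-ChildItem Cert:\LocalMachine\Root.
$AllowedThumbprints = @(
    'THUMBPRINT-FROM-STANDARD-BUILD-1',
    'THUMBPRINT-FROM-STANDARD-BUILD-2'
)

# 'Root' holds trusted root CAs, 'CA' holds intermediate CAs.
$findings = foreach ($storeName in 'Root', 'CA') {
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$storeName") {
        $reasons = @()
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present for a trust-anchor certificate'
        }
        if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
            $reasons += 'not in standard-build allow-list'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $storeName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a fleet tool can flag the machine for reimaging
} else {
    Write-Output 'Root and CA stores match the standard build.'
    exit 0
}
```

Run it as part of post-install verification, or periodically from your fleet management tool, so that a machine whose trust store drifts from the standard build is found before it is handed to a user.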
You might ask, "What about small companies that buy a PC and use it as-is?" If you are too small to justify an automated OS install system, you probably buy machines rarely enough that you can do the process manually. Even companies with just 1-2 employees generally have a "PC guy/gal" who visits occasionally to do their IT. They should establish a standard build that they install for all customers, even the small ones.
You might ask, "What about my parents who don't have an IT department?" This blog isn't about consumer computing. That's not a cop-out. That's the truth. I am gravely concerned about this issue for consumers. They're in a really shitty situation and it is only going to get worse. I think this is why people are moving to iPads so rapidly. Solving this problem for the general Windows consumer is an unsolved problem.
The 3rd edition of The Practice of System and Network Administration (due out in Nov 2016) will have a greatly expanded section about workstation/laptop management. We call it "Workstation Fleet Management". We cover everything from workstation architecture to policy and delivery, and we even have a chapter on new employee onboarding.
You can read drafts of these chapters if you have a SafariBooksOnline (SBO) account. Chapters 4-11 are an 8-chapter sequence that covers everything you need to know about the subject:
- Chapter 4: Workstation Architecture
- Chapter 5: Workstation Hardware Strategies
- Chapter 6: Workstation Software Lifecycle
- Chapter 7: OS Installation Strategies
- Chapter 8: Workstation Service Definition
- Chapter 9: Workstation Fleet Logistics
- Chapter 10: Workstation Standardization
- Chapter 11: Onboarding
We'd love your feedback about these chapters. You can submit feedback directly via SBO.