Microsoft leaves colleges vulnerable

Microsoft's licensing policies and legal restrictions that forbid schools from distributing software patches to many students are leaving IT executives at universities with potentially thousands of unmanaged desktops that pose a serious security risk.

The issue is that higher-education institutions, and other organizations outside Microsoft and its resellers, don't have the legal right to distribute Windows software to computers they do not own. For most schools, that is a majority of their student desktops.

The result is that universities can't distribute patches for many Windows-based machines; instead they must rely on students to patch their own systems.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Microsoft's licensing policies and legal restrictions that forbid schools from distributing software patches to many students are leaving IT executives at universities with potentially thousands of unmanaged desktops that pose a serious security risk.

The issue is that higher-education institutions, and other organizations outside Microsoft and its resellers, don't have the legal right to distribute Windows software to computers they do not own. For most schools, that is a majority of their student desktops.

The result is that universities can't distribute patches for many Windows-based machines; instead they must rely on students to patch their own systems.

As a result, schools end up with lopsided networks with secure network infrastructure servicing clients not adequately patched and protected.

"We have one set of licensing agreements in place to handle site licensing for faculty, staff and employees, and then we have the infamous black hole for student-owned computers because they are not owned, managed or have site-licensed software installed," says Rodney Petersen, coordinator for the Security Task Force at Educause, a nonprofit association of 1,900 schools that promotes IT in higher education.

Microsoft offers licensing options for student machines but the cost is prohibitive, with requirements to cover entire departments or entire campuses. Few schools subscribe, according to Educause.

The problem joins a list of growing Windows-patching challenges in specific industries. In July, Network World uncovered potentially life-threatening patch problems that plague the healthcare industry.

Educause's Security Task Force is encouraging Microsoft to adapt to the unique relationship schools have with students through licensing revisions or modifications to Microsoft's software distribution technology.

The higher-education community has solutions in mind but is skeptical of Microsoft, which has promised a long-term remedy but has yet to provide details.

Some say the solution should combine flexibility in both delivering patches to machines not owned by the university and how it can be done.

"Educational institutions are looking for more flexibility to secure the entire network," Petersen says. "They don't want to rely on students getting a CD or going to an update server."

Many users are trying workarounds using methods that don't scale, including Active X controls for rudimentary patch assessments, or don't work well. Products that perform security checks before allowing access typically require client-side code, which is impossible to load on student machines new to campus. Remote security scans also are difficult because many students use personal firewalls.

What complicates the matter further is that Microsoft is legally required to track software it distributes in case of a recall. If schools re-distributed patches they would have to log and track each user, including those that leave the university system.

Microsoft also closely guards distribution to secure the integrity of the software.

Company officials said in a statement that they are "working closely with their higher-education customers on this and exploring options to meet the unique needs of the campus computing environment."