Energizer Holdings is a global manufacturer of batteries and portable battery-powered devices, and is the parent company of popular brands such as Energizer, Banana Boat, Edge, Hawaiian Tropic, Schick, and Playtex. As part of its ongoing commitment to innovation, Energizer wanted to upgrade to the Windows 7 Enterprise operating system but also needed a way to easily maintain control over which software applications employees could install on company computers. With the help of the Microsoft Managed Platform and Services Delivery team, Energizer implemented Windows 7 AppLocker, which it now uses to specify which software can run on its computers. As a result, the company has enhanced its IT security, reduced the number of application rules it manages by 80 percent, improved system performance by as much as 75 percent, and increased productivity by the equivalent of 80 full-time employees.
Situation
Energizer Holdings is one of the world’s largest and most-recognized manufacturers of primary batteries, portable battery-powered devices, portable flashlights and lanterns, and, under the Schick and Playtex brands, personal shaving products. The company is headquartered in St. Louis, Missouri, and has more than 15,000 employees in offices around the world.
The battery giant recognizes that innovation is one of the reasons for its long history of success—both through innovations in its own lines of popular products, and through the technology innovations it uses to keep operations running. In fact, the company has a policy to always use the latest software technologies in its day-to-day business. The company wants the technology it uses to be so simple and easy that its employees can focus on business, rather than spending time managing a complex infrastructure. “Our mantra is to be on the bleeding edge of technology and to give our employees the latest and greatest tools that they need to do their jobs and do them well,” says Chuck Henderson, Manager in the IT department at Energizer.
In the spirit of being innovative and current, Energizer uses the latest versions of many Microsoft products and technologies, including Microsoft Exchange Server 2010, Microsoft SharePoint Server 2010, and the Windows Server 2008 R2 operating system. To bring its client operating system up-to-date, the company sought to upgrade its 7,600 managed client computers from the Windows XP Service Pack 2 operating system to the Windows 7 operating system. In addition to upgrading its client operating system, however, the company had several business requirements to consider: enhanced application security, simplified maintenance, and improved performance.
Energizer had been using Group Policy to implement software restriction policies in Windows XP. By using software restriction policies, IT administrators were able to manage and control which applications employees could install on client computers, preventing potentially malicious software and virus threats from infiltrating the corporate network. The company used a hybrid “deny-allow” methodology for application control. It maintained a list of denied applications to prevent employees from downloading and installing unauthorized software, and also elevated some applications, such as those developed in-house, to run with elevated administrator tokens. This ensured that the company had security-enhanced application control, but with the flexibility that employees needed to do their jobs. “With our application security strategy, we try to strike a balance,” explains Henderson. “We want a high level of control to keep out applications that can pose a risk to people and to the network, but we need a certain level of openness in order to allow people to access the resources they need to do their job.”
While software restriction policies in Windows XP enabled Energizer to maintain tight control over what software was installed on its corporate network, they were a reactive, laborious solution, requiring the IT department to continuously maintain a long list of denied software. In fact, one person who worked on the team that helped manage the desktop environment for Energizer was dedicated full-time to setting up and managing the list of denied applications. Plus, the list of application rules, to which the company dedicated resources to maintain, grew to more than 3,300 rules. As a result, the company wanted an operating system that would enable it to persist with its application control efforts, as well as simplify the IT tasks that came with maintaining lists of denied applications and rules.
In addition, the company sought to improve system performance with the operating system upgrade. With its previous operating system, Energizer employees experienced significant lag times during the startup sequence—sometimes between five and eight minutes. “It’s not uncommon to experience performance issues with an aging operating system—Windows XP is a reliable operating system that we pushed hard over the years,” explains Henderson. “But we were ready for an upgrade and wanted to see a boost in performance. Eight minutes of startup time for every employee is a lot of lost productivity.”
Solution
Without hesitation, Energizer decided to upgrade to the Windows 7 Enterprise operating system, including the Windows Internet Explorer 8 browser, starting with a pilot deployment in October 2009. For the deployment project, Energizer worked with Microsoft Managed Platform and Solution Delivery (a division of the Management and Security Product Division at Microsoft), which has provided a desktop management service to Energizer for more than four years. By working with Microsoft Managed Platform and Solution Delivery, Energizer receives real-time feedback on desktop management and security solutions, which enables the company to provide business value and focus on its core business—manufacturing.
Energizer started a production deployment of the operating system in June 2010, and by November 2010, upgraded 70 percent of its managed client computers. The company plans to complete its upgrade to all 7,600 computers by June 2011.
Software Application Control
To address its need to maintain control over which applications are installed on its client computers, and to help prevent unwanted software from being installed, Energizer implemented AppLocker—a feature in Windows 7 that enables the company to specify what software is allowed to run on client computers through centrally managed, flexible Group Policy settings.
Energizer decided to use an “allow” methodology to prevent unwanted software; that is, it blocks unwanted or unapproved applications by default and specifies the applications, installers, scripts, and libraries that are allowed to run on company PCs. To implement this methodology, the company first had to evaluate its application portfolio. By using Microsoft System Center Configuration Manager 2007 R2, Energizer and the Microsoft Managed Platform and Solution Delivery team took a full inventory of all the applications in the Energizer application portfolio and then determined which of those applications were allowed and across which user groups.
After completing the application inventory and creating its list of allowed applications, the team further customized the AppLocker rule types for applications. AppLocker supports four rule categories: executable, Windows Installer, script, and DLL (dynamic-link library). For each of the four rule categories, Energizer set rule conditions by which applications are allowed or denied through AppLocker. The company primarily relied on publisher rules, which enabled it to allow applications from any identified software vendor that digitally signs its applications, such as Microsoft. For its applications that are not digitally signed, such as those that it develops internally and hosts on an internal file share for employees to install, Energizer implemented path rules—conditions that identify an application by its location on the corporate network. Finally, Energizer used file hash rules to create a cryptographic snapshot of a particular application file. By using file hash rules, the company blocked updates or upgrades to business applications solely developed on a specific version of a supporting application, such as Java, that might render the application incompatible.
Once the team set the rules, conditions, and exceptions for AppLocker, it tested its rule set, validating the rules and setting up event logging to easily identify issues. Then, it created a process for managing the rules, including giving help-desk employees the ability to modify rules in real time to quickly assist employees and not impede business productivity.
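The inventory, rule-building, audit, and test steps described above can be sketched with the AppLocker PowerShell cmdlets. This is an added example, not Energizer's or Microsoft's actual policy or tooling; the directory, file, and account names are hypothetical placeholders, and it uses file hash rules as the fallback for unsigned files rather than the path rules the company chose for its internal file share.

```powershell
# Added example: every path and the test account below are hypothetical placeholders.
Import-Module AppLocker

$referenceDir = 'C:\ReferenceApps'             # placeholder: folder of approved software
$policyFile   = 'C:\Temp\applocker-draft.xml'  # placeholder: draft policy output
$testUser     = 'EXAMPLE\pilot.user'           # placeholder: account used for the dry run

# 1. Inventory: collect publisher, path and hash data for each approved executable.
$inventory = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Build allow rules. Signed files get a publisher rule; unsigned files fall back
#    to a file hash rule. -Optimize merges rules that share a publisher.
New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Approved' -Optimize -Xml |
    Out-File -FilePath $policyFile -Encoding Unicode

# 3. Switch every rule collection to audit-only. A collection left as NotConfigured
#    is enforced as soon as it contains rules.
[xml]$policy = Get-Content -Path $policyFile
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyFile)

# 4. Dry run: list executables the draft policy would not allow for the test user.
$exePaths = Get-ChildItem -Path $referenceDir -Recurse -Filter *.exe |
    ForEach-Object { $_.FullName }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exePaths -User $testUser `
    -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. On a pilot machine only: apply the audit-only policy locally (this replaces the
#    existing local policy). The Application Identity service must be running.
Set-AppLockerPolicy -XmlPolicy $policyFile

# 6. After the pilot has been in use for a while, summarise what would have been blocked.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```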
Future Implementation Plans
With AppLocker successfully implemented, Energizer plans to evaluate other features in Windows 7 Enterprise. In an effort to support greater efficiency for its mobile and globally distributed workforce, some of whom work from small, remote offices in emerging countries, Energizer plans to implement DirectAccess. By using DirectAccess, employees can connect to the corporate network through an Internet browser, without needing to establish a virtual private network (VPN) connection.
The company is also evaluating BitLocker drive encryption for enhanced security and to help protect sensitive data, such as intellectual property and other corporate information, from being accessed by unauthorized users who come into possession of lost, stolen, or improperly decommissioned computers.
Benefits
By upgrading to Windows 7 Enterprise and implementing AppLocker, Energizer has maintained control over which applications it allows into its network environment and further enhanced network security. The easy-to-use, flexible rules in AppLocker helped the company reduce the number of rules it manages, resulting in better use of IT personnel resources. Furthermore, Energizer improved system performance, particularly with startup time, which helped dramatically increase employee productivity.
Enhanced Desktop Security and Control
As a result of implementing AppLocker in Windows 7 Enterprise, Energizer remains confident that it can effectively prevent unwanted and unauthorized software, which might be dangerous, from being installed on its corporate network. Instead of managing separate lists of denied and allowed applications, the company set up AppLocker to allow only approved applications, ensuring that applications that are not on the list cannot be inadvertently installed. By eliminating the list of denied applications to manage, Energizer can rely on a more proactive approach to application security, instead of a reactive approach that required IT administrators to add applications to the deny list. “We’re ahead of the game now and don’t have to be reactive when it comes to application security,” says Henderson. “In the end, this helps ensure better application control.”
When the company implements DirectAccess and BitLocker, it will further enhance its IT security. For instance, by using BitLocker, Energizer will be safeguarded against data loss in the event that a computer is lost or stolen. With DirectAccess, mobile and remote employees, who typically would have to connect to the corporate network through a VPN connection, will be connected to the network anytime they access an Internet connection. This will help ensure that company computers receive critical software updates, virus definitions, and Group Policy updates, even when they are not connected to the VPN. “But by using DirectAccess, we can still get updates, software packages, and other critical information to computers, and also get important information back into System Center Configuration Manager, every time users log on to their computer and establish an Internet connection,” says Henderson.
Reduced Managed Rules by 80 Percent
Energizer relies primarily on publisher rules in AppLocker, allowing digitally signed applications from reputable software vendors to be installed on its corporate network. This methodology helps to eliminate the need for time-consuming rule management tasks. Publisher rules endure application updates, so even when applications are updated by software vendors, Energizer does not have to spend time updating any of its publisher rules.
Furthermore, the company reduced the number of rules it has to manage by 80 percent—from 3,300 rules to only 50. In fact, previously, one employee from the Microsoft Managed Platform and Solution Delivery team managed rules on a full-time basis on behalf of Energizer. That personnel resource is now freed to work on more strategic tasks, such as proactively managing the desktop environment. “With AppLocker, we can use a method that enables us to simply allow applications, instead of individually denying applications,” explains Henderson. “By doing so, we can create a security-enhanced environment with 80 percent fewer rules to manage and can deploy IT resources elsewhere. That is only going to continue to improve over time as more and more reputable software vendors start digitally signing their applications.”
Improved System Performance
Since upgrading to Windows 7 Enterprise, employees at Energizer have seen a dramatic boost in system performance. Whereas previously, employees had to wait up to eight minutes for their PCs to start completely, now the startup sequence takes less than two minutes. “Windows 7 Enterprise is more efficient, especially in the way that it handles Group Policy settings,” explains Henderson. “As a result, employees around the world can start up their computers in less than two minutes—in some cases, that’s a 75 percent improvement.”
Increased Employee Productivity
In addition to the improved system performance that Energizer has seen with the Windows 7 operating system, the company has also noticed increased employee productivity. “A few minutes saved on startup might not sound so impressive on its own,” says Henderson. “But if you multiply that by 7,600 computers and the number of working days in a year, it adds up quickly. We are handing back to the business the equivalent of approximately 80 full-time employees as a result of upgrading to Windows 7.”