Death match: Windows Vista versus XP
- — 17 March, 2008 18:32
So there you are, signing the "Save XP" petition, shaking your fist in triumph as you stick it to "the man." It's a liberating feeling. You've found the courage to buck the trend and jump off the Wintel upgrade treadmill. You feel empowered, enlightened. But still, there are these nagging doubts.
Can you really skip the Vista upgrade cycle? Will Windows XP still be properly supported by Microsoft and, as a primary development target, by third parties? Is there something we've missed, some hidden gotcha that's going to trip us up 12, 18, or 24 months from now?
Of course, there's no universal answer to the Vista upgrade question. Yes, in all likelihood you'll be just fine sticking with Windows XP -- at least until Windows 7 ships in 2009 or 2010. But let's not rush to universal judgment. Let's take a close, measured look at the key considerations, and compare Vista's merits against the state of XP on the essential points that IT organizations and end-users care about. And if we can't solve this calmly and objectively, like fair-minded professionals, then let's at least have a good fight.
Are you ready to rumble? OK, then. Operating systems, return to your corners, and come out swinging.
Round 1: Security
Security is one of the first areas to come to mind when considering a Vista migration. Features such as UAC (User Account Control) and Internet Explorer Protected Mode have been making headlines for more than a year -- but not always in the context Microsoft would have wanted. UAC, in particular, has been savaged by critics who balk at its many annoying confirmation dialogs. Just try enabling or disabling multiple network connections quickly or moving a file into a protected folder.
However, even with UAC -- which is really just a more visible, "in your face" implementation of the user account controls that have been built into Windows NT since day one -- Vista still isn't fully secure. There are documented ways around UAC involving Internet Explorer, security token privilege escalation, and the exploitation of the "deprecated administrator" status of the default Vista account model.
More importantly, however, is the fact that most IT shops have already implemented a form of UAC under Windows XP by not allowing domain users to run as local administrators and, in some cases, writing their own "elevation" utilities to make it all work seamlessly. In practice, these "locked down" XP systems are in some ways more secure than a UAC-protected Vista system, because they're immune to the aforementioned privilege elevation exploit. To bring Vista systems on par with XP, you need to force users to work with a true non-admin account, as opposed to Vista's "deprecated admin" account, which puts you right back at square one (that is, where XP is today).
Other security features, such as the updated firewall and more esoteric, internal fixes like Address Space Layout Randomization, are interesting but by no means compelling. Most IT shops have implemented a proper hardware firewall solution or third-party software for mobile/remote users, and address-based code exploits usually require some degree of social engineering to get them to work -- a phenomenon even Vista can't thwart.
Decision: From a security standpoint, there's just not a lot to compel XP shops to upgrade. Many of the issues addressed by Vista have already been resolved under Windows XP using in-house applications or third-party tools.
Round 2: Manageability
One of the key drivers for Windows 2000 adoption, and later Windows XP adoption, was the debut of Active Directory and its Group Policy framework. For the first time, IT shops could address the myriad configuration management issues that plagued traditional, fat client installations, using a standardized, centralized repository of rules and restrictions. Vista adds a few extensions to this mechanism. However, as with the aforementioned security improvements, many of these issues have already been resolved.
For example, Vista adds support for locking down block devices at the client level. This is a useful feature -- you can restrict users from accessing certain external media devices, such as CD driver or USB keys -- but it's another XP loophole that was closed long ago by third-party management agents. Likewise, the inability to install printer drivers using a non-administrator account -- something Vista now allows via a Group Policy extension -- was resolved directly by many large IT shops, in some cases through the creation of their own elevation utilities (see Security for details).
On the management tools front, there is a dearth of new Vista-specific features, either from Microsoft or from major third-party framework vendors. In fact, outside of support for Vista's new image-based installation and deployment mechanism, which is one of the product's few noteworthy manageability improvements, there's little incentive to move to Vista from a purely systems management perspective. The image-based installation model makes it easier for IT to capture a "golden" working image of their runtime configuration, and then spin this out to multiple systems regardless of the underlying hardware. This was a real challenge under XP, so definitely a point to Vista, but given the myriad third party installation and provisioning tools (one or more of which are probably in use at any given IT shop) it's no TKO.
Decision: Moving to Vista provides little or no ROI from a systems management perspective. Yes, the new image-based installation model is a welcome addition. However, the lack of significant innovation in other areas makes Vista's management story less than compelling.