The assertion that "Vista is light years ahead" of Windows XP on security kicked off a storm of e-mail at the Burton Group.
"What is really the difference?" asked one analyst. "It won't matter how far ahead Vista is.... If the alerts [from User Account Control (UAC)] get too annoying, the users will just turn them off and then who cares?"
I responded: "There's a lot more to Vista than UAC. There's service hardening, full volume encryption, device driver signing, kernel patch protection, address space layout randomization, better group policy, better crypto and smart card support and generally higher-quality code."
Unconvinced, the analyst replied: "I still have to buy [antivirus] or pay Microsoft for it. I still have to deploy firewalls. I still need some type of patching system. Where is the benefit of Vista?"
Another analyst, a Mac user, added: "If you have to patch it less frequently, if it's easier to manage (for example, through improved group policy), that's a big win for an enterprise. But all this just reduces cost and management overhead; the actual security difference is probably not huge."
This implies Vista is only light years ahead, not warp speed ahead. While most attacks are being developed for Office, Internet Explorer and application-layer components, Vista will receive its share. The new operating system doesn't really change the reactive patch, update and clean paradigm of endpoint protection.
"Recall the debut of Windows 95," another analyst said. "People lined up like they do now for gaming consoles. It was a big deal. Now the [operating system] is fading into the appliance, at least as far as the consumer is concerned. If the packaging were simpler, the pricing more aggressive, and the features liberating instead of constraining [with digital rights management], more people would upgrade in advance of buying a new PC, helping Microsoft convert the installed base faster. Microsoft's actions do not typify a company that's defining the future but one that's protecting the past."
Vista will protect Microsoft's desktop dynasty, but migration will come at a cautious pace. Given Vista's large hardware footprint and compatibility issues with security tools such as existing third-party antivirus and Internet Explorer 6 applications, there is little reason for enterprises to rush forward before Microsoft's partner ecosystem works out the kinks. Consumers will get Vista when they buy new machines. Enterprises should generally deploy Vista per their desktop refresh cycle, but may need to delay for months if stability issues or compatibility with applications, management or security infrastructure arise.
Doubts and caveats notwithstanding, enterprises should look to leverage Vista in conjunction with other security infrastructure initiatives that Microsoft discussed in its keynote presentation at the recent RSA Conference. These include Network Access Protection and IPSec end-to-end authentication/policy enforcement. Yet another area of opportunity centres around Microsoft's work on implementing identity management and Web services security standards such as WS-* and OpenID.
Vista security is mostly something you create, not purchase. Vista migration for the enterprise should be part of a larger strategic goal to get the user out of the sysadmin loop and improve the security of applications running on the operating system. This involves establishing managed desktop environments, and working with vendors and business developers to reduce application privilege requirements. Worries about UAC should recede, and systems can be made less susceptible to malware and other attacks. These are the kinds of things that could change the game.
Blum is senior vice president and research director with the Burton Group, an integrated research, consulting and advisory service. He can be reached at firstname.lastname@example.org.