Theres Still Life in the Post-Vista Security Aftermaket

By Larry Seltzer  |  Posted 2006-05-08 Print this article Print

Opinion: Yankee's basically right that opportunities remain after Vista ships, even if it misses the point in some areas.

Every new version of Windows brings with it fears about which software aftermarket will get steamrolled by a new Windows feature. The big questions with Vista are about security, and there are some fair ones to be sure. Some people assume that once Microsoft includes a feature in Windows its curtains for anyone trying to sell a competitive product, but this has proved false more often than not. Personally I still think the whole browser issue was overblown, but certainly the inclusion of Windows Media Player for free has not been the death of competitive products. Many programs included with Windows, like WordPad, Paint, and even the backup and firewall programs, provide only perfunctory capability.

How far should an operating system go with bundled programs? How much money should companies leave on the table for others, or at least, for others to compete for?
The Yankee Groups report on the effect they expect Windows Vista to have on the security aftermarket asks a lot of the right questions. Some of their answers are spot on, and some are ... well, Id say strange.

Yankee is right to put the Reduced Account Privileges at the top of the list for important Vista features, but I still think its of more importance to consumers than to enterprises. Whine as they will to the contrary, enterprises have always had management tools to allow them to lessen the privileges of their users. They have chosen not to for a number of reasons.

Ziff Davis Media eSeminars invite: Join us on May 8 at 2 p.m. ET as security and identity management experts and Sun Microsystems look at how identity management provisioning can help lower TCO and realize ROI payback. Its true that there are some tasks in Windows XP that require administrator privileges for reasons that are, at best, controversial. Changing a VPN connection, changing the system time, installing a printer and that sort of thing will no longer require admin privileges on Vista.

But the real problem is badly written applications that require access to registry and file system areas that everyone knows programmers shouldnt use. Companies that have relied on such applications for years have at the same time avoided fixing the applications. Running them as limited users on Vista will allow users to bump their credentials on a case-by-case basis or to whitelist them. By the way, this has been possible for some time through the runas command, although doing so somewhat compromises the administrator credentials.

For consumers, on the other hand, restricted accounts will be much more helpful, unless they rely on an application that wont run. The few notorious examples of such programs, Intuits QuickBooks being the most notorious, will have a hard time making excuses for themselves when Vista comes around. Some users, perhaps prodded by lazy support at Intuit, will just ignore the warnings and log in as an administrator, but theres no question that there will be a huge jump in Windows users who are substantially protected against malware by virtue of the limited rights under which they run.

What does this mean for the security aftermarket? It shouldnt mean a lot. None of these protections will make all that malware out there go away, and users will need protection. Even if everything goes well and the attack surface for Vista is small compared to XPs (I do believe this will be the case, and Yankee seems to think so, too), then the need for protection against attack doesnt go away, its just greatly lessened, and the impact of attacks that get through is also lessened.

Next page: Specific claims.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel