By Don Reisinger  |  Posted 2009-05-26
 
 
 

Correcting the Rhetoric: Windows Vista Is Secure


Windows Vista has come under fire for not being as secure as some would like.

Whenever operating system security is discussed, it seems Windows takes the brunt of the criticism. Critics (and even some supporters) say the operating system is insecure. They claim it causes issues for the enterprise that reduce its ability to keep mission-critical data out of the hands of malicious individuals.

There's no debating that Windows isn't as secure as it could be. But then again, the only operating system that doesn't need to be more secure is one that isn't prone to any vulnerabilities. That operating system doesn't exist.

But just how insecure is Windows? If you believe the Microsoft haters, Windows (and especially Vista) is exceedingly insecure. It's a nightmare.

Here's the reality: it's not. Can Vista be more secure? Of course. But you know what? So can Linux and Mac OS X. And as long as a company has Windows Vista installed, it won't need to worry about security as much as the detractors claim.

Windows Vista is just fine for the business world.

Security reports

When it comes time to evaluate just how secure Windows really is, it's best to start with the security documents that provide (hopefully) objective data about the state of security in the Windows ecosystem. If Microsoft and security experts can be believed, Vista is doing better than the most ardent Microsoft haters want to admit.

According to Microsoft in its latest Security Intelligence Report, which covered the last half of 2008, Vista has performed relatively well. During the period, the IT industry was affected by fewer vulnerabilities. Microsoft claims the total number of vulnerabilities during the period decreased by 3 percent compared to the first half of 2008. Vulnerabilities declined by 12 percent compared to 2007. The total number of High Severity vulnerabilities was down 16 percent from 2007.

Buried in the Security Intelligence Report was an interesting fact that most IT managers would probably like to know: "more than 90 percent of vulnerabilities disclosed affected applications or browsers." Just 8.8 percent of all vulnerabilities affected operating systems, 4.5 percent affected browsers, and 86.7 percent affected applications. In other words, it wasn't necessarily Vista that was the problem.

Since Microsoft has a vested interest in making itself look good, it's difficult to believe everything it reports. But when a trusted security source, PC Tools, reported recently that Vista is more secure than any other Windows operating system on the market, it should have put the industry on notice.

The security firm counted 639 unique threats (malicious code that penetrated security software in the OS) over a six-month period for every 1,000 machines running Vista. XP suffered from 1,021 unique threats per 1,000 machines in the same period.

Late last year, Alexander Sotirov, a security expert at VMware, wrote that Vista is vulnerable to attacks, such as those using the ANI cursor vulnerability, in which the victim has been duped into running malicious code on their computer. The operating system has memory protection features that make it more difficult for malicious hackers to run that code on Vista computers, but it's still not perfect. At first glance, that might seem like an indictment of Vista. But Sotirov said in an interview with ZDNet's Ed Bott that "in XP, a lot of those protections we're bypassing don't even exist. XP is even less secure than Vista in this respect...Vista is still very good [emphasis added] at preventing vulnerabilities."

But it goes beyond studies.

Features and Naivete


Vista is filled with a variety of security features that really do keep the enterprise more secure. User Account Control ensures that the user is forced to permit an application to run. It's not perfect and it can be annoying, but it does go a long way in giving users a second chance when they decide to run potentially malicious code. 

At the same time, Vista security can be enhanced when IT managers simply force employees to run as users with limited rights. It effectively creates a situation where the employee can only engage in business activities and not perform the kind of actions (such as installing applications) that put data at risk.

On the browser side, Protected Mode in Internet Explorer runs the entire surfing process in a sandbox, making it more difficult for users to access system locations. That simple addition makes it easier for administrators to control how users surf the Web. They can limit the employee's ability to install malware.

Those are just a few examples of many that help make Vista more secure. But when evaluating the security of Vista, it's impossible to ignore the fact that, in many cases, it's the employee's naivete that leads to problems. No, they shouldn't open attachments on their work e-mail from people they don't know. No, they shouldn't be downloading software onto their computers from an untrusted source. No, they shouldn't be surfing to sites that contain malware. But the problem is: they do. And when they do, we can't expect Vista to be perfect and stop every threat.

So in the end, we need to look at Vista for what it really is: a piece of software that, while not perfect, is better than the critics say. And in the enterprise, it's still a good choice.
