Report Casts Doubt on Vistas Security Impact

By Matt Hines  |  Posted 2006-05-08

Report Casts Doubt on Vistas Security Impact

An early review of the much-publicized security features due in Microsofts next-generation Windows Vista operating system concludes that the tools may be so unfriendly to users that they delay enterprises move to adopt the new product.

In a research report published May 8, analysts at Boston-based Yankee Group said that Microsofts latest attempt to better secure its dominant OS is significantly off the mark. Based on feedback garnered by the experts from a wide range of software developers already testing preview versions of Vista, Yankee Group said that the intrusive nature of the security features could turn off IT administrators and users alike.

While the researchers laud Microsofts efforts to reduce account privileges to slow the spread of malware, lock down holes in its Internet Explorer browser, improve network access controls and integrate anti-spyware and anti-phishing applications into Vista, the report concludes that the execution of some of those plans may encourage companies to take a wait-and-see approach with the OS.

Andy Jaquith, the analyst who authored the report for Yankee Group, said that many people already working with Vista feel that Microsofts security tools are unnecessarily repetitive and even patronizing, and interrupt the workflow of administrators to the extent it makes their jobs harder to perform.

Specifically, Jaquith, who tested a preview version of Vista released in December 2005, said that Microsofts incorporation of user accounts that strictly limit access privileges via its User Account Control feature will be "particularly problematic."

Microsoft representatives didnt immediately offer comment on the findings of the Yankee Group report, but confirmed that they had read its contents.

Guru Jakob Nielsen offers advice on designing applications for usability. Click here to watch the video.

By forcing end users with such accounts to constantly seek approval from administrators to complete tasks they manipulate freely in todays versions of Windows, and creating headaches for those people charged with handing out such permissions, Jaquith said the features may simply be ignored or shut off by many people.

Read more here about delays in Vista.

"The User Account Control feature is like Chatty Kathy, its always in your face and the danger is that users are going to start treating it like the snooze button on their alarm clock and hitting yes without looking to see why theyve been prompted," said Jaquith. "A lot of people, especially home users, will probably turn the feature off so theyll essentially be no better off than before."

Another issue with the User Account Control is that it is incompatible with popularly used anti-virus applications from companies such as Symantec and McAfee, forcing customers to wait until those firms have rewritten their products to mesh properly with Vista.

The analyst said he was surprised to see that the new SafeDocs backup program shipped with Vista can only be run by IT administrators, not end users.

Next Page: Putting itself at a disadvantage.

Putting Itself at a


Yankee Group contends that Microsoft has also put itself at a disadvantage by failing to invest sufficient effort into its partnership programs for ISVs, making it likely that additional third-party programs being built to run on Vista will need more development work before coming to market.

Related delays could keep Vista-oriented products from arriving for as much as a year after the OS is introduced sometime in 2007, the report said.

Jaquith said that Microsoft is headed in the right direction with its security work in Vista, but said he believes that it will take the company at least a year before it is able to make the features it has already added more digestible for administrators and end users.

One of the major issues will be the way in which the security tools "fundamentally shift" the way that administrators interact with Vista, he said, in that people who were used to having almost unlimited access to desktop controls will find themselves more limited in their scope of authority.

"Its not a step backward, but the features are going to cause some disruption in the manner that people work and will interfere with some peoples perceived ability to do their job in short term," said Jaquith.

"If people had unfettered access to everything before, putting limits on that is going to be pretty jarring, but I think its something that Microsoft had to do in some way."

So many viruses depend on their ability to take over computers Windows administrative controls in order to spread themselves that the feature should have success in slowing attacks and protecting corporate networks, the analyst said.

In light of the issues surrounding Vistas security tools, Yankee Group is predicting that the software introduction will have a limited effect on the anti-malware applications industry, at least in the next year or two. Despite the added time to compete against Microsoft, researchers said that many providers of individual security technologies addressed by Vista, such as anti-spyware or anti-phishing filters, will likely consolidate to offer more integrated packages of defense software.

Ziff Davis Media eSeminars invite: Join us on May 11 at 2 p.m. ET to learn critical best practices for e-mail and instant messaging applications, including tips on "hygiene" from Gartner.

"Were telling enterprises, if youve got security controls in place and third-party packages that youre working with, keep using them, but Vista is eventually going to change the need for those," said Jaquith.

"We feel companies should really wait until the end of 2007, or the beginning of 2008 at the very earliest to get into the work, as Microsoft will have likely issued a service pack by that time to address any major issues."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Rocket Fuel