Every new version of Windows brings with it fears about which software aftermarket will get steamrolled by a new Windows feature. The big questions with Vista are about security, and there are some fair ones to be sure.
Some people assume that once Microsoft includes a feature in Windows it's curtains for anyone trying to sell a competitive product, but this has proved false more often than not. Personally I still think the whole browser issue was overblown, but certainly the inclusion of Windows Media Player for free has not been the death of competitive products. Many programs included with Windows, like WordPad, Paint, and even the backup and firewall programs, provide only perfunctory capability.
How far should an operating system go with bundled programs? How much money should companies leave on the table for others, or at least, for others to compete for?
The Yankee Group's report on the effect they expect Windows Vista to have on the security aftermarket asks a lot of the right questions. Some of their answers are spot on, and some are … well, I'd say strange.
Yankee is right to put Reduced Account Privileges at the top of the list of important Vista features, but I still think it's of more importance to consumers than to enterprises. Whine as they will to the contrary, enterprises have always had management tools to allow them to lessen the privileges of their users. They have chosen not to for a number of reasons.
It's true that there are some tasks in Windows XP that require administrator privileges for reasons that are, at best, controversial. Changing a VPN connection, changing the system time, installing a printer and that sort of thing will no longer require admin privileges on Vista.
But the real problem is badly written applications that require access to registry and file system areas that everyone knows programmers shouldn't use. Companies that have relied on such applications for years have at the same time avoided fixing the applications. Running them as limited users on Vista will allow users to bump their credentials on a case-by-case basis or to whitelist them. By the way, this has been possible for some time through the runas command, although doing so somewhat compromises the administrator credentials.
For consumers, on the other hand, restricted accounts will be much more helpful, unless they rely on an application that won't run. The few notorious examples of such programs, Intuit's QuickBooks being the most notorious, will have a hard time making excuses for themselves when Vista comes around. Some users, perhaps prodded by lazy support at Intuit, will just ignore the warnings and log in as an administrator, but there's no question that there will be a huge jump in Windows users who are substantially protected against malware by virtue of the limited rights under which they run.
What does this mean for the security aftermarket? It shouldn't mean a lot. None of these protections will make all that malware out there go away, and users will need protection. Even if everything goes well and the attack surface for Vista is small compared to XP's (I do believe this will be the case, and Yankee seems to think so, too), the need for protection against attack doesn't go away; it's just greatly lessened, and the impact of attacks that get through is also lessened.
Specific Claims
So let's look at some of Yankee's specific findings and recommendations.
Yankee believes that the two-way firewall in Vista commoditizes the desktop firewall market. They recommend that existing players not look on it as a growth item in the future. There's something to this, although third parties have typically combined actual firewall functions (the blocking and opening of TCP ports) with IPS functions that are much less threatened by Vista.
This will aggravate what is already a confusing situation, and the third parties will be hurt by calling their products firewalls. They need a new name; otherwise Yankee will be right, and the fact that Vista comes with a competent firewall will doom them.
There are a number of other desktop IPS products, but most of them are either small-fry specialty products or integrated into what vendors call desktop firewalls or security suites. I don't see a threat worth measuring here, and it's perfectly conceivable that the vendors will be able to demonstrate protections that Microsoft doesn't provide with Vista. I don't think a lot of software is sold for this function.
Same thing for teeny categories like Device Control. Some measure of this capability belongs in the OS obviously, but there's still a small living to be made from customers who want greater control.
Certainly Yankee is right that conventional anti-virus software is unthreatened by Vista, even though some of Vista's protections make many viruses less threatening. The claim that Windows Defender will kill off much of the anti-spyware market depends on how good a job it does, but this is fine with me.
The anti-spyware market is a phony creation of security companies; this function should always have been performed by anti-virus software, and I suggest that the category as a separate entity will die off in any event as companies like Symantec add anti-spyware to their anti-virus offerings, which is where they belong anyway.
Yankee is right about what it calls Network Access and Zoning—what everyone else calls NAC. This is a diverse and competitive market. Microsoft has no special credibility in it and bundled agent support is of trivial value.
Yankee then goes on to a series of predictions, some of which are reasonable. For example, Yankee predicts that “Vista's Tighter Security Will Annoy Users”—and induce them to consciously make stupid decisions, akin to driving right past a “WARNING! BRIDGE OUT!” sign. No doubt users will blame Microsoft when they compromise their systems after bypassing security features in Vista that proved tiresome, but there's a limit to what Microsoft can do about these things.
I disagree with Yankee when it says that there is inadequate information for developers to make their programs run in a restricted account environment. In fact, the guidelines are not dissimilar to those of the Windows XP logo program, which also required that programs run in a standard user context. If Yankee is hearing this from developers, I suspect that the developers are actually just unhappy with the guidelines, not ignorant of them.
Yankee recommends that Microsoft backport Windows Defender and Least Privileged Access to XP. Windows Defender runs on Windows XP right now; does Yankee know something I don't know about the future of this program? As for Least Privileged Access, this is a major change in the behavior of the OS and not a reasonable request. Yankee says that an easy-to-use configurator for the DropMyRights tool would do, and it has a point, but there are plenty of third-party tools for this.
“Retire ActiveX—now.” Yankee's assertion that this is a practical idea just can't be taken seriously. ActiveX is widely deployed and can't be easily dismissed. Microsoft has begun, with certain changes in IE 7, to let enterprises limit ActiveX to a specific whitelist and block out all other controls, but if it were eliminated it would have to be replaced with something just as vulnerable. You have to be able to run native code—even Firefox does.
Yankee's overall sense that Vista does some damage to some security aftermarkets, but that Microsoft remains vulnerable (especially on legacy operating systems), is spot-on. I also agree that IT departments would be mistaken to dive head first into Vista, but waiting for 2008 seems like an arbitrary rule to me. The enterprise I ran would have some test groups running it, perhaps on a second computer or under VMware.
Don't expect Microsoft to cut the heart out of a whole class of ISVs—it's not something they often do. And in the end, Vista will probably create some new security software opportunities that we haven't even realized yet. It happens every time.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.