Has Microsoft finally done it?

After a long wait, the successor to Microsoft's Windows XP operating system is nearly here, and it's certainly making a lot of noise after being quiet for so long. Initial beta testers report funky new graphics and enhanced user-friendly functionality, but what of the security? Microsoft solemnly pledged to upgrade its security after years of bad press and worse exploits, but even the software giant concedes there is no "silver bullet that can address every current and future security threat". So what has Microsoft actually done, and how does the industry view the changes?

The new Vista is a very different animal to the familiar XP, a dramatically altered architecture giving a noticeably larger OS footprint, with more than a nod in the promised security direction.

Microsoft has clearly paid attention to its critics and really gone to town on security. Features such as User Account Control (UAC), which stops users from constantly running as administrators, and Windows Service Hardening, which performs a similar task with the services themselves, have both been well received.

"UAC is a really useful means of tying down user privileges, which has not been addressed fully before. UAC is the company's big push to reduce the platform's overall attack surface and enforce the principle of least privilege," says Alan Coburn, managing consultant at dns.

The move from 32-bit to 64-bit should also bring security gains for Vista users, because Kernel Patch Protection and Mandatory Driver Signing should render rootkits useless by demanding a genuine, easily checkable digital signature – a good move if it works in practice.

One addition has caused controversy in the industry. The inclusion of anti-spyware and intrusion detection in the Windows Security Center – the so-called Windows Defender and Windows Firewall – has been interpreted by some analysts as a death-knell for third-party desktop security applications.

Yankee Group Research recently reported that: "Vista's built-in spyware capabilities will be more than sufficient for the vast majority of enterprises… the functionality provided by Microsoft will be good enough to obviate the need for most third-party firewalls."

But, as ever with Microsoft, the proof will be in the pudding.

The recent US launch of OneCare, a subscription-based, managed anti-viral, anti-spyware and firewall package, shows Microsoft's future intentions in this area for home users, but has the enterprise been fully satisfied? Microsoft itself admits that this might not be the case at first: "Home users are more likely to become excited about this technology; the security benefits to them are fairly clear," says Microsoft's IT professional evangelist, Stephen Lamb.

"Businesses will take a ‘look and see' attitude," agrees Andrew Jaquith, the analyst behind the Yankee Group report. "Both Firewall and Defender have a home-user focus, and will really impact on this market. The SME market might also see some uptake."

The third-party security companies in question, such as Kaspersky Labs, seem less concerned. David Emm, senior technology consultant, believes that businesses will be fairly cautious about installing Microsoft security as their sole defence. "Enterprises will be wary of end-to-end Microsoft solutions, just as they are currently inclined not to use just one third-party provider. I'm not convinced of the import of this move, but to say it will have no impact is ridiculous. It will set the bar for the security market higher, and will force existing vendors to shape up."

Graham Cluley, a senior technology consultant at Sophos, also takes a philosophical view: "Vista will certainly make our job easier. It's well worth remembering that the top ten viruses at the moment are all fairly old ones. This is because some home PC users haven't updated their virus checkers, or run the latest OS patches. This is an issue for enterprises, however, because these machines flood business networks with useless traffic. Vista should help stop a large proportion of this."

After some neglect, Internet Explorer 7+ has finally been revamped, with a new phishing filter, sandboxing, ActiveX opt-in and visual warnings of trusted sites. Critics say it is now very similar in functionality to Mozilla's Firefox. Microsoft's Lamb admits there has been a delay between releases, and that Explorer was "behind other browsers", but points to the now-increased security with pride.

Cluley thinks Microsoft might have a winner here: "We have seen Firefox penetration slowing, holding steady at around 15 per cent. Those that are going to adopt it have done so, but the ‘great unwashed' simply haven't. This market is likely to be impressed with the functionality of IE 7+ when they get their hands on it."

Vista has built-in BitLocker Drive Encryption, a drive encryption tool designed for use on hardware using the Trusted Platform Module (TPM).

Coburn is very keen on the TPM: "Microsoft is beginning to implement some of the features of the much-touted Next-Generation Secure Computing Base (NGSCB) that it made a lot of noise about a couple of years ago. I can see this being really useful for companies with mobile workers using laptops. Mobility can be a very serious issue in security terms – Microsoft is moving towards providing something genuinely useful here. That said, any company with very sensitive data on their laptops should already have sourced a highly specialised third-party solution, which will probably suit them more than Microsoft."

It is also worth pointing out that full-volume encryption might be a dangerous tool in the hands of non-technically savvy users. Although BitLocker does produce an emergency data recovery key during the initial set-up, this key must be stored off-PC, for obvious reasons. Failure to do so will cause serious problems, and Microsoft itself admits there is a balancing act here.

BitLocker will only be available to enterprise customers and those home users running the ‘Ultimate' edition Vista – designed for those who understand the technology under the hood. Lamb points out that the feature should be used with a certain amount of care: "This is very much a compromise between how much security you have and need, versus how much time you have to administer and manage it."

Overall, the OS is likely to divide the industry both before and after its enterprise release date of November 2006, and consumer release in the first quarter of 2007. In spite of the time and effort Microsoft has obviously invested in security, it is possible to go too far in this direction, as Simon Heron, technical director at Network Box, points out: "The constant opt-in/opt-out pop-ups are a real pain to live with – it's the boy who cried wolf all over again. I fear one issue is that Microsoft won its giant market share by being very easy to use, but not particularly secure. Now it has tried to go the opposite way, becoming less easy to use, but safer – it's a call for social change, and I wonder if customers will still buy into it?"

There are more weighty issues too – the sandboxing features in Internet Explorer 7+ are doubtless secure, but will also take a chunk of processing power to run. Norton has a sandboxing product, which is said to take up 10 per cent of the processor – a sizeable weight to carry.

Additionally, the BitLocker technology, while it is impressive in theory, will cause hardware problems. The TPM hardware required for BitLocker is version 1.2 – on public release less than six months ago. This adds a large hardware cost to any enterprise considering a Vista upgrade in order to use that functionality.

Jaquith points to a related issue with Vista itself: "Vista's required hardware footprint in itself is very hefty, and many enterprises will need to invest in new hardware to implement it. This changes the decision criteria somewhat, and will play its part in limiting the initial adoption of Vista. Microsoft predicts 400m versions will be rolled out in the first 24 months – I think this is a rather optimistic estimate."

Hardware costs aside, there are bound to be glitches and fixes with a totally new OS, especially in one this large and complex. This should slow business adoption in the short term until the platform is seen to have stabilised. Heron points out: "It makes good business sense to let other people do your beta testing for you as much as possible. I believe that business users will wait until late 2007 at least, certainly until a full-service pack has been delivered. Vista will be particularly vulnerable to patching – it's just so big. We'll be seeing a lot of patches during the coming months."

Graham agrees: "Many business users are happy running XP with Service Pack 2 (SP2), and some are still using 98 or NT. It will take a lot to convince these companies to institute a major upgrade to Vista. We'll see home users adopting in the short term, due to the enhanced security features. Business will wait a while – they will need to evaluate the whole package properly."

As Microsoft says, there can be no silver bullet for security, and although Vista's security seems a useful step, you can be certain that there will be flaws, as there are in any software of similar size and complexity. The trouble with Vista is that literally millions of desktops will be running it within the next year or two, thus making it the most obvious target for purely theoretical crackers and financially motivated hackers alike.

Home users will be easily convinced by the new functionalities and "safer" tags, while businesses will lag behind, maybe waiting until their hardware needs to be refreshed and the software is generally accepted to be bug-free. Remember, many businesses have only recently adopted XP SP2, which most in the industry regard as a reliable and relatively secure package.

Change for these companies will be much longer coming. Eventually, though, most current Windows users, both enterprises and individuals, will find themselves upgrading to Vista simply because it is the new Microsoft OS, and support for older versions of Windows will gradually fade away. It only remains to see just how long that upgrade process will take.