Deconstructing Vista

There is a large battle forming over what Windows Vista should, or should not, have in it. On the security front, this battle focuses on three features: the security software Microsoft will bundle with Vista; the Security Center that will manage most of the security software to be used on Vista; and PatchGuard, a feature unique to the 64-bit edition of the operating system. Let's take a closer look at each of these potential elements of the Vista package.

The Battle for Content: Vista's Security Bundle

This battle didn’t just begin; it started some time ago when the European Union requested and got a special version of Windows without a media player -- only to discover that customers didn’t want it. The voice of the customer often goes unheard as Microsoft plans its next-generation Windows capabilities, so let's examine that demand.

Number one, customers like free things. In fact, if Google is any example, they really like free things. In general, customers don’t want to pay for something in the future they get for free today. So far, the anti-phishing and anti-spyware products in Vista are free; the antivirus product is not. It is priced below other products, but it is also considered inferior to most, so it will be possible for third parties to market their security products in a way that makes their premium price appear reasonable.

In the near term, if Microsoft provides an adequate product for less, the market will likely go for it. But security products become obsolete very fast and need to be updated on a regular basis. If hardware OEMs continue to regularly bundle third party security products with their offerings, Microsoft's advantage will likely be fleeting.

Security Center

Security Center is the Windows component that monitors the overall security health of the system. Other vendors have competing products, but Microsoft has refused to allow them to replace this component of Windows. Microsoft's reasoning is easy to understand: Whichever vendor owns this component is the most likely to sell the parts of the entire solution. If a Windows customer uses Symantec’s Security Center, that customer is more likely to favor Symantec’s security products.

The Microsoft feature, as of this writing, is not strongly branded. But third-party vendors remain concerned because Windows itself is a very strong brand. Meanwhile, customers want a tool that will help them manage all of the security software on the computer. So far, none of the third-party Security Centers we have tested does that.

Given the requirements of such a tool, it doesn’t seem unreasonable that Microsoft would not allow its tool to be replaced by one that couldn’t work across vendors. And could you really trust one competing vendor to properly link to another -- even if it wanted to?

Windows Vista 64 Patch Guard

In the near term, I don’t expect a lot of folks to run the 64 bit edition of Windows Vista, even though it will clearly be the most secure. One of its special security features is a unique component called Patch Guard.

In a nutshell, Microsoft is locking everyone -- including its own security software people -- out of the operating system kernel to assure the integrity of that kernel.

Symantec and others feel this is wrong because, despite Microsoft’s best efforts, they say the kernel will be compromised, and they will need access to it to protect their customers against future problems. But for Microsoft, giving one group of companies the ability to change the kernel is like giving everyone that ability, and this would decrease Vista's overall security.

Certainly, interfaces to the kernel can and should be allowed. The question is whether any third party should be allowed unfettered authority to alter the kernel.

This is a tough one to call, but our view is that the decision should be made by the company that is truly accountable for the security of the platform. If Vista were Symantec’s product, Symantec should get the final say on what methods are most appropriate to secure the product. If Microsoft keeps to its plan of restricting access to the kernel, it could lead to greater security, reliability, and consistency in the offering.

I’m a firm believer that the kernel should be locked up; the question is whether or not this is even possible. The only way to know for sure is to try it -- and what better way to try it than with a low-volume product that will generally be used by the most technically competent?

Microsoft's Broken Security Process

Years ago, Microsoft passed the security responsibility for its products to other companies, and that may have been a bad idea. Now Microsoft is trying to reverse this position and take ownership of the security of its platform. Preventing Microsoft from doing that probably isn’t in the customer’s best interest.

Whether it is a car, home, business, or operating system, the company that builds a thing should own the responsibility for securing that thing. Only then is security designed in from the start, and this is the most secure way to secure anything. In the current hostile environment, even Symantec reports that most attacks are now targeting employees at home. We desperately need to allow Microsoft to secure its own offerings because we just as desperately need to raise the base level of desktop security.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading