Sophos's Chief Technology Officer Richard Jacobs joins us as a guest blogger to discuss the implications of Microsoft including XP Mode in Windows 7. Over to you RJ..
Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant.
As Chet Wisniewski previously reported, we've watched Microsoft make good progress with the security of their products, from missteps like User Account Control to Kernel Patch Protection and their Security Development Lifecycle internally.
However, XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales, but not so much that it gets in the way of "progress". At Sophos, we live or die based on our ability to deliver effective security. Microsoft doesn't, so when there's a trade off to be made, security is going to lose.
XP mode delivers Windows XP compatibility by creating a virtual PC, running the tried and tested OS, on your Windows 7 desktop. All your XP supported applications then run in that environment. The level of integration is such that most users won't even be aware that XP is there. XP mode makes sense and ought to help organisations to transition from native Windows XP to Windows 7. This is particularly important to Microsoft, as most of us didn't buy Vista. They can't afford for us to shun the latest incarnation of Windows as well.
The problem is that Microsoft are not providing management around the XP mode virtual machine (VM). This creates the potential for a security disaster. XP mode is an independent Windows instance, that shares the odd folder and device with the host Windows 7 installation. What it doesn't share is processes and memory. So it doesn't share security settings, security software, patches etc. It does not inherit any security from the host. When you use XP mode, you need to patch the copy of XP as well as the host Windows 7. You need to manage settings separately, configure two personal firewalls and install and manage two copies of anti-malware software.
So surely the new security conscious Microsoft must have provided tools to help us manage all of this? Wrong! Microsoft's view is that this is your problem, unless you're prepared to invest in a full Virtual Desktop Infrastructure (VDI) system. You already know how to manage VMs on all your desktops, don't you? So you can manage this one too.
Unfortunately most of us don't know how to manage VMs on the desktop. That's why desktop virtualization hasn't taken off in the way that vendors like VMware and Citrix would have liked. Virtualization on the desktop has huge potential as the future of endpoint computing, but many organisations try to block the use of VMs on the desktop, precisely because managing them is still too expensive and complicated.
So what are our options?
1.Stick with Windows XP.
2.Migrate to Windows 7 and block use of XP mode - if you have no legacy applications.
3.Migrate to Windows 7 and adopt XP mode. Make sure you understand the costs. Every VM needs to be managed just like every physical PC. So you're now managing twice as many PCs as before. They all need to be joined up to your domain, configured, secured and patched. Incidentally, that's not just patching 2 OSes, but also 2 browsers (IE8 and IE6).
a.Assuming you always deploy XP mode centrally as you roll out Windows 7 PCs and pre-install security software, then you also need to think about the performance impact (memory, CPU, bandwidth, disk) of 2 sets of security software, what applications runs in which environment and any licensing issues. Licensing is not a problem for Sophos products, but check with your other vendors.
b.If you don't already know where every XP mode VM is on every PC that touches your network, then you additionally need to find them. For example if users install XP mode themselves, or contractors do so, you probably won't be able to detect the VMs remotely. Network Access Control may help, but that's another story.
4.Migrate to Windows 7 and implement full VDI - there are various options for this, but don't imagine it's free.
5.Demand that Microsoft do better - We understand that they're not a security company, but XP mode, as it stands doesn't meet the bar. It is a barrier to Windows 7 migration, because it increases costs and complexity.
No doubt there are people at Microsoft who are passionate about security and extremely competent, but they can't slow the Windows 7 juggernaut. Sophos can't do that either, but maybe you can. XP mode is not a bad idea, but without built-in management, it's a security disaster. We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable. Then we need to remember that, however well intentioned, Microsoft will not put security first.
Posted on July 17th, 2009 by Richard Jacobs, Sophos