Now is as good a time as any to think about switching to Vista, if your organization uses Windows XP or an earlier iteration of Windows. (They might not admit it, but some big enterprises still use a lot of Windows 2000 and NT boxes.) However, what we are now learning about Microsoft's own confusion over the release of the original Vista, as well as the vague SP1 release schedule, is likely to make some C-level execs lukewarm to the migration idea at best.
Obviously, a company may be pushed to upgrade by external factors, such as compatibility with a key supplier or client, or a need to run Vista-only apps, and so on. For many organizations, however, the choice still looks like this: stick with a flawed but patched and well-understood OS, or migrate to a more secure alternative that comes with several drawbacks, like hefty hardware requirements, serious compatibility issues (hardware and software) and nagging availability questions. Enterprises using XP today should think back to when they were contemplating that transition. When did that transition take place, on initial release or following the release of SP1? In fact, a lot of organizations delayed until SP2.
It's
Requires Free Membership to View
worth noting that Vista SP1 will offer a number of security enhancements, including an improvement to the security of RemoteApp programs and desktops by allowing Remote Desktop Protocol (RDP) files to be signed. An Elliptical Curve Cryptography (ECC) pseudo-random number generator (PRNG) also gets added to the list of available PRNGs in Vista. (While offering a greater range of PRNGs would normally be a good thing, giving developers more choices when they need to encrypt data, this particular random number generator is currently shrouded in controversy owing to allegations of an NSA backdoor, not to mention the fact that it is slow, so many developers may end up avoidng it.) Additionally, SP1 provides Vista's BitLocker Drive Encryption (BDE) with an additional multi-factor authentication method. The encryption feature first uses a key that is protected by the Trusted Platform Module (TPM) and combines it with a user-generated personal identification number (PIN).
Unfortunately, SP1 also has drawbacks. Microsoft has confirmed that Vista SP1 intentionally prevents some third-party applications from running because they may cause instability after SP1 has been installed (these include products from Trend Micro Inc., Zone Labs Inc., BitDefender, and Novell Inc--see this Microsoft Knowledge Base article for more details.) SP1, however, gives security software vendors a more secure way to communicate with Windows Security Center and APIs, and third-party security and malicious software detection applications can work with kernel patch protection on x64 versions of Vista.
SP1 does promise two things that might make the migration itself more palatable. First, device compatibility should be improved, with better support for a whole range of devices such as graphics cards and high density drives like Blu-ray. Second, reliability, an important aspect of security, is about to be enhanced. Supposedly, SP1 will more than double the mean number of hours between disruptions, from about 17 hours to about 34. (Maybe it's just me, but neither number sounds great, and it would help to know more about how that metric compares to XP. Unfortunately, Microsoft does not provide such a number. I know, however, that my XP laptop often goes longer than 40 hours between "disruptions.")
For most organizations, Vista implementation is not going to be just a security issue. There are serious costs concerning new hardware and software, which means some serious cost-benefit analysis must take place. If you are currently running XP and are on top of patch management and security training for end users, it's likely that your security issues aren't serious enough to justify making the switch right now. A year from now, there will be a lot more data -- and hopefully a lot more inexpensive hardware -- upon which to base your decision.
This was first published in February 2009