Having begun my previous post by explaining what I meant by “I have a professional disregard for …”, the phrase bubbles up again. Quite near where I live is the headquarters of Sophos. As a local company I should be well disposed to them, but I’ve had occasion before now to roll my eyes at what their spokespeople have said, the pronouncements being of the “let’s make the news, and never mind the facts” variety. One security blogger I talked to after some of these could fairly be labelled “lacking professional regard for them”. Well, Graham Cluley of Sophos has a prize example of this as a guest post on his blog, written by Sophos’s Chief Technology Officer Richard Jacobs.
“Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant”, says Jacobs. “XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales… …when there's a trade off to be made, security is going to lose.”
That second half makes me pretty cross. I talked yesterday about the business of meeting customers’ needs: you don’t meet them if security is lacking, but security is not the only priority either.
I’ve got a post, Windows 7 XP mode: helpful? Sure. Panacea? No, where I point out that the virtual machine in XP Mode is not managed, and I quote what Scott Woodgate said in the first sentence we published anywhere about XP Mode: “Windows XP Mode is specifically designed to help small businesses move to Windows 7.” As Jacobs puts it, “The problem is that Microsoft are not providing management around the XP mode virtual machine (VM).” It’s an odd statement, because XP Mode is just standard virtualization software (Windows Virtual PC) plus a pre-configured VM. You can treat the VM as something to be patched via Windows Update or WSUS, just like a physical PC. You install anti-virus software on it, just like a physical PC. To manage the VM you use the big brother of XP Mode: MED-V, which is part of MDOP. But from the existence of an unmanaged VM, and missing other key facts, Jacobs feels able to extrapolate an entire security philosophy. He could do worse than to look up the Microsoft Security Development Lifecycle to learn how we avoid making security trade-offs the way we once did (and others still do).
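To make the “just like a physical PC” point concrete, here is a small batch script that does exactly what you would do on a physical XP box: point the guest at a WSUS server and switch on scheduled Automatic Updates. This is an added example, not code from the original post or from Microsoft; it is run from an administrator command prompt inside the XP Mode guest. The registry values are the standard Windows Update client policy keys; the WSUS URL `http://wsus.example.local:8530` is a hypothetical placeholder, and the SusClientId reset is a precaution for any guest built from a shared image rather than something the post establishes about XP Mode specifically.

```batch
@echo off
REM Added example (not from the original post): configure an XP Mode guest to
REM patch from WSUS with scheduled Automatic Updates, as you would a physical
REM XP PC. Run inside the guest as an administrator.
REM The WSUS address below is a hypothetical placeholder.
setlocal
set WSUS=http://wsus.example.local:8530
set POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

REM Where the guest fetches updates from and where it reports status.
reg add "%POL%" /v WUServer /t REG_SZ /d "%WSUS%" /f
reg add "%POL%" /v WUStatusServer /t REG_SZ /d "%WSUS%" /f

REM Automatic Updates: enabled, use the WSUS server above, auto download and
REM install every day at 03:00 (AUOptions 4 = auto download and schedule install).
reg add "%POL%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%POL%\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "%POL%\AU" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%POL%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%POL%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

REM Check in with WSUS every 4 hours instead of the 22-hour default.
reg add "%POL%\AU" /v DetectionFrequencyEnabled /t REG_DWORD /d 1 /f
reg add "%POL%\AU" /v DetectionFrequency /t REG_DWORD /d 4 /f

REM Precaution for guests created from one shared image (assumption: whether
REM the XP Mode VHD needs this is not established by the post). If several VMs
REM report the same SusClientId, WSUS shows them as a single computer; deleting
REM the values makes the client generate a fresh one on the next check-in.
net stop wuauserv
set CLI=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
reg delete "%CLI%" /v SusClientId /f
reg delete "%CLI%" /v SusClientIdValidation /f
net start wuauserv

REM Re-read the policy and report to WSUS now rather than waiting for the
REM next detection cycle.
wuauclt /resetauthorization /detectnow

REM Show what was written so the result can be checked by eye.
reg query "%POL%"
reg query "%POL%\AU"
endlocal
```

Two practical notes. The XP Mode VM sits behind Windows Virtual PC’s NAT, which only blocks inbound connections; outbound HTTP from the guest to the WSUS server works, provided the guest can resolve the WSUS host name. And the same Automatic Updates tray balloon you would see on a physical XP machine still appears for the guest, so a VM that cannot reach its update source is visible rather than silently stale.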
Now I’m always loath to tell people how to do their jobs, but in most companies someone who carries the title of “Chief Technology Officer” would have a better grasp of the key facts before reaching for the insulting rhetoric. And having looked after another blog where we used many guest posts, I know it’s important to check the facts of your contributors. Cluley either didn’t check or didn’t know better, and let Jacobs end by outlining his idea of customers’ options.
Let’s review these:
Option 2, get rid of legacy applications, is plainly the best choice. There are now very few apps which don’t run on Windows Vista / 7, but if you’re lumbered with one of those this choice isn’t for you.
Option 1. Bad choice: (A) because if you are even thinking about the issue you know you want to get onto a better OS, and (B) because those legacy apps are probably driving you to run everything as administrator. Given a choice of “use legacy apps”, “run XP” and “be secure”, you can choose any two. I hope Jacobs has the nous not to put this forward as a serious suggestion.
Option 3. Small business with unmanaged desktops? XP Mode is for you. Got management? Get MED-V.
Option 4. Full VDI: bad choice. Put the legacy app on a terminal server if you can, but remember it is badly written: if it doesn’t run on an up-to-date OS, will it run on Terminal Services? VDI in the sense of running instances of full XP desktops in VMs (just in the datacenter rather than on the desktop) has all the same problems of managing what is in those VMs, except that they aren’t behind NAT, and they probably run more apps, so they are more at risk.
Option 5. Hmmm. He doesn’t make any proposals, but he seems to demand that Microsoft produce something like MED-V. We’ve done that.
And while I’m taking Cluley and Jacobs to task I should give a mention to Adrian Kingsley-Hughes on ZDNet. It was one of my Twitter correspondents who pointed me to Adrian and on to Sophos. He quotes Jacobs saying “We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable”. The response is that if we thought those choices were acceptable we wouldn’t have MED-V. And Adrian should have known that too.
If people like these don’t get it, then some blame has to be laid at our door for not getting the message across, so for clarity I’ll restate what I said in the other post.
Update: Adrian has updated his post with quotes from the above. He has this choice quote: “XP Mode is a screaming siege to manage. Basically, you're stuck doing everything on each and every machine that XP Mode is installed on.” Yes Adrian, you’re right. No customer who needs to manage desktop virtualization in an enterprise should even think of doing it without Microsoft Enterprise Desktop Virtualization. Adrian calls the above the “MEDV defense” but asks “OK, fine, but what about XP Mode? That's what we are talking about here”. What about XP Mode? It’s the wrong product if you have lots of machines (with five you can get Software Assurance and MDOP). We’re talking about customers who install the wrong product for their needs. My job as an evangelist is to try to get them to use the one that meets their needs. But I think it would help customers if, instead of saying “XP Mode is the wrong product” and stopping, commentators (Adrian, Richard Jacobs, Uncle Tom Cobley) also mentioned the right product.
So basically, if we upgrade from XP to Vista, we can't do a straight upgrade, we also need to buy MED-V, which comes as part of MDOP, and learn how to use that to configure two sets of windows, with two sets of security updates, and two sets of anti-virus.
I'm sorry, but even with MDOP I can see where Sophos are coming from - that sounds like an admin nightmare, and a huge amount of work. Also, while I've only had a quick browse, I can't find any details on how to buy MDOP yet, and I have a sneaking suspicion it isn't going to be free.
The bigger problem is that Microsoft have marketed the XP mode as being a great solution. What's been glossed over is the fact that this hidden virtual PC is going to be full of vulnerabilities unless secured. Most users are just going to run programs; they are going to have no idea that they have a virtual machine running in the background.
Those hidden, unpatched virtual machines are going to be seen as low hanging fruit by the malware guys. Unless Vista defaults to automatically patching them, with the Vista security center warning if the Virtual machine has no AV or needs security patches, then yes, this is going to be a concern.
Not really. You're looking at this as a solution for when you have one or two badly written apps. These are few and far between. You won't be fetching mail in the VM, and you won't be browsing the web in it (though you might use IE 6 for a number of specified web sites; MED-V redirects all others back to the host browser). It's firewalled, and hidden behind a NAT facility. So nothing gets in.
You set up XP for auto-updates and forget about it, or you patch a MED-V image centrally and the changes get pushed out to the client OSes (changes only), so they are more easily patched than a normal desktop OS. And yes, the XP tray icon saying you have no AV or the patching needs attention comes through to the Windows 7 tray.
We have put very little marketing into XP Mode. It's not exactly a hidden PC, since the default location for the icons is under "Virtual PC", and setting up an app needs you to go into an XP desktop.