Windows Vista less secure than Windows 2000??

Reaffirmed: You really do have a part to play in Internet security

Michael Kleef ::: MSFT — Wed, 10 Dec 2008 19:30:46 GMT

Like most people I have an opinion. I hold pretty strong opinions about certain topics, one of which

re: Windows Vista less secure than Windows 2000??

Michael Kleef [AppSense] — Thu, 22 May 2008 04:26:31 GMT

Jack - the prison approach is roughly like the same statement that another person made around mandating digitally signed code. Think of the customer impact here - there has to be a tradeoff of functionality aswell.

Vess - please tell me exactly what youre doing to get daily UAC prompts. I hardly get any unless Im installing something. Which apps are causing them?

That said, yes in RTM it was prompting excessively for a single operation. SP1 has addressed much of that. Take a look at the webcast I did on it. Its only about 2 mins long. http://blogs.technet.com/mkleef/archive/2008/05/15/screencast-uac-improvements-in-vista-sp1.aspx

Think of this analogy - daily you drive a car. The manufacturer puts in plenty of safety devices in to protect and warn you when youre about to do something wrong. Newer cars beep and alert when you are about to break the speed limit and also warn you when you are about to reverse your car into another car.

Despite the annoying beeping and warnings, do any of these actually stop the unwanted result should you choose to proceed? After the accident has occurred the best thing you can do is recover or fix up the results which is exactly what anti-virus does. It cleans/fixes up the unwanted stuff that has already started executing on your machine.

The difference in the car situation is people have to learn about the risks and issues that come with driving a car. Its part of your license to drive - even as a basic understanding. They dont with computing...I think you would agree that user education about security risk with computing is lacking.

re: Windows Vista less secure than Windows 2000??

Vess — Wed, 21 May 2008 14:23:59 GMT

Vista's UAC is so bloody annoying and interferes so much with legitimate work, that practically all users I know who are using Vista have turned it off. In fact, I know only one person who hasn't; he keeps Vista on a separate partition from all installed programs; according to him, in such a setup the UAC pops up its annoying dialogs less often.

Microsoft have still a lot to learn about security. We who have been professionals in this field for decades learned long time ago that a pop-up dialog saying essentially "Foo bar, click here to make this go away" is *not* going to protect the user.

re: Windows Vista less secure than Windows 2000??

jack — Mon, 19 May 2008 23:38:37 GMT

This latest revelation that Vista is less secure is further evidence that more needs to be done limiting user control of fundamental systems. The issue isn't whether education will prevent users from executing "dodgy" code - it is whether we allow dodgy code to run on a system. One of the most obvious facts of security IMHO is that you can NEVER educate a user in a substantial enough way to prevent security issues. What is needed is for ActiveX to have more of the JVM like sandbox features to stop nasty code from executing (NOTE: I am not saying Java is perfectly secure or better, just that some of the JVM controls are well planned to prevent harmful execution). In any event, whether Vista is more or less secure that 2000 remains to be seen - I personally don't get hosed on either OS ^_^

Let's stop this education approach and move into the prison approach... total lockdown.

Cheers,

Jack

Vista (in)security - It's all your fault

Stuart King's Security and Risk Management Blog — Mon, 19 May 2008 11:01:20 GMT

Windows Vista is, apparently, less secure than Windows 2000. An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control

re: Windows Vista less secure than Windows 2000??

Michael Kleef [AppSense] — Sun, 18 May 2008 14:07:45 GMT

George - firstly thanks for taking the time to reply with helpful information on market platform trends. Its interesting that Windows 2000, according to this w3schools site, only has now 3.3% market. Maybe that is affecting the data...

I still, without seeing the test methodology or data, find it ridiculous to believe that Windows 2000 is more secure than Vista. That said I do agree with one of the statements, that Vista PCs still require anti virus and that the protections we have put in place are no silver bullet. We have never stated otherwise.

Especially when users are so willing to click consent prompts that warn them and trust anything they download, run and execute.

Lets look at a few things:

1. To date theres been a handful of critical issues with Vista requiring a patch. Of those, many also affected Win2k. If a vulnerability was being exploited out of one of these patches it would also affect Win2k.

2. Of the viruses and trojans target Windows execution; If they run on Vista, they run on Win2k.

3. A good portion of the APIs that exist in Vista exist in Win2k.

4. IE6 runs on Win2k and IE7 runs on Vista. Firefox fans aside, most people would agree that IE7 is a much more secure browser than IE6.

5. Most consumers (like 99% of them) run their interactive user session on a Windows PC as a local admin. Vista restricts this through a split token requiring elevation to gain administrative access for anything that affects the integrity of the machine. Windows 2000 allows everything in that shell session to run as admin including IE.

Theres a whole bunch of reasons that affect "studies" like this. Without seeing the methodology its hard to make a judgement though I find it very, very difficult to take this "study" seriously.

re: Windows Vista less secure than Windows 2000??

Michael Kleef [AppSense] — Sun, 18 May 2008 13:46:05 GMT

Rooperi - of course mandating signed executables (implying that only trusted code will execute) is one way to help though think of everything that breaks when you do that. And I should note that you can do this today - though we dont mandate it because of the application compatibility implications. Try this for a moment.

Go into group policy and switch on the policy for "User Account Control: Only Elevate executables that are signed and validated". Its under the local machine policy security node. Then go try and install an msi package or ten.

Tell me how many actually elevate to allow you to install.

Then think: Can you imagine the outcry of forcing the entire developer ecosystem to get their applications signed for every executable they write and have written - past and present?

Further to this, can you imagine every consumer with all their old applications they have had for years now breaking because of this?

re: Windows Vista less secure than Windows 2000??

george — Sun, 18 May 2008 05:34:25 GMT

> why do more Vista users seem to get infected than Windows 2000 ones

Michael, this was almost my point, except I was referring to the relative number of infections, more precisely to the number unique threats per 1000 computers as was reported in the original article (http://www.pctools.com/news/view/id/206/):

Unique Threats per 1000 machines

Windows 2000 586

Windows 2003 478

Windows XP 1, 021

Windows Vista 639

If the samples were chosen to be representative of a population then the numbers would not depened on the install bases of either Windows 2000 or Windows Vista, provided both install bases are comparable. And during the six-month study, according to the statistics gatherd by w3schools (http://w3schools.com/browsers/browsers_os.asp), the install bases of both OSs were comparable. I understand that the statistics could be biased, but this is the best I have. I only wish that the top ranked sites (http://www.quantcast.com/top-sites-1) published similar information on regular basis.

You could also say that since Windows 2000 is an old OS the targeted attacts are less frequent. I would agree with this, and even more so if I saw supporting data. Nevertheless, the numbers shown in the study are indeed alarming, especially considering all the work that had been done around UAC.

re: Windows Vista less secure than Windows 2000??

Rooperi — Sat, 17 May 2008 17:48:22 GMT

Well, I agree that Vista is not worse than Windows 2000. However, I think users should not be blamed. Operating systems, especially mass market ones like Windows Vista, should improve security features - not just eye candy.

You should expect that basic user of your operating system is not a geek and so does not know much about security or technology.

For example, making it mandatory that a) only signed executables can be run b) signing should be controlled by trusted party (Microsoft or its partner, or some community). Also, alternative would be to check hash codes of executables / dlls against online database.

That would help a lot.

re: Windows Vista less secure than Windows 2000??

Michael Kleef [AppSense] — Sat, 17 May 2008 08:01:16 GMT

Good point George, no I dont think user behaviour is necessarily changing...but it needs to. Anecdotely, users seem to be becoming more aware of security in certain scenarios such as internet banking though not necessarily in everyday usage.

So this points to something you have alluded to though not directly stated - if thats the case then why do more Vista users seem to get infected than Windows 2000 ones?

Without having found the test matrix or resultant data for this study, think about this one for a moment. How many consumers are still using Windows 2000? The majority will be using Windows XP (which explains the "poorer than Vista" result there), a growing number will be using Vista and a vastly diminishing number of Windows 2000 users.

Hence when you track trends from people doing AV scans via a website:

1. These are likely to be consumers and not corporates (that are likely to have their own in house mechanisms for AV scan and protection. Consumers are less likely to still be using Windows 2000 as they migrate to new hardware incrementally.

2. Thus the installed base of each platform will have an effect on the numbers produced.

I wonder if the same data is showing Windows 3.11 and DOS 6.22 to be "more secure" by the fact that there are no online scans found for it? :) Not all study results show the complete story...

Of course at present Im speculating here - I havent seen the study. I havent seen the test methodology and Ive yet to find it. If you do please let me know as Id love to see it.