I recently purchased a PC for my parents and then started to install it – well actually used the OEM installation to get it up and running with Windows Vista Home Premium. I was pretty surprised how easy it was to actually have a running system (I usually re-format the disk if I have to install a PC for myself). But then I had a deeper look at the installation base and was pretty surprised. There were a gazillion of products installed on the PC I never wanted.

So I started to think about security of this setup. If I am looking back to earlier versions of our Operating System, one of the key problems with the earlier versions was that we enabled everything we thought a user could ever use. Remember Code Red? It actually attacked our web server and spread incredibly fast – on File Servers, Print Servers, any other server (sometimes it even hits a web server)… IIS was installed by default and the users and the administrators were not even aware of having IIS on the box – and mostly did not update it at all. We changed heavily and went down the "Secure by Default" road.

Taking this back to the OEM installation above, we (being the industry) just do a big step back to the old days. Why do I have to have a dictionary, train schedule, etc. to be installed by default? Who is taking care of these applications and makes sure that they will be properly managed and updated? Why is a AV-solution forced on my PC (yes, I want one but I want to have choice)?

Personally I think OEM have to change the way a PC is set up. When I buy a box with Windows Vista on it, I would expect a screen that shows me all the tools that I could actually get during the setup. I will then pick and choose and the machine will be installed. We could finally argue about opt-in and opt-out. I hate those installers where I have to tell them between one and three times that I really do not want to have toolbar X installed on my computer (yes, I know, we have these kind of tools as well). I would expect the OEM to take their responsibility and ship a secure-by-default PC. Some of them even disable security functions…

Coming back to my story above: The first thing I had to do after the successful installation of the PC is to de-install all the non-wanted software and update mechanism for all the active components and printer drivers and …. At the end it still left a bad feeling as I am not sure whether I actually really de-installed everything and no vulnerable component I will never use is still on the box…

Roger