• Why Windows 7 XP Mode makes sense from a security perspective

    I have to admit: When I first learned about Windows 7 XP Mode I was quite surprised. How can we actually ship an XP Virtual Machine with Windows 7? Well, then I started to think (no, it did not hurt too much)… But before I share my findings with you, let me tell you a story:

    A few months back, a friend of mine called me. He was desperate. He is the owner of a car dealer close to where I live (a pretty big one for Swiss terms) and had decided to renew the business’s IT system. So, they moved to Windows Server 2008 Terminal Server and Windows Vista as a client. They hired an IT shop to do it for them and the migration went pretty smoothly – up until they wanted to start the web application of the car manufacturer. It is one of the German car makes you definitely know and which is well known for the quality of its cars. Unfortunately the web application did not run with Internet Explorer 7. So, they went back to the car manufacturer to learn that they knew about this but had no plans to make it compatible with either IE 7 or IE 8. An alternative browser was not an option either as the latest versions broke this application as well. He needed a solution, which I could not provide – unfortunately. Finally they decided to let one PC run on XP with IE 6, just to get around the problem for this one task. So, basically they did “Windows 7 XP Mode” – just physical.

    Now, let’s consider such scenarios. I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will build on that foundation.

    Additionally we know that the browser is one of the most targeted attack vectors in the ecosystem. We shouldn’t be surprised by this as the browser is the window to the outside world and has to defend the computer against everything coming from the Internet. The security of the browser increased tremendously from Windows XP to Windows Vista, and will again with Windows 7. I deliberately did not say from IE 6 to 7 to 8 – even though this is true at least as much as with the OS. But the OS provides additional protection like IE 7 Protected Mode on Windows Vista which we simply cannot deliver on Windows XP or Address Space Layout Randomization or … That these design changes pay off can be seen if you look at our Microsoft Security Intelligence Report (SIR):

    [Chart: attacks, Windows XP]

    In Windows XP, 42% of the successful attacks came through our software, in Windows Vista, this changed tremendously:

    [Chart: attacks, Windows Vista]

    This data is in the Security Intelligence Report v5. If we look at the malware infections per operating system in the most recent SIR version 6, there is another reason to migrate to Windows Vista/Windows 7:

    [Chart: infections per OS]

    Looking at all of this, our task basically boils down to “How can we help our customers benefit from the much better protection on today’s Operating Systems and in parallel ensure compatibility.” It is the classical security vs. compatibility problem. Of course we make a huge investment to ensure the operating system is as compatible with old applications as possible but we all know that there will be a point where we simply have to draw a line and put security needs above compatibility.

    From this viewpoint Windows 7 XP Mode all of a sudden makes sense. It allows our customers to migrate to Windows 7 and significantly lowers the risk, for example, of web browsing or running 98% of their application software. The last 2%, which would have been issues that could have prevented migration, have so far been covered by the XP Mode. Now to be completely clear here: XP Mode has to be a temporary solution! The only effective long-term answer is to migrate applications to a version that is compatible with today’s Operating Systems. It also has to be managed and protected like any other machine – it is a full blown Windows XP with Internet Explorer 6 connected to the network. So it has to be used wisely and in a very, very limited way, but it allows you to migrate to the more secure environment for everyday tasks.

    And finally, XP Mode from a user perspective can be set up in a way that the user only sees the legacy application running seamlessly in the Windows 7 environment. So, there is not necessarily a Windows XP, where the user can do everything they want: You just give them the legacy applications you want. Here is a picture of what this looks like:

    [Image]

    If you look at it like that it is simply a risk management decision: Which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode? With XP Mode, we could have helped my friend above without actually having to force him to run a PC just for the sake of this single application!

    For more information on VirtualPC on Windows 7, please look at http://blogs.technet.com/windows_vpc/ (I “borrowed” the last picture from there)

    Roger

  • Windows 7 XP Mode - Sophos error: facts not found

    Well, the title is not completely from me – I just quoted another blog post. I wrote recently on Why Windows 7 XP Mode makes sense from a security perspective and was even quoted on The Register. The “funny” thing was the history of that blog: I was reading some Tweets and blogs where XP Mode was just questioned. I actually never read Richard Jacobs’ blog post on this. I just wanted to share the process I went through.

    However, my post again caused a reply by Jacobs – so he seems to read my blog…

    Unfortunately he got some facts quite wrong – but at least he got some attention. If you are interested in the facts, read James O’Neill’s post called Sophos error: facts not found – which is where I got the title from.

    As I wrote in the first post: XP Mode is here to help our customers benefit from the indisputably higher security in Windows 7 for 95% of their tasks, and to remove the migration blocker called “compatibility” by using XP Mode. Let me give you another example:

    I helped an SME last weekend to migrate from an XP environment (even their server was on XP) to a state-of-the-art Windows Server 2008 SBS and Windows Vista environment. We failed! Because of one application, a 16-bit DOS accounting application, which we have been unable to stabilize on Windows Vista while still being able to print. Even though we switched on all the compatibility settings, it crashed about every 15 minutes. Migration is not an option as a customer of theirs is still using this application. So, what are the options?

    1. Fall back to XP
    2. Live with the crashes
    3. Find a solution……

    What we did in the end (after several hours of trial and error) was to keep one old XP box and use Remote Desktop to run this DOS application – basically we did XP Mode on a physical level instead of virtually, and by far not as transparently for the user as with XP Mode – however, managing the XP box now is definitely harder (or at least as hard) than XP Mode (see James’ post).

    So, as I said in my first post on this: It is all about Risk Management.

    Roger

  • Windows Server 2008 Hyper-V Role EAL 4+ certified by BSI

    That’s new: We have Windows Server 2008 Hyper-V Common Criteria EAL 4+ certified. The new thing is that we certified it in Germany by the BSI (Bundesamt für Sicherheit in der Informationstechnik). You can find the report here: https://www.bsi.bund.de/cae/servlet/contentblob/612768/publicationFile/35487/0570a_pdf.pdf

    Roger

  • Blaster’s Birthday

    I guess you remember the day back in 2003: I was actually on vacation when I was called back in to the Microsoft offices as we had some strange things going on… It was the day of the Blaster breakout. The first time I personally had to deal with a very severe incident here at Microsoft. So we started to ramp up and tried to deal with what was happening out there. The biggest challenge at the beginning was to bridge the time between when the beast hit our customers and everything was popping up in the press, and the time we actually knew what was going on – which had to come from the Microsoft Security Response Centre back in Redmond. They did an amazing job but it took them some time as well. At the beginning we were blind and we did not have the same incident response processes back then as we have them today (and as we learned that they are necessary as a post-mortem of Blaster).

    So, the teams ramped up and we tried our best to have an incident response team together locally: Support, PR, Sales, me, and whoever we could draw from any not absolutely critical activity. We did our best to keep the hotlines up but this was a mission impossible. Within hours we were flooded… So, we developed some written guidance on what to do (and had to translate that into three languages as I was working in Switzerland back then) but still this only helped partially. People started to call our offices in order to get help and we had an overflow to handle there. And last but not least we had consumers walking into our buildings telling the receptionist that they have this thing they heard in the news and that we have to help them to get rid of it – NOW!

    And then, after the first few days the customer visits started. I never experienced something like that. Customers were literally screaming at me, telling me what they think about Microsoft and that we did it all wrong.

    Well, the whole industry came a long way – didn’t it? Trustworthy Computing had a big effect on how software is developed, Security Development Lifecycle has an industry-wide impact, the products themselves grew tremendously looking at how we defend them today… and the industry starts to understand that Patch Management is an important part of the Risk Management processes. Yes, I said deliberately “starts to understand” – there is still an amazing number of customers who still do not even think about patching.

    Looking back to 2003:

    and a lot more

    Roger

  • The Future of the Internet in 2020

    This is a pretty interesting survey: Future of the Internet III: How the Experts See It

    Here are the key findings:

    • The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
    • The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
    • Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.
    • Those working to enforce intellectual property law and copyright protection will remain in a continuing "arms race," with the "crackers" who will find ways to copy and share content without payment.
    • The divisions between personal time and work time and between physical and virtual reality will be further erased for everyone who is connected, and the results will be mixed in their impact on basic social relations.
    • "Next-generation" engineering of the network to improve the current internet architecture is more likely than an effort to rebuild the architecture from scratch.

    This shows to me that our End-to-End Trust vision is more important than ever as we will be relying on a trusted stack and a strong identity.

    Roger