Why Windows 7 XP Mode makes sense from a security perspective

I have to admit: When I first learned about Windows 7 XP Mode I was quite surprised. How can we actually ship an XP Virtual Machine with Windows 7? Well, then I started to think (no, it did not hurt too much)… But before I share my findings with you, let me tell you a story:

A few months back, a friend of mine called me. He was desperate. He is the owner of a car dealer close to where I live (a pretty big one for Swiss terms) and had decided to renew the business’s IT system. So, they moved to Windows Server 2008 Terminal Server and Windows Vista as a client. They hired an IT shop to do it for them and the migration went pretty smoothly – up until they wanted to start the web application of the car manufacturer. It is one of the German car makes you definitely know and which is well known for the quality of its cars. Unfortunately the web application did not run with Internet Explorer 7. So, they went back to the car manufacturer to learn that they knew about this but had no plans to make it compatible with neither IE 7 not IE 8. An alternative browser was not an option either as the latest versions broke this application as well. He needed a solution, which I could not provide – unfortunately. Finally they decided to let one PC run on XP with IE 6, just to get around the problem for this one task. So, basically they did “Windows 7 XP Mode” – just physical.

Now, let’s consider such scenarios. I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will built on that foundation.

Additionally we know that the browser is one of the most targeted attack vectors in the ecosystem. We shouldn’t be surprised by this as the browser is the window to the outside world and has to defend the computer against everything coming from the Internet. The security of the browser increased tremendously from Windows XP to Windows Vista, and will again with Windows 7. I deliberately did not say from IE 6 to 7 to 8 – even though this is true at least as much as with the OS. But the OS provides additional protection like IE 7 Protected Mode on Windows Vista which we simply cannot deliver on Windows XP or Address Space Layout Randomization or … That these design changes pay off can be seen if you look at our Microsoft Security Intelligence Report (SIR):

2009,08%20-%20BB%20Attacks%20XP[1]

In Windows XP, 42% of the successful attacks came through our software, in Windows Vista, this changed tremendously:

2009,08%20-%20BB%20Attacks%20Vista[1]

This data is in the Security Intelligence Report v5. If we look at the malware infections per operating system in the most recent SIR version 6, there is another reason to migrate to Windows Vista/Windows 7:

2009,08%20-%20BB%20Infections%20per%20OS[1]

Looking at all of this, our task basically boils down to “How can we help our customers benefit from the much better protection on today’s Operating Systems and in parallel ensure compatibility.” It is the classical security vs. compatibility problem. Of course we make a huge investment to ensure the operating system is as compatible with old applications as possible but we all know that there will be a point where we simply have to draw a line and put security needs above compatibility.

From this viewpoint Windows 7 XP Mode all of a sudden makes sense. It allows our customers to migrate to Windows 7 and significantly lowers the risk, for example, of web browsing or running 98% of their application software. The last 2%, which would have been issues that could have prevented migration, have so far been covered by the XP Mode. Now to be completely clear here: XP Mode has to be a temporary solution! The only effective long-term answer is to migrate applications to a version that is compatible with today’s Operating Systems. It also has to be managed and protected like any other machine – it is a full blown Windows XP with Internet Explorer 6 connected to the network. So it has to be used wisely and very, very limited but it allows you to migrate to the more secure environment for the every day’s tasks.

And finally, XP Mode from a user perspective can be set up in a way that the user only sees the legacy application running seamlessly in the Windows 7 environment. So, there is not necessarily a Windows XP, where the user can do everything they want: You just give them the legacy applications you want. Here is a picture how this looks like:

image_4[1]

If you look at it like that it is simply a risk management decision: Which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode? With XP Mode, we could have helped my friend above without actually having to force him to run a PC just for the sake of this single application!

For more information on VirtualPC on Windows 7, please look at http://blogs.technet.com/windows_vpc/ (I “borrowed” the last picture from there)

Roger