This decade-old operating system has stood the test of time. But while Windows XP may be Microsoft's most popular OS, when it comes to security, it is sorely lacking.
For example, I recently worked with two Windows XP laptops that were infested with more than a dozen instances of malware -- even though both were fully patched and running antivirus software. The malware disabled Windows Defender and even infected a USB flash drive I was using to clean the infestation.
And this story is not unique. In the past 10 years, I have encountered many Windows XP machines that have turned into breeding grounds for malware. As such, I do not recommend Windows XP for people interested in security.
Since Vista's initial release, there have been two service packs and dozens of individual security patches for it. But despite its many vulnerabilities -- and the fact that it may be the most despised OS ever -- Vista has always been more secure than Windows XP. Features such as address-space randomization, data execution prevention, application isolation and User Access Control (UAC) protect Vista from many (but not all) of the exploits that work so well against Windows XP.
In the years since Vista's release, I have only seen three infected machines. In at least one of those situations, the infection was partially the result of the administrator disabling certain built-in security features.
Built on top of the Vista kernel, Windows 7 isn't all that different from its predecessor.
And when it comes to security, Windows 7 doesn't offer a lot more than Vista: BitLocker to Go, which allows for the encryption of removable media, and AppLocker, which provides greater control for regulating the applications that users access, are the only two new security features.
But Microsoft did make changes to User Access Control (UAC) in Windows 7. UAC was a new feature in Vista that prompted the user for permission any time a change was going to be made to the system. The Vista implementation of UAC drew a lot of criticism for being too intrusive. In Windows 7, Microsoft redesigned UAC to make it less chatty, and it threw in a slide bar that allows an administrator to pick the level of protection.

Personally, I believe that dumbing down UAC makes Windows 7 a little bit less secure. I like being prompted for permission before an application can make a change to my system. However, the argument can also be made that the new UAC interface makes Windows more secure -- users see fewer prompts and thus, may not become conditioned to click Yes every time an annoying popup appears.
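An administrator who wants to know where that slide bar currently sits on a Windows 7 machine can read it back from the registry. The PowerShell below is an added example, not part of the original article; the registry value names and the mapping of values to the four slider positions are not stated in the article, and the function names are hypothetical.

```powershell
# Added example: translate the UAC policy registry values into the
# Windows 7 slider position they correspond to.
function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 means UAC is switched off entirely; on Windows 7 this is
    # what the bottom slider position ("Never notify") sets after a reboot.
    if ($EnableLUA -eq 0) {
        return 'UAC disabled (slider at Never notify)'
    }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default: notify only when programs try to make changes' }
        '5/0'   { return 'Notify on program changes, desktop not dimmed' }
        '0/0'   { return 'Never notify' }
        default { return "Custom policy ($ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop), not a slider position" }
    }
}

# Read the live values from the local machine and classify them.
function Get-LocalUacSliderLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed sample values (not taken from a real machine), one per case.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
)
foreach ($s in $samples) {
    Get-UacSliderLevel @s
}
```

Running `Get-LocalUacSliderLevel` across a fleet and flagging anything other than the first two levels is a quick way to find machines where the prompt has been weakened or turned off.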
And the winner is ...
In the end, Windows 7 is the most secure desktop OS. Although it doesn't introduce a lot of new security features, it builds on Vista's success. Furthermore, AppLocker offers a big improvement over software-restriction policies.
Software-restriction policies control the apps that can run in Windows XP and Vista, but they didn't catch on because it's difficult to create a set of policies that a user can't easily circumvent. While software-restriction policies still exist in Windows 7, AppLocker, which is designed to take their place, is far more effective.
Regardless of which operating system you choose, security ultimately boils down to the way that an OS is configured, and therefore, it is important to always adhere to security best practices.
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
This was first published in February 2010