Waiting for Vista's Best Security Advances

Paul Thurrott

November 27, 2006


In its bid to get its enterprise customers to sit up and notice Windows Vista, Microsoft has consistently pushed one unbeatable message: Vista will be more secure. Vista, Microsoft says, is the most secure OS that the company has ever released. And sure enough, the list of Vista benefits reads like a laundry list of security features. You'll see terms such as Address Space Layout Randomization (ASLR), User Account Control (UAC), BitLocker Drive Encryption, and much more. But you're going to have to wait for some of Vista's biggest security advantages. And that's probably just fine with most businesses, as it seems that virtually no one is in any hurry to deploy Microsoft's next client OS right now.

Some of these features, such as ASLR, digitally signed device drivers, and kernel patch protection are available only in Vista's x64 versions. Although many of us have been buying the x64-based hardware necessary to run these 64-bit Vista versions for some time, I advise you to hold off on running a native 64-bit Vista: The x64 versions will suffer from withering application incompatibility problems for some time. Unless you've fully tested all the software you use--whether it's commercial or developed in-house--on x64 versions of Vista, don't even consider moving to these systems. My guess is that it will take a year or more before the x64 versions of Vista can be considered mainstream releases.

Other features waiting in the wings won't really come to life until Microsoft ships Windows Server "Longhorn" and Vista Service Pack 1 (SP1), both of which are expected to ship concurrently. Vista SP1 will include an updated kernel version, which will bring Vista in line with the kernel found in Longhorn Server. That alone is a big deal. But there are various Vista features that won't make much sense until you're running Longhorn Server on the back end. The most obvious is Network Access Protection (NAP), a network quarantine feature. For NAP to work, you need support for the technology on both the client and the server. Vista is the first Windows OS to ship with native NAP support, though presumably you could add it to previous Windows versions via an agent install.

Microsoft has been working on this feature for several years, and you might recall that the server NAP code was originally going to ship as part of Windows Server 2003 Release 2 (R2). Microsoft stripped NAP from that product, however, because of a deal with Cisco Systems in which the two companies agreed to create interoperable network quarantine solutions. Cisco's Network Admission Control (NAC) and Microsoft's NAP will be fully interoperable, and customers will be able to choose between the two technologies on the server side. This means you could install Cisco-based appliances or software solutions, and/or Longhorn Server-based servers in your enterprise and use compatible client OSs, such as Vista, to ensure that systems connecting to the network meet your security requirements. Systems that don't meet these requirements are quarantined from the network and provided with the security updates they need before being granted full access.

With Longhorn Server not due to ship until late 2007, most Microsoft-oriented enterprises will likely want to wait until that time to begin deploying any network quarantine solution. But this technology is an absolutely crucial security piece that's missing from many environments today. For this reason, you should begin evaluating NAP in Longhorn Server when Microsoft ships its beta 3 release in the first half of 2007. Rolling out NAP and Vista together is an excellent idea. In fact, if you were looking for a truly good reason to go through the expense and pain of rolling out Vista, this might be it.

As for the timing, heck, you were waiting for Vista SP1 anyway. And late 2007 might be the perfect time to move to x64 versions of the OS as well.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
