According to security firm Sophos, Microsoft risks undoing much of the work it has done on the security front over the past few years by shipping XP Mode with Windows 7.
Sophos's Chief Technology Officer Richard Jacobs doesn't pull any punches when it comes to outlining the issues:
"XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales, but not so much that it gets in the way of 'progress'."
Ouch. It gets worse:
"The problem is that Microsoft are not providing management around the XP mode virtual machine (VM). This creates the potential for a security disaster. XP mode is an independent Windows instance, that shares the odd folder and device with the host Windows 7 installation. What it doesn't share is processes and memory. So it doesn't share security settings, security software, patches etc. It does not inherit any security from the host. When you use XP mode, you need to patch the copy of XP as well as the host Windows 7. You need to manage settings separately, configure two personal firewalls and install and manage two copies of anti-malware software."
As I've said before, the problem with XP Mode is that there's no way to manage it. I've mentioned this before, and while XP Mode certainly improved between the beta and RC, there wasn't much new on the management front.
The bottom line:
"We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable. Then we need to remember that, however well intentioned, Microsoft will not put security first."
The issues here are real. No matter how XP Mode is deployed, anyone using it will instantly make two PCs out of each one it's installed on. No matter how you cut it, that's a major headache. And the way that XP Mode is currently implemented, there's a real risk that users' systems will be open to being compromised.
If you're going to use XP Mode, take care out there.
[UPDATE: Seems that James O'Neill doesn't like what I wrote. Problem is, he's steered himself into the tarpits with his argument.
A few examples:
"And while I’m taking Cluley and Jacobs to task I should give a mention to Adrian Kingsley-Hughes on ZDNet. It was one of my Twitter correspondents who pointed me to Adrian and on to Sophos. He quotes Jacobs saying “We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable”. The response is that if we thought those choices were acceptable we wouldn’t have MED-V. And Adrian should have known that too."
OK, I keep hearing about the MED-V defense. This is the equivalent of running away when asked a tough question. MED-V and XP Mode are separate applications. The argument isn't related to MED-V, it's about XP Mode.
"Desktop virtualization is not a free excuse to avoid updating applications. It is a work around if you can’t update."
But that's the point that both Sophos and I were making: XP Mode is a pig to manage. No one said anything about not updating the OS; what I'd like to see is an easier way to manage the XP image.
"Desktop virtualization needs work, both in deployment and maintenance – to restate point 1 – if you have the option to update, expect that to be less work."
I agree, but XP Mode is a screaming siege to manage. Basically, you're stuck doing everything on each and every machine that XP Mode is installed on.
"As I pointed out in an earlier post still. MED-V is designed for larger organizations with a proper management infrastructure, and a need to deploy a centrally-managed virtual Windows XP environment on either Windows Vista or Windows 7 desktops. Make sure you use the appropriate one."
Again, the MED-V defense. Running away again. OK, MED-V is for "larger organizations with a proper management infrastructure ..." ... OK, fine, but what about XP Mode? That's what we are talking about here. None of this MED-V dodging makes XP Mode any easier to manage ...
XP Mode ... here be tigers!]