Corporate and home users don't have similar OS needs. It is time for Windows 7 to offer varied versions.
Windows 7 is due for release in mid-2009. It's been fashionable to knock Microsoft for years, but actually it has been doing quite a reasonable job on security (with the odd exception!) Given the great stride forward with Windows Server 2003 and the constructive approach with the Vista beta programme, what would we like to see with the forthcoming OS?
There are a few fundamental issues we would like to see ironed out. These come down to the familiar story of the lack of separation between corporate and domestic operating systems. This is best underlined by the low uptake of Vista by corporates: home users want functionality and bundled apps, corporate IT security managers want a vanilla operating system that, well, operates, and little more.
A good example would be the availability of NetBIOS. It can be disabled, but even in this state, SMB provides similar functionality over TCP on port 445, which generally has to be disabled in the registry. This has been the root of so many security vulnerabilities in the past.
Another is the presence of cached domain credentials by default. Why does a server need cached creds that can be extracted and cracked? It's never likely to be off the domain, and if it were, local account creds could be used.
Similarly, why does a corporate workstation need cached credentials? Laptops are another matter altogether of course, but why the same insecure approach for all?
I believe that Windows Server 2008 dispenses with cached credentials by default, so how about a similar approach for workstations?
For the home user, why is it possible to configure a desktop to not require a login? Surely the most fundamental element of security is the username and password. And we wonder why huge botnets or domestic PCs are controlled by extortionists? Sometimes we need to protect the home users from themselves.
Vista incorporates bundled applications such as Paint and Outlook Express, questionable default configs and inconsequential desktop gadgets. Great for home, but pointless and potentially insecure for the corporate. Many *nix operating systems are ‘vanilla'; and functionality has to be enabled, rather than disabled, with complex install scripting and heavily customised builds.
Separation of domestic and corporate operating systems was present in Windows 2000 and ME. Separation also carries the benefit that a stripped-down OS for the corporate is likely to be less resource-hungry, meaning that hardware upgrades are less likely, therefore smoothing the upgrade path.
How about a nice vanilla version of Windows 7 for corporate use, allowing IT administrators to enable the necessary software and choose their own default settings, without a complex configuration overhead?
A clearly defined domestic version for Windows 7 could simplify options for the layperson. The current Microsoft firewall constantly asks the user questions relating to firewall settings and program defaults, which Ms/Mr Average is unlikely to understand. How many times have you been to fix a friend's PC that's been screwed up through them getting ‘click-happy' with wizards?
Windows 7 is apparently to ship with Windows Mobile 7. A wonderful idea to combat Google Android and the iPhone, but it will no doubt result in further polarisation of mobile operating systems. While this is great for the mobile developer community, as its apps will have wider appeal to a larger body of users, it also means hackers will invest more time in breaking it. It didn't take long for the iPhone OS to get rooted. Microsoft must ensure WM7 is secure to protect its users and its reputation.
Will Microsoft recognise the need for varied, clearly defined versions of its new OS? I hope so. And can it balance functionality with security? The general public and business users will only get onboard if the latest version is ready to meet their needs. Happy New Year, Windows 7, it's time to operate for everyone.
Ken Munro is director of SecureTest, the penetration and security testing division of NCC Group