By most accounts, the Windows Vista operating
system is much improved over its predecessors when it comes to security.
But there are still plenty of areas where solution providers can add value
by recommending and implementing additional security software and hardware
to meet clients' needs.
Already, a lot of opportunity exists in guiding customers through the
process of upgrading to Vista, educating them on the new security features,
ensuring compatibility and supplementing the implementation with additional
security products. As more clients move to adopt Vista after Service Pack
1 (SP1) is shipped (expected to happen in early 2008), those opportunities
will only increase, solution providers say. In this article, we'll walk
through some of the security improvements in Vista and highlight the upsell
and cross-sell opportunities.
Microsoft has come a long way in making its code more secure in Vista,
notes Oliver Friedrichs, director of emerging technologies in Symantec's
Security Response Division. In fact, Microsoft claims that in the first
six months following its general release in November 2006, Vista had a
total of 12 vulnerabilities, compared to 36 in the first six months of
Windows XP, and anywhere from 60 to more than 300 vulnerabilities for
other operating systems.
However, attackers have already shifted their focus to easier targets,
notes Friedrichs. Vista's security improvements focus mostly on the operating
system itself, he says. (That focus has been a source of great consternation
for third-party security vendors. For details, see below.)
Most of today's threats no longer target the OS, but rather are aimed
at applications such as office suites, media applications and web browsers,
Friedrichs says. "Well over 50 percent of all security vulnerabilities
today are in web applications."
That leaves plenty of room for adding value. "Securing Vista is
a tremendous opportunity for solution providers who know what they are
doing," says Darren Patoni, president of solution provider The I.T
Workshop. "The potential for providing security services is excellent."
Third Parties Demand Kernel Access
Security software providers have a big beef with one aspect of
Vista: PatchGuard, a feature in the 64-bit version of Vista, prevents
any third party from modifying or extending the operating system
kernel.
This is a problem because third-party security applications need
access to the kernel for their products to work. As it stands now,
"PatchGuard will cause the entire system to blue-screen if
we try to add our security technology to the kernel," says
Oliver Friedrichs, director of emerging technologies in Symantec's
Security Response Division. Although this is not a problem with
the more prevalent, 32-bit version of Vista, solution providers
do report compatibility problems in 32-bit Vista with many third-party
software applications that need deep access into the operating system.
But the fact that the kernel was exposed was a critical shortcoming
in Windows that had to be fixed, says Michael McGuire, senior product
manager of U.S. Vista deployment at Microsoft. "There's nothing
worse as a security threat than when somebody with bad intentions
gets into the very core of the OS."
After lots of complaining and pressure from third-party vendors,
Microsoft has agreed to address the issue in Service Pack 1. The
service pack will include application programming interfaces that
allow third-party security applications to work with PatchGuard,
according to Microsoft.
Defending Windows Defender
Vista contains a number of features that are specifically designed to
help fight malware, including user account control, Windows Defender and
a redesigned Windows firewall.
User Account Control (UAC) essentially protects users from themselves.
In previous Windows operating systems, users could set up administration-class
accounts for themselves and thus make any changes they wanted, such as
installing drivers and modifying key system settings. UAC in Vista monitors
this activity more closely, limits the sort of modifications that standard
users can make, and throws up many more dialog boxes warning users and
administrators when they make certain changes or load certain software.
Although some users complain about the additional notifications and limits,
it's a good method for protecting systems, solution providers say.
Windows Defender is Vista's antispyware protection, but it lacks antivirus
features. That's an opening to add antivirus protection, and for upselling
an antispyware program that exactly fits the customer's wants and needs.
"Expertise is a premium, and businesses are willing to pay for that,"
says Patoni. "They need someone to come in and solve their security
problems. Especially in the SMB market, you have to learn what the customers
need, what type of infrastructure they have and then find the right products.
It's not one-product-fits-all."
Among the key challenges with Vista are potential compatibility issues
with device drivers and applications that need deep hooks into the operating
system, particularly antivirus suites and IPSec VPN software, says Patoni.
In many cases, updated drivers, new hardware or new software are needed
to get the application to work with Vista. There is also a mechanism,
called "shimming," that resellers can use to make legacy applications
think they are running on Windows XP and thus circumvent some compatibility
problems, although this has its limits, Patoni notes. "This is an area
where resellers can truly serve their customers by asking the tough questions,
holding software vendors accountable, and selling products and solutions
that are certified and compatible."
Vista's Windows Security Center provides a tool for tracking the status
of security features, including third-party software, running on Vista
machines, says Michael McGuire, senior product manager of U.S. Vista deployment
at Microsoft. In the old days, says McGuire, users might have different
versions of different antivirus and other security products, all at various
stages of running, and there was no way to monitor the status. The Security
Center, available in Windows XP Service Pack 2, has been expanded in Vista.
"We've gotten more comprehensive -- with more driver-level support
as well as new features and add-ons," says McGuire. Now the Security
Center does a better job of integrating third-party applications and monitoring
their status. The Vista center provides one screen for viewing the status
of Windows Firewall, automatic updates, virus and spyware protection,
and user account control.
Vista Security at a Glance
Vista Security Enhancements
- User Account Control
- Windows Defender
- Windows Security Center
- Upgraded personal firewall
- BitLocker Drive Encryption
Upsell and Cross-Sell Opportunities
- Securing applications, e-mail and web browser
- Antispyware
- Personal firewall
- Drive encryption
Firewall and Encryption Solutions
In Vista, Microsoft has upgraded the personal firewall that debuted in
Windows XP Service Pack 2. But that shouldn't be a business's only firewall
defense. "In the SMB space, I would not entrust the firewall space
to Microsoft," says Patoni. "Many of the third-party perimeter
firewall vendors provide hardware that is more granular. They look at
the deep inspection level, the packet layer or better yet, down to the
application layer."
A new feature in Vista, widely touted by Microsoft, is BitLocker Drive
Encryption. Designed to protect sensitive data in case a laptop is lost
or stolen, BitLocker is an on-disk system that encrypts the computer's
boot drive, making the system data on it unreadable to unauthorized users.
Authorized users can unlock the data with a 24-character key, which can
be manually entered, downloaded through a USB flash drive or stored in
a secure chip built into the PC itself (included only on high-end laptops).
But BitLocker isn't good enough for most enterprise users, says Rob Eggebrecht,
CEO of solution provider BEW Global, most of whose clients have more than
1,000 employees. BitLocker encrypts data at the operating-system level,
but "most of our clients are encrypting the entire disk," says
Eggebrecht. "A lot of clients were waiting to see Vista BitLocker,
and now that they've seen it, they've moved on and purchased a third-party
application." (For more on best practices for preventing data leakage,
see "Data Loss Prevention,"
in the Fall 2007 Ingram Micro Channel Advisor.)
Momentum in 2008?
As more customers start to adopt Vista, solution providers and ISVs are
learning more about its security strengths and weaknesses. Eggebrecht
estimates that about 20 percent of his customers are upgrading in 2007,
but he expects that number to rise in 2008. So far, he's run into some
compatibility problems between Vista and third-party applications, but
notes that's not unusual for a major operating system upgrade.
Microsoft says it's making progress on compatibility issues. Today more
than 2,100 applications carry the Vista logo, compared with only 250 in
November 2006, according to Microsoft. SP1 is expected to ease some of
the compatibility problems. It should also increase the speed of Vista
adoption, says Patoni, because a lot of users typically hold off until
after the first service pack is released for an operating system. All
the more opportunities to upsell, cross-sell and enhance Vista security.