Playing it safe with Windows Vista

Microsoft is pitching a security feature in Windows Vista as a boon for consumer online safety, but others think its benefits lie elsewhere.

The software maker is promoting the use of Windows Security Center, a feature in the long-awaited operating system, as a way for Web sites and third-party software programs to gauge the security status of customer PCs. This could be used to deny computers that aren't fully protected access to online services, which ultimately is good for user safety, Microsoft said.

"Let's say you're trying to buy something online, and before you enter your credit card information, the site checks if you're up to date and gives a green light," said Adrien Robinson, a director in Microsoft's trustworthy computing group. "As more people find out the security state of their computer, the more safe customers will be online."

Microsoft is actively pitching the possibility of the PC security checks to banks and online retailers. The feature was actually introduced in Windows XP Service Pack 2, in August 2004, but Microsoft hasn't talked about it much. "We are promoting that a lot more to the community now than we did with SP2," Robinson said. Windows Vista is slated to be broadly available in February.

Though they say Microsoft's goal is noble, others don't expect many consumer Web sites or online services to start conducting PC security checks. According to Microsoft's own data, about 70 percent of consumers aren't running up-to-date antivirus protection. That's a large number of potential customers a business could lose, analysts said.

"I do not believe they will be willing to stop doing business with the consumers that are not up-to-code," said Natalie Lambert, an analyst at Forrester Research. Also, consumers could balk at the perceived privacy intrusion if Web sites start checking their PCs.

Moreover, a security check doesn't protect customers against identity theft or other such crimes, said Gartner analyst John Pescatore. "A bad guy could be pretending to be me, and Windows could be telling the Web site that he is running antivirus--what good would that do?" he asked. "Online banks or Amazon.com really don't care whether you are running antivirus."

On the dashboard
The security information is made available through the Windows Security Center, which checks on the status of security applications on a PC--for example, whether the antivirus is able to catch the most recent threats. In Vista, the Windows Security Center keeps track of the firewall, security updates, virus and spyware protection and other Windows-related security settings.

Through a special dashboard, consumers can see the security status of their PC. Windows Security Center also has its own alerts, which will pop up if a computer isn't adequately protected. A Web site or software program can tap into the Windows feature to find out whether a PC is "green," "orange" or "red"--Microsoft's metaphor for fully secured, lacking some security, or insecure, respectively, Robinson said.

"The key benefit would be for people who have fears around identity theft and things of that nature, who may not realize that they turned off their firewall. Or they may not know that they turned off alerts and their antivirus is out of date," she said.

Likewise, a video game manufacturer could prevent PCs from logging onto online services if they are not running a firewall, according to a recent Microsoft white paper. This would help reduce risk to other players and offer a more secure online gaming experience, the company said.

Although Microsoft is pitching Security Center checks as good for companies to use with consumers, the first solid taker for the technology is IP Commerce, a Denver-based business software maker. IP Commerce plans to build the security check feature into tools used by credit card-accepting merchants, to help them keep an eye on whether their systems comply with security rules laid down for the credit card industry.

"If you are dealing with card holder data, then you are mandated to have a firewall, to have the latest security patches, to have antivirus installed and running and up-to-date," said Chip Kahn, chief executive officer at IP Commerce. "Windows Security Center, we think, for the first time provides real-time awareness of security compliance."

Other uses for the technology are in the area of network access control. For example, a business could run a "health check" on a PC before letting it onto a corporate network, said Pescatore, the Gartner analyst. "For businesses, it is definitely a feature they would be using," he said.