Sophos, Microsoft Spar Over XP Mode Security
The dustup started last month when Sophos CTO Richard Jacobs penned a blog post claiming that Microsoft's failure to include management tools in XP Mode, a virtual Windows XP SP3 environment running under Windows Virtual PC, shows that "security will never be Microsoft's first priority."
Without a costly investment in a full Virtual Desktop Infrastructure (VDI) solution, companies will find the management of virtual machines to be prohibitively complicated, Jacobs wrote in the blog post. "XP mode is not a bad idea, but without built-in management, it's a security disaster," he said.
Microsoft developer James O'Neill fired back earlier this week in a blog post of his own, calling into question Sophos' presentation of the facts.
XP Mode is just standard virtualization software and a pre-configured virtual machine, according to O'Neill. "You can treat the virtual machine as something to be patched via Windows update or WSUS (Windows Server Update Service) just like a physical PC. You install anti-virus software on it like a physical PC," O'Neill wrote.
David Sobel, CEO of Evolve Technologies, a Fairfax, Va.-based solution provider, says that while some of Sophos' points are worth considering, XP Mode will be primarily used in businesses that already have some form of desktop management technology in place. "Only Windows 7 Ultimate and Windows 7 Professional have XP Mode. Thus, these are managed desktops, not machines across the Internet," Sobel said.
XP Mode does add another layer of technology to Windows environments that needs to be managed, but that applies primarily to companies that plan to use it as more than just a transitional tool, says Mark Crall, president of Charlotte Tech Care Team, a Charlotte, N.C.-based solution provider.
"If companies plan to run entire enterprises of XP Mode instances on their networks for an extended period of time, then the security and patch management of those instances is a consideration they need to consider before making the leap to Windows 7," Crall said.
Jeff Middleton, a Microsoft Small Business Server MVP based in Metairie, La., says that while virtual machine management can be a bit baffling, Sophos' logic in this case is a bit skewed.
"Whatever happened to the argument that Microsoft should leave room for the aftermarket to add value where a gap in Windows offers an opportunity?" Middleton said. "If Sophos can develop a solution that solves his complaint, stop complaining and sell the solution."