Vision statements must reflect the organization and involve everyone, so make them simple and achievable, The Advisory Council says. Also, consider your company's archiving needs and what's already in use when choosing business-messaging systems, and stay up-to-date on security patches to keep Windows NT-family operating systems safe.

InformationWeek Staff, Contributor

January 20, 2004


Topic C: What actions should Microsoft Windows users take to address its well-publicized security issues?

Our advice: From a fundamental, architectural perspective, the Windows NT family (NT, 2000, XP, 2003) is as sound as any other generally available operating system. In contrast, the MS-DOS-based versions of Windows (95, 98, ME) are fundamentally flawed, and shouldn't be used in any environment where security is a concern.

Coding bugs, especially stack-buffer overflow bugs, have been a serious problem with Windows. The only way to deal with them is to install Microsoft's security patches promptly upon release. After testing with their own applications, Windows administrators should install the latest Service Packs for their respective Windows versions, as well as any subsequent security patches. Windows administrators also should subscribe to the Microsoft Security Notification Service.
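As an added illustration of the patch discipline recommended above (not code from the column or from The Advisory Council), the following PowerShell script reports a host's Windows version and service-pack level and flags any required hotfixes that are not installed. PowerShell postdates this 2004 column; the cmdlets used (Get-CimInstance, Get-HotFix) are standard on current Windows. The list of required KB identifiers is a constructed placeholder and must be replaced with the identifiers from the current Microsoft security bulletins for the Windows version in question.

```powershell
# Added example, not part of the original column: audit one Windows host's OS
# version, service-pack level and installed hotfixes, and report which of a
# required set of updates are missing.

# Placeholder values (constructed, not real bulletins); replace with the KB
# identifiers Microsoft's security notifications list for your Windows version.
$RequiredHotfixes = @('KB0000001', 'KB0000002')

function Get-PatchStatus {
    param(
        [string[]]$RequiredHotfixes
    )

    # OS identity and service-pack level from the CIM/WMI operating-system class
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Hotfixes the host reports as installed; HotFixID has the form KBnnnnnn
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # Required updates that are not present on this host
    $missing = $RequiredHotfixes | Where-Object { $installed -notcontains $_ }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OperatingSystem = $os.Caption
        Version         = $os.Version
        ServicePack     = $os.ServicePackMajorVersion
        InstalledCount  = @($installed).Count
        MissingHotfixes = @($missing)
        Compliant       = (@($missing).Count -eq 0)
    }
}

# Run against the local host; a non-compliant result means at least one
# required update has not been applied and should be scheduled for testing
# and installation.
Get-PatchStatus -RequiredHotfixes $RequiredHotfixes | Format-List
```

Get-HotFix accepts a -ComputerName parameter, so the same check can be run from an administrator's workstation against each server in turn and the results collected into a single compliance report; the script deliberately reports rather than installs, so that updates still go through the testing with in-house applications that the column recommends.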

Ill-considered "features," especially some ease-of-use features, have been an Achilles' heel for Windows and its applications. For example, as originally released, both Microsoft Office 97 and 2000 permitted users to inadvertently run a virus by just previewing an infected E-mail. Depending on the user's privileges, this could damage the entire system. These holes have long since been fixed with security patches. And as with the operating system, keeping up-to-date on application security patches is essential.

Inappropriate defaults are another problematic artifact of Microsoft's attempts at "ease-of-use." Systems that retain these default settings are particularly vulnerable to hackers and viruses. The Microsoft Baseline Security Analyzer tool enables an administrator to check for inappropriate default settings on all the NT-family systems on a network.

Although not a problem with the operating system per se, another reason for Windows' poor security reputation is that it's more likely than other operating systems to be installed and configured by people untrained in basic IT-security practices. Combined with inappropriate defaults, this can lead to untrusted users having access to far more information, and therefore having more ability to cause damage, than they should. This problem can be solved by ensuring that all Windows administrators have appropriate security training and job-performance metrics.

Because so many systems run Windows, it's the most popular target of hackers and viruses. Nonetheless, we don't believe that it's necessary or appropriate for Windows users to undertake the effort, disruption, and expense of moving to another operating system for reasons of security. Properly managed and maintained, Windows 2000, XP, and 2003 are as secure as Linux or other operating systems.

-- Peter Schay

Sourabh Hajela, TAC Expert, has more than 15 years of experience in strategy, planning, and delivery of IT capability to maximize shareholder value for corporations in major industries across North America, Europe, and Asia. He is a member of the faculty at the University of Phoenix, where he teaches courses in strategy, marketing, E-business and leadership. Most recently, he was VP and the head of E-business with Prudential Financial.

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT delivery organizations from both user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Peter Schay, TAC executive VP and chief operating officer, has 30 years of experience as a senior IT executive in both IT vendor and research industries. He was most recently VP and chief technology officer of SiteShell Corp. Previously at Gartner, he was group VP of global research infrastructure and support, and launched coverage of client/server computing in the early 1990s.
