Now that Windows Vista has been available to business customers for more than a year, it’s a good time to go back and look at how it’s holding up from a security perspective. I think that it’s fair to say that Windows Vista is proving to be the most secure version of the Windows to date. Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off. Let’s take a look at some areas that we’ve made progress in: the impact of defense-in-depth; Internet Explorer 7’s protection of personal information; vulnerabilities and infections; and cost savings. First, let’s look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode. These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:

• Running as standard user, which is the recommended configuration and made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It’s also the reason I personally run as a standard user on every machine I use.
• Because of IE Protected Mode, the MS07-056 bulletin from October ’07 was rated important on Windows Vista and critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update. Fewer critical updates help organizations maintain regular processes around patch management.