Microsoft has taken an interesting approach to the application compatibility problem by introducing Windows XP Mode in Windows 7. The idea is that Windows XP mode will allow older applications that refuse to run on Windows 7 to simply run on Windows XP virtual machine running in the background on the Windows 7 machine. Instead of the end user being presented with a separate Windows XP virtual desktop, the applications running on the virtual machine will be published to the Windows 7 desktop. So it will seem like the application is running on the Windows 7 OS, but in reality it will be running on the virtual XP machine. On the surface, this seems to be a good solution to the application compatibility problem, but it raises a number questions. What about managing the virtual machine? Do we now need to manage twice the number of machines now? Does it need to be domain joined? Does it need to be patched? Does that mean Microsoft is going to extend support for Windows XP? What about virus protection? What about licensing?
Here at BeyondTrust, we’re very interested in the least privilege problem. Applications that require administrative rights to run are a huge problem from an application compatibility perspective. So, if you have an application that requires admin rights, and also refuses to run on Windows 7, you’re going to have to install the app on the virtual XP machine and allow the user to log onto that Windows XP virtual machine as an admin! So, you’re back to square one, the user is now an admin on a domain joined machine. Even if the user is logging in as a standard user on the Windows 7 desktop, they are going to be an admin on the virtual machine. The bottom line is that when you move to Windows 7, you will likely have application compatibility issues and you will likely also encounter least privilege problems on both the Windows 7 OS and the Virtual XP OS. The move to Windows 7 presents a great opportunity to look at both problems and how you might solve them.
Here at BeyondTrust, we’re very interested in the least privilege problem. Applications that require administrative rights to run are a huge problem from an application compatibility perspective. So, if you have an application that requires admin rights, and also refuses to run on Windows 7, you’re going to have to install the app on the virtual XP machine and allow the user to log onto that Windows XP virtual machine as an admin! So, you’re back to square one, the user is now an admin on a domain joined machine. Even if the user is logging in as a standard user on the Windows 7 desktop, they are going to be an admin on the virtual machine. The bottom line is that when you move to Windows 7, you will likely have application compatibility issues and you will likely also encounter least privilege problems on both the Windows 7 OS and the Virtual XP OS. The move to Windows 7 presents a great opportunity to look at both problems and how you might solve them.
I am not sure if the XP VM is joined to the domain or not. In fact when setting it up, I do not think I was even given the option to specify a user account, it used a built-in account, therefor it couldn't have been directly joined to the domain. Admittedly, my memory of the setup is a bit fuzzy, so I could be incorrect.
ReplyDeleteAs for XP mode, I think it is both a good and bad thing. On one hand, businesses get the piece of mind that they can upgrade without worry of application incompatibility as well as getting a "free" license to XP for each Win7 (Pro/Enterprise/Ultimate) license. On the other hand, administrators will now need to worry about securing and maintaining those XP installs. I also feel that MS is giving some businesses a false sense of security. At some point (soon?) MS will cease support for XP...and they should, it is nearly a decade old. At this point those VMs (potentially still running IE6) will no longer recieve security updates and will pose a tremendous risk to those running XP mode. I think it would be in the best interests of an organization to concentrate on updating their applications or invest in similar applications that directly support running on Win7. It may be a financial hit up front, but in the long run will save on admin costs and potential security costs.