Historically speaking, software vendors generally designed operating
systems to manage the resources of computer systems rather than providing helpful
end-user tools—at least in the beginning. Operating systems of the past didn’t come
bundled with a lot of end-user functionality.

In the past, computers typically had very specialized
uses—software makers didn’t design computers for use by the general population.
That, of course, was prior to the advent of personal computing, a revolution
that sought to make computers accessible by the masses for whatever they wanted
to do.

Once people had access to computing on their own terms, the
idea of generalized computing took hold. Operating systems of the past with
command-line interfaces began to give way to point-and-click graphical user
interfaces. In addition, vendors kept piling more and more features into their
operating systems. But exactly what functions should an operating system
provide?

If you remember working with older operating systems, such
as CP/M, MS-DOS, and PC-DOS, you know how different applications once were.
With the notable exception of MacOS, software vendors simply layered early
personal computer graphical interfaces onto the underlying operating system.

In fact, Microsoft just layered early Windows versions on top
of MS-DOS, and even OS/2 was more of a “command-line” operating
system with a layered GUI. And let’s not forget X-Windows, which remains
layered on top of the operating system rather than being a part of it.
Microsoft decided to change tactics beginning with Windows NT, and it began
featuring an “out-of-the-box” GUI.

But it’s important to remember that Windows is more than
just an operating system—it’s a complete environment bundled with a variety of
general-purpose software and features. And it’s these other
“features”—not the core functions of the Windows operating system—that
generally make Windows insecure.

While it’s generally true that separating the OS functions
from the GUI and applications doesn’t inherently affect Internet security, it actually
does in the case of Windows. Out of the box, most Windows systems are
vulnerable to a variety of Internet security risks—due primarily to the
applications and functionality bundled and buried within Windows rather than
the core OS itself.

For example, how many home computer users really need to
have NetBIOS enabled by default and accessible over TCP/IP? (Not that many.) However,
Microsoft decided to enable NetBIOS by default, leaving millions of computers
at risk to well-reported worms and Trojans. And that’s just one of many
specific examples of enabling unnecessary features, which most users never even
know are there.

Microsoft argues that it’s providing more applications and
functionality to end users. But this excuse doesn’t address the fact that the
vast majority of users, including corporate users, only need a small fraction
of the features that Windows provides.

More than 10 years ago, I wrote about the dangers of including
too much functionality in the Windows 95 operating system. Part of my apprehension
was due to the danger of Microsoft’s software bundling shutting out independent
software, a concern that wound up becoming true.

However, an even greater concern was the blurring of the
distinction between features that an OS needs to provide and the additional
components and applications that users choose themselves. Windows enables
vulnerable features without the knowledge or direct control of the typical end user,
and typical end users don’t know how to protect themselves from such risks.

Making computers easier for people to use does not include
enabling features that make a computer vulnerable the moment it connects to the
Internet. For my money, I’d like nothing more than to see a
“cafeteria” version of Windows. Such a version would be something
that gets the computer going with only the bare essentials required to start
Windows—and that allows me to choose everything else in detail.

Had Microsoft created such a Windows version 10 years ago,
we wouldn’t have the problems with Internet security that we have today. Microsoft
is capable of producing such an OS, and it knows it—yet it continues to fight a
losing battle.

If Microsoft really wants the freedom to innovate and
provide users with more choices, then it needs to go back to the basics with
Windows. If I don’t want Internet Explorer on my system, that should be my
choice; if I want to use a different program to play media files, that should
be my choice.

Microsoft continues to spend more time and more money fixing
problems in applications bundled with Windows than it should. Putting too much
functionality into Windows was a mistake, and everyone knows it—and it’s time
Microsoft accepted it.

Miss an issue?

Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
column.

Want more advice for
locking down your network? Stay on top of the latest security issues and industry
trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.