If you ask Microsoft executives why consumers or companies should upgrade to Windows Vista, the answer they’ve recently been talking about is “security.” The head honcho of Windows, Jim Allchin, said, “Safety and security is the overriding feature that most people will want to have Windows Vista for.”

Of course, the public perception of Windows security is still not very great among most IT pros and end users. But if we put that perception aside and take a look at Windows Vista, there are some impressive developments on the security front. In the testing that I’ve been doing with Vista over the past six months, it has become abundantly clear that Windows security has been re-engineered in Vista and several important security features have been added.

The two most prominent security additions are Network Access Protection (NAP) and User Account Protection (UAP). NAP will keep systems and devices with inferior security configurations from joining the network (and potentially infecting healthy machines) until they meet minimum security requirements. Until that time the machines are quarantined into a restricted VLAN.

UAP (which was originally called LUA – least-privileged user account) will finally allow administrators to stop giving end users local admin privileges on their PCs. With UAP, admins can grant privileges on a more granular level and so most activities can be performed with minimal privileges, thus limiting the access that rogue malware can perform in most cases.

In general, Vista is a lot more inflexible about letting programs launch in the background, perform covert system changes, and interact with system-changing operations. That provides a lot proactive protection against spyware, malware, adware, viruses, worms, and the like. Naturally, there’s a trade-off in usability. For example, when launching many of the applets from the Control Panel users will now get the following message each time:

The user has to hit “Allow” in order to open this tool. When end users see messages like this (and they will likely end up seeing a lot of them), then they will probably ask their IT departments why they keep getting these messages. The IT department will respond that this is an important part of the increased security in Windows Vista. I think a lot of users will then ask, “Do I need this much security?”  

The answer is that they certainly do need this much security in order to pre-empt other potential security issues. Nevertheless, this much security comes with a price in usability. In fact, any time you increase security it almost always comes with a price in usability.

While most IT professionals will gladly welcome these major security improvements in Vista, they will also need to adequately prepare their staff and their end users for some necessary drawbacks in usability.