Windows 7 "XP Mode": What are the Security Implications?
There has been much talk in the IT world about the new "XP Mode" feature in Windows 7 - an implementation of a new version of Microsoft's Virtual PC with a free licensed XP virtual machine that can be used to run older applications - but what are the security implications? In this article, we'll examine both the good and the bad (in terms of security) related to running this special VM on your Windows 7 computer.
XP Mode Explained
First, it is important to understand that despite its name, "XP Mode" is not a mode in which Windows 7 runs. It is not something that is built into the operating system. It is actually a separate application, Windows Virtual PC, running a special virtual machine (.vmcx file) provided by Microsoft. What is special about it is that you do not have to create a VM and install the XP operating system; all of that is done for you. More good news: you do not need to buy a license for this instance of XP; the free download is already licensed. The bad news is that it you need Windows 7 Professional or Ultimate edition to use it; it does not run on Home Premium edition.
The first step in running "XP Mode" is to download and install the Windows Virtual PC application. Then you download the Windows XP Mode VM. At the time this article was drafted, both are in the release candidate stage and can be downloaded from the Microsoft web site.
You can now install XP applications in the XP VM - apps that do not run on Windows 7 - and they will appear in your Windows 7 Start menu, as shown in Figure 1.
Figure 1: The apps you install in a WVPC VM appear on the Windows 7 Start menu
But that is not even the coolest part. Thanks to the integration feature in Windows Virtual PC, they appear on the Windows 7 desktop as if they were running on the Windows 7 host machine. That is, you do not have to see the virtual machine's XP desktop at all - unless you want to. As shown in Figure 2, if you click the application in the Windows 7 Start menu, it initializes the VM in the background and opens the app itself.
Figure 2: Windows Virtual PC opens a virtualized XP application
In Figure 1, you can see the old Corel PhotoPaint 10 application running in "XP Mode" on my Windows 7 desktop, right alongside my Windows 7 application (IE8) and there is no difference in the way the user interacts with the two. This seamless integration is difficult to fully appreciate until you see it at work.
Figure 3: An "XP Mode" application running on the Windows 7 desktop
Note that Windows Virtual PC is not limited to running the "XP Mode" VM. You can install other guest operating systems (Vista, Windows 7) and run integrated applications from them. This can be a nice security feature, as we will discuss a little later.
Is "XP Mode" a security problem?
You have probably seen the headlines on the web, proclaiming that XP Mode is a "security disaster." Sophos CTO Richard Jacobs has been widely quoted as saying exactly that in this blog post.
Jacobs says XP Mode "risks undoing much of the progress that Microsoft has made on the security front in the last few years." Jacobs' big complaint seems to be that XP Mode is essentially a separate logical computer and thus doesn't share the Windows 7 host's security settings, security software, patches and so forth. That's true, of course - but that's true of any guest OS running in a VM on any host. Jacobs' other complaint is that Microsoft "didn't provide tools to help manage all of this." Of course, since the XP Mode VM does appear to the network like a separate machine, it can be managed in the same way organizations manage their non-virtual Windows XP machines.
Jacobs says if you use XP Mode, "now you are managing twice as many PCs as before" and charges that XP Mode "increases cost and complexity." You may indeed need to install anti-virus software on the virtual OS, but he is quick to point out that "licensing is not a problem for Sophos products." Sophos is not unique in this; other vendors also license their security software on a per-physical machine basis, rather than per-OS instance.
How can you make "XP Mode" more secure?
The takeaway here is that "XP Mode" is not a magical "feature" in Windows 7. It is a real instance of Windows XP running in a virtual machine, and it must be treated as such for security purposes. As long as you understand that, it's no more a "security disaster" than having a building full of computers running Windows XP. To make it secure, then, do the following:
Ensure that the appropriate anti-virus/anti-malware software is installed on XP in the VM. Local security software on the host machine does not protect it.
Ensure that the VM gets all of the XP security updates through automatic updates or WSUS.
Ensure that any applications installed in the VM get vendor updates when needed.
Disable unneeded services on the XP OS running in the VM.
In short, you should follow all the security guidelines in the Windows XP Security Compliance Management Toolkit here.
To manage the XP Mode VMs, change the default networking behavior in the XP VM from NAT to bridged. To change the settings, open the Virtual Machines folder (Start | All Programs | Windows Virtual PC | Virtual Machines), right click the Virtual Windows XP. vmcx file and select Settings. This will open the dialog box shown in Figure 4.
Figure 4: You can change the XP VM's settings for better security
Use MED-V for centralized management of virtual machines
The management issue becomes a real problem only when you have large numbers of virtual machines. Large companies can deploy Microsoft Enterprise Desktop Virtualization (MED-V) and Microsoft Application Virtualization (APP-V) to manage your virtual machine infrastructure. MED-V is part of the Microsoft Desktop Optimization Pack (MDOP). MED-V adds management functionality that allows you to centrally create, deploy and update virtual images throughout the enterprise.
With MED-V, you have granular control over the VMs in your organization. You can control which XP applications will be available to the users, control the VMs' network settings, authenticate users before granting access to VMs, apply corporate policies and usage permissions to VMs, even set expiration dates for VMs, after which they will no longer be available to the user. Client activity can be centrally monitored. Find out more about MDOP and MED-V here.
For large scale application virtualization where applications are not installed on the client computer, organizations can deploy Microsoft Application Virtualization (APP-V). Virtualized applications are streamed to desktops, laptops and terminal servers. Each application runs in a separate virtualized environment, but you still cut and paste and perform similar operations between applications. Find out more about APP-V here.
Security benefits of XP Mode
In addition to the security challenges that have been widely discussed, there are also security benefits to running applications in a virtual environment. Those apps can be, in essence, "sandboxed" from the host operating system because they're running on a separate OS. For more about security through virtualization, see my previous article on that topic here.
There has been a great deal of hype about "XP Mode" for Windows 7, and much FUD (fear, uncertainty and doubt) spread about its potential security ramifications. In reality, it is neither a magic bullet that bestowed instant application compatibility with no need to think about security, nor the "security nightmare" that some are labeling it. The XP Mode VM for Windows Virtual PC is a useful tool for running applications on the Windows 7 desktop that will not run directly on the new OS. In doing so, it utilizes an unseen underlying virtual machine running an instance of Windows XP that needs to be secured just like any "real" Windows XP computer on the network.
Small organizations can configure the security measures for these VMs individually. For the enterprise, Microsoft provides tools such as MED-V to enable easy centralized control of VM, supplying the "management tools" that are missing in standalone XP Mode.