Death match: Windows Vista versus Windows XP

So there you are, signing the "Save XP" petition, shaking your fist in triumph as you stick it to "the man." It's a liberating feeling. You've found the courage to buck the trend and jump off the Wintel upgrade treadmill. You feel empowered, enlightened. But still, there are these nagging doubts.

Can you really skip the Vista upgrade cycle? Will Windows XP still be properly supported by Microsoft and, as a primary development target, by third parties? Is there something we've missed, some hidden gotcha that's going to trip us up 12, 18, or 24 months from now?

[ A third Windows desktop alternative has emerged for technical users. See “Weird, wild, wonderful Windows ‘Workstation’ 2008.” ]

Of course, there's no universal answer to the Vista upgrade question. Yes, in all likelihood you'll be just fine sticking with Windows XP – at least until Windows 7 ships in 2009 or 2010. But let's not rush to universal judgment. Let's take a close, measured look at the key considerations, and compare Vista's merits against the state of XP on the essential points that IT organizations and end-users care about. And if we can't solve this calmly and objectively, like fair-minded professionals, then let's at least have a good fight.

Are you ready to rumble? OK, then. Operating systems, return to your corners, and come out swinging.

Round 1: Security
Security is one of the first areas to come to mind when considering a Vista migration. Features such as UAC (User Account Control) and Internet Explorer Protected Mode have been making headlines for more than a year – but not always in the context Microsoft would have wanted. UAC, in particular, has been savaged by critics who balk at its many annoying confirmation dialogs. Just try enabling or disabling multiple network connections quickly or moving a file into a protected folder.

However, even with UAC – which is really just a more visible, "in your face" implementation of the user account controls that have been built into Windows NT since day one – Vista still isn't fully secure. There are documented ways around UAC involving Internet Explorer, security token privilege escalation, and the exploitation of the "deprecated administrator" status of the default Vista account model.

More importantly, however, is the fact that most IT shops have already implemented a form of UAC under Windows XP by not allowing domain users to run as local administrators and, in some cases, writing their own "elevation" utilities to make it all work seamlessly. In practice, these "locked down" XP systems are in some ways more secure than a UAC-protected Vista system, because they're immune to the aforementioned privilege elevation exploit. To bring Vista systems on par with XP, you need to force users to work with a true non-admin account, as opposed to Vista's "deprecated admin" account, which puts you right back at square one (that is, where XP is today).