Playing it safe with Windows Vista

Microsoft wants to sell Web sites and businesses on security checks of customer PCs. That may not go over so well.

Joris Evers Staff Writer, CNET News.com
Microsoft is pitching a security feature in Windows Vista as a boon for consumer online safety, but others think its benefits lie elsewhere.

The software maker is promoting the use of Windows Security Center, a feature in the long-awaited operating system, as a way for Web sites and third-party software programs to gauge the security status of customer PCs. This could be used to deny computers that aren't fully protected access to online services, which ultimately is good for user safety, Microsoft said.

"Let's say you're trying to buy something online, and before you enter your credit card information, the site checks if you're up to date and gives a green light," said Adrien Robinson, a director in Microsoft's trustworthy computing group. "As more people find out the security state of their computer, the more safe customers will be online."

Microsoft is actively pitching the possibility of the PC security checks to banks and online retailers. The feature was actually introduced in Windows XP Service Pack 2, in August 2004, but Microsoft hasn't talked about it much. "We are promoting that a lot more to the community now than we did with SP2," Robinson said. Windows Vista is slated to be broadly available in February.

Though they say Microsoft's goal is noble, others don't expect many consumer Web sites or online services to start conducting PC security checks. According to Microsoft's own data, about 70 percent of consumers aren't running up-to-date antivirus protection. That's a large number of potential customers a business could lose, analysts said.

"I do not believe they will be willing to stop doing business with the consumers that are not up-to-code," said Natalie Lambert, an analyst at Forrester Research. Also, consumers could balk at the perceived privacy intrusion if Web sites start checking their PCs.

Moreover, a security check doesn't protect customers against identity theft or other such crimes, said Gartner analyst John Pescatore. "A bad guy could be pretending to be me, and Windows could be telling the Web site that he is running antivirus--what good would that do?" he asked. "Online banks or Amazon.com really don't care whether you are running antivirus."

On the dashboard
The security information is made available through the Windows Security Center, which checks on the status of security applications on a PC--for example, whether the antivirus is able to catch the most recent threats. In Vista, the Windows Security Center keeps track of the firewall, security updates, virus and spyware protection and other Windows-related security settings.

Through a special dashboard, consumers can see the security status of their PC. Windows Security Center also has its own alerts, which will pop up if a computer isn't adequately protected. A Web site or software program can tap into the Windows feature to find out whether a PC is "green," "orange" or "red"--Microsoft's metaphor for fully secured, lacking some security, or insecure, respectively, Robinson said.

"The key benefit would be for people who have fears around identity theft and things of that nature, who may not realize that they turned off their firewall. Or they may not know that they turned off alerts and their antivirus is out of date," she said.

Likewise, a video game manufacturer could prevent PCs from logging onto online services if they are not running a firewall, according to a recent Microsoft white paper. This would help reduce risk to other players and offer a more secure online gaming experience, the company said.

Although Microsoft is pitching Security Center checks as good for companies to use with consumers, the first solid taker for the technology is IP Commerce, a Denver-based business software maker. IP Commerce plans to build the security check feature into tools used by credit card-accepting merchants, to help them keep an eye on whether their systems comply with security rules laid down for the credit card industry.

"If you are dealing with card holder data, then you are mandated to have a firewall, to have the latest security patches, to have antivirus installed and running and up-to-date," said Chip Kahn, chief executive officer at IP Commerce. "Windows Security Center, we think, for the first time provides real-time awareness of security compliance."

Other uses for the technology are in the area of network access control. For example, a business could run a "health check" on a PC before letting it onto a corporate network, said Pescatore, the Gartner analyst. "For businesses, it is definitely a feature they would be using," he said.

On the consumer side, banks currently recommend the use of security software and in many cases have special pages on their Web sites with security tips. But they seem to be stopping short of requiring security tools.

"We are committed to educating our customers about fraud and identity theft protection and recommend steps for customers to take to secure their PCs," Wells Fargo spokeswoman Andrea Mahoney said. Bank of America spokeswoman Betty Riess echoed her words.

While analysts don't think businesses would want to add security checks to their consumer sites or services, some regular Internet users do see value in it.

"Security needs to be taken seriously, and as long as it doesn't become overly burdensome, it may actually have some benefits," said Brian Lambert, a student at Southern Illinois University. "This just adds another reminder, especially to people who ignore the pop-up notices that Windows provides."

Jeff Rosado, owner of a computer consulting company in Pensacola, Fla., agreed. "A system that is showing as secure, with running antivirus, firewall, and up-to-date security patches, is less likely to be harboring malicious software that could steal a consumer's password or identity," he said.

But Rosado and Lambert, both members of CNET News.com's Vista Views panel, do see some potential pitfalls. Privacy is one concern. Another is the compatibility of outside security programs with the Windows Security Center.

"I don't want to be excluded from sites because I don't use Microsoft's preferred program, and more importantly, I don't want private information like that to be disclosed," Lambert said. Also, users should be able to access Web sites without having up-to-date security, after acknowledging the risk, he said. "Consumers might welcome the warning."

Although only one company has signed on so far, Microsoft is optimistic that its PC security checks will gain traction. "I am sure we will see more and more applications start to do it as Windows Vista rolls out," Robinson said. "Our No. 1 objective is that customers are secure and safe online."