Vista deployment is still at least a year out for most enterprise deployments, but it's not too early to consider what to do if Microsoft's new Vista operating system and Forefront security family don't support your legacy Microsoft and non-Microsoft applications.

Organizations that can't change out legacy apps such as Microsoft SQL Server 2000 due to the custom code they wrote for it could find themselves left out in the cold security-wise with Vista and Forefront, experts say. Although Microsoft hasn't officially revealed just which older apps will not work with Vista and Forefront yet -- or to what extent -- security experts don't expect Microsoft to include older products such as SQL 2000 and ISA Server 2000, for instance, under the new generation of products.

"Forefront is not likely to be compatible with Windows 95/98/ME and may not run on NT 3.5, 4.0, or 2000 with some Service Packs," says Randy Abrams, director of technical education for Eset, and the former operations manager for Microsoft's Global Infrastructure Alliance for Internet Safety. "It is possible that the code will run on older systems, but very unlikely that MS will support it if it does."

Organizations that have customized their older Microsoft apps, for instance –- especially the SQL database product, which is often used for accounting and other custom financial apps -- can't necessarily replace it, even if they are going with Vista, says Chris Schwartzbauer, vice president of worldwide field operations for Shavlik Technologies. "There's no reason to change my SQL license because I wrote custom code around the app and it's unlikely I'll [be able] to stop such a critical process," he says.

That means organizations running these older apps will have to use security tools from third-party vendors instead.

William Bell, manager of security operations for CWIE, says his company will wait for Vista Service Pack 1 (SP1) before it even starts testing the new OS. "In general, no one is going to trust Vista out of the box," Bell says. "No major company is going to roll out Vista day one."

But Bell, who runs Windows Server 2004 as well as XP workstations throughout his organization, says securing the Windows OS is an important step. "If we can secure the base OS as much as possible, we can stop a lot of the problems we see today with XP or 2000," he says.

Microsoft wouldn't provide details on which apps Vista and Forefront won't support. A Microsoft spokesperson instead reiterated Vista's defense-in-depth approach: "Windows Vista contains numerous security features that working together help prevent malware from installing and help find and remove it if it has already been installed," the spokesperson says. "It's important to note that with Windows Vista, we're taking a defense-in-depth approach to helping protect users from malware, which includes features such as user account control, Windows service hardening, ASLR, and kernel patch protection."

One of the biggest hurdles will be managing the controls Vista has in place, such as its built-in firewall and user account settings. "It's not about breaking the OS, but exploiting a misconfigured app, or taking advantage of a vulnerability that exists because the user didn't run the patch or a service isn't turned on and being used as a launching-point into the enterprise," Shavlik's Schwartzbauer says.

CWIE's Bell agrees it won't be easy. "It's hard to centrally manage controls," he says. "It's going to be a big hurdle for companies."

But a more chilling question, security experts say, is whether or not Forefront will use common dynamic link libraries (DLLs), which could provide attackers with potential holes in the security software to launch their exploits. DLLs are essentially files of system controls and drivers. "If Forefront were to use common DLLs, such as those used for manipulating cabinet files, then a vulnerability that may now affect Windows Explorer could theoretically also affect the security software as well," Eset's Abrams says.

To avoid any compatibility surprises, enterprises should start by testing Forefront and/or Vista before deploying the products. "Vista in particular is vastly different than XP was in terms of security capability, and it can be crippled if deployed incorrectly," says Rob Enderle, principal analyst with the Enderle Group. "Part of what should occur here is revisiting where legacy applications run and whether you even need them anymore. Many can now be hosted and doing so will not only result in lower operating costs, but better uptime and less employee aggravation."

The Gartner Group recommends that enterprises running or considering security tools such as host-based intrusion detection or content-monitoring tools that are not compatible with the 64-bit Vista (and "for which no suitable alternative exists"), should forego Vista initially. They won't get full Vista functionality otherwise, according to the consulting firm.

Still, having Microsoft's Forefront and Vista in general really won't change much in how enterprises approach security, Eset's Abrams says. "Enterprises [still] need to configure their OSes as safely as they are able, and to choose security software based upon how well it will allow them to productively secure their environment," he says. Now they will just have another option with Microsoft, he reckons.

— Kelly Jackson Higgins, Senior Editor, Dark Reading