The assertion that "Vista is light years ahead" of Windows XP on security kicked off a storm of e-mail at the Burton Group.

"What is really the difference?" asked one analyst. "It won't matter how far ahead Vista is.... If the alerts [from User Account Control (UAC)] get too annoying, the users will just turn them off and then who cares?"

I responded: "There's a lot more to Vista than UAC. There's service hardening, full volume encryption, device driver signing, kernel patch protection, address space layout randomization, better group policy, better crypto and smart card support and generally higher-quality code."

Unconvinced, the analyst replied: "I still have to buy [antivirus] or pay Microsoft for it. I still have to deploy firewalls. I still need some type of patching system. Where is the benefit of Vista?"

Another analyst, a Mac user, added: "If you have to patch it less frequently, if it's easier to manage (for example, through improved group policy), that's a big win for an enterprise. But all this just reduces cost and management overhead; the actual security difference is probably not huge."

This implies Vista is only light years ahead, not warp speed ahead. While most attacks are being developed for Office, Internet Explorer and application-layer components, Vista will receive its share. The new operating system doesn't really change the reactive patch, update and clean paradigm of endpoint protection.

"Recall the debut of Windows 95," another analyst said. "People lined up like they do now for gaming consoles. It was a big deal. Now the [operating system] is fading into the appliance, at least as far as the consumer is concerned. If the packaging were simpler, the pricing more aggressive, and the features liberating instead of constraining [with digital rights management], more people would upgrade in advance of buying a new PC, helping Microsoft convert the installed base faster. Microsoft's actions do not typify a company that's defining the future but one that's protecting the past."

Vista will protect Microsoft's desktop dynasty, but migration will come at a cautious pace. Given Vista's large hardware footprint and compatibility issues with security tools such as existing third-party antivirus and Internet Explorer 6 applications, there is little reason for enterprises to rush forward before Microsoft's partner ecosystem works out the kinks. Consumers will get Vista when they buy new machines. Enterprises should generally deploy Vista per their desktop refresh cycle, but may need to delay for months if stability issues or compatibility with applications, management or security infrastructure arise.