Why Windows 7 XP Mode makes sense from a security perspective

I have to admit: When I first learned about Windows 7 XP Mode I was quite surprised. How can we actually ship an XP Virtual Machine with Windows 7? Well, then I started to think (no, it did not hurt too much)… But before I share my findings with you, let me tell you a story:

A few months back, a friend of mine called me. He was desperate. He is the owner of a car dealer close to where I live (a pretty big one for Swiss terms) and had decided to renew the business’s IT system. So, they moved to Windows Server 2008 Terminal Server and Windows Vista as a client. They hired an IT shop to do it for them and the migration went pretty smoothly – up until they wanted to start the web application of the car manufacturer. It is one of the German car makes you definitely know and which is well known for the quality of its cars. Unfortunately the web application did not run with Internet Explorer 7. So, they went back to the car manufacturer to learn that they knew about this but had no plans to make it compatible with neither IE 7 not IE 8. An alternative browser was not an option either as the latest versions broke this application as well. He needed a solution, which I could not provide – unfortunately. Finally they decided to let one PC run on XP with IE 6, just to get around the problem for this one task. So, basically they did “Windows 7 XP Mode” – just physical.

Now, let’s consider such scenarios. I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will built on that foundation.

Additionally we know that the browser is one of the most targeted attack vectors in the ecosystem. We shouldn’t be surprised by this as the browser is the window to the outside world and has to defend the computer against everything coming from the Internet. The security of the browser increased tremendously from Windows XP to Windows Vista, and will again with Windows 7. I deliberately did not say from IE 6 to 7 to 8 – even though this is true at least as much as with the OS. But the OS provides additional protection like IE 7 Protected Mode on Windows Vista which we simply cannot deliver on Windows XP or Address Space Layout Randomization or … That these design changes pay off can be seen if you look at our Microsoft Security Intelligence Report (SIR):


In Windows XP, 42% of the successful attacks came through our software, in Windows Vista, this changed tremendously:


This data is in the Security Intelligence Report v5. If we look at the malware infections per operating system in the most recent SIR version 6, there is another reason to migrate to Windows Vista/Windows 7:


Looking at all of this, our task basically boils down to “How can we help our customers benefit from the much better protection on today’s Operating Systems and in parallel ensure compatibility.” It is the classical security vs. compatibility problem. Of course we make a huge investment to ensure the operating system is as compatible with old applications as possible but we all know that there will be a point where we simply have to draw a line and put security needs above compatibility.

From this viewpoint Windows 7 XP Mode all of a sudden makes sense. It allows our customers to migrate to Windows 7 and significantly lowers the risk, for example, of web browsing or running 98% of their application software. The last 2%, which would have been issues that could have prevented migration, have so far been covered by the XP Mode. Now to be completely clear here: XP Mode has to be a temporary solution! The only effective long-term answer is to migrate applications to a version that is compatible with today’s Operating Systems. It also has to be managed and protected like any other machine – it is a full blown Windows XP with Internet Explorer 6 connected to the network. So it has to be used wisely and very, very limited but it allows you to migrate to the more secure environment for the every day’s tasks.

And finally, XP Mode from a user perspective can be set up in a way that the user only sees the legacy application running seamlessly in the Windows 7 environment. So, there is not necessarily a Windows XP, where the user can do everything they want: You just give them the legacy applications you want. Here is a picture how this looks like:


If you look at it like that it is simply a risk management decision: Which risk is higher? Leaving our customers on an 8-10 year old operating system for another few years, or helping them to migrate to a modern one, accepting the drawback with XP Mode? With XP Mode, we could have helped my friend above without actually having to force him to run a PC just for the sake of this single application!

For more information on VirtualPC on Windows 7, please look at http://blogs.technet.com/windows_vpc/ (I “borrowed” the last picture from there)


Comments (9)
  1. Anonymous says:

    Hi Sergio,

    thank you for your feedback. The way I see it is that XPMode helps to bring people on to a more secure OS – Windows 7 and is buying time. So from an overall risk perspective it reduces the risks heavily – IF PEOPLE PLAN TO MIGRATE OFF!!!


  2. Anonymous says:

    Honestly, that’s my biggest fear with XPMode – by far. The rest can be handled and I see your point.

    Windows XP will go out of support 8.4.2014 according to http://support.microsoft.com/lifecycle/?p1=3223. This is the point where you will not get any security updates anymore…

    And this scares me 🙁


  3. Anonymous says:

    Hi Elisabeth,

    thank you. However, this is strange as they do with me (from different PCs)


  4. Hello thank you for the info.  Please note the first three images are not displaying. Thanks again, E

  5. Sergio says:

    Roger, great thoughts…for us to ponder how we will disable XP mode or how we are going to make room to patch another OS box besides Windows 7 ones.

    I agree with you that it has to be a temporary solution but, as temporary as it is, I do prefer to run legacy applications on a physical patched XP box.

    The issue you pointed out about the Web application not being compatible with IE7, only shows a lack of migration design by the IT shop charged with the migration process.

    Desktop virtualization is a task that needs to be ponder on considerably in the enterprise and having a very good design for it takes time.

    Is XP Mode really a benefit of Windows 7 or a security goal in anyway?

    Thank you


  6. Shoaib Yousuf says:

    For sure, Windows 7 is the winner all the way 🙂

    Microsoft is back !!

  7. Stuck in the Mud says:

    Roger, you are being totally unrealistic in suggesting XP mode will just be a temporary fix. We all know from experience how often the "its just temporary" excuse is made, and how in the majority of cases that temporary thing becomes part of established infrastructure.

    For many people XP mode is one of the most attractive reasons to migrate from Vista to Windows 7. As someone who has wasted endless nights trying to get software to work in Vista I can sympathise. I fully expect to be using XP mode for at least the next 5 years, and I do not think I will be the only one.

    Then again, I might be a tad excessive about holding on to legacy applications? It is only in the last 3 months that I have finally put to rest my old and faithful Win98 desktop! I gather that with the combination of Windows 7 + XP mode I will still have to fully manages two OS’s, two lots of security settings, etc. etc? But at least they will be physically integrated onto the same computer.

    So, XP mode is a welcome way to provide us with a legacy environment, but please don’t try to kid anyone that it is just temporary. XP mode will last as long as Windows 7 itself lasts.

  8. Jeff25 says:

    I work in desktop support. We dump images to hard drives and deliver machines. We do maintenance and repairs. There are rare occasions when we can’t fix things. My company spoils end-users, so they have tons of personal settings and data. Simply re-imaging a computer is a major headache.

    Not so for a virtual machine that only has a few application-specific roles. Antivirus protection for XP Mode will not cost the same, and it will work in a managed environment. If for some reason someone’s XP Mode VM gets damaged, it will be simple to replace.

    So far, no one has mentioned backups. I supposed you could also argue that your backup needs double. But this also isn’t true. The role for XP Mode is so extremely narrow that the vhd’s and VM’s are expendible. Much more expendible than for physical machines with primary roles.

  9. strange says:

    To your last comment: That does not cumpute. Microsoft will have to support Windows XP as long as it is selling it as part (or just a feature) of Windows 7. Or will there be a servicepack which removes XP mode?

    We have seen Microsoft extending support for XP numerous times, I don’t see how they can get out of this one easily. Mark my words: Support for Vista will end earlier than for XP.

Comments are closed.

Skip to main content